CMS recently sent a proposed request for information (RFI) to the Federal Office of Management and Budget (OMB) for review.  The RFI would seek feedback on whether provisions of HIPAA present barriers or otherwise discourage coordination of care among providers, payors and patients.  The RFI also seeks feedback on whether HIPAA “impede[s] the transformation to value-based health care without providing commensurate privacy or security protections. . . .”  Importantly, the RFI seems to acknowledge some of the most burdensome requirements under HIPAA by requesting feedback on provisions regarding accountings of disclosures and written acknowledgement of receipt of a notice of privacy practices.  The RFI also asks for comments regarding good faith disclosures.  Hopefully, this is a signal that there may be some common sense changes to HIPAA that reduce burdens on covered entities without jeopardizing patients’ privacy.  Stay tuned…

We’re all guilty of it.  We keep things that we don’t need, like that pair of stone-washed jeans from 1992 that you hope will come back into style or your beanie baby collection that you blindly believe might be worth something someday.  While our inability to purge old stuff from our closets may cost us closet space, the repercussions for an organization that hoards data are far more significant.  From a cybersecurity perspective, the more personal information a company maintains, the more information it has to lose.  Consequently, the more information a company loses, the higher the financial and reputational costs.


On July 5, 2018, the EU Parliament passed a non-binding resolution encouraging the European Commission to suspend the EU-US Privacy Shield Program unless the US is fully compliant by September 1, 2018.  The EU Parliament believes that the current Privacy Shield program does not provide an adequate level of protection required by European law.  This comes roughly two years after the European Commission deemed the EU-US Privacy Shield Framework adequate to enable data transfers under EU law.  But a lot has changed in two years.

Today, in a 5-4 decision, the US Supreme Court ruled that the government’s acquisition of information regarding an individual’s location based on a cell phone record amounts to a Fourth Amendment search and generally requires a warrant.  In Carpenter v. United States, the government obtained nearly 13,000 location points on Carpenter’s movements over a 127-day period from Carpenter’s wireless carrier under the Stored Communications Act (SCA).  The standard for obtaining information under the SCA is much lower than the probable cause showing required for a warrant.  The government used these cell phone records to show that Carpenter’s phone was near four locations that had been robbed when those robberies occurred and obtained a conviction.  In reversing the decision of the Sixth Circuit and remanding the case, the Court held that individuals have a reasonable expectation of privacy in their physical movements.

Chief Justice Roberts delivered the 119-page opinion for the majority, joined by Justices Ginsburg, Breyer, Sotomayor and Kagan. Justices Kennedy, Alito, Thomas and Gorsuch each filed dissenting opinions.

Yesterday the United States Court of Appeals for the Seventh Circuit weighed in on the consumer class action standing issue.  The court found that Barnes & Noble customers have standing to pursue a class action concerning the hacking of the retailer’s PIN pads.  In doing so, the Seventh Circuit reversed a district court ruling dismissing the complaint for failure to adequately plead damages.  The Court of Appeals determined that the time value of money which had been removed from plaintiffs’ accounts (even though it was ultimately returned), the costs of credit monitoring, and the time invested to create new accounts all were sufficient to provide standing.

Facebook is the subject of a recent media blitz due to the allegations that 50 million people had their information improperly disclosed to Cambridge Analytica, a data research firm that may have played a role in the 2016 election.

The premise of the allegations is that Cambridge Analytica sent out a personality test to roughly 270,000 of Facebook’s users, stating that it would use the test for academic purposes.  However, allegedly, Cambridge Analytica collected the personal information not only of those who replied to the survey, but also of all of those individuals’ Facebook “friends.”  In this way, the 270,000 survey respondents grew into 50 million users whose information was collected.