A.G. Schneiderman Announces SHIELD Act to Protect New Yorkers

Share

The Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) was introduced in the New York legislature in early November and would amend New York’s state breach notification law.  The bill was announced after the release of a New York Office of the Attorney General report found a nearly 60% hike in data breaches affecting state residents in 2016 and following the Equifax breach in September, which A.G. Schneiderman is investigating.

Among other things, the SHIELD Act would:

  • Require reasonable security for private information, using standards tailored to the size of the business, while avoiding duplicate regulations and providing incentive to businesses that certify security compliance and provides clear examples of safeguards (e.g., technical, administrative, and physical measures).
  • Carve out “compliant regulated entities,” which are defined as those already regulated by, and compliant with, existing or future regulations of any federal or NYS government entity (including NYS DFS cybersecurity regulations; regulations under Gramm-Leach-Bliley; HIPAA regulations) by deeming them compliant with this law’s reasonable security requirement.
  • Provide safe harbor from AG enforcement actions under this law for “certified compliant entities,” (those with independent certification of compliance with aforementioned government data security regulations, or with ISO/NIST standards).
  • Provide a more flexible standard for small business (less than 50 employees and under $3 million in gross revenue; or less than $5 million in assets): requiring reasonable safeguards “appropriate to the [small business’s] size and complexity.

Continue reading “A.G. Schneiderman Announces SHIELD Act to Protect New Yorkers”

Latest OCR Reminder Regarding Mobile Device Security and PHI

Share

With the ever-increasing use of mobile devices in the workplace that create, receive, maintain, and transmit electronic protected health information (ePHI), the Department of Health and Human Services (HHS), Office for Civil Rights (OCR)’s latest Cybersecurity Newsletter issued an important reminder of the importance of mitigating the risks surrounding the use of mobile devices.

Mobile devices pose unique security risks because of their portability, small physical size, and capacity to store vast amounts of data. Both the Federal Trade Commission (FTC) and OCR frequently remind all organizations, but especially those entities that process ePHI, of the importance of protecting data on mobile devices.

Continue reading “Latest OCR Reminder Regarding Mobile Device Security and PHI”

OCR’s Guidance on HIPAA-Permissible Information Sharing During Patient Opioid Crisis

Share

In response to President Trump’s call to action on opioids, acting Department of Health and Human Services (HHS) Secretary Eric D. Hargan declared the opioid crisis a national public health emergency on October 26, 2017.  The next day, HHS-Office for Civil Rights (OCR) released new guidance on when and how health care providers can share a patient’s health information with the patient’s family and close friends during certain crisis situations, such as opioid overdoses, without violating the Health Insurance Portability and Accountability Act (HIPAA) privacy regulations.

HIPAA prohibits health care providers from sharing protected health information about patients who have capacity to make their own health care decisions and object to information sharing, unless there is a serious and imminent threat of harm or safety.  However, health care professionals may disclose some health information without a patient’s permission under certain circumstances, including:

  • Sharing health information with family, close friends, or any other person identified by the patient, and involved in caring for the patient if the provider determines that doing so is in the incapacitated or unconscious patient’s best interests and the information is directly related to the family or friend’s involvement in the patient’s health care or payment for care. The provider may use professional judgment and experience with common practice to make reasonable inferences of the patient’s best interest.
  • Informing persons in a position to prevent or lessen a serious or imminent threat to the patient’s health or safety.

Continue reading “OCR’s Guidance on HIPAA-Permissible Information Sharing During Patient Opioid Crisis”

HHS Declares Public Health Emergency in California – HIPAA Waivers Apply

Share

In the aftermath of the California wildfires, the Department of Health and Human Services (HHS) has waived sanctions and penalties against covered entities that fail to comply with provisions of the HIPAA Privacy Rule.

The waiver is similar to HHS’ response to Hurricanes Harvey and Irma, which we discussed in a previous blog post. This waiver only applies (1) in the emergency area and for the emergency period identified in the public health emergency declaration, (2) to hospitals that have instituted a disaster protocol, and (3) for up to 72 hours from the time the hospital implements its disaster protocol. Continue reading “HHS Declares Public Health Emergency in California – HIPAA Waivers Apply”

OCR Reminder on How to Manage HIPAA Privacy Requirements during Emergency Relief Efforts

Share

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued a reminder to its listserv subscribers following the Las Vegas Strip shooting on October 1, 2017, that HIPAA covered entities are permitted to share patient protected health information (PHI) under the HIPAA Privacy Rule  to carry out specific purposes and under certain circumstances.

For most disclosures, however, a covered entity must make reasonable efforts to limit the information disclosed to that which is minimally necessary to accomplish the purpose.  Per OCR’s reminder, covered entities may rely on representations from a public health authority or other public official that the requested information is the minimum necessary for the purpose.

The following is a summary of OCR’s reminder and the uses and disclosures available under 45 C.F.R. §164.510.

Continue reading “OCR Reminder on How to Manage HIPAA Privacy Requirements during Emergency Relief Efforts”

Application for Proposed Ballot Measure: California Consumer Privacy Act of 2018

Share

A proposed ballot measure that would require businesses to provide annual disclosures to consumers on the collection or sale of personal information has been filed with the California Attorney General. If 365,880 signatures are obtained, it may appear on the November 2018 ballot.

The initiative is based on California’s “Shine the Light Law” which sets forth the procedures companies must follow in disclosing, upon request of a consumer, what information has been shared with third parties.  The law also contains specific language to be included in online privacy policies.

Continue reading “Application for Proposed Ballot Measure: California Consumer Privacy Act of 2018”

©2024 Faegre Drinker Biddle & Reath LLP. All Rights Reserved. Attorney Advertising.
Privacy Policy