Cottage Health and the Office for Civil Rights at the U.S. Department of Health and Human Services (HHS-OCR) recently entered into a $3 million no-fault settlement and three-year corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA). This was HHS-OCR’s last HIPAA-related settlement of 2018 – a record year in HIPAA enforcement activity, as detailed in this DBR on Data blog post.
New Washington State Privacy Bill Incorporates Some GDPR Concepts
A new bill, titled the “Washington Privacy Act,” was introduced in the Washington State Senate on January 18, 2019. If enacted, Washington would follow California to become the second state to adopt a comprehensive privacy law.
Similar to the California Consumer Privacy Act (CCPA), the Washington bill applies to entities that conduct business in the state or produce products or services that are intentionally targeted to residents of Washington, and it includes similar, though not identical, size triggers. For example, it would apply to businesses that 1) control or process data of 100,000 or more consumers; or 2) derive 50 percent or more of gross revenue from the sale of personal information, and process or control personal information of 25,000 or more consumers. The bill would not apply to certain data sets regulated by some federal laws or to employment records, and would not apply to state or local governments.
Rosenbach v. Six Flags Entertainment Corporation – Illinois Supreme Court Holds That a Technical Violation of Statutory Biometric Rights is Sufficient to Bring a Claim
On Friday, the Illinois Supreme Court ruled that, in order to pursue a claim for $1,000 – $5,000 in statutory damages under the Biometric Information Privacy Act (BIPA), an individual need not plead or prove more than a technical violation of the statute. This decision opens the door to additional lawsuits under the only biometric law in the nation that allows for a private right of action.
European Union Adopts Adequacy Decision For Safe Data Flows With Japan
On January 23, 2019, the European Commission announced its decision to adopt adequacy status with Japan for transfers of personal data. Pursuant to the European Union’s (EU) General Data Protection Regulation (GDPR), this decision will allow personal data to flow freely between the 28 EU countries, three additional European Economic Area member countries (Norway, Liechtenstein, and Iceland), and Japan, without the need for additional data protection safeguards or derogations. Japan adopted an equivalent decision with the EU on January 22, 2019. These reciprocal findings of adequacy will create the largest area of safe data flows in the world.
California Attorney General’s Office Gathers Public Opinions Regarding the Implementation of the California Consumer Privacy Act
The California Department of Justice has opened up public forums this month as part of the Attorney General’s rulemaking process to promulgate regulations under the California Consumer Privacy Act of 2018 (CCPA). We previously discussed the Attorney General’s Office’s public statement regarding the CCPA here.
As required by the CCPA, the Attorney General must adopt certain regulations on or before July 1, 2020. In holding these public forums, the Attorney General’s Office hopes to provide an initial opportunity for the public to participate in establishing procedures to facilitate consumers’ rights under the CCPA and to provide guidance for business compliance. Specifically, the following aspects are of high priority: businesses’ obligation to disclose data collection and sharing practices to consumers; consumer rights to request deletion of data; consumer rights to opt out of having their personal information sold to third parties; and restrictions on the sale of personal information of consumers under the age of 16 without explicit consent. The Attorney General’s Office scheduled six public forums across different counties in California and invites in-person attendance or written submissions of public comments through February 2019.
HHS Task Group Releases Cybersecurity Guidelines for the Health Care Industry
Health care is one of the most complex and socially impactful areas of digitalization. Ensuring cybersecurity of health care operations, therefore, is of paramount importance – because potential vulnerabilities may lead not only to financial or technical exposures, but to lapses in life-or-death situations for patients.
To assist practitioners with education and guidelines, and pursuant to the Cybersecurity Act of 2015 (Public Law 114-113), Section 405(d), the Department of Health and Human Services created a “405(d) Task Group” in May 2017, involving more than 150 health care and cybersecurity experts. Their collaborative work resulted in a voluntary guideline entitled “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients,” which was released at the end of 2018.