The United States Court of Appeals for the Fifth Circuit (the “Court”) vacated a $4,348,000 civil monetary penalty (“CMP”) imposed by the U.S. Department of Health and Human Services’ Office for Civil Rights (“HHS-OCR”) in 2017 against the University of Texas M.D. Anderson Cancer Center (“MD Anderson”) for alleged violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy Rule and HIPAA Security Rule. The Court held that OCR’s actions were “arbitrary, capricious, and otherwise unlawful” and remanded the case for further proceedings. While the case is not binding precedent outside the Fifth Circuit, MD Anderson is the first HIPAA Covered Entity to appeal its fine to a Circuit Court since the HIPAA Privacy Rule and the HIPAA Security Rule took effect. The ruling likely will motivate future HIPAA settlement negotiations with HHS-OCR and encourage HIPAA Covered Entities to appeal enforcement outcomes they consider unreasonable.
Category: Privacy
IT Security Trends in the Era of COVID: Our Top Five Tips for Making Your Network Safer in 2021
As the COVID era drags on, it is clear that work life “post-COVID” may be very different from life “pre-COVID.” This is especially true as it relates to IT security. More and more employees have shifted to a telecommuting work model, and for many businesses that may be the case for an indefinite period of time. This raises important questions as to which security improvements or other changes IT departments need to make in 2021 to keep their businesses and client data safer from cyberattacks.
Draft Standard Contractual Clauses Released by European Commission: New Clause Cause for Applause?
Following on from last week’s big announcement by the European Data Protection Board (EDPB) on its expectations for international data transfers after the European Court of Justice’s July 16 Schrems II decision, the European Commission released a draft set of new Standard Contractual Clauses (SCCs) and a draft implementing decision. The Commission’s draft set of clauses allows for two new types of transfer and contains important updates to bring the text of the clauses in line with the General Data Protection Regulation. The draft documents are now available for public consultation, and both the EDPB and the European Data Protection Supervisor will be asked for their opinions on the documents. Following the Schrems II decision, many organizations have been waiting for guidance on additional safeguards and for the (long overdue) arrival of updated Standard Contractual Clauses. While the last few days have seen some welcome developments after a period of hiatus, organizations will likely need some time to assess the practical implications before making radical changes to international data transfer arrangements.
For the full alert, visit the Faegre Drinker website.
European Data Protection Board Issues New Recommendations for International Data Transfers: Essential Guarantees, Supplemental Measures, and False Warrant Canaries
A pair of highly anticipated guidance documents outline the European Data Protection Board’s (EDPB) expectations for organizations transferring data out of the EU. While the detailed process for evaluating data transfers brings welcomed guidance and clarity, some aspects of the EDPB’s framework present significant obstacles for those working with non-EU service providers or moving data for routine business purposes.
For the full alert, visit the Faegre Drinker website.
Marriott Cyberattack Fine Reduced as ICO Shifts Penalty Policy
More than two years after receiving a massive initial fine, hotel chain Marriott International, Inc. reduces a cyberattack penalty by more than 80%. A shift in the United Kingdom’s Information Commissioner’s Office (ICO) calculation policy, along with other mitigating factors, led to the significant decrease. While the ICO reinforces the importance of responsibilities of data controllers in managing sophisticated cyberattacks, this latest development marks a continued shift away from turnover-centric penalty policies.
For the full alert, visit Faegre Drinker’s website.
Community Health Systems Enters Into Five-Million-Dollar, Multi-State Settlement Agreement in Connection with 2014 Data Breach
On October 8, 2020, Community Health Systems, Inc. (Community Health) and its subsidiary CHSPSC, LLC entered into a settlement agreement with 28 states for $5 million to resolve claims related to a 2014 data breach. Community Health owns over 200 hospitals across the United States and is one of the largest hospital networks in the country. The multi-state settlement follows a separate $2.3 million settlement that Community Health reached with the U.S. Department of Health and Human Services Office for Civil Rights (HHS-OCR) in connection with the same data breach.