Corporate Counsel magazine quotes Wyatt attorneys on changes to Tennessee data breach law

April 20, 2016 WyattLLP Cyber Security and Cyber Crime, Data Privacy & Security, Privacy & Security Corporate Counsel magazine, data breach, data privacy and data security, encryption, Tennessee

Kathie McDonald-McClure and Matt San Roman, members of Wyatt’s Data Privacy & Security Service Team, were recently interviewed for Corporate Counsel magazine. The article, “Tennessee Enacted the Toughest Data Breach Law Yet,” addresses the new amendment to the Tennessee Identity Theft Deterrence Act of 1999. The amendment, among other changes, may eliminate the “encryption safe harbor” rule (pending a legislative fix to other language that may keep it in). Other states may follow suit if cybercriminals demonstrate ways around popular encryption methods.

Please note that the full text of the article is only available to subscribers. To read our prior blog posts discussing the Tennessee amendment in more detail, click here and here.

Federal Government Report Summarizes Health Care Privacy Compliance Efforts

July 29, 2014July 31, 2014 Margaret Young Levi Electronic Health Records, Federal Law Resources, Health Information Technology, HITECH Law breach, compliance report, data breach, OCR, Office for Civil Rights, Privacy & Security, report to Congress, U.S. Department of Health and Human Services

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has issued two reports to Congress required by Section 13402(i) of the Health Information Technology for Economic and Clinical Health (HITECH) Act:

–“Annual Report to Congress on Breaches of Unsecured Protected Health Information For Calendar Years 2011 and 2012” (the Breach Report); and

–“Annual Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance For Calendar Years 2011 and 2012” (the Compliance Report).

Both of OCR’s reports (as well as previous annual reports) may be accessed here. This post discusses the Compliance Report. We summarized the Breach Report in a separate post entitled “Federal Government Report on Data Breaches in Health Care.”

OCR is the office responsible for administering and enforcing the HIPAA Privacy, Security, and Breach Notification Rules. The Compliance Report summarizes OCR’s compliance and enforcement activity with respect to the HIPAA Privacy, Security, and Breach Notification Rules.

Continue reading →

Federal Government Report on Data Breaches in Health Care

July 21, 2014July 22, 2014 Margaret Young Levi Electronic Health Records, Federal Law Resources, Health Information Technology, HITECH Law data breach, healthcare breach reports, Privacy and security of electronic data, privacy and security of personal health information, U.S. Department of Health & Human Services Office for Civil Rights

The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) has issued two reports to Congress required by Section 13402(i) of the Health Information Technology for Economic and Clinical Health (HITECH) Act:

• “Annual Report to Congress on Breaches of Unsecured Protected Health Information For Calendar Years 2011 and 2012” (the Breach Report), and
• “Annual Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance For Calendar Years 2011 and 2012” (the Compliance Report).

Both reports (as well as previous annual reports) may be accessed here. This post discusses the Breach Report, and a separate article will be posted later addressing the Compliance Report.

The Breach Report offers valuable insight into OCR’s priorities with respect to healthcare data breaches and gives an excellent summary of many recent settlements. OCR (the office responsible for administering and enforcing the HIPAA Privacy, Security, and Breach Notification Rules) has prepared this Breach Report describing the numbers and types of healthcare data breaches occurring for calendar years 2011 and 2012. The Breach Report is compiled from breach reports that HIPAA requires be provided to OCR by covered healthcare providers, health plans, healthcare clearinghouses and their business associates. The raw data upon which these reports is based is available here. OCR also provides some cumulative data on breaches reported since the breach notification law went into effect on September 23, 2009. OCR then slices and dices this data in a variety of different and useful ways, sorting it by: cause, location of affected protected health information (PHI), types of entities involved, number of individuals affected, remediation steps taken, etc. Continue reading →

Puerto Rico Imposes Massive Fine for Insurer’s Data Breach

February 24, 2014March 12, 2014 Erin Brisbay McMahon Federal Law Resources, Health Information Technology Breach Notification, data breach, Health Information Technology, HIPAA breach, privacy and security of protected health information, security of protected health information

The Puerto Rico Health Insurance Administration has fined Triple-S Salud Inc. (TSS) $6.8 million for failure to safeguard Medicare beneficiary numbers. This far exceeds any fine imposed by or settlement reached by the United States Office of Civil Rights to date for HIPAA data breaches. How did the fine reach such a staggering amount? What lessons can be learned? Continue reading →

Legislation would require Kentucky businesses to notify consumers of data breach

January 29, 2014March 12, 2014 Dan Soldato Electronic Health Records, Federal Law Resources, FTC Enforcement, Health Information Technology, HITECH Law data breach, State Breach Notification Law

by Dan Soldato

Data breaches, particularly of consumer information and other private information, are becoming an increasing public concern and a headline in the daily news. We regularly hear about incidents in which electronically stored customer information is lost by or stolen from businesses, including health care companies, retailers, and telecommunications companies. These risks are exponentially increasing with the increased use of mobile devices in businesses (e.g., laptops, tablets, flash drives, smartphones, etc.) and the increased use of mobile apps by consumers. Electronic data, if not adequately secured, can lead to both physical and electronic thefts (e.g., hacking, malware, etc.). In light of the increase in data breach reports, this week, the Consumer Financial Protection Bureau issued an advisory bulletin to provide guidance to consumers on protecting their personal information following the recent high-profile breaches involving debit cards and other payment data (e.g., Target, Michaels, Neiman Marcus). Notice to consumers about a breach of their data is seen as another way to further protect against a loss.

Data Breach Laws. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and Section 5 of the Federal Trade Commission Act are two federal laws under which federal agencies aim to protect the confidentiality of sensitive personal information such as health information, social security numbers and other personally identifiable information. In addition, many states have enacted laws that have a similar aim. One such law that many states have enacted is a breach notification law that requires business entities to notify affected individuals when their personally identifiable information has been breached or compromised.

Kentucky is one of a handful of states that has yet to enact a breach notification law. However, on January 21, 2014, Representative Steve Riggs introduced HB232, which, if passed, would implement new standards and requirements to notify affected individuals in the event of a breach of their personally identifiable information. The Bill is now under consideration by the House Labor and Industry Committee. Continue reading →

Wyatt HiTech Law Blog

A legal blog about consumer and business data privacy and security in a high tech world

data breach