A new report from the Department of Health and Human Services (HHS) Office of the National Coordinator for Health Information Technology (ONC) highlights data protection gaps in the U.S. for health data from wearable devices, social media, and emerging technologies. The report, “Examining Oversight of the Privacy & Security of Health Data Collected by Entities Not Regulated by HIPAA,” identifies several areas in which privacy and security protections for health data have lagged behind technological developments that are expanding the collection of health data outside the traditional venues for health care.
The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is taking an aggressive stand on HIPAA enforcement and targeting violations related to security risk assessments and business associate agreements. Three resolution agreements posted in the last month make clear that the agency expects entities subject to HIPAA to take appropriate steps to secure their data, regardless of the size or type of the entity.
In a case that could have far-reaching implications for how companies are held liable for data security lapses, the FTC issued an order and opinion unanimously overturning its Chief Administrative Law Judge’s (ALJ) November 2015 dismissal of charges that LabMD’s allegedly lax data security measures were unfair practices under Section 5 of the FTC Act (see our coverage of the ALJ’s decision here). The FTC found that the ALJ applied the incorrect legal standard for unfairness—that the question was not whether LabMD’s data security practices were “likely to cause” “substantial consumer injury”, but whether they presented a “significant risk” of injury. The FTC went on to issue its own legal and factual findings that LabMD’s data security practices were unreasonable and unfair.
The FTC’s decision marks another twist in a long-running dispute about whether allegedly lax security procedures can, on their own, result in liability when there has not been demonstrated harm to consumers, a line of reasoning that some worry will expose victimized companies to liability. For the time being, the FTC’s decision provides grounds for counseling companies to take steps to ensure their data security programs are aligned with industry standards or best practices. The Commission’s decision reinforces its role as a key player in the field of data security, a role that received additional support in last year’s Wyndham decision in the Third Circuit (see our coverage of that decision here).
Thank you to everyone who participated in last week’s webinar “Privacy Shield: What You Need to Know.”
In this complimentary webinar, Julie Brill, Tim Tobin, and Bret Cohen of Hogan Lovells’ Washington office, and Eduardo Ustaran of our London office explored:
- What do companies need to do to sign up to the Privacy Shield?
- How do companies demonstrate compliance with the Privacy Shield principles?
- What will it take to move from Safe Harbor to Privacy Shield?
- What are the pros and cons of Privacy Shield as compared to other EU cross-border transfer mechanisms?
- What is the long-term viability of Privacy Shield?
To access a copy of the slide deck, click here.
To access the recorded webinar, click here.
Stay tuned to the blog for future updates, including any interpretations or next-steps guidance from the European data protection authorities, the U.S. Department of Commerce, or the Federal Trade Commission.
The Department of Health and Human Services (HHS) released guidance on July 11, 2016, intended to help the healthcare industry prepare for and respond to ransomware attacks. Specifically, this guidance clarifies: (1) that a ransomware attack is considered a “security incident” under HIPAA, and (2) that a ransomware attack will typically be considered a “breach” by HHS unless entities are able to demonstrate that there is a “low probability of compromise.” The guidance also clarifies that covered entities must implement the same risk assessment processes as they would with other types of cyber threats, including malware. At a time when ransomware attacks are on the rise, this guidance heightens the potential regulatory enforcement consequences of these events.
In less than one week, on August 1, U.S. companies may begin to submit self-certifications to the EU-U.S. Privacy Shield framework at www.privacyshield.gov. Those companies that previously certified to the predecessor Safe Harbor framework are in a particularly good position to certify to the Privacy Shield, which built upon Safe Harbor’s core principles by adding meaningful substantive and procedural privacy protections for EU individuals.
The U.S. Department of Education and Department of Justice (“Departments”) recently weighed in on the obligations of school districts, colleges, and universities to provide civil rights protections for transgender students. On May 13, 2016, the Departments issued a Dear Colleague Letter (“DCL”) that summarizes the responsibilities of school districts, colleges, and universities that receive federal financial assistance under the Departments’ interpretation of federal law, including Title IX of the Education Amendments of 1972 (“Title IX”) and the Family Education Rights and Privacy Act (“FERPA”). Here, we focus on the DCL’s guidance pertinent to compliance with FERPA.
The much anticipated Privacy Shield framework for the transfer of data between the EU and U.S. received final approval from the European Commission on 12 July 2016. With this important data transfer mechanism available to companies at the beginning of August, the Hogan Lovells Privacy and Cybersecurity team will answer your questions in a webinar Wednesday, 27 July.
CLE credit will be available.
With the recent approval of the EU-U.S. Privacy Shield framework and the ability to start filing online registrations on 1 August, many companies have questions about the advantages and disadvantages of Privacy Shield as compared to other cross-border transfer mechanisms to cover trans-Atlantic data flows.
To answer your questions, we publish here International Data Transfers – Considering your options, a high-level analysis of the EU cross-border transfer options for companies—including the EU Standard Contractual Clauses, Intra-Group Agreements and other ad-hoc contracts, Binding Corporate Rules, Privacy Shield, and Consent—and the pros and cons of choosing each one.
On 6th July, the UK Government published two independent reviews concerning data security and data sharing in the health and care system in England. At the same time the UK Government launched a public consultation on proposals resulting from these reviews. The public consultation will be of interest to organisations that regularly interact with the public health sector in the UK and in particular to those organisations that rely on access to health data from the NHS for research purposes.