HL Chronicle of Data Protection Privacy & Information Security News & Trends

Shee Shee Jin

Posts by Shee Shee Jin
Posted in Health Privacy/HIPAA

HIPAA Penalty Caps to Be Reduced and Tied to Culpability Level

In a dramatic turn, the US Department of Health and Human Services (HHS) has announced that effective immediately, penalties for many HIPAA violations will be subject to substantially reduced limits. After a record year of collecting high-dollar settlements, the agency has pulled back and tied its own hands through a Notification of Enforcement Discretion that will likely result in lower penalties and settlement agreement amounts.

Posted in Consumer Privacy

California Consumer Privacy Act: The Challenge Ahead – The CCPA’s Anti-Discrimination Clause

One of the most controversial elements of the California Consumer Privacy Act (“CCPA”) is the establishment of an “anti-discrimination” right – businesses may not “discriminate” against consumers for exercising certain rights under the CCPA, and they will need to assess whether and how they can require consumers to accept certain data practices as a condition of service. Compliance would be challenging even if the provision were articulated clearly, but as we have discussed in this blog series, the accelerated drafting process and passage of the CCPA earlier this year left little time for public comment and responsive amendments. As a result, the law includes a series of ambiguities that complicate compliance, and nowhere is that more apparent than in the anti-discrimination provision.

This entry in Hogan Lovells’ ongoing series on the CCPA focuses on the law’s anti-discrimination clause, its ambiguities and potentially contradictory provisions, and its impact on businesses.

Posted in Consumer Privacy, Privacy & Security Litigation

U.S. Supreme Court Holds that Historical Cell Site Location Data Is Subject to a Reasonable Expectation of Privacy

In a landmark 5-4 decision, the United States Supreme Court held that the government conducts a search under the Fourth Amendment and therefore, absent exigent circumstances, needs a warrant supported by probable cause when obtaining cell-site location information (i.e., records of the cell towers to which mobile devices connect). The majority reached that conclusion based on the determination that such location records are subject to a reasonable expectation of privacy that continues to apply even though the location records are disclosed to the cell phone user’s wireless carrier, a third party.

Posted in Health Privacy/HIPAA, Privacy & Security Litigation

Aetna $17.2 Million Breach Settlement Brings Lessons for Handling Health Data

Aetna will pay almost $17.2 million to settle a federal class action lawsuit stemming from a 2017 mailing that disclosed the HIV status of health plan members. Aetna also agreed last week to pay a $1.15 million fine to the state of New York after Attorney General Eric Schneiderman’s investigation into Aetna’s alleged violations of federal and state privacy laws. Both settlements require compliance monitoring and record-keeping obligations.

Posted in Health Privacy/HIPAA

New York Regulators Lead the Charge to Fill Health Data Protection Gaps Left by Federal Law

After a year-long investigation into mobile health apps claiming to be able to measure vital signs or health indicators through smartphone sensors, the New York Attorney General settled claims against three developers alleged to have engaged in “misleading” marketing claims and “irresponsible” privacy practices. Mobile health apps Cardiio and Runtastic claimed that their apps effectively and accurately measured heart rate after vigorous exercise using only a smartphone camera and sensors. The third, Matis, claimed that its app transformed a smartphone into a fetal heart monitor. Concerned that unregulated apps claiming to measure key vital signs and other health indicators may harm consumers if the apps provide inaccurate or misleading results, NY AG Eric Schneiderman brought enforcement actions against the trio of developers.

Posted in International/EU Privacy

European Commission Outlines Data Sharing Strategy for Connected Vehicles

Connected vehicles today are rolling computers able to exchange information wirelessly with manufacturers, other vehicles, and third-party service providers to significantly improve safety, efficiency, and comfort for drivers. Many entities are interested in the data these connected vehicles generate and transmit. These entities include dealers and repair shops, vehicle fleet service providers, end-users, infrastructure operators, diagnostics providers, researchers, financial services companies and insurance companies. The European Commission and industry actors in Europe, while recognizing the challenges of widespread deployment of these technologies, have taken further steps to develop a regime that facilitates information sharing for vehicle-to-vehicle, vehicle-to-infrastructure and other communications by delineating specific actions to take in the near future.

Posted in Health Privacy/HIPAA

Recap of the OCR/NIST Conference on Safeguarding Health Information

Representatives from government and the private sector discussed the present state of healthcare cybersecurity, and experts discussed practical strategies for implementing the HIPAA Security Rule at the ninth annual “Safeguarding Health Information: Building Assurance through HIPAA Security” conference held from October 19–20, 2016 and co-hosted by the National Institute of Standards and Technology and the Department of Health and Human Services, Office for Civil Rights. Comprehensive, enterprise-wide risk analysis and risk management practices remained points of emphasis throughout the conference. Additional themes, which we outline in this post, also emerged.