HHS recently entered into a $3.5 million settlement agreement with a health care provider (the “Provider”) on behalf of five entities under its common ownership and control for violations of the HIPAA privacy and security rules. Each of the five entities constituted a “covered entity” under HIPAA. In 2013, the Provider filed five breach reports with HHS, each of which pertained to a separate incident that implicated the “electronic protected health information” (“EPHI”) of one of those covered entities. HHS’s subsequent investigation of the breaches revealed a number of violations of the HIPAA privacy and security rules, including that certain of the covered entities: failed to conduct an accurate and thorough risk analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of EPHI; provided unauthorized access to EPHI for a purpose not permitted by the HIPAA privacy rules; failed to implement policies and procedures to address security…
The U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) recently announced a $2.5 million HIPAA privacy and security settlement with CardioNet, a wireless health services provider and covered entity under HIPAA, based on CardioNet’s impermissible disclosure of unsecured electronic protected health information (“EPHI”). The disclosure occurred when a laptop computer belonging to a member of CardioNet’s workforce, which contained the unsecured EPHI of 1,391 individuals, was stolen from a parked vehicle outside of the workforce member’s home. CardioNet reported the breach to OCR and an investigation ensued, pursuant to which OCR determined that (i) CardioNet did not have a sufficient risk analysis and risk management process in place at the time of the theft, (ii) CardioNet had never actually implemented its draft policies and procedures for compliance with HIPAA’s security rules, and (iii) CardioNet was unable to produce any final policies or procedures regarding the implementation…
The U.S. Department of Health and Human Services (“HHS”) recently issued an interim final rule (the “HHS Rule”), which sets out inflation adjustments to the civil monetary penalty (“CMP”) amounts that HHS is authorized to assess or enforce, including for violations of the HIPAA privacy and security rules. The HHS Rule was issued for compliance with the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015, which was enacted on November 2, 2015 (the “2015 Act”). The 2015 Act requires federal agencies to (i) adjust the level of CMP amounts with an initial “catch-up” adjustment and (ii) make subsequent annual adjustments for inflation. The HIPAA CMP amounts had not been adjusted since 2009. Under the HHS Rule, HIPAA CMP amounts are increased by 10.2% for violations of the HIPAA privacy or security rules by a covered entity or a business associate, as follows: Prior $…
The U.S. Department of Health and Human Services (“HHS”) issued guidance explaining that for purposes of the HIPAA privacy rule, the term “spouse” includes individuals who are in a legally valid same-sex marriage sanctioned by a state, territory, or foreign jurisdiction; the term “marriage” includes both same-sex and opposite-sex marriages; and the term “family member” includes dependents of those marriages. Legally married same-sex spouses, regardless of where they live, are family members for the purposes of applying rules permitting HIPAA covered entities to share an individual’s protected health information with a family member of the individual. The HHS guidance can be found here.
Two Covered Entities Settle Potential Violations of HIPAA Privacy and Security Rules For Approximately $2 Million
The U.S. Department of Health and Human Services (“HHS”) recently announced resolution agreements (“RAs”) with two covered entities, a health care provider and an insurer, under HIPAA’s privacy and security rules (the “Rules”), requiring combined payments of approximately $2 million to settle potential violations of the Rules. Both RAs stemmed from investigations conducted by HHS as a result of breach notifications the covered entities submitted to report the thefts of laptop computers containing unencrypted electronic protected health information (“ePHI”). Apart from the settlement payments, the RAs impose two-year corrective action plans, including the performance of risk analysis, implementation of risk management plans and training, and periodic follow-up activities with HHS. Although failure to encrypt ePHI is not a per se violation of the Rules, the HHS news release regarding the RAs underscores HHS’s view that unencrypted laptops and other mobile devices pose significant risks to the security of ePHI,…
This article in Lawyers.com explores the Washington State privacy act after the Court of Appeals in Washington rejected an argument that the state’s use of his text messages violated the privacy act. Providing commentary in the piece is Haynes and Boone, LLP Partner David Siegal.
Apple should be celebrating. Its App Store recently exceeded 2 billion downloads. Over 600,000 apps are now available for the iPhone, iPad and iPod Touch. Yet, continuing claims of fraud surely dampen any celebration and threaten to sour the App Store’s reputation as a secure marketplace. The New York Times recently shared Ryan Matthew Pierson’s story. In about an hour, Mr. Pierson’s iTunes account was charged $437.71 for virtual currency that he could use to buy guns, nightclubs and cars in iMobsters, a popular iPhone game. The problem is, Mr. Pierson has never played the game. He was the victim of fraud. Unfortunately, Mr. Pierson is not alone. Hundreds of others have complained that the App Store is not secure. Consumers are not the sole victims of this fraud. Developers lose hundreds of thousands of dollars to App Store fraud. Compounding their problems is consumers’ perception that developers are to blame…
If not done properly, gathering personal data from gamers can bring game developers into the legal crosshairs. For instance, an iPhone game player recently sued game developer Storm8 for allegedly collecting phone numbers without permission from players who downloaded Storm8’s games from the iTunes app store. The complaint alleges that the game software automatically collects and transmits the iPhone telephone number of each player back to Storm8, in violation of the Computer Fraud and Abuse Act and California state laws. Back in August, reports surfaced that Storm8’s games transmitted players’ wireless numbers back to the company’s servers. Storm8 responded that previous versions of the game software had a bug that has since been fixed. The lawsuit’s objective appears to be an injunction barring Storm8 from collecting phone numbers in the future. However, even if Storm8 engaged in some unauthorized data gathering, the player still may not have a legally recognizable…
Massachusetts is on track to become the first state to mandate that game companies (and other companies) storing the personal information of state residents must comply with specific data security practices. Massachusetts enacted a data protection statute on October 31, 2007, authorizing the Massachusetts Office of Consumer Affairs and Business Regulation (“OCABR”) to develop regulations implementing the statute. OCABR has now issued regulations set to go into effect on January 1, 2010. These regulations require game companies (regardless of where a company is located) to comply with certain administrative and computer security requirements when storing or transferring personal information that has been gathered from gamers or company employees living in Massachusetts. Under the regulations, game companies must create and follow a security program that includes, among other things, assignment of personnel to oversee and update the security program, identification of all records containing personal information, identification of security risks to those…