Archives: Information Risk

Subscribe to Information Risk RSS Feed

More OCR Guidance on COVID-19 and HIPAA Relief – Business Associates

The Office for Civil Rights (OCR) has been moving swiftly to provide guidance on addressing key regulatory issues to aid in the fight to contain and defeat COVID-19. Some of the latest developments include exercising its enforcement discretion on certain good faith disclosures of protected health information (PHI) by business associates, adding FAQs for telehealth … Continue Reading

HIPAA Privacy Rule Waiver, Other Medical Information Questions During the COVID-19 Pandemic

As the coronavirus spreads across the globe and in the United States, providers, businesses, employers, and others are struggling to understand what medical information they can collect and what information they can share. These are difficult questions the answers to which involve considering factors such as long-standing compliance requirements (e.g., HIPAA, ADA, GINA, state law), … Continue Reading

Work-From-Home Checklist During the Coronavirus Pandemic

The debate over working from home continues, reaching a high point in 2013 when Marissa Mayer, then CEO of Yahoo, sought to curb the practice. However, as the Coronavirus continues to spread across the U.S., more companies are instructing their employees to work-from-home as a social distancing technique to help contain the spread and remain … Continue Reading

New York SHIELD Act FAQs

Over the past few months, businesses across the country have been focused on the California Consumer Privacy Act (CCPA) which dramatically expands privacy rights for California residents and provides a strong incentive for businesses to implement reasonable safeguards to protect personal information. That focus is turning back east as the Stop Hacks and Improve Electronic … Continue Reading

What Does Phishing Have to do with Coronavirus?

As announcements relaying the spread of Coronavirus (COVID-19) continue daily, governmental agencies at all levels are offering information and guidance, and businesses are scrambling to prepare and protect their employees and customers. As part of a larger group in my firm helping to synthesize all this information, there is an aspect of responding to COVID-19 … Continue Reading

New York Adopts New Data Security and Privacy Regulations for Schools and Their Vendors

We observed in a post on this blog that government agencies, businesses, hospitals, universities and school districts are frequent targets of data breaches that can affect millions of individuals.   Cyberattacks on school districts continue to appear in the news. In January, students in the Pittsburg Unified School District (California) were left without internet access as … Continue Reading

CA Attorney General Updates CCPA Proposed Regulations

Many businesses and their service providers have been awaiting final guidance from the California Attorney General concerning the California Consumer Privacy Act (CCPA). When news came last Friday of a regulatory update (“Update”), there may have been some initial disappointment that the Update did not announce final regulations, but only revisions to existing proposed regulations … Continue Reading

CCPA Data Breach Class Action Litigation Begins

As reported by Bloomberg Law, data breach class action litigation has begun under the California Consumer Privacy Act (CCPA). Filed in the Northern District of California, San Francisco Division, a putative class action lawsuit against Hanna Andersson, LLC and its ecommerce platform provider, Salesforce.com, alleges negligence and a failure to maintain reasonable safeguards, among other … Continue Reading

Health Plan Sponsors – Have You Updated Your Vendor Agreements for Substance Use Disorder (SUD) Confidentiality Regulations?

Employers that sponsor group health plans (medical, dental, vision, HFSA) are used to negotiating detailed administrative services agreements with vendors that provide services to those plans. Many also are familiar with “business associate agreements” required under HIPAA that must be in place with certain vendors, such as third-party claims administrators (TPAs), wellness program vendors, benefits … Continue Reading

Privacy & Cybersecurity Issues to Watch in 2020

2020 may very well be the most impactful year for data privacy and cybersecurity in the United States. In honor of Data Privacy Day, we discuss some of the reasons why that may be the case. In short, as privacy and cybersecurity risks continue to emerge for organizations large and small, the law is beginning … Continue Reading

Coronavirus Raises Privacy Concerns for Healthcare Providers and their Workers

The outbreak of a new coronavirus that is believed to have began in central Chinese city of Wuhan and now appears to be spreading to the United States is driving concerns for organizations around preparedness regarding their operations, their customers, and their employees. Both the Center for Disease Control and Prevention (CDC) and the State … Continue Reading

Websites: A Growing Compliance Concern – CCPA, HIPAA, Accessibility, State Laws…

Websites play a vital role for organizations. They facilitate communication with consumers, constituents, patients, employees, and the general public. They project an organization’s image and promote goodwill, provide information about products and services and allow for their purchase. Websites also inform investors about performance, enable job seekers to view and apply for open positions, and … Continue Reading

Personal Information, Private Information, Personally Identifiable Information…What’s the Difference?

When privacy geeks talk “privacy,” it is not uncommon for them to use certain terms interchangeably –personal data, personal information, personally identifiable information, private information, individually identifiable information, protected health information, or individually identifiable health information. They might even speak in acronyms – PI, PII, PHI, NPI, etc. Blurring those distinctions might be OK for … Continue Reading

Professional Tax Preparers – You Need A Written Information Security Plan, Says the IRS and FTC

Tax season soon will soon be upon us and many not-so-eager taxpayers will share sensitive personal information about themselves, their dependents, their employees, and others with their trusted professional tax preparers for processing. What many of these preparers might not realize is that federal law and a growing number of state laws obligate them to … Continue Reading

CCPA Update: AG Announces Proposed Regulations, Governor Signs Amendments into Law

Lots of action for the California Consumer Privacy Act (CCPA) in the last few days! After much anticipation, on October 10th, 2019, California Attorney General Xavier Becerra (“the AG”) announced the Proposed Regulations for the CCPA.  The next day, California Governor Gavin Newsom signed into law six amendments to the CCPA. Below is a summary of … Continue Reading

Response to Yelp Review Costs Small Dental Practice $10,000 and Two Years of Monitoring to Settle HIPAA Complaint

No business likes to receive bad reviews on Yelp® or anywhere else in social media. When they do, some feel the need to respond to clarify or rebut the reviews, but they must do so carefully. This is particularly true for HIPAA covered entities, as their responses could include protected health information (PHI). A recent … Continue Reading

OCR Recognizes Insider Threats to HIPAA PHI, You Should Too

As we have observed here, news reports of security risks, hackings and breaches caused by individuals, terror groups or even countries around the world certainly are important and can be unsettling. But, for many organizations, including healthcare providers and business associates, a significant and perhaps more immediate area of data risk is malicious insiders. On … Continue Reading

Expansion of Technology at K-12 Schools Comes with Data Security Risks for Students and Parents

A new school year is upon us and some students are already back at school. Upon their return, many students may experience new technologies and equipment rolled out by their schools districts, such as online education resources, district-provided equipment, etc. to enhance the education they provide and improve district administration. However, a recent report, “The State … Continue Reading

Licensed by Your State’s Insurance Commissioner? Comprehensive Data Security Requirements Are Headed Your Way

Most businesses in the insurance industry have one thing in common – they collect and maintain significant amounts of sensitive, nonpublic information including personal information. Not surprisingly, insurance-related businesses are a target of cyberattacks and a few have faced some of the largest data breaches reported to date. Beyond the headlines, however, small and mid-sized … Continue Reading

Healthcare Organizations, Is Your Patient Portal Secure?

Co-author: Valerie Jackson While healthcare organizations are embracing new technologies such as patient portals, a recent report shows that organizations’ cybersecurity measures for these technologies are behind the times. A patient portal is a secure online website that allows patients to access their Electronic Health Record from any device with an Internet connection. Many patient … Continue Reading

New York Enacts the SHIELD Act

On Thursday, New York Governor Andrew Cuomo signed into law the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act), sponsored by Senator Kevin Thomas and Assemblymember Michael DenDekker. The SHIELD Act, which amends the State’s current data breach notification law, imposes more expansive data security and data breach notification requirements on companies, in … Continue Reading

Illinois’ Attorney General Wants to Know About Data Breaches

Possibly adding to the list of states that have updated their privacy and breach notification laws this year, the Illinois legislature passed Senate Bill 1624 which would update the state’s current breach notification law to require most “data collectors,” which includes entities that, for any purpose, handle, collect, disseminate, or otherwise deal with nonpublic personal information, to notify … Continue Reading

Upward Trend in Cyberattacks Targeting Senior Executives

Verizon recently published its 2019 Data Breach Investigations Report. This report is the 12th edition and contains an analysis of 41,686 security incidents with 2,013 confirmed breaches from 73 sources, including public and private entities. Included among its many findings, the report found high-level executives are twelve times more likely to be the target of … Continue Reading

Senate Committee Blocks CCPA Bill to Expand Private Right of Action

The California Senate Appropriations Committee recently blocked a bill that would expand a private right of action under the California Consumer Privacy Act (CCPA). As we reported, in late February, California Attorney General Xavier Becerra and Senator Hannah-Beth Jackson introduced Senate Bill 561, legislation intended to strengthen and clarify the CCPA. Then in April, the Senate … Continue Reading
LexBlog