On August 18, 2025, the Department of Health and Human Services’ Office for Civil Rights (OCR) announced a settlement with BST & Co. CPAs, LLP (BST). The announcement continues OCR’s escalating enforcement of the HIPAA Security Rule, particularly around ransomware and risk analysis inadequacies.
For the OCR, this is the agency’s 15th ransomware enforcement action
As Cybersecurity Awareness Month wraps up, it’s worth mentioning that employee security awareness training is an ongoing process. Employee error remains a significant contributing factor in data breaches. According to the 2022 Verizon Data Breach Report, “74% of all breaches include the human element… error, privilege misuse, use of stolen credentials or social engineering.”
On June 16, 2023, Nevada’s Governor signed Senate Bill (SB) 370, which enacts certain protections for consumer health data.
The law is similar to Washington’s My Health, My Data Act, which was passed in April. The Future of Privacy Forum prepared a useful chart comparing the Washington and Nevada laws.
Nevada’s law
With advances in technology and business marketing come changes in the law and new litigation. Many businesses are familiar with the federal Telephone Consumer Protection Act (TCPA) but may be less familiar with Florida’s version, the Florida Telephone Solicitation Act (FTSA). A recent wave of class-action lawsuits stems from a 2021 amendments to the FTSA
In a recent opinion, Henderson v. The Source for Public Data, L.P., et al, the U.S. Court of Appeals for the 4th Circuit considered whether Section 230(c)(1) of the Communications Decency Act (CDA) – a federal law that allows social media websites to provide a forum for users to post videos or other information
California passed Assembly Bill (AB) 2089, which amends the Confidentiality of Medical Information Act (CMIA) to include mental health application information under the definition of medical information. Under the revisions to CMIA, mental health application information is defined as information related to a consumer’s inferred or diagnosed mental health or substance use disorder, as
Earlier this month, New York Governor Kathy Hochul signed into a law a bill that will require New York private sector employers to provide written notice to employees before engaging in electronic monitoring of their activities in the workplace. Civil Rights (CVR) Chapter 6, Article 5, Section 52-C*2 will take effect six months after enactment,
Here we go again! On March 15th, 2021, the California Department of Justice (“Department”) announced approval of modifications to the California Consumer Privacy Act’s (CCPA) regulations, originally introduced in December of 2020. The new regulations mainly modify provisions related to a consumer’s right to opt out of sale of their personal information, with
Recently, the National Labor Relations Board (NLRB), in a split decision 2-1, approved a California-based ambulance company’s implementation of a social media policy that prohibited employees from “inappropriate communications” related to the company. The NLRB’s ruling reversed a decision by an administrative law judge, back in October 2019, that concluded that the company’s social media
In the final days of 2020, the Office for Civil Rights (OCR) at the U.S. Health and Human Service (HHS) released a HIPAA Audits Industry Report (“the Report”), that could be quite helpful to covered entities and business associates for tackling HIPAA compliance as we enter the new year. The Report examines OCR’s findings from