We have written several times about U.S. Department of Health and Human Services Office for Civil Rights’ “HIPAA Right of Access Initiative.” In its most recent enforcement action under the Initiative, the 44th such enforcement action, the OCR investigated a complaint made against a psychotherapist concerning the alleged refusal to provide medical records. Ultimately, and even after the OCR provided “technical assistance,” the OCR claimed the covered entity still failed to provide the records.

“Under HIPAA, parents, as the personal representatives of their minor children, generally have a right to access their children’s medical records,” said OCR Director Melanie Fontes Rainer. “It should not take an individual or their parent representative nearly six years and multiple complaints to gain access to patient records.”

The settlement resulted in a $15,000 resolution amount and required compliance with a two-year corrective action plan (CAP). The CAP includes the following requirements for the solo practitioner:

  • Review and revise right to access policies within 30 days of the settlement, and review and adopt OCR-recommended changes to such policies.
  • Provide to the OCR right to access training materials within 60 days of the settlement for OCR’s review and approval.
  • Following OCR’s approval of the training materials, provide training to all employees within 30 days and annually thereafter.
  • Provide the requested records to the complainant within 15 days of the settlement.
  • Within 90 days of receiving OCR’s approval of the right to access policies and procedures, and every 90 days thereafter, submit to OCR a detailed list of requests for access received by the healthcare provider, and documentation for any denials of access.
  • In the event an employee of the provider fails to comply with the right to access policies, the provider must notify OCR within 30 days and include a description of the failure and mitigation plan.
  • Within 120 days after OCR’s approval of the provider’s right to access policies and procedures, submit to OCR a report summarizing the status of implementation.
  • Within 60 days after the end of each year of the CAP, submit to OCR an annual report regarding the healthcare provider’s compliance with the CAP.

For small providers, the HIPAA rules can be confusing; they also are more than 20 years old. So, smaller practitioners, particularly those newer to practice, simply may not be fully aware of the scope of their obligations under the HIPAA privacy, security, and breach notification rules. Compliance goes well beyond handing patients a template Notice of Privacy Practices and having a secure electronic medical record platform.

The full scope of the HIPAA rules is beyond the scope of this post, but at least for the right to access and considering the OCR’s Enforcement Initiative, here are some resources to help avoid patient complaints and an onerous OCR corrective enforcement action:

Ransomware is a scary term for many business leaders and CISOs who dread being hit with a malware attack that locks up their data and could shut down operations. They expect to find that oddly worded ransom note advising how they could recover access to their data, for a sizable fee of course. For a variety of reasons, including improved controls, backups, and a loathing for paying criminal threat actors, organizations are increasingly refusing to pay hackers.

Hackers have responded to these refusals with threats to disclose sensitive personal information online and even resorting to directly contacting the individuals whose data has been compromised.

A Wall Street Journal article this morning speaks to this disturbing trend in data breaches. Vastaamo, a psychotherapy treatment center in Helsinki, was hit with a cyberattack in 2020. The hackers exfiltrated sensitive patient mental health records of 33,000 patients and threatened to disclose them online unless Vastaamo paid the ransom – approximately 400,000 euros.

According to the article:

“When the clinic didn’t pay, the hacker pressed individual patients for payment with bullying emails…one victim said the hacker gave her 24 hours to pay around 200 euros in bitcoin, or her therapy records would be posted.”

Going directly to the affected individuals, whether they are patients, employees, students, or others, also allows the hackers to apply significant pressure on the organization to pay a much larger sum.

The decision to pay or not to pay a ransom comes with a range of critical considerations, some of which are discussed here. In the fog of an attack, with the press, government agencies, affiliates, and/or patients or other affected individuals looking to the organization for answers, working to develop an effective strategy is far more difficult. Increasing preparedness will not make this process easy; tough decisions still need to be made. But working through these kinds of scenarios and planning generally for an attack will better equip executives and the board to work through the facts of their case and make better decisions more quickly.

As noted in a prior post, New York’s Attorney General (“NYAG”) has made enforcement of the New York SHIELD Act an enforcement priority. The SHIELD Act requires organizations handling personal information related to New York residents to maintain reasonable safeguards to protect that information. Maintaining its focus on this area, the NYAG recently released a guide to help organizations strengthen their data security programs and “to put [them] on notice that they must take their data security obligations seriously, and at a minimum, take the reasonable steps outlined” in the NYAG’s guide (the “Guide”).

The Guide is based on the NYAG’s experiences in investigating and prosecuting organizations in the wake of data incidents.  It states that the NYAG received 4,000 data breach notifications in 2022 and penalized organizations millions of dollars for failing to comply with their data security obligations.

In the Guide, the NYAG recommends action in nine areas.  Specifically, it directs organizations to:

  1. Maintain controls for secure authentication to ensure only authorized individuals have access to data.
  2. Encrypt sensitive customer information.
  3. Ensure service providers use reasonable security measures.
  4. Know where the business is keeping consumer information.
  5. Guard against data leakage in web applications.
  6. Protect customer accounts impacted by data security incidents.
  7. Delete or disable unnecessary accounts.
  8. Guard against automated attacks.
  9. Provide clear and accurate notice to consumers.

The Guide recommends best practices related to each of the above recommendations and also highlights relevant cases the NYAG has investigated that implicate these areas. Additionally, it incorporates by reference guidance the NYAG issued in 2022 regarding credential stuffing attacks, which outlines four areas in which safeguards should be maintained and notes certain safeguards that may not be effective.

In light of the NYAG’s aggressive enforcement of the NY SHIELD Act, and the sharp rise in data breach-related litigation, organizations should take a close look at their data security programs – with the Guide as one reference point – to ensure they are appropriately managing risk.

If you have questions or concerns regarding your organization’s data security program, please reach out to a member of our Privacy, Data, and Cybersecurity practice group.

The Federal Trade Commission updated its “Standards for Safeguarding Customer Information” (“Safeguards Rule”) and extended the compliance deadline to June 9, 2023. Some entities still may be wondering – “Do these regulations apply to my business?” and “What do I have to do?”

Back in 2021, we provided a high-level summary of the Safeguards Rule, and reiterate some of the requirements here. It is important to note that even if your entity or business is not a “financial institution,” the Safeguards Rule lays out a framework to safeguard personal information that you might use as a guide. Businesses that are not in “heavily regulated” industries often wonder: where do we get started, and what are the best practices? The Safeguards Rule may be a place to look.

Who is Subject to the Safeguards Rule?

The Safeguards Rule applies to “financial institutions” subject to the FTC’s jurisdiction and that aren’t subject to the enforcement authority of another regulator under section 505 of the Gramm-Leach-Bliley Act. If that seems as clear as mud, it is. But the regulations and FTC guidance provide some helpful examples. There might be some entities on the list that you would expect and some you might not have expected. We list some of the examples below:

  • mortgage lenders and brokers
  • payday lenders
  • finance companies
  • account servicers
  • check cashing companies
  • wire transferors
  • collection agencies
  • tax preparation firms
  • non-federally insured credit unions
  • investment advisors that aren’t required to register with the SEC
  • a retailer that extends credit by issuing its own credit card directly to consumers
  • an automobile dealership that, as a usual part of its business, leases automobiles on a nonoperating basis for longer than 90 days
  • a personal property or real estate appraiser
  • a career counselor that specializes in providing career counseling services to individuals currently employed by or recently displaced from a financial organization, individuals who are seeking employment with a financial organization, or individuals who are currently employed by or seeking placement with the finance, accounting or audit departments of any company
  • a business that prints and sells checks for consumers
  • a business that regularly wires money to and from consumers
  • a business that operates a travel agency in connection with financial services
  • a business that provides real estate settlement

Note, entities that maintain customer information concerning fewer than 5,000 consumers are exempt from some aspects of the Safeguards Rule, such as maintaining an incident response plan. Of course, such a plan is important to have should the entity have a security incident. Also, the business may be required to have such a plan under other laws, including state law, as well as under contracts with the business’s customers.

What do we have to do?

The June 9, 2023, deadline noted above was a six-month extension of the original compliance deadline for the updated Rule. The extension generally applies to the following items:

  • designate a qualified person to oversee their information security program,
  • develop a written risk assessment,
  • limit and monitor who can access sensitive customer information,
  • encrypt all sensitive information,
  • train security personnel,
  • develop an incident response plan,
  • periodically assess the security practices of service providers, and
  • implement multi-factor authentication or another method with equivalent protection for anyone accessing customer information.

A business may not be able to tackle all of these items between now and June 9, 2023, but there are several items that could be addressed within that time. Importantly, the Safeguards Rule contemplates that not all covered financial institutions are the same. Specifically, the Rule provides that information security programs required under the Rule must contain administrative, technical, and physical safeguards that are

appropriate to your size and complexity, the nature and scope of your activities, and the sensitivity of any customer information at issue.

In short, covered financial institutions will need to address all of the applicable requirements but perhaps not to the same extent or in the same way as other covered financial institutions. Much will depend on a number of factors noted above, as well as the business’s risk assessment.

On May 1, 2023, Governor Holcomb signed Senate Bill 5, Indiana’s comprehensive privacy statute (the “Act”). The Act will become operative on January 1, 2026, and make Indiana the seventh state, after California, Colorado, Connecticut, Iowa, Utah, and Virginia, to enact a comprehensive consumer privacy statute.

Indiana beat Montana and Tennessee, which both have consumer privacy statutes pending signature by their governors.

The Act applies to persons that conduct business in Indiana or produce products or services that are targeted to residents of the state and that, during a calendar year:

  • Control or process the personal data of at least 100,000 consumers who are residents of the state, or
  • Control or process personal data of at least 25,000 consumers who are residents of the state and derive more than 50% of gross revenue from the sale of personal data.

Like other states’ comprehensive consumer privacy laws, the statute provides consumers with the right to access personal data being processed, to delete personal data, and to opt out of the sale of their personal data.

For additional information on Indiana’s new privacy statute and other data privacy laws and regulations, please reach out to a member of our Privacy, Data, and Cybersecurity practice group.

Health data privacy, including in the context of reproductive health, was strengthened last week when Washington Governor Jay Inslee signed the “My Health, My Data Act” on April 27, 2023. See our summary of the law here.

Set to take effect on March 31, 2024, the new law aims to address health data collected by entities not covered by the federal Health Insurance Portability and Accountability Act (HIPAA).

Washington is not alone in considering more in-depth health data protections in the wake of the recent U.S. Supreme Court decisions pertaining to reproductive health.

Nevada’s legislature recently passed Senate Bill (SB) 370. Similar to the Evergreen State, the Nevada bill would prescribe protections for consumer health data that is maintained and used by entities not covered by HIPAA.

California is also considering Assembly Bill (AB) 354, which would amend the state’s Confidentiality of Medical Information Act to include protection for consumers’ reproductive or sexual health information collected by a reproductive or sexual health digital service.

For additional information on Washington’s new privacy statute and other data privacy laws and regulations, please reach out to a member of our Privacy, Data, and Cybersecurity practice group.

Since the privacy and security regulations were issued under the federal Health Insurance Portability and Accountability Act (HIPAA), critics have pointed to the limitations on the reach of those rules. A critical limitation advanced by privacy advocates is that the popular health data privacy rule extends only to certain covered entities and their business associates, not to health data generally. On April 17, 2022, Washington’s legislature passed House Bill 1155, also known as the My Health, My Data Act. The bill aims to address health data collected by entities not covered by HIPAA, including certain apps and websites.

If signed by the governor, most sections of the law would take effect on March 31, 2024, though certain parts of the legislation may take effect sooner.

When would the law apply?

A “regulated entity” for purposes of the law is defined as an entity that:

  • Conducts business in the State of Washington, or produces or provides products or services that are targeted to consumers in Washington, and
  • Alone or jointly with others, determines the purposes and means of collecting, processing, sharing, or selling consumer health data.

The legislation creates a subgroup of regulated entities, known as “small businesses,” largely to provide a few more months to comply. Small businesses are regulated entities that satisfy one or both of the following thresholds:

  • Collects, processes, sells, or shares consumer health data of fewer than 100,000 consumers during a calendar year; or,
  • Derives less than 50 percent of gross revenue from the collection, processing, selling, or sharing of consumer health data and controls, processes, sells, or shares consumer health data of fewer than 25,000 consumers.

Who is protected by the law?

Under the legislation, a protected consumer is defined as a natural person who is a Washington resident or a natural person whose consumer health data is collected in Washington.

A consumer is only protected for actions taken as an individual or on behalf of a household and does not include actions taken by an individual acting in an employment context.

What data is protected by the law?

The law would protect “consumer health data,” defined as personal information that is linked or reasonably linkable to a consumer and that identifies the consumer’s past, present, or future physical or mental health status. Health status includes but is not limited to the following:

  • Individual health conditions, treatment, diseases, or diagnosis
  • Social, psychological, behavioral, and medical interventions
  • Health-related surgeries or procedures
  • Use or purchase of prescribed medications
  • Bodily functions, vital signs, symptoms, or measurements of health-related functions
  • Diagnoses or diagnostic testing, treatment, or medication
  • Gender-affirming care information
  • Reproductive or sexual health information
  • Biometric data
  • Genetic data
  • Precise location information that could reasonably indicate a consumer’s attempt to acquire or receive health services and supplies
  • Data that identifies a consumer seeking health care services

What are the rights of consumers?

Under HIPAA, individuals have several rights with respect to their protected health information (PHI). These rights include the right to authorize disclosures in certain contexts (and revoke those authorizations), to request an amendment, to request an accounting of disclosures, to request a restriction on use and disclosure, and to be notified of a breach. The Washington legislation would provide consumers with the right to:

  • Confirm whether their consumer health data is being collected, shared, or sold, including a list of all third parties and their affiliates to whom the data has been shared and their contact information.
  • Consent to or deny collection or sharing of health data.
  • Withdraw consent from a regulated entity or small business to collect or share health data.
  • Delete health data collected by a regulated entity or small business, including on archived or backup systems.
  • Be provided clear and conspicuous disclosure of rights to consent or deny collection or sharing of health data.

The provisions concerning the administration of these rights look a lot like the provisions in the California Consumer Privacy Act (CCPA) and other recently enacted state comprehensive data privacy laws.

What obligations do businesses have?

The Washington law would add to the growing compliance burden on company websites, as it would require regulated entities and small businesses to maintain a consumer health data privacy policy prominently on their homepages. That policy must clearly and conspicuously disclose:

  • Categories of consumer health data collected and the purpose for which the data is collected.
  • Categories of sources from which the consumer health data is collected.
  • Categories of consumer health data that are shared.
  • A list of the categories of third parties and specific affiliates with whom consumer health data is shared.
  • How a consumer can exercise the rights provided under the law.

This too is very similar to obligations under the CCPA. Regulated entities and small businesses may not discriminate against a consumer for exercising any rights included under the law. They also must respond to requests from consumers to withdraw consent to collect or share health data. Moreover, they must respond to requests from consumers to delete their consumer health data. The law also would mandate contracts be in place with processors of consumer health data and codify specific data security obligations for regulated entities and small businesses, including specific access management requirements.

Additionally, the law would make it unlawful for “any person” (apparently not just regulated entities or small businesses) to implement a geofence around an entity that provides in-person health care services where such geofence is used to: (1) Identify or track consumers seeking health care services; (2) collect consumer health data from consumers; or (3) send notifications, messages, or advertisements to consumers related to their consumer health data or health care services.

How is the law enforced?

Under the new legislation, violations of the requirements for health care data would be enforceable either by prosecution by the State Attorney General’s Office or by private actions brought by affected consumers.

For additional information on Washington’s new privacy statute and other data privacy laws and regulations, please reach out to a member of our Privacy, Data, and Cybersecurity practice group.

On March 21, 2023, Virginia’s governor approved Senate Bill 1040, which prohibits an employer from using an employee’s social security number or any derivative as an employee’s identification number. The bill also prohibits including an employee’s social security number or any number derived from the social security number on any identification card or badge.

An employer who knowingly violates the new law may be subject to a civil penalty not to exceed $100 for each violation. However, the employer shall be provided notice of the violation by the state Commissioner and the employer can request an informal conference regarding the violation.

The bill takes effect on July 1, 2023.

Virginia joins other states with similar prohibitions, such as New York, and federal law.

If you have questions about Virginia’s bill or the protection of employees’ social security numbers, contact a Jackson Lewis attorney to discuss.

The Indiana Legislature is poised to pass Senate Bill 5, a comprehensive privacy statute (the “Act”), and send it on to the Governor. Once signed, the Act will become operative on January 1, 2026, and make Indiana the seventh state, after California, Colorado, Connecticut, Iowa, Utah, and Virginia to enact a comprehensive consumer privacy statute.

Key Elements

Similar to the Colorado Privacy Act (CPA) and the Virginia Consumer Data Privacy Act (VCDPA), the Act was modeled in part on the CCPA, CPRA, and the EU General Data Protection Regulation (GDPR). But there are some variations. Key elements of the UCPA include:

When does the Act apply? The Act applies to persons that conduct business in Indiana or produce products or services that are targeted to residents of the state and that, during a calendar year:

  • Control or process personal data of at least 100,000 consumers who are residents of the state, or
  • Control or process personal data of at least 25,000 consumers who are residents of the state and derive more than 50% of gross revenue from the sale of personal data.

Are there exemptions? Persons not subject to the Act include Indiana and its state agencies, third-party contractors of the state and such agencies acting on their behalf (but only with respect to such contracts), financial institutions, HIPAA-covered entities and business associates, not-for-profit organizations, institutions of higher education, and public utilities.

Who is protected under the Act? The Act protects the personal information of a “consumer,” defined as an individual who:

  • Is a resident of the state, and
  • Is acting only for personal, family, or household purposes.

Like the recently passed Iowa statute, Indiana excludes individuals acting in a commercial or employment context from its definition of consumer.

What “personal data” is protected under the Act? Under the Act, personal data is defined broadly as information that is linked or reasonably linkable to an individual. The definition excludes de-identified data, aggregate data, or publicly available information.

What rights do consumers have under the Act? The Act provides consumers with the following rights:

  • The right to request confirmation of whether a business is processing their personal data and related information.
  • The right to access their personal data upon request.
  • The right to correct information a company possesses.
  • The right to delete personal information obtained by businesses.
  • The right to opt out of the processing of personal data for purposes of targeted advertising, sale of personal data, or certain profiling activities.

The rules surrounding the administration of these rights pull from similar language in the other state privacy laws – a 45-day period to respond, a verification requirement, and a right to appeal a controller’s adverse decision concerning a consumer right request.

What obligations do covered persons have?

The Act lays out a list of obligations for controllers which generally track the laws in the other states. Without limitation, controllers must:

  • limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed,
  • establish, implement, and maintain reasonable administrative, technical, and physical security practices to protect the confidentiality, integrity, and accessibility of personal data,
  • not discriminate against a consumer for exercising rights under the Act,
  • not process sensitive data without the consumer’s consent,
  • provide consumers with a privacy notice that explains, among other things, the categories of personal data the controller processes and shares with third parties, and
  • provide consumers the opportunity to opt out of the sale of personal data and explain the means to exercise these and other rights under the Act.

For processing activities created or generated after December 31, 2025, controllers need to conduct and document impact assessments for certain processing activities, such as the sale of personal data and the processing of sensitive data. In short, these assessments must weigh the benefits of the processing and the risks to the consumer, considering risk mitigation efforts by the controller.

With respect to processors, the Act requires they adhere to the instructions of controllers, such as assisting the controller with responding to consumer requests. Contracts between controllers and processors must include certain provisions, such as instructions for processing personal data and the nature and duration of the processing. Other required provisions include (i) a requirement for processors to make available all information in the processor’s possession to demonstrate the processor’s compliance with the Act, (ii) cooperating with reasonable assessments of compliance by the controller (or arranging for a qualified and independent assessor), and (iii) obligating the processor to push the Act’s required provisions down to the processor’s subcontractors.

How is the law enforced, any private right of action? Unlike the CCPA, Indiana’s statute does not include a private right of action for consumers. In fact, the Act states that “[n]othing in [the Act] shall be construed as providing the basis for a private right of action for violations of this article or any other law.” Instead, the state attorney general will have exclusive enforcement authority. Businesses that are found to have violated the law may face fines of up to $7,500 per violation.

For additional information on Indiana’s new privacy statute and other data privacy laws and regulations, please reach out to a member of our Privacy, Data, and Cybersecurity practice group.

On April 6, 2023, the New York City Department of Consumer and Worker Protection (“Department”) issued its Final Rules regarding automated employment decision tools (“AEDT”). As previously reported, New York City’s AEDT law, Local Law 144 of 2021, prohibits employers and employment agencies from using AEDT unless:

  • The tool has been subjected to a bias audit within a year of the tool being used or implemented;
  • Information about the bias audit is made publicly available; and,
  • Certain written notices have been provided to employees or job candidates.

Read the full article on Jackson Lewis’ Data Intelligence Reporter.