On July 8, 2010, the Department of Health and Human Services (“HHS”) issued a notice of proposed rulemaking (“NPRM” or “proposed rule”)1 modifying the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy, Security, and Enforcement Rules2 pursuant to the Health Information Technology for Economic and Clinical Health Act (“HITECH”), which was enacted February 17, 2009 as part of the American Recovery and Reinvestment Act of 2009, Pub. L. 111-5.
Monthly Archives: July 2010
HHS Issues a Notice of Proposed Rulemaking to Modify the HIPAA Privacy, Security, and Enforcement Rules
Earlier today, the Department of Health and Human Services announced proposed modifications to the HIPAA Privacy Rules, calling them the most significant changes in HIPAA since 2003, when the HIPAA Security Rules were adopted. The propose changes include:
- provisions extending the applicability of certain of the Privacy and Security Rules’ requirements to the business associates of covered entities;
- establishing new limitations on the use and disclosure of protected health information for marketing and fundraising purposes;…
On July 6, 2010, Connecticut Attorney General Richard Blumenthal announced a settlement with Health Net and its affiliates (Health Net of the Northeast, Inc., Health Net of Connecticut Inc., and parent companies UnitedHealth Group Inc. and Oxford Health Plans.) of a suit that cited failure to secure private patient medical records and financial information on nearly a half million Connecticut enrollees and promptly notify consumers endangered by the breach.… More
According to a report in the Boston Globe, TJX has settled a lawsuit brought by the Louisiana Municipal Police Employees’ Retirement System, a TJX stockholder, which had alleged that the TJX board of directors failed to protect customers’ personal data, apparently in connection with Alberto Gonzalez breach. Bloomberg News has reported the case was settled for $595,000 in legal fees and an agreement regarding enhanced oversight of customer files. … More
In late June, the Centers for Medicare & Medicaid Services (“CMS”) proposed new rules for hospitals that would entitle patients to choose their own visitors during a hospital stay, including visitors who are same-sex domestic partners. These proposed rules stem from the April 15, 2010 Presidential Memorandum on Hospital Visitation issued to the Secretary of Health and Human Services.
The proposed rules would require every hospital to have written policies and procedures detailing patients’ visitation rights,… More
In a federal court case decided earlier this year, United States v. Ahrndt, the court held that an individual had no reasonable expectation of privacy in the use of an unsecured wireless network. The details of this decision are instructive for those still looking at questions of network privacy and security.
This case had its start in 2007, when a woman referred to as JH was using her personal computer at her home in Oregon.… More
A recent article in the Wall Street Journal suggests that "top-tier venture-capital firms" have invested in start-up businesses in the privacy space in recent months. This could be a sign that the so-called "smart money" sees data privacy and security as a viable long-term industry, and not this decade’s version of Y2K. It seems likely that were are due for a long-term presence of privacy and security protection in our business and private lives. … More
On June 25, 2010, federal district court judge Reggie B. Walton of the United States District Court for the District of Columbia entered a stipulated court order (.pdf) directing the Federal Trade Commission (FTC) to delay enforcement of the FTC’s Red Flags Rule against doctors and medical practices represented by the American Medical Association (AMA) and American Osteopathic Association. The FTC and AMA agreed to this delay in a Joint Stipulation (.pdf),… More
This week, the Center for Democracy & Technology (CDT) submitted a complaint (.pdf) to the Federal Trade Commission (FTC) alleging that the data broker website Spokeo was violating federal financial privacy law by not taking adequate safeguards to protect consumers. Spokeo is a website that bills itself as a search engine that allows users the ability to look up “people-related information from phone books,… More