Tag Archives: enforcement

HHS Office for Civil Rights Announces the Expiration of COVID-19 Public Health Emergency HIPAA Enforcement Discretion 

Like many regulatory standards, enforcement of HIPAA was relaxed as part of the COVID-19 pandemic response.  With the end of the public health emergency declaration on May 11, 2023, the broad relaxed HIPAA enforcement also will be coming to an end.

“OCR exercised HIPAA enforcement discretion throughout the COVID-19 public health emergency to support the health care sector and the public in responding to this pandemic,” said Melanie Fontes Rainer,… More

Massachusetts AG Creates “Data Privacy and Security Division”; What Enforcement Changes Will Follow?

Massachusetts Attorney General Maura Healey recently announced the creation of the Data Privacy and Security Division within her office, with the stated goal of “protect[ing] consumers from the surge of threats to the privacy and security of their data in an ever-changing digital economy.”

The leadership of the Office of the Attorney General’s (OAG’s) privacy and security efforts will not change:  Sara Cable,… More

Enforcement of HIPAA Rules for Telehealth Relaxed Due to COVID-19 Public Health Emergency

On Friday, March 20, 2020, the Department of Health and Human Services Office for Civil Rights (“OCR”) announced it will “exercise its enforcement discretion and will not impose penalties for noncompliance with the regulatory requirements under the HIPAA Rules against covered health care providers in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency.  This notification is effective immediately.”… More

HHS to Reduce Top HIPAA Fines Based on “Level of Culpability”

In a Notification of Enforcement Discretion Regarding HIPAA Civil Money Penalties issued on April 23, 2019, the Department of Health and Human Services (HHS) exercised “its discretion in how it applies HHS regulations concerning the assessment of Civil Money Penalties (CMPs) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as such provision was amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act” to reduce the maximum annual fines it will impose for HIPAA violations.… More

DNC Sues Russia, the Trump campaign, Wikileaks

It’s probably not going to change anything, but the Democratic National Committee has sued Russia (and members of the Russian establishment), members of the Trump campaign, and Wikileaks regard the 2016 election security breaches.  The DNC’s complaint includes almost every claim imaginable in response to a hacking incident.  If nothing else, it’s a good model for lawyers to crib from. More

Settlement Offers Guidance on What “Reasonable” Security Means Under COPPA

The FTC’s COPPA Guidance does an admirable job explaining the basics of what a business needs to do to comply with COPPA, but is vague as to how a business must protect personal information collected from children. The COPPA Guidance requires that a company use “reasonable procedures” to protect such information from unauthorized access or use, but does not explain what “reasonable procedures” means. This is,… More

AG Healey Issues Guidance to Schools and Health Care Providers on Immigration Enforcement Issues

In the wake of several executive orders on immigration, ICE—the federal agency responsible for enforcing the nation’s immigration laws—has ramped up enforcement activities. As a result, local public school districts and health care providers in Massachusetts have asked the Attorney General about their rights and obligations with respect to the undocumented students and patients they serve. On May 22, 2017, the AG issued comprehensive guidance to answer their questions.… More

Which U.S. Businesses Must Comply with EU Data Protection laws?

What the recent Amazon decision tells us

On 28 July 2016, the European Court of Justice rendered a decision in a dispute between an Austrian Consumer Protection organization known as VKI (Verein für Konsumenteninformation) and Amazon EU Sàrl, a subsidiary of Amazon registered in Luxembourg. The main issue in this case is whether Amazon General Conditions were enforceable under Consumer Law; however; one of the questions referred to the European Court was about the territorial scope (Article 4) of the 95/46/EC Directive on Data Protection.… More

At Long Last, US-EU Privacy Shield Adopted By EU Member States

Key takeaways:

  • The Privacy Shield will now go into effect.
  • The preliminary start date for companies to be certified under the Privacy Shield is August 1, 2016.
  • Expect more challenges to the Privacy Shield before all is said and done.

The Details:

Following the invalidation of the US-EU Safe Harbor by the European Court of Justice in the Schrems case,… More

OCR Releases Video Guidance on Provision of Medical Records

The summer movie season is now officially in full swing, with the release of three informational videos regarding HIPAA and the right of individuals to access their medical records, published by the Office of Civil Rights of the Department of Health and Human Services. 

The video trilogy, and accompanying infographic, are the eagerly-awaited sequel to OCR’s guidance “Individuals’ Right under HIPAA to Access their Health Information 45 CFR § 164.525,” issued earlier this year. … More