Tag Archives: security

HHS OCR/ONC Announce Latest Version of Security Risk Assessment Tool

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) and the Office of the National Coordinator for Health Information Technology (ONC) have released version 3.4 of their Security Risk Assessment (SRA) Tool.

The SRA Tool is designed to help healthcare providers conduct a risk analysis as required by the HIPAA Security Rule. Identifying and assessing potential risks and vulnerabilities to electronic protected health information (ePHI) are foundational elements in the implementation of security measures that protect ePHI.… More

Privacy and Security of Genetic Information: The FTC Is Putting Privacy and Security Promises of DNA Companies to the Test

In the FTC’s first case focused on the privacy and security of genetic information, the FTC alleges that San Francisco-based Vitagene, Inc. – now known as 1Health.io – failed to live up to its promises and unfairly changed material privacy terms without customers’ consent.

After consumers paid between $29 and $259, sent a saliva sample to Vitagene, and answered an online questionnaire about their health history,… More

Expiration of COVID-19 Public Health Emergency Means the Beginning of the End for HIPAA Privacy and Security Enforcement Discretion

The Notifications of Enforcement Discretion issued under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act during the COVID-19 public health emergency expired at 11:59 pm on May 11, 2023, due to the expiration of the COVID-19 public health emergency.

As previously announced, the HHS Office for Civil Rights (“OCR”) is providing a 90-calendar day transition period for covered health care providers to come into compliance with the HIPAA Rules with respect to the provision of telehealth in particular.… More

HHS Office for Civil Rights Issues Bulletin on Requirements under HIPAA for Online Tracking Technologies to Protect the Privacy and Security of Health Information

On December 1, 2022, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services issued a bulletin to highlight the obligations of Health Insurance Portability and Accountability Act of 1996 (HIPAA) on covered entities and business associates under the HIPAA Privacy, Security, and Breach Notification Rules (“HIPAA Rules”) when using online tracking technologies.  These online tracking technologies, like Google Analytics or Meta Pixel,… More

China Adopts New Data Security Law

On June 10, 2021, China adopted a new Data Security Law that will impact every business operating in or doing business with China. The law, which will take effect in less than a month (September 1, 2021), is sweeping in scope, imposes extensive data processing obligations, and establishes potentially severe penalties for violations. Although many of the details surrounding implementation remain unclear, given the law’s extensive requirements and severe penalties for noncompliance,… More

President Biden Signs Executive Order to Improve Cybersecurity and Protect Federal Government Networks

On May 12, 2021, President Biden signed an Executive Order which is aimed at improving the nation’s cybersecurity and protecting federal government networks.  The Executive Order has been in the works for some time, but the timing of its release is a response to the Colonial Pipeline ransomware attack.

According to the Fact Sheet issued by the White House, this Executive Order will:

  • Remove barriers to threat information sharing between government and the private sector
  • Modernize and implement stronger cybersecurity standards in the Federal Government
  • Improve software supply chain security
  • Establish a Cybersecurity Safety Review Board
  • Create a standard playbook for responding to cyber incidents
  • Improve detection of cybersecurity incidents on Federal Government networks
  • Improve investigative and remediation capabilities

The overall impact of the Executive Order is limited,… More

Massachusetts AG Creates “Data Privacy and Security Division”; What Enforcement Changes Will Follow?

Massachusetts Attorney General Maura Healey recently announced the creation of the Data Privacy and Security Division within her office, with the stated goal of “protect[ing] consumers from the surge of threats to the privacy and security of their data in an ever-changing digital economy.”

The leadership of the Office of the Attorney General’s (OAG’s) privacy and security efforts will not change:  Sara Cable,… More

GDPR, CCPA and Now, the NY SHIELD Act: Additional Data Security Responsibilities for Companies Holding the Private Information of NY Residents

On March 21, 2020, the last of the features of the NY Stop Hacks and Improve Electronic Data Security Act (“SHIELD Act”) became effective:  its data security requirements.  The SHIELD Act is a sweeping statute governing individual rights relating to data breaches.  It was adopted in July 2019 and has been rolled out in the months since then:  its breach notification provisions took effect on October 23, 2019, and its data security requirements have now taken effect. … More

US Security Officials Warning of Cyber Attacks in Wake of Iran Strike

On January 4, 2020, the US Department of Homeland Security posted at National Terrorism Advisory System Bulletin, in the wake of the killing of a senior Iranian military leader by a US drone.  That DHS advisory states:

The United States designated Iran a “State Sponsor of Terrorism” in 1984 and since then, Iran has actively engaged in or directed an array of violent and deadly acts against the United States and its citizens globally.… More