PRIVACY + SECURITY BLOG

News, Developments, and Insights

high-tech technology background with eyes on computer display

The M.D. Anderson Case and the Future of HIPAA Enforcement

HIPAA Enforcement MD Anderson Case 02

The U.S. Court of Appeals for the 5th Circuit just issued a blistering attack on HIPAA enforcement by the U.S. Department of Health and Human Services (HHS). In University of Texas M.D. Anderson Cancer v. Department of Health and Human Services (No. 19-60226, Jan. 14, 2001), the 5th Circuit struck down a fine and enforcement […]

Read More…

The FTC Zoom Case: Does the FTC Need a New Approach?

Co-authored by Prof. Woodrow Hartzog It was inevitable. On Monday, Zoom joined an exclusive club of tech companies – Facebook, LinkedIn, Twitter, Microsoft, Google, Uber, Snap, and more. This club involves companies that have been under a Federal Trade Commission (FTC) consent decree. In a weird sense, for tech companies, being enforced against by the FTC […]

Read More…

First OCR Enforcement of HIPAA’s Right of Access

HIPAA Right to Access

Days after my recent blog post on the HIPAA Right of Access, the OCR released details of their first enforcement action for violation of the Right of Access. The complaint, received in August 2018, involved a mother who waited over 9 months to receive prenatal records from Bayfront Health in St. Petersburg.  She requested the […]

Read More…

The FTC Can Rise to the Privacy Challenge, but Not Without Help From Congress

FTC

Over at Lawfare, I have an essay co-authored by Chris Hoofnagle and Woodrow Hartzog called The FTC Can Rise to the Privacy Challenge, but Not Without Help From Congress.  This piece is also posted at the Brooking Institution’s TechTank.  The essay begins: Facebook’s recent settlement with the Federal Trade Commission (FTC) has reignited debate over whether the […]

Read More…

A Major Move to Weaken HIPAA

HIPAA Penalties Reduced

Quietly, at the end of April, HIPAA was significantly weakened.  HHS published what sounds like an innocuous notification in the Federal Register: Notification of Enforcement Discretion Regarding HIPAA Civil Money Penalties.  This notification is actually an enormous change to the HIPAA penalty structure, a drastic reduction in HIPAA fines. The existing penalty structure under HIPAA […]

Read More…

HIPAA Enforcement 2018

HIPAA Enforcement 2018 - TeachPrivacy HIPAA Training 02

Last year was a record-setting year for HIPAA enforcement.  On HHS’s website, OCR has touted its 2018 enforcement: OCR has concluded an all-time record year in HIPAA enforcement activity.  In 2018, OCR settled 10 cases and secured one judgment, together totaling $28.7 million. This total surpassed the previous record of $23.5 million from 2016 by […]

Read More…

Increasing State HIPAA Enforcement: Highlights from 2018

State HIPAA Enforcement - increasing 02

There have been quite a number of state HIPAA enforcement cases this year, and one expert points out a trend toward increasing state enforcement of HIPAA. An article in Data Breach Today discusses a number of state HIPAA enforcement cases.  Here are some of the ones discussed: Massachusetts — $75,000 settlement with McLean Hospital for […]

Read More…

The Robocall Wars: The Rise of Robocalls and the TCPA Robocall Cops

Robocalls and the TCPA Robocall Cops 02

Move over robocop, there’s a new constable in town — the robocall cop. In the past decade, robocalls have surged.  There has also been a dramatic rise in litigation about these calls under the Telephone Consumer Protection Act (TCPA). The TCPA litigation is led by a small group of serial litigators, people who have assumed the […]

Read More…

HIPAA Enforcement: Employee Access and BAAs Matter

HIPAA Enforcement - Employee Access 01

Pagosa Springs Medical Center (PSMC) has agreed to pay $111,400 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) for an alleged violation of HIPAA. OCR found that the company failed to deactivate a former employee’s access to a web-based calendar that contained the protected health information […]

Read More…

Largest COPPA Penalty Ever – NY AG Settles with Oath (Formerly AOL)

COPPA - TeachPrivacy Privacy Awareness Training 01

On December 4, 2018, New York Attorney General Barbara D. Underwood announced a $4.95 million settlement with Oath, Inc. (formerly known as AOL), for violating the Children’s Online Privacy Protection Act (COPPA). This is the largest penalty in a COPPA enforcement case in U.S. history. […]

Read More…