PRIVACY + SECURITY BLOG

News, Developments, and Insights


HIPAA Enforcement Case – Allergy Associates


Allergy Associates of Hartford has agreed to pay $125,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) for an alleged violation of HIPAA. The incident occurred in February 2015.  A patient reached out to a local TV station about a dispute with a doctor at Allergy Associates. When the reporter contacted the doctor for comment, the doctor improperly disclosed the patient’s PHI.  After Allergy Associates learned that HHS was investigating this incident, no disciplinary action was taken against the doctor.  According to the Resolution Agreement:

(1) Allergy Associates impermissibly disclosed the Complainant’s PHI to an unauthorized third party. See 45 C.F.R. § 164.502(a).

(2) Allergy Associates failed to apply appropriate sanctions against its Workforce Member who failed to comply with the entity’s privacy policies and procedures and the Privacy Rule. See 45 C.F.R. § 164.530(e)(1).

According to the HHS press release:

“When a patient complains about a medical practice, doctors cannot respond by disclosing private patient information to the media,” said OCR Director Roger Severino. “Because egregious disclosures can lead to substantial penalties, covered entities need to pay close attention to HIPAA’s privacy rules, especially when responding to press inquiries.”

The press release can be viewed here.  The Notice of Proposed Determination can be viewed here. The Resolution Agreement can be viewed here.

Also of Interest Regarding HIPAA

HIPAA Enforcement Guide

HIPAA Training Guide

HIPAA Enforcement 2017: Another Big Year for HIPAA Enforcement

Why Is HIPAA Data Breach Enforcement Increasing? An Insurer’s View from Katherine Keefe

HIPAA Training Courses

HIPAA Training Requirements FAQ

HIPAA Whiteboard

HIPAA Resources

Continue Reading

Employers and Schools that Demand Account Passwords and the Future of Cloud Privacy

by Daniel J. Solove

In 2012, the media erupted with news about employers demanding employees provide them with their social media passwords so the employers could access their accounts. This news took many people by surprise, and it set off a firestorm of public outrage. It even sparked a significant legislative response in the states.

I thought that the practice of demanding passwords was so outrageous that it couldn’t be very common. What kind of company or organization would actually do this? I thought it was a fringe practice done by a few small companies without much awareness of privacy law.

Continue Reading

The Mail Machine Ate My Thumb Drive

In the annals of what must be one of the most ridiculous data security incidents, a law firm employee sent a client file on an unencrypted thumb drive in the mail.  The file contained Social Security information and other financial data.

Seriously?


The envelope arrived without the USB drive. The firm contacted the post office.

What happened next is most bizarre.  Here’s an excerpt from the law firm’s letter notifying the state attorney general:

Continue Reading

HIPAA Cartoon: Notice of Privacy Practices


This HIPAA cartoon involves the notice of privacy practices (NPP) under HIPAA.  HIPAA has a set of detailed requirements for the NPP.  See 45 CFR 164.520 for the text of HIPAA’s requirement for NPPs.

The biggest challenge regarding privacy notices is that hardly anyone actually reads the notice, and notices are often a chore to read.

There is a Hobson’s choice when it comes to such notices, whether under HIPAA or otherwise.  As I wrote in Privacy Self-Management and the Consent Dilemma, 126 Harvard Law Review 1880 (2013): “[M]aking [notices] simple and easy to understand conflicts with fully informing people about the consequences of giving up data, which are quite complex if explained in sufficient detail to be meaningful.  People need a deeper understanding and background to make informed choices.”  Sadly, there’s no easy way to win on this one.

Continue Reading

The Future of Cybersecurity Insurance and Litigation: An Interview with Kimberly Horn

Cybersecurity litigation is currently at a crossroads. Courts have struggled in these cases, coming out in wildly inconsistent ways about whether a data breach causes harm. Although the litigation landscape is uncertain, there are some near certainties about cybersecurity generally: There will be many data breaches, and they will be terrible and costly. We thus have seen the rise of cybersecurity insurance to address this emergent and troublesome risk vector.

I am delighted to be interviewing Kimberly Horn, who is the Global Focus Group Leader for Cyber Claims at Beazley. Kim has significant experience in data privacy and cyber security matters, including guiding insureds through immediate and comprehensive responses to data breaches and network intrusions. She also has extensive experience managing class action litigation, regulatory investigations, and PCI negotiations arising out of privacy breaches.

 


Continue Reading

Locating Personal Data and Tracking Privacy Rights: An Interview with Dimitri Sirota

One of the biggest challenges for organizations is locating all the personal data they have. This task must be done, however, to comply with the General Data Protection Regulation (GDPR) and other privacy laws. Moreover, the GDPR and the new California Consumer Privacy Act provide that individuals have rights regarding their data. These rights often require that organizations must keep records of individual privacy preferences regarding their data.

I had the opportunity to interview Dimitri Sirota about these issues. Dimitri is the CEO and co-founder of one of the first enterprise privacy management platforms, BigID, and a privacy and identity expert.


Continue Reading

The Supreme Court on Smart Phones: An Interview of Bart Huffman about Law and Technology

The U.S. Supreme Court has been notoriously slow to tackle new technology. In 2002, Blackberry launched its first smart phone. On June 29, 2007, Steve Jobs announced the launch of the original Apple iPhone. But it took the Supreme Court until 2014 to decide a case involving the Fourth Amendment and smart phones – Riley v. California, 134 S.Ct. 2473 (2014). This past summer, the Supreme Court issued another opinion involving smart phones – Carpenter v. United States, 138 S.Ct. 2206 (2018).

I am thrilled to have had the opportunity to interview Bart Huffman, a partner in Reed Smith’s global IP, Tech & Data Group, about the Supreme Court’s recent foray into smart phones.

Continue Reading

HIPAA Cartoon: Breach of Confidentiality


This HIPAA cartoon involves confidentiality. There are countless cases of misdirected PHI that is emailed or faxed to the wrong people.

I recently created a new short course on HIPAA Confidentiality.  You can learn more about it here.

HIPAA Training

HIPAA Resources

HIPAA Training Courses
HIPAA Training Guide
HIPAA Training Requirements FAQ
HIPAA Whiteboard
HIPAA Resources

Continue Reading