PRIVACY + SECURITY BLOG

News, Developments, and Insights

high-tech technology background with eyes on computer display

A Major Move to Weaken HIPAA

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
May 12, 2019

HIPAA Penalties Reduced

Quietly, at the end of April, HIPAA was significantly weakened.  HHS published what sounds like an innocuous notification in the Federal Register: Notification of Enforcement Discretion Regarding HIPAA Civil Money Penalties.  This notification is actually an enormous change to the HIPAA penalty structure, a drastic reduction in HIPAA fines.

The existing penalty structure under HIPAA is based on the HITECH Act of 2009, which increased HIPAA’s fines in an attempt to give teeth to HIPAA enforcement.  Since HIPAA began being enforced in 2003 until the HITECH Act, fines had barely been issued despite an enormous amount of HIPAA violations.  HITECH was Congress’s rebuff to this weak enforcement approach.  After HITECH’s more potent penalty structure, HHS finally began issuing fines.  The chart below is how HHS has been interpreting the HITECH penalty framework since the HITECH Act:

HIPAA Penalties Table 1

There were some ambiguities under the HITECH Act as to these penalty tiers, but HHS had long interpreted these tiers according to the above chart.  But now, HHS has suddenly changed its mind and adopted a very different interpretation. Under this new interpretation, the penalty tier limits are now as follows:

HIPAA Penalties Table 2

Notice the new annual limits.  There are severe reductions in the annual limits for nearly every category except for uncorrected willful neglect. This change yanks many of the teeth out of HIPAA enforcement.Teeth Pulling

Continue Reading

Cartoon: Data Minimization

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
May 9, 2019

Cartoon Data Minimization - TeachPrivacy Privacy Awareness Training 02 small

This privacy cartoon is about data minimization, a principle embodied in many privacy laws.  Under the data minimization principle, organizations are to collect, process, or share only the minimum necessary personal data to achieve their purpose.  There’s a lot of hat tipping to data minimization, but this principle is often not followed enough.  Far too often, personal data is collected without any particular purpose in mind and far too much is shared than necessary.

Continue Reading

Privacy Law Fundamentals – New 2019 Edition

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
May 5, 2019

Privacy Law Fundamentals 2019 03

I am pleased to announce the publication of the new edition of PRIVACY LAW FUNDAMENTALS, my short guide to privacy law with Prof Paul Schwartz.  The purpose of this compact treatise is to distill the vast terrain of privacy law to the essential cases, regulations, statutes, and other notable developments.  We aim to provide what you need to know about privacy law in a concise volume that doesn’t weigh 500 pounds. We hope that this book will serve as a privacy law reference that you can readily keep at hand.

You can obtain a copy of the book at the IAPP bookstore.  A lot has happened in privacy law since the last edition because every day there’s something new in this field.  Here’s the table of contents.

Please visit my casebook website — Information Privacy Law — to find out more info about this book, as well as my casebooks with Paul Schwartz.

Continue Reading

Anatomy of a Privacy Law

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
May 5, 2019

Anatomy of a Privacy Law - Prof Daniel Solove 01

I was recently giving a presentation about new privacy laws, and I created the infographic above to catalog the various elements that privacy laws often have.  Going through this list can help to assess how complete a privacy law is.  For example, the California Consumer Privacy Act (CCPA) is often compared to the General Data Protection Regulation (GDPR), and I’ve heard it sometimes referred to as a GDPR in the United States.  But the CCPA is far different from the GDPR, as the GDPR is significantly more comprehensive and has many more dimensions than the CCPA.  For example, the GDPR has a broader scope (covers more types of entities) and has many provisions about responsibilities and governance that the CCPA lacks.   Indeed, the GDPR has most of the elements in this list. In the US, HIPAA comes the closest to the GDPR in terms of how many items it has from the last, but HIPAA is just limited to certain forms of health data.

Click here for a larger PDF version of the infographic.

The vast majority of privacy laws have provisions relating to their scope and applicability, a definition of the personal information that they regulate, individual rights and organizational responsibilities, enforcement provisions, and a particular position with regard to preemption.

Continue Reading

Will the United States Finally Enact a Federal Comprehensive Privacy Law?

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
April 22, 2019

Comprehensive Privacy Law US - TeachPrivacy CCPA Training 01

These days, there seems to be a lot of energy around a federal comprehensive privacy law in the United States.  When the US Congress started passing privacy laws in the 1970s, 80s, and 90s, it eschewed the route of passing a comprehensive privacy law, opting instead for the sectoral approach — passing a series of narrow industry-specific laws.  Then, in the late 1990s and early 2000s, there was a brief debate in the US about passing a comprehensive privacy law, when a few companies suggested it.  But most companies shot down the idea. They liked the sectoral approach. They were okay with being regulated by a patchwork of various federal and state privacy laws.

At the time, when discussing the issue at conferences and events, I said that this view was short-sighted. The rest of the world was starting to move toward a comprehensive privacy law. The patchwork of laws left many gaps and holes in privacy protection and had countless inconsistencies. Congress did nothing.

Congressional Paralysis and the Rise of the States

Since 2000, Congress has largely been unable to pass many privacy laws. It has largely passed amendments to existing laws, but it hasn’t passed many major pieces of sectoral privacy regulation, let alone a broader privacy law. Partisanship, as well as a lack of compromise and maturity, have rendered Congress unable to craft laws with the nuance and balance needed to address privacy and data security issues. During this time, the states have passed a blizzard of laws. Every state has passed a data breach notification law. States have passed countless privacy laws too — especially California.
State Privacy Laws

A New Urge for Congress to Act

The EU’s General Data Protection Regulation (GDPR), which started being enforced in May 2018, and the passage of California’s Consumer Privacy Act (CCPA) have reignited the debate over a comprehensive federal privacy law.   “It’s time,” many people are saying.  Now, industry is crying out for a comprehensive federal law.  In November 2018, in response to a call for comments on a federal privacy law by the NTIA, numerous companies responded by stating that they were now in favor of a federal privacy law.

But with this Congress, I think that a comprehensive privacy law is unlikely.

Continue Reading

Cartoon: The CCPA, a Federal Comprehensive Privacy Law, and Preemption

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
April 14, 2019

Cartoon CCPA Preemption - TeachPrivacy CCPA Training 02 small

For years, many policymakers, industry representatives, and commentators were opposed to a comprehensive federal privacy law.  They typical federalism arguments were often trotted out. Then, in 2018, California passed the California Consumer Privacy Act (CCPA). Now, there seems to be a chorus for a comprehensive federal privacy law with preemption.  I’ll be posting soon about my thoughts on a federal law and on preemption.

Continue Reading

Please Join Us at the International Privacy and Security Forum (April 3-5, 2019)

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
March 8, 2019

International Privacy and Security Forum

I hope that you can join us for the International Privacy+Security Forum (April 3-5, 2019 in Washington, DC).

The International Privacy+Security Forum is an annual sister event to the Privacy+Security Forum, an annual event held in October at George Washington University in Washington, DC.  The Int’l Forum event focuses on privacy and security laws from around the world.  The main feature of Forum events is that we have deep-dive sessions on topics.  We attract highly seasoned professionals, and we encourage highly interactive sessions.

We will have 100+ speakers and about 40 sessions.

Continue Reading

Cartoon: Data Breach Notification

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
March 3, 2019

Cartoon Data Beach Notification - TeachPrivacy Security Awareness Training 02 small

This cartoon is about data breach notification.  All 50 states plus the District of Columbia and Puerto Rico now have data breach notification laws, and breach notification laws are spreading around the globe.  And, as is often said in data security, it’s not whether a breach will happen, but when . . .

Continue Reading

HIPAA Enforcement 2018

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
February 25, 2019

HIPAA Enforcement 2018 - TeachPrivacy HIPAA Training 02

Last year was a record-setting year for HIPAA enforcement.  On HHS’s website, OCR has touted its 2018 enforcement:

OCR has concluded an all-time record year in HIPAA enforcement activity.  In 2018, OCR settled 10 cases and secured one judgment, together totaling $28.7 million. This total surpassed the previous record of $23.5 million from 2016 by 22 percent.  In addition, OCR also achieved the single largest individual HIPAA settlement in history of $16 million with Anthem, Inc., representing a nearly three-fold increase over the previous record settlement of $5.5 million in 2016.

Here is an overview of the resolution agreements and enforcement actions with civil monetary penalties from 2018:

Continue Reading

Increasing State HIPAA Enforcement: Highlights from 2018

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
January 22, 2019

State HIPAA Enforcement - increasing 02

There have been quite a number of state HIPAA enforcement cases this year, and one expert points out a trend toward increasing state enforcement of HIPAA.

An article in Data Breach Today discusses a number of state HIPAA enforcement cases.  Here are some of the ones discussed:

Massachusetts — $75,000 settlement with McLean Hospital for a data breach involving 1,500 victims based on an employee who routinely took home unencrypted backup tapes with PHI.  From the state press release:

The AG’s complaint alleges that McLean, a psychiatric hospital in Belmont, allowed an employee to regularly take home eight unencrypted back-up tapes containing clinical and demographic information from the Harvard Brain Tissue Resource Center that the hospital possessed. The tapes contained personal information such as names, social security numbers, diagnoses and family histories. When the employee was terminated from her position at McLean in May 2015, she only returned four of the tapes, and the hospital was unable to recover the others.

New Jersey — $100,000 settlement with EmblemHealth for a 2016 breach involving 81,000 victims.  Details from the state’s press release:

The incident at issue took place on October 3, 2016 when EmblemHealth’s vendor sent a paper copy of EmblemHealth’s Medicare Part D Prescription Drug Plan’s Evidence of Coverage to 81,122 of its customers, including 6,443 who live in New Jersey.

The label affixed to the mailing improperly included each customer’s HICN, which incorporates the nine digits of the customer’s Social Security number, as well as an alphabetic or alphanumeric beneficiary identification code. (The number shown was identified as the “Package ID#” on the mailing label and did not include any separation between the digits.)

During its investigation, the Division found that following the departure of the EmblemHealth employee who typically prepared the Evidence of Coverage mailings, the task was assigned to a team manager of EmblemHealth’s Medicare Products Group, who received minimal training specific to the task and worked unsupervised. Before forwarding the data file to the print vendor, this team manager failed to remove the patient HICNs from the electronic data file.

Continue Reading