First Seven-Figure HIPAA Settlement of 2020

Less than one week after its last announced settlement, the Office for Civil Rights announced its first seven-figure HIPAA settlement of 2020. A non-profit healthcare system in Rhode Island, Lifespan, agreed to pay $1,040,000 for alleged systemic HIPAA violations. A 2017 breach involving an unencrypted stolen laptop triggered the investigation. OCR found HIPAA Security Rule violations and the lack of a business associate agreement with its parent corporation, which reported the 2017 breach.

Second HIPAA Enforcement Action of 2020 Announced

Today, the Office for Civil Rights (OCR) announced a $25,000 settlement with a small federally qualified health center (FQHC) for systemic HIPAA Security Rule violations. Over 9 years ago, the FQHC reported a disclosure of patient information to an unknown email account affecting 1,263 patients. This breach report prompted an investigation revealing a near complete failure to comply with the HIPAA Security Rule.

Telehealth, Privacy and The Three Little Pigs

We learned early in life from the Three Little Pigs that a house made of straw or sticks, while much easier to build, lacks the safety and security of a brick house. This fable’s lesson applies to many scenarios including the recent rapid deployment of telehealth services. While a pandemic, not laziness, caused the hurried telehealth services implementation for many, that’s irrelevant to the big bad wolf (and there is always a big bad wolf). He will come and he will huff, and he will puff, and he will compromise the privacy of patient information in a system without adequate protections.

US Supreme Court Finds First Amendment Problems with TCPA Exception

Today, the United States Supreme Court issued its decision in Barr v. American Association of Political Consultants, Inc. concluding that an exception to the Telephone Consumer Protection Act (TCPA) constitutes a content-based speech restriction and violates the First Amendment. But, instead of invalidating the entire statute, the Court only severed the offending provision.

COVID-19 Technology and Privacy Part II – A Promising Legislative Solution Emerges

In Part I of this mini-series last week, Dayle A. Duran, Esq., CIPP/US articulately described Apple and Google’s COVID-19 contact tracing API. Overall, she concluded that, if used as intended, the technology provides good privacy protections, but flagged that the real privacy risks lie in unintended use and function creep. Recently proposed bipartisan legislation may adequately address these concerns.

COVID-19 TECHNOLOGY AND PRIVACY Part I – Contact Tracing: The Apple | Google API

This is part one of a two-part series focused on COVID-19 contact tracing technology and its implications for US privacy law. The next installment of this series will examine legislative solutions to protect data subjects from misuse of information collected through contact tracing apps and related technologies.

Rip off the Band-Aid: Time to Scrap the FTC’s Health Breach Notification Rule

The Federal Trade Commission’s Health Breach Notification Rule (HBNR) is a perfect example of a narrowly tailored regulation that only contributes to the cumbersome patchwork of privacy rules in this country without providing any real benefit. In this blog post, I explore the problems with the HBNR and why we should focus instead on creating meaningful, comprehensive privacy legislation.

Telehealth by Telephone in Connecticut: A Provider’s Guide

Until recently, telehealth was not commonplace here in CT. Not only has the public health emergency forced widespread adoption of telehealth, but it also triggered a flurry of piecemeal rules and executive orders in rapid-fire succession causing substantial confusion. The most confusing of those rules relate to the delivery of telehealth services via telephone.