On July 25, 2019, New York Governor Andrew Cuomo signed the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) into law. The SHIELD Act modifies the current Breach Notification Law to expand the types of data elements that are considered “private information” and to expand the data breach disclosure requirements for individuals and businesses. Moreover, the law creates a requirement that owners or licensors of private information meet a new “reasonable security requirement.”
OCR Issues Fact Sheet Listing Circumstances in which Business Associates May Face Direct Liability for HIPAA Violations
In a development that may – understandably – have been overlooked by many heading into Memorial Day weekend, on May 24, 2019, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued a Fact Sheet on Direct Liability of Business Associates under the Health Insurance Portability and Accountability Act (HIPAA).
The Fact Sheet provides an important reminder to covered entities, business associates, and their counselors regarding the circumstances in which OCR may – and may not – take enforcement actions directly against business associates for violations of HIPAA regulations. In the Fact Sheet, OCR explains that in 2009 the Health Information Technology for Economic and Clinical Health (HITECH) Act made business associates “directly liable for compliance with certain requirements” under HIPAA’s regulations, as addressed by OCR in its 2013 Omnibus Rule.
HHS Exercises Discretion to Reduce Maximum Annual Civil Money Penalties for Certain HIPAA Violations
On April 26, 2019, the U.S. Department of Health and Human Services (HHS) issued a Notification of Enforcement Discretion (Notice) regarding imposition of Civil Money Penalties (CMPs) under HIPAA. In the Notice, HHS announces that it has revisited its prior interpretation of the standards for assessment of CMPs under the HITECH Act, and is exercising its discretion to reduce the maximum amount of CMPs that may be assessed annually for HIPAA violations based on culpability.
The official version of the Notice is dated April 30, 2019, and is available here.