As we close out 2017, check out our most read privacy & security blogs of the year!

1. 42 C.F.R. Part 2 Final Rule Is Officially Delayed … Can Comments to HHS and OMB Fix It?

On January 18, 2017, the U.S. Department of Health and Human Services (HHS) published a final rule amending the Confidentiality of Substance Use Disorder Patient Records rule at 42 C.F.R. Part 2. Yesterday, HHS delayed the effective date of the rule from February 17 to March 21. While the rule adds some much needed flexibility that will improve the ability to share alcohol and drug abuse treatment records (“part 2 records”) with treating providers through health information exchange, the rule inexplicably makes it tougher to share part 2 records with other entities, such as social service providers, children and family services, criminal justice agencies, or personal health record vendors. Entities that create or receive part 2 records should consider commenting to the new Secretary of HHS and the Office of Management and Budget, if they would like to be able to share part 2 records with more than treating providers, by requesting that the new administration reopen the new rule to address these issues.

Read more here.

2. DWT Releases Latest Health Care Breach Charts

Following the HITECH Act, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) issued regulations requiring HIPAA covered entities to provide certain notifications for breaches of unsecured protected health information. OCR provides data on its website for breaches affecting 500 or more individuals.

Read more here.

3. Data-Driven Marketing and the GDPR: the Data Brokers’ Conundrum

The digital marketing industry is powered by information about individuals (“personal data”) that pulses through a supply web. As this FTC infographic shows, some industries such as retail, energy, financial services, and health care, have direct relationships with those individuals. Other industries, such as data marketing, generally are at least one step removed. In fact, the most distinguishing feature of the data marketing industry may be that it earns its revenue supplying data or inferences from sources other than the data subjects themselves.

Read more here.

4. Employer-Sponsored Health Plan HIPAA Compliance Checklist

The administrative simplification provision of the Health Insurance Portability and Accountability Act and its implementing regulations (HIPAA) impose obligations on employer-sponsored group health plans. Given recent high-profile HIPAA enforcement actions, employers should understand their compliance obligations.

View checklist here.

5. 2016 Edition of HIPAA Regulations Released

The Code of Federal Regulations has recently published the 2016 version of the HIPAA regulations. This is the most up-to-date “official” version of the HIPAA regulations. We have created a version that includes PDF bookmarks to allow users to more easily jump from section to section.

View the regulations here.

6. The Price of PHI – A $2.2 Million USB Drive

A stolen unencrypted USB drive led to a $2.2 million settlement and a Resolution Agreement. The Department of Health and Human Services Office for Civil Rights (OCR) announced on January 18th a settlement with MAPFRE Life Insurance Company of Puerto Rico (“MAPFRE”) after an unencrypted USB data storage device containing records of approximately 2,200 individuals was stolen from MAPFRE’s IT Department after being left unsecured overnight. OCR also alleged that MAPFRE did not follow through on representations to OCR regarding its risk analysis and other compliance efforts.

Read more here.

7. HIPAA Enforcement Actions by the Numbers

Protecting patient information is a central duty for both covered entities and business associates under the Health Insurance Portability and Accountability Act (HIPAA). Should an entity subject to HIPAA fail to protect patient information, it may face possible enforcement action from the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) as well as state attorneys general for alleged violations of HIPAA and its Privacy, Security, and Breach Notification Rules.

Read more here.

8. How to Use the GDPR as Your Competitive Advantage: Focus on the Carrot, Not the Stick

Ample bandwidth has been eaten by panicky commentary over the fines possible under the EU’s upcoming General Data Protection Regulation (GDPR). Sure, the GDPR arms EU data protection authorities with a hefty compliance stick. Yet the focus on exorbitant fines seems a bit disingenuous given the past nature (low amounts) and history (infrequent) of enforcement in the EU.

Read more here.

9. IoT Vendors Beware: FTC’s Latest Enforcement Action Signals Further Scrutiny of the Industry

The FTC’s first data security enforcement action in 2017 sends a clear signal to vendors serving the Internet of Things (“IoT”) marketplace: make sure your data security promises match your data security practices. IoT is in the spotlight following last year’s DDoS attacks—which were reportedly perpetrated by hackers who amplified their attacks using insecure IoT devices.

Read more here.

10. Washington’s New Biometric Privacy Law: What Businesses Need to Know

With the rise in hackings and data breaches, companies and government agencies are looking for ways to protect their data that offer more security than passwords. Because passwords are easily lost, stolen, guessed, and cracked by hackers, companies are shifting to the use of biological characteristics that uniquely identify you, called biometric identifiers. For example, financial institutions and online retailers are developing ways to authenticate a purchase by requiring a user to take a selfie and smile, wink, or make another gesture. A stolen password could be easily reused, but faking a user’s arbitrary facial expression is more complicated.

Read more here.