$3 Million Settlement for Exposure of and Latent Response to Exposure of 300,000 Patients’ Protected Health Information

Touchstone Medical Imaging (Touchstone) and the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) entered into a no-fault settlement and two-year corrective action plan (CAP) to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA).

New Requirements for FTC Data Security Settlements

Two of the Federal Trade Commission’s (FTC’s) most recent data security settlements include new requirements that go beyond previous data security settlements. The new provisions (1) require that a senior corporate officer provide to the FTC annual certifications of compliance and (2) specifically prohibit making misrepresentations to the third parties conducting required assessments. A statement accompanying these settlements noted that the FTC has instructed staff to examine whether its privacy and data security orders could be strengthened and improved.

HHS Immediately Reduces Annual Limits Across HIPAA Violations

The Department of Health and Human Services (HHS) issued a notice, effective immediately, that it is exercising its enforcement discretion in how it applies HHS regulations concerning the assessment of Civil Money Penalties (CMPs) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). HHS currently applies the same annual CMP limit across four separate tiers of violations based on the level of culpability surrounding the HIPAA violation. HHS will reduce the annual CMP limit for each of the four penalty tiers, pending further rulemaking, to better reflect the text of the Health Information Technology for Economic and Clinical Health (HITECH) Act.

Supreme Court Gives Companies Another Tool To Fend Off Data Breach Class Actions

In the wake of data breaches, companies may find themselves targets of class actions by customers or employees whose personal information was compromised in the breach. The exposure is considerable, with an estimated 765 million people impacted by data breaches between April and June of 2018. As we previously reported, some courts have allowed consumer and employee data breach cases to proceed despite threshold challenges – leading to multi-million-dollar settlements. And in Dittman, Pennsylvania’s Supreme Court recently held that an employer owed an affirmative duty to exercise reasonable care to protect employees’ personal nonpublic data from data breaches.

SEC Issues Risk Alert Regarding Reg S-P, Privacy, Safeguarding, and Registrant Compliance

The SEC’s OCIE recently issued a Risk Alert focusing on compliance issues related to Regulation S-P, the primary SEC rule governing compliance practices for privacy notices and safeguard policies for investment advisers and broker-dealers. The Risk Alert summarizes the OCIE’s findings from two years’ worth of issues identified in deficiency letters to assist investment advisers and broker-dealers in adopting and implementing effective policies and procedures for safeguarding customer records and information pursuant to Regulation S-P.

In this alert, partner Jim Lundy outlines the Regulation S-P requirements, the OCIE’s Regulation S-P findings and key takeaways for SEC registrants.

©2025 Faegre Drinker Biddle & Reath LLP. All Rights Reserved. Attorney Advertising.