Privacy Law Blog : Privacy Lawyers & Attorneys : Proskauer Rose Law Firm : CAN-SPAM, FCRA, FACTA

On July 15, 2008, the U.S. Department of Health & Human Services (“HHS”) entered into its first Resolution Agreement with a HIPAA-covered entity to settle alleged violations of the privacy and security regulations promulgated under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). Pursuant to the Resolution Agreement, a Seattle-based not-for-profit health system, Providence Health & Services and certain of its divisions (“Providence”), paid $100,000 to HHS and entered into a Corrective Action Plan with the government. HHS advised that Providence’s cooperation in the investigation helped it avoid a “civil monetary penalty.” Providence has been released from further civil fines to HHS arising out of the particular activities at issue in this matter, provided that Providence complies with the terms of the three-year Corrective Action Plan. The Resolution Agreement did not release Providence from any potential criminal liability.

Prior to this Resolution Agreement, HHS had not imposed any fines on any HIPAA-covered entities. In the more than five years that have passed since the compliance deadline for the HIPAA privacy regulations, HHS has received close to 40,000 complaints of violations, the majority of which were not eligible for enforcement. Of those where a violation was identified, HHS had previously resolved such cases by requiring changes in privacy practices and other corrective actions without entering into any formal settlement agreements or imposing any fines.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

There have been 449 data breaches reported in media in 2008, according to the Identity Theft Resource Center’s 2008 Data Breach List.  That number exceeds the 2007 year-end total, and counts as only one breach even massive incidents such as the Hannaford Bros. breach.  Note that some of the breaches in the 2008 list were reported in 2008 but occurred in earlier years. 

The public availability of the breach information reported by media and catalogued in the Data Breach List is a direct result of the data breach notification laws of 44 states.  As a reminder, the most recent list of state data breach laws is available here on the Proskauer on Privacy blog.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Proskauer on Privacy will never be confused with TMZ, but we would be remiss if we failed to report on the high profile privacy scandal unfolding in the backyard of our Los Angeles office. As we previously reported, California’s data breach notification law was amended effective January 1, 2008, to include breaches of medical and health insurance information. A number of recent incidents illustrate once again that it is not enough to have written policies and procedures in place for the handling of sensitive information – employee training is essential. 

The Los Angeles Times recently reported that over 120 employees viewed the medical records and personal information of approximately 900 celebrity patients at UCLA Medical Center between April 2003 and May 2007. According to the latest report, the unauthorized snooping continued even after the facility cracked down on peeking employees in April.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Google Inc. (“Google”) has filed a motion to dismiss a complaint by a Pittsburgh couple, Aaron and Christine Boring (“the Borings”), over Google’s alleged invasion of the Borings’ privacy through Google’s Street View service. Launched last May, Street View provides a navigable, 360-degree view from the streets of many U.S. cities, including Pittsburgh. 

The Borings have sued for invasion of privacy, trespass, negligence and unjust enrichment and seek damages from mental suffering and diminished property value. In their complaint, the Borings argue that Google recklessly invaded their reasonable expectation of privacy by trespassing onto their property, passing a sign reading “Private Road, No Trespassing.” From the Borings’ driveway, Google captured exterior images of the Borings’ residence and swimming pool that Google made visible with Street View.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

A host of state laws require that companies take measures to protect the confidentiality of the Social Security Numbers that they possess regarding employees and consumers. But Connecticut’s new law, “AN ACT CONCERNING THE CONFIDENTIALITY OF SOCIAL SECURITY NUMBERS,” requires more. 

• Email This
• Print
• Comments
• Trackbacks
• Share Link

According to regulations published by the Federal Trade Commission and the federal banking agencies, covered companies that hold any customer accounts must implement identity theft prevention programs that identify and detect “Red Flags” signaling possible identity theft.  Companies establishing such programs must create policies and procedures not only to recognize and detect Red Flags, but also to respond to Red Flags by preventing or mitigating potential identity theft. Furthermore, companies must develop reasonable policies and procedures to verify the identity of a customer opening an account, and must also periodically update their identity theft programs.  The rules went into effect on January 1, 2008, and businesses must comply by November 1, 2008.  You can read more about Red Flags in this Client Alert.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Binding corporate rules (“BCRs”) may now be easier to implement due to much needed guidance issued last month by the European Union’s Article 29 Working Party, the group responsible for the oversight of the EU’s data protection regime. The guidance consists of three documents, which clarify the requirements for establishing BCRs. These documents are: (1) a checklist outlining the required elements of the BCRs; (2) a framework for the structure of BCRs; and (3) a list of frequently asked questions regarding BCRs.

• Email This
• Print
• Comments
• Trackbacks
• Share Link