Orthopedic Clinic Settles with HHS OCR for $1.5 Million Over Claims of Systemic HIPAA Noncompliance

The US Department of Health and Human Services’ Office for Civil Rights (“OCR”) recently announced a settlement with Georgia-based Athens Orthopedic Clinic PA (the “Clinic”) to resolve multiple alleged violations of the Privacy and Security Rules under the Health Insurance Portability and Accountability Act (“HIPAA”).

Under the terms of the settlement, the Clinic agreed to pay $1.5 million to OCR and to adopt a corrective action plan to settle potential violations of the Privacy and Security Rules under HIPAA. The Clinic provides orthopedic services to approximately 138,000 patients annually.

German DPA Issues Guidance on Schrems II and the Transfer of Personal Data to Non-EU Countries

Since the Court of Justice of the EU (“CJEU”) decided in its Schrems II ruling that the Privacy Shield is no longer valid and that EU Standard Contractual Clauses (SCCs) can no longer be used without extra scrutiny and require the implementation of additional security measures by both the EU data exporter and the US data importer, companies are wondering how they can transfer data to non-EU countries. According to the CJEU, the SCCs are still valid, but a level of protection for personal data equivalent to that in the EU must be ensured, which would not be the case if public authorities, such as intelligence services, can access EU personal data without adequate judicial oversight or due process.

New Data Protection Law for the Dubai International Financial Centre

A new data protection law came into force in the Dubai International Financial Centre (DIFC) on 1 July 2020. The new law, Law No. 5 of 2020 (DIFC DP Law), which repeals the Data Protection Law No. 1 of 2007, bears striking similarities to the EU’s General Data Protection Regulation (GDPR). The Law applies to controllers or processors that process personal data in the DIFC on a regular basis, regardless of the entity’s place of incorporation.

Federal Substance Use Disorder Confidentiality Rules Eased by HHS

The Substance Abuse and Mental Health Services Administration (“SAMHSA”) recently modified the 42 CFR Part 2 regulations, which set forth the federal confidentiality rules governing substance use disorder information. While these changes bring Part 2 closer into alignment with HIPAA, the additional modifications that the CARES Act requires (which will require aligning Part 2’s consent requirements more closely with HIPAA) are not addressed. See our discussion by Elliot Golding and Kristin Bryan on the Triage Health law blog.

CCPA Business-to-Business and Personnel Carve-Out Extension Clears California Legislature

Following a winding path in the California Legislature, AB-1281 passed the CA Senate on Friday, August 28th, and the Assembly on Sunday, August 30th, and will now go to Governor Newsom for his signature. Governor Newsom is not expected to veto the bill. AB-1281 amends the California Consumer Privacy Act (CCPA), extending the business-to-business and personnel/applicant carve-outs through January 1, 2022.

New Amendments Passed to Japan’s Data Privacy Law

In the midst of revising the Japan Civil Code and the foreign attorney laws, Japan has recently passed amendments to its data privacy law, the Act on the Protection of Personal Information (“APPI”). Some of these changes bring Japan’s law closer in line with the EU’s General Data Protection Regulation (“GDPR”); each of the two jurisdictions has recognized the adequacy of the other’s data privacy regime. As a result, transfers of personal information from Japan to all third countries will be subject to stricter controls when the amendments become fully enforceable, which is expected to occur in 2022.

Final CCPA Regulations Are Now in Effect – With a Few Changes

The California Attorney General (“AG”) announced on Friday, August 14th, that the Office of Administrative Law (“OAL”) approved the final California Consumer Privacy Act (“CCPA”) regulations. The AG submitted the regulations to OAL for approval on June 1, 2020. The final version includes several substantive changes where the AG “withdrew” provisions, along with procedural and grammatical changes. Although the AG did not explain the reasons for withdrawing several provisions in the Addendum to Final Statement of Reasons, the AG stated he may resubmit these provisions following “further review and possible revision.” The final regulations have immediate effect and are now enforceable by the AG.

NIST Releases Zero Trust Architecture

The U.S. National Institute of Standards and Technology (“NIST”) recently published its “Zero Trust Architecture,” which outlines a road map for cybersecurity measures across an organization. NIST explained that the security concept was created with the purpose of “mov[ing] defenses from static, network-based perimeters to focus on users, assets, and resources.” “Zero trust” is a term for a security model based on the principle that no implicit trust is granted to assets or user accounts based solely on their physical or network location (i.e., local area networks versus the internet) or on asset ownership (enterprise or personally owned). It is a response to enterprise network trends that include increasing numbers of remote users, bring-your-own-device policies, and cloud-based assets that are not located within an enterprise-owned network perimeter. Zero trust focuses on protecting resources, not network segments, because network location is no longer considered the prime component of a resource’s security posture.

The NIST 800-207 draft is a detailed document that includes a wealth of information for would-be practitioners of Zero Trust. Given the rapid evolution of “reasonable security procedures and practices,” cybersecurity professionals should give the Zero Trust Architecture serious consideration.

Key Takeaways from the FTC’s PrivacyCon

What could possibly have more geeks than Comic-Con?

Ok, probably not, but on July 21, 2020 the FTC hosted its fifth annual PrivacyCon event, and for the first time it was entirely online. The event is designed to present researched information on various important privacy topics. The FTC curates the event content based on submitted materials and moderates each session. This year’s topics were (1) health apps, (2) artificial intelligence, (3) Internet of Things devices, (4) privacy and security of specific technologies such as digital cameras and virtual assistants, (5) international privacy, and (6) miscellaneous privacy and security issues.