Privacy & Security Matters Mintz Levin : Data Compliance & Security, Employee Privacy Lawyer & Attorney

Privacy Monday – September 22, 2014

Posted in Cybersecurity, Data Breach, HIPAA/HITECH, Privacy Monday

Happy autumnal equinox — http://www.skyandtelescope.com/astronomy-news/observing-news/autumnal-equinox-2014-arrives-09222014/

Home Depot Breach – By the Numbers

56 million cards at risk (compare to Target = 40 million)

$62 million in estimated costs (compare to Target = $146 million and counting)

$27 million insurance coverage (compare to Target = $100 million in coverage)

Lawsuits filed – at least 1 in US and 1 in Canada

Filed 8-K with Securities and Exchange Commission on September 8 (Took Target 2 months to file)

Lame Duck Cyber Legislation Preview from ML Strategies

In June, the Senate Homeland Security and Governmental Affairs Committee approved two cybersecurity measures, the National Cybersecurity Communications Integration Center Act and the Federal Information Security Modernization Act. While the bills are bipartisan, introduced by HSGAC Chairman Tom Carper (D-DE) and Ranking Member Tom Coburn (R-OK), final passage is uncertain and could wait until next year. In July, the Senate Intelligence Committee approved S. 2588, the Cybersecurity Information Sharing Act, a bipartisan bill proposed by committee Chairwoman Dianne Feinstein (D-CA) and Ranking Member Saxby Chambliss (R-GA). The USA Freedom Act (H.R. 3361), introduced by Rep. Jim Sensenbrenner (R-WI) and amending the Foreign Intelligence Surveillance Act of 1978, was approved in the House in May. A companion bill, S. 2685, was introduced by Senator Patrick Leahy (D-VT) and placed on the Senate calendar in July. Despite this legislative activity on cyber, it is possible that this issue will not be addressed during the lame duck, barring some triggering event.

OCR Issues Guidance on HIPAA and Same-Sex Marriage

previously posted on Health Law & Policy Matters

The U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) has released guidance to help covered entities and business associates understand the privacy implications of the 2013 Supreme Court decision in United States v. Windsor (“Windsor”).

The Supreme Court ruled in Windsor that Section 3 of the Defense of Marriage Act (“DOMA”), which provided that federal law would recognize only opposite-sex marriages, was unconstitutional.  Since Windsor, HHS has already extended Medicare coverage to same-sex couples.

The HIPAA Privacy Rule provides some protections to family members, including spouses, of patients.  For example, Protected Health Information relating to the patient’s care may sometimes be shared with family members of patients.  In addition, the protections against the use of individuals’ genetic information for underwriting purposes under the Genetic Information Nondiscrimination Act (“GINA”) extend to certain information about family members.

OCR’s guidance on HIPAA and Same-sex Marriage addresses the effect of Windsor on HIPAA provisions relating to family members.  The guidance clarifies that, under the Privacy Rule, “spouse” includes both same-sex and opposite-sex individuals who are legally married.  The term “marriage” extends to same-sex marriages, and “family member” includes dependents of those marriages.

These terms apply to legally married same-sex individuals regardless of whether they live in, or receive services in, a jurisdiction that recognizes their marriage.

One big question remains: Do same-sex spouses qualify as “personal representatives” under the Privacy Rule?  OCR stated that it intends to issue clarifications on this topic through guidance or rulemaking.  We will continue to post updates on HIPAA and same-sex marriage issues as additional guidance is released.