Colorado is the latest state to revisit, and expand upon, its laws pertaining to the use and protection of student data. Colorado Governor John Hickenlooper recently signed into law House Bill 16-1423 (the “Bill”), designed to increase the transparency and security of personal information about students enrolled in Colorado’s public education system (K-12). Described by its sponsors and the media as “nation-leading” with respect to the extremely broad scope of the definition of “student personally identifiable information”, the Bill imposes additional, detailed requirements on the Colorado Department of Education, the Colorado Charter School Institute, school districts, public schools, and other local education providers (each, a “Public Education Entity”) and commercial software providers (including education application providers) with respect to the collection, use, and security of student data. In this blog post, we focus only on the duties of commercial software or education application providers. Continue Reading Colorado Student Data Privacy Bill – What EdTech software providers need to know
The U.S. Department of Health and Human Services Office for Civil Rights (OCR) recently issued a warning regarding vulnerabilities in third-party applications used by entities covered by HIPAA. The OCR warning applies generally to HIPAA Covered Entities and Business Associates. While Covered Entities and Business Associates are more cognizant of vulnerabilities in operating systems (like Windows) and install updates and patches as needed (we hope), OCR reported that companies are less likely to do the same for third-party applications (like Adobe’s Acrobat or others). Continue Reading OCR Warns of HIPAA Risks in Third-Party Apps
The number one threat to a company’s information (personal or confidential) is still its own employees. Data security and privacy training are the first lines of defense against negligent employee behavior.
Join us tomorrow (6.22) at 1 PM ET for a webinar in which we will explore why traditional training programs are falling short and what you can do to boost your efforts and counter top concerns regarding malicious and negligent employee handling of personal and confidential data.
CLE credit available in NY and CA
The Mintz Levin Privacy and Security team is pleased to welcome Brian H. Lam to our group of privacy and security professionals. Brian comes to Mintz with broad experience in data aggregation, network data security, and technology transactions – in particular, the role security infrastructure plays in both technology transactions and M&A transactions.
Brian brings important real-world technical and legal expertise to our clients: he has undergraduate and graduate degrees in computer science (B.S. and M.S. from University of Colorado); has worked as a network security analyst prior to entering the University of Southern California law school; and is credentialed as a Certified Information Security Professional (CISSP), which is recognized by security professionals around the world as the field’s premier certification program.
The Department of Homeland Security (DHS) and the Department of Justice (DOJ) have issued the long-awaited final procedures for both Federal and Non-Federal Entities under the Cybersecurity Information Sharing Act (CISA) (“Final Procedures”) that provide information on how DHS will implement CISA. In addition to the Final Procedures, the agencies also released “Guidance to Non-Federal Entities to Share Cyber Threat Indicators and Defensive Measures with Federal Entities under the Cybersecurity Information Sharing Act of 2015” (the “Guidance”).
As we have written previously, a company may share cyber threat indicators (CTIs) and defensive measures (DMs) for cybersecurity purposes “notwithstanding any other provision of law,” and receive certain liability protections for sharing in accordance with the Act. The Final Procedures and the Guidance are finalized versions of interim guidance previously discussed. Any decision to share information under CISA is complex and involves factual and legal determinations.
Read on to find out what CTIs and DMs are, and information on the procedures companies must follow to obtain liability protection for sharing CTIs and DMs with the Federal Government. Continue Reading “Interim” No More: DHS and DOJ Publish Final CISA Guidance on Cybersecurity Sharing
At long last, the Department of Health and Human Services Office for Civil Rights (OCR) has released a revamped audit protocol that now addresses the requirements of the 2013 Omnibus Final Rule. OCR will be using the audit protocol for its impending Phase 2 audits of covered entities and business associates, which are set to begin next month.
The protocol covers the following subject areas:
- Privacy Rule requirements for (1) notice of privacy practices for PHI, (2) rights to request privacy protection for PHI, (3) access of individuals to PHI, (4) administrative requirements, (5) uses and disclosures of PHI, (6) amendment of PHI, and (7) accounting of disclosures.
- Security Rule requirements for administrative, physical, and technical safeguards.
- Breach Notification Rule requirements.
OCR has also released other materials that shed light on the logistics of the audit process, including a copy of the Audit Pre-Screening Questionnaire that it will use to collect demographic information about covered entities and business associates. OCR will use this information to create a pool of potential auditees.
Entities selected for audit will be required by OCR to identify and provide detailed information regarding their business associates. The information collected by OCR will be used to help identify business associates for the Phase 2 audits. OCR has released a template with the information that covered entities will have to provide, including the business associate’s name, contact information, type of services, and website.
Covered entities and business associates should be working to ensure that they have the required compliance documents and materials ready, especially given OCR’s aggressive timetable: if selected for an audit, an auditee will have only 10 days to respond to OCR.
As we have discussed previously on this blog, the audit protocol is an excellent HIPAA compliance tool, especially for audit readiness assessment. Unfortunately, the version of the tool on the OCR website can be unwieldy to use in practice. In order to assist covered entities and business associates with their HIPAA compliance efforts, we have repackaged the audit protocol into a more user-friendly format that can be downloaded here.
Originally posted to Mintz Levin’s Health Law & Policy Matters Blog on 4/20/16
As we reported last month, the FCC was preparing a proposed rulemaking (NPRM) to establish privacy and data security requirements for broadband internet access service (BIAS) providers. The FCC has now released that proposal with comments and reply comments due May 27th and June 27th respectively.
The brief background to this proposal is that in 2015, the FCC adopted net neutrality rules in Open Internet Order, which reclassified BIAS as a common carrier telecommunications service subject to regulation under Title II of the Communications Act. The Commission determined that, as a consequence of reclassification, Section 222 of the Communications Act, which is part of Title II, would now apply to BIAS providers. Section 222 regulates a telecommunications carrier’s use and disclosure of Customer Proprietary Network Information (“CPNI”) – which includes information related to the quantity, location, and amount of use of a telecommunications service. The FCC concluded in its Open Internet Order that the rules implementing Section 222 were telephone-centric and ill-suited to BIAS, and so chose to forbear from applying those rules to ISPs. With this latest release, the FCC is proposing a new set of rules implementing Section 222 that would apply to BIAS providers. Continue Reading FCC Broadband Privacy and Security Proposed Rulemaking Underway
The HHS Office for Civil Rights (“OCR”) officially launched the long-awaited (and dreaded) Phase 2 of the HIPAA Audits Program on March 21st. Covered Entities and Business Associates need to be prepared for these audits and be on the lookout for emails (check your spam filter!) from OCR that will begin the audit process.
Why Audits? Why Now?
The Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH Act”) requires OCR to periodically audit both Covered Entities and Business Associates for compliance with the HIPAA Privacy, Security, and Breach Notification Rules. OCR conducted Phase 1 audits in 2011 and 2012. The Phase 1 audits only examined Covered Entities and the results were generally disappointing. Only 11% of the entities audited had no findings or observations and many findings related to Security Rule compliance. After many delays, OCR is now proceeding with Phase 2. Continue Reading Phase 2 HIPAA Audits Coming to You: Check Your Spam Filter!
For our HIPAA-covered entity readers, we have asked these questions before: Have you taken a business associate inventory? Have you undertaken a comprehensive risk assessment as required by HIPAA?
It’s all getting real – read on. Continue Reading Pay Attention to Business Associate Agreements!
As we wrote previously, the federal government released several guidance documents last month implementing the Cybersecurity Information Sharing Act (CISA). Among these was the Guidance to Assist Non-Federal Entities to Share Cyber Threat Indicators and Defensive Measures with Federal Entities under CISA, published by the Department of Homeland Security and the Department of Justice. This document provides guidance on the circumstances in which personal information of a specific individual may – or may not – need to be shared in order to adequately describe a cyber threat indicator (CTI). In addition, the release identifies certain categories of information likely to be considered individually identifiable information unrelated to a cybersecurity threat, and provides guidance on sharing CTIs with the government in a manner covered by the Act’s liability protections. Continue Reading CISA Guidelines (Part 3): Guidance to Assist Non-Federal Entities