Archive for the ‘Laws & Regulations’ Category

South Carolina & Alaska Privacy Breach Notice Laws Go Into Effect July 1
Monday, June 29th, 2009
This week two more U.S. breach notice laws go into effect…

FTC Issued Consent Order for GLBA Privacy Rule and Safeguards Rule Violations
Tuesday, June 16th, 2009
Today the FTC issued a consent order against mortgage lender James B. Nutter & Company for GLBA Privacy Rule and Safeguards Rule violations resulting from having an inadequate information security program and safeguards. The requirements will result in, among other actions, 20 years of ongoing activities by James B. Nutter & Company; much more costly than it would have been to have established appropriate information security safeguards to begin with…
FTC’s New Red Flags Rules FAQ
Thursday, June 11th, 2009
Today the US FTC released “Frequently Asked Questions: Identity Theft Red Flags and Address Discrepancies.”
Here are a couple important things to take away from this FAQ…
HITECH Act does *NOT* make HIPAA, or HIPAA advice, “obsolete”!
Monday, May 18th, 2009
A couple of weeks ago I was surprised and concerned by a statement made in one of my many listservs by a lawyer commenting on HIPAA books and past advice given for HIPAA compliance…
Podcast: HITECH Act adds new compliance requirements, penalties
Wednesday, May 6th, 2009
Last week I had the pleasure of speaking with Alexander B. Howard at SearchCompliance.com for a 26 minute podcast…
IP Addresses Are Considered PII By Some Countries No Matter If U.S. Orgs Like It Or Not
Monday, May 4th, 2009
Today on Twitter, @clarinette02 posted a link to an interesting article, “IP Addresses Are Personal Data, E.U. Regulator Says,” from a little over a year ago…
Red Flags Rule Enforcement Delayed to August 1, 2009; FTC Providing a Compliance “Template”
Friday, May 1st, 2009

Employee Rights to PII When You Leave Your Employer or Lose Your Job
Wednesday, April 29th, 2009
I often get emails from my blog and Twitter readers, many of whom I have never met before; sometimes several in a day. Many often ask for help that really is a call for free consulting help. Others are quick, short and fast for me to answer. Others are just bizarre. I answer whatever I have time for. I recently got the following question (edited to protect identities), and I think so many folks may be involved in a similar situation with all the continuing job losses that it might be useful to several folks…
HIPAA & HITECH Act Sanctions & Penalties
Tuesday, April 28th, 2009
Today I had the great pleasure and opportunity to do a podcast with Alexander Howard over at TechTarget discussing HIPAA and the HITECH Act…
Breach Notices, Securing PHI & PHR Vendor Responsibilities Under HIPAA/HITECH Act
Tuesday, April 21st, 2009
Last Friday the US Department of Health and Human Services (HHS) released, at the last possible moment to meet their deadline, their interim final regulations to require covered entities (CEs) under the Health Insurance Portability and Accountability Act (HIPAA) and their business associates (BAs) to provide for notification in the case of breaches of unsecured protected health information (PHI) as required by the HITECH Act.
If you’ve read any of the at least 47 U.S. state and territory breach notice laws you will get a strong sense of deja vu while reading this document. They borrowed HEAVILY from the various existing breach notice laws to establish their proposed definitions of securing PHI, what constitutes a “breach” of PHI, and how to do breach notifications.
There are two major issues…