
HIPAA Safe Harbor Bill | Tahlia Clement

The HIPAA Safe Harbor Bill: A New Incentive for Organizations to Prioritize Security


On January 5, 2021, the President signed H.R. 7898, the HIPAA Safe Harbor Bill, into law. The new legislation amends the HITECH Act to require the Department of Health and Human Services (HHS) to give organizations credit for following recognized cybersecurity practices when HHS enforces HIPAA requirements.

Previously, organizations that experienced cyberattacks were subject to HIPAA enforcement actions, including severe penalties and fines, regardless of the cybersecurity practices they had in place. Now, H.R. 7898 specifically requires HHS to consider whether the organization had recognized security practices in place for the previous 12 months when calculating fines or penalties arising from a cyberattack. However, the law also expressly states that it does not give HHS the authority to increase fines, or to expand the extent of an audit, when an organization is found not to be following recognized security practices.

According to the law, “the term ‘recognized security practices’ means the standards, guidelines, best practices, methodologies, procedures, and processes developed under…the NIST Act, the approaches promulgated under… the Cybersecurity Act of 2015, and other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities.”

This new law is important because the healthcare industry continues to be the sector most affected by cyberattacks. The healthcare industry accounted for 79 percent of all reported data breaches from January to November 2020, and attacks against healthcare organizations increased by 45 percent between November 2020 and January 2021. In addition, HIPAA violation fines can range from $100 per violation all the way up to $59,522 per violation. Because these fines are calculated on a “per violation” basis, the fines imposed in 2020 ranged from $3,500 to $6,850,000, with several individual fines exceeding $1,000,000.

A recent example is the University of Texas M.D. Anderson Cancer Center, which was fined $4,300,000 for violations of HIPAA and the HITECH Act. However, on January 14, 2021, the United States Court of Appeals for the Fifth Circuit vacated the fine, describing it as “arbitrary, capricious, and otherwise unlawful.” The Court held that HIPAA does not require entities to use “bulletproof protection” and found that M.D. Anderson had adopted sufficient security practices. The case shows that courts, too, are now looking at an organization’s security practices when determining whether a HIPAA fine is reasonable.

For more information about your entity’s cybersecurity risks and HIPAA compliance, reach out to one of FGHW’s healthcare attorneys. Our attorneys have extensive experience reviewing and analyzing HIPAA and cybersecurity practices to determine whether they qualify as recognized security practices under the new law. If your cybersecurity practices do not meet the new standards, FGHW’s attorneys can assist in implementing practices that do.


Dallas Attorney Tahlia Clement

Tahlia Clement’s primary practice areas are marketing, advertising and promotions law, health law, internet law, and general business transactions. Tahlia graduated from SMU Dedman School of Law and holds a B.A. in journalism and mass communications from Arizona State University.

Data Breach? Your Obligations under the Texas Identity Theft Enforcement and Protection Act

Illustration by attorney Christopher Elam

For any business, big or small, customer confidence is critical to success in today’s competitive marketplace. But if your company’s security is breached and consumer information is stolen, you may have a legal obligation to notify your customers. Admitting a data breach can be embarrassing, but failing to comply with the law can be devastating to your reputation and your bottom line.

The Texas Identity Theft Enforcement and Protection Act

The Texas Identity Theft Enforcement and Protection Act (Tex. Bus. & Com. Code §§ 521.001 et seq.) applies to anyone who conducts business in Texas and “owns or licenses computerized data that includes sensitive personal information.” Texas businesses are required under the Act to protect the sensitive personal information of their staff and customers. As used in the Act, the term “sensitive personal information” includes unencrypted identifying information, such as an individual’s name in combination with a Social Security number, driver’s license number, or credit card information. The term also includes an individual’s health care information.

The Act requires you to notify the affected individuals as soon as possible after you discover, or reasonably believe, that a data breach has occurred. A data breach is not limited to your computer systems being hacked. The Act’s notification requirements can also be triggered if, for example, an unscrupulous employee steals a customer’s credit card information, or if a customer using your website is shown another customer’s information because of a coding error. If the data breach affects more than 10,000 individuals, you must also report the incident to the consumer reporting agencies.

The Penalties

The penalties for failing to comply with the notification requirements can be steep. For each violation, the State of Texas can impose a civil penalty of between $2,000 and $50,000. In addition, for every person who should have received notification of the data breach but did not, there is a further penalty of up to $100 per person for each day that notification is late, capped at $250,000 for all individuals affected by a single breach. Failing to respond appropriately to an extensive data breach can therefore put you on the hook for up to $250,000 in that penalty alone. Although individuals themselves cannot bring a lawsuit to enforce the law, the Texas Attorney General may bring an action to recover the penalties and may also seek an injunction. The Attorney General is also entitled to recover reasonable expenses, including attorney’s fees, court costs, and investigatory costs.

If your business collects or maintains sensitive personal information about its customers, such as credit card or health care information, you need to take extra precautions to collect, store, and secure that data properly. If you have experienced a data breach, or even suspect that one has occurred, we strongly recommend seeking the advice of an experienced attorney to help you avoid the perils of an inadequate response.


Christopher Elam is an attorney at Farrow-Gillespie Heath Witter LLP. Mr. Elam has experience in business transactions, corporate governance, trademarks and real estate transactions, as well as mergers and acquisitions. He graduated from SMU Dedman School of Law in 2010.


The CCPA: California’s Follow-up to the GDPR


Illustration by legal assistant Charles Jackson

Following the enactment of the European Union’s GDPR, California has passed the California Consumer Privacy Act of 2018 (CCPA), which takes effect January 1, 2020. The CCPA is intended to protect California residents’ personal information, defined as any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. This includes identifiers such as a name or email address, commercial information, personal property records or purchase history, biometric information, search history, professional information, and educational information. However, the CCPA does not apply to information already regulated under HIPAA, the Gramm-Leach-Bliley Act, the FCRA, or the Driver’s Privacy Protection Act.

The CCPA applies to companies that:

  • Conduct business in California
  • Collect the personal information of California residents
  • Satisfy at least one of the following:
    • Produce annual gross revenues in excess of $25,000,000
    • Buy, receive, sell, share, or a combination thereof, the personal information of 50,000 or more consumers, households, or devices for commercial purposes
    • Obtain 50% or more of their annual revenue from selling, releasing, or renting consumer personal information to a third party for monetary consideration

Under the CCPA, California residents will be able to learn what information companies are collecting about them, why it is being collected, and with whom it is being shared. California residents will have the right to demand that their data be deleted and the right to opt out of the sale of their data to third parties. Further, a company may not discriminate against a California resident for exercising these rights, for example by denying service or charging a different price. The CCPA also prohibits companies from selling the data of anyone under the age of 16 without explicit opt-in consent.

To hold companies accountable for consumer data, California residents will be able to sue companies subject to the CCPA for up to $750 per consumer per incident (or actual damages, if greater) when a data breach results from the company’s failure to implement reasonable security. In addition, the California Attorney General can seek civil penalties of up to $2,500 for each violation and up to $7,500 for each intentional violation.

The CCPA also requires companies to expand the privacy disclosures they provide when collecting or using consumers’ personal information. The disclosures must describe the rights California residents have over their personal information and how they can exercise those rights, and must explain how the company collects, uses, and shares their data. In addition, the company must provide a link to a “Do Not Sell My Personal Information” page that allows consumers to opt out, and the link must be accessible on all relevant platforms.

For companies subject to the CCPA, more requirements may be coming, because the law gives the California Attorney General the authority to issue implementing regulations. If you believe you are subject to the CCPA, consult an attorney familiar with data privacy to ensure compliance.

For full documentation of the CCPA, please visit the website of the California legislature.



Tahlia Clement is a clerk at FGHW. Ms. Clement is a 2019 candidate for a Juris Doctor at SMU Dedman School of Law, where she is the Editor-in-Chief of SMU’s Science and Technology Law Review. She holds a B.A. in journalism and mass communications from Arizona State University.

Two Major Developments for Employers

Employment law has seen two recent major developments that affect employers. The first involves nondisclosure limitations in sexual harassment settlements. The second rewards employers who conduct internal wage and hour audits.

Recent Development #1: New Tax Law Nondisclosure Limitations

One of an employer’s primary motivations in resolving an employment claim is to obtain the employee’s promise to keep the settlement, and the allegations underlying the claim, confidential. The recently passed federal tax law may interfere with an employer’s interest in maintaining the confidentiality of such agreements.

In response to the recent #MeToo movement, Section 13307 of the Tax Cuts and Jobs Act (signed December 22, 2017) disallows tax deductions for an employer’s payment of a sexual harassment or sexual assault settlement if the settlement is subject to a nondisclosure agreement. The deduction restriction applies not only to the settlement amount but also to the employer’s payment of related attorneys’ fees. While many experts predict some modification of the provision, employers should be mindful of this restriction when deciding whether to resolve a claim of sexual harassment or sexual assault. Until the provision is revised, an employer should either negotiate any confidential settlement agreement with the understanding that the payment will not be tax deductible, or resign itself to having no nondisclosure provision in the agreement.

Recent Development #2: DOL Payroll Audit Independent Determination Program

On March 6, 2018, the U.S. Department of Labor (DOL) announced a new pilot program that gives employers an opportunity to voluntarily correct payroll errors that may have resulted in inadvertent violations of the Fair Labor Standards Act (FLSA). Recognizing that employers who discover a failure to pay overtime or a misclassification of employees are often hesitant to take corrective action because of potentially expansive liability exposure, the DOL has adopted the Payroll Audit Independent Determination (PAID) program. The program allows employers to avoid potential litigation and liquidated damages by conducting internal audits and self-reporting any violations to the DOL. The DOL’s Wage and Hour Division (WHD) will assist employers in correcting the mistakes and will facilitate the exchange of back-wage payments for enforceable releases of liability from the affected employees.

The WHD plans to run the PAID pilot program nationwide for six months and then evaluate the results. The PAID program is not available to settle ongoing FLSA litigation and is not open to employers with recurring violations.

For more information regarding either of these new developments, contact Julie Heath.


Julie E. Heath practices primarily in the area of employment litigation and counseling. In addition to litigation and arbitration defense, she counsels HR departments and businesses on all aspects of employment law. Julie has been named to the list of Texas Super Lawyers (a Thomson Reuters service) every year since 2012.