February 2011

At a recent presentation in Frankfurt, Peter Hustinx, head of the European Data Protection Supervisor Office in Brussels, launched an intriguing idea: sanctioning violations of data protection law in the same manner as violations of competition law.

The trade press regularly reports on multi-million euro fines for cartels or abuses


Continue Reading EU’s Hustinx: Data Protection Law Sanctions Should Mirror Competition Law

The Office for Civil Rights (OCR) within the Department of Health and Human Services (HHS) announced Tuesday that it has issued a Notice of Final Determination finding that Cignet Health of Prince George’s County, Maryland (Cignet) violated the HIPAA Privacy Rule.  HHS imposed a $4.3 million civil money penalty on Cignet for the violations—the first civil money penalty ever issued by HHS for violations of the Privacy Rule.

The civil money penalty imposed on Cignet is based on the new violation categories and increased penalty amounts established under the HITECH Act, which we reported on previously.  In a Notice of Proposed Determination issued on October 20, 2010, OCR found that:

  • Between September 2009 and October 2009, Cignet failed to provide 41 individuals with timely access to copies of protected health information (PHI) about them in the designated record sets maintained by Cignet, in violation of 45 C.F.R. § 164.524.
  • From March 2009 through April 2010, Cignet failed to cooperate with OCR’s investigation of 27 complaints regarding Cignet’s noncompliance described above, in violation of 45 C.F.R. § 160.310(b).

Continue Reading HHS Imposes $4.3 Million Civil Money Penalty for HIPAA Privacy Violations

Today the District Court for the Northern District of Alabama dismissed the class action lawsuit filed against our client, Cable One, Inc., for lack of subject matter jurisdiction because the named plaintiff lacked standing.  The litigation arose out of a limited test of NebuAd Inc.’s “deep packet inspection”

Continue Reading Privacy Lawsuit Against Cable One Dismissed

A total of 225 breaches of protected health information (PHI) affecting 6,067,751 individuals have been recorded since the HIPAA breach notification rule was issued in August 2009 pursuant to the HITECH Act, according to a report by Redspin, a provider of HIPAA risk analysis and IT assessment services.

According to

Continue Reading Report: Over 6 Million Individuals Affected by PHI Breaches Since August 2009

The Article 29 Working Party, comprising data protection authorities from each of the EU Member States and the European Data Protection Supervisor, has reiterated concerns about aspects of Passenger Name Record (PNR) agreements between the EU and the US, Canada and Australia. Under the agreements, airlines must allow authorities in

Continue Reading European Data Protection Authorities Concerned About PNR Agreements

In our final post on what pharmaceutical companies should know about the forthcoming HIPAA/HITECH regulations, we will discuss provisions in the proposed rule relating to the sale of protected health information.  We previously covered the Department of Health and Human Services’ (HHS) proposed treatment of communications about currently prescribed drugs, remunerated treatment communications, authorizations for future research, and compound authorizations.

Sale of Protected Health Information

The HITECH Act added a new circumstance where a covered entity must obtain authorization: the sale of protected health information.  (The HIPAA Privacy Rule also requires authorizations for uses and disclosures for marketing and most uses and disclosures of psychotherapy notes.)

Continue Reading HIPAA/HITECH Regulations are Coming: What do Pharmaceutical Companies Need to Know? (Part 5 of 5)

This is the fourth in our series on provisions of the Department of Health and Human Services (HHS) proposed rule implementing the HITECH Act that, if included in the final rule, are likely to have the greatest impact on the business operations of pharmaceutical and other life sciences companies.  We previously covered HHS’s proposed treatment of communications about currently prescribed drugs, remunerated treatment communications, and authorizations for future research.

Today we will address how HHS may relax the current restrictions on “compound authorizations” for research purposes.

Compound Authorizations

HHS is proposing to amend the compound authorization requirements under the HIPAA Privacy Rule, which currently prohibit combining an authorization that conditions treatment, payment, enrollment in a health plan, or eligibility for benefits with an authorization for another purpose for which treatment, payment, enrollment, or eligibility may not be conditioned.  HHS recognized that the excess paperwork that results from this restriction has been found to be burdensome and potentially confusing to patients, as well as administratively burdensome for clinical researchers.

Continue Reading HIPAA/HITECH Regulations are Coming: What do Pharmaceutical Companies Need to Know? (Part 4 of 5)

As expected, this year is shaping up to be a busy year on privacy.  As we noted in an earlier post, many Congressional members on both sides of the aisle are focusing on privacy issues.  We still expect Senator Kerry to introduce comprehensive privacy legislation in the next few

Continue Reading Privacy Bills Begin Dropping in Congress; More to Follow

For the fourth time in the past two months, Apple has been sued for allegedly violating the privacy of iPad and iPhone users.  Like the previous three suits (two of which we discussed in this post), Rodimer v. Apple, Inc. [PDF] alleges that Apple transmitted “personal information,” including Unique Device

Continue Reading Apple Sued Again For Alleged Privacy Violations