This blog is a service of Alston & Bird's Privacy & Data Security team and focuses on key data privacy and data security issues.


EU’s Article 29 Working Party Releases Opinion on Internet of Things Protections

The European Union’s Article 29 Data Protection Working Party (WP29) adopted an opinion (the Opinion) on September 16, 2014 regarding data protection within the Internet of Things (IoT). Recognizing the rapid growth of the IoT, the Opinion responds to emerging data privacy concerns within the IoT, and provides recommendations for stakeholder compliance with EU data protection laws.

Alston & Bird's Dominique Shelton Presents Panel On Omnichannel Innovation At National Retail Federation's Summit 2014 In Seattle, WA

October 15, 2014 | Posted by Shah, Sheila | Topic(s): Online Privacy, Marketing, Privacy, Mobile Privacy, Big Data

On October 1, Alston & Bird Partner Dominique Shelton and entrepreneur Maria Fernandez presented a panel on Omnichannel retailing, a marketing method that mixes physical and digital channels to create an innovative and unified customer experience, at the National Retail Federation’s 2014 Summit in Seattle, Washington.

HIPAA/HITECH Act Accounting of Disclosures NPRM: Redux?

In May 2011, the Office for Civil Rights (OCR) of the U.S. Department of Health & Human Services (HHS) issued a proposed rule to modify the HIPAA Privacy Rule’s standard for accounting of disclosures of protected health information (PHI). The proposed rule would have implemented the HITECH Act’s requirement for covered entities and business associates to account for disclosures of PHI to carry out treatment, payment and health care operations if the disclosures are through an electronic health record (EHR). HHS also proposed to expand the accounting provision to provide individuals with the right to receive an access report of all uses and disclosures of electronic PHI in a designated record set. Additionally, the proposed rule would have shortened the time period for which covered entities and business associates must account for disclosures (and provide an access report) to three years (instead of six years). However, the proposed rule would also have shortened the period of time which such entities have to respond to a request for an accounting (or for an access report) from 60 days to 30 days. We blogged about the proposed rule here, and issued an advisory which provides a section-by-section analysis of the proposed rule. The proposed rule generated significant comment, was criticized as impractical, and has not been finalized by OCR.

Alston & Bird’s Dominique Shelton Moderates Privacy Panel for Lex Mundi in Paris

October 3, 2014 | Posted by David Caplan | Topic(s): Advisories, Online Privacy, Privacy, Mobile Privacy

On September 26, 2014, Alston & Bird co-sponsored a privacy panel at the Lex Mundi IP conference in Paris, France. Moderated by Dominique Shelton, the panel featured speakers from Scripps Interactive Network, Roche Diagnostics, Jackel International, and GE.

Alston & Bird Health Care Advisory: HIPAA Audit Program Phase 2 Update

We have previously blogged about the U.S. Department of Health & Human Services HIPAA Audit Program, including the Audit Program pilot (November 30, 2011 and March 7, 2012), the release of the Office for Civil Rights (OCR) audit protocols (June 26, 2012), and the status of phase 2 of the Audit Program (February 26, 2014 and September 16, 2014). Today, Alston & Bird issued a Health Care ADVISORY on the status of Phase 2 of the HIPAA Audit Program, in which we discuss recent guidance from OCR on the HIPAA Audit Program and its status and provide some basic compliance reminders that may be useful in being prepared for a HIPAA audit. The Health Care ADVISORY can be found on our website at: and as a pdf at: HIPAA Audit Program Phase 2 Update.

Written by Paula Stannard, Counsel, Health Care | Alston & Bird LLP

New California Law Expands Data Security Requirements, SSN Protections and Breach Notification Obligations

On September 30, 2014, the Governor of California signed Assembly Bill 1710, which made three small but important changes to the state’s privacy laws.  The bill:  (1) amended California’s breach notification law to require that the notifying entities offer identity theft protection services to affected individuals in certain cases; (2) required California businesses that “maintain” personal information on state residents to adopt reasonable security procedures to protect that personal information (a requirement that previously only applied to businesses that own or license such data); and (3) amended the state’s Social Security Number (“SSN”) protection law to prohibit the sale or advertisement for sale of such numbers, with limited exception.  The bill will become effective January 1, 2015.  Having been the first state to enact a breach notification law, California continues to be at the cutting edge of state efforts to deal with cybersecurity.  

Laboratories Must Comply with New HIPAA Patient Access Rules by October 6, 2014

September 28, 2014 | Posted by Dempewolf, Julia | Topic(s): Health Privacy, Privacy, Health Insurance Portability and Accountability Act (HIPAA), Regulation

HIPAA covered laboratories and hospitals with laboratories subject to the Clinical Laboratory Improvement Amendments of 1988 (“CLIA”) must comply with changes to the HIPAA Privacy Rule that provide patients with direct access to laboratory test results by October 6, 2014. Earlier this year, the Centers for Medicare & Medicaid Services, the HHS Office for Civil Rights and the Centers for Disease Control and Prevention published a final rule amending the CLIA regulations and the HIPAA Privacy Rule to provide patients with greater access to their lab test results. As we previously blogged, patients may now request test reports directly from CLIA labs. As amended, the CLIA regulations, which are now effective, permit a CLIA lab to provide, upon request, a patient and/or his/her personal representative (and any person designated by the patient) with access to completed test reports that, using the lab’s authentication process, can be identified as belonging to that patient. Beginning October 6, 2014, the Privacy Rule amendments (which eliminated an exemption for PHI held by CLIA labs) require HIPAA covered CLIA labs to provide individuals and/or their personal representatives with access to protected health information (“PHI”) about the individual maintained in a designated record set under the Privacy Rule provisions establishing the individual’s right of access to PHI (“access rights”). Thus, the combination of the two provisions now requires most CLIA labs to provide test results (and any other PHI they maintain) when requested by the patient. Labs that are not covered by HIPAA may provide a patient and/or his/her personal representative (and any person designated by the patient) with access to completed test reports, but are not required to do so.
(For more information on the final rule and how the new requirements interact with the Privacy Rule’s requirements for verification of the identity and authority of those exercising the access right, please see our February 6, 2014 blog post referenced above.)

WP29 Announces a Common “Tool-Box” Approach to Handling of Complaints under the Right to be Forgotten

September 18, 2014 | Posted by Maki DePalo | Topic(s): European Union (EU), International, Privacy, Data Protection

On September 18, 2014, the Article 29 Working Party (the “WP29”) issued a press release, announcing that the European data protection authorities agreed on a common “tool-box” approach to handling complaints lodged due to search engines’ refusal to remove complainant’s entries from their search results.

HIPAA Audit Program Phase 2: Delayed

A representative of the U.S. Department of Health and Human Services’s Office for Civil Rights (OCR) has recently revealed that OCR has delayed the start of phase 2 of its HIPAA Audit Program – and has revised its plans for phase 2.

FTC Announces Final Agenda for September Big Data Workshop

September 10, 2014 | Posted by Barringer, Ty | Topic(s): Events, Federal Trade Commission (FTC), Big Data

The Federal Trade Commission has released a final program for its September workshop, “Big Data: A Tool for Inclusion or Exclusion?” During the workshop, speakers with a wide range of experience and expertise in the privacy field will present on the various issues and opportunities that arise from the relationship between big data and consumers.

HHS OIG Releases Report Regarding ONC’s Oversight of Testing and Certification of Electronic Health Records

The HHS Office of Inspector General (OIG) recently issued a report regarding the Office of the National Coordinator for Health Information Technology’s (ONC) oversight of electronic health record (EHR) testing and certification, “The Office of the National Coordinator for Health Information Technology’s Oversight of the Testing and Certification of Electronic Health Records.”

Kim Peretti authors Bloomberg BNA article on Cyber Threat Intelligence and Information Sharing

September 5, 2014 | Posted by Security Incident Management & Response Team | Topic(s): Data Security, Cybersecurity, Privacy

Kim Peretti, co-chair of the firm’s Security Incident Management & Response Team, authored (with contributions from associate Lou Dennig) the Bloomberg BNA article, “Cyber Threat Intelligence: To Share or Not to Share—What Are the Real Concerns?” In the article, Peretti discusses the importance of exchanging cyberthreat information and the concerns relating to information sharing, and provides guidance for companies on mitigating the potential risks of this information sharing.

Posted by Security Incident Management & Response Team | Alston & Bird LLP

Inside Counsel Talks Cybersecurity with Kim Peretti Ahead of WIPL Conference

September 5, 2014 | Posted by Security Incident Management & Response Team | Topic(s): Events, Cybersecurity, Cybercrime

Kim Peretti, a partner in the firm’s White Collar Crime Group, discussed cybersecurity and the upcoming Women, Influence & Power in Law Conference with Inside Counsel.

“From a legal standpoint, the risk exposure for a cyberattack has continued to rapidly increase,” and senior executives and board members play an important role in their company’s cybersecurity, said Peretti. “Senior management should know it’s not just an IT issue, it’s an enterprise risk and needs to be handled as all other enterprise risks. The board and senior executives should be involved in a company strategy before and after a breach in an oversight role.”

Peretti will be leading a panel on enterprise risk management at this year’s WIPL Conference in Washington, D.C. “In cybercrime, women are outnumbered by men, though more and more are entering the field,” she said. “It was a remarkable event last year, like no other event I know. It really brings everything together.”

Posted by Security Incident Management & Response Team | Alston & Bird LLP

Alston & Bird Hosting Event: The Evolving Cyber Insurance Market: Key Issues and Challenges

September 3, 2014 | Posted by Security Incident Management & Response Team | Topic(s): Events, Data Security, Cybersecurity, Privacy, Department of Homeland Security (DHS)

Kim Peretti, partner and co-chair of the firm’s Security Incident Management and Response Team, will moderate a panel discussion during this September 11 event. The featured speakers are Tom Finan, Senior Cybersecurity Strategist and Counsel with the U.S. Department of Homeland Security, and Sean Hyatt, counsel in the firm’s Litigation & Trial Practice Group and a member of the Insurance Litigation & Regulation Team.

FTC seeks public comment on AgeCheq Inc.’s application for approval of proposed verifiable parental consent method

On August 25, 2014, the Federal Trade Commission (“FTC”) issued a Federal Register notice to be published, announcing the FTC’s request for public comment on a proposed verifiable parental consent method. The method has been submitted for approval by AgeCheq, Inc. under the Children's Online Privacy Protection Act and the rules promulgated thereunder.
