Category Archives: Workplace Privacy

DOJ Issues Data Breach Guidance

On Wednesday, April 29, 2015, the Department of Justice Computer Crime and Intellectual Property Section (CCIPS) Cybersecurity Unit issued new, detailed guidance on data breach incident response best practices. The document was announced at an invitation-only round table hosted by DOJ and provides guidance on what DOJ regards as “best practices for victims and potential victims to address the risk of data breaches, before, during and after cyber-attacks and intrusions.” The document was prepared with input from federal prosecutors as well as private sector companies that experienced cybersecurity [...]

HHS Issues Guidance on HIPAA and Workplace Wellness Programs

On Thursday, April 16, 2015, the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) issued guidance, consisting of two frequently asked questions (FAQs), on the application of the HIPAA Privacy, Security, and Breach Notification Rules to workplace wellness programs. HHS explains in one of the FAQs that the application of HIPAA to workplace wellness programs depends on whether the wellness program is offered as part of a group health plan for employees, or if it is offered independent of such a group health plan. If the wellness program is offered as a part [...]

Webinar: Advising the C-Suite and Boards of Directors on Cybersecurity

On February 11, 2015, Alston & Bird hosted a webinar entitled “Advising the C-Suite and Boards of Directors on Cybersecurity.” Panelists included Alston & Bird attorneys Jessica Corley, Scott Ortwein and Kim Peretti, with Jim Harvey as the moderator. The cybersecurity legal landscape is rapidly unfolding due to the large number of companies whose systems, data, and assets are networked and connected to the internet, as well as the surge of unprecedented attacks. Cybersecurity is no longer solely a concern for a company’s CIO or CISO, but also a concern for all members of the C-suite [...]

HIPAA Audit Program Phase 2: Delayed

A representative of the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) has recently revealed that OCR has delayed the start of phase 2 of its HIPAA Audit Program – and has revised its plans for phase 2.

Previous Plans for Phase 2

Earlier this year, OCR had announced that phase 2 of the Audit Program would begin this year and would target specific high-risk issues. It had indicated that, beginning this past summer, it would conduct a pre-audit survey of 800 covered entities and 400 business associates, to determine suitability for the OCR HIPAA Audit Program. [...]

HIPAA Audit Program Returning?

We previously blogged about the Office for Civil Rights’ (OCR) HIPAA Privacy, Security and Breach Audit Program (HIPAA Audit Program) on November 30, 2011, March 7, 2012, and June 26, 2012. On Monday, OCR published a notice in the Federal Register in which it essentially announces the return of its HIPAA Audit Program. In the notice, OCR announces that it plans to submit a new information collection request (ICR) – a HIPAA Audit Program survey – to the Office of Management and Budget (OMB) for approval under the Paperwork Reduction Act of 1995, and seeks comments on the proposed survey [...]

New HHS OIG Report Raises Concerns about Oversight and Enforcement of HIPAA Security Rule

On Wednesday, December 4, 2013, the HHS Office of Inspector General (OIG) issued a report raising concerns about the adequacy of the HHS Office for Civil Rights’ (OCR) oversight and enforcement of HIPAA’s Security Rule. The Security Rule establishes the administrative, physical, and technical safeguards that covered entities and their business associates are required to implement in order to ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI). The HITECH Act requires HHS to conduct periodic audits of covered entities to ensure compliance [...]

Gov. Christie Signs Revised Social Media Privacy Bill

August 29, 2013 – After initially vetoing legislation in May, New Jersey Governor Chris Christie today signed into law legislation that will prohibit employers from requiring job applicants or current workers to provide their user names and passwords for social media sites. In doing so, New Jersey becomes the twelfth state to enact such a measure. The law goes into effect December 1, 2013. After Christie’s veto, the bill was revised to, among other things, remove language that allowed employees to bring civil actions for alleged violations. Instead, employees can report violations [...]

HHS/OCR Posts HIPAA Privacy, Security and Breach Notification Audit Protocol

In our November 30, 2011 and March 7, 2012 posts, we discussed the HHS Office for Civil Rights (OCR) audit pilot program, which began in November 2011 and is expected to conclude in December 2012. The audit program has been developed pursuant to the requirements of the HITECH Act. Under the audit pilot program, OCR conducted an initial 20 audits, with on-site field work completed in March 2012. It will conduct an additional 95 audits as part of the pilot program, for a total of 115 audits through December 2012. Today, OCR released on its website the comprehensive audit protocol that it developed [...]