On February 24, 2011, the Department of Health and Human Services Office for Civil Rights (“OCR”) announced a $1,000,000 Resolution Agreement with the General Hospital Corporation and Massachusetts General Physicians Organization Inc. (“Mass General”) that stemmed from the loss of protected health information (“PHI”) of 192 patients. A Mass General employee had left hard-copy records containing PHI on the subway in March 2009. The records originated from Mass General’s Infectious Disease Associates outpatient practice and included sensitive records discussing patients’ treatments for HIV/AIDS. After receiving a complaint from an affected patient, OCR conducted an investigation that demonstrated that Mass General had “failed to implement reasonable, appropriate safeguards to protect the privacy of PHI when removed from Mass General’s premises and impermissibly disclosed PHI potentially violating provisions of the HIPAA Privacy Rule.”

The Government of India’s Ministry of Communications & Information Technology has published three draft rules that would implement the Information Technology Act, 2000. These include: Reasonable Security Practices and Procedures and Sensitive Personal Information; Due Diligence Observed by Intermediaries Guidelines; and Guidelines for Cyber Cafe. The first two of these rules could affect international companies that provide digital services or process data in India. The comment period on the rules ends February 28, 2011.

On February 18, 2011, the European Network and Information Security Agency (“ENISA”), an advisory body created to enhance information security in the EU, announced the issuance of its report on cookies, entitled “Bittersweet cookies.  Some security and privacy considerations.”

On February 22, 2011, the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) imposed its first civil money penalty for an entity’s violation of HIPAA’s Privacy Rule.  In its Notice of Final Determination, OCR concluded that Cignet Health withheld patient records despite requests for their disclosure.  Of the $4.3 million penalty, $1.3 million was levied for denying patients access to their own medical records, while an additional $3 million was imposed due to Cignet’s failure to cooperate with OCR’s investigation as required by the Privacy Rule.  Increased penalty amounts were authorized by Section 13410(d) of the Health Information Technology for Economic and Clinical Health Act (the “HITECH” Act).

In our August 2009 blog post on data protection issues in China, we noted that there was no uniform Chinese law that specifically addresses the protection of personal data, and that it seemed likely that Chinese personal information protection law would continue to develop as a patchwork of piecemeal regulations. This remains true today, and developments since our previous article was published have in fact reinforced this assumption. In the past year and a half, new laws affecting personal information protection in China have arisen in various forms, including a consumer ...

On February 14, 2011, Senator Patrick Leahy (D-VT), Chairman of the Senate Judiciary Committee, announced the creation of a subcommittee on Privacy, Technology and the Law.  The subcommittee will be chaired by Senator Al Franken (D-MN), and its jurisdiction will include oversight of laws and policies that govern the commercial collection, use and dissemination of personal information.  Senator Franken said, “The boom of new technologies…has also put an unprecedented amount of personal information into the hands of large companies that are unknown and unaccountable to the ...

On February 10, 2011, the California Supreme Court ruled in Pineda v. Williams-Sonoma Stores, Inc. that ZIP codes are “personal identification information” under the state’s Song-Beverly Credit Card Act of 1971 (the “Credit Card Act”).  This finding effectively prohibits California businesses from requesting and recording cardholders’ ZIP codes during credit card transactions.

Reporting from Israel, legal consultant Dr. Omer Tene writes:

In a sweeping, 91-page decision issued last week, the Israeli National Labor Court severely restricted employers’ ability to monitor employee emails.  In its opinion, the Court made strong statements concerning the suspect nature of employee consent and mandated the implementation of principles of legitimacy, transparency, proportionality, purpose limitation, access, accuracy, confidentiality and security.  The Court stated that, given the constitutional status of the right to privacy, exemptions to the Privacy Protection Act, 1981, must be interpreted narrowly.

On February 8, 2011, the German Federal Commissioner for Data Protection and Freedom of Information issued a concept paper setting forth concrete suggestions for the creation of a Data Protection Foundation (the “Foundation”). The German government has reserved a budget of €10 million to establish the Foundation, which it plans to do in 2011.

On February 10, 2011, Representative Bobby Rush (D-Ill.) re-introduced the BEST PRACTICES Act (H.R. 611), which aims to provide consumers with meaningful choices about the collection, use and disclosure of their personal information. As we reported last year, Rush initially introduced the BEST PRACTICES Act in July 2010.  H.R. 611 contains no substantive changes to the original legislation (H.R. 5777), and does not include a Do Not Track mechanism.

In a press release issued today, Rush stated that he does not oppose Do Not Track, contending that “[i]n fact, in order for ...
