Latest HIPAA News

Emergency Directives Issued by CISA and OCR to Mitigate Critical Windows Vulnerabilities

Microsoft has issued patches for several critical vulnerabilities in all supported Windows versions that require urgent attention to prevent exploitation. While there have been no reports of exploitation of the flaws in the wild, the seriousness of the vulnerabilities and their potential to be weaponized has prompted both the Department of Homeland Security (DHS) and the Department of Health and Human Services (HHS) to issue emergency directives about the vulnerabilities.

One of the vulnerabilities was discovered by the National Security Agency (NSA), which took the unusual step of reporting the vulnerability to Microsoft. This is the first time that a vulnerability has been reported by the NSA to a software vendor.

Windows CryptoAPI Vulnerability Requires Immediate Patching

The NSA-discovered vulnerability, tracked as CVE-2020-0601, affects Windows 10 and Server 2016/2019 systems. The vulnerability is due to how the Windows CryptoAPI validates Elliptic Curve Cryptography (ECC) certificates. The flaw would allow a remote attacker to sign malicious code with an ECC certificate to make it appear that the code has been signed by a trusted organization.

The vulnerability could also be exploited in a man-in-the-middle attack. Malicious certificates could be issued for a hostname that did not authorize it and applications and browsers that rely on the Windows’ CryptoAPI would not issue any warnings or alerts. A remote attacker could exploit the flaw and decrypt, modify, or inject data on user connections undetected.

There are no reported cases of exploitation of the vulnerability, but the NSA believes it will not take long for advanced persistent threat (APT) groups to understand the underlying flaw and weaponize the vulnerability, hence the decision to report the flaw to Microsoft.

According to the NSA, “The consequences of not patching the vulnerability are severe and widespread. Remote exploitation tools will likely be made quickly and widely available. Rapid adoption of the patch is the only known mitigation at this time and should be the primary focus for all network owners.”

Critical RCE Vulnerabilities in Windows Remote Desktop

Three pre-authentication vulnerabilities in Windows Remote Desktop have been patched by Microsoft. Two of the vulnerabilities – CVE-2020-0609 and CVE-2020-0610 – could allow a remote attacker to connect to servers and remotely execute arbitrary code without any user interaction. After exploiting the flaws they could install programs, view, change, or delete data, or create new accounts with full admin rights. The flaws could be exploited by sending a specially crafted request to a vulnerable server.

The third vulnerability – CVE-2020-0612 – could be exploited in a similar fashion and could allow an attacker to perform a denial of service attack and crash the RDP system.

The vulnerabilities are present in the RDP Gateway Server and Windows Remote Desktop Client and affect all supported versions of Windows and Windows Server.

Emergency Directives Issued by DHS and OCR

The Department of Homeland Security has determined the vulnerabilities to pose an unacceptable risk to the Federal enterprise and has issued an emergency directive (20-02) to all federal agencies calling for the patches to be applied on all affected endpoints within 10 business days and for technical and/or management controls to be put in place for newly provisioned or previously disconnected endpoints.

The seriousness of the vulnerabilities has prompted the HHS’ Office for Civil Rights to issue an emergency directive of its own to the healthcare industry and public sector. All healthcare and public health entities have been advised to apply the patches as soon as possible to ensure the vulnerabilities are not exploited.

The post Emergency Directives Issued by CISA and OCR to Mitigate Critical Windows Vulnerabilities appeared first on HIPAA Journal.

Survey Reveals HIPAA Compliance Issues with Group Health Plan Sponsors

Many group health plan sponsors are not fully compliant with the Health Insurance Portability and Accountability Act Rules, according to a recent survey by the integrated HR and benefits consulting, technology, and administration services firm, Buck.

The survey uncovered several areas where group health plan sponsors are noncompliant and revealed many group health plan sponsors are not prepared for a compliance investigation or HIPAA audit.

The 2019 HIPAA Readiness Survey was conducted between April 29, 2019 and May 17, 2019 on 31 group health plan sponsors.

The survey uncovered several areas where important provisions of HIPAA Rules are not fully understood or are not being followed such as risk analyses, business associate agreements, HIPAA training for staff, and breach notifications.

Risk analyses are not being conducted as frequently as they should, so threats to the confidentiality, integrity and availability of ePHI may not be identified and managed. 42% of respondents were unsure when a HIPAA-compliant risk assessment was last conducted or that said it was last conducted more than 5 years ago. 10% said the last time a risk/threat analysis was conducted was more than 5 years ago.

Business associate agreements were another area where survey respondents highlighted potential HIPAA failures. 33% of respondents had not created an inventory of their business associates or were unaware whether an inventory had been created. 16% of respondents said they did not have current business associate agreements for certain vendors or were unaware if current BAAs had been obtained. 3% said they do not have current business associate agreements in place.

45% of respondents said privacy and security policies were updated in the past year, but 45% said they were updated between 1 and 5 years ago, and 3% said they had not been updated for at least 5 years.

Almost three quarters of respondents had prepared for breaches and had developed breach notification polices. 10% of respondents said they did not have policies in place covering breach notifications and 16% were unsure if they had policies covering breach notifications.

Refresher HIPAA training sessions are required to ensure employees are reminded of the importance of HIPAA compliance and understand their responsibilities under HIPAA. More than a third of respondents (35%) had last been offered HIPAA training between one and five years ago, with 13% admitting that HIPAA training was not ongoing and was only provided when onboarding staff. One in ten respondents said they did not know when training on HIPAA was last provided to employees.

Privacy and security policies and procedures must be implemented, but it is essential that those policies are followed by employees. To determine whether that is the case, operational reviews are required. These reviews show whether day-to-day working practices are HIPAA compliant. 23% of respondents said they had not conducted an operational review and 43% of respondents did not know if a review had been conducted.

In the event of a data breach, complaint, or audit, HIPAA failures are likely to be uncovered, which could easily result in a financial penalty for noncompliance. To avoid financial penalties, it is essential for group health plan sponsors to be fully aware of the requirements of HIPAA, have compliant policies and procedures in place, and to regularly assess their compliance efforts and ensure that, in the event of an audit, compliance can be demonstrated.

The post Survey Reveals HIPAA Compliance Issues with Group Health Plan Sponsors appeared first on HIPAA Journal.

Georgia Man Charged Over False Allegations of HIPAA Violations

A Georgia man has been charged over an elaborate scheme to frame an acquaintance for violations of the Health Insurance Portability and Accountability Act (HIPAA) that never occurred.

Jeffrey Parker, 43, of Richmond Hill, GA, claimed he was a whistleblower reporting HIPAA violations by a nurse. He reported the violations to the hospital where the person worked, and complaints also sent to the Department of Justice (DoJ) and the Federal Bureau of Investigation (FBI). Parker was also interviewed by Fox28Media in October 2018 and told reporters that the nurse had been violating HIPAA privacy laws for an extensive period.

The nurse worked at an unnamed hospital in Savannah, GA, which was part of a health system that also operated healthcare facilities in Nashville, TN and other areas. She was alleged to have emailed graphic photographs of patients with traumatic injuries such as gunshot wounds to other individuals outside the hospital. In the Fox28Media interview Parker explained that the sharing of images between employees and other individuals had been going on for a long time.

Parker requested that his identity remain hidden out of fear for his personal safety. He also claimed he had received threats as a result of reporting the HIPAA violations.

In additions to claiming the nurse had violated HIPAA, Parker set up email accounts using the names of real hospital employees. Those email accounts were used to send further reports of HIPAA violations to the hospital as well as the DoJ and the FBI to make it appear that the nurse’s co-workers were also reporting HIPAA violations.

The FBI responded quickly to the threats over his personal safety and interviewed Parker about the alleged crimes. An FBI agent found inconsistencies in Parker’s story and, upon further questioning, Parker admitted making false statements and creating the email addresses to support his story. According to the Fox28Media story, the nurse was a former lover of Parker.

“Falsely accusing others of criminal activity is illegal, and it hinders justice system personnel with the pursuit of unnecessary investigations,” said U.S. Attorney Bobby L. Christine. “This fake complaint caused a diversion of resources by federal investigators, as well as an unnecessary distraction for an important health care institution in our community.”

Parker was charged with one count of false statements by the U.S. Attorney for the Southern District of Georgia. Parker now faces up to five years imprisonment for the crime.

“Hopefully the quick uncovering of this alleged scheme by our investigators will send a message that these types of actions will be exposed, and justice will be served,” said Chris Hacker, Special Agent in Charge of FBI Atlanta.

The post Georgia Man Charged Over False Allegations of HIPAA Violations appeared first on HIPAA Journal.

DHS Warns of Critical Citrix Vulnerability Being Exploited in the Wild

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about a recently discovered vulnerability in the Citrix Application Delivery Controller and Citrix Gateway web server appliances.

Exploitation of the vulnerability – tracked as CVE-2019-19781 – is possible over the internet and can allow remote execution of arbitrary code on vulnerable appliances. Exploitation of the flaw would allow a threat actor to gain access to the appliances and attack other resources connected to the internal network. Some security researchers have described the bug as one of the most dangerous to be discovered in recent years.

The alert, issued on January 8, 2019, urges all organizations using the affected Citrix appliances (formerly NetScaler ADC and NetScaler Gateway) to apply mitigations immediately to limit the potential for an attack, and to apply the firmware updates as soon as they are released later this month.

Two proof of concept exploits have already been published on GitHub which makes exploitation of the flaws trivial. Scans for vulnerable systems have increased since the publication of the exploits on Friday by Project Zero India and TrustedSec and attacks on honeypots setup by security researchers have increased in frequency over the weekend.

Worldwide there are approximately 80,000 companies in 158 countries that need to apply mitigations to correct the vulnerabilities. Approximately 38% of vulnerable organizations are located in the United States.

The flaws are present in all supported versions of the Citrix Application Delivery Controller and Citrix Gateway web server – versions 13.0, 12.1, 12.0, 11.1, and 10.5 – which include Citrix NetScaler ADC and NetScaler Gateway.

The path traversal bug was discovered by UK security researcher Mikhail Klyuchnikov who reported it to Citrix. The flaw can be exploited over the internet on a vulnerable appliance without the need for authentication. All that is required to exploit the flaw is to find a vulnerable appliance and send a specially crafted request along with the exploit code.   The bug is being referred to as Shitrix by security researchers on cybersecurity forums.

Currently there is no patch available to correct the flaw. Citrix will be issuing a firmware upgrade later this month to correct the vulnerability, which is currently scheduled for release on January 20, 2020 for firmware versions 11.1 and 12.0, January 27, 2020 for versions 12.1 and 13.0, and January 31, 2020 for version 10.5.

In the meantime, it is essential for configuration changes to be applied to make it harder for the vulnerability to be exploited. These can be found on Citrix Support Page CTX267679.

Since the flaw is currently under active attack, after applying mitigations it is important to check to make sure the flaw has not already been exploited.

TrustedSec, which held back on publishing its PoC exploit code until an exploit had already been released on GitHub, has developed a tool that can be used to identify vulnerable Citrix instances on networks and has published potential indicators of compromised Citrix hosts.

The post DHS Warns of Critical Citrix Vulnerability Being Exploited in the Wild appeared first on HIPAA Journal.

FBI Issues Alert as Maze Ransomware Attacks Increase in the U.S.

Last week, the Federal Bureau of Investigation (FBI) issued a flash alert warning private companies in the United States about the threat of attacks involving Maze ransomware. The warning came just a few days after the FBI issued an alert about two other ransomware variants, LockerGoga and MegaCortex.

The Maze ransomware TLP: Green warning is not intended for public distribution as it provides technical details about the attacks and indicators of compromise which can be used by private firms to prevent attacks. If published in the public domain, it could aid the attackers.

In the alert, victims of Maze ransomware attacks were urged to share information with the FBI as soon as possible to help its agents trace the attackers and bring them to justice.

Maze ransomware was first identified in early 2019, but it was not until November 2019 when the first attacks hit companies in the United States. Those attacks have been increasing in recent weeks.

When network access is gained, data is exfiltrated prior to file encryption. A ransom demand is then issued specific to the organization. The attackers claim they will supply the keys to decrypt files and will destroy all data they stole in the attack. The attackers warn their victims that if payment is not made before the deadline is reached, they will start publishing the stolen data.

Maze ransomware was used in a recent attack on the City of Pensacola. When the ransom was not paid the attackers started publishing the stolen data. In December, the Carrollton, GA-based wire and cabling firm, Southwire, was attacked with Maze ransomware. An 850 BTC ($6 million) ransom demand was issued for the keys to decrypt files. The attackers said they had stolen data and threatened to publish it if the ransom was not paid. When no payment was received, the attackers created a website with an Irish ISP and started publishing the data.

Southwire successfully obtained a court injunction in Ireland forcing the ISP to take down the website that was being used by the Maze gang to publish its data. That website is now offline. Southwire also filed a lawsuit against the hackers in federal court in Georgia. Southwire alleges violations of the U.S. Computer Fraud and Abuse Act and is seeking injunctive relief and damages. Since the attackers are unknown, the lawsuit was filed against ‘John Doe.’

According to CyberScoop, which obtained a copy of the FBI alert, the threat actors use a variety of methods to attack businesses, including malicious cryptocurrency websites, malspam and phishing campaigns impersonating government agencies and security vendors, and ransomware downloads via exploit kits such as Fallout.

The FBI has urged private companies in the United States to heed its warning and take steps to strengthen their defenses and address vulnerabilities. In the event of an attack, the FBI does not recommend paying the ransom as there is no guarantee that valid keys to decrypt data will be supplied or that the stolen data will be destroyed.

The post FBI Issues Alert as Maze Ransomware Attacks Increase in the U.S. appeared first on HIPAA Journal.

HIPAA Enforcement in 2019

It has been another year of heavy enforcement of HIPAA compliance. HIPAA enforcement in 2019 by the Department of Health and Human Services’ Office for Civil Right (OCR) has resulted in 10 financial penalties. $12,274,000 has been paid to OCR in 2019 to resolve HIPAA violation cases.

2019 saw one civil monetary penalty issued and settlements were reached with 9 entities, one fewer than 2018. In 2019, the average financial penalty was $1,022,833.

HIPAA Enforcement in 2019 by the HHS' Office for Civil Rights


Particularly egregious violations will attract financial penalties, but some of the HIPAA settlements in 2019 provide insights into OCRs preferred method of dealing with noncompliance. Even when HIPAA violations are discovered, OCR prefers to settle cases through voluntary compliance and by providing technical assistance. When technical assistance is provided and covered entities fail to act on OCR’s advice, financial penalties are likely to be issued.

This was made clear in two of the most recent HIPAA enforcement actions. OCR launched compliance investigations into two covered entities after being notified about data breaches. OCR discovered in both cases that HIPAA Rules had been violated. OCR chose to provide technical assistance to both entities rather than issue financial penalties, but the covered entities failed to act on the guidance and a financial penalty was imposed.

Sentara Hospitals disagreed with the guidance provided by OCR and refused to update its breach report to reflect the actual number of patients affected. West Georgia Ambulance was issued with technical guidance and failed to take sufficient steps to address the areas of noncompliance identified by OCR.

If you are told by OCR that your interpretation of HIPAA is incorrect, or are otherwise issued with technical guidance, it pays to act on that guidance quickly. Refusing to take corrective action is a sure-fire way to guarantee a financial penalty, attract negative publicity, and still be required to change policies and procedures in line with the guidance.

There were two important HIPAA enforcement updates in 2019. OCR adopted a new interpretation of the Health Information Technology for Economic and Clinical Health (HITECH) Act’s requirements for HIPAA penalties and a new enforcement initiative was launched.

The HITECH Act of 2009 called for an increase in the penalties for HIPAA violations. On January 25, 2013, the HHS implemented an interim final rule and adopted a new penalty structure. At the time it was thought that there were inconsistencies in the language of the HITECH Act with respect to the penalty amounts. OCR determined that the most logical reading of the HITECH Act requirements was to apply the same maximum penalty of $1,500,000 per violation category, per calendar year to all four penalty tiers.

In April 2019, OCR issued a notice of enforcement discretion regarding the penalties. A review of the language of the HITECH Act led to a reduction in the maximum penalties in three of the four tiers. The maximum penalties for HIPAA violations were changed to $25,000, $100,000, and $250,000 for penalty tiers, 1, 2, and 3. (subject to inflationary increases).

2019 saw the launch of a new HIPAA Right of Access enforcement initiative targeting organizations who were overcharging patients for copies of their medical records and were not providing copies of medical records in a timely manner in the format requested by the patient.

The extent of noncompliance was highlighted by a study conducted by Citizen Health, which found that 51% of healthcare organizations were not fully compliant with the HIPAA Right of Access. Delays providing copies of medical records, refusals to send patients’ PHI to their nominated representatives or their chosen health apps, not providing a copy of medical records in an electronic format, and overcharging for copies of health records are all common HIPAA Right of Access failures.

The two HIPAA Right of Action settlements reached so far under OCR’s enforcement initiative have both resulted in $85,000 fines. With these enforcement actions OCR is sending a clear message to healthcare providers that noncompliance with the HIPAA Right of Access will not be tolerated.

Right of Access violations aside, the same areas of noncompliance continue to attract financial penalties, especially the failure to conduct a comprehensive, organization-wide risk analysis. 2019 also saw an increase in the number of cited violations of the HIPAA Breach Notification Rule.

HIPAA Compliance Issues Cited in 2019 Enforcement Actions

Noncompliance Issue Number of Cases
Risk Analysis 5
Breach Notifications 3
Access Controls 2
Business Associate Agreements 2
HIPAA Right of Access 2
Security Rule Policies and Procedures 2
Device and Media Controls 1
Failure to Respond to a Security Incident 1
Information System Activity Monitoring 1
No Encryption 1
Notices of Privacy Practices 1
Privacy Rule Policies and Procedures 1
Risk Management 1
Security Awareness Training for Employees 1
Social Media Disclosures 1

OCR’s HIPAA enforcement in 2019 also clearly demonstrated that a data breach does not have occurred for a compliance investigation to be launched. OCR investigates all breaches of 500 or more records to determine whether noncompliance contributed to the cause of a breach, but complaints can also result in an investigation and compliance review. That was the case with both enforcement actions under the HIPAA Right of Access initiative.


The post HIPAA Enforcement in 2019 appeared first on HIPAA Journal.

Ambulance Company Settles HIPAA Violation Case with OCR for $65,000

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced a $65,000 settlement has been reached with West Georgia Ambulance, Inc., to resolve multiple violations of Health Insurance Portability and Accountability Act Rules.

OCR launched an investigation into the Carroll County, GA ambulance company after being notified on February 11, 2013 about the loss of an unencrypted laptop computer containing the protected health information of 500 patients. According the breach report, the laptop computer fell from the rear bumper of the ambulance and was not recovered.

The investigation uncovered longstanding noncompliance with several aspects of the HIPAA Rules. OCR discovered West Georgia Ambulance had not conducted a comprehensive, organization-wide risk analysis (45 C.F.R. § 164.308(a)(1)(ii)(A)), had not implemented a security awareness training program for its employees (45 C.F.R. § 164.308(a)(5)), and had failed to implement HIPAA Security Rule policies and procedures (45 C.F.R. § 164.316.).

OCR provided technical assistance to West Georgia Ambulance to help the firm address its compliance failures, but despite that assistance, OCR said no meaningful steps were taken to address the areas of noncompliance. A financial penalty was therefore warranted.

In addition to paying the $65,000 financial penalty, West Georgia Ambulance is required to adopt a corrective action plan to address all areas of noncompliance discovered by OCR during the investigation. OCR will also be scrutinizing West Georgia Ambulance’s HIPAA compliance program for two years to ensure HIPAA Rules are being followed.

“The last thing patients being wheeled into the back of an ambulance should have to worry about is the privacy and security of their medical information,” said OCR Director Roger Severino. “All providers, large and small, need to take their HIPAA obligations seriously.”

This is the 10th OCR HIPAA financial penalty of 2019. In total, $12,274,000 has been paid to OCR in 2019 to resolve noncompliance issues.

The post Ambulance Company Settles HIPAA Violation Case with OCR for $65,000 appeared first on HIPAA Journal.

FBI Issues Warning Following Spate of LockerGaga and MegaCortex Ransomware Attacks

The FBI has issued a TLP:Amber alert in response to a spate of cyberattacks involving the ransomware variants LockerGaga and MegaCortex. The threat actors using these ransomware variants have been targeting large enterprises and organizations and typically deploy the ransomware several months after a network has been compromised.

LockerGaga was first detected in January 2019 and MegaCortex ransomware first appeared in May 2019. Both ransomware variants exhibit similar IoCs and have similar C2 infrastructure and are both used in highly targeted attacks on large corporate networks.

LockerGaga was used in the ransomware attacks on the U.S. chemical companies Hexion and Momentive, the aluminum and energy company Norsk Hydro, and the engineering consulting firm, Altran Technologies. MegaCortex ransomware was used in the attacks on the accounting software firm Wolters Kluwer and the cloud hosting firm iNSYNQ, to name but a few. The threat actors are careful, methodical, and attempt to cause maximum damage to increase the probability that their victim’s will pay. The ransom demands are often of the order of hundreds of thousands of dollars or more.

The initial compromise is achieved through a variety of methods including the exploitation of unpatched vulnerabilities, phishing attacks, SQL injection, brute force tactics on RDP, and the use of stolen credentials. Once compromised, the attackers run batch files to stop processes and services used by security solutions to ensure their presence is not detected. The attackers move laterally to compromise as many devices as possible using a penetration testing tool named Cobalt Strike, living-of-the-land Windows binaries, and legitimate software tools such as Mimikatz. A beacon is added to each compromised device on the network, which is used to execute PowerShell scripts, escalate privileges, and spawn a new session to act as a listener on the victim’s system, according to the FBI warning, as reported by Bleeping Computer which obtained a copy of the alert.

In contrast to many other threat actors who deploy ransomware soon after a system is compromised, the threat actors behind these attacks often wait several months before the ransomware encryption routine is triggered. It is unclear what the threat actors do during that time, but it is likely the time is used to steal sensitive data. The ransomware is deployed in the final stage of the attack once all useful data has been obtained from the victims.

The advice offered by the FBI to improve defenses is standard for preventing ransomware and other cyberattacks. Cybersecurity best practices should be followed, including backing up data regularly; storing backup copies on non-networked devices; testing backups to ensure file recovery is possible; setting strong passwords; patching promptly; enabling multi-factor authentication, especially on admin accounts; ensuring RDP servers can only be accessed via a VPN; disabling SMBv1; and to scan for open ports and block them to prevent them from being accessible.

The FBI also recommends auditing the creation of new accounts and monitoring Active Directory for changes to authorized users; enabling PowerShell logging and monitoring for unusual commands, including the execution of Base64 encoded PowerShell; and ensuring only the latest version of PowerShell is installed.

The post FBI Issues Warning Following Spate of LockerGaga and MegaCortex Ransomware Attacks appeared first on HIPAA Journal.

Discussion Draft of Federal Data Privacy Bill Released by House Energy and Commerce Committee

A discussion draft of a new bipartisan data privacy bill has been released by the House Energy and Commerce Committee. The bill calls for national standards for privacy and security and would place restrictions on the collection, use, and retention of consumer data by U.S. businesses.

The draft legislation calls for all businesses to have a privacy program and to publish a privacy policy, written in clear language, which explains what data will be collected, how it will be used, how long it will be retained, and with whom consumer information will be shared.

Data security measures would also need to be implemented, which should be appropriate for the size of the business and the nature and complexity of data activities. In the event of a breach of consumer information, businesses would be required to report the breach to the Federal Trade Commission.

The Federal Trade Commission has been tasked with creating a Bureau of Privacy which would be responsible for developing rules, issuing guidance, and enforcing compliance. The FTC would also need to set a data retention time frame and create rules covering the disclosure of personal information to third parties.

The bill would give consumers much greater control over their personal data and how it can be used by businesses. Consumers will have the right to view and correct their data, control who can access their personal information, and request that businesses delete their personal information.

To help consumers find out which businesses have their personal information, the draft legislation calls for the creation of a centralized repository of data brokers. Consumers could use that repository and find out who holds a copy of their data and find out how they can exercise their right to access that data, make corrections, and arrange for their personal data to be deleted.

“This draft seeks to protect consumers while also giving data collectors clear rules of the road. It reflects many months of hard work and close collaboration between Democratic and Republican Committee staff,” explained a spokesperson for the Energy and Commerce Committee.

The release follows a Senate Commerce Committee hearing in which two data privacy bills proposed by Senate Commerce Committee Chairman, Roger Whicker (R-Miss) and Senator Maria Cantwell (D-Wash) were discussed. Both camps could not reach a consensus on what should be included in the bill, but it was agreed that the only way forward was for bipartisan legislation to be passed.

Two of the sticking points from the competing bills was whether the federal privacy bill should preempt state laws and if a private cause of action should be included. Sen. Cantwell’s bill calls for a private cause of action to allow consumers to sue companies for privacy violations, which is opposed by Congressman Wicker. Wicker’s bill calls for the new federal privacy law to replace state laws, whereas Sen. Cantwell wants state laws to be retained to provide greater protection for consumers. The discussion draft of the bill avoids both of these issues.

Feedback is being sought from industry stakeholders on the draft legislation. Comments will be accepted until the middle of January 2020.

The post Discussion Draft of Federal Data Privacy Bill Released by House Energy and Commerce Committee appeared first on HIPAA Journal.