Latest HIPAA News

Early Bird Registration For National HIPAA Summit 2024 Ends 22nd December

The National HIPAA Summit is a leading forum on healthcare EDI, privacy, cybersecurity, and HIPAA compliance.

The 22nd December deadline for early bird registration for the Virtual 41st National HIPAA Summit is fast approaching. HIPAA Journal readers can also receive $100 off the registration fee by entering “HIPAAJournal” on the registration page. (This is not a sponsored post, paid sponsorship, or affiliate link.)

HIPAA Summit

The event provides a tremendous opportunity for learning through HIPAA workforce training sessions and keynote speeches from top government officials and leading industry professionals. You can download a PDF of the HIPAA Summit Agenda here.

Attendees will gain valuable insights into health information privacy, healthcare cybersecurity, HIPAA enforcement, and a wealth of information to help them maintain HIPAA compliance and take healthcare data privacy and security to the next level.

This year, the HIPAA Summit is being co-chaired by:

  • Adam Greene, JD, MPH – Partner and Co-chair, Health Information & HIPAA Practice, Davis Wright Tremaine LLP, HIPAA Summit Distinguished Service Award Winner, Former Senior Health Information Technology and Privacy Specialist, Office for Civil Rights, HHS, Washington, DC
  • Kirk J. Nahra, JD – Partner and Co-chair of the Privacy and Cybersecurity Practice, Wilmer Hale, Adjunct Professor, American University Washington College of Law, Washington, DC
  • Iliana Peters, JD, LLM – Shareholder, Polsinelli, Former Acting Deputy Director, Health Information Privacy, Office for Civil Rights, US Department of Health and Human Services, Washington, DC
  • Robert M. Tennant, MA – Vice President, Federal Affairs, Workgroup for Electronic Data Interchange (WEDI); Former Director, HIT Policy, Medical Group Management Association; Washington, DC

Government Keynote Speakers

  • Nicholas Heesters, MEng, JD, CIPP – Senior Advisor for Cybersecurity, Office for Civil Rights, US Department of Health and Human Services, Philadelphia, PA
  • Melanie Fontes Rainer, MSME, JD – Director, Office for Civil Rights, HHS; Former Senior Advisor, Healthcare to Attorney General, CA DOJ; Former Chief of Staff, Medicare-Medicaid Coordination Office, Centers for Medicare & Medicaid Services, Washington, DC
  • J. Ronnie Solomon, JD – Attorney, Division of Privacy and Identity Protection, Federal Trade Commission, Washington, DC
  • Micky Tripathi, MPP, PhD – National Coordinator for Health Information Technology, US Department of Health and Human Services; Affiliate, Berkman Klein Center for Internet & Society, Harvard University, Washington, DC


The post Early Bird Registration For National HIPAA Summit 2024 Ends 22nd December appeared first on HIPAA Journal.

Editorial: Benefits of HIPAA for Healthcare Organizations

One of the problems with developing legislation for the entire healthcare industry is that rules must be written for organizations of different sizes, with vastly different business models, budgets, staffing levels, and capabilities. Rules need to be sufficiently flexible to accommodate this variety and be appropriate for all organizations and their unique operating structures.

One of the challenges with developing HIPAA was to create rules that would correct inefficiencies and get the healthcare system working more harmoniously. They also needed to stand the test of time and be flexible enough to accommodate changes that could not be envisaged when the legislation was signed into law. When the Privacy and Security requirements were introduced, they needed to be specific enough to serve as a practical framework for healthcare organizations to follow yet be flexible enough to account for changes in technology and operating practices over time.

This was vital as the process of updating legislation is simply too slow to allow for regular changes to be made. The HHS needs to issue a request for information to find out what needs to change, process the feedback, then a notice of proposed rulemaking, review the comments on the proposed changes, pen the final rule, issue that rule, and provide sufficient time for healthcare organizations to comply with the changes. That process spans several years, yet working practices evolve and new technology is constantly being introduced.

The way that HIPAA needed to be written has naturally led to the legislation receiving a lot of criticism. HIPAA has been criticized for having too many requirements and also not enough in certain areas, and for being too inflexible and difficult to interpret, and challenging to comply with. Despite the challenges of compliance and the gaps in HIPAA, the legislation has provided many benefits for healthcare organizations, healthcare professionals, patients, and health plan members. The legislation is far from perfect and HIPAA is in desperate need of updating – new HIPAA regulations will soon be introduced – but in its current form, the benefits of this important legislative act far outweigh any disadvantages.

In this article – and the next two in the series – I will explain the benefits of HIPAA and how the proposed Privacy Rule changes will help to address some of the current pain points and should significantly improve HIPAA for healthcare organizations, their employees, patients and members. You can read about the benefits of HIPAA for healthcare professionals here.

How HIPAA has Benefited Healthcare Organizations

HIPAA was signed into law more than 25 years ago in 1996 before many current healthcare workers had even been born. For those in the industry old enough to remember, at that time there was a desperate need to improve efficiency in the healthcare industry, as a huge amount of time and effort was wasted on inefficient manual processes, the cost of which was driving up the cost of healthcare at an unsustainable level.

HIPAA improved efficiency by standardizing healthcare transactions across the industry, including requiring all healthcare organizations to use the same standard code sets and follow standard administrative practices. Not only did the standards introduced by the HIPAA Administrative Simplification Rules help to eliminate waste and reduce the administrative burden on healthcare organizations, they have also helped to improve patient safety by reducing the potential for medical errors, since it is easier to match records with the right patients. Before the introduction of HIPAA, healthcare fraud was rife and was costing the healthcare industry around $7 billion a year. The standardization of healthcare transactions has helped to significantly reduce fraud.

The introduction of the HIPAA Privacy, Security, and Breach Notification Rules brought many benefits to healthcare organizations, but also some of the biggest pain points for HIPAA-covered entities. These updates required considerable changes to working practices and came with a significant administrative burden. HIPAA set clear – and sometimes not so clear – rules on how health information can be used and disclosed, how health information must be handled, and the policies and procedures that need to be implemented to ensure the confidentiality, integrity, and availability of protected health information. The HIPAA Privacy Rule has empowered patients to take a much more active role in their healthcare, allowing them to check their medical records for errors and get any errors corrected. This has helped to reduce the risk of medical errors and improve patient outcomes, which naturally has many benefits for healthcare organizations. By having standard rules in place, patients have the same rights no matter where they obtain care, and the safeguards to ensure the confidentiality of health information have helped to build trust between patients and their healthcare providers.

The HIPAA Security Rule set standards for all covered entities to follow to ensure the confidentiality, integrity, and availability of electronic health information and helped healthcare providers successfully transition from paper records and charts to electronic health records and encouraged the adoption of new technologies for improving efficiency and the quality of care in a safe and secure way. The HIPAA Security Rule was not meant to be a comprehensive checklist of every security measure that should be considered or implemented, rather it is a set of minimum standards for security that must be achieved. By adopting those standards, healthcare organizations have prevented many data breaches and avoided the considerable costs of those breaches. Many of the data breaches now being reported are due to employee errors and non-compliance with the HIPAA Security Rule.

The HIPAA Breach Notification Rule provides important benefits to patients, but there are also benefits for healthcare organizations. Compliance with this aspect of HIPAA ensures transparency about unauthorized access and disclosures of protected health information, and promptly notifying patients about data breaches – which are often out of the control of healthcare organizations – can improve trust in healthcare organizations and reduce the reputational damage caused by data breaches. Importantly, HIPAA lacks a private cause of action, which helps HIPAA-covered entities avoid the considerable legal costs of defending lawsuits from patients who believe their privacy has been violated.

How the Proposed Updates to the HIPAA Privacy Rule will Benefit Healthcare Organizations

While the HIPAA Rules lack specificity in certain areas and incorporate flexibilities to avoid the need for regular updates, updates to HIPAA are required to accommodate changes in working practices and advances in technology, and to correct the elements that are either not achieving the purpose they were intended to or are no longer important. There has also been considerable criticism over the years that HIPAA continues to place an unnecessary administrative burden on healthcare organizations. After issuing an RFI, OCR published a Notice of Proposed Rulemaking in 2021 to update the HIPAA Privacy Rule, mostly to strengthen individuals’ rights to access their own health information and to reduce the administrative burden on healthcare organizations.

These Privacy Rule changes should help to improve information sharing, which will make patient care coordination and case management easier, including the coordination and management of care through social and community services. The updates will also facilitate family and caregiver involvement in the care of individuals who are experiencing emergencies or health crises. The restrictions of HIPAA became clear throughout the opioid and COVID-19 public health emergencies. The update helps to address this by incorporating flexibilities to permit disclosures in emergencies and threatening circumstances. These updates will help healthcare providers deliver better care and improve patient outcomes.

The amount of paperwork involved in providing healthcare also needed to be addressed. Finally, some of the time-consuming tasks that healthcare organizations still need to perform manually are being eliminated, such as the requirement for a covered entity to obtain an individual’s written acknowledgment of receipt of a direct treatment provider’s Notice of Privacy Practices and retain copies of that documentation for 6 years.

Any update to HIPAA comes with a considerable workload initially but the benefits should be felt quickly. OCR believes the efficiencies introduced by the Privacy Rule changes will help to save $3.2 billion over five years, thus limiting the increase in the cost of healthcare. The Final Rule has yet to be published in the Federal Register, but that should finally happen in 2023.

Healthcare Organizations are Still Struggling with HIPAA Compliance After 26 Years

HIPAA has been in effect for 26 years, the Privacy and Security Rules for two decades, and the Omnibus Rule and Breach Notification Rules for 14 years, yet HIPAA compliance is still proving to be a challenge for many healthcare organizations.

One of the common complaints about HIPAA that makes compliance complicated is the frequent use of terms such as “reasonable”: exercise reasonable diligence, implement reasonable and appropriate policies and procedures, reduce risks and vulnerabilities to a reasonable and appropriate level. There are also ‘required’ and ‘addressable’ provisions, where addressable provisions are still required elements of compliance, in some form. These flexibilities are what make HIPAA workable for such a wide range of healthcare organizations and keep it relevant, but they can present significant challenges for healthcare organizations, especially smaller practices that lack the staff and resources to devote to compliance.

One of the ways that many smaller healthcare organizations have simplified compliance and ensured all the i’s are dotted and t’s are crossed is by using HIPAA compliance software. These software solutions guide healthcare organizations through compliance with all aspects of the HIPAA Rules, eliminating the guesswork and making sure that no provisions are overlooked. The software can be used to achieve compliance and maintain the compliance program, prompting risk analyses, updates, and training, and ensuring compliance efforts are fully documented to ensure painless audits and investigations.

Security Rule compliance can be particularly challenging, as the Security Rule does not provide specifics about technologies that should be used to protect healthcare data. Many healthcare organizations have simplified compliance and gone above and beyond the requirements of HIPAA by adopting a cybersecurity framework. Frameworks such as the NIST Framework for Improving Critical Infrastructure Cybersecurity and the HITRUST Cybersecurity Framework provide structure, transparency, and guidance for achieving compliance with HIPAA and other privacy and security regulations and provide clarity and consistency while reducing the burden of compliance.

In 2021, the HITECH Act received an update to encourage the adoption of recognized security practices such as those developed under section 405(d) of the Cybersecurity Act of 2015 and covered by these cybersecurity frameworks to improve cybersecurity across the healthcare industry. The update provides incentives in the form of reduced penalties and sanctions and shorter audits and investigations by OCR, which considers the adoption of recognized security practices as a mitigating factor when making determinations about HIPAA Security Rule violations and data breaches.

HIPAA is Only the First Step

The main benefits of HIPAA for healthcare organizations are improvements in efficiency through standardized working practices which eliminate waste, improve patient safety, and boost profits. HIPAA compliance fosters trust between providers and patients and health plans and their members and helps to improve patient outcomes, increase patient and client loyalty, and improve retention.

However, HIPAA is just a set of minimum standards for privacy and security, so HIPAA compliance can be viewed as only the first step. Adopting a cybersecurity framework and implementing recognized security practices will further strengthen an organization’s security posture, and thanks to the HITECH Act update, there is now an added incentive for doing this.

Steve Alder, Editor-in-Chief, HIPAA Journal

The post Editorial: Benefits of HIPAA for Healthcare Organizations appeared first on HIPAA Journal.

Captify Health Suffers 3-Year Breach of its Your Patient Advisor Website

Captify Health has recently started notifying users of its Your Patient Advisor online service that their sensitive information has been exposed and obtained by unauthorized individuals. In some cases, credit card information was stolen and misused. Captify Health prepares patients for their colonoscopy procedures by providing the colonoscopy preparation products recommended by doctors through its Your Patient Advisor service. As an online retailer, Captify Health collects customer information and processes debit/credit card payments through the website.

An external investigation into credit card fraud pointed to Captify Health as the source of a data breach. Captify Health was informed in March 2021 about the potential breach and conducted an internal investigation, with assistance provided by a third-party digital forensics firm. Malicious code was identified on the website which was transmitting the data of its customers to a third-party server. That information included full names, addresses, birth dates, payment card numbers, expiration dates, and security codes.

The forensic investigation revealed the initial breach of its website occurred on May 26, 2019, and lasted until April 20, 2021. During those 3 years, 244,296 individuals had used its service and potentially had their sensitive information stolen. According to the breach notification letters, sent via the Californian law firm Lewis Brisbois Bisgaard & Smith, there was an extensive investigation into a potential breach and it was determined on October 13, 2022, that malicious code had been added to its website. The affected individuals were then identified and contact information was verified, and breach notification letters were sent on December 16, 2022.

Captify Health said in its notification letters that “out of an abundance of caution, we have taken steps to ensure our platform is safe and secure for all purchases.” It is unclear how many individuals affected by the breach have experienced misuse of their credit card information. Captify Health has recommended customers carefully review their account statements for signs of fraudulent activity.

Retailers are often targeted to gain access to payment card information, as happened with the attack on the retailer Target, which resulted in the theft of the credit card details of 40 million customers via malware on its point-of-sale system. What stands out in the Captify Health breach is the length of time it took to identify the breach – almost three years; the time taken to investigate the potential breach and confirm a data breach had occurred – 19 months; and the time it took to issue notifications to affected individuals – more than two months (64 days) after malicious code was confirmed to be present on its website, and 21 months after Captify Health was first notified about fraudulent credit card use.

The incident was reported to the Maine Attorney General on December 16, 2022, but it is not yet showing on the HHS’ Office for Civil Rights breach portal. Captify Health states in its website privacy policy that it is in full compliance with the HIPAA regulations and signs business associate agreements with doctors that use its service, which indicates the company is a business associate under HIPAA. A breach such as this has significant potential to cause serious reputational damage and puts Captify Health at risk of regulatory fines.

The post Captify Health Suffers 3-Year Breach of its Your Patient Advisor Website appeared first on HIPAA Journal.

Webinar Today: 3/23: Lessons and Examples from 2022 Breaches and HIPAA Fines

Healthcare data breaches continued to be reported at an astonishing rate in 2022, with data breaches of 500 or more records being reported at a rate of almost two per day. Healthcare providers and other healthcare entities continue to be targeted by cybercriminals and nation-state actors, and attacks have increased in both volume and sophistication. Cyberattacks on large healthcare providers continue to occur in high numbers, but 2022 has also seen an increase in attacks on small and medium-sized healthcare organizations and business associates of HIPAA-covered entities. For healthcare organizations, it is no longer a case of if a data breach will occur but when it will happen.

When data breaches occur, the HHS’ Office for Civil Rights (OCR) investigates and HIPAA-regulated entities must be able to demonstrate they are in compliance with the HIPAA Rules. High numbers of data breaches mean OCR investigates more HIPAA-regulated entities, so it is no surprise that there were many HIPAA enforcement actions in 2022. In fact, more HIPAA fines were imposed in 2022 than in any other year since OCR was given the authority to enforce HIPAA compliance.

One interesting HIPAA enforcement trend that has continued in 2022 is an increasing number of enforcement actions against small healthcare practices. In 2022, 55% of civil monetary penalties and settlements were to resolve compliance failures at small healthcare practices, with OCR continuing to focus on HIPAA Right of Access violations and missing HIPAA documentation, especially risk assessment documentation. The data breaches and HIPAA enforcement actions

Compliancy Group is hosting a webinar where attendees can learn more about the 2022 healthcare data breaches, HIPAA enforcement trends, and the lessons that can be learned from these data breaches and HIPAA fines. During the webinar you will find out about:

  • 2022 data breach trends – How they occurred, who they affected, and the lessons that can be learned from those data breaches
  • 2022 HIPAA enforcement trends – What OCR is now focused on and what to expect in 2023
  • How to protect against data breaches and civil monetary penalties
  • Compliancy Group’s HIPAA compliance experts will be on hand and will give you the inside scoop and will provide predictions for the coming year and what you should look out for.

Compliancy Group first hosted this webinar on January 18, but due to the immense popularity of the webinar, it is being run again this month, so if you missed it the first time around you have another chance to attend.

Webinar Details:

Lessons and Examples of 2022 Breaches and Fines

Host: Compliancy Group

Speaker: Liam Degnam, Compliancy Group’s Director of Strategic Initiatives

Date: Thursday, March 23rd, 2023

Time: 11:00 a.m. PT ¦ 12:00 p.m. MT ¦ 1:00 pm CT ¦ 2:00 pm ET

Register for the webinar using the form below and remember to add the date in your diary. This is a webinar you will not want to miss!

The post Webinar Today: 3/23: Lessons and Examples from 2022 Breaches and HIPAA Fines appeared first on HIPAA Journal.

Webinar Today: 12/6/2022: How to Complete Your 2022 Risk Assessment

The Health Insurance Portability and Accountability Act (HIPAA) requires HIPAA-covered entities and their business associates to complete a risk assessment. The purpose of the risk assessment is to identify and evaluate all risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI). An annual risk assessment is also required by MACRA/MIPS.

Only by conducting a risk assessment is it possible to identify all risks to ePHI, evaluate them, prioritize them, and then subject them to the risk management process. Despite the importance of this element of HIPAA compliance, it is one of the most commonly cited HIPAA violations by the HHS’ Office for Civil Rights in its enforcement activities and HIPAA audits.

The risk assessment should not be viewed as a HIPAA compliance checkbox item to avoid financial penalties. Conducting a comprehensive HIPAA risk assessment will identify vulnerabilities before they are found and exploited by threat actors. Completing an annual HIPAA risk assessment will help HIPAA-regulated entities prevent costly data breaches as well as avoid regulatory fines.

To help you complete your 2022 HIPAA risk assessment and ensure you are fully compliant, Compliancy Group is hosting a webinar that provides an overview of everything you need to know about completing your 2022 risk assessment. Previous webinars have already helped many HIPAA-regulated entities ensure compliance with this important HIPAA requirement.

The 2022 deadline is approaching so covered entities must conduct their HIPAA risk assessment by the end of the year. Due to popular demand and the importance of the subject matter, this webinar is now being run again in December.

Mark the date in your calendar and register for the webinar using the form below.

2022 Deadline Approaching Fast

How to Complete your 2022 HIPAA Risk Assessment

December 7th @ 2:00 pm ET ¦ 1:00 pm CT ¦ 12:00 pm MT ¦ 11:00 am PT


The post Webinar Today: 12/6/2022: How to Complete Your 2022 Risk Assessment appeared first on HIPAA Journal.

Webinar Today: Aug 17, 2022: Do I Need to be HIPAA Compliant?

The Health Insurance Portability and Accountability Act (HIPAA) sets national standards to protect sensitive patient health information and to prevent that information from being disclosed without an individual’s knowledge or consent. HIPAA applies to healthcare providers, health plans, and healthcare clearinghouses, which are classed as HIPAA-covered entities.

There is a misconception that only HIPAA-covered entities need to ensure they are compliant with the HIPAA Privacy, Security, Breach Notification, and Omnibus Rules; however, HIPAA also applies to business associates of HIPAA-covered entities. A business associate is any third party that provides products or services to HIPAA-covered entities that involves contact with protected health information (PHI) in any form.

Achieving and maintaining HIPAA compliance is vital for all HIPAA-covered entities and business associates. The HHS’ Office for Civil Rights and state Attorneys General have the authority to impose financial penalties and other sanctions if non-compliance with the HIPAA Rules is discovered, and many organizations have discovered to their cost that compliance with the HIPAA Rules is not optional.

If you work in healthcare in any capacity, it is almost certain that you need to be HIPAA compliant. If you are in any doubt, Compliancy Group is hosting a webinar on August 17, 2022, to answer the question, do I need to be HIPAA compliant?

Do I Need to be HIPAA Compliant?

August 17th @ 2:00 pm ET ¦ 11:00 am PT

Host: Compliancy Group


The post Webinar Today: Aug 17, 2022: Do I Need to be HIPAA Compliant? appeared first on HIPAA Journal.

American Data Privacy and Protection Act Establishes GDPR-like Federal Data Privacy and Protection Standards

Earlier this month, a draft bipartisan bicameral bill was introduced that seeks federal data privacy and protection regulations, which would replace the current patchwork of data privacy laws in different U.S. states.

The American Data Privacy and Protection Act (ADPPA) was introduced by Energy and Commerce Committee Chair Frank Pallone (D-NJ), Ranking Member Cathy McMorris Rodgers (R-WA), and Ranking Member of the Senate Committee on Commerce, Science, and Transportation, Senator Roger Wicker (R-MS), and was advanced by a subcommittee on June 23 with a unanimous vote.

In a statement, Pallone, Rodgers, Consumer Protection and Commerce Subcommittee Chair Jan Schakowsky (D-IL), and Subcommittee Ranking Member Gus Bilirakis (R-FL) said the markup of the bill is “another major step in putting people back in control of their data and strengthening our nation’s privacy and data security protections.”

GDPR-Like Federal Data Privacy and Protection Regulations

“This bill will protect consumers’ data privacy, digital security, and our kids online. The bipartisan comprehensive privacy bill will provide regulatory certainty for the business community, end discriminatory use of Americans’ data, promote innovation and protect small businesses, and hold companies to high standards of data security,” said Representatives Schakowsky and Bilirakis. “Consumers across the nation have long deserved strong privacy protections in the digital world that we all increasingly inhabit. This legislation provides those protections.”

The ADPPA shares many provisions with state-level data privacy and protection laws, including the California Consumer Privacy Act (CCPA), would generally preempt such state privacy laws, and, in many respects, is equivalent to the EU’s General Data Protection Regulation (GDPR).

ADPPA-covered entities are any individuals or entities that collect, process, or transfer covered data and are subject to the jurisdiction of the Federal Trade Commission (FTC), are common carriers subject to the Communications Act of 1934, or are not organized to carry on business for their own profit or that of their members. That means that in contrast to state laws such as the CCPA, the bill applies to nonprofits and many small businesses. Government entities are exempt.

The ADPPA applies to “covered data,” which is “information that identifies or is linked or reasonably linkable, alone or in combination with other information, to an individual or a device that identifies or is linked or reasonably linkable to an individual and may include derived data and unique identifiers.” The ADPPA will not apply to de-identified data, employee data, and publicly available information.

Requirements of the ADPPA

ADPPA-covered entities would be required to establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect covered data against unauthorized access and acquisition. Americans will be given rights over their personal data, such as the right to access their personal data that has been collected or processed by an ADPPA-covered entity, correct any errors in the data, have the data deleted, restrict certain uses of their data, and have their personal data exported in human- and machine-readable format, and will have the right to an accounting of disclosures. A time frame of 30 or 60 days would be provided for meeting those requests, depending on the size of the covered entity.

The ADPPA also has provisions for “sensitive covered data,” which is defined as “any information that describes or reveals the past, present, or future physical health, mental health, disability, diagnosis, or healthcare treatment of an individual.” Affirmative express consent would be required before an ADPPA-covered entity could collect and process sensitive covered data or transfer that information to a third party.

ADPPA-covered entities will be required to minimize the data collected, limits will be placed on the transfer of precise geolocation information, browsing history, and physical activity information collected from a smartphone or wearable device, and the collection, processing, or transferring of biometric information, known nonconsensual intimate images, or genetic information would be prohibited, apart from in limited circumstances.

The bill calls for privacy by design and requires policies and procedures to be implemented related to the collection, processing, and transfer of covered data, and ADPPA-covered entities would be required to make a privacy policy public that includes a detailed and accurate representation of the entity’s data collection, processing, and transfer activities. ADPPA-covered entities would be prevented from denying a service or product, conditioning a service or product, or setting the price of a service or a product based on an individual’s agreement to waive any privacy rights.

Implications for Healthcare Organizations

The ADPPA has implications for healthcare organizations and includes several provisions from the Health Insurance Portability and Accountability Act (HIPAA). Healthcare organizations that are compliant with HIPAA (or entities compliant with FERPA, the Gramm-Leach-Bliley Act, and other laws) would be seen to be compliant with the ADPPA, but only with respect to the data covered by those laws. In healthcare, the ADPPA would apply to all covered data that is not regulated by HIPAA including healthcare data collected, processed, or transferred by non-HIPAA-covered entities.

Any covered entity that fails to ensure personal data is kept private and confidential or does not allow Americans to exercise their rights under the ADPPA, will be held to account, with compliance enforced by the FDA and state attorneys general. The bill also includes a private cause of action that will allow Americans to sue over violations, although this is not due to be implemented until four years after the effective date.

This is not the first attempt at introducing a federal data privacy and protection bill and it is unclear if the bill has sufficient support in its current form.

The post American Data Privacy and Protection Act Establishes GDPR-like Federal Data Privacy and Protection Standards appeared first on HIPAA Journal.