BLOGS: Privacy and Data Protection

Wednesday, March 9, 2011, 3:51 PM

Privacy Bulletin: Issue No. 54

Feds crackdown on HIPAA Privacy Rule Violations, Issue Huge Fines

At the end of February, the Department of Health and Human Services Office for Civil Rights (“OCR”) issued two press releases concerning million dollar HIPAA Privacy Rule violations. Under the HIPAA Privacy Rule, health plans, health care clearinghouses and covered health care providers are required, subject to both civil and criminal penalties, to protect the privacy of patient information through the use of constant administrative, physical and technical safeguards. In a February 22 press release, OCR announced its imposition of a $4.3 million civil penalty for Cignet Health’s (Prince George’s County, MD) violation of the HIPAA Privacy Rule, which marked the first civil money penalty issued by HHS for HIPAA Privacy Rule Violations. Cignet Health was found to have willfully neglected its duty to comply with the Privacy Rule. Two days later, on February 24, OCR announced in a press release a $1 million settlement with Massachusetts General for alleged violations of the HIPAA Privacy Rule. The settlement payment arose from an OCR investigation following Massachusetts General’s loss of the protected health information (“PHI”) of 192 patients. The investigation indicated that Massachusetts General failed to implement reasonable, appropriate safeguards to protect the privacy of PHI. In connection with the settlement, Massachusetts General also agreed to enter into a Corrective Action Plan to develop, implement, train and enforce privacy policies that ensure PHI is protected. The ramifications of both incidents should serve as a reminder for businesses in the healthcare sector responsibility to protect their pateints' privacy. As noted by OCR Director Georgina Verdugo, “To avoid enforcement penalties, covered entities must ensure they are always in compliance with the HIPPA Privacy and Security Rules.”

Supreme Court Holds Corporations do not have Personal Privacy for purposes of FOIA Exemption

In interpreting a provision of the Freedom of Information Act, the Supreme Court held that corporations are not entitled to personal privacy rights that protect the release of sensitive information. See FCC v. AT&T, No. 09-1279 (March 1, 2011). As a result, AT&T could not prevent release of documents compiled during an FCC investigation into whether the company overcharged for the use of the Internet. The Supreme Court ruling overturned a 3rd Circuit opinion which supported AT&T’s position that corporations were covered by Exemption 7 of the Freedom of Information Act, which prevented disclosure of information that would cause an unwarranted invasion of personal privacy. AT&T’s argument focused on the definition of the term person, which the 3rd Circuit said was often defined in the law to include partnerships, associations, and corporation. Writing for the Court, Justice Roberts disagreed and noted that the word personal was not often used to refer to corporations and frequently used to mean exactly the opposite of a corporation. With this ruling, corporations can’t claim protection under FOIA exemptions related to personal privacy.

Obama Signs USA PATRIOT Act Extension

President Obama signed the FISA Sunsets Extension Act (Public Law No. 112-3) into law on Friday, February 25, three days before provisions of the PATRIOT Act extended by the bill were set to expire. The bill extends until May 27, 2011, two privacy provisions of the PATRIOT ACT related to the United States’ ability to access business records and conduct “roving wiretaps” and a provision from the Intelligence Reform and Terrorism Prevention Act, known as the “lone-wolf” provision related to the FBI’s ability to monitor terrorists. Specifically, the law extends the sunset provisions for Section 215 of the PATROIT Act which allows the FBI to obtain an order for “any tangible thing related to a terrorism investigation, including a firm’s customer records” and Section 206 of the PATRIOT ACT which allows law enforcement to attach a wiretap warrant to a suspect, rather than a specific phone. The law also extends Section 6001 of the Intelligence Reform and Terrorism Prevention Act (the “lone wolf” provision) which broadens the definition of “agent of a foreign power” to include individuals who act alone in international terrorism within the United States. With only a three-month extension, Congress will likely soon begin debate on a possible multi-year extension of the provisions and amendments to the Act.

Illinois Court Found No Employer Duty to Protect Health Records

A Chicago appellate court held that a school district was not liable for inadvertant disclosure of employee health information under HIPAA or common law duty. The district disclosed an insurance enrollment list that contained the names of 1,750 former employees, along with their addresses, Social Security numbers, marital status, medical and dental insurers and health insurance plan information, then acted responsibly to attempt to clear up the disclosure. The employees whose names were revealed filed a class action suit against the school district, arguing that the school district owed a HIPAA duty to safeguard their personal information. They also sued under state statute and common law duties. The court ruled in favor of the district and found no statutory duty to safeguard the employees’ personal information. Under HIPAA, health records held by a covered entity in its role as an employer are excluded from the safeguard rule. Cooney v. Chicago Public Schools (IllAppCt) at ¶100-519

Monday, March 7, 2011, 3:23 PM

Womble Carlyle to Participate in IAPP 2011 Global Privacy Summit

Washington, D.C. — More than 1,500 privacy professionals from around the world will gather in Washington, D.C. for the International Association of Privacy Professionals (IAPP) Global Privacy Summit on March 9-11, 2011. The Summit, taking place at the Washington Marriott Wardman Park, will draw leading privacy, security and data protection professionals to network and discuss cutting edge privacy issues. Womble Carlyle’s Privacy and Data Protection Team will participate as an Exhibitor in the Summit.

Among those representing the firm’s Privacy and Data Protection Team at this year’s Global Privacy Summit are Ted Claypoole, Eric Breisach, Stephanie Shaw, and Jennifer Williston. Womble Carlyle’s attendees will join the community of global privacy professionals to share insight on various privacy issues, discuss challenges and identify innovative solutions to help address our clients’ privacy needs.

Womble Carlyle’s multi-disciplined Privacy and Data Protection Team helps clients with comprehensive planning to safeguard their businesses with the goal of helping clients avoid privacy protection pitfalls so they can focus on their core business. Our team has backgrounds in wide-ranging areas including intellectual property, technology, data security, regulatory compliance, health information, communications, education, employment, financial services, retail, e-commerce and trade secrets. By taking a full-service approach to privacy issues, we are able to meet our clients’ diverse needs.

Founded in 2000, the IAPP is the world's largest association of privacy professionals, representing more than 6,700 members from businesses, governments and academic institutions across 52 countries. For more information, please visit


back to top