Civil and Criminal Enforcement of HIPAA Privacy and Security Regs on the Rise


By George F. Indest III, J.D., M.P.A., LL.M., Board Certified by The Florida Bar in Health Law

The Office of Civil Rights (OCR), a division within the U.S. Department of Health and Human Services (HHS), is the federal organization responsible for investigating complaints and enforcing the Privacy and Security Regulations implementing the Health Insurance Portability and Accountability Act, commonly referred to as “HIPAA.”

As the COVID-19 pandemic seems to be leveling off and more employees are going back to the office, and into the field, HIPAA complaint investigations will definitely pick up. Furthermore, criminal prosecutions for violations of HIPAA have recently been on the rise as well.

OCR’s Investigations and Enforcement Actions.

OCR enforces the HIPAA Privacy and Security Regulations in several ways:

The first method is receiving and investigating HIPAA violation complaints. These can easily be filed online at https://www.hhs.gov/hipaa/filing-a-complaint/.

If you receive a notice from the OCR that it is investigating a HIPAA complaint against you, it will request a large number of documents relating to the matter. It is crucial that you retain the services of an experienced health lawyer to assist you in responding. Often, it will not be necessary to provide all of the documents requested by OCR if your attorney determines that certain legal grounds exist for withholding them. Regardless, you should seek legal counsel, since both criminal and civil sanctions may result.

OCR Also Conducts Compliance Audits.

OCR conducts compliance reviews to determine if covered entities are in compliance. Covered entities include, for example, physicians, medical groups, nurse practitioners (in most cases), psychologists, mental health counselors (in most cases), pharmacists, health clinics (in most cases), assisted living facilities (ALFs), home health agencies (HHAs), hospitals, and many others.

OCR reviews the information that it gathers through its investigation or audit. In some cases, it may determine that the covered entity did not violate the Privacy Regulations or the Security Regulations. However, where it finds that the covered entity committed a violation, OCR may do any of the following:

Dismiss the matter or take no further action.

Obtain the covered entity’s agreement for voluntary compliance going forward.

Obtain corrective action through a corrective action plan (CAP).

Negotiate a resolution agreement (RA).

Assess civil penalties (monetary fines).

Refer the matter to the Department of Justice (DOJ) for further investigation and criminal prosecution.

Civil Violations.

In cases of noncompliance where the covered entity does not satisfactorily resolve the matter, OCR may decide to impose civil money penalties (CMPs) on the covered entity. It can then take further administrative or civil litigation action to enforce these if they are not paid.

Civil monetary penalties for HIPAA violations are determined based on a tiered civil penalty structure. The HHS secretary has discretion in determining the amount of the penalty based on the nature and extent of the violation and the nature and extent of the harm resulting from the violation. HHS is prohibited from imposing civil monetary penalties (except in cases of willful neglect) if the violation is corrected within 30 days (this time period may be extended at HHS’s discretion). So it is imperative to retain an attorney and get on top of the situation fast.

The range of penalties for civil violations.

HIPAA violation: Unknowing
Penalty range: $100 – $50,000 per violation, with an annual maximum of $25,000 for repeat violations

HIPAA violation: Reasonable Cause
Penalty range: $1,000 – $50,000 per violation, with an annual maximum of $100,000 for repeat violations

HIPAA violation: Willful neglect but corrected (violation is corrected within the required time period)
Penalty range: $10,000 – $50,000 per violation, with an annual maximum of $250,000 for repeat violations

HIPAA violation: Willful neglect, not promptly corrected (violation is not corrected within the required time period)
Penalty range: $50,000 per violation, with an annual maximum of $1.5 million

Criminal penalties for violations.

In June 2005, DOJ clarified who can be held criminally liable under HIPAA. Its clarification included officers, employees, and other principals of business entities (corporations and companies) that are covered entities, including co-conspirators, aiders, and abettors of the acts.

Criminal violations of HIPAA are investigated and prosecuted by DOJ. As with the civil penalties, there are different criminal penalties based on the level of severity of the criminal violation.

Covered entities and specified other individuals who knowingly obtain or disclose individually identifiable health information, in violation of the Administrative Simplification Regulations to the HIPAA Regulations, face a fine of up to $50,000, as well as imprisonment for up to one (1) year.

Offenses committed under false pretenses allow penalties to be increased to a $100,000 fine, with up to five (5) years in prison.

Finally, offenses committed with a profit motive, in other words, with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm permit fines of $250,000 and imprisonment up to ten (10) years.

What is a “Covered Entity?”

One thing to remember is that HIPAA and its enforcing regulations only apply to “covered entities” with certain minor exceptions. The following are examples of “covered entities”:

Health plans (e.g., health insurers, HMOs, PPOs)

Health care clearinghouses

Health care providers who transmit claims in electronic form (this will cover almost all health facilities and health professionals)

Medicare prescription drug card sponsors

Individuals such as directors, employees, or officers of a covered entity (where the covered entity is not an individual) may be criminally liable under HIPAA per the “corporate criminal liability” theory.

 

Criminal Penalties for HIPAA Violations.

Yes, there are criminal penalties, including prison for up to ten (10) years, possible for HIPAA violations.

To read an earlier blog I wrote on criminal penalties for HIPAA violations, please click here.

What is the Definition of “Knowingly?”

The DOJ interprets the required element of “knowingly” in the criminal liability section of HIPAA as requiring only knowledge of the actions that constitute an offense. Specific knowledge that an action is a violation of HIPAA is not required.

Can a HIPAA Violation Lead to Exclusion from the Medicare Program?

HHS has the authority to exclude from participation in Medicare any covered entity that was not compliant with certain HIPAA Regulations under certain circumstances. Call your healthcare lawyer for details on this.

For information on the effects of exclusion from any government-sponsored healthcare program on a doctor, nurse, dentist, or any other health provider, visit our website’s Health Law Articles and Documents page to view the OIG’s Special Advisory Bulletin.

 

The Administrative Simplification Act Simplifies it All.

The Administrative Simplification Act sought to clarify and simplify parts of HIPAA and increase specific penalties for violations. Title 42, United States Code, Chapter 7, Subchapter XI, Part C (Administrative Simplification Act).

The Administrative Simplification Regulations authorize a fine of up to $50,000, as well as imprisonment up to one year. Offenses committed under false pretenses allow penalties to be increased to a $100,000 fine, with up to five years in prison. Finally, offenses committed with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm permit fines of $250,000 and imprisonment for up to 10 years.

Misuse and Disclosure of “Unique Health Identifiers.”

The wrongful use of a unique health identifier can be charged as a violation of 42 U.S.C. § 1320d–6(a)(1) and (b)(1), the penalty provision of which is set forth in 42 U.S.C. § 1320d–6(b)(1). “Unique health identifier” includes a patient’s name, address, social security number, insurance member ID number, description of health history, and description of the patient’s symptoms.

Contact a Health Law Attorney Experienced in Defending HIPAA Complaints and Violations.

The attorneys of The Health Law Firm represent physicians, medical groups, nursing homes, home health agencies, pharmacies, hospitals, and other healthcare providers and institutions in investigating and defending alleged HIPAA complaints and violations and in preparing Corrective Action Plans (CAPs).

For more information about HIPAA violations, electronic health records or corrective action plans (CAPs) please visit our website at www.TheHealthLawFirm.com or call (407) 331-6620 or toll-free: (888) 331-6620.

About the Author: George F. Indest III, J.D., M.P.A., LL.M., is Board Certified by The Florida Bar in Health Law. He is the President and Managing Partner of The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida, area. www.TheHealthLawFirm.com The Health Law Firm, 1101 Douglas Ave., Altamonte Springs, FL 32714, Phone: (407) 331-6620 Toll-Free: (888) 331-6620.

“The Health Law Firm” is a registered fictitious business name of and a registered service mark of The Health Law Firm, P.A., a Florida professional service corporation, since 1999. Copyright © 2021 The Health Law Firm. All rights reserved.

Senate Republicans Announce New Privacy Legislation: The SAFE DATA Act

By George F. Indest III, J.D., M.P.A., LL.M., Board Certified by The Florida Bar in Health Law

On September 17, 2020, Republican members of the Senate Commerce Committee introduced sweeping federal privacy legislation. The proposed law is called the Setting an American Framework to Ensure Data Access, Transparency, and Accountability (SAFE DATA) Act. The Act is a combination of bills previously introduced in the Senate: the Consumer Data Protection Act, Filter Bubble Transparency Act, and the Deceptive Experiences to Online Users Reduction Act. It hasn’t passed, yet, so let’s wait and see.

HAH! You thought you had learned all of the acronyms and abbreviations because you know what HIPAA, HITECH, FERPA, USCDPA, and FOIA mean. Let’s see how long it takes you to remember what this one stands for.

What is the SAFE DATA Act?

This proposed legislation has three main components if passed into actual law. It:

1. Provides consumers with more choice and control over their data (allegedly),
2. Directs business to be more transparent and accountable (allegedly), and
3. Strengthens the FTC’s enforcement power (allegedly).

The Act would provide consumer rights, such as access, notice, deletion, opting-out, correction, and a right to data portability. It also prohibits covered entities from discriminating against consumers who utilize some of the proposed rights. It will prohibit organizations from denying goods or services to individuals because they have exercised any of their rights as set forth in the bill.

Implementation of the bill would be financed through a $100 million appropriation to the Federal Trade Commission (FTC) to enforce its provisions. Therefore, the FTC would gain the authority to obtain injunctions and impose other sanctions for violations.


Integrating Other Privacy Bill Provisions.

The SAFE DATA Act incorporates three main bill provisions into the proposal.

First, it includes the Filter Bubble Transparency Act (don’t ask). It requires a notice on public-facing websites that use algorithmic ranking systems.

Second, it contains provisions from the Deceptive Experiences To Online Users Reduction (“DETOUR”) bill (ouch!). This provision makes it unlawful for an online service with more than 100 million authenticated users to use a user interface to impair user autonomy.

Third, like the United States Consumer Data Privacy Act (CDPA), the proposal requires companies to obtain affirmative, express consent from the customer before processing or transferring individuals’ sensitive data.

According to Julie Brill, former Commissioner of the FTC, a comprehensive privacy law would also address consent and collection issues related to COVID-19 health data, while at the same time promoting racial equality and prohibiting data discrimination. Boy, that’s great; who knew this was likely to be accomplished in our lifetimes.

View the proposed Safe Data Act in full.

You may also read one of my prior blogs to learn more about HIPAA privacy rights violations and medical confidentiality.



Sources:

Cox, Ayeisha. “Lawmakers Introduce the SAFE DATA Act.” American Health Lawyers Association (AHLA). (October 2, 2020). Web.

Traylor, Christian. “Federal Data Privacy Legislation: Will it Help the US Remain Competitive in the Global Marketplace?” JD Supra. (September 29, 2020). Web.

Panakal, Dominic Dhil. “Senate Republicans Stitch Together Safe Data Ideas into New Bill.” The National Law Review. (September 24, 2020).

About the Author: George F. Indest III, J.D., M.P.A., LL.M., is Board Certified by The Florida Bar in Health Law. He is the President and Managing Partner of The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida, area. www.TheHealthLawFirm.com The Health Law Firm, 1101 Douglas Ave. Suite 1000, Altamonte Springs, FL 32714, Phone: (407) 331-6620 Toll-Free: (888) 331-6620.

“The Health Law Firm” is a registered fictitious business name of and a registered service mark of The Health Law Firm, P.A., a Florida professional service corporation, since 1999.
Copyright © 2020 The Health Law Firm. All rights reserved.




