How to Communicate a Data Breach Externally
External communication and notification after a breach is often essential to the public’s perception of the data breach. Whether laws of the jurisdiction mandate notice, or whether the company is taking the initiative to disclose the breach and its impact, communication that is organized and carefully disseminated can minimize confusion, garner goodwill, mitigate damages, and demonstrate transparency and cooperation.
HIPAA and Workplace Wellness Programs
April 30, 2015
by Kimberly C. Metzger, Partner
Many employers offer health and wellness programs to benefit employees and reduce absenteeism and health care costs. These workplace wellness programs may result in the collection and creation of individually-identifiable health information from and about program participants. Do the HIPAA Privacy, Security, and Breach Notification Rules ("HIPAA Rules") apply to this information?
Evaluating the Severity of a Data Breach
In the event of a data breach, a response team may be charged with identifying the severity of the breach. Detection and analysis of a breach are often difficult tasks. Legitimate symptoms of a breach are usually mixed with false positives and unreliable indicators, or hidden among other acceptable activity. For example, a company may be experiencing a cyber-attack which is only meant to mask an earlier theft of data. Therefore, the breach response team must be fully capable of evaluating the severity of the breach.
Your Data Breach Response Team
A critical component of a company’s breach response is the breach response team. A breach response team is a core team of responders comprising legal counsel, business personnel, compliance officers, IT personnel, public relations, and executive level decision makers. Additional personnel like vendors and external forensic experts may also be engaged.
Ice Miller Attorneys Team Up with the FDA
Ice Miller attorneys James Banister, Bob Cochran, and Lu Carole West teamed with FDA district director Art Czabaniuk to present at the Indiana Medical Device Manufacturers Council April 15th Workshop "A Deep Dive into Inspection Preparedness" in Indianapolis.
Developing the Breach Response Plan
Public announcements of major data breaches have become an almost daily occurrence. Last year was notorious for data breaches and 2015 has begun with major data breaches continuing to make headlines. Without a doubt, a data breach can be devastating to a business. Along with financial harm, a business can suffer reputational, legal and other consequences resulting from a data breach. As devastating as a data breach can be, it is often the response to a breach that can cause the most damage to a company.
Preparing for the Phase 2 HIPAA Audits
Recent comments by the OCR indicate that the Phase 2 HIPAA Audits will likely begin soon. What should covered entities and business associates do to prepare for the Phase 2 Audits?
Setting Expectations for the Phase 2 HIPAA Audits
Previously, the Office of Civil Rights (OCR) had announced that during the Phase 2 HIPAA Audits, it would utilize “desk audits” rather than onsite visits. However, recent announcements by the OCR indicate that while most audits in Phase 2 will still be desk audits, the OCR is planning to conduct more on-site, comprehensive audits than previously planned. While the Phase 1 Audits were conducted by outside contractors, the OCR will personally conduct the Phase 2 Audits.
How the Phase 1 HIPAA Audits will Impact Phase 2
With the Phase 2 HIPAA Audits coming soon, do you know how you will be impacted? In March 2014, the Office of Civil Rights (OCR) announced that it would implement a second phase of audits to begin in the fall of 2014 for covered entities and 2015 for business associates (the “Phase 2 Audits”). In the fall of 2014, the OCR announced that the Phase 2 Audits have been delayed until the OCR is able to implement a new web portal which audited entities will use to submit information. Recent comments by the OCR indicate that the Phase 2 Audits will likely begin soon.
Federal Circuit Ruling Highlights the Benefits of an Early CBM Petition
April 2, 2015
by Kevin O'Shea, Partner
In a divided decision, a Federal Circuit panel ruled on April 1, 2015 that it does not have jurisdiction to hear an interlocutory appeal from a district court’s ruling on a motion to stay pending a Covered Business Method Review (“CBMR”) proceeding unless the Patent Trial and Appeal Board has instituted the CBMR.