By Kevin Boyle & Alex Stout

Hardly a day passes now without some new report of a security vulnerability with inevitable breaches that follow, but Monday’s news about the two-year old vulnerability in OpenSSL is (or should be) catching everyone’s attention. The problem is a coding error in a widely used cryptographic software library for implementing secure connections between a website (or web interface on a hardware device) and its user (typically indicated by a reassuring padlock in the status

By Jeremy M. Alexander, Natalie E. Brown & Susan A. Ebersole

The day all covered entities and business associates have been working toward is here—September 23, 2013, the deadline to comply with the changes in the HIPAA omnibus final rule, published on January 25, 2013.  Here is a review of the top three compliance categories for your checklist:

1. Business Associate Agreements (BAAs): Covered entities and business associates should double check that existing BAAs and all new BAAs

By Justin B. Cornish, Brian A. Meenagh, Alice Marsden and Omar M. Elsayed

Protecting Personal Data

Whilst it is not widely recognized that countries in the Middle East have specific established laws applicable to data protection, privacy and data protection are regulated by other laws in the region.

In Qatar, Saudi Arabia and the United Arab Emirates, the constitutions, together with certain statutes, recognize individual rights to privacy in specific circumstances. In addition, in Saudi Arabia, protection of

By Elizabeth Richards and Kevin Boyle

On June 14, 2013, the Food and Drug Administration (“FDA”) issued a draft guidance entitled, “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices.” (“Guidance”). The Guidance was issued in response to growing concerns about IT vulnerabilities due to the increased use of wireless, Internet and network-connected devices coupled with the frequent electronic exchange of health information. To that end, the Guidance identifies a series of cybersecurity considerations manufacturers should

By Omar Elsayed

Although some surveys of privacy law suggest otherwise, privacy requirements do in fact exist in the Kingdom of Saudi Arabia (KSA) and are very relevant to companies operating there or seeking to provide services to customers in KSA.

Background

The paramount body of law in KSA is the Sharīʿah. The Sharīʿah is comprised of a collection of fundamental principles derived from a number of different sources, which include the Holy Qur’an and the Sunnah, which are

By Susan Ambler Ebersole

HHS today published the long-awaited HIPAA/HITECH omnibus final rule.  A pre-publication version of the Rule was released on January 17.  The Rule is effective March 26, 2013, but covered entities and business associates have until September 23, 2013 to comply.  While Latham & Watkins is still engaged in a comprehensive review of the entire final rule, some of the more notable changes and clarifications in the final rule, as compared to the interim final rule

By Jennifer Archie and Susan Ambler Ebersole

Second Highest HIPAA Settlement Amount to Date and First Paid by a State

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced Tuesday that it had reached a settlement with Alaska’s state Medicaid agency, the Department of Health and Social Services (DHSS) for $1,700,000 arising out of potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule.

In October 2009 a

The American Institute of Certified Public Accountants (“AICPA”) Statement of Auditing Standard No. 70, or SAS 70 as it is more commonly known, has been with us since April 1992. On 15 June 2011, it will effectively be replaced by two new standards: (i) a reporting standard for service organisations, the “Statement on Standards for Attestation Engagements No. 16” (or SSAE 16 as it will no doubt be referred to); and (ii) an audit standard for customers of

Google has consented to the entry of a proposed Agreement Containing Consent Order with the US Federal Trade Commission, subjecting the company to sweeping government oversight of its privacy disclosure and product development and release practices, nominally arising out of the roll-out of its Buzz product in February 2010. The auditing and reporting requirements are staggering in scope, breadth and duration, reaching Google’s entire business, not merely online communication products such as Gmail. One interpretation of the (rather amazing) document

The Interim Final Rule for Breach Notification for Unsecured Protected Health Information, issued pursuant to the Health Information Technology for Economic and Clinical Health (HITECH) Act, was published in the Federal Register on August 24, 2009, and became effective on September 23, 2009.  During the 60-day public comment period on the Interim Final Rule, HHS received approximately 120 comments.  HHS reviewed the public comment on the interim rule and developed a final rule, which was submitted to the Office of Management and Budget (OMB) for Executive Order 12866