Resources

Client Alerts, News Articles, Blog Posts, & Multimedia

Everything you need to know about BMD and the industry.

CLIENT ALERT: The European Union's New Data Privacy Law Goes Into Effect

Client Alert
June 5, 2018

On May 25, 2018, the European Union’s (“the EU”) new data privacy law went into effect.[1]   The General Data Protection Regulation (“GDPR”) concerns the processing of personal data that can be searched according to specified criteria such as geographical scope. 

Who it affects

The GDPR applies to all organizations that maintain offices or store data in the EU.  It also applies to many of the core organizations on the web.  For instance, it applies to social media, apartment rental, e-commerce, and internet search sites.  If your website conducts business in the EU, then the GDPR will apply.  Additional factors that would require a company to be GDPR compliant include sales or marketing to EU citizens, accepting any EU country’s currency, an EU country domain suffix, shipping services to the EU, or language translation or website in an EU language.

General global marketing does not require GDPR compliance.  If you use Google Adwords, and an EU citizen and resident visits your webpage as a result of this ad, the GDPR would not apply because there was no targeted interface with EU citizens.  The fact that an unsolicited EU citizen can and does visit your website does not require your organization to be GDPR compliant.  If you take no steps to interface with EU citizens, GDPR compliance is not required. 

Steps you should take now if your organization must be GDPR compliant

  • Provide customers and website visitors with detailed information on how data will be collected and used.
  • Redesign consent forms so that users must affirmatively agree to all uses of their data, and they can select those uses to which they agree and those to which they decline.
  • Create forms that distinguish between consent versus agreement to general terms and conditions.
  • Store customer preferences.
  • Audit data regularly, including where data is stored, why data is collected, how data is obtained, and how much duplication of data exists across multiple sites.
  • Audit your service providers’ data, and review their data procedures.
  • Understand whether your organization is a data processor or data controller. A processor processes personal data on behalf of a controller, whereas a controller determines the purpose and means of how data is processed.
  • Ask for explicit consent from consumers anytime you want to use data for ad targeting purposes.
  • Use “group data” that isn’t precise enough to target individual consumers.
  • Implement procedures and technology that ensures data can be permanently erased.
  • Appoint a Data Protection Officer who is knowledgeable about the GDPR to oversee compliance with respect to data collection, storage, and data processing.
  • Train all employees that have access to personal data on the GDPR requirements, including the requirement that internal data on employees must comply with the GDPR.
  • Prepare for data breaches by creating internal processes to detect, report, and investigate breaches in compliance with the GDPR.

What organizations should NOT do if you are required to be GDPR complaint

  • Rely on the E.U.-U.S. Privacy Shield to avoid compliance with the GDPR. Companies are still required to comply with the GDPR in order to receive Privacy Shield coverage, and the scope of the GDPR is much wider than the scope of the Privacy Shield.
  • Create exposure to the hefty penalties imposed by the GDPR for non-compliance. Companies are liable for 4% of their annual turnover or 20 million Euros, whichever is greater.
  • Risk reputational damage by receiving attention for non-compliance. The first companies to be penalized are more likely to receive significant media coverage for their noncompliance. 

There may be legal challenges to GDPR regarding applicability to non-EU companies 

This is a new, unprecedented law. The previous European data privacy law, the Data Protection Directive, was implemented in 1998, and was much narrower in scope.  The GDPR’s applicability and requirements are vast, and non-EU companies are likely to bring legal challenges in terms of its applicability to them. 

Who to contact with questions

Should you have any questions concerning the General Data Protection Regulation, please contact Matthew A. Heinle, Esq. (maheinle@bmdllc.com), who is a partner at Brennan, Manna & Diamond.

 

[1] General Data Protection Regulation, https://gdpr-info.eu/.

International Law
Client Alert

The Future of the Families First Coronavirus Response Act

February 3, 2021Over the last year we all have had to adjust to the new normal ushered in by the coronavirus pandemic. Schools and daycares closed, businesses transitioned from in-office work to work from home, bars and restaurants have closed their doors...all to slow the spread and try to prevent this pandemic from spiraling out of control. The start of the pandemic was utter pandemonium. Working parents trying to balance both caring for their now at-home children and their livelihood. Businesses trying to decide how to implement leave policies with limited information. Employees determining if they could financially afford to take time off. We were all flying by the seat of our pants trying to adjust to our new normal.Client Alert

Ohio Supreme Court Clarifies Medical Statute of Limitations

February 1, 2021The Ohio Supreme Court issued a decision in late December that clarifies and finalizes the Ohio law regarding the period of time in which patients can assert claims for medical malpractice. The Court was examining the interplay between three different statutes being the statute of limitations, the statute of repose, and the savings statute.Client Alert

Ohio Hospitals and Healthcare Clinics: It’s Time to Revisit Your Billing and Collection Practices

February 1, 2021According to a recent Cuyahoga County case, certain healthcare entities may not be protected from liability when engaging in unfair or deceptive billing acts. This decision is consistent with the growing trend across the country to encourage price transparency and eliminate unfair surprise billing practices by health care organizations. Now is the time for hospitals and other health care organizations to revisit their billing and collection policies and procedures to confirm that they are legally defensible and consistent with best practices.Client Alert

HIPAA Business Associate Agreements: Why These Contracts Matter

January 27, 2021No one loves drafting, reading or negotiating HIPAA Business Associate Agreements (BAAs). Yet many of us need to do so, and some of us do so daily. They are often boring, dense and technical, but BAAs are important from both a legal and a business perspective, and they deserve our attention. Failure to enter a BAA when one is required can constitute a HIPAA violation that results in substantial liability, as demonstrated by certain recent Department of Health & Human Services (HHS) settlements.1 A business associate who makes a disclosure that is not authorized by the applicable BAA or required by law can be subject to civil and, in some cases, criminal penalties. Further, parties are often presented with BAAs that contain onerous one-sided indemnification and other provisions that can be devasting to an organization in the event of a HIPAA breach. The significance of a BAA is often not fully understood by the parties until something goes wrong (e.g., a HIPAA security incident or breach, an Office of Civil Rights (OCR) audit or a fracture in the relationship between the parties) and, at that point, there is limited opportunity to mitigate legal and business risk. Ideally, attention should be given at the commencement of the business associate relationship, when the parties are able, to thoughtfully addressing regulatory requirements, planning and preparing for potential adverse events and appropriately allocating risk among the parties. As with most healthcare regulatory compliance initiatives, a proactive approach with respect to BAAs is preferable. This article provides a broad overview of certain BAA requirements and some practical negotiating tips for the parties involved.Client Alert

“I’m Out Of Here!” Now What?

January 27, 2021We all know that the healthcare industry is experiencing a wave of integration. This trend has been evident for many years. Fewer physicians are willing to assume the legal, financial and other business risks associated with owning their own practices. More and more physicians, including anesthesiologists, are becoming employed by large physician groups, health systems and national providers. This shift necessarily involves not only entry into new employment arrangements but also the termination of existing relationships. And those terminations are often governed by written employment agreements, state and federal healthcare laws and employer benefit plans and other policies and procedures. Before pursuing their next opportunity, physicians should pause for a moment and first attend to the arrangement that they are leaving. Departing physicians need to understand their legal rights and obligations when leaving their current employment relationships in order to avoid unintended consequences and detrimental missteps along the way. Here are a few words of practical advice for physicians contemplating an exit from their current employment arrangements.
Older posts
Newer posts