Changes to HIPAA Privacy Rule Proposed by HHS - Find Out Who Has Accessed Your Health Records
On May 31, 2011 the Department of Health and Human Services Office for Civil Rights issued a notice of proposed rulemaking that would add substantial data privacy requirements to the HIPAA Privacy Rule. One of the requirements the HHS proposed pursuant to both the HITECH Act and its more general authority under HIPAA is for individuals to have the right to request from a covered entity (such as a health care provider or a health plan) a list of any individuals or entities that have accessed the individuals’ electronic health records. Currently, HIPAA and HHS regulations require covered entities to track access to health records, but they covered entities are not required to provide that information to patients. The proposed rule would give patients the right to request an “access report” which would document the identities of those who electronically viewed their protected health information. “This proposed rule represents an important step in our continued efforts to promote accountability across the health care system, ensuring that providers properly safeguard private health information,” said Georgina Verdugo, Director of the Office for Civil Rights. “We need to protect peoples’ rights so that they know how their health information has been used or disclosed.”
Continue Reading..."Privacy by Design": A Key Concern for VCs and Start-Ups
(co-authored by Nicole Friess, Esq.)
The privacy landscape appears to be shifting toward a model that promotes greater consumer awareness of and control over data. Reflecting its consumer protection mission, the FTC’s Protecting Consumer Privacy in an Era of Rapid Change issued December 1, 2010 urges companies to adopt a "privacy by design" approach. Senators John Kerry (D-MA) and John McCain (R-AZ) introduced their "Commercial Privacy Bill of Rights" which adopts some of the FTC’s privacy by design principles, requiring companies to implement privacy protections when developing their products and services. The foundational principles of privacy by design, originally developed by Information and Privacy Commissioner of Canada Ann Cavoukian, address the effects of increasing complexity of data usage. With data now ubiquitously available, as well as processed and stored on a multinational level, privacy by design is becoming internationally recognized as fundamental for the protection of privacy and data integrity.
Continue Reading...A Novel Data Security Law Proposed in Colorado
There has been a lot of buzz around various privacy and security bills presented on the Federal level, including the reintroduction of the BEST PRACTICES ACT and a new privacy bill put out by Congresswoman Speier that brings "do-not-track" into the fray (not to mention the previously introduced Boucher Bill, which is now missing its named sponsor). Yet, for the most part, these types of bills have languished on the Federal level, while interesting new approaches race ahead from State legislatures (see for example, SB1386, Minnesota’s Plastic Card Protection Act, Massachusetts’ 201 CMR 17:00, et. seq., Nevada’s Security of Personal Information Law, and Washington state’s PCI Law) Over the past couple years, many predicted that new state laws would follow the lead of states like Nevada and Massachusetts, and some anticipated we could see a situation where 50 different privacy/security laws across the country. Now it looks like we are beginning to see some renewed activity on the state level. In Hawaii we have a proposed bill that would require breached entities to provide credit monitoring and call center services to impacted individuals. In my home state, Colorado, a legislator (Dan Pabon) has proposed a novel bill that takes a new approach to incentivizing companies to implement good security. In this post, we take a look at the highlights of the Colorado bill.
UPDATE -- 022810: Apparently there has been a committee vote on the Colorado bill that was split 5-5 along party lines. As such, this bill will not move forward in this session.
Continue Reading...As California Goes, so Goes the Nation? Part One
Many of you probably read earlier this month that California's Office of Administrative Law ("OAL") approved the California Department of Insurance's ("DOI") proposal to repeal certain privacy regulations. And you yawned. Or you quickly skimmed over, confident in the knowledge that this is just, well, those crazy Californians (we'll eventually fall into the ocean so no need to worry). The California changes actually have greater significance than may be apparent on a quick glance. Although rarely noted in the media coverage, State insurance privacy regulations across the country (not just in California) find their roots in the federal Gramm Leach Bliley Act (GLBA), so California's decision to make such changes provides a helpful illustration of the extraordinarily complex and confusing web of privacy regulation that governs even small organizations in this country. Also, California's move with respect to these changes contravenes the conventional wisdom that California is a renegade pro-consumer state when it comes to privacy regulation. While California was the first "mavericky" state to pass data breach legislation (SB 1386) back in the early part of the last decade, many states long ago blew past California in passing and enforcing strict privacy and security regulations (e.g., Massachusetts and Connecticut). While other states have been taking steps over the last few years to galvanize privacy and security regulations, California has moved in the opposite direction - Governor Schwarzenegger has, on numerous occasions, vetoed legislation that would have enhanced California's breach notification law (to require, for example, notice to California regulators) and now the California DOI has repealed what some might consider to be standard notice and opt-out requirements for insurance agents and brokers. (Query whether this general trend will change when the Brown administration takes office in January, and/or depending on the ultimate results of the California Attorney General race. But that's fodder for a future post, maybe Part Two of this series.) Many of our followers have asked me to break down this newest California development, so here goes. (The DOI's proposed regulation text is here; the DOI's "Statement Supporting Change Without Regulatory Effect” is here.)
Continue Reading...FAQ on the "BEST PRACTICES Act" - Part Two
We recently published the first part of our FAQ series on Congressman Bobby Rush's new data privacy bill known as “Building Effective Strategies to Promote Responsibility Accountability Choice Transparency Innovation Consumer Expectations and Safeguards Act (a.k.a. “BEST PRACTICES Act” or “Act”). In Part One we looked at some of the key definitions and requirements concerning transparency, notice and individual choice, mandates around accuracy, access and dispute resolution, and finally data security and data minimization requirements under the Act. Part Two will focus on the “Safe Harbor” outlined in the Act, various exemptions for de-identified information, and application and enforcement of the Act.
Continue Reading...FAQ on the "BEST PRACTICES Act" - Part One
Congressman Bobby Rush has introduced a new data privacy bill to Congress known as the “Building Effective Strategies to Promote Responsibility Accountability Choice Transparency Innovation Consumer Expectations and Safeguards" Act (a.k.a. “BEST PRACTICES Act” or “Act”). Congressman Rush has been active in the data security/privacy legislation space. In December of 2009, his “Data Accountability and Trust Act” or (“DATA Act”) passed the House of Representatives. While DATA focused more on data security and breach notice, the stated focus of the BEST PRACTICES Act is as follows:
To foster transparency about the transparency about the commercial use of personal
information, provide consumers with meaningful choice about the collection, use, and disclosure of such information, and for other purposes.
This Act comes on the heels of the Boucher Bill, which also represents a comprehensive data privacy approach (for more information on the reactions to the Boucher Bill you can look here and here).
We have put together a summary of the Act in “FAQ” format. In Part One we look at some of the key definitions, requirements concerning transparency, notice and individual choice, mandates around accuracy, access and dispute resolution, and finally data security and data minimization requirements under the Act. Part Two focuses on the “Safe Harbor” outlined in the Act, various exemptions for deidentified information, and provisions concerning the application and enforcement of the Act. Final note, this is not a law, but rather only a bill -- if passed at all, it is likely that the final version will vary from this initial proposal.
Continue Reading...Health Net Agrees to $250,000 Fine and "Corrective Action Plan" to Settle Loss of PHI
It didn't take long for an Attorney General to latch onto Title XII of the American Recovery and Reinvestment Act of 2009 (a/k/a the Health Information Technology for Economic and Clinical Health Act [the HITECH Act]) in order to convince a covered entity to enter a data loss-related settlement. Indeed, Heath Net of the North East, Inc. and its various related affiliates (collectively, “Health Net”) consented to a Stipulated Judgment (Civ. No. 3:2010CV-00057(PCD)), available here, with the Connecticut Attorney General's Office and the State of Connecticut (the “Judgment”), which stands as the first example of a state Attorney General independently enforcing HIPAA violations since the HITECH Act authorized state attorneys general to do so.
Continue Reading...Do the New EU Processing Clauses Apply to You?
A new set of EU standard contract clauses (“SCCs” or “model contracts”) for processing European personal data abroad came into effect on May 15, 2010. Taken together with a recent opinion by the official EU “Article 29” working group on the concepts of “controller” and “processor” under the EU Data Protection Directive, this development suggests that it is time to review arrangements for business process outsourcing, software as a service (SaaS), cloud computing, and even interaffiliate support services, when they involve storing or processing personal data from Europe in the United States, India, and other common outsourcing locations.
Continue Reading...Information Security Standards and Certifications in Contracting
When organizations contract for outsourced IT services, they look for assurances that the vendor will provide adequate security, often in the form of a security schedule or annex to the contract, or by reference to a widely accepted information security standard. In some cases, the customer insists as well on a certification or audit by an expert third party.
Business managers and lawyers often have only the vaguest notions of what these schedules, standards, and certifications mean. They rely on the organization’s IT staff or consultants for “the technical stuff.” But in the end it is the business managers and lawyers who determine what the organization needs, operationally and contractually. To do that well, they should have at least a basic understanding of the more common information security standards and certifications.
Information Governance
When it comes to creating policies for handling personal data in an organization, who decides? How are those policy decisions made and kept up to date?
These are questions of governance – I would call it “information governance.” Most large enterprises have established responsibilities and procedures for information technology governance and specifically for IT security policies, procedures, procurement, management, and training. In many cases, however, these have not been fully mapped to personal data compliance and risk management requirements, which should be defined and monitored by a somewhat different group of people, from departments beyond IT and security. Unless privacy issues are visible in the internal governance process, the organization – and the individuals that deal with it -- may be exposed to some nasty surprises.
Live from the IAPP Global Privacy Summit in Washington, DC, It's Monday Afternoon
This week, I will be providing short updates from the IAPP Global Privacy Summit in Washington, DC. The conference will be in full swing tomorrow, and I will report on various panels and topics of interest. In the meantime, as I prepare to see old and new friends at the Welcome Reception this evening, a few thoughts on what I expect to see and hear a lot over the next few days:
- How can we harmonize the EU Data Protection Directive and EU member country privacy laws with the flow of data in today's global economy? It is unfortunate that a number of IAPP participants from the EU will not make it to DC for the Summit this year due to the Icelandic volcano. Nonetheless, I expect active dialogue regarding cross-border data transfers, safe harbor v. standard contractual clauses v. binding corporate rules, and, in particular, the impact of the growth of cloud computing and other outsourcing arrangements (or, at least, the growth of the hype around cloud computing). It would also be nice to hear more about the EU Cookie Consent law - there is a panel scheduled to take place, but unknown if that will happen in light of the volcano debacle.
- HIPAA/HITECH and Medical Identity Theft: Health care privacy topics are hotter than ever, especially with the growing number of reported security breaches affecting more than 500 individuals under the new HHS breach notification rules promulgated pursuant to the HITECH Act.
- "Reasonable Security": What does Massachusetts think? What does the FTC think? What in the world is it and how in the world can organizations comply?
- On a related note, FTC Enforcement, with a focus on behavioral marketing issues and evolving notions of notice and consent. What trends will we see over the next several years, particularly with the growth of social media and online behavioral advertising?
- Social media: how it affects the workplace, corporate policies and procedures, and "reasonable expectations" of privacy.
- The forecast for federal legislation - not just on breach notification, but security requirements, online behavioral marketing and, getting lots of media attention these days, potential revisions to ECPA (being driven, once again, by the cloud computing explosion).
- Breaches, breaches, and more breaches. Of course.
A few things that appear to be missing from this year's agenda - the FTC's current review of the rules under the Children's Online Privacy Protection Act (COPPA), enforcement of the Red Flags Rule (the FTC will start enforcing the Rule June 1), and the growing number of state laws (Washington, Nevada, Minnesota) requiring compliance with the PCI Standard.
Stay tuned, I will endeavor to post developments on a daily basis.
Privacy's Trajectory
As many of our readers know, the International Association of Privacy Professionals (IAPP) will celebrate 10 years this Tuesday, March 16. In connection with that anniversary, the IAPP is releasing a whitepaper, "A Call For Agility: The Next-Generation Privacy Professional," tomorrow, March 15. Monday morning you can find the whitepaper here. I am honored that the IAPP has given me the opportunity to read and blog about the whitepaper in advance of its official release. Where exactly is privacy going in today's environment? What is the role of the privacy professional over the next 10 years? And, a lot of people I know and love (you know who you are) would ask, what in the world is a privacy professional anyway?
Of late, I have found myself reiterating, and getting a lot of positive feedback for, the following proposition: with data (massive amounts of it) as the new currency, the explosion in outsourcing to "trusted partners," and the growth of legal risks associated with an ever-expanding body of privacy and data security regulation, the role for professionals who understand privacy is becoming increasingly important. Further, such professionals are uniquely positioned to bring together various key stakeholders in an organization, including Information Security, Legal, IT, and various business units. Why? Because privacy professionals are, by virtue of what they do, multidisciplinary. And the growing opportunities for such professionals are inextricably intertwined with that quality. The IAPP has summed this up succinctly, and eloquently in its whitepaper, as follows:
Continue Reading...The TJX Case: It Lives! With a New Theory of Liability: "Unfairness"
However, two financial institutions (Amerifirst Bank and SELCO Community Credit Union - hereinafter "Issuing Banks" or plaintiffs) have pressed forward with an appeal of various dismissals and class certification motions to the U.S Court of Appeals for the First Circuit (the "Appellate Court"). The 1st Circuit's opinion sheds some more (high level) light on the liability risk of payment card data breach security cases. Ultimately, the Appellate Court allowed three theories of liability to proceed, including a previously dismissed theory alleging that TJX's inadequate security amounted to an unfair business practices under Massachusetts's unfair and deceptive business practices law.
Continue Reading...Highlights of the FTC's Self-Regulatory Principles for Online Behavioral Advertising
Earlier this year the Federal Trade Commission released an FTC Staff Report entitled "Self-Regulatory Principles for Online Behavioral Advertising" (the "Report"). The Report arose after over a year of public comments and debate by both marketers and consumer privacy advocates. The Principles allow for a self-regulatory approach that purportedly strikes a balance between marketing innovation and consumer benefits, and protecting consumer privacy. The following is a summary of some of the key points of the report on the Principles.
Continue Reading...New Jersey Security Requirements (including encryption of personal information)
A proposed New Jersey regulation that may be come law in 2008. It has very specific requirements around encryption of personal information at rest and in transit. In particular, if these rules pass organizations would be required to encrypt according to the Federal Information Processing Standard (FIPS) recommended standard, which is the Advanced Encryption Standard (AES) 128-bit to 256-bit. This law also has 20 other fairly specific security requirements.
How will these specific requirements related to other State, Federal, International security requirements? Do the specifics in this regulation harken a movement away from a "technology neutral" approach to information security regulation?
- Cyber Insurance: An Efficient Way to Manage Security and Privacy Risk in the Cloud?
- NLRB Issues Second Report Reviewing Social Media Enforcement Actions
- NIST Issues Finalized Guidelines for Managing Security & Privacy in Public Cloud Computing
- The Legal Implications of Social Networking Part Three: Data Security
- Twitter Followers = Trade Secrets?
- Privacy Hot Topics for 2012
- A Handful of 2012 Privacy & Security Predictions
- FTC Seeks Public Comments on Facial Recognition Technology
- Contracting for Cloud Computing Services
- InfoLawGroup and ACE USA Social Media Risk Podcast
-
Tanya Forsheit
Tanya L. Forsheit is a Founding Partner of InfoLawGroup LLP and a former partner with Proskauer, where she was Co-Chair of that firm’s Privacy...More...
Stay Connected with Tanya Forsheit
-
David Navetta
David Navetta is one of the Founding Partners of the Information Law Group. David has practiced law for over twelve years, including technology, priv...More...
Stay Connected with David Navetta
-
W. Scott Blackmer
W. Scott Blackmer is one of the Founding Partners of InfoLawGroup LLP. He has practiced information technology law since 1982. Scott has been listed...More...
Stay Connected with W. Scott Blackmer
-
Boris Segalis
Mr. Segalis is a Partner at InfoLawGroup LLP. He counsels clients regarding a broad range of privacy, information security and information management...More...
Stay Connected with Boris Segalis
-
Jamie Rubin
Jamie Rubin joined Information Law Group as a partner in June 2011. Jamie is a media, promotions and intellectual property lawyer who works with clie...More...
Stay Connected with Jamie Rubin
-
Justine Gottshall
Justine Young Gottshall joined Information Law Group as a partner in June 2011. Justine has practiced law for over sixteen years, and has focuse...More...
Stay Connected with Justine Gottshall
- Center for Democracy & Technology
- Concurring Opinions
- Cyb3rcrim3
- Dot Indicia
- Electronic Frontier Foundation
- GigaLaw.com
- ITAC Blog
- Info/Law
- Krebs on Security
- Payment Card Security & IT Controls Explained
- Privacy Lives
- Rational Survivability
- Schneier on Security
- Secure Business Growth
- Securosis
- Technology & Marketing Law Blog
- The Falcon's View
- The Smart Grid Security Blog
- apophenia
- beSpacific
