Massachusetts Hospital Agrees to Pay $775,000 for Security Breach

By Amy Crafts

Following a two year investigation by the Massachusetts Attorney General’s Office (“AGO”), a local Massachusetts hospital has agreed to pay $775,000 to resolve allegations that it failed to protect the personal and confidential health information of more than 800,000 consumers. The investigation and settlement resulted from a data breach disclosed by South Shore Hospital in 2010, where the information disclosed included individuals’ names, Social Security numbers, financial account numbers and medical diagnoses.

In February 2010, South Shore Hospital retained a third-party service provider to erase 473 unencrypted back-up tapes that contained the personal information and protected health information of over 800,000 individuals. While the third-party service provider was retained before the Regulations were implemented, the AGO noted that South Shore Hospital did not notify the third-party service provider that the tapes contained such sensitive information, and also did not verify that the third-party service provider had adequate safeguards in place to protect the sensitive information.

In June 2010, South Shore Hospital learned that only one of the boxes was accounted for, and that two of the boxes were missing. There have been no reports of unauthorized use of the personal information or protected health information to date. An investigation conducted by South Shore Hospital indicated that the back-up tapes were likely disposed of in a secure commercial landfill and were therefore unrecoverable.

Full Story via Proskauer Privacy Blog


HIPAA and Emerging Technologies

Originally Authored by M. Scott Koller and Marcia L. Augsburger and published by the American Health Lawyers Association, HIPAA and Emerging Technologies, 14 HIT News 3, 6 (November 2011).

The Health Insurance Portability and Privacy Act of 1996 (HIPAA) is 15 years old this year – still acting a bit like an uncertain, wide-eyed teenager responding to new developments. Although more mature, clarified by regulations, and supplemented by the HITECH Act, at its core HIPAA has remained relatively unchanged since its enactment. Societal changes implicating HIPAA, however, have been significant. Over the past five years alone, we saw the rise of Facebook, the domination of Google, and the introduction of powerful personal electronic devices such as Apple’s iPhone and iPad. In addition, technologies such as cloud computing, wireless communication, and telemedicine have reached a level of reliability and affordability that has allowed healthcare providers to expand their reach and services. With every emerging technology, the specter of HIPAA compliance remains a key concern, while its application becomes more murky.


HIPAA was designed to be technology neutral. Accordingly, the statute is worded in terms of principles of compliance instead of specific measures to be implemented. While this permits flexibility so that the law can continue to be relevant as time and technology progress, it also creates ambiguity. Indeed, so ambiguous are the HIPAA statutes that there continues to be a debate over their application to a technology as ubiquitous as email.

Nonetheless, HIPAA offers a methodical, step-by-step process for reviewing new programs, applications, and technologies to ensure technical safeguards are in place. The safeguards cover five areas: access controls, audit controls, integrity controls, authentication, and transmission security. This article addresses each of these, and explains the challenges they present in evaluating compliance issues as applied to emerging technologies.

Read the full article here: HIPAA and Emerging Technologies

Two Privacy Bills on the Move in California

Two privacy-related bills are on the move in California. The California Genetic Information Privacy Act would prohibit the unauthorized collection, testing and distribution of DNA data. “We have laws to protect the privacy of our financial information, our medical records and even the books we check out from the local library,” said the bill’s author, State Sen. Alex Padilla (D-Pacoima), adding, “We need genetic privacy protections because nothing is more personal than our DNA.” The bill passed the Senate Judiciary Committee on Tuesday, according to a GovTech report. Meanwhile, the California Location Privacy Bill passed the Senate Public Safety Committee earlier this week after a certain disclosure provision was removed.


Office To Release Mobile App Guidelines

The chief of California’s Office of Privacy Protection says the office will soon release guidelines for mobile app developers on data collection, data sharing and written privacy policies, PCWorld reports. Chief Joanne McNabb, CIPP/G, CIPP/IT, CIPP/US, says the guidelines, likely to be released in July, will be developed with an advisory panel of experts and industry stakeholders. Though the office itself has no regulatory power, the guidelines will help companies comply with state laws, McNabb said, adding that the “practices and recommendations we come up with are not a floor of legal compliance nor are they a ceiling of ideal. I think of them as about chair-rail height. You want to push higher than developers are required to go.”

Source: IAPP


White House to Unveil Blueprint for a “Privacy Bill of Rights” in its Long-Awaited Privacy Report

Later today the White House will release its long-awaited privacy report entitled, “Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy.” The report is the follow-up to the Commerce Department’s Internet Policy Task Force Green Paper entitled: “Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework,” which was issued in December 2010. The cornerstone of the White House report is a “Privacy Bill of Rights” aimed at improving consumers’ privacy protections and providing greater certainty to businesses in order to foster innovation and growth in the Internet economy. The report contemplates a stakeholder-driven process to specify how these new rights will apply to specific business contexts, a process which will be spearheaded by the Commerce Department’s National Telecommunications and Information Administration, and envisions “strong enforcement” by the Federal Trade Commission. In addition, the report also calls for greater interoperability between the privacy frameworks of the United States and its international partners.

A White House statement released on Wednesday revealed that the Privacy Bill of Rights will provide consumers with the following rights:

- Individual Control: Consumers have a right to exercise control over what personal data organizations collect from them and how they use it.
- Transparency: Consumers have a right to easily understandable information about privacy and security practices.
- Respect for Context: Consumers have a right to expect that organizations will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide the data.
- Security: Consumers have a right to secure and responsible handling of personal data.
- Access and Accuracy: Consumers have a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data are inaccurate.
- Focused Collection: Consumers have a right to reasonable limits on the personal data that companies collect and retain.
- Accountability: Consumers have a right to have personal data handled by companies with appropriate measures in place to assure they adhere to the Consumer Privacy Bill of Rights.

The White House also announced in its statement that the companies responsible for the delivery of nearly 90% of online behavioral advertisements have agreed to honor consumers’ privacy choices made via Do Not Track technology on web browsers. The companies that make this commitment to Do Not Track technology will be subject to enforcement by the Federal Trade Commission.


Breaking News: Warrant Required for GPS Tracking

In the case of United States vs. Jones, the Supreme Court has held that a warrant is required prior to the use of GPS tracking. Writing for the majority, Justice Antonin Scalia wrote, “We hold that the government’s installation of a G.P.S. device on a target’s vehicle, and its use of that device to monitor the vehicle’s movements, constitutes a ‘search.’”

Opinion


HIPAA Audits Will Become Permanent

At the annual meeting of the Office of the National Coordinator for Health IT yesterday, Leon Rodriguez, the director of the HHS Office for Civil Rights (OCR), said he “fully expects” the government will institute a permanent HIPAA compliance audit program after the current pilot program wraps up in 2012, GovInfoSecurity reports. The agency will conduct 150 audits over the next 11 months. Rodriguez said the audits are intended to help entities improve compliance with HIPAA. During his presentation, he also addressed the call by Sen. Al Franken (D-MN) for the OCR to “hurry up” and release its final rules for HIPAA modifications. “We indeed are hurrying up,” Rodriguez said.

Full Story

OCR To Begin HIPAA Audits This Month

The HHS Office for Civil Rights (OCR) will begin HIPAA audits on covered entities this month, Health Data Management reports. KPMG has been contracted to conduct the audits, at least 150 by the end of next year, on HIPAA’s privacy, security and breach notification rules. The OCR has said an initial 20 audits will act as a test run to determine how future assessments will be conducted. Entities will be notified of an impending audit in writing 30 to 90 days prior, but the OCR has not yet indicated how it will select which firms to visit.

Source: Full Story

FTC Regulatory Review

The Federal Trade Commission has updated its website to show a list of rules currently under review. In addition, the FTC has also posted a chart showing its review schedule for the next ten years. This is a great resource to see what potential changes are on the horizon.

Get a sneak peek at:

http://www.ftc.gov/ftc/regreview/fednotices.shtml

and

http://www.ftc.gov/ftc/regreview/rev-schedule.pdf
