Category:Privacy & Security
GDPR and HIPAA: Next Steps in the U.S. Healthcare Industry
The EU General Data Protection Regulation (“GDPR”) is now in effect as of May 25, 2018, and has been a prominent topic of international debate across multiple sectors as companies look to adjust to new stringent regulations in data management. With a wide scope (the GDPR now applies to all organizations possessing personal data of individuals based in the EU) and steep penalties for companies that fail to comply, companies across the globe are spending millions of dollars in preparation.
Is Your Fitness Tracker Violating Your Privacy Rights?
An increasing number of companies are providing fitness trackers for their employees as a part of their benefits package. The use of fitness trackers has been steadily growing over the past few years, and is predicted to hit a shipment size of 240.1 million devices by 2021. Even though the popularity of these fitness trackers has boomed, their compliancy with HIPAA has not kept up with them as quickly. A few companies that make fitness trackers have become HIPAA compliant, such as Fitbit and Apple. However, some companies have remained silent as to whether they are or plan on becoming compliant. While fitness trackers have been shown to have an overall positive effect in corporate wellness programs, corporations should remain up to date with how to keep their employees’ health information secure as well as ensure that the fitness tracker that they are providing is HIPAA compliant.
Trump Administration Creates New Division of Health and Human Services
The Trump administration has established a new division within the Department of Health and Human Services (HHS) called the Conscience and Religious Freedom Division. The stated purpose of this office is to “restore federal enforcement of our nation’s laws that protect the fundamental and unalienable rights of conscience and religious freedom.”
One day after the creation of this division, HHS proposed a new rule, providing further protections to healthcare workers who object to providing certain types of care to patients—including elective sterilization, gender reassignment surgery, or emergency contraception—based on their personal religious beliefs. Additionally, the Trump administration issued a new directive, reversing an Obama administration directive which prohibited states from refusing to send federal funds to qualified providers. This new division, new rule, and new directive serve to ensure the already-existing rights of physicians, nurses, and healthcare staff at the expense of their patients.
What Happens When The Police Demand PHI
It happens in every emergency department: a law enforcement officer comes into the ER at two o’clock in the morning and demands to test the blood alcohol levels of a patient brought in after an auto accident. The officer pulls an exhausted nurse to the side in the hopes that the nurse will forget his or her training, or become anxious enough to give up the information for fear of being arrested. Yet no matter the specific facts, the question remains: can a hospital give law enforcement officers a patient’s PHI without authorization from the patient? In some situations, is it even required?
There is a provision under the HIPAA Privacy Rule that allows, and in some cases, requires, entities to disclose patient’s PHI to law enforcement without the patient’s authorization. However, state law can complicate this picture with more restrictive regulations and guidance.
Equifax Compromises Millions of Consumer’s Information, How Is This Possible?
On September 7, 2017, the credit bureau Equifax announced a giant security breach affecting the personal information of approximately 143 million US consumers, as well as thousands of consumers overseas. With numerous lawsuits piling up against the company and almost half of our nation’s population at a significant increased risk of identity theft, Americans are left wondering why this happened, how it could have been prevented, and what will become of Equifax and our credit reporting systems.
When Selfies Go Wrong
On September 25th, a former Okaloosa County, Florida paramedic, Christopher Wimmer, was sentenced to six months jail time and three years’ probation for taking “selfies” with incapacitated victims in ambulances last year and sending them to a co-worker. He and his co-worker, Kaylee Renee Dubois, were engaged in a “selfie war” with each other and snapped images and videos of patients in ambulances who were unconscious, sedated, intoxicated, or incapacitated. In total, 101 photos, 64 videos, and 41 patients were photographed or recorded during the so-called war, and a mere three patients consented to photographs being taken of them. Employees’ missteps with the privacy rights of patients have a negative lasting effect on their employer, their own career, and their patients.
Cybersecurity Breaches Increasing in Healthcare Organizations
According to data from HHS’ Office of Civil Rights (OCR), healthcare data breaches in 2017 are set to outpace those from 2016. Security experts have determined this increase is due to two factors: getting entry into a system has become easier, and organizations are now more inclined to report breaches. Yet despite the increase in data breaches and the costs of settling with HHS OCR, a majority of healthcare organizations are still only spending 1-6% of their budgets on cybersecurity measures.
Privacy in Insecurity
Though the rain has stopped falling, Houston is still dealing with the aftermath of Hurricane Harvey, one of the largest and most destructive rainfall events on record. Healthcare providers in particular find themselves struggling to keep up with the various health problems caused by the flooding itself, on top of getting life-sustaining care to individuals with chronic or preexisting conditions. Crises like Harvey create serious problems for the delivery of care, but also for regulating it—circumstances are so uniquely devastating that standards can feel like barriers to necessary medical attention. And when family and friends are desperate to know if their loved one is out of danger, even the right of privacy seems negligible.
However, natural disasters and emergency events shouldn’t be used as an excuse to regulate away protections individuals depend on, such as the privacy and confidentiality of their personal information. Regulators must be careful when determining how to respond in a crisis—overreaching for the sake of bringing relief or under-regulating for flexibility can leave the public high and dry when the floodwaters recede.
Securing All The Things: Cybersecurity, D-Link, and the Expansion of IoT
The internet of things (IoT) holds promise for new ways to interact with and leverage technology; however, ever-expanding connectivity brings increased vulnerability. Addressing security and privacy issues is necessary for the continued growth of the IoT—and, as the U.S. Federal Trade Commission’s case against D-Link Corporation demonstrates, one of vital interest to regulatory lawmaking bodies as well.
HIPAA Punctuality: Always Insist On It In Your Subordinates
In an unprecedented act, the Office for Civil Rights (OCR) entered into a settlement agreement with Presence Health Network based on the healthcare system’s failure to timely report a breach of unsecured protected health information (PHI). Under the Breach Notification Rule of the Health Insurance Portability and Accountability Act (HIPAA) a covered entity must notify affected individuals, the Department of Health and Human Services (HHS), and the media for breaches affecting 500 people or more. Presence Health will pay $475,000 and implement a corrective action plan (CAP) to address misunderstandings in workforce member roles and responsibilities relating to the notification process.