Privacy & Security
It happens in every emergency department: a law enforcement officer comes into the ER at two o’clock in the morning and demands to test the blood alcohol levels of a patient brought in after an auto accident. The officer pulls an exhausted nurse to the side in the hopes that the nurse will forget his or her training, or become anxious enough to give up the information for fear of being arrested. Yet no matter the specific facts, the question remains: can a hospital give law enforcement officers a patient’s PHI without authorization from the patient? In some situations, is it even required?
There is a provision under the HIPAA Privacy Rule that allows, and in some cases, requires, entities to disclose patient’s PHI to law enforcement without the patient’s authorization. However, state law can complicate this picture with more restrictive regulations and guidance.
Google answered Amazon’s Echo Dot by recently launching their own pint-sized smart speaker, the Google Home Mini. Recently, Google was forced to disable one of the features on the Home Mini after it was discovered that a technical glitch led to near 24/7 audio recording. Google responded quickly and appropriately, investigating the cause and quickly releasing an update to disable the hardware responsible for the glitch. The Equifax hack – a breach of personal data including social security numbers, driver’s license information, and other credit details – exposed nearly half the country and waited months to respond. Upcoming European legislation that can significantly impact American companies with European Union clients may be part of the reason for their drastically different responses.
On September 7, 2017, the credit bureau Equifax announced a giant security breach affecting the personal information of approximately 143 million US consumers, as well as thousands of consumers overseas. With numerous lawsuits piling up against the company and almost half of our nation’s population at a significant increased risk of identity theft, Americans are left wondering why this happened, how it could have been prevented, and what will become of Equifax and our credit reporting systems.
In the last month, multiple large-scale data breaches were reported by various entities, with 3 breaches reported in the past week alone. Unfortunately, even the most well-known entities do not stand a chance against increasing technological abilities of bad actors. Since the Equifax breach in early September, Whole Foods, Sonic, Deloitte and the Securities Exchange Commission, among others, had similar large-scale breaches affecting consumers across the country.
Illinois’ Personal Information Protection Act (“PIPA”) became effective on January 1, 2017. Illinois is just one of many states that recently strengthened their data breach notification systems and created data security laws to enhance protection of personal information. Like other state provisions, Illinois created stronger safeguards for personal information transmitted electronically. This act requires that all personal information provided electronically must be encrypted or redacted. The amendments to PIPA (1) broadened the statute’s definition of personal information; (2) clarified the safe harbor for encryption; (3) addressed required notification to residents after a breach; and (4) established limited exemptions.
Section 702 of the Foreign Intelligence Surveillance Act (FISA) allows the United States government to obtain access to the communications (e.g. emails) of non-U.S. citizens without a warrant. The rationale behind the law is its potential for use in gathering intelligence on potential terrorists and potential terrorist activity. The law has become controversial because intelligence on U.S. citizens has incidentally occurred as well, as emails and phone calls from U.S. citizens have been contained in intelligence-storing databases. As the law expires at the end of 2017, Congress is considering changing the ways intelligence is collected pursuant to the collection procedures stipulated under the law.
On September 25th, a former Okaloosa County, Florida paramedic, Christopher Wimmer, was sentenced to six months jail time and three years’ probation for taking “selfies” with incapacitated victims in ambulances last year and sending them to a co-worker. He and his co-worker, Kaylee Renee Dubois, were engaged in a “selfie war” with each other and snapped images and videos of patients in ambulances who were unconscious, sedated, intoxicated, or incapacitated. In total, 101 photos, 64 videos, and 41 patients were photographed or recorded during the so-called war, and a mere three patients consented to photographs being taken of them. Employees’ missteps with the privacy rights of patients have a negative lasting effect on their employer, their own career, and their patients.
According to data from HHS’ Office of Civil Rights (OCR), healthcare data breaches in 2017 are set to outpace those from 2016. Security experts have determined this increase is due to two factors: getting entry into a system has become easier, and organizations are now more inclined to report breaches. Yet despite the increase in data breaches and the costs of settling with HHS OCR, a majority of healthcare organizations are still only spending 1-6% of their budgets on cybersecurity measures.
Though the rain has stopped falling, Houston is still dealing with the aftermath of Hurricane Harvey, one of the largest and most destructive rainfall events on record. Healthcare providers in particular find themselves struggling to keep up with the various health problems caused by the flooding itself, on top of getting life-sustaining care to individuals with chronic or preexisting conditions. Crises like Harvey create serious problems for the delivery of care, but also for regulating it—circumstances are so uniquely devastating that standards can feel like barriers to necessary medical attention. And when family and friends are desperate to know if their loved one is out of danger, even the right of privacy seems negligible.
However, natural disasters and emergency events shouldn’t be used as an excuse to regulate away protections individuals depend on, such as the privacy and confidentiality of their personal information. Regulators must be careful when determining how to respond in a crisis—overreaching for the sake of bringing relief or under-regulating for flexibility can leave the public high and dry when the floodwaters recede.
The internet of things (IoT) holds promise for new ways to interact with and leverage technology; however, ever-expanding connectivity brings increased vulnerability. Addressing security and privacy issues is necessary for the continued growth of the IoT—and, as the U.S. Federal Trade Commission’s case against D-Link Corporation demonstrates, one of vital interest to regulatory lawmaking bodies as well.