Group items tagged

"The U.S. Department of Health and Human Services issued an interim final rule to beef up penalties for violations of the Health Insurance Portability and Accounting Act (HIPAA), as several Congressmen criticize the agency for leaving dangerous loopholes in the law. The new rules significantly increase penalty amounts that the U.S. Department of Health and Human Services can impose for HIPAA violations of patient privacy, according to a statement from HHS. The new rules reflect requirements enacted in the Health Information Technology for Economic and Clinical Health (HITECH) sections of the American Recovery and Reinvestment Act (ARRA) of 2009. Before HITECH, maximum penalties were $100 for each violation or $25,000 for all identical violations of the same provision. A covered health care provider, health plan, or clearinghouse could be exempt from civil financial penalties if it demonstrated it did not know it violated the HIPAA rule. The HITECH act increases civil financial penalties by establishing tiered ranges of increasing minimum penalties, with a maximum $1.5 million for all violations of identical provisions. And a "covered entity" can plead ignorance as a protection only if it fixes the violation within 30 days of discovery."

"In a sign that state attorneys general may be flexing the HIPAA enforcement muscle granted by the HITECH Act provisions in the Recovery Act, the Connecticut and Arizona attorneys general are investigating health plans that recently experienced data breaches that they failed to disclose for several months. Typically, state attorneys general prosecute only violations of state laws, but they now have authority to investigate and levy fines for violations of HIPAA and the HITECH Act, which requires mandatory notifications within two months of knowledge of a breach. Connecticut Attorney General Richard Blumenthal (D) has emerged as possibly the first AG to take on a HIPAA investigation, and Arizona's AG may also be pursuing a similar course. The larger of the two breaches that have come to the AGs' attention was experienced by Health Net, Inc., which lost a portable external hard drive containing seven years of data for 446,000 Connecticut residents. The lost data came from 1.5 million individuals in total, who also hailed from New Jersey and New York. Health Net reported the loss to the Connecticut AG on Nov. 19, and on the same day Blumenthal issued a scathing statement demanding answers and promising action. He specifically said he was investigating whether Health Net may have violated "federal laws," as well as his state's own data protection laws."

One of the more interesting panel discussions at the IDC Cloud Computing Forum on Feb 18th in San Francisco was about managing the complexities of security, privacy and compliance in the Cloud. The simple answer according to panelists Carolyn Lawson, CIO of California Public Utilities Commission, and Michael Mucha, CISO of Stanford Hospital and Clinics is "it ain't easy!" "Both of us, in government and in health, are on the front-lines," Lawson proclaimed. "Article 1 of the California Constitution guarantees an individual's right to privacy and if I violate that I've violated a public trust. That's a level of responsibility that most computer security people don't have to face. If I violate that trust I can end up in jail or hauled before the legislature," she said. "Of course, these days with the turmoil in the legislature, she joked, "the former may be preferable to the later." Stanford's Mucha said that his security infrastructure was built on a two-tiered approach using identity management and enterprise access control. Mucha said that the movement to computerize heath records nationwide was moving along in fits and starts, as shown by proposed systems likeMicrosoft (NSDQ: MSFT)'s Health Vault and Google (NSDQ: GOOG)'s Personal Health Record. "The key problem is who is going to pay for the computerized of health records. It's not as much of a problem at Stanford as it is at a lot of smaller hospitals, but it's still a huge problem." Mucha said that from his perspective security service providers in the cloud and elsewhere are dealing with a shrinking security parameter or fence, which is progressing from filing cabinets, to devices, to files, and finally to the individual, who under the latest Health Insurance Portability and Accountability Act (HIPAA) privacy rules has certain rights, including rights to access and amend their health information and to obtain a record of when and why their Protected Health Information (PHI) record has bee

A consumer reporting agency that failed to properly screen prospective customers and, as a result, sold at least 318 credit reports to identity thieves, has agreed to settle Federal Trade Commission charges that it violated federal law. Under the settlement, the company and its principal must ensure that they provide credit reports only to legitimate businesses for lawful purposes, use a comprehensive information security program, and obtain independent audits every other year for 20 years. The settlement also imposes a $500,000 penalty but suspends payment due to the defendants' inability to pay. According to the FTC, the defendants use sensitive financial data from other consumer reporting agencies to create reports that landlords use to assess potential renters. These reports contain consumers' names, Social Security numbers, birth dates, bank and credit card account numbers, credit histories, and other personal information. The Commission alleges that the company failed to properly screen new customers. The company allegedly requested only publicly-available information from applicants seeking credit reports, and it did not request supporting documentation to establish that an applicant was actually a landlord renting property. As a result, identity thieves posing as property owners were given an account with unlimited online access to credit reports, and the account was used to access at least 318 reports containing sensitive personal information. The FTC charged the defendants with violating the Fair Credit Reporting Act (FCRA) by furnishing credit reports to persons who did not have a permissible purpose to obtain them, and by failing to maintain reasonable procedures to prevent such impermissible disclosures and to verify their customers' identities and how they intended to use the information. The agency also charged them with violating the FTC Act by failing to employ reasonable and appropriate security measures to protect sensitive consumer inform

When the director of IT at a Boston-based, midsize pharmaceutical firm was first approached to participate in a data leakage audit, he was thrilled. He figured the audit would uncover a few weak spots in the company's data leak defenses and he would then be able to leverage the audit results into funding for additional security resources. "Data leakage is an area that doesn't get a lot of focus until something bad happens. Your biggest hope is that when you raise concerns about data vulnerability, someone will see the value in allowing you to move forward to protect it," the IT director says. But he got way more than he bargained for. The 15-day audit identified 11,000 potential leaks, and revealed gaping holes in the IT team's security practices. (Read a related story on the most common violations encountered.) The audit, conducted by Networks Unlimited in Hudson, Mass., examined outbound e-mail, FTP and Web communications. The targets were leaks of general financial information, corporate plans and strategies, employee and other personal identifiable information, intellectual property and proprietary processes. Networks Unlimited placed one tap between the corporate LAN and the firewall and a second tap between the external e-mail gateway and the firewall. Networks Unlimited used WebSense software on two servers to monitor unencrypted traffic. Then it analyzed the traffic with respect to company policy. Specifically, Networks Unlimited looked for violations of the pharmaceutical firm's internal confidentiality policy, corporate information security policy, Massachusetts Privacy Laws (which go into effect in 2010), Health Insurance Portability and Accountability Act (HIPAA), and Security and Exchange Commission and Sarbanes-Oxley regulations. Auditor Jason Spinosa, senior engineer at Networks Unlimited, says that while he selected the criteria for this audit, he usually recommends that companies take time to determine their policy settings based on their risk

The Federal Trade Commission today approved a final consent order settling claims that CVS Caremark violated customers' privacy and the Health Information Portability and Accountability Act (HIPAA) when it failed to dispose of records properly last year. Earlier this year, CVS Caremark agreed to settle FTC charges that it failed to take reasonable and appropriate security measures to protect the sensitive financial and medical information of its customers and employees, in violation of federal law. In a separate but related agreement, the company's pharmacy chain also has agreed to pay $2.25 million to resolve Department of Health and Human Services allegations that it violated HIPAA regulations. "This is a case that will restore appropriate privacy protections to tens of millions of people across the country," said FTC chairman William Kovacic following the settlement. "It also sends a strong message to other organizations that possess consumers' protected personal information. They are required to secure consumers' private information." Under the final consent order, CVS Caremark is required to rebuild its security and confidentiality program, which will be audited every two years for the next 20 years. The HHS settlement requires the company to develop a new training program to instruct employees on how to handle patient data.

Those who are superstitious may believe that bad things happen on Friday the 13th, but we will leave it to each individual and entity to formulate conclusions regarding the Health Information Technology for Economic and Clinical Health Act (the HITECH Act), which Congress passed late on Friday, February 13, 2009, and President Obama officially signed into effect on February 17, 2009. The HITECH Act addresses various aspects relating to the use of health information technology (H.I.T.), including providing for federal funding by way of grants and incentive payments in order to promote H.I.T. implementation. This Alert focuses, however, on Subtitle D of the HITECH Act, which includes important, new and far-reaching provisions concerning the privacy and security of health information that will materially and directly affect more entities, businesses and individuals in more diverse ways than ever before. These changes are further elaborated upon below, but this Alert can only highlight certain prominent issues under the HITECH Act and is by no means a comprehensive review of this lengthy and complex Act. For questions and additional guidance on the HITECH Act, contact your Fox Rothschild attorney or the authors of this Alert. New Privacy and Security Requirements * Security Breach Notification Requirements: Security breach notification requirements under the HITECH Act go into effect 30 days after the date that interim final regulations are promulgated, which will be no later than 180 days after the date of enactment of the HITECH Act (August 16, 2009). Covered entities, business associates and vendors who handle personal health records are required to abide by breach notification requirements. Violations of this requirement by vendors would be treated as an unfair and deceptive act or practice in violation of the Federal Trade Commission Act. If a breach affects more than 500 individuals of a particular state, notice also must be provided to prominent media outl

Dr. Jay Holland of Little Rock and two former employees of St. Vincent Infirmary Medical Center pleaded guilty Monday to misdemeanor violations of the federal medical records privacy law, the U.S. Attorney's Office and the FBI in Little Rock announced. Holland, Sarah Elizabeth Miller of England and Candida Griffin of Little Rock admitted accessing "without any legitimate purpose" the medical records of Anne Pressly, the KATV-TV, Channel 7, reporter who was fatally attacked in her home in October. For the violations of the Health Insurance Portability and Accountability Act, each faces up to one year in prison, a fine of up to $50,000, or both. Sentencing has not been scheduled.

"All Facebook users can deactivate their profiles, but doing so quietly might not make quite the same statement as using another service to slam the door on the site. One such service, Seppukoo.com, created by the Italian group Les Liens Invisibles, drew attention late last year after launching a campaign to convince people to commit Facebook suicide. Wannabe ex-Facebook members can provide Seppukoo.com with their names and passwords and Seppukoo then not only deactivates their profiles, but also creates a "memorial" page that it sends to users' former Facebook friends. Facebook evidently isn't happy about this development. Last month, the company fired off a cease-and-desist letter to Les Liens Invisibles, complaining that users who provide log-in data are violating Facebook's terms of service. The company also alleges that the scraping of its data violates a host of laws, including an anti-hacking law, the federal spam law and the copyright statute. "

FaceBook is sooooo concerned about our privacy!

Every day for one hour, Olympic-level athletes all over the world have an appointment they cannot break. The swimmer Dara Torres, a 12-time Olympic medalist, squeezes her hour into training, running errands and caring for her 3-year-old daughter. The curler Nicole Joraanstad schedules her hour at dawn, but says it often interrupts her sleep. The Olympic decathlon champion Bryan Clay makes himself available at night, when he is most likely to be home with family. Since Jan. 1, Olympic-level athletes have had to schedule their daily availability - hour and place - three months in advance so drug testers can find them, according to new World Anti-Doping Agency rules. And violating those rules can have serious repercussions. Three missed drug tests within an 18-month period during an athlete's appointed hour count as a positive drug test and can result in a one- to two-year ban from competition. Because the element of surprise is crucial to effective testing, athletes are also subject to random out-of-competition tests at any time. And they are tested at competitions. Jacques Rogge, the president of the International Olympic Committee said, "Sports today has a price to pay for suspicion." But some athletes say the rules have gone too far. "It's absolutely too much," Torres said in a telephone interview. "Why make this more cumbersome when we do so much already? We're at the point where we have to find a middle ground." Never before has there been so much protest regarding out-of-competition testing. Athletes in nearly every sport as well as organizations like FIFA, soccer's international governing body, have publicly criticized the doping agency's regulations. At least one lawsuit challenging the rules is in court. Sixty-five Belgian athletes, including the world-class Quick Step cycling team and its star Tom Boonen, filed a class-action lawsuit claiming that the new rules violate European privacy laws.

Two companies that collect, analyze and sell prescription information are mounting a Supreme Court challenge to New Hampshire's first-in-the-nation law making doctors' prescription writing habits confidential. In an appeal filed March 27, IMS Health Inc. of Norwalk, Conn., and Verispan LLC of Yardley, Pa., tell the high court that the law violates their First Amendment right to free speech in pursuit of their business. The law, aimed at thwarting hard-sell tactics by drug companies to doctors, makes it a crime for pharmacies and others to transfer information disclosing a doctor's prescribing history if the information could be used for marketing of prescription drugs in New Hampshire. Patients' names are not included in the data. The companies say that the ruling by the 1st U.S. Circuit Court of Appeals in Boston that upheld the law's constitutionality could be broadly applied to newspaper publication of stock market information and many other services that gather large amounts of information. The money made by selling the information to drug makers, the companies say, allows them to provide the same material to researchers and humanitarian organizations at little or no cost. The law first took effect in 2006. The following year, U.S. District Judge Paul Barbadoro in Concord ruled in the companies' favor and said the law violated the First Amendment. Another federal judge subsequently ruled against a similar law in Maine, relying heavily on the New Hampshire decision. But the 1st Circuit overruled Barbadoro, calling the law a valid step to promote the delivery of cost-effective health care. "Even if the Prescription Information Law amounts to a regulation of protected speech - a proposition with which we disagree - it passes constitutional muster," the court said. "In combating this novel threat to cost-effective delivery of health care, New Hampshire has acted with as much forethought and precision as the circumstances permit and the

The Interior Department's inspector general has found widespread mishandling and erratic tracking of special passports issued to department officials traveling overseas, alleging that in numerous instances employees violated federal privacy laws by improperly securing passports and passport application forms. In some cases, officials couldn't account for expired passports of former employees, and could not locate a passport once issued to former Interior secretary Gale Norton. The inspector general's report warned that such mismanagement and lax protection could result in cases of fraud or identity theft impacting current and former employees. "Given the risk of misuse that missing and unsecured passports, visas and passport applications pose, we cannot understate the importance of acting swiftly to address these violations and prevent their recurrence," Acting Inspector General Mary L. Kendall wrote in a memo sent with a copy of the report last week to Interior Secretary Ken Salazar.

Difficult economic times can be the breeding ground for increased fraudulent activities. In July 2009, the Financial Crimes Enforcement Network (www.fincen.gov) published its 12th edition of The SAR Activity Review - By the Numbers. SARs (Suspicious Activity Reports) are one key aspect of FinCEN's efforts related to its responsibility for regulatory administration of the Bank Secrecy Act of 1970. Many different financial industries such as banks, credit unions, insurance companies, check-cashing services, broker/dealers, and casinos are required to complete and file SARs. According to FinCEN's press release on the SAR Activity Review, "The report reveals that of the 20 different violation types tracked, seven of the categories relate specifically to fraud and all seven showed an increase in SAR filings during the year. While these categories represent one-third of the possible violation types, they accounted for nearly half of the increase in total SAR filings from 2007 to 2008, with all of the fraud categories seeing double-digit increases in percentage of filings in 2008. These categories are: check fraud, mortgage loan fraud, consumer loan fraud, wire transfer fraud, commercial loan fraud, credit card fraud, and debit card fraud." Could any of this apply to you? Are your control and monitoring processes able to identify these examples of common patterns of suspicious activity that FinCEN has identified?

The Kaiser Permanente hospital in Bellflower has been hit with a $187,500 fine for failing for a second time to prevent unauthorized access to confidential patient information, state pubic health officials said today. [Updated at 3 p.m.: A spokesman for the hospital said the fine was part of the ongoing investigation into employees improperly accessing the medical records of Nadya Suleman and her children. Disciplinary action has been taken against the employees, said Jim Anderson, a hospital spokesman. All the incidents occurred in January; a previous post said they had occurred in April and May.] State officials said Kaiser Permanente Bellflower Medical Center compromised the privacy of four patients when eight employees improperly accessed records. This is the second penalty against the hospital, officials said. The hospital was fined $250,000 in May for failing to keep employees from snooping in the medical records of Nadya Suleman, the woman who set off a media frenzy after giving birth to octuplets in January. The fine was the first penalty imposed and largest allowed under a new state law enacted last year after the widely publicized violations of privacy at UCLA Medical Center involving Farrah Fawcett, Britney Spears, California First Lady Maria Shriver and other celebrities. "We are very concerned with violations of patient confidentiality and their potential harm to the residents of California," said Dr. Mark Horton, director of the California Department of Public Health. "Medical privacy is a fundamental right and a critical component of quality medical care in California."

Personal profiles on Facebook and other social-networking sites are a trove of inappropriate and embarrassing photographs and discomfiting breaches of confidentiality. You might expect that from your friends and even some colleagues - but what about your doctor? A new survey of medical-school deans finds that unprofessional conduct on blogs and social-networking sites is common among medical students. Although med students fully understand patient-confidentiality laws and are indoctrinated in the high ethical standards to which their white-coated profession is held, many of them still use Facebook, YouTube, Twitter, Flickr and other sites to depict and discuss lewd behavior and sexual misconduct, make discriminatory statements and discuss patient cases in violation of confidentiality laws, according to the survey, which was published this week in the Journal of the American Medical Association. Of the 80 medical-school deans questioned, 60% reported incidents involving unprofessional postings and 13% admitted to incidents that violated patient privacy. Some offenses led to expulsion from school.

"Recently, the Federal Trade Commission (FTC) has gotten tough with US companies that have not lived up to their own privacy promises to European consumers. In particular, it has filed complaints against seven US companies that claimed that they were adhering to the European Union's Safe Harbor Program, but allegedly were not. (The FTC issues or files a complaint when it has "reason to believe" that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. The complaints themselves are not a finding or ruling that the named parties have violated the law.) By taking action, the FTC has shown that the Safe Harbor program, as applied to US companies, is not a set of empty promises. Rather, the FTC is keeping watch over businesses and will sanction those that misrepresent their own policies. In this column, I will explain how the Safe Harbor program works, and also discuss the recent FTC enforcement actions."

"Iconix Brand Group, Inc. will pay a $250,000 civil penalty to settle Federal Trade Commission charges that it violated the Children's Online Privacy Protection Act (COPPA) and the FTC's COPPA Rule by knowingly collecting, using, or disclosing personal information from children online without first obtaining their parents' permission. Iconix owns, licenses, and markets - both offline and online - several popular apparel brands that appeal to children and teens, including Mudd, Candie's, Bongo, and OP. Iconix required consumers on many of its brand-specific Web sites to provide personal information, such as full name, e-mail address, zip code, and in some cases mailing address, gender, and phone number - as well as date of birth - in order to receive brand updates, enter sweepstakes contests, and participate in interactive brand-awareness campaigns and other Web site features. Since 2006, Iconix knowingly collected and stored personal information from approximately 1,000 children without first notifying their parents or obtaining parental consent, according to the FTC's complaint. On one Web site, MyMuddWorld.com, Iconix also enabled girls to publicly share personal stories and photos online, according to the complaint. "Companies must provide parents with the opportunity to say 'no thanks' to the collection and disclosure of their children's personal information," said FTC Chairman Jon Leibowitz. "Children's privacy is paramount, and Iconix really missed the boat by denying parents control over their kids' information online.""

The Supreme Court upheld a U.S. government crackdown on profanity on television, a policy that subjects broadcasters to fines for airing a single expletive blurted out on a live show. In its first ruling on broadcast indecency standards in more than 30 years, the high court handed a victory on Tuesday to the Federal Communications Commission, which adopted the crackdown against the one-time use of profanity on live television when children are likely to be watching. The case stemmed from an FCC decision in 2006 that found News Corp's Fox television network violated decency rules when singer Cher blurted out an expletive during the 2002 Billboard Music Awards broadcast and actress Nicole Richie used two expletives during the 2003 awards. No fines were imposed, but Fox challenged the decision. A U.S. appeals court in New York struck down the new policy as "arbitrary and capricious" and sent the case back to the FCC for a more reasoned explanation of its policy.

"Fomer UCLA Healthcare System researcher Huping Zhou has pleaded guilty to violating parts of the Health Insurance Portability and Accountability Act and could be one of the first people in the country convicted under the law, federal authorities announced Friday. After learning he was to be let go, the 48-year-old is alleged to have accessed the UCLA patient records system 323 times during the three-week period, mostly to check out the files of celebrities, according to the U.S. Attorney's Office. The names of the targeted stars have not been revealed. Federal authorities say Zhou admitted to accessing the records -- cruising files that were not necessary to view as part of his job -- under a plea agreement. He'll face a judge for sentencing March 22. It's not clear what kind of punishment the U.S. Attorney's Office will recommend in exchange for his cooperation."

"Faced with increasing pressure from Washington, the Interactive Advertising Bureau launched a public service campaign on Thursday aimed at educating consumers about behavioral targeting. The online campaign, created pro bono by WPP's Schematic, features rich media banner ads with copy like "Advertising is creepy" and "Hey, this banner can tell where you live. Mind if we come over and sell you stuff?" More than one dozen publishers -- including Microsoft, Google's YouTube, and AOL -- have committed to donate a combined 500 million impressions for the initiative. The campaign comes as policymakers are questioning whether data collection by marketers violates consumers' privacy. Rep. Rick Boucher (D-Va.) has said he plans to introduce a bill that could require Web companies to notify users about online ad targeting, and in some circumstances, obtain their explicit consent. In addition, the Federal Trade Commission has criticized the industry for using dense privacy policies to inform people about behavioral targeting, or tracking people online and sending them ads based on sites visited. In a meeting with reporters Thursday morning, IAB President and CEO Randall Rothenberg said one goal of the campaign is to address regulators' concerns that consumers don't understand behavioral advertising. "