Industry Insiders Discuss HIT and HIPAA Issues March 30, 2009 by Astrid Fiano, Writer A significant part of President Obama's health care reform agenda is the push for implementing more health care technology. In the health care field privacy is always a major concern, and was the impetus of the Health Insurance Portability and Accountability Act of 1996--protecting the privacy of individually identifiable health information in all formats, and the confidentiality provisions of the Patient Safety Act--protecting identifiable information being used to analyze patient safety events. So those in the health care industry now wonder will the Administration's focus on health IT (HIT) present more challenges to privacy concerns? As part of a continuing focus on HIT issues, DOTmed interviewed industry expert Kirk J. Nahra, a partner in the Washington D.C. legal firm of Wiley Rein LLP, specializing in privacy and information security for the health care and insurance industries, and named an expert practitioner by the Guide to the Leading U.S. Healthcare Lawyers. DOTmed also interviewed Lise Rauzi, Vice President, Training Development, for Health Care Compliance Strategies (HCCS). HCCS provides online training compliance for employees. Nahra notes that regardless of the rising concern over privacy and the new HIT legislation, there have already been formal HIPAA security rules on electronic information in place for several years--the health care industry compliance has just been inconsistent. The problem -- to the extent there is one -- is that HIPAA rules are process-oriented, Nahra explained. The rules don't tell an entity what to do, but rather what to evaluate--a standard set of questions, but without a standard set of answers. For example, a covered entity has to have an internal audit, but the rules do not tell the entity how best to carry out that internal audit. Not surprisingly, different businesses have different ideas on how to implement their HIPAA evaluations

Privacy rights are accepted and, generally, honored in Europe. The wealth - literally and figuratively - of personal information made available through the internet staggers the imagination. Staggering, too, is the prospect of privacy rights being trampled. EC Consumer Protection Commissioner Meglena Kuneva has a bone to pick with internet snooping. And she's launching an investigation into deep data mining. In an official statement (to be released March 31) she will outline concerns of vague and misleading 'term of use' for access to Web sites that can breach EC privacy rules. Commissioner Kuneva was born and raised in Bulgaria during a time when snooping on people was common, legal and nasty. The European Parliament (EuroParl) voted (March 27) overwhelmingly for recommendations in a report linking data surveillance, advertising and cybercrime. The report recommends safeguards for the privacy rights of internet users. The EuroParl called for "making use of existing national, regional, and international law." The MEPs raised the "imbalance of negotiating power between (internet) users and institutions." Internet users, said the MEPs, have the right to "permanently delete" personal details. Facebook's recent change in 'terms of use' allowing it to retain personal information brought a firestorm of criticism and the social networking portal backtracked. And the EC was watching. "It wasn't regulators who spotted the proposed change of terms at Facebook, it was one of the 175 million users," said Commissioner Kuneva's spokesperson Helen Kearns. Collecting and analyzing profile data is big business. It is "the new petroleum of the Internet world," said Ms Kearns, quoted in PC World (March 30). "If you are happy trading your data that's fine, but you should at least know how valuable it is." As Google and Microsoft have learned European Commission rules, unlike American rules, tend to set a low bar for compliance. The former pr

VANDALS who attacked Fred Goodwin's mansion could have been helped by Google's new Street View, it was claimed yesterday. Security experts say the attackers may have "cased" the shamed banker's £3million Edinburgh home using the detailed images provided by the controversial new service. It could have helped them plan the attack, in which windows were smashed and a car wrecked, by showing them how to get in and escape unnoticed.

Forrester has a recommendation for CISOs struggling with how to secure corporate data: Stop trying so hard. Despite years of investments in technology and processes, protecting enterprise-wide data remains a maddeningly elusive goal for chief information security officers (CISOs). Software-as-a-service (SaaS), Web 2.0 technologies, and consumerized hardware increase the number of escape routes for sensitive information. Regulations, statutes, and contractual expectations drown CISOs in audit requests and ratchet up the pressure to do something about the problem. Hordes of vendors confuse CISOs with innumerable sales pitches. Instead of beating your head against the wall, devolve responsibility to the business, keeping controls closest to the people who use the data. IT security should be primarily responsible only for deploying data protection technologies that require minimal or no customization.

Overview Privacy is a fundamental human right. It underpins human dignity and other values such as freedom of association and freedom of speech. It has become one of the most important human rights of the modern age.[1] Privacy is recognized around the world in diverse regions and cultures. It is protected in the Universal Declaration of Human Rights, the International Covenant on Civil and Political Rights, and in many other international and regional human rights treaties. Nearly every country in the world includes a right of privacy in its constitution. At a minimum, these provisions include rights of inviolability of the home and secrecy of communications. Most recently written constitutions include specific rights to access and control one's personal information. In many of the countries where privacy is not explicitly recognized in the constitution, the courts have found that right in other provisions. In many countries, international agreements that recognize privacy rights such as the International Covenant on Civil and Political Rights or the European Convention on Human Rights have been adopted into law. Defining Privacy Of all the human rights in the international catalogue, privacy is perhaps the most difficult to define.[2] Definitions of privacy vary widely according to context and environment. In many countries, the concept has been fused with data protection, which interprets privacy in terms of management of personal information. Outside this rather strict context, privacy protection is frequently seen as a way of drawing the line at how far society can intrude into a person's affairs.[3] The lack of a single definition should not imply that the issue lacks importance. As one writer observed, "in one sense, all human rights are aspects of the right to privacy."[4]

LOS ANGELES-Fifteen hospital workers have been fired and another eight disciplined for looking at medical records of octuplet mother Nadya Suleman without permission, hospital officials said Monday. Kaiser Permanente reported the violations of health care privacy laws to the state and has warned employees at its Bellflower facility to keep away from Suleman's records unless they have a medical purpose, said hospital spokesman Jim Anderson. "Despite the notoriety of this case, to us this person is a patient who deserves the privacy that all our patients get," Anderson told The Associated Press. Anderson would not elaborate on how the other eight employees were reprimanded, saying only that the punishments were significant. A similar privacy breach at UCLA hospitals led to celebrities' medical information getting leaked to tabloids in recent years, including details of Farrah Fawcett's cancer treatment showing up in the National Enquirer. Anderson said Kaiser does not believe any of Suleman's information was shared with the media, based on the results of their inquiry. The 33-year-old single mother of 14 gave birth to her octuplets on Jan. 26 at Kaiser's hospital in Bellflower, about 17 miles southeast of Los Angeles. Her attorney Jeff Czech said Suleman does not plan to file a lawsuit, though he suspects Kaiser employees were looking for medical information on Suleman's sperm donor. He said the name is not listed on the Advertisement medical records. "She trusts Kaiser and they said they'd look into it," Czech said. "We feel that they're on top of it and are taking care of it." Anderson could not provide details about when Suleman's medical records were accessed and by what kind of hospital employee. He said Kaiser had warned its employees about patient confidentiality rules before Suleman checked into the hospital in December. "Even though no one knew she was there, they knew she was going to have a lot of babies," Anderson said. "The extra monitoring he

Supercharging the HVA Engineering and Maintenance Risk Assessment in the Healthcare Setting Webinar Registration Hospitals have been under close scrutiny for years to insure they evaluate and mitigate risks and exposures that could impact their ability to deliver healthcare services under all conditions. A staple of this activity is the "Hazard Vulnerability Assessment". A traditional HVA looks at specific threats within four categories (natural, technological, human and hazardous materials). While the HVA is useful for auditors looking to confirm minimum compliance, it does not properly arm the organization to assess how risk, mitigation strategies and limited capital can effectively be deployed for maximum benefit. Come hear from leaders of Deaconess Health Systems Engineering and Maintenance team on how they partnered with Virtual Corporation to execute an effective risk assessment methodology and toolkit across the DHS enterprise. Participants will see examples of innovative risk mapping and reporting methods that yield high information density in simple, understandable format. Presenters: Mark Merrill, Facility Engineer, Deaconess Health System Tom Barnett, Manager, Engineering and Maintenance, Deaconess Health System Scott Ream, President, Virtual Corporation Webinar Registration Hospitals have been under close scrutiny for years to insure they evaluate and mitigate risks and exposures that could impact their ability to deliver healthcare services under all conditions. A staple of this activity is the "Hazard Vulnerability Assessment". A traditional HVA looks at specific threats within four categories (natural, technological, human and hazardous materials). While the HVA is useful for auditors looking to confirm minimum compliance, it does not properly arm the organization to assess how risk, mitigation strategies and limited capital can effectively be deployed for maximum benefit. Come hear from leaders of Deaconess H

Is it a violation of privacy that should be banned or a tool necessary to keep the internet running? Canada's privacy commissioner has opened an online discussion on deep packet inspection, a technology that allows internet service providers and other organizations to intercept and examine packets of information as they are being sent over the internet. "We realized about a year ago that technologies involving network management were increasingly affecting how personal information of Canadians was being handled," said Colin McKay, director of research, education and outreach for the commissioner's office. The office decided to research those technologies, especially after receiving several complaints, and realized it was an opportunity to inform Canadians about the privacy implications. Over the weekend, the privacy commissioner launched a website where the public can discuss a series of essays on the technology written by 14 experts. The experts range from the privacy officer of a deep-packet inspection service vendor to technology law and internet security researchers. The website also offers an overview of the technology, which it describes as having the potential to provide "widespread access to vast amounts of personal information sent over the internet" for uses such as: * Targeted advertising based on users' behaviour. * Scanning for unlawful content such as copyright or obscene materials. * Intercepting data as part of surveillance for national security and crime investigations. * Monitoring traffic to measure network performance.

There are plenty of rumors out in the cyberworld about the future of Twitter, a popular social networking site, and whether the company will be acquired or partner with another company. Some believe one of the suitors is Google Inc. Rumor has it, the two companies are considering collaborating on a Google real time search engine. To make it work, Google could pay cash, stock or a combination of both. Google wouldn't comment on these rumors. Nevertheless, it's an intriguing idea for a company created three years ago that has, to date, not made any money. Analysts think this would be a good marriage, according to MarketWatch. Gartner Inc. analyst Jeff Mann, for one, told the website it's a pretty good idea. "The culture and ambitions of Twitter and Google match." Not only that, there are lots of indications of growth. Twitter's content is now growing by 6 million tweets per day, and that's a win-win situation for Google, for sure.

Beware of web sites offering free money Iain Thomson in San Francisco vnunet.com, 04 Mar 2009 The Federal Trade Commission (FTC) is warning of a rash of online scams offering payouts under the economic stimulus plan passed by Congress. Businesses and individuals are being targeted by the scammers using web sites and emails, the organisation warned. Recipients are typically offered 'grants' from the government, and must either surrender bank details to get the funds or make a small payment. Advertisement"Web sites may advertise that they can help you get money from the stimulus fund. Many use deceptive names or images of president Obama and vice president Biden to suggest that they are legitimate. They are not," said Eileen Harrington, acting director of the FTC's Bureau of Consumer Protection. "Don't fall for it. If you do, you'll get scammed." Several variants have also been discovered that use malware to steal important data. These include pages that purport to offer links to sites that show how to get the federal funds. The pages are loaded with malware that can penetrate an improperly patched browser. "Consumers who may already have fallen for these scams should carefully check their credit card bills for unauthorised charges, and report the scam to the FTC," said Harrington.

The Federal Trade Commission (FTC) is planning to regulate online viral marketing that uses blogs and social networking sites. Marketers are spending billions worldwide to get the endorsements of key bloggers and groups on social networking sites. One tactic, used by Microsoft and others, is to send products to bloggers on 'long-term loans' on the understanding that they will comment about them on their sites. AdvertisementUnder the new regulations being proposed, such bloggers would be legally liable if they make untrue statements about the products or services. The companies too would face sanctions. "This impacts every industry and almost every single brand in our economy, and that trickles down into social media," Anthony DiResta, an attorney representing several advertising associations, told The Financial Times. This is the first revision of the rules on this kind of advertising by the FTC since 1980 and is needed, according to the organisation, because new forms of communication have opened up new fields to marketing. "The guides needed to be updated to address not only the changes in technology, but the consequences of new marketing practices," said Richard Cleland, assistant director for the FTC's division of advertising practices. " Word-of-mouth marketing is not exempt from the laws of truthful advertising." Advertisers are resisting the changes, however, which threaten a highly effective form of marketing new products and services. "Regulating these developing media too soon may have a chilling effect on blogs and other forms of viral marketing, as bloggers and other viral marketers will be discouraged from publishing content for fear of being held liable for any potentially misleading claim," Richard O'Brien, vice president of the American Association of Advertising Agencies, said in an advisory to the FTC.

The Federal Trade Commission (FTC) is getting tough on online viral marketing using blogs and other social networking sites. The proposed rules would make bloggers legally liable if they make untrue statements about products or services. Companies would face sanctions, too, if they use blogs and social networking sites to make untrue claims. "This impacts every industry and almost every single brand in our economy, and that trickles down into social media," Anthony DiResta, an attorney representing several advertising associations, told vnunet.com. The rules have been a long time coming. It's the first revision of the FTC's advertising rules since 1980. New kinds of marketing have sprouted in the last 30 years, but this is the first time the FTC is paying attention to these kinds of advertising practices. Not everyone agrees that this is a good idea. Richard O'Brien, vice-president of the American Association of Advertising Agencies, told the website, "Regulating these developing media too soon may have a chilling effect on blogs and other forms of viral marketing, as bloggers and other viral marketers will be discouraged from publishing content for fear of being held liable for any potentially misleading claim."

Electronic medical recordkeeping may not cut the overall cost of care, but by eliminating redundant procedures and reducing errors, quality may be improved. When physician Andrew Wiesenthal needs to work out a problem, he runs around Lake Merritt, across the street from his Oakland (Calif.) office at Kaiser Permanente. As one of the main drivers behind Kaiser's decades-long, multibillion-dollar effort to overhaul the way patient health records are kept, Wiesenthal has had a lot of laps to run. Doctors and other medical professionals across the country will be working through similar challenges in the coming years. President Barack Obama plans to spend $17.2 billion to induce care providers to maintain patient records electronically, scrapping the current paper-based system. The Obama Administration wants electronic health records for every American by 2014. Obama's predecessor also made a big push for electronic recordkeeping, and many doctors and hospital administrators see upgrading recordkeeping as a good way to improve care. Yet, fewer than 2% of acute care hospitals have a comprehensive electronic health record system in place, with another 8% to 12% using a basic system, according to a study published by The New England Journal of Medicine in March. Adoption isn't much better among physicians. Only 4% have a comprehensive system in place, with another 13% using basic systems, according to a study published in the journal in July. Kaiser Permanente is one of the few exceptions. Today, all of its medical clinics and two-thirds of its hospitals operate in a paperless environment and the rest are scheduled to be completely digitized by next year. Across the system, about 14,000 physicians access electronic medical records for 8.7 million patients in nine states and the District of Columbia.

WASHINGTON -- Few tech policy debates are plumped up with more rhetoric than those concerning Net neutrality and privacy restrictions for advertisers. It should be a noisy year at the Federal Communications Commission. Here at the Cable Show, the annual conference hosted by the National Cable and Telecommunications Association, advisors to the three current commissioners outlined some of the simmering issues that are likely to boil up at the FCC this year, and those two are on the short list. Rick Chessen, acting chief of staff for interim FCC Chairman Michael Copps, said the agency could move toward adding to its Internet policy statement a fifth principle that would explicitly bar ISPs from discriminating against certain traffic on their networks. "The principle would be one of nondiscrimination, but you would recognize the need for reasonable network management," Chessen said. The FCC's broadband principles comprised the policy document that was at the center of last year's action against Comcast, where the agency found that the cable giant had unfairly blocked peer-to-peer traffic on its network without notifying its subscribers it was doing so. The new principle Chessen suggested would seek to clarify the agency's stance against the selective blocking of traffic. Comcast is challenging last year's ruling in a court case where the outcome could broadly shape how Congress proceed with Net neutrality policy. Rosemary Harold, the legal advisor to Republican Commissioner Robert McDowell, said her boss is more cautious than the two Democrats on the matter.

Promoting Privacy And Free Speech Is Good Business This Guide will help you make smart, proactive decisions about privacy and free speech so you can protect your customers' rights while bolstering the bottom line. Failing to take privacy and free speech into proper account can easily lead to negative press, government investigations and fines, costly lawsuits, and loss of customers and business partners. By making privacy and free speech a priority when developing a new product or business plan, your company can save time and money while enhancing its reputation and building customer loyalty and trust.

Online advertising firm Phorm is pressing ahead with plans to launch more than a year after it first drew criticism from some privacy advocates. Phorm executives will meet with members of the public on Tuesday, following a similar meeting in 2008. The service has proved controversial for some campaigners who believe it breaks UK data interception laws. The firm received clearance from the Home Office and police closed a file on BT trials of the technology. "We have been supported or endorsed by all of the leading stakeholders," Phorm chief executive Kent Ertugrul told BBC News. "Ofcom, the Information Commissioner's Office, the Home Office, leading privacy advocates like Simon Davies, the advertising industry and publishers have all backed our service," he said. He added: "We are very, very happy with where we are one year on." Trawling websites Phorm's system works by "trawling" websites visited by users whose ISPs have signed up to the service and for whom the technology is switched on, and then matches keywords from the content of the page to an anonymous profile. Users are then targeted with adverts that are more tailored to their interests on partner websites that have signed up to Phorm's technology.

Now that behavioral targeting has become more pervasive (and more effective), it is being talked about not only by publishers and advertisers, but also by privacy advocates -- organizations like the NAI and IAB and, in Washington, the FTC. At issue is if BT players are doing enough to disclosure to consumers how BT works and offering them the opportunity to opt out of being tracked by BT vendors and publishers. There has been much discussion about how to regulate behavioral marketers; but no solution that satisfies everyone. The BT industry so far has contended that website privacy policies are sufficient disclosure since many of them contain links to opts out opportunities like the NAI site. Google and Bluekai have announced 'preference pages' or registries that allow Web users to say what type of BT they are interested in receiving. But, the other, more common option is to put that information in the Privacy Policy of the site. But the problem with that is that no matter where disclosures are placed on the service provider's site, most people won't ever see them. How will a customer visiting Retail SiteX know that Company Y is going to use their browsing behavior to later display relevant ads to them as they surf the Web on Network Z? The average customer won't. The only way a customer will know what forms of BT advertisers are using is if the advertisers themselves tell them. I think that it's time for advertisers to step up in this privacy debate. Thus far the pressure for disclosure has been placed on networks, behavioral marketing providers and publishers. The key players in those industries have done a good job of becoming more transparent (though there is still work ahead of us), while advertisers haven't been asked to do anything. Advertisers are clearly benefiting from behavioral marketing, and its time they disclosed what type of behavioral marketing they participate in, and allow customers to opt-out. How they do this is open for discussion: Tag each

Some consumers say they like the way Internet retailers will suggest new purchases to them based on what they've bought previously. Others feel creeped out when a banner ad seems to know a bit too much about their Web surfing habits. It's called behavioral advertising, and it's central to the business success of all manner of Internet commerce, from bookstores to newspapers. The practice needs regulation, says Rep. Rick Boucher , the Virginia Democrat who chairs the House Energy and Commerce Subcommittee on Communications, Technology and the Internet. Boucher says legislation to protect consumer privacy online will spur people to surf more. But Internet advertising companies are not happy about regulation, especially because Boucher's plan would require, in some cases, that consumers agree in advance before their surfing habits could be tracked. Such an approach "would really be a sea change in the U.S. regulatory framework," says Mike Zaneis, vice president for public policy at the Interactive Advertising Bureau. Virtually all consumer protection laws, he says, permit people to opt out of solicitation, for instance, with a "do not call" registry. For the Internet, Congress has done almost nothing. "To suddenly move toward a draconian opt-in standard," he says, "would really be damaging not just to businesses but consumers." Zaneis, whose group includes such news heavyweights as the New York Times Co. and Conde Nast Publications, says now is not the time to upend Internet companies' business models, right when the economy is in the tank and print advertising is drying up. He argues further that new Web browsers make the issue moot by giving consumers the ability to easily block the electronic "cookies" that track their online movements. The issue promises to be a lobbying extravaganza. Last year, when the Federal Trade Commission (FTC) was developing self-regulatory guidelines for Web companies engaging in behavioral advertising, it

WASHINGTON -- For more than a year, the nation's largest cable companies have been staking their hopes to thrive in a data-driven, interactive advertising market on Canoe Ventures. Born Project Canoe, the venture aims to cull the vast troves of data that cable companies have about their customers, from subscriber demographics to the clicks of a remote control, to bring Web-like ad targeting to the television platform. Here at the Cable Show, the annual conference hosted by the National Cable and Telecommunications Association, Canoe CEO David Verklin proclaimed that his firm is ready for prime time, with its first product set to roll out in the next six weeks. "We're going to turn television into a platform," Verklin said in a panel discussion with several cable executives. Canoe's forthcoming product, called community addressable messaging, will enable an advertiser running a national TV campaign to customize it with local insertions to reach targeted demographics defined by data supplied from the cable providers. Verklin hailed it as the first application of local insertion technology to a national campaign.

Three out of four Americans believe that individuals are responsible for protecting their own privacy online. That's the bottom line of a new survey conducted by TRUSTe, a company that certifies the compliance of websites with privacy standards and statements. Nonetheless, The New York Times reports that the Federal Trade Commission is trying to put more responsibility on website operators: Last month, the F.T.C. revised its suggestions for behavioral advertising rules for the industry, proposing, among other measures, that sites disclose when they are participating in behavioral advertising and obtain consumers' permission to do so. One F.T.C. commissioner, Jon Leibowitz, warned that if the industry did not respond, intervention would be next. "Put simply, this could be the last clear chance to show that self-regulation can -- and will -- effectively protect consumers' privacy," [FTC commissioner Jon] Leibowitz said, or else "it will certainly invite legislation by Congress and a more regulatory approach by our commission." Behavioral advertising, which records individual users' Web usage by inserting cookies into their browsers and keeping a log of where they go and what they do, is the most high-profile privacy issue today. Google-owned DoubleClick is tracks Web users across many sites, combining them into one profile at DoubleClick's end to be used for ad targeting. Some survey respondents use cookie-deleting browsers and anonymizing software to thwart tracking systems. Privacy advocates, TRUSTe, and the FTC all strongly encourage companies to post meticulous privacy statements for online visitors, and to follow them to the letter. Still, only 15 percent of TRUSTe's survey respondents said they actually read privacy statements.