Group items matching

in title, tags, annotations or url

Those who are superstitious may believe that bad things happen on Friday the 13th, but we will leave it to each individual and entity to formulate conclusions regarding the Health Information Technology for Economic and Clinical Health Act (the HITECH Act), which Congress passed late on Friday, February 13, 2009, and President Obama officially signed into effect on February 17, 2009. The HITECH Act addresses various aspects relating to the use of health information technology (H.I.T.), including providing for federal funding by way of grants and incentive payments in order to promote H.I.T. implementation. This Alert focuses, however, on Subtitle D of the HITECH Act, which includes important, new and far-reaching provisions concerning the privacy and security of health information that will materially and directly affect more entities, businesses and individuals in more diverse ways than ever before. These changes are further elaborated upon below, but this Alert can only highlight certain prominent issues under the HITECH Act and is by no means a comprehensive review of this lengthy and complex Act. For questions and additional guidance on the HITECH Act, contact your Fox Rothschild attorney or the authors of this Alert. New Privacy and Security Requirements * Security Breach Notification Requirements: Security breach notification requirements under the HITECH Act go into effect 30 days after the date that interim final regulations are promulgated, which will be no later than 180 days after the date of enactment of the HITECH Act (August 16, 2009). Covered entities, business associates and vendors who handle personal health records are required to abide by breach notification requirements. Violations of this requirement by vendors would be treated as an unfair and deceptive act or practice in violation of the Federal Trade Commission Act. If a breach affects more than 500 individuals of a particular state, notice also must be provided to prominent media outl

Customers of CVS' pharmacy will be able to import their prescription records into a Google Health account as a result of an expanded deal between the two companies. The deal was announced Monday. An earlier deal already allowed workers whose company uses CVS Caremark to handle drug benefits to use Google Health to store their drug records. The new deal expands this to customers of CVS' network of retail pharmacies. "We now offer all of our consumers the ability to download their prescription and medication history into their Google Health Personal Health Record, whether they are CVS/pharmacy customers, CVS Caremark plan participants or visitors to our MinuteClinic locations," said CVS Caremark Executive Vice President Helena Foulkes in a statement. "By enabling patients to download their prescription information directly into their personal health record, we are helping to close the gap in today's fragmented health care system and provide a full view of a patient's health." To use the tool, the companies said, consumers need to sign up for the prescription management feature on CVS.com as well as be authenticated. With the latest deal, Google said it now believes more than 100 million Americans will have the option of viewing their drug history within Google Health. Microsoft, which is also trying to sign consumers up for its HealthVault service, announced a deal with New York-Presbyterian Hospital on Sunday which will allow patients of that hospital system to export their records to a HealthVault account.

Is it a violation of privacy that should be banned or a tool necessary to keep the internet running? Canada's privacy commissioner has opened an online discussion on deep packet inspection, a technology that allows internet service providers and other organizations to intercept and examine packets of information as they are being sent over the internet. "We realized about a year ago that technologies involving network management were increasingly affecting how personal information of Canadians was being handled," said Colin McKay, director of research, education and outreach for the commissioner's office. The office decided to research those technologies, especially after receiving several complaints, and realized it was an opportunity to inform Canadians about the privacy implications. Over the weekend, the privacy commissioner launched a website where the public can discuss a series of essays on the technology written by 14 experts. The experts range from the privacy officer of a deep-packet inspection service vendor to technology law and internet security researchers. The website also offers an overview of the technology, which it describes as having the potential to provide "widespread access to vast amounts of personal information sent over the internet" for uses such as: * Targeted advertising based on users' behaviour. * Scanning for unlawful content such as copyright or obscene materials. * Intercepting data as part of surveillance for national security and crime investigations. * Monitoring traffic to measure network performance.

The European Commission has prepared a set of questions and answers as well as a flowchart to help companies understand when they can and when they cannot send personal data abroad. The European Union's Data Protection Directive protects the personal data of EU citizens from abuse and misuse. Organisations have a duty to protect it, and that means ensuring that it is not sent to countries with poor data protection. The Directive says that data can be sent to another country "only if... the third country in question ensures an adequate level of protection". Only a handful of countries have been deemed acceptable destinations for data by the European Commission. Those are Switzerland, Canada, Argentina, the Bailiwick of Guernsey, the Isle of Man, the Bailiwick of Jersey and the US, when the data's treatment is in the Safe Harbor Privacy Principles of the US Department of Commerce The advice has been prepared by the Data Protection Unit of the Directorate-General for Justice, Freedom and Security at the European Commission. It is designed particularly to help small and medium sized companies to understand the law when it comes to transferring personal data outside of the European Economic Area (EEA). The guidance points out that in order for a transfer to be legal, data has to be properly handled in the first place according to the data protection laws of the country where the processing organisation is established. If the transfer is to a country not listed as having adequate data protections in place, a transfer can still take place, the guidance says, but only if "the data controller offers 'adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals and as regards the exercise of the corresponding rights'," says the guidance, quoting the Directive. "These safeguards may result from appropriate contractual clauses, and more particularly from standard contractual clauses issued by the Commission," it sai

It was only a matter of time! Auditor accuracy being examined in lawsuit may signal change in PCI and other compliance processes.

When CardSystems Solutions was hacked in 2004 in one of the largest credit card data breaches at the time, it reached for its security auditor's report. In theory, CardSystems should have been safe. The industry's primary security standard, known then as CISP, was touted as a sure way to protect data. And CardSystems' auditor, Savvis Inc, had just given them a clean bill of health three months before. Yet, despite those assurances, 263,000 card numbers were stolen from CardSystems, and nearly 40 million were compromised. More than four years later, Savvis is being pulled into court in a novel suit that legal experts say could force increased scrutiny on largely self-regulated credit card security practices. They say the case represents an evolution in data breach litigation and raises increasingly important questions about not only the liability of companies that handle card data but also the liability of third parties that audit and certify the trustworthiness of those companies. "We're at a critical juncture where we need to decide . . . whether [network security] auditing is voluntary or will have the force of law behind it," says Andrea Matwyshyn, a law and business ethics professor at the University of Pennsylvania's Wharton School who specializes in information security issues. "For companies to be able to rely on audits . . . there needs to be mechanisms developed to hold auditors accountable for the accuracy of their audits." The case, which appears to be among the first of its kind against a security auditing firm, highlights flaws in the standards that were established by the financial industry to protect consumer bank data. It also exposes the ineffectiveness of an auditing system that was supposed to guarantee that card processors and other businesses complied with the standards. Credit card companies have touted the standards and the auditing process as evidence that financial transactions conducted under their purview are secur

The D.C. agency that handles college financial aid requests said yesterday that it had accidentally e-mailed personal information from 2,400 student applicants to more than 1,000 of those applicants. The Office of the State Superintendent of Education (OSSE) said it has notified all students of the breach, which occurred when an employee of the agency's Higher Education Financial Services Program inadvertently attached an Excel spreadsheet to an e-mail. The information included student names, e-mail and home addresses, phone and Social Security numbers and dates of birth. The disclosure involved the "DC OneApp," an online application that allows D.C. students to apply for a series of grant programs. They include DCTAG, which provides awards of up to $10,000 toward the difference between in-state and out-of-state tuition at public four-year-colleges in the 50 states. The accidental disclosure went to about 1,250 DCTAG applicants, officials said. OSSE never publicly announced the breach, which occurred Wednesday. It did express regret for the incident in an e-mail sent to students and parents the next day. A parent made the e-mail available to The Washington Post over the weekend.

There is pervasive fear of identity theft. Victims spend an extraordinary amount of time and money recovering from it. The government is doing something about it, but businesses may not be pleased to hear that the government's latest action is another unfunded mandate. New rules concerning identity theft prevention at financial companies go into effect on Friday May 1, 2009, but for most organizations, complying with the FTC's Red Flags Rule could be as simple as writing down rules and procedures already in place and having them certified by the Board. The rules are about procedures, not about data security, said Tiffany George, attorney for the division of privacy and identity protection at the FTC. She spoke on Tuesday at the FTC's workshop for businesses held on the campus of Fordham University in New York City. "The Red Flags Rule covers what to do when, despite our best efforts, thieves steal data," she said. As new regulations go, the FTC's Red Flags Rule will be less painful than many other recently enacted rules. For example, while Sarbanes-Oxley is considered a burden to many public companies, requiring several full-time staff, the Red Flags Rule can likely be handled by legal or compliance staff already in place.

The Federal Trade Commission today approved a final consent order settling claims that CVS Caremark violated customers' privacy and the Health Information Portability and Accountability Act (HIPAA) when it failed to dispose of records properly last year. Earlier this year, CVS Caremark agreed to settle FTC charges that it failed to take reasonable and appropriate security measures to protect the sensitive financial and medical information of its customers and employees, in violation of federal law. In a separate but related agreement, the company's pharmacy chain also has agreed to pay $2.25 million to resolve Department of Health and Human Services allegations that it violated HIPAA regulations. "This is a case that will restore appropriate privacy protections to tens of millions of people across the country," said FTC chairman William Kovacic following the settlement. "It also sends a strong message to other organizations that possess consumers' protected personal information. They are required to secure consumers' private information." Under the final consent order, CVS Caremark is required to rebuild its security and confidentiality program, which will be audited every two years for the next 20 years. The HHS settlement requires the company to develop a new training program to instruct employees on how to handle patient data.

The problem with securing data and insuring its safety is that there is simply so much more stored electronically these days that opportunities for outside hackers or insiders to steal valuable, confidential information off a company's computer systems are growing exponentially, according to those in the insurance industry who make it their business to cover this expanding exposure. Indeed, "you can take out more data in a thumb drive now than people could take out in a super-computer 10 years ago," according to Kevin Kalinich, co-national managing director for Professional Risk Solutions at Aon. The risk of a data breach is very real for companies large and small across almost any industry, noted Mr. Kalinich. He cited a report from the University of California, Berkeley, that more data has been aggregated and stored in the last three years than in the entire history of mankind. He also noted that between 75 and 85 percent of Fortune 2000 companies have suffered a "material data breach," meaning there is a growing market for those selling insurance coverage for liability and repair costs, as well as loss control services. Companies that take an "it won't happen to me" approach to securing data need only look at news headlines to see that organizations are often hit by breaches, and as more data is being stored electronically, the potential for, and impact of possible breaches increase. Princeton, N.J.-based credit and debit processing company Heartland Payment Systems reported that it had been compromised in 2008 in a breach that involved up to 100 million records, which would be tops for number of records accessed in a breach. The Heartland incident would displace the 2007 breach of TJX, in which over 45.6 million credit and debit card numbers were stolen. The TJX breach, in turn, took the record set by a breach of CardSystems Solutions in 2005.

The federal government would subsidize up to 65% of COBRA health insurance payments for many individuals who have lost their jobs since Sept. 1, 2008, under an $825 billion stimulus package unveiled by House Democrats. COBRA provisions are supported by health insurance groups, including America''s Health Insurance Plans and the National Business Group on Health. However, AHIP said other parts of the plan tying increased investment in health information technology to stricter scrutiny of how health IT records are handled would make it more difficult for plans to coordinate care and streamline administrative costs. Dubbed the American Recovery and Reinvestment Act, the House bill allocates $39 billion to aid individuals attempting to continue paying health insurance premiums through the 23-year-old Consolidated Omnibus Budget Reconciliation Act program. COBRA allows employees who are terminated or leave their jobs voluntarily to remain in their former employer''s group health plan for up to 18 months, which can be extended to 36 months for those with extenuating life circumstances. However, because COBRA enrollees can be charged up to 102% of the full cost of coverage, many find the plans prohibitively expensive and, according to Hewitt Associates Inc., only about 20% enroll. A recent report by the consumer group Families USA found monthly COBRA premiums for family coverage were $1,069, or 83.6% of the average monthly unemployment insurance benefit of $1,278. In nine states, average COBRA payments exceeded unemployment benefits, the group found. Health groups have been largely supportive of the proposal, with AHIP President Karen Ignagni writing in a letter to House Speaker Nancy Pelosi that the group believes the move would "help ensure continuity of coverage and serve as an important lifeline for many workers who do not qualify for Medicaid, but still need help paying their health insurance premiums."

"The attempted attack on a Detroit-bound flight last week, along with the events preceding and following it, has provided a snapshot of the ongoing struggle to balance civil liberties and national security. President Obama on Tuesday admitted a "systemic failure" on multiple levels in the run-up to the attempted bombing. Suspect Umar Farouk Abdulmutallab was in a terror database of more than a half-million people but was not on a "no-fly" list. The administration has initiated a review of airport security and the watch-list system in the wake of the failed plot. But so far, analysts say what happened is emblematic of the struggle between privacy and security interests. "It's just (an) inability to understand the right way to strike the balance that's at fault," said constitutional attorney David Rivkin. Airlines don't have access to the government's comprehensive terrorist database. They screen travelers based on the smaller, "no-fly" list."

Perhaps this is more a question of trust (not privacy) versus security. Do we really trust our government and its agents to handle private information securely?

As Forrest Gump said, "Stupid is as stupid does." The 2009 Verizon Business data breach investigation report confirmed what the 2008 report revealed -- attackers usually gain a foothold through stupid, basic errors. "In virtually all the cases, we found that lots of the things that were simple and straightforward, had they been deployed, would have stopped the attack," said Peter Tippett, vice president of research and intelligence for Verizon Business Security Solutions. "Simple things like changing the password from the word "password" on the system, those basic errors were somewhere, endlessly; they were everywhere." In fact, the 2009 Verizon Business Data Breach Investigations Report showed that 67% of the 90 confirmed data breaches that Verizon investigated last year revealed that kind of error, usually on a third-party system, often tangential to the heart of the enterprise. But they open the door to the good stuff: thousands or even millions of customer records.

Like this http://www.hdfilmsaati.net Film,dvd,download,free download,product... ppc,adword,adsense,amazon,clickbank,osell,bookmark,dofollow,edu,gov,ads,linkwell,traffic,scor,serp,goggle,bing,yahoo.ads,ads network,ads goggle,bing,quality links,link best,ptr,cpa,bpa. www.killdo.de.gg