CIPP US

HITECH impact on healthcare

-Provided incentive payments to hospitals and healthcare providers to adopt health IT. -"Meaningful Use"- criteria required to be met that demonstrated meaningful use of electronic health records (EHR). EHR technology must be used to achieve certain objectives.

Consumer Privacy Bill of Rights

1)Individual control. Consumers have a right to exercise control over what personal data companies collect from them and how they use it 2)Transparency. Consumers have a right to easily understandable and accessible information about privacy and security practices. 3)Respect for context. Consumers have a right to expect that companies will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide the data 4)Security. Consumers have a right to secure and responsible handling of personal data. 5)Access and accuracy. Consumers have a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data is inaccurate. 6)Focused collection. Consumers have a right to reasonable limits on the personal data that companies collect and retain 7)Accountability. Consumers have a right to have personal data handled by companies with appropriate measures in place to assure they adhere to the Consumer Privacy Bill of Rights.

Information Life Cycle Phases

1. Collect/Derive 2. Use/Process 3. Disclose/Transfer 4. Store/Retain/Archive/Delete

8 OECD Principals

1. Collection Limitation 2. Data Quality 3. Purpose Specification 4. Use Limitation 5. Security Safeguards 6. Openness 7. Individual Participation 8. Accountability

Fair Information Practices (FIP)

1. Notice and awareness 2. Choice and Consent 3. Access and Participation 4. Integrity and security 5. Enforcement and redress

The "FTC Report" emphasizes:

1. Privacy by Design; 2. Simplified consumer choice; 3. Transparency.

California SB-1 requires:

1. Written opt-in/out to share info. with nonaffiliated third-parties 2. Opt-in must be presented in an enumerated format in simple English. 3. Opt-out of info. sharing between their FIs and affiliates not in the same line of business. *no consent required to share non-medical info with wholly owned subsidiaries in the same line of business if subject to same functional regulator.

GeoCities, Inc

1st FTC Internet Privacy Action Offered websites to users, promised information would not be sold without consent. Two FTC actions for Unfair and Deceptive Practices - misrepresented how info would be used by reselling to 3rd partied - collected and maintained children's PI without parental consent Consent Order requiring privacy notice and required to obtain parental consent

Microsoft

2002 - Passport single sign-on service. FTC alleged that the representations of high-level online security were misleading because the security of the PI was within the control of a 3rd party and that they shared more PI than disclosed and had inadequate controls for children's info. First time FTC required a company to undergo biannual third-party audits

Eli Lilly

2004 - Pharma Manufacturer's website privacy notice made promises about security and privacy of the information provided by users. An email was sent to all users, revealing all of their identities First time FTC required a company to develop and maintain an information privacy and security program.

Gateway Learning Corp Hooked on Phonics

2004. Their privacy notice stated that it would not sell, rent or loan any personal information with out explicit customer consent. Instead they rented this info out to third parties regardless if they chose to opt-out and retroactively updated their privacy notice. FTC stated that the retroactive application of material changes to the data sharing policy was unfair trade practice. The FTC made them switch to an affirmative opt-in. First FTC case based on unfairness

BJ's Wholesale Club

2005. First time the FTC alleged ONLY unfair and not deceptive trade practices. Failing to implement basic security controls to protect consumer information alone constitutes an enforceable unfair trade practice. Facts: BJ's failed to encrypt personal and financial information and to secure wireless networks to prevent unauthorized access and security lapses.

Google, Inc.

2011. Google Buzz autoenrolled gmail users without consent and exposed PI. FTC alleged that auto-enrollment without prior notice and explicit consent was a deceptive trade practice. First consent decree requiring a "comprehensive privacy program" and first U.S.-EU Safe Harbor enforcement by the FTC.

Consumer Financial Protection Bureau (CFPB)

A U.S. government agency that helps protect consumers by regulating financial products and services. Can enforce against unfair and deceptive acts and abusive acts and practices. Assumes rule-making authority for specific existing laws related to financial privacy and other consumer issues such as the FCRA, GLBA and Fair Debt Collection Practices Act.

Adequate Level of Protection

A label that the EU may apply to third-party countries who have committed to protect data through domestic law making or international commitments. Conferring of the label requires a proposal by the European Commission, an Article 29 Working Group Opinion, an opinion of the article 31 Management Committee, a right of scrutiny by the European Parliament and adoption by the European Commission.

Gramm-Leach-Bliley Act (GLBA)

A law that requires banks and financial institutions to alert customers of their policies and practices in disclosing customer information. Does not preempt stricter state laws No private right to action Enforced by: FTC, CFPB, AGs, Federal Financial Regulators

Madrid Resolution

A resolution that was adopted by the International Conference of Data Protection and Privacy Commissioners, consisting of 80 data protection authorities from 42 countries around the world, including members of the Article 29 Working Party. Principles include: lawfulness and fairness; purpose specification; proportionality; data quality; openness; accountability.

Access

Ability to view personal information held by an organization

3 types of data safeguards

Administrative Safeguards. Physical Safeguards. Technical Safeguards.

APEC (Asia-Pacific Economic Cooperation)

Adopted a self-regulatory code of contact designed to create more consistent

FACTA - Fair & Accurate Credit Transactions Act

Amendment to FCRA. Provides help with identity theft and credit fraud, employee misconduct investigations by third parties.

FACTA - Fair and Accurate Credit Transaction Act

Amends FCRA to help fight identity theft CFPB = authority Mandates limits on information sharing Entitles consumers to annual free credit report Allows one to place fraud alerts, credit freezes requires businesses to truncate credit/debit card numbers on receipts Mandates businesses to secure and properly dispose of sensitive personal information in a consumer's credit report Red Flag Rules requires financial institutions and creditors to implement a written identity theft prevention program

Privacy Notice

An external communication from an organization to consumers, customers or users to describe an organization's privacy practices.

data processor

An individual or organization, often a third-party outsourcing service, that processes data on behalf of the data controller.

Major countries that have been deemed adequate by the EU

Andorra, Argentina, Canada, Iceland, Isreal, Liechtenstein, Switzerland and Uruguay

Example of Processing Personal Data

Anything you do with PI. Use, retrieval, consultation, erasure, destruction, recording, dissemination, organization, linking, storage, updating, collection

What is privacy?

Appropriate use of Personal Information under the circumstances. An individual's right to control the collection, use and disclosure of personal information.

Financial Privacy

CFPB Federal Reserve Office of the Comptroller of the Currency Gramm-Leach-Bliley Act

Which countries take a co-regulatory approach to privacy protection?

Canada, Australia and New Zealand

Four Models of Privacy Protection

Comprehensive Model Co-regulatory Model Sectoral model Self-regulatory Model

Dodd-Frank Wall Street Reform and Consumer Protection Act

Created the Consumer Financial Protection Bureau (CFPB) to oversee the relationship between consumers and providers of financial products and services.

Education Privacy

Dept of Education for the Family Educational Rights and Privacy Act

CALEA (Communications Assistance for Law Enforcement Act) is also known as

Digital Telephony Act

Four Steps for Information Management

Discover Build Communicate Evolve

FTC 5 priorities

Do not track Mobile Data Brokers Large platform providers Enforceable self-regulatory codes

Examples of technical safeguards

Encryption Password authentication smart cards

Workplace Privacy

Equal Employment Opportunity ADA

A website's privacy notice clearly states that it will not encrypt sensitive personal information, and the website operator does not, in fact, encrypt the data.

Example of Unfair Trade Practice because the website operator is not being deceptive but the potential harm caused by not encrypting the sensitive data clearly outweighs the cost of providing encryption, a commonplace and inexpensive security control.

An organization promises to honor opt out requests within 10 days but fails to honor opt out requests within stated timeframe

Example of deceptive trade practice. When companies state they will safeguard personal information but fail to do so. A violation of a promise made in a privacy notice is an example of deceptive trade practice.

21st Century Cures Act 2016

Expedite research, quicken drug approval, reform mental health Certain biomedial research exempt from FOIA Researchers can remotely view PHI info blocking prohibited certificates of confidentiality for research can share mental health/substance abuse info with family

FCRA was amended by

FACTA (Fair Credit Reporting Act)

Protecting Consumer Privacy in an Era of Rapid Change

FTC Report 2012

Telemarketing/Marketing Privacy

Federal Communications Commission and FTC Telephone Consumer Protection Act

Unfairness

For a practice to be considered unfair, the injury must be: 1)Substantial 2)Without offsetting benefits 3)One that consumers cannot reasonably avoid

GPEN

Global Privacy Enforcement Network Aims to promote cross-boarder information sharing as well as investigation and enforcement corporation

FTC primary method of enforcement 2000

Harm-based model addressing substantial injury under the unfairness authority

HITECH name

Health Information Technology for Economic and Clinical Health Act

HIPPA applies to

Healthcare providers that conduct certain electronic transactions health plans (insurers) Healthcare clearinghouses (3rd parties)

2 examples of administrative safeguards

Incident Management Plan Privacy Policy

Self-regulatory Model

Industry associations establish rules or regulations that are adhered to by industry participants. Examples include the Payment Card Industry (PCI DSS) and the privacy seal programs administered by the Online Privacy Alliance.

Privacy Policy

Internal, detailed statement for users of personal information that defines handling practices

FCRA (Fair Credit Reporting Act)

Mandates accurate and relevant data collection, provides consumers with the ability to access and correct their information, and limits the use of consumer reports to defined permissible purposes

What are abusive acts and practices under CFPB?

Materially interferes with the ability of a consumer to understand a term or condition of a consumer financial product or service takes unreasonable advantage of a consumer's lack of understanding of the risks, costs and conditions, inability to protect their own interests or reasonable reliance that the company is acting in the consumer's best interest

Four Options for Transferring Personal Data out of the EU to a county that has not been deemed adequate

Model Contracts Binding Corporate Rules (BCRs) Safe Harbor Program Unambiguous Consent

Is the US deemed adequate by the EU

NO.

Does FCRA preempt State law

No - FCRA does not preempt state from creating stronger laws

In which countries is a person's tax return considered public record?

Norway, Finland and Sweden These countries also include a person's salary as public record

Bank Secrecy Act Record Retention Requirements

Not all records must be maintained, only those with a high degree of usefulness. Must include: Borrower name and address credit amount purpose and date of credit Maintain for 5 years

FTC primary method of enforcement 1990

Notice and Choice Approach. Required privacy notices to be placed on websites.

Medical Privacy Laws

Office for Civil Rights, Dept of health & Human Services (HHS) Health Insurance Portability & Accountability Act (HIPPA)

Difference between opt-in and opt-out

Out-In is express. Must give permission. Out-out is implied. No permission needed, failure to answer means PI will be shared.

Safe Harbor Program

Permits the transfer of personal data out of the EU to the US to companies that agree to participate in the program

CA Security Breach Notification Law SB1386

Personal Information = Name plus one or more: SSN, DL#, ID#, Credit Card #

FTC primary method of enforcement 2009

Requirement of a comprehensive privacy program in consent decrees

Gramm-Leach-Bliley Act Safeguards Rule

Requires FI to maintain security controls to protect the confidentiality and integrity of personal consumer information, including both electronic and paper records. Requires the creation of an information security program to address administrative, technical and physical safeguards

FACTA Disposal Rule 2003

Requires appropriate measures to dispose of sensitive information derived from consumer reports Enforced by: FTC, CFPB and Federal Banking Regulators Violations: Civil liability, federal and state enforcement

FACTA Red Flags Rule

Requires certain FI to develop and implement written identity theft detection programs that can identify and respond to the red flags that signal identity theft.

Correct formula for assessing risk

Risk = Threat X Vulnerability X Loss

2 examples of physical safeguards

Security Guards for a building Cable locks for laptops

In which service model of cloud computing are applications hosted by the cloud provider in the cloud and typically accessed by users through a web browser?

Software as a Service (SaaS)

Under Gramm-Leach-Bliley Act's privacy provisions, FI's are required to

Store personal financial info in a secure manner provide notice of their policies regarding the sharing of PFI provide consumers with choice to opt-out and process same within 30 days

HITECH Act of 2009

Strengthened HIPPA to address privacy impact on electronic health records Breach: must notify individuals within 60 days if more than 500 people, notify HHS immediately if 500 or more in same jurisdiction, notify media Avoid liability for using encryption software

Bank Secrecy Act is AKA

The Currency and Foreign Transaction Reporting Act

EU Data Protection Directive

The EU Directive was adopted in 1995 and became effective in 1998 and protects individuals' privacy and personal data use. The Directive recognizes the European view that privacy is a fundamental human right, and establishes a general comprehensive legal framework that is aimed at protecting individuals and promoting individual choice regarding the processing of personal data.

Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy

The White House Report. 2012

Choice

The ability to specify whether personal information will be collected and/or how it will be used or disclosed. Choice can be express or implied.

Bank Secrecy Act

The act establishing the US Treasury Department as the lead agency for developing regulation in connection with anti-money laundering programs, which require broker/dealers to establish internal compliance procedures to detect abuses. Requires FIs to keep records and files reports on certain financial transactions (transactions over $10K, bank checks, drafts, cashier's checks, money orders over $3K)

Under FCRA employee investigation is not treated as a consumer report so long as

The employer complies with FCRA No credit info is used Notice is given to the employee if adverse action is taken

OECD - Purpose Specification

The purposes for which personal data are collected should be specified not later than at the time of collection and the subsequent use limited to the fulfilment of those purposes as specified o each occasion of change of purpose.

Preemption

The right of a federal law or a regulation to preclude enforcement of a state or local law or regulation.

Users of consumer reports must meet which requirements?

Third party data for decision making must be accurate, current and complete Consumers must receive notice when 3rd party data is used to make adverse decisions May only be used for permissible purposes Consumers must have access to their consumer reports and an opportunity to dispute or correct errors

Sectoral Model

This framework protects personal information by enacting laws that address a particular industry sector. In these countries, enforcement is achieved through various mechanisms, including regulatory bodies such as the FTC. Used by the US and Japan.

The EU Protection Directive States that personal data should not be precessed unless 3 categories of conditions are met:

Transparency legitimate purpose proportionality

Texas Privacy Laws (Texas HIPAA)

Under the Texas law, covered entities (health care providers, health insurers, and health clearinghouses) must provide customized employee training regarding the maintenance and protection of electronic protected health information (PHI). Covered entities are required to tailor the employee training to reflect the nature of the covered entity's operations and each employee's scope of employment as they relate to the maintenance and protection of PHI. New employees must complete the training within 60 days of hire and all employees must complete training at least once every two years. Covered entities must maintain training attendance records for all employees. The Texas law requires covered entities to provide patients with electronic copies of their EHR within fifteen days of the patient's written request for the records. This provision of the Texas law reduces the timeframe a covered entity has to produce EHR following a patient's request from thirty days under HIPAA. The law charges the Texas Health and Human Services Commission with establishing a standard format for releasing patient EHR that is consistent with federal laws. HB 300 also requires the Texas Attorney General (AG) to establish and maintain a website that states and explains patients' privacy rights under Texas and federal law. The website will list the state agencies that regulate covered entities, and provide the agencies' contact information and each agency's complaint enforcement process. Under the new law, the AG must issue an annual report regarding the number and types of complaints pertaining to patient privacy issues.

FTC Section 5

Unfair and Deceptive Acts or Practices in or affecting commerce are unlawful

Co-regulatory Model

Used in Canada, Australia and New Zealand, this model emphasizes industry development of enforceable codes or standards for privacy and data protection, against the backdrop of legal requirements by the government.

Comprehensive Model

Used in the EU, this method of data protection to govern the collection, use and dissemination of personal information in the public and private sectors, generally with an official or agency responsible for overseeing enforcement.

Deceptive trade practice under FTC Section 5.

When companies state they will safeguard personal information but fail to do so. A violation of a promise made in a privacy notice is an example of deceptive trade practice.

Does FACTA preempt state laws

Yes but states retain some powers to enact laws addressing identity theft

A consumer report is

any communication by a CRA related to an individual that pertains to a person's: Creditworthiness Credit standing credit capacity character general reputation personal characteristics mode of living and that is used in whole or in part for the purpose of serving as a factor in establishing a consumer's eligibility for credit, insurance, employment or other business purpose

FCRA regulates

any consumer reporting agency that furnishes a consumer report.

When should choice and consent solicitations be made?

at the point of collection or as soon as practical afterwards

GINA (Genetic Information Nondiscrimination Act)

became law on May 21, 2008; its basic purpose is to protect people from discrimination by health insurers and employers based on genetic information. Amended: ERISA, SSA, Civil Rights Act No private right to action

FCRA violations include

civil/criminal penalties statutory damages of $1,000 per violation and $3,756 for willful violations

FCRA is enforced by

dispute resolution, private right to action, and government actions (FTC, CFPB, State AGs)

EPHI

electronic protected health information

PHI

protected health information, individually identifiable health information transmitted or maintained in any form, held by a covered entity or its associate which identifies the individual or provides reasonable basis for identification.

Under FCRA, CRA's are required to

provide consumers with access to info in report and chance to dispute/correct errors ensure maximum possible accuracy of report not report negative info that is outdates (7 yrs old) provide reports only to entities that have permissible purpose maintain records regarding entities that received reports provide consumer assistance as required by FTC

Data Controller

someone who determines why and how personal data is processed

CRA notice provided to users must include

users must have a permissible purpose Users must provide certifications of permissible purpose user must notify consumers when adverse actions are taken and must include specific information about the CRA, the adverse action, statement of the users rights