<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>TeachPrivacy</title>
	<atom:link href="http://www.teachprivacy.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.teachprivacy.com</link>
	<description></description>
	<lastBuildDate>Tue, 21 May 2013 18:02:59 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.1</generator>
		<item>
		<title>The HIPAA-HITECH Regulation, the Cloud, and Beyond</title>
		<link>http://www.teachprivacy.com/the-hipaa-hitech-regulation-the-cloud-and-beyond/</link>
		<comments>http://www.teachprivacy.com/the-hipaa-hitech-regulation-the-cloud-and-beyond/#comments</comments>
		<pubDate>Sat, 26 Jan 2013 05:09:11 +0000</pubDate>
		<dc:creator>Solove</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://www.teachprivacy.com/?p=6147</guid>
		<description><![CDATA[<p>by Daniel J. Solove The new HIPAA-HITECH regulation is here. Officially titled “Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules,” this new regulation modifies HIPAA in accordance with the changes mandated by the HITECH Act of 2009. &#8230; <a href="http://www.teachprivacy.com/the-hipaa-hitech-regulation-the-cloud-and-beyond/">Continue reading <span class="meta-nav">&#8594;</span></a></p><p>The post <a href="http://www.teachprivacy.com/the-hipaa-hitech-regulation-the-cloud-and-beyond/">The HIPAA-HITECH Regulation, the Cloud, and Beyond</a> appeared first on <a href="http://www.teachprivacy.com">TeachPrivacy</a>.</p>]]></description>
			<content:encoded><![CDATA[<p><strong><img class="alignright size-full wp-image-6149" title="HIPAA HITECH Privacy Training" src="http://www.teachprivacy.com/wp-content/uploads/2013/01/HIPAA-HITECH-01.jpg" alt="HIPAA HITECH Privacy Training" width="286" height="206" />by Daniel J. Solove</strong></p>
<p>The new HIPAA-HITECH regulation is here. Officially titled “<a href="https://www.federalregister.gov/articles/2013/01/25/2013-01073/modifications-to-the-hipaa-privacy-security-enforcement-and-breach-notification-rules" target="_blank">Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules</a>,”  this new regulation modifies HIPAA in accordance with the changes  mandated by the HITECH Act of 2009. After years of waiting and many  false alarms that the regulation was going to be released imminently,  prompting joking references to Samuel Beckett’s play <em>Waiting for Godot,</em> HHS unleashed 563 pages upon the world. According to Office for Civil  Rights (OCR) director Leon Rodriguez, the rule “marks the most sweeping  changes to the HIPAA Privacy and Security Rules since they were first  implemented.” I agree with his dramatic characterization of the  regulation, for it makes some very big changes and very important ones  too.</p>
<p>The most important changes involve expanding HIPAA’s scope of coverage to regulate business associates (BAs) and subcontractors of BAs. The regulation applies the HIPAA Security Rule and parts of the Privacy Rule to BAs, which are now directly subject to HIPAA enforcement. Subcontractors of BAs are also deemed to be BAs, and there must be a business associate agreement (BAA) between a BA and a subcontractor. In this post, I will discuss these particular changes and their implications for a wide array of businesses and cloud computing in healthcare.</p>
<p><strong>A Litany of Changes</strong></p>
<p>Before I focus on the issue of scope, I want to point out some other key changes that the regulation makes. The regulation strengthens people’s rights to receive electronic copies of their protected health information (PHI). The Breach Notification Rule is changed to presume that any impermissible access, use, or disclosure of PHI is a breach unless a covered entity or business associate can demonstrate a low probability that the PHI has been compromised. Instead of focusing on harm to the individual, the focus is on the likelihood that PHI has been improperly accessed or exposed. Decedent PHI is protected for 50 years after death; previously, HIPAA protected PHI after death without any time limitation. Patients who pay for treatment out-of-pocket have a right to restrict their insurance companies from accessing the PHI for that treatment. And as directed by the HITECH Act, the regulations provide for much stronger penalties for violations. There are many other changes too – I’m only hitting a few highlights.</p>
<p><strong>HIPAA’s Expanded Scope</strong></p>
<p>In my  view, the most monumental change involves the vastly expanded scope of  HIPAA. The regulation applies the HIPAA Security Rule and parts of the  HIPAA Privacy Rule to business associates (BAs). A BA is any person or  entity that, on behalf of a covered entity, “creates, receives,  maintains, or transmits protected health information for a function or  activity regulated by this subchapter, including claims processing or  administration, data analysis, processing or administration, utilization  review, quality assurance, patient safety activities listed at 42 CFR  3.20, billing, benefit management, practice management, and repricing.”</p>
<p>Previously,  business associates were only indirectly subjected to HIPAA’s  requirements. Covered entities had to have a business associate  agreement (BAA) with a business associate that provided adequate  assurances that PHI would be safeguarded. Now, HHS has direct  enforcement power over business associates.</p>
<p>Additionally,  subcontractors are now considered BAs and are subject to the same direct  HHS enforcement. The regulation includes within the definition of a BA  any “subcontractor that creates, receives, maintains, or transmits  protected health information on behalf of the business associate.”  Commentary to the regulation provides that “[a]pplying HIPAA privacy and  security requirements directly to subcontractors also ensures that the  privacy and security protections of the HIPAA Rules extend beyond  covered entities to those entities that create or receive protected  health information in order for the covered entity to perform its health  care functions.” According to the commentary: “A subcontractor is then a  business associate where that function, activity, or service involves  the creation, receipt, maintenance, or transmission of protected health  information.” The intent, as the regulation commentary explains, is to  ensure that HIPAA protections extend “no matter how far ‘down the chain’  the information flows.” BAs are subject to the same civil and criminal  penalties under HIPAA as covered entities.</p>
<p>What parts of the  Privacy Rule apply to BAs? First, a BA is “directly liable under the  Privacy Rule for uses and disclosures of protected health information  that are not in accord with its business associate agreement or the  Privacy Rule.” Second, a BA must disclose PHI when required by HHS for a  compliance investigation. Third, when an individual requests an  electronic copy of PHI from a covered entity, a BA is required to  disclose PHI to the covered entity or to the individual in order to  satisfy the covered entity’s obligations. Fourth, the minimum necessary  rule applies to BAs.</p>
<p><strong>The Implications for the Cloud</strong></p>
<p>Are  cloud computing service providers BAs? I believe that they would be  covered. The regulation commentary provides that the “data transmission  organizations that the Act requires to be treated as business associates  are those that require access to protected health information on a  routine basis. Conversely, data transmission organizations that do not  require access to protected health information on a routine basis would  not be treated as business associates.” The commentary also elaborates  that “entities that manage the exchange of protected health information  through a network, including providing record locator services and  performing various oversight and governance functions for electronic  health information exchange, have more than ‘random’ access to protected  health information and thus, would fall within the definition of  ‘business associate.’” Mere “conduits” of PHI, such as postal carriers  or courier services <a href="http://www.hhs.gov/ocr/privacy/hipaa/faq/business_associates/245.html" target="_blank">are not BAs</a> because a “conduit transports information but does not access it other  than on a random or infrequent basis as necessary for the performance of  the transportation service or as required by law.”</p>
<p>According to <a href="http://www.hhs.gov/ocr/privacy/hipaa/faq/business_associates/256.html" target="_blank">the FAQ on the HHS website</a>,  “[t]he mere selling or providing of software to a covered entity does  not give rise to a business associate relationship if the vendor does  not have access to the protected health information of the covered  entity. If the vendor does need access to the protected health  information of the covered entity in order to provide its service, the  vendor would be a business associate of the covered entity.” The  guidance includes the following example: “[A] software company that  hosts the software containing patient information on its own server or  accesses patient information when troubleshooting the software function,  is a business associate of a covered entity.”</p>
<p>The one remaining ambiguity concerns encryption: if the PHI is encrypted and the cloud provider cannot read the unencrypted PHI, does the cloud provider “have access” to it for purposes of the BA definition?</p>
<p>Overall,  providers should realize that regardless of whether they provide  services to covered entities or BAs, they will be deemed BAs if they  create, receive, maintain, or transmit PHI for a regulated function or  activity, “including claims processing or administration, data analysis,  processing or administration, utilization review, quality assurance,  patient safety activities listed at 42 CFR 3.20, billing, benefit  management, practice management, and repricing.” In addition to having  to follow key parts of the Privacy Rule and all of the Security Rule,  and being subject to HIPAA enforcement and penalties, BAs are also fair  game for HHS audits.</p>
<p><strong>Beyond the Cloud</strong></p>
<p>Beyond  the Cloud, many other companies will find themselves within HIPAA’s  expansive domain. HHS recognized in its commentary that small BAs might  be particularly burdened with having to comply with HIPAA as they  previously “may not have engaged in the formal administrative safeguards  such as having performed a risk analysis, established a risk management  program, or designated a security official, and may not have written  policies and procedures, conducted employee training, or documented  compliance as the statute and these regulations would now require.”  Nevertheless, in spite of these challenges, all BAs must comply.</p>
<p>We  are in a new regime of HIPAA enforcement, with HHS enforcing HIPAA  quite vigorously, plus state attorneys general can now enforce HIPAA.  The penalties are much higher now too. This new regulation will be a  wake-up call to many companies.</p>
<p>I applaud these changes to HIPAA. They keep PHI within HIPAA’s bubble of protection; far too frequently before, PHI would flow beyond the bubble and be used and handled by companies that lacked adequate protections. The new HIPAA-HITECH regulation goes far to add protections and enforcement to PHI far and wide. There will be growing pains, of course, but this is a key step in the maturation of the HIPAA regime. Some flaws in HIPAA remain, but on balance, HIPAA is one of the most comprehensive and impactful privacy rules, and the regulation has now taken it to a new level. This is a big step forward in the protection of health privacy.</p>
<p>Cross-posted on <a href="http://www.safegov.org/2013/1/22/the-hipaa-hitech-regulation,-the-cloud,-and-beyond" target="_blank">SafeGov</a> and <a href="http://www.linkedin.com/today/post/article/20130123151715-2259773-the-hipaa-hitech-regulation-the-cloud-and-beyond">LinkedIn</a></p>
<p>The post <a href="http://www.teachprivacy.com/the-hipaa-hitech-regulation-the-cloud-and-beyond/">The HIPAA-HITECH Regulation, the Cloud, and Beyond</a> appeared first on <a href="http://www.teachprivacy.com">TeachPrivacy</a>.</p>]]></content:encoded>
			<wfw:commentRss>http://www.teachprivacy.com/the-hipaa-hitech-regulation-the-cloud-and-beyond/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Final HIPAA-HITECH Regulation</title>
		<link>http://www.teachprivacy.com/final-hipaa-hitech-regulation/</link>
		<comments>http://www.teachprivacy.com/final-hipaa-hitech-regulation/#comments</comments>
		<pubDate>Thu, 17 Jan 2013 23:09:34 +0000</pubDate>
		<dc:creator>Solove</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://www.teachprivacy.com/?p=6134</guid>
		<description><![CDATA[<p>posted by Daniel J. Solove The final HIPAA-HITECH regulation is finally out!  Clocking in at 563 pages long, the regulation, which is entitled &#8220;Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules&#8221; will be published in the Federal &#8230; <a href="http://www.teachprivacy.com/final-hipaa-hitech-regulation/">Continue reading <span class="meta-nav">&#8594;</span></a></p><p>The post <a href="http://www.teachprivacy.com/final-hipaa-hitech-regulation/">Final HIPAA-HITECH Regulation</a> appeared first on <a href="http://www.teachprivacy.com">TeachPrivacy</a>.</p>]]></description>
			<content:encoded><![CDATA[<p><strong>posted by Daniel J. Solove</strong></p>
<p>The final HIPAA-HITECH regulation is finally out!  Clocking in at 563 pages long, the regulation, which is entitled &#8220;<a href="https://www.federalregister.gov/articles/2013/01/25/2013-01073/modifications-to-the-hipaa-privacy-security-enforcement-and-breach-notification-rules">Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules</a>&#8221; will be published in the Federal Register on January 25, 2013.  You can download the <a href="https://s3.amazonaws.com/public-inspection.federalregister.gov/2013-01073.pdf">PDF of the pre-publication version here</a>.</p>
<p>The post <a href="http://www.teachprivacy.com/final-hipaa-hitech-regulation/">Final HIPAA-HITECH Regulation</a> appeared first on <a href="http://www.teachprivacy.com">TeachPrivacy</a>.</p>]]></content:encoded>
			<wfw:commentRss>http://www.teachprivacy.com/final-hipaa-hitech-regulation/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>New Video &#8212; The App from Hell</title>
		<link>http://www.teachprivacy.com/new-video-the-app-from-hell/</link>
		<comments>http://www.teachprivacy.com/new-video-the-app-from-hell/#comments</comments>
		<pubDate>Sun, 09 Dec 2012 22:10:59 +0000</pubDate>
		<dc:creator>Solove</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://www.teachprivacy.com/?p=5780</guid>
		<description><![CDATA[<p>I recently created this 2-minute comical cartoon vignette to teach about the importance of privacy and apps.  Far too often, apps are not designed with privacy in mind, and people install apps without considering the privacy implications. &#160; More About Apps &#8230; <a href="http://www.teachprivacy.com/new-video-the-app-from-hell/">Continue reading <span class="meta-nav">&#8594;</span></a></p><p>The post <a href="http://www.teachprivacy.com/new-video-the-app-from-hell/">New Video &#8212; The App from Hell</a> appeared first on <a href="http://www.teachprivacy.com">TeachPrivacy</a>.</p>]]></description>
			<content:encoded><![CDATA[<p>I recently created this <a href="http://www.teachprivacy.com/privacy-security-training-app-from-hell/" target="_blank">2-minute comical cartoon vignette</a> to teach about the importance of privacy and apps.  Far too often, apps  are not designed with privacy in mind, and people install apps without  considering the privacy implications.</p>
<p><a href="http://www.teachprivacy.com/privacy-security-training-app-from-hell/"><img class="alignnone size-full wp-image-5781" title="Video App Title Page 01 play" src="http://www.teachprivacy.com/wp-content/uploads/2012/12/Video-App-Title-Page-01-play.jpg" alt="" width="561" height="315" /></a></p>
<p>&nbsp;</p>
<p><strong>More About Apps and Privacy</strong></p>
<blockquote>
<p>• <a href="http://www.applicationprivacy.org/">FPF &amp; CDT, Best Practices for Mobile App Developers</a></p>
<p>• <a href="http://pewinternet.org/Reports/2012/Mobile-Privacy/Main-Findings/Section-1.aspx">Pew Internet Survey, Privacy and Data Management on Mobile Devices <br /></a></p>
<p>• <a href="http://www.truste.com/free-mobile-privacy-policy/">TRUSTe, Get a Privacy Policy for Your Mobile App </a></p>
<p>• <a href="http://ftc.gov/os/2012/02/120216mobile_apps_kids.pdf">FTC, Mobile Apps for Kids: Current Privacy Disclosures Are Disappointing</a></p>
<p>• <a href="http://bits.blogs.nytimes.com/2012/09/05/consumers-say-no-to-mobile-apps-that-grab-too-much-data/">New York Times Bits Blog, </a><a href="http://bits.blogs.nytimes.com/2012/09/05/consumers-say-no-to-mobile-apps-that-grab-too-much-data/">Consumers Say No to Mobile Apps That Grab Too Much Data</a></p>
<p>• <a href="http://www.washingtonpost.com/blogs/post-tech/post/app-developers-privacy-advocates-work-out-suggestions-for-policy-disclosure/2012/11/30/f79a0a4e-3aec-11e2-8a97-363b0f9a0ab3_blog.html">Washington Post Post Tech Blog, App Developers, Privacy Advocates Work Out Suggestions for Policy Disclosure</a></p>
</blockquote>
<p>The post <a href="http://www.teachprivacy.com/new-video-the-app-from-hell/">New Video &#8212; The App from Hell</a> appeared first on <a href="http://www.teachprivacy.com">TeachPrivacy</a>.</p>]]></content:encoded>
			<wfw:commentRss>http://www.teachprivacy.com/new-video-the-app-from-hell/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Educational Institutions and Cloud Computing: A Roadmap of Responsibilities</title>
		<link>http://www.teachprivacy.com/educational-institutions-and-cloud-computing-a-roadmap-of-responsibilities/</link>
		<comments>http://www.teachprivacy.com/educational-institutions-and-cloud-computing-a-roadmap-of-responsibilities/#comments</comments>
		<pubDate>Sat, 01 Dec 2012 22:11:32 +0000</pubDate>
		<dc:creator>Solove</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://www.teachprivacy.com/?p=5785</guid>
		<description><![CDATA[<p>Increasingly, educational institutions and state entities handling student data are hiring outside companies to perform cloud computing functions related to managing personal information. The benefits of cloud computing are that outside entities might be more sophisticated at managing personal data. &#8230; <a href="http://www.teachprivacy.com/educational-institutions-and-cloud-computing-a-roadmap-of-responsibilities/">Continue reading <span class="meta-nav">&#8594;</span></a></p><p>The post <a href="http://www.teachprivacy.com/educational-institutions-and-cloud-computing-a-roadmap-of-responsibilities/">Educational Institutions and Cloud Computing: A Roadmap of Responsibilities</a> appeared first on <a href="http://www.teachprivacy.com">TeachPrivacy</a>.</p>]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-large wp-image-5786" title="Cloud Computing DJS 01" src="http://www.teachprivacy.com/wp-content/uploads/2012/12/Cloud-Computing-DJS-01-1024x589.jpg" alt="" width="408" height="235" />Increasingly, educational institutions and state entities handling  student data are hiring outside companies to perform cloud computing  functions related to managing personal information.</p>
<p>The benefits  of cloud computing are that outside entities might be more sophisticated  at managing personal data. These entities may be able to manage data  more inexpensively and effectively than the educational institution  could do itself. In many cases, cloud computing providers can provide  better security than the educational institutions can.</p>
<p>The risks  of cloud computing are that educational institutions no longer have as  much control over the personal data. They must rely on the cloud  computing provider to have the appropriate practices and policies to  ensure that data is properly maintained, handled, used, or disclosed.</p>
<p>One  risk is that a cloud computing provider can outsource some functions to  countries that have little to no legal privacy protections. In one  instance, a university medical center outsourced transcription of its  medical records to a company in California, which then subcontracted  with a person in Florida, who subcontracted with a person in Texas, who  ultimately subcontracted with a person in Pakistan. The person in  Pakistan wasn&#8217;t paid by the person in Texas, so she wrote to the medical  center and threatened that she would expose all the records unless the  medical center got involved and made the Texas person pay. This example  illustrates how easy it is to lose control over information when it is  outsourced.</p>
<p>There are benefits and risks to cloud computing, but  the benefits can be enhanced and the risks greatly reduced if  educational institutions take care and vigilance in selecting cloud  computing providers and in monitoring the relationship to ensure that  the provider is adequately protecting the data.</p>
<p>The Family  Educational Rights and Privacy Act (FERPA) unfortunately provides little  guidance about the selection of cloud providers and the management of  these relationships. According to Department of Education, &#8220;nothing in  FERPA prevents an educational institution from contracting with a person  or entity outside the institution to perform services that the  institution would otherwise provide for itself.&#8221; FERPA merely requires  one condition &#8211; that &#8220;the party to whom the information is disclosed  will not disclose the information to any other party without the prior  consent of the parent or eligible student.&#8221;</p>
<p>But there are many other important responsibilities for cloud computing providers that FERPA ignores, such as providing for appropriate security and having an adequate accountability architecture in place. That architecture consists of having officials responsible for the privacy and security of the data (data stewards), doing routine assessments of risks, having a meaningful system of oversight and monitoring to ensure compliance, and having a training program for employees to minimize security lapses and mistakes. I provide such training programs through my company, TeachPrivacy, and I am doing so because I am a strong believer that education can work. Many privacy and security incidents are caused not by technical issues but by the human factor &#8211; the small errors people make out of carelessness or ignorance that can lead to big problems. Educational institutions should insist on cloud computing providers that provide such education &#8211; after all, educational institutions should be ardent believers in education.</p>
<p>Prior to engaging in business with a  cloud computing provider, an educational institution should conduct due  diligence on the provider and make sure that the provider has a good  reputation and good privacy and security practices. The educational  institution should ask the provider for details about how it stores the  data, how it protects the data, and where that data is stored, as the  data might be stored in a country where the government can access data  without adequate restrictions.</p>
<p>When contracting with a cloud computing provider, an educational institution should be sure that the contract has sufficient provisions to ensure that the data is protected. An educational institution should never just outsource the data and forget about it. Even when the data is outsourced to others, the buck always stops with the educational institution, which remains the primary institution with responsibility over that data. A privacy or security incident at a cloud computing provider doesn&#8217;t just tarnish the reputation of that provider; it also can injure the reputation of the institution that trusted the cloud computing provider &#8211; especially if the institution didn&#8217;t do enough to ensure that the provider was taking adequate care of its data.</p>
<p>In essence, giving data to a  cloud computing provider should be viewed as akin to sending children to  daycare. Great care and vigilance is required both in selecting a  provider and in ensuring that the provider meets its obligations and  performs well.</p>
<p>What should contracts with cloud computing providers require? I recommend the following:</p>
<p>1. The cloud computing provider should agree to maintain the confidentiality of the data.</p>
<p>2.  The cloud computing provider should have appropriate technical,  administrative, and physical security safeguards to protect the data.</p>
<p>3.  The cloud computing provider should destroy all personal data that is  no longer needed. If the relationship with the cloud computing provider  is terminated, the provider should not retain any of the personal data  that it had previously processed for the educational institution.</p>
<p>4. The cloud computing provider should abide by the educational institution&#8217;s privacy policies.</p>
<p>5.  The cloud computing provider should have appropriate training of its  employees regarding following the educational institution&#8217;s policies and  safeguarding the security of the data. Policies are meaningless unless  there is training to back them up.</p>
<p>6. If cloud computing providers  desire to subcontract any of their functions to other cloud computing  providers, they should be required to first seek the educational  institution&#8217;s prior approval.</p>
<p>7. The educational institution  should circumscribe the ways in which the cloud provider can use the  data. Data should only be used for the purposes related to providing the  cloud computing service. If the cloud provider engages in uses for  other purposes, these purposes should be clearly defined and limited.  Educational institutions should be careful when authorizing other uses,  as such uses could conflict with FERPA or other federal or state laws.  Any such uses should be incorporated into the privacy policies of the  educational institutions when they gather the data so that people are on  notice about them.</p>
<p>8. The educational institution should ensure that it can impose appropriate sanctions upon the cloud computing provider if the provider fails to live up to its obligations to provide good privacy and security.</p>
<p>Once the contract is underway,  that isn&#8217;t the end of the educational institution&#8217;s responsibilities.  The educational institution should engage in routine assessments about  how cloud computing providers are performing in their duties to provide  privacy and security safeguards.</p>
<p>&nbsp;</p>
<p>Cross-posted at <a href="http://www.huffingtonpost.com/daniel-j-solove/educational-institutions-_b_2156612.html" target="_blank">Huffington Post</a> and <a href="http://www.linkedin.com/today/post/article/20121126062419-2259773-educational-institutions-and-cloud-computing-a-roadmap-of-responsibilities?trk=mp-author-card">LinkedIn</a>.</p>
<p>The post <a href="http://www.teachprivacy.com/educational-institutions-and-cloud-computing-a-roadmap-of-responsibilities/">Educational Institutions and Cloud Computing: A Roadmap of Responsibilities</a> appeared first on <a href="http://www.teachprivacy.com">TeachPrivacy</a>.</p>]]></content:encoded>
			<wfw:commentRss>http://www.teachprivacy.com/educational-institutions-and-cloud-computing-a-roadmap-of-responsibilities/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Employer Social Media Policies: A Brave New World</title>
		<link>http://www.teachprivacy.com/employer-social-media-policies-a-brave-new-world/</link>
		<comments>http://www.teachprivacy.com/employer-social-media-policies-a-brave-new-world/#comments</comments>
		<pubDate>Thu, 18 Oct 2012 04:37:35 +0000</pubDate>
		<dc:creator>Solove</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://www.teachprivacy.com/?p=5669</guid>
		<description><![CDATA[<p>Posted by Daniel J. Solove The frequent use of social media by employees has created a new domain of risk for employers – employees who reveal confidential or sensitive information or who otherwise say things that damage their institution’s reputation &#8230; <a href="http://www.teachprivacy.com/employer-social-media-policies-a-brave-new-world/">Continue reading <span class="meta-nav">&#8594;</span></a></p><p>The post <a href="http://www.teachprivacy.com/employer-social-media-policies-a-brave-new-world/">Employer Social Media Policies: A Brave New World</a> appeared first on <a href="http://www.teachprivacy.com">TeachPrivacy</a>.</p>]]></description>
			<content:encoded><![CDATA[<p><strong>Posted by Daniel J. Solove</strong></p>
<p><img class="alignright size-full wp-image-5670" title="Social Media Policies and Training" src="http://www.teachprivacy.com/wp-content/uploads/2012/11/Gossip-small.jpg" alt="Social Media Policies and Training" width="258" height="258" />The frequent use of social media by employees has created a new  domain of risk for employers – employees who reveal confidential or  sensitive information or who otherwise say things that damage their  institution’s reputation or create strife with their colleagues.</p>
<p>In the healthcare context, for example, there have been a number of widely-publicized incidents in which employees revealed confidential information about patients on their blogs and social network profiles. In one case, according to a <em><a href="http://www.boston.com/lifestyle/health/articles/2011/04/20/for_doctors_social_media_a_tricky_case/" target="_blank">Boston Globe story</a></em>, an emergency room physician posted data online about a patient. The physician thought that it was safe to post as long as she did not include the patient’s name, but others were able to identify the patient. There are numerous recent cases where hospital staff have posted photos and other information about patients online.</p>
<p>Despite the dangers, roughly <a href="http://aishealth.com/archive/hipaa1111-03" target="_blank">two-thirds of hospitals</a> still do not have a social media use policy, and I suspect a very large  percentage lack any training about appropriate social media use by  employees.</p>
<p>Beyond healthcare, <a href="http://technorati.com/social-media/article/social-media-use-at-work-is/" target="_blank">another survey</a> found that of all types of employers, only 23% have a specific social  media policy; 17% have “informal guidelines” and only 10% have social  media training for employees.</p>
<p>I recommend that employers should  have a social media policy.  Such a policy is important to provide clear  guidance to employees about how they can avoid creating severe problems  by their use of social media.</p>
<p>I also believe it is important to train employees about the dangers of inappropriate social media use. Employees might make anonymous comments and think they are untraceable. They don’t realize the severe legal consequences that can follow from disclosing confidential information or from spreading gossip and rumor about others. Good training can go a long way toward reducing the risk of employees making foolish mistakes with social media. A policy will not be effective unless employees know about it and understand the importance of following it and the consequences of not following it.</p>
<p>But before developing a policy or launching a training program, it is very important to be aware of the pitfalls.</p>
<p>When creating a social media policy, one might think that all that is required is to put down on paper some common sense rules. But many rules that seem quite sensible can actually run afoul of the National Labor Relations Act (NLRA). The NLRA, which deals with union activities, provides certain limits on the kinds of policies and discipline employers can impose. The NLRA can apply to both unionized and non-unionized employers. Employers need to be aware of how to avoid trouble with the NLRA.</p>
<p>Under Section 7 of the NLRA, employees (whether unionized or not) have a right to engage in “concerted activity” to complain about workplace conditions and other issues pertaining to the terms and conditions of employment. An employer can violate the NLRA if it has a social media policy that will reasonably chill employees in exercising their Section 7 rights.</p>
<p>In August 2011, the <a href="https://www.nlrb.gov/news/acting-general-counsel-releases-report-social-media-cases" target="_blank">National Labor Relations Board (NLRB)</a> and the <a href="http://www.uschamber.com/reports/survey-social-media-issues-nlrb" target="_blank">U.S. Chamber of Commerce</a> issued reports. In January 2012, the NLRB issued a <a href="http://www.dorsey.com/files/upload/NYC12_Employees_NLRB.pdf" target="_blank">second report</a> and in May 2012 it issued a <a href="http://www.nlrb.gov/news/acting-general-counsel-releases-report-employer-social-media-policies" target="_blank">third report</a>. These reports contained summaries of several cases where employer social media policies were found to be overbroad and in violation of the NLRA. And in September 2012, the <a href="http://mynlrb.nlrb.gov/link/document.aspx/09031d4580c45356" target="_blank">NLRB found that Costco’s social media policy was overbroad</a>.</p>
<p>Although the cases don’t provide very clear rules for employers, they do provide some degree of guidance. The NLRA gives employees some latitude in saying vulgar and damaging things if they pertain to Section 7 activities. One key is that the expression must be part of concerted activity and not just an individual outburst. This means that employees who merely raise workplace gripes to friends or family aren’t covered. Employees must use social media to raise workplace complaints with other employees. Moreover, they must be complaining about the workplace terms and conditions. Merely insulting people or the company, or revealing confidential information, is not covered.</p>
<p>The most important takeaway from the NLRB guidance is that policies must make clear that employees may engage in Section 7 activities. Otherwise, broad language that restricts disparaging comments, defamatory comments, or vulgar comments might be construed by employees to apply to Section 7 activities and be deemed by the NLRB to chill such activities.</p>
<p>The post <a href="http://www.teachprivacy.com/employer-social-media-policies-a-brave-new-world/">Employer Social Media Policies: A Brave New World</a> appeared first on <a href="http://www.teachprivacy.com">TeachPrivacy</a>.</p>]]></content:encoded>
			<wfw:commentRss>http://www.teachprivacy.com/employer-social-media-policies-a-brave-new-world/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Do Young People Care About Privacy?</title>
		<link>http://www.teachprivacy.com/do-young-people-care-about-privacy/</link>
		<comments>http://www.teachprivacy.com/do-young-people-care-about-privacy/#comments</comments>
		<pubDate>Wed, 10 Oct 2012 04:33:31 +0000</pubDate>
		<dc:creator>Solove</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://www.teachprivacy.com/?p=5666</guid>
		<description><![CDATA[<p>Posted by Daniel J. Solove A common argument I hear is that young people just don&#8217;t care about privacy.  If they cared about privacy, why would they share so much personal data on Facebook?  Why would they text so much?  &#8230; <a href="http://www.teachprivacy.com/do-young-people-care-about-privacy/">Continue reading <span class="meta-nav">&#8594;</span></a></p><p>The post <a href="http://www.teachprivacy.com/do-young-people-care-about-privacy/">Do Young People Care About Privacy?</a> appeared first on <a href="http://www.teachprivacy.com">TeachPrivacy</a>.</p>]]></description>
			<content:encoded><![CDATA[<p><strong>Posted by Daniel J. Solove</strong></p>
<p>A common argument I hear is that young people just don&#8217;t care about privacy. If they cared about privacy, why would they share so much personal data on Facebook? Why would they text so much? Why would they be so cavalier about their privacy? Privacy will be dead in a generation, the argument goes.</p>
<p>This argument is wrong for several reasons. Studies show that young people do care about privacy. A few years ago, a <a href="http://ssrn.com/abstract=1589864" target="_blank">study by Chris Hoofnagle and others</a> revealed that young people&#8217;s attitudes about privacy didn&#8217;t differ much from older people&#8217;s attitudes. A more <a href="http://blogs.technet.com/b/microsoft_in_education/archive/2012/09/25/privacy-and-security-rank-as-college-students-1-concern-about-online-activity-according-to-new-poll.aspx" target="_blank">recent study sponsored by Microsoft</a> found that “[p]rivacy and security rank as college students’ #1 concern about online activity.”</p>
<p>But what accounts for the behavior of sharing so much personal data online? First, young people, especially teenagers, might not be thinking through the consequences of their actions. It doesn’t mean they will never care about privacy; they might care about privacy at a point in the future.</p>
<p>Second, new technologies are a major fact of their lives. We live in a world now where it is becoming increasingly hard to forgo using these technologies, especially when they are very useful and beneficial.</p>
<p>Third, the technologies can make it easier for people to share information without the normal factors that can make people fully comprehend the consequences. If people were put in a packed auditorium, would they say the same things they say online? Most likely not. That’s because when people post online, they don’t see hundreds or thousands of faces staring at them. Seeing all those people visually drives home the consequences more than just seeing a computer screen. People also say things online that they’d never say to another person face-to-face.</p>
<p>Fourth, young people have a very nuanced understanding of privacy. They don’t see privacy as simply keeping secrets. They understand privacy as controlling information flow. It is rare these days to be able to hide information from absolutely everyone. There are too many technologies that capture images and information. Instead, people control who sees their information. They set their social media profiles to allow certain people to have access but others not to have access. They allow some companies to have their data but do not want others to access it, or want it used in some ways but not others. Privacy isn’t all-or-nothing – it’s about modulating boundaries and controlling data.</p>
<p>The post <a href="http://www.teachprivacy.com/do-young-people-care-about-privacy/">Do Young People Care About Privacy?</a> appeared first on <a href="http://www.teachprivacy.com">TeachPrivacy</a>.</p>]]></content:encoded>
			<wfw:commentRss>http://www.teachprivacy.com/do-young-people-care-about-privacy/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Data Security and the Human Factor: Training and Its Challenges</title>
		<link>http://www.teachprivacy.com/data-security-and-the-human-factor-training-and-its-challenges/</link>
		<comments>http://www.teachprivacy.com/data-security-and-the-human-factor-training-and-its-challenges/#comments</comments>
		<pubDate>Wed, 03 Oct 2012 03:58:12 +0000</pubDate>
		<dc:creator>Solove</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://www.teachprivacy.com/?p=5650</guid>
		<description><![CDATA[<p>Posted by Daniel J. Solove According to a stat in SC Magazine, 90% of malware requires a human interaction to infect.  One of the biggest data security threats isn’t technical – it’s the human factor.  People click when they shouldn’t &#8230; <a href="http://www.teachprivacy.com/data-security-and-the-human-factor-training-and-its-challenges/">Continue reading <span class="meta-nav">&#8594;</span></a></p><p>The post <a href="http://www.teachprivacy.com/data-security-and-the-human-factor-training-and-its-challenges/">Data Security and the Human Factor: Training and Its Challenges</a> appeared first on <a href="http://www.teachprivacy.com">TeachPrivacy</a>.</p>]]></description>
			<content:encoded><![CDATA[<p><strong>Posted by Daniel J. Solove</strong></p>
<p>According to a stat in <a href="http://www.scmagazine.com/security-awareness-training/slideshow/946/#1" target="_blank">SC Magazine</a>, 90% of malware requires a human interaction to infect. One of the biggest data security threats isn’t technical – it’s the human factor. People click when they shouldn’t click, put data on portable devices when they shouldn’t, email sensitive information, and engage in a host of risky behaviors. A lot of hacking doesn’t involve technical wizardry but is essentially con artistry. I’m a fan of the ex-hacker Kevin Mitnick’s books where he relates some of his clever tricks. He didn’t need to hack in order to get access to a computer system – he could trick people into readily telling him their passwords.</p>
<p><img class="alignright size-full wp-image-5653" title="Hacker iStock_000012339777Small" src="http://www.teachprivacy.com/wp-content/uploads/2012/11/Hacker-iStock_000012339777Small.jpg" alt="" width="323" height="214" />There have been a number of good recent articles on data security and data security training. Robert O’Harrow, Jr.’s recent piece in the Washington Post discusses the human element of data security: “<a href="http://www.washingtonpost.com/investigations/in-cyberattacks-hacking-humans-is-highly-effective-way-to-access-systems/2012/09/26/2da66866-ddab-11e1-8e43-4a3c4375504a_story.html" target="_blank">In Cyberattacks, Hacking Humans is Highly Effective Way to Access Systems</a>.” The article describes the increasing sophistication of phishing. The old misspelled lottery scam emails are now your grandfather’s phishing. Today’s phishing is more personalized – and much more likely to trick people. According to O’Harrow’s article: “The explosive growth of cyberspace has created a fertile environment for hackers. Facing the flood of e-mail, instant messages and other digital communication, many people have a hard time judging whether notes or messages from friends, family or colleagues are real. Many don’t even try.” O’Harrow goes on to note that “Hackers are so confident about such permissiveness that they sometimes begin their attacks in social media three or four steps removed from their actual targets. The hackers count on the malicious code spreading to the proper company or government agency — passed along in photos, documents or Web pages.”</p>
<p>The Washington Post also recently ran a piece called &#8220;<a href="http://www.washingtonpost.com/business/capitalbusiness/companies-seeking-to-train-employees-on-cybersecurity/2012/09/28/2c7275c4-0296-11e2-91e7-2962c74e7738_story.html" target="_blank">Companies Seeking to Train Employees on Cybersecurity</a>.&#8221; In a survey by <a href="http://www.scmagazine.com/security-awareness-training/slideshow/946/#1" target="_blank">SC Magazine</a>, nearly 90% agreed that data security training is important.</p>
<p>Because I provide such data security training with TeachPrivacy, I’m quite excited by all the attention to the issue, as I have long stressed two points:</p>
<p>1. Many data security vulnerabilities are human rather than technical.</p>
<p>2. Training is essential to reduce the human vulnerabilities.</p>
<p>But challenges remain. According to <a href="http://www.scmagazine.com/security-awareness-training/slideshow/946/#1" target="_blank">SC Magazine</a>: &#8220;80% of West Point cadets clicked on a link embedded in a phishing email after four hours of security training.&#8221;</p>
<p>I have long believed that the quantity of hours in training is not the key to driving the message home. Doing so takes telling stories. People respond best to stories. Stories stick in people’s minds. Moreover, stories are more effective than a list of do’s and don’ts because stories also motivate – they explain the consequences of one’s behavior. Training should not just educate, but <em>motivate.</em> I’ve often found that although people know they should be more careful, they often take shortcuts when they don’t fully understand the gravity of the situation. Data security often makes things less convenient and it requires constant vigilance. Unless people really care, they might make choices for convenience or have lapses in vigilance.</p>
<p>The post <a href="http://www.teachprivacy.com/data-security-and-the-human-factor-training-and-its-challenges/">Data Security and the Human Factor: Training and Its Challenges</a> appeared first on <a href="http://www.teachprivacy.com">TeachPrivacy</a>.</p>]]></content:encoded>
			<wfw:commentRss>http://www.teachprivacy.com/data-security-and-the-human-factor-training-and-its-challenges/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>My Commentary at LinkedIn</title>
		<link>http://www.teachprivacy.com/professor-soloves-commentary-at-linkedin/</link>
		<comments>http://www.teachprivacy.com/professor-soloves-commentary-at-linkedin/#comments</comments>
		<pubDate>Mon, 01 Oct 2012 03:39:19 +0000</pubDate>
		<dc:creator>Solove</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://www.teachprivacy.com/?p=5645</guid>
		<description><![CDATA[<p>Posted by Daniel J. Solove Professor Solove has been asked by LinkedIn to be among 150 &#8220;thought leaders&#8221; who provide commentary and blog posts at the site.  You can follow Professor Solove by finding his name among those listed at &#8230; <a href="http://www.teachprivacy.com/professor-soloves-commentary-at-linkedin/">Continue reading <span class="meta-nav">&#8594;</span></a></p><p>The post <a href="http://www.teachprivacy.com/professor-soloves-commentary-at-linkedin/">My Commentary at LinkedIn</a> appeared first on <a href="http://www.teachprivacy.com">TeachPrivacy</a>.</p>]]></description>
			<content:encoded><![CDATA[<p><strong>Posted by Daniel J. Solove </strong></p>
<p><img class="size-large wp-image-5646 aligncenter" title="LinkedIn" src="http://www.teachprivacy.com/wp-content/uploads/2012/11/LinkedIn-1024x289.png" alt="" width="207" height="58" /></p>
<p>Professor Solove has been asked by LinkedIn to be among 150 &#8220;thought leaders&#8221; who provide commentary and blog posts at the site.  You can follow Professor Solove by <a href="http://www.linkedin.com/today/post/whoToFollow">finding his name among those listed at this link</a>.</p>
<p>The post <a href="http://www.teachprivacy.com/professor-soloves-commentary-at-linkedin/">My Commentary at LinkedIn</a> appeared first on <a href="http://www.teachprivacy.com">TeachPrivacy</a>.</p>]]></content:encoded>
			<wfw:commentRss>http://www.teachprivacy.com/professor-soloves-commentary-at-linkedin/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
