The FTC has entered into a Consent Agreement with PayPal, Inc., settling allegations that PayPal, through its operation of Venmo, violated Section 5 of the FTC Act and the Gramm-Leach-Bliley Act’s (“GLBA”) Privacy and Safeguards Rules. Venmo is a payment and social networking application and website that allows consumers to make peer-to-peer payments and that also shares information about those payments through a social network feed. The agreement will be subject to public comment for 30 days.
New Initiative Examines Ethics of Research Using ‘Pervasive’ Data
Data – big or small – has tremendous potential for use (and misuse). For example, using a mobile app to keep track of one’s own physical activity or caloric intake may empower an individual to improve their health. Should other parties (e.g., the app’s developer, a physician, an employer, an insurance company, online friends) be able to access the same information, and if so, under what conditions? As another example, expressing one’s own feelings and preferences on a social media platform may strengthen bonds within a professional community or a family group, expedite academic collaborations, and/or improve an individual’s sense of belonging. However, may those same messages – freely expressed in a public forum – be re-purposed for a study of mental health trends or for marketing strategies; and if so, when, how, and by whom, and why or why not? Questions like these touch on a host of ethical and legal issues that have only recently begun to be explored in depth, even as new norms of individual behavior, human interaction, and treatment of data are still evolving.
European Commission Issues GDPR Guidance
The European Commission (EC) recently issued online guidance on the General Data Protection Regulation (GDPR), the sweeping European Union (EU) data protection regulation that takes effect on May 25, 2018. The guidance is intended as a tool to help businesses, as well as the EC, national data protection authorities, EU Member States, and other national administrations, prepare for the GDPR. To date, only two EU Member States – Germany and Austria – have adopted the national legislation needed to align their domestic law with the GDPR.
Information Injury Workshop Covers Non-Financial Harms Faced By Consumers
The Federal Trade Commission held its Information Injury Workshop in December in Washington D.C. The goal of the workshop was to explore how to characterize and measure information injuries to consumers.
Information injury is the harm that a victim suffers as a result of a privacy or data security breach. Financial, health, and safety injuries are the most common types of injury alleged in the privacy and data security matters the FTC has seen in the past few years. Yet injury that does not cause financial harm can be challenging to quantify.
FDA Approves Software Application That Alerts Providers of Potential Stroke in Patients
On February 13, 2018, the FDA approved a software application with clinical-decision support capability, in this case alerting providers to a potential stroke in a patient. The system, “Viz.AI Contact,” is developed by a US/Israeli company named Viz.ai and uses artificial intelligence, specifically deep learning, to analyze medical images. In January, the system also received a CE Mark from the European authorities.
Stroke is caused by an interrupted blood supply to the brain, for example due to the rupture of a blood vessel. Stroke is among the leading causes of mortality and long-term disability in the U.S. and other countries. The Viz.AI Contact system analyzes brain computed tomography (CT) scans, identifies a suspected large vessel blockage, and sends a text notification to the health care specialist.
Involuntary Dissolution Does Not Absolve Business Associate of HIPAA Obligations
A receiver appointed to liquidate the assets of Filefax, Inc. has agreed to pay $100,000 to the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) in a no-fault settlement regarding potential violations of the Health Insurance Portability and Accountability Act (HIPAA).
Filefax, an entity involuntarily dissolved by the Illinois Secretary of State in August 2017, previously provided services to HIPAA covered entities, including the storage, maintenance, and delivery of medical records. On February 10, 2015, OCR received an anonymous complaint alleging that on February 6 and 9, 2015, an individual had transported medical records obtained from Filefax to a shredding and recycling facility in order to sell them. OCR investigated the matter and confirmed that an individual had left medical records containing the protected health information (PHI) of approximately 2,150 patients at the shredding and recycling facility. OCR’s investigation indicated that Filefax had either left the PHI in an unlocked truck in its parking lot or granted permission to an unauthorized person to remove the PHI from Filefax, and had left the PHI unsecured outside of the Filefax facility.