The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) recently released several new tools and guidance to ensure that patients and their family members can gain access to information needed to prevent and address opioid abuse and overdose, as well as mental health crises. The materials are focused on the Health Insurance Portability and Accountability Act (HIPAA) and also serve to fulfill certain clarification requirements on HIPAA and research under the 21st Century Cures Act (the “Cures Act”). The Cures Act was passed by Congress in 2016 and requires, in part, that “health care providers, professionals, patients and their families, and others involved in mental [health] or substance use disorder treatment have adequate, accessible, and easily comprehensible resources relating to appropriate uses and disclosures of protected health information (PHI) under . . . [HIPAA].”
Category: Privacy
EU May Soon Decide “Adequate” Status for Japan
The European Union (EU) may soon decide whether Japan will have “adequate” status for transfers of personal data from the EU. Reuters reported on December 15, 2017 that the European Union is aiming to finalize a data transfer agreement with Japan by early 2018.
Set to be implemented in May 2018, the EU’s General Data Protection Regulation (GDPR) will require that EU citizens’ personal data be transferred to only countries with an adequate data protection status, forbidding companies from storing EU citizens’ personal data in foreign countries deemed to have an “inadequate” level of privacy protection.
Under the EU’s privacy framework, the European Commission has the power to determine, based on Article 25(6) of Directive 94/46/EC, whether a foreign country has an “adequate” level of data protection under that country’s domestic laws or international commitments. If a foreign country is deemed adequate, personal data can flow from the 28 EU countries (and three EEA member countries of Norway, Liechtenstein, and Iceland) to the foreign country without further safeguards.
The commission has so far deemed only 12 countries – Andorra, Argentina, Canada, Switzerland, Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, the United States (under the EU-US Privacy Shield), and Uruguay – as providing adequate protection. The EU does not include the United States among its adequate protection countries. But Decision 2016/1250 on the adequacy of protection of the EU-US Privacy shield, commonly known as the EU-US Privacy Shield, was designed as a program whereby participating US companies or companies doing business in the US are deemed to have adequate protection.
An adequacy determination for Japan would be monumental for Japanese companies and companies doing business in Japan, with EU Justice Commissioner Vera Jourova recently stating that”[a]n adequacy decision would be great news for business as it would allow for the transfer of personal data from the EU to Japan without the need for extra authorisations.”
First Annual Joint Review of EU – U.S. Privacy Shield Addresses Six Areas of Concern
In relation to the first annual Joint Review of the EU-U.S. Privacy Shield Framework, the Article 29 Data Protection Working Party (WP29), an independent European advisory body on data protection and privacy, issued its findings on November 28, 2017.
The EU-U.S. Privacy Shield Framework provides a method for companies to transfer personal data to the U.S. from the EU in a way that is consistent with EU Law. As we discussed in a previous blog post, the framework is based on a certification system whereby U.S. companies commit to adhere to a set of Privacy Shield Principles. Other mechanisms for transferring personal data to the U.S. from the EU are through binding corporate rules, model contracts, or use of one of a number of derogations to the EU’s restrictions on cross-border data transfers.
The report reflects the Working Party’s views in relation to the first annual joint review of the Privacy Shield program. It acknowledges both the progress and the efforts to implement Privacy Shield, but it raises a number of concerns and calls on the European Commission and U.S. authorities to restart discussions to address those concerns by May 25, 2018, which is the date the General Data Protection Regulation (GDPR) takes effect.
Protecting Students’ Online Privacy: An FTC & ED Joint Workshop on EdTech
On Friday, December 1, the Federal Trade Commission and the Department of Education hosted a workshop examining student privacy in the burgeoning field of “EdTech.” Both agencies regulate certain educational technology aimed at K-12 students. However, FTC rules implementing the Children’s Online Privacy Protection Act (“COPPA”) are not identical to ED regulations implementing the Family Educational Rights and Privacy Act (“FERPA”). To better understand how both rules interact in practice, the agencies solicited public comment and convened panels of experts and stakeholders – including vendors, schools, parents, and regulators.
The workshop explored several key issues, including when a school may provide consent on behalf of participating students; how record retention (and deletion) should be noticed and executed; and what limits to impose on vendors collecting personal student information. In closing, both agencies expressed a desire to provide clear, workable regulatory oversight while meaningfully protecting student privacy.
Continue reading “Protecting Students’ Online Privacy: An FTC & ED Joint Workshop on EdTech”
Another State-Lead Data Breach Action Results in High Fines and Strict Compliance Requirements
Massachusetts Attorney General Maura Healey and Multi-State Billing Services (MSB), a Medicaid billing company that provided processing services for 13 public schools, signed a no-fault consent judgment settling a 2014 data breach resulting from a stolen laptop that put 2,618 children at risk for identity theft and fraud. The MSB laptop contained unencrypted personal information, including names, social security numbers, Medicaid identification numbers and birth dates.
The settlement requires MSB to pay $100,000 and implement improved security practices after an investigation by the attorney general’s office determined it violated state consumer protection and data security laws. More specifically, the judgment requires MSB to continue to develop, implement and maintain a written and comprehensive information security program and review and update its existing policies and procedures for compliance with data security laws. It must also train its staff on how to protect personal information and regularly report on its compliance with such requirements to the state attorney general’s office.
Smartwatch News: Privacy Edition
As smartwatches gain in popularity, innovative uses for the wearable technology, along with privacy concerns, continue to pop up. In this roundup, we look at a new app that can help in atrial fibrillation studies and privacy concerns regarding smartwatches for children.
New app identifies irregular heartbeats for medical study
Apple recently launched the Apple Heart Study App, described as a “first-of-its-kind research study using Apple Watch’s heart rate sensor to collect data on irregular heart rhythms and notify users who may be experiencing atrial fibrillation.” Atrial fibrillation is a leading cause of stroke and other heart conditions.
Apple Watch users will be able to enroll in a joint study with Stanford University School of Medicine, which will use the device’s heart rate monitor to check for an irregular heart rate. If an irregular heart rhythm is identified, the participant will receive a notification on his Apple Watch and iPhone, a free consultation with a study doctor, and an electrocardiogram patch for additional monitoring. This is the first study that Apple itself is sponsoring. Apple will run the study and submit data to the U.S. Food and Drug Administration for approval as a regulated software.