Data Privacy Day

January 30, 2023 at 5:10 pm by Amanda Canale

Every year, the National Cybersecurity Alliance (NCA) dedicates the entire week, and 28 January specifically, to raising public awareness of data protection and data security best practices. Even though we are diving deeper and deeper into the Digital Age, there’s still a large population of people who are not tech savvy, or frankly, even tech literate. The annual international campaign is called Data Privacy Day (DPD), and heavily focuses on educating people, both individuals and businesses, on how to comply with privacy laws and regulations. Moving forward, this will help the public know how they can better protect and manage their personally identifiable information (PII).

Millions of people across the globe are unaware of the various ways their PII is being used, collected, and shared, with many not knowing it’s also being sold by third parties. This reality is why the NCA targets anyone with any sort of online presence.

How did Data Privacy Day get its start?

This internationally recognized day was initially established in 2008 in North America as an extension of Data Protection Day in Europe, which has been in effect since 1981. It is the first legally binding international treaty to recognize data privacy concerns.

Last year, the NCA expanded Data Privacy Day into a week-long initiative called Data Privacy Week. The week-long campaign, lasting from 24-28 January, is filled with various steps, goals, and webinars that individuals and organizations alike can take part in as a way of encouraging transparency about how their PII is being used.

You can find a full list of Data Privacy Week events here on the NCA’s website. Below, we break down the major takeaways both individuals and organizations should take from the week-long event.

Data: The Story of You

While you may not think your information is important or valuable, there are plenty of people out there who would do almost anything to obtain it. When it comes to keeping our PII and personal health information (PHI) safe, it is crucial to think of your personal data as the most valuable thing you own. If you were hiding some flashy, expensive, and highly coveted family heirloom, you would do anything to protect it, right? Think of your personal information as that heirloom; it is the most precious thing you have. Critical information such as your IP address, purchase history, and location can offer hackers a wealth of knowledge as to your income, spending habits, card information, and where you live. 

Know what to expect in the privacy/convenience tradeoff

Think about the last time you downloaded an app. What kind of information did you have to grant the app access to in order to use it? Share your geographic location? Grant access to your contacts and photo albums? For example, why does a puzzle app need access to my contacts and location in order for me to play? By allowing access to these very personal and private forms of information, you may be offering up much more than necessary.

When releasing or posting any private or personal information, it is best to make an informed decision: weigh whether the information the app is asking for is really necessary, how the benefits compare against the tradeoff, and, honestly, whether you really need the app at all.

Adjust your privacy settings

If you decide to deem that puzzle app worthy of your phone storage and time, try to take an extra moment or two to review the app’s privacy and security settings, and adjust them to your comfort level as necessary. (I know, who even reads an app’s Terms and Agreements anymore, right? Wrong! You should!) While you’re at it, delete those apps you no longer use. In addition to taking up useless storage on your phone, they could also still be collecting data about you and your habits. 

You can get a head start with NCA’s Manage Your Privacy Settings page to get more information.

Protect your data

While data privacy and data security are not interchangeable, they are in fact a package deal. By adopting practices such as creating long and intricate passwords, utilizing multi-factor authentication when possible, and using a password manager, you can continue to keep your passwords and information secure and up to date.

Organization Level: Respect Privacy

As an organization, your consumers’ and customers’ private data should be your utmost concern. By respecting their data and being transparent, an organization instills trust which will in turn enhance reputations and company growth. 

Conduct an assessment

In a “post-COVID” world, more than 15% of total U.S. job opportunities are now remote. Regardless of whether your organization operates fully remote, in a hybrid model, or is even located outside of the continental United States, it is important to understand the privacy laws and regulations under which your business operates and to ensure they are being followed. Especially when working with remote or hybrid employees, it’s best to reevaluate your security measures, who has access to individuals’ personal information, what that personal information is and whether it is still relevant to keep on file, and to maintain oversight of any outside partners and vendors to ensure they are not misusing your consumers’ information.

Adopt a privacy framework

By adopting a privacy framework that works best for you and your consumers, you can help mitigate potential risk and implement a privacy culture within your organization. The NCA recommends reviewing the following frameworks to start: NIST Privacy Framework, AICPA Privacy Management Framework, and ISO/IEC 27701 – International Standard for Privacy Information Management.

Educate employees

By creating an office culture centered on data privacy and data security, you are educating your employees on not only how to keep their personal information safe but how to better serve your consumers and their information. Engage staff by asking them how they view your current privacy culture, implement mandatory training and webinars, and consistently assess your current standards.

In addition to these methods, transparency about how you collect, use, and share consumer information is crucial. Be up front and honest with your clients, users, or consumers about what they can expect their information to be used for and offer them other settings to protect their information by default.

And lastly, when your information-bearing media reaches end-of-life — whether hard drives, portable IT storage, or even paper — securely destroy it to prevent leaks and data breaches down the road.

Making Sense of HIPAA

December 21, 2010 at 11:30 am by SEM

What is HIPAA?

HIPAA is an acronym for the Health Insurance Portability and Accountability Act, which was enacted in 1996. It requires the Secretary of the U.S. Department of Health and Human Services to develop regulations protecting the privacy and security of certain health information.

The HIPAA law applies to anyone that has visited any health care facility, basically everyone. Before the law was enacted, the fates of our medical records were left in the hands of the health care professionals. Some disposed of them properly but some just threw them into the dumpster. As with our old credit card statements and other mail or personal information, once they are thrown in the dumpster they are community property and anyone can have access to them.

Your Health Information Is Protected By Federal Law

Most of the population believes that medical and health information is private and should be protected, and wants to know who has access to this information. The Privacy Rule, a Federal law, gives you rights over your health information and sets rules and limits on who can look at and receive your health information. The Privacy Rule applies to all forms of individuals’ protected health information, whether electronic, written, or oral. The Security Rule, a Federal law that protects health information in electronic form, requires entities covered by HIPAA to ensure that electronic protected health information is secure.

How Our Information Is Treated and Disposed Of

The HIPAA Privacy Rule requires that covered entities apply appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information (PHI), in any form. This means that covered entities must implement reasonable safeguards to limit incidental, and avoid prohibited, uses and disclosures of PHI, including in connection with the disposal of such information. In addition, the HIPAA Security Rule requires that covered entities implement policies and procedures to address the final disposition of electronic PHI and/or the hardware or electronic media on which it is stored, as well as to implement procedures for removal of electronic PHI from electronic media before the media are made available for re-use. Failing to implement reasonable safeguards to protect PHI in connection with disposal could result in impermissible disclosures of PHI.

Further, covered entities must ensure that their workforce members receive training on and follow the disposal policies and procedures of the covered entity, as necessary and appropriate for each workforce member. Therefore, any workforce member involved in disposing of PHI, or who supervises others who dispose of PHI, must receive training on disposal. This includes any volunteers.

Thus, covered entities are not permitted to simply abandon PHI or dispose of it in dumpsters or other containers that are accessible by the public or other unauthorized persons. However, the Privacy and Security Rules do not require a particular disposal method. Covered entities must review their own circumstances to determine what steps are reasonable to safeguard PHI through disposal, and develop and implement policies and procedures to carry out those steps. In determining what is reasonable, covered entities should assess potential risks to patient privacy, as well as consider such issues as the form, type, and amount of PHI to be disposed. For instance, the disposal of certain types of PHI such as name, social security number, driver’s license number, debit or credit card number, diagnosis, treatment information, or other sensitive information may warrant more care due to the risk that inappropriate access to this information may result in identity theft, employment or other discrimination, or harm to an individual’s reputation.

In general, examples of proper disposal methods may include, but are not limited to:

    • For PHI in paper records, shredding, burning, pulping, or pulverizing the records so that PHI is rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed.
    • Maintaining labeled prescription bottles and other PHI in opaque bags in a secure area and using a disposal vendor as a business associate to pick up and shred or otherwise destroy the PHI.

In addition, for practical information on how to handle sanitization of PHI throughout the information life cycle, readers may consult NIST SP 800-88, Guidelines for Media Sanitization.

NIST Guidelines

Destruction of media is the ultimate form of sanitization. After media is destroyed, it cannot be reused as originally intended. Physical destruction can be accomplished using a variety of methods, including disintegration, incineration, pulverizing, shredding, and melting.

If destruction is decided upon due to the high security categorization of the information or due to environmental factors, any residual medium should be able to withstand a laboratory attack.

Disintegration, incineration, pulverization, and melting: these sanitization methods are designed to completely destroy the media. They are typically carried out at an outsourced metal destruction or incineration facility with the specific capabilities to perform these activities effectively, securely, and safely. End-of-life data destruction machines can also be purchased to destroy the material on site.

Shredding: paper shredders can be used to destroy paper and in some models, flexible media such as diskettes once the media are physically removed from their outer containers. The shred size of the refuse should be small enough that there is reasonable assurance in proportion to the data confidentiality level that the information cannot be reconstructed.

Optical mass storage media, including compact disks (CD, CD-RW, CD-R, CD-ROM), optical disks (DVD), Blu-ray Discs (BDs) and magneto-optic (MO) disks must be destroyed by pulverizing, crosscut shredding or burning. Destruction of media should be conducted only by trained and authorized personnel. Safety, hazmat, and special disposition needs should be identified and addressed prior to conducting any media destruction.

Enforcement and Penalties for Noncompliance

The Department of Health and Human Services, Office for Civil Rights (OCR) is responsible for administering and enforcing the standards and may conduct complaint investigations and compliance reviews.

The OCR will seek the cooperation of covered entities and may provide technical assistance to help them comply voluntarily with the Privacy Rule. Covered entities that fail to comply voluntarily with the standards may be subject to civil money penalties. In addition, certain violations of the Privacy Rule may be subject to criminal prosecution.

Civil Money Penalties

OCR may impose a penalty on a covered entity for a failure to comply with a requirement of the Privacy Rule. Penalties will vary significantly depending on factors such as the date of the violation, whether the covered entity knew or should have known of the failure to comply, or whether the covered entity’s failure to comply was due to willful neglect. Penalties may not exceed a calendar year cap for multiple violations of the same requirement.

Criminal Penalties

A person who knowingly obtains or discloses individually identifiable health information in violation of the Privacy Rule may face a criminal penalty of up to $50,000 and up to one-year imprisonment. The criminal penalties increase to $100,000 and up to five years imprisonment if the wrongful conduct involves false pretenses, and to $250,000 and up to 10 years imprisonment if the wrongful conduct involves the intent to sell, transfer, or use identifiable health information for commercial advantage, personal gain or malicious harm. The Department of Justice is responsible for criminal prosecutions under the Privacy Rule.

Summary

HIPAA covers a broad area of responsibilities. We are all involved in this, as we all have our personal records out of our personal control and as such are subject to having our personal information compromised. To understand HIPAA is to understand the relationship between the importance of our PHI and our health care providers, and to realize that somebody could potentially obtain our information if the proper safeguards are not adhered to. HIPAA sets these guidelines to protect everybody.