Wednesday, February 23, 2011

The fine seems to be more for “failure to kowtow” than for HIPAA violations.

http://www.phiprivacy.net/?p=6005

HHS Imposes a $4.3 Million Civil Money Penalty for Violations of the HIPAA Privacy Rule

By Dissent, February 22, 2011

The U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) has issued a Notice of Final Determination finding that Cignet Health of Prince George’s County, Md., (Cignet) violated the Privacy Rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). HHS has imposed a civil money penalty (CMP) of $4.3 million for the violations, representing the first CMP issued by the Department for a covered entity’s violations of the HIPAA Privacy Rule.

[...]

In a Notice of Proposed Determination issued Oct. 20, 2010, OCR found that Cignet violated 41 patients’ rights by denying them access to their medical records when requested between September 2008 and October 2009. These patients individually filed complaints with OCR, initiating investigations of each complaint. The HIPAA Privacy Rule requires that a covered entity provide a patient with a copy of their medical records within 30 (and no later than 60) days of the patient’s request. The CMP for these violations is $1.3 million.

During the investigations, Cignet refused to respond to OCR’s demands to produce the records. Additionally, Cignet failed to cooperate with OCR’s investigations of the complaints and produce the records in response to OCR’s subpoena. OCR filed a petition to enforce its subpoena in United States District Court and obtained a default judgment against Cignet on March 30, 2010. On April 7, 2010, Cignet produced the medical records to OCR, but otherwise made no efforts to resolve the complaints through informal means.

Read more in the Sun Herald. So far, I don’t see a copy of the press release or documentation on HHS’s web site, but I’ll keep checking.

[From the Sun Herald:

OCR also found that Cignet failed to cooperate with OCR’s investigations on a continuing daily basis from March 17, 2009, to April 7, 2010, and that the failure to cooperate was due to Cignet’s willful neglect to comply with the Privacy Rule. Covered entities are required under law to cooperate with the Department’s investigations. The CMP for these violations is $3 million.

… A copy of the Notice of Proposed Determination and Notice of Final Determination can be found at http://www.hhs.gov/ocr/privacy. Additional information about OCR’s enforcement activities can be found at http://www.hhs.gov/ocr.



Future of Privacy & Surveillance?

http://www.pogowasright.org/?p=21043

Deconstructing the CALEA hearing

February 22, 2011 by Dissent

Chris Soghoian writes:

Last Thursday, the House Judiciary Committee held a hearing focused on law enforcement surveillance of modern Internet services.

Although both the New York Times and CNET have stories on the hearing, I don’t think either publication covered the important details (nor did they take the time to extract and post video clips).

The FBI is no longer calling for encryption backdoors

Read more on slight paranoia, where Chris includes excerpts from the hearing as well as his thoughts on what he thinks the FBI will be pushing for. I think Chris is dead-on in his predictions of what the FBI wants, and as he suggests, some of the “asks” will likely not get a lot of media attention – unless the privacy community gets our act together to make a lot of noise. Certainly any attempt by the government to require cloud services to provide capability for real-time interception of communications (think of the government having the ability to monitor your chats in real-time) is an issue that the public can appreciate in terms of its potential for abuse – that is, if the public doesn’t stick its collective head in the sand while it mutters, “Well, if you’ve got nothing to hide…”

One thought – based on only one cup of coffee, and hence, somewhat muddled – is whether putting a hole in the security of cloud services to enable such monitoring would somehow violate any non-U.S. laws on data protection and security or make non-U.S. entities more leery of using American cloud providers. If so, could any such “ask” or requirement put American cloud service providers at an economic disadvantage?

[From Slight Paranoia:

While Skype uses some form of proprietary end-to-end encryption (although it should be noted that the security experts I've spoken to don't trust it), and RIM uses encryption for its Enterprise Blackberry messaging suite, the vast majority of services that consumers use today are not encrypted. Those few services that do use encryption, such as Google's Gmail, only use it to protect the data in transit from the user's browser to Google's servers. Once Google receives it, the data is stored in the clear.

There is one simple reason for this, which I described in a law journal article last year:

It is exceedingly difficult to monetize a data set that you cannot look at.


(Related) Like your data, they “need” to track your browsing...

http://www.pogowasright.org/?p=21053

FTC Internet Privacy Proposal Slammed By Ad Industry

February 22, 2011 by Dissent

Mathew J. Schwartz reports:

Will the future see a “Do Not Track” setting in browsers that prevents data brokers and Web sites from tracking a consumer’s every click?

[...]

Industry groups, however, have slammed the FTC’s proposal, suggesting it would wreck the ability of Web sites to provide personalized content. “The Internet is comprised of millions of interconnected Web sites, networks and computers — a literal ecosystem, all built upon the flow of different types of data,” according to a statement released by the Interactive Advertising Bureau (IAB). “To create a Do Not Track program would require reengineering the Internet’s architecture.” [Bull! Bob] Instead, it suggested a new self-regulated program for online behavioral advertising.

But consumer rights groups have been arguing differently. The Center for Digital Democracy and U.S. Public Interest Research Group (PIRG) on Friday released a statement recommending that the FTC require that all surveillance technologies in use be disclosed. It also wants people to be allowed to view and correct the data collected about them, in addition to a Do Not Track feature.

Read more on InformationWeek.


(Related) How much of our lives are “Public?”

http://www.pogowasright.org/?p=21057

Is Privacy in Public a Contradiction in Terms?

February 22, 2011 by Dissent

Another thought-provoking commentary by Robert Gellman:

Is there such a thing as privacy in a public space? When you walk down the street, anyone can observe you, make notes about your location, appearance, and companions, and even take your picture. If so, then it would seem that you have no reasonable expectation of privacy.

However, most people would be unhappy if they found themselves followed all day. For most of human existence, this type of surveillance was impractical because of the great expense of following someone around.

Read his article on GeoDataPolicy


(Related)

http://news.cnet.com/8301-13577_3-20034879-36.html

Amid unrest, a hard new look at online anonymity

Some people have undoubtedly forgotten that in the years before Facebook's fast ascent, social media was dominated by anonymity: handles worthy of CB radio, vintage AOL screen names trailed by strings of numbers, LiveJournal IDs bookended with the x's and o's of emo-kid culture. And there was a sense that in this odd and very public new medium, it wasn't safe to use your real, full name.

Thanks to Facebook, and founder Mark Zuckerberg's personal philosophy, that's changed. What Facebook did, with a policy that requires proper names and the initial restriction of access based on proven university or company affiliation, was bring the idea of "real identity" to the mainstream Internet. In general, that's been considered a good thing; [By whom? Bob] but in the wake of widespread antigovernment protests across a number of Middle East and North African countries, the Facebook philosophy is facing a sharp challenge as critics suggest that a real-names-only policy could see pro-democracy activists targeted individually by autocratic governments.

A "digital freedom" nonprofit called Access Now is leading the charge, launching an online petition this week called "Unfriend the Dictators" to encourage Facebook to rethink its policy. An explanation on Access Now's site reads: "Facebook should be congratulated and condemned in one go: They've built a revolutionary platform that's catalyzed the political change sweeping the Middle East and beyond, but Facebook has also become a treasure trove of information for dictators, allowing them to identify and track down those who oppose them."


(Related) Apparently this was temporary, but who authorized it and what were they thinking?

http://yro.slashdot.org/story/11/02/23/1327221/WI-Capitol-Blocks-Pro-Union-Web-Site?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

WI Capitol Blocks Pro-Union Web Site

"State government workers are unable to connect to a pro-union web site, defendwisconsin.org, from the wifi at the state capitol."

Someone probably should let Hillary Clinton know.



Dilbert explains why you should read the fine print... on Privacy Policies, for example.

http://dilbert.com/strips/comic/2011-02-23/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+dilbert%2Fdaily_strip+%28Dilbert+Daily+Strip+-+UU%29



I think the 'free journal' idea is inevitable, and here are some indications of how they are used...

http://www.bespacific.com/mt/archives/026582.html

February 22, 2011

E-journals: their use, value and impact

E-journals: their use, value and impact [final report], 19 January 2011: "This report is the second arising from a two-year project funded by the Research Information Network to describe and assess patterns of the use, value and impact of e-journals by researchers in universities and research institutes in the UK. Publishers began to provide online access to articles in scholarly journals just over a decade ago. Numerous studies have shown how much researchers have welcomed enhanced and easy access to unprecedented numbers of journals. But until recently there has been little detailed evidence about how researchers have changed their behaviours in response to this revolution in access, about how they make use of online journals, or about the benefits that flow from that use. This two-year-long study begins to fill that gap."

[From the report:

Users in the most research-intensive universities behave differently from those in less research-intensive ones:

they view and download more articles per capita

they spend much less time on each visit

they do not use many of the online facilities provided on the publishers’ platform

they are much more likely to enter via gateway sites

