Is it any wonder that the organizations to whom we are entrusting out personal information do not properly protect it? Here is a blatant example.  The advertisement is for a “Privacy Tsar.”  The job description, and the Company brass, however, think that security is privacy.  This is a job for a privacy specialist, not a security geek.  I fully expect that if Border Stylo successfully snags enough consumer data, we will be seeing horrible privacy gaffes from this Company.

I admit, you can’t have privacy without proper security.  But the real shame is that the frustratingly overwhelming perception among these data-hound organizations is that if they secure data, they protect privacy.

WRONG, just wrong.  Wrong-headed, wrong-minded, wrong philosophy.  Privacy is a whole lot more than security.  If we are going to entrust our personal information to these folks, shouldn’t they at least understand that?

Your thoughts?

Related posts:

1. New Massachusetts Privacy Laws – Computer Security [Updated October 15, 2009 for compliance with new amendments to the regulations]...
2. AICPA and CICA Update Privacy Guidelines in Light of Increase in Security Breaches According to the AICPA press release: Responding to a spike in identity...
3. Senate Judiciary Committee approved Personal Data Privacy and Security Act The Senate Judiciary Committee today approved the Personal Data Privacy and Security...

WASHINGTON – U.S. Department of Health and Human Services Secretary Kathleen Sebelius today announced final rules to help improve Americans’ health, increase safety and reduce health care costs through expanded use of electronic health records (EHR).

“For years, health policy leaders on both sides of the aisle have urged adoption of electronic health records throughout our health care system to improve quality of care and ultimately lower costs,” Secretary Sebelius said.  “Today, with the leadership of the President and the Congress, we are making that goal a reality.”

Under the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, eligible health care professionals and hospitals can qualify for Medicare and Medicaid incentive payments when they adopt certified EHR technology and use it to achieve specified objectives.  One of the two regulations announced today defines the “meaningful use” objectives that providers must meet to qualify for the bonus payments, and the other regulation identifies the technical capabilities required for certified EHR technology.

Announcement of today’s regulations marks the completion of multiple steps laying the groundwork for the incentive payments program.  With “meaningful use” definitions in place, EHR system vendors can ensure that their systems deliver the required capabilities, providers can be assured that the system they acquire will support achievement of “meaningful use” objectives, and a concentrated five-year national initiative to adopt and use electronic records in health care can begin.

“This is a turning point for electronic health records in America, and for improved quality and effectiveness in health care,” said David Blumenthal, M.D., National Coordinator for Health Information Technology.  “In delivering on the goals that Congress called for, we have sought to provide the leadership and coordination that are essential for a large, technology-based enterprise.  At the same time, we have sought and received extensive input from the health care community, and we have drawn on their experience and wisdom to produce objectives that are both ambitious and achievable.”

Two companion final rules were announced today.  One regulation, issued by the Centers for Medicare & Medicaid Services (CMS), defines the minimum requirements that providers must meet through their use of certified EHR technology in order to qualify for the payments.  The other rule, issued by the Office of the National Coordinator for Health Information Technology (ONC), identifies the standards and certification criteria for the certification of EHR technology, so eligible professionals and hospitals may be assured that the systems they adopt are capable of performing the required functions.

As much as $27 billion may be expended in incentive payments over ten years.  Eligible professionals may receive as much as $44,000 under Medicare and $63,750 under Medicaid, and hospitals may receive millions of dollars for implementation and meaningful use of certified EHRs under both Medicare and Medicaid.

The CMS rule announced today makes final a proposed rule issued on Jan, 13, 2010.  The final rule includes modifications that address stakeholder concerns while retaining the intent and structure of the incentive programs.  In particular, while the proposed rule called on eligible professionals to meet 25 requirements (23 for hospitals) in their use of EHRs, the final rules divides the requirements into a “core” group of requirements that must be met, plus an additional “menu” of procedures from which providers may choose.  This “two track” approach ensures that the most basic elements of meaningful EHR use will be met by all providers qualifying for incentive payments, while at the same time allowing latitude in other areas to reflect providers’ needs and their individual path to full EHR use.

“CMS received more than 2,000 comments on our proposed rule,” said Marilyn Tavenner, Principal Deputy Administrator of CMS.  “Many comments were from those who will be most immediately affected by EHR technology – health care providers and patients.  We carefully considered every comment and the final meaningful use rules incorporate changes that are designed to make the requirements achievable while meeting the goals of the HITECH Act.”

Requirements for meaningful use incentive payments will be implemented over a multi-year period, phasing in additional requirements that will raise the bar for performance on IT and quality objectives in later years.  The final CMS rule specifies initial criteria that eligible professionals (EPs) and eligible hospitals, including critical access hospitals (CAHs), must meet.  The rule also includes the formula for the calculation of the incentive payment amounts; a schedule for payment adjustments under Medicare for covered professional services and inpatient hospital services provided by EPs, eligible hospitals and CAHs that fail to demonstrate meaningful use of certified EHR technology by 2015; and other program participation requirements.

Key changes in the final CMS rule include:

• Greater flexibility with respect to eligible professionals and hospitals in meeting and reporting certain objectives for demonstrating meaningful use.  The final rule divides the objectives into a “core” group of required objectives and a “menu set” of procedures from which providers may choose any five to defer in 2011-2012.  This gives providers latitude to pick their own path toward full EHR implementation and meaningful use.
• An objective of providing condition-specific patient education resources for both EPs and eligible hospitals and the objective of recording advance directives for eligible hospitals, in line with recommendations from the Health Information Technology Policy Committee.
• A definition of a hospital-based EP as one who performs substantially all of his or her services in an inpatient hospital setting or emergency room only, which  conforms to the Continuing Extension Act of 2010
• CAHs within the definition of acute care hospital for the purpose of incentive program eligibility under Medicaid.

CMS’ and ONC’s final rules complement two other recently issued HHS rules.  On June 24, 2010, ONC published a final rule establishing a temporary certification program for health information technology. And on July 8, 2010 the Office for Civil Rights announced a proposed rule that would strengthen and expand privacy, security, and enforcement protections under the Health Insurance Portability and Accountability Act of 1996.

As part of this process, HHS is establishing a nationwide network of Regional Extension Centers to assist providers in adopting and using in a meaningful way certified EHR technology.

“Health care is finally making the technology advances that other sectors of our economy began to undertake years ago,” Dr. Blumenthal said.  “These changes will be challenging for clinicians and hospitals, but the time has come to act.  Adoption and meaningful use of EHRs will help providers deliver better and more effective care, and the benefits for patients and providers alike will grow rapidly over time.”

A CMS/ONC fact sheet on the rules is available at http://www.cms.gov/EHRIncentivePrograms/

Technical fact sheets on CMS’s final rule are available at http://www.cms.gov/EHRIncentivePrograms/

A technical fact sheet on ONC’s standards and certification criteria final rule is available athttp://healthit.hhs.gov/standardsandcertification.

via HHS.

Related posts:

1. FRB Issues Final Rules on Regulation Z Important Note: On January 12, 2010, the Federal Reserve Board announced final...
2. Can Electronic Medical Records Be Secured? This is a long but really great article from Information Week regarding...
3. ACLU Sues RI Health Department Over Failure to Adopt Rules Protecting Patient Privacy Claiming that not enough has been done to protect the privacy...

View the original HERE.

Related posts:

1. Privacy is Precious – Privacy Awareness Video ...
2. Three Google execs convicted over Italian bullying video Three Google executives were handed suspended six month prison sentences by a...
3. New Humor Post – Access and excess at privacy’s expense (Video) Poetic eloquence from Shannon Matesky ...

HHS Strengthens Health Information Privacy and Security through New Rules

New health privacy website launched

HHS Secretary Kathleen Sebelius today announced important new rules and resources to strengthen the privacy of health information and to help all Americans understand their rights and the resources available to safeguard their personal health data.  Led by the Office of the National Coordinator for Health Information Technology (ONC) and the HHS Office for Civil Rights (OCR), HHS is working with public and private partners to ensure that, as we expand the use of health information technology to drive improvements in the quality and effectiveness of our nation’s health care system, Americans can trust that their health information is protected and secure.

“To improve the health of individuals and communities, health information must be available to those making critical decisions, including individuals and their caregivers,” said HHS Secretary Kathleen Sebelius. “While health information technology will help America move its health care system forward, the privacy and security of personal health data is at the core of all our work.”

Through the Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, current health information privacy and security rules will now include broader individual rights and stronger protections when third parties handle individually identifiable health information.

The proposed rule announced today would strengthen and expand enforcement of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Enforcement Rules by:

• expanding individuals’ rights to access their information and to restrict certain types of disclosures of protected health information to health plans.
• requiring business associates of HIPAA-covered entities to be under most of the same rules as the covered entities;
• setting new limitations on the use and disclosure of protected health information for marketing and fundraising; and
• prohibiting the sale of protected health information without patient authorization.

“The benefits of health IT can only be fully realized if patients and providers are confident that electronic health information is kept private and secure at all times,” said Georgina Verdugo, OCR director at HHS. “This proposed rule strengthens the privacy and security of health information, and is an integral piece of the administration’s efforts to broaden the use of health information technology in health care today.”

HHS is also looking more closely at entities that are not covered by HIPAA rules to understand better how they handle personal health information and to determine whether additional privacy and security protections are needed for these entities.

“Giving more Americans the ability to access their health information wherever, whenever and in whatever form is a critical first step toward improving our health care system,” said HHS’ national coordinator for health information technology, David Blumenthal, M.D., M.P.P. “Empowering Americans with real-time and secure access to the information they need to live healthier lives is paramount.”

HHS also launched today a privacy website at http://www.hhs.gov/healthprivacy/index.html to help visitors easily access information about existing HHS privacy efforts and the policies supporting them. The site emphasizes HHS’ deep commitment to privacy in the collection, use, and exchange of personally identifiable information. This new resource provides Americans with confidence that their personal information is secure and underscores HHS’ goal of greater openness and transparency in government.

The HITECH Act established the position of Chief Privacy Officer in ONC. Joy Pritts recently assumed the new position and is leading HHS efforts to develop and implement privacy and security programs and polices related to electronic health information.

“HHS strongly believes that an individual’s personal information is to be kept private and confidential and used appropriately by the right people, for the right reasons,” said Pritts.  “Without such assurances, an individual may be hesitant to share relevant health information.”

Related posts:

1. HIPAA covered entities need to get their HITECH houses in order More than 90 percent of health care companies are not ready to...
2. HITECH Breach Notification Interim Final Rule HHS issued regulations requiring health care providers, health plans, and other entities...
3. HITECH Act: Business Associates Unprepared for the Longer Arm of the Law A recent survey by the Healthcare Information and Management Systems Society found...

From the new site:

Health Data Privacy and Security Resources

HHS respects the privacy of your personal information, and this page will help you find privacy resources throughout HHS.

This page provides key messages and access to resources emphasizing HHS’ commitment to privacy as a fundamental consideration in its collection, use, and exchange of personally identifiable information. This central resource helps visitors easily access information about existing HHS privacy efforts and the policies supporting them.

In support of HHS’ vision for Open Government and Transparency, this resource is to provide further confidence in the expectations Americans have for the privacy of their personal information and is to inspire added trust in HHS’ efforts to improve our nation’s health through safe and secure health information exchanges. HHS strongly believes that an individual’s personal information is to be kept private, confidential and used appropriately by the right people, for the right reasons. Without such assurances, an individual may be hesitant to share relevant health information.

More information about HHS’ commitment to health data privacy can be found in the notice of proposed rulemaking (NPRM) issued July 8, 2010; in the Frequently Asked Questions (FAQs); and theOCR/ ONC Joint statement on the NPRM.

Read more HERE.

Related posts:

1. FTC Website Educates Kids about Privacy and Fraud Today, the Federal Trade Commission opened new areas of a “virtual mall”...
2. OR: State launches inquiry into agency data breach The inquiry follows last Sunday’s story in the Statesman Journal, which described...
3. FTC Website down! UPDATE: 8:00 pm – it’s back It’s 5:15 pm est and...

Related posts:

1. Genetics Commission attacks police DNA database The Human Genetics Commission (HGC) has called for more control to be...
2. Growing outrage over Dutch fingerprint database Amsterdam – More than 3,000 people in the Netherlands have signed a...
3. British cops arrest people just to add them to the DNA database Britain’s cops have the largest DNA database in the world, and it’s...

The Massachusetts secretary of state’s office, which is charged with enforcing financial rules for investment companies, accidentally released confidential personal information earlier this year on 139,000 investment advisers registered with the state.

The data, including the advisers’ Social Security numbers, were on a CD-ROM sent to IA Week, an investment industry publication that had requested public information from the Securities Division, which Secretary of State William F. Galvin oversees.

IA Week had asked for a list of registered investment companies. The Securities Division responded by sending a list of individual investment professionals.

In addition to their names and Social Security numbers, this list included their dates and locations of birth, height, weight, hair color, and eye color.

“It’s a pretty big mistake,’’ said Carl Ayers, IA Week’s publisher. “It’s pretty shocking, because it’s such a large number of people.’’

IA returned the database to the Securities Division in June and wrote about the episode last week.

via The Boston Globe.

Related posts:

1. Penn. State Students’ social security numbers compromised A Penn State professor’s grade book from 2001 to 2004 that contained...
2. NC: Kids’ Social Security numbers on school postcards RALEIGH — The Wake County school system accidentally sent out about 5,000...
3. NE: Security breach compromises information on 1,400 students A security breach discovered last month at the University of Nebraska involved...

Claiming that not enough has been done to protect the privacy rights of patients, the Rhode Island ACLU today filed suit against the R.I. Department of Health (DOH), challenging the inadequacy of rules the agency has adopted to implement a centralized database of patient health care records in the state. The Health Information Exchange (HIE), established by legislation approved by the General Assembly in 2008, will allow medical personnel to routinely access a patient’s entire medical file, including mental health records and other sensitive medical information.

Last year, when the DOH proposed regulations to implement the statute, the ACLU objected that the proposed regulations provided virtually no details as to how the system would actually work, and how it would protect the privacy, confidentiality and informed consent interests of patients. The Affiliate has been battling over these issues since the HIE proposal was first floated some years ago.

In written testimony about the DOH’s proposed regulations, the ACLU noted that there are no fewer than seven provisions in the HIE statute that require implementing details about the system to be fleshed out by DOH through a public rule-making process. However, the ACLU argued that those issues were only minimally addressed, if at all, in the regulations. When the ACLU sought an explanation as to why they had not been addressed, the DOH responded that it felt that they could better be handled through internal “policies” that were not subject to the public notice and comment requirement that agency regulations must undergo.

The ACLU’s lawsuit, filed in R.I. Superior Court by volunteer attorney Frederic Marzilli, argues that the Department’s position violates the Administrative Procedures Act (APA), “since all department policies that have general application and which implement, interpret or prescribe law” are subject to the APA’s public vetting process. The suit seeks a court order declaring unenforceable the DOH’s adoption of non-promulgated policies, rather than regulations adopted through a public rule-making process, and requiring DOH to promulgate “regulations that completely fulfill its obligation” under the HIE statute.

Noting the significant privacy issues raised by the HIE, the ACLU called it crucial that regulations setting up the system be as detailed as possible, explaining, for example, the rights patients have to opt out of the system, to correct information contained in it, and to ensure appropriate confidentiality of the data. RI ACLU volunteer attorney Marzilli said today: “In light of the important privacy and confidentiality issues raised by an electronic health records system, the legislature clearly envisioned the adoption of detailed regulations through a transparent process of public input. This lawsuit simply seeks to carry out that intent.”

Via Rhode Island Affiliate, American Civil Liberties Union (ACLU).

Related posts:

1. CT: AG sues Health Net over data breach Following a security breach involving health information, social security numbers and bank...
2. Personal information stolen from Detroit’s health department Police are investigating two incidents in which patients’ medical records — including...
3. NY:Lincoln Medication & Mental Health Center-FedEx loses thousands of patient records Sometime between March 16 and 24, 2010, a weekly shipment of...

TJX announced yesterday that it had settled the lawsuit on Friday. A lawyer for the Louisiana police retirement fund, which filed its lawsuit in Delaware, where Framingham-based TJX is incorporated, did not return calls seeking comment. Bloomberg News reported the case was settled for $595,000 in legal fees and enhanced oversight of customer files.

“TJX and the current and former directors deny all allegations of wrongdoing and liability, and the settlement contains no such admissions,’’ spokeswoman Debra McConnell said in an e-mail. “TJX agreed to the settlement to eliminate the burden and expense of further litigation.’’

Between 2005 and 2007, TJX was hit by a massive Internet security breach, when a Miami-based computer hacker, Albert Gonzalez, stole 45.6 million credit card numbers from the company’s computer network. He was also involved in stealing 130 million credit card numbers from Heartland Payment Systems, a major credit card processing firm, as well as thefts from several other retailers, including BJ’s Wholesale Club in Natick. In March, a federal judge in Boston sentenced Gonzalez to 20 years in prison.

TJX’s McConnell said that the cost of the latest settlement will be covered by a $178 million cash reserve TJX had set aside in 2008 to compensate victims of the breach. The company has already settled lawsuits filed by banks and credit card issuers, as well as class-action suits by individuals.

via The Boston Globe.

Related posts:

1. Heartland, MasterCard Settle Over Data Breach Heartland Payment Systems has made a third settlement deal, this time with...
2. Countrywide settlement over ID theft gets initial OK A federal judge has given preliminary approval to a settlement between Countrywide...
3. Court in Mass. Rejects Request to Consolidate TJX Hacker Cases A federal judge in Massachusetts has rejected a request from U.S. attorneys...

On June 25, 2010, federal district court judge Reggie B. Walton of the United States District Court for the District of Columbia entered a stipulated court order (.pdf) directing the  Federal Trade Commission (FTC) to delay enforcement of the FTC’s Red Flags Rule against doctors and medical practices represented by the American Medical Association (AMA) and American Osteopathic Association.  The FTC and AMA agreed to this delay in a Joint Stipulation (.pdf), filed in the lawsuit initiated by the AMA and other medical associations to exclude doctors and other medical professionals from the application of the Red Flags Rule.

The key issue in the case is whether medical practices should be considered “creditors” under the Red Flags Rule and the Fair and Accurate Credit Reporting Act (FACTA or the FACT Act).  The case follows lawsuits filed beginning in 2009 by the American Bar Association (ABA) and the American Institute of Certified Public Accountants (AICPA) to exclude lawyers and accountants from the scope of the new rules.  In October 2009, Judge Walton ruled that lawyers were not “creditors” subject to the Red Flags Rule.  The FTC has appealed the order and the Unites States Court of Appeals for the District of Columbia Circuit is expected to issue a decision clarifying the scope of the law.

In the recently approved stipulation, the AMA and the FTC have agreed to stay their dispute until the Court of Appeals issues its opinion.  The FTC has also agreed to delay enforcement of the Red Flags Rule for 90 days after the Appeals Court issues its ruling.

via Security, Privacy and The Law.

Related posts:

1. US District Court Explains Ruling that Red Flags Rule Doesn’t Apply to Lawyers On December 1, Judge Reggie Walton of the U.S. District Court for...
2. Court Limits Scope of FTC’s Red Flags Rule Yesterday, the U.S. District Court for the District of Columbia issued the...
3. Lawsuit: Red Flags Rule Violates Doctor/Patient Relationship Medical and osteopathic associations today sued the Federal Trade Commission for covering...