In 2012, the media erupted with news about employers demanding that employees hand over their social media passwords so that the employers could access the employees' accounts. This news took many people by surprise, and it set off a firestorm of public outrage. It even sparked a significant legislative response in the states.
I thought that the practice of demanding passwords was so outrageous that it couldn’t be very common. What kind of company or organization would actually do this? I thought it was a fringe practice done by a few small companies without much awareness of privacy law.
The new HIPAA-HITECH regulation is here. Officially titled “Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules,” this new regulation modifies HIPAA in accordance with the changes mandated by the HITECH Act of 2009. After years of waiting and many false alarms that the regulation was going to be released imminently, prompting joking references to Samuel Beckett’s play Waiting for Godot, HHS unleashed 563 pages upon the world. According to Office for Civil Rights (OCR) director Leon Rodriguez, the rule “marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented.” I agree with his dramatic characterization of the regulation, for it makes some very big changes and very important ones too.
Increasingly, educational institutions and state entities handling student data are hiring outside companies to perform cloud computing functions related to managing personal information.
The benefits of cloud computing are that outside entities might be more sophisticated at managing personal data. These entities may be able to manage data more inexpensively and effectively than the educational institution could do itself. In many cases, cloud computing providers can provide better security than the educational institutions can.