Recently, the International Association of Privacy Professionals (IAPP) released a ranking of law schools based on their educational programs in privacy law. Although I applaud the effort to focus more attention on the issue of teaching privacy law in law schools, there are many aspects of the project that I would do differently. In this post, I will discuss the elements of what I believe would constitute a robust privacy law educational program at law schools.
First, a bit of background about IAPP’s rankings. IAPP ranks schools into three tiers. Tier 1 is for schools offering a “certification or formal concentration in privacy law.” Tier 2 is for schools that “offer at least one three-credit course in privacy annually.” Tier 3 is for schools that “have a privacy offering, such as a one-credit seminar” rather than a three-credit offering or that have offered privacy courses but not on a “consistent basis.”
Unfortunately, the data that IAPP has assembled thus far is incomplete and needs quite a number of corrections. For example, many schools listed in Tier 3 have a 3-credit annual offering.
Additionally, I don’t agree with the set of criteria used to rank the schools. Having a certificate doesn’t put a school’s program in the top tier. There are many other factors to consider. Presenting the data in a rankings format is counterproductive because the data needs a lot of correcting plus the criteria are incomplete and not properly weighted. I think a more useful endeavor would be to improve the data, gather data on some other criteria, and just present the data rather than try to rank. IAPP’s project is just a starting point, and I hope that my suggestions here are constructive and will help shape the project.
The complaint, received in August 2018, involved a mother who waited over 9 months to receive prenatal records from Bayfront Health in St. Petersburg. She requested the records of her unborn child in October 2017 and after receiving incomplete records in March 2018, she did not receive the complete records until August 2018 (via her lawyers). It was not until after the OCR’s investigation in February 2019 that she received the complete records directly. HIPAA requires medical records to be provided within 30 days of the request.
The OCR concluded that Bayfront violated 45 C.F.R. § 164.524 by failing to provide access to PHI. Bayfront has paid $85,000 and agreed to a corrective action plan. The corrective actions include written policies and procedures around access rights, increased training and incident reporting among others.
I applaud the OCR bringing this case, but it is quite shocking that this is the first enforcement action with a fine for a violation of the right to access in HIPAA’s history. More than 15 years went by before this single action. A lot more enforcement must start happening.
One of the biggest sore spots in HIPAA compliance has been providing individuals with their right to access their medical records. In addition to the countless anecdotal accounts about the painful process of getting medical records, a recent study demonstrated just how far there is to go for providers to be in compliance. More than half of medical providers included in the recent medRxiv study did not meet the basic requirements in HIPAA for providing medical records. A further 20% of the providers would not provide records until requests were escalated to supervisors. Which means that more than 70% of the subjects studied would not have been in compliance had the supervisors not been involved.
HIPAA provides that “an individual has a right of access to inspect and obtain a copy of protected health information about the individual in a designated record set, for as long as the protected health information is maintained in the designated record set.” 45 CFR §164.524
This cartoon depicts something that happens far too often with HIPAA — HIPAA is used as an excuse not to do something (such as make disclosures or provide access to records in ways that patients request) even though HIPAA doesn’t have such a restriction. This is often done out of a lack of knowledge about HIPAA. Healthcare providers frequently have mistaken notions of HIPAA being far more restrictive than it actually is. For example, last year, I wrote a post about how numerous healthcare providers wrongly use HIPAA as an excuse to refuse to email medical records to patients. Ironically, instead of forbidding it, HIPAA actually requires that medical records be emailed to patients if patients so request.
Facebook’s recent settlement with the Federal Trade Commission (FTC) has reignited debate over whether the agency is up to the task of protecting privacy. Many people, including some skeptics of the FTC’s ability to rein in Silicon Valley, lauded the settlement, or at least parts of it.
Others, however, saw the five-billion-dollar fine, oversight reforms, and compliance certification measures as a drop in the bucket compared to Facebook’s profits. Two dissenting FTC commissioners and other critics pointed out that the FTC did not change Facebook’s fundamental business model nor hold Mark Zuckerberg personally liable, despite hints that the company fell out of compliance with its original 2010 FTC consent order soon after that agreement was inked. Some privacy advocates and lawmakers even argued that the limits of the settlement are evidence that the FTC, the leading privacy regulator in the U.S. since the late 1990s, is no longer the right agency to protect our personal information from Big Tech. They support creating a new, consumer privacy-focused federal agency.
We think the FTC is still the right agency to lead the US privacy regulatory effort. In this essay, we explain the FTC’s structural and cultural strengths for this task, and then turn to reforms that could help the FTC rise to modern information privacy challenges. Fundamentally, the FTC has the structure and the legal powers necessary to enforce reasonable privacy rules. But it does need to evolve to meet the challenge of regulating modern information platforms.
You can read the rest of the essay over at Lawfare.