PRIVACY + SECURITY BLOG

News, Developments, and Insights


The Failure of HIPAA’s Right of Access


One of the biggest sore spots in HIPAA compliance has been honoring individuals' right to access their medical records. In addition to the countless anecdotal accounts of how painful it is to get medical records, a recent study demonstrates just how far providers remain from compliance. More than half of the medical providers included in the recent medRxiv study did not meet HIPAA's basic requirements for providing medical records. A further 20% of the providers would not provide records until the requests were escalated to supervisors. That means more than 70% of the providers studied would not have been in compliance had supervisors not intervened.

HIPAA provides that “an individual has a right of access to inspect and obtain a copy of protected health information about the individual in a designated record set, for as long as the protected health information is maintained in the designated record set.” 45 C.F.R. § 164.524.

I have written on numerous occasions about patients' control over their own records and the reforms needed to support this right. Getting access to medical records doesn't seem to have improved very much. Despite HIPAA's right of access, providers don't seem to take that right very seriously.


HIPAA Cartoon: HIPAA as an Excuse

[Cartoon: HIPAA as an Excuse]

This cartoon depicts something that happens far too often with HIPAA: HIPAA is used as an excuse not to do something (such as make disclosures or provide access to records in the way a patient requests) even though HIPAA imposes no such restriction. This is often done out of a lack of knowledge about HIPAA. Healthcare providers frequently have mistaken notions of HIPAA being far more restrictive than it actually is. For example, last year I wrote a post about how numerous healthcare providers wrongly use HIPAA as an excuse to refuse to email medical records to patients. Ironically, far from forbidding it, HIPAA actually requires that medical records be emailed to patients if patients so request.


The FTC Can Rise to the Privacy Challenge, but Not Without Help From Congress


Over at Lawfare, I have an essay co-authored with Chris Hoofnagle and Woodrow Hartzog called The FTC Can Rise to the Privacy Challenge, but Not Without Help From Congress. The piece is also posted at the Brookings Institution's TechTank. The essay begins:

Facebook’s recent settlement with the Federal Trade Commission (FTC) has reignited debate over whether the agency is up to the task of protecting privacy. Many people, including some skeptics of the FTC’s ability to rein in Silicon Valley, lauded the settlement, or at least parts of it.

Others, however, saw the five-billion-dollar fine, oversight reforms, and compliance certification measures as a drop in the bucket compared to Facebook’s profits. Two dissenting FTC commissioners and other critics pointed out that the FTC did not change Facebook’s fundamental business model nor hold Mark Zuckerberg personally liable, despite hints that the company fell out of compliance with its original 2010 FTC consent order soon after that agreement was inked. Some privacy advocates and lawmakers even argued that the limits of the settlement are evidence that the FTC, the leading privacy regulator in the U.S. since the late 1990s, is no longer the right agency to protect our personal information from Big Tech. They support creating a new, consumer privacy-focused federal agency.

We think the FTC is still the right agency to lead the US privacy regulatory effort. In this essay, we explain the FTC’s structural and cultural strengths for this task, and then turn to reforms that could help the FTC rise to modern information privacy challenges. Fundamentally, the FTC has the structure and the legal powers necessary to enforce reasonable privacy rules. But it does need to evolve to meet the challenge of regulating modern information platforms.

You can read the rest of the essay over at Lawfare.


Cartoon on Data Breach

[Cartoon: Data Security Breach]

This cartoon is about the evolution of data breaches, which began to grab headlines back in 2005, thanks in large part to California's data breach notification law, the first such law. Since that time, every state has passed a breach notification law, and breach notification laws are sprouting up around the world. Every day we hear of more and more data breaches . . . and they are getting larger and larger.


ALI Principles of Law, Data Privacy


I’m thrilled that the American Law Institute (ALI) has approved the Principles of the Law, Data Privacy. Professor Paul Schwartz and I were co-reporters on the project. According to the ALI press release: “The Principles seek to provide a set of best practices for entities that collect and control data concerning individuals and guidance for a variety of parties at the federal, state, and local levels, including legislators, attorneys general, and administrative agency officials.”

The project is our attempt to create a comprehensive approach to data privacy for the U.S. that bridges the divide with the EU. For example, many provisions in the General Data Protection Regulation (GDPR) are not as incompatible with U.S. law as one might think. We bring U.S. law most of the way there, but we preserve core commitments in U.S. law that cannot readily be made consistent with the EU approach. We also take some new approaches to certain issues that haven't yet been tried in quite the same way in other laws, such as our approach to transparency and notice and our approach to handling the identifiability of personal data. The Principles of the Law, Data Privacy is not an attempt to write our ideal privacy law as if drafting on a blank slate. Nor is it an attempt to restate existing law. Instead, it is something in between. We build on foundations in existing law and look for ways the law can be advanced progressively without clashing with core commitments or introducing concepts that are without precedent.


Thus, our goal has been to produce a balanced compromise, an approach to advance U.S. privacy law significantly without being radical.  I am certain industry and advocates will find things they like and things that they wish were different.  This isn’t the law I’d write if I were writing on a blank slate. But it is, I hope, a big step forward.

We hope this project is useful to legislatures working on privacy legislation, to other policymakers, and to everyone who is thinking about privacy law.

We want to thank our advisory group and the ALI members who contributed greatly to this project. The ALI process is a wonderful one — a thoughtful constructive discussion about how to craft meaningful regulation between practitioners, judges, and academics, among others.

The final draft will be released very soon.  Paul and I will be posting the blackletter portion of the project. The entire document, which consists of our commentary, notes, and illustrations — including the support for and rationales behind the provisions — will be available from the ALI.  Please stay tuned.

As a teaser, below is the table of contents.


Profiling and the GDPR: An interview with Mark Singer and Raf Sanchez

I had the opportunity to interview Mark Singer and Raf Sanchez, both at Beazley, about the issue of profiling under the GDPR. Mark Singer is a member of the Cyber & Executive Risk Group at Beazley. Mark handles insurance coverage issues arising out of cybersecurity, technology errors and omissions, data privacy, intellectual property, and media and advertising liabilities. Raf Sanchez leads the international Beazley Breach Response Services team at Beazley and is responsible for incident response in all territories outside the US and Canada.


Cartoon: Data Subject Access Requests Under the CCPA and GDPR

[Cartoon: Data Subject Access Requests (DSARs)]

This cartoon is about data subject access requests (DSARs), sometimes called “subject access requests” (SARs). Article 15 of the GDPR provides for DSARs. The new California Consumer Privacy Act (CCPA) gives individuals the right to learn what personal data has been collected and shared about them over the past 12 months.

For more background about DSARs, see this great guide to DSARs by WireWheel.


A Major Move to Weaken HIPAA


Quietly, at the end of April, HIPAA was significantly weakened. HHS published what sounds like an innocuous notice in the Federal Register: Notification of Enforcement Discretion Regarding HIPAA Civil Money Penalties. This notification is actually an enormous change to the HIPAA penalty structure, a drastic reduction in HIPAA fines.

The existing penalty structure under HIPAA is based on the HITECH Act of 2009, which increased HIPAA's fines in an attempt to give teeth to HIPAA enforcement. From the start of HIPAA enforcement in 2003 until the HITECH Act, fines were rarely issued despite an enormous number of HIPAA violations. HITECH was Congress's rebuff to this weak enforcement approach. After HITECH's more potent penalty structure took effect, HHS finally began issuing fines. The chart below shows how HHS has interpreted the HITECH penalty framework since the HITECH Act:

[Table 1: HIPAA penalty tiers under HHS's longstanding interpretation of the HITECH Act]

There were some ambiguities in the HITECH Act as to these penalty tiers, but HHS had long interpreted the tiers according to the chart above. Now, however, HHS has suddenly changed its mind and adopted a very different interpretation. Under this new interpretation, the penalty tier limits are as follows:

[Table 2: HIPAA penalty tiers under HHS's new interpretation announced in the Notification of Enforcement Discretion]

Notice the new annual limits. There are severe reductions in the annual limits for every category except uncorrected willful neglect. This change yanks many of the teeth out of HIPAA enforcement.


Cartoon: Data Minimization

[Cartoon: Data Minimization]

This privacy cartoon is about data minimization, a principle embodied in many privacy laws. Under the data minimization principle, organizations are to collect, process, or share only the minimum personal data necessary to achieve their purpose. There's a lot of hat tipping to data minimization, but the principle is often not followed. Far too often, personal data is collected without any particular purpose in mind, and far more is shared than necessary.


Anatomy of a Privacy Law

[Infographic: Anatomy of a Privacy Law]

I was recently giving a presentation about new privacy laws, and I created the infographic above to catalog the various elements that privacy laws often have. Going through this list can help in assessing how complete a privacy law is. For example, the California Consumer Privacy Act (CCPA) is often compared to the General Data Protection Regulation (GDPR), and I've heard it referred to as a GDPR for the United States. But the CCPA is far different from the GDPR, which is significantly more comprehensive and has many more dimensions than the CCPA. For example, the GDPR has a broader scope (it covers more types of entities) and has many provisions about responsibilities and governance that the CCPA lacks. Indeed, the GDPR has most of the elements in this list. In the US, HIPAA comes closest to the GDPR in how many items from the list it has, but HIPAA is limited to certain forms of health data.

Click here for a larger PDF version of the infographic.

The vast majority of privacy laws have provisions relating to their scope and applicability, a definition of the personal information that they regulate, individual rights and organizational responsibilities, enforcement provisions, and a particular position with regard to preemption.
