PRIVACY + SECURITY BLOG

News, Developments, and Insights

high-tech technology background with eyes on computer display

What Are the Requirements for HIPAA Training?

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
June 21, 2020

HIPAA Training Requirements - TeachPrivacy 01

HIPAA training is an specific requirement of HIPAA. HIPAA requires that covered entities (CEs) and business associates (BAs) provide HIPAA training to members of their workforce who handle protected health information (PHI).  This means administrative and clinical personnel need to be trained.  Business associates — and any of their subcontractors — must have training.  Basically, anyone who comes into contact with PHI must be trained.

HIPAA’s Privacy Rule and HIPAA’s Security Rule both have separate training requirements.  Generally, HIPAA’s training requirements in both rules are rather sparse — not a lot of guidance is provided.

The HIPAA Privacy Rule, at 45 CFR § 164.530(b)(1), says that training must be “as necessary and appropriate for the members of the workforce to carry out their functions.” HIPAA thus doesn’t require that everyone be trained in the same way.  It is also important to note that HIPAA training doesn’t mean training to make trainees experts on HIPAA. In fact, HIPAA doesn’t even state that trainees learn about HIPAA itself; instead, they must learn about how to carry out their organization’s obligations under HIPAA.

The Privacy Rule doesn’t provide much further guidance on the specific topics that should be covered.

Continue Reading

What Are the Requirements for CCPA Training?

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
June 8, 2020

What are the requirements for California Consumer Privacy Act (CCPA) training?  At Section 1798.135(a)(3), the CCPA requires that businesses “ensure that all individuals responsible for handling consumer inquiries about the business’s privacy practices or the business’s compliance with this title are informed of all requirements in Section 1798.120 and this section and how to direct consumers to exercise their rights under those sections.”

The CCPA’s training requirements specifically mention that all employees responsible for handling consumer inquiries about privacy practices must be informed of the requirements of 1798.120 and 1798.135, which primarily focus on the sale of consumer personal information.

Section 1798.120 includes:

  • the consumer’s right to opt out of the sale of personal information to third parties
  • consumers’ rights to be notified that they have a right to opt out, and
  • the opt in rights for children

Section 1798.135 includes:

  • requirement to have a link on the homepage titled “Do Not Sell My Personal Information”
  • requirement to have a description of consumer rights

Continue Reading

Cartoon: De-Identifying PHI under HIPAA

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
May 18, 2020

 

Cartoon HIPAA De-Identification - TeachPrivacy HIPAA Training 02 small

This cartoon is about de-identifying PHI under HIPAA.  De-identifying personal data is quite complicated. Researchers have been able to re-identify sets of personal data with just names, birth dates, and gender. The reason why de-identifying data is difficult is that there is more and more identified personal data online that can be matched up with de-identified data and used to link up names.

Continue Reading

Cartoon: Privacy and New Technology

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
April 26, 2020

Cartoon Privacy and Technology - TeachPrivacy Privacy Training

This cartoon is about new technology and privacy.  With each new technology, there have been outcries that privacy will be lost forever. A while ago, I wrote a post collecting headlines and book covers that proclaimed “the death of privacy” throughout the ages.

Despite being under constant threat, privacy has somehow has managed to survive.

The story from history is not apocalyptic.  Instead, with each challenge, people found ways to protect privacy.  The new technologies of today certainly make protecting privacy difficult, but it is not impossible.  Moreover, as this cartoon depicts, we should avoid being too nostalgic about the past.  I commonly hear people mention how in the past, it was easier to have privacy because people could live in greater obscurity and not be captured on video or have their data constantly gobbled up and digested by computers.

Continue Reading

Ransomware and the Role of Cyber Insurance: An Interview with Kimberly Horn

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
April 10, 2020

hacker setting up ransomware

Ransomware has long been a scourge, and it’s getting worse. I recently had the chance to talk about ransomware and cyber insurance with Kimberly Horn, the Global Claims Team Leader for Cyber & Tech Claims at Beazley. Kim has significant experience in data privacy and cyber security matters, including guiding insureds through immediate and comprehensive responses to data breaches and network intrusions.

 

Continue Reading

Cartoon: The Privacy Paradox

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
April 7, 2020

Cartoon Privacy Paradox - TeachPrivacy Privacy Training 02 small

This cartoon is about the “privacy paradox” — the phenomenon where people say that they value privacy highly, yet in their behavior relinquish their personal data for very little in exchange or fail to use measures to protect their privacy.

I recently wrote an article about the privacy paradox: The Myth of the Privacy Paradox, forthcoming 89 Geo. Wash. L. Rev.  You can download it on SSRN for free.

Download Article Solove Myth of the Privacy Paradox

Commentators typically make one of two types of arguments about the privacy paradox. On one side, privacy regulation skeptics contend behavior is the best metric to evaluate how people actually value privacy. Behavior reveals that people ascribe a low value to privacy or readily trade it away for goods or services. The argument often goes on to contend that privacy regulation should be reduced.

Continue Reading

Cartoon: GDPR Lawful Basis

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
February 23, 2020

Cartoon GDPR Lawful Basis - TeachPrivacy GDPR Training

This cartoon is about the GDPR’s lawful basis requirement to process personal data. One of the biggest differences between U.S. and EU privacy law is that in the U.S., organizations can collect and use personal data in nearly any way they choose as long as they state what they are doing in their privacy notice and follow what they say.  In the EU, in contrast, the GDPR requires that organizations have a “lawful basis” to collect and process personal data. The GDPR specified six lawful bases, including consent, performance of a contract, compliance with a legal obligation, public interest, protect the vital interests of the data subject or other people, and legitimate interest in processing the data.

Many organizations use legitimate interest as their lawful basis.

Article 6(1)(f) of the GDPR provides: 

1.Processing shall be lawful only if and to the extent that at least one of the following applies:

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Continue Reading

Notable Changes in the Modified Draft CCPA Regulation

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
February 10, 2020

CCPA Regulation - TeachPrivacy CCPA Training 01

Updated on March 27, 2020 — The California AG came out with a modified modified draft of the CCPA regulation on March 11, 2020.  Most notably, a few of the changes in the February 7 draft were walked back.  I will discuss the details below. 

On Friday, February 7, 2020, the California AG dropped a new modified draft CCPA regulation.  Comments are due by February 24, 2020 at 5 PM Pacific Time.

Here are some notable changes:

(1) IP Addresses Can Somehow Escape from Being Personal Information 

New text of the regulation:

§ 999.302. Guidance Regarding the Interpretation of CCPA Definitions
(a) Whether information is “personal information,” as that term is defined in Civil Code section 1798.140, subdivision (o), depends on whether the business maintains information in a manner that “identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.” For example, if a business collects the IP addresses of visitors to its website but does not link the IP address to any particular consumer or household, and could not reasonably link the IP address with a particular consumer or household, then the IP address would not be “personal information.”

This last sentence about IP addresses was stricken in the new modified CCPA regulation of March 11.

Continue Reading

A Terrifying New Dimension of Ransomware

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
February 10, 2020

Ransomware

Ransomware has long been a scourge. Since at least 2012, ransomware has grown dramatically. Ransoms have increased — the average ransom payout is now more than $40,000.   Organizations most hit are public sector, software services, professional services, and healthcare.  Healthcare, in particular, is a soft target because of the need to get systems back and running quickly. According to a McAfee report, ransomware attacks more than doubled in 2019.  An FBI warning from fall 2019 didn’t indicate an increase in the number of attacks but did show an increase in the targeting and severity of the attacks: “Ransomware attacks are becoming more targeted, sophisticated, and costly, even as the overall frequency of attacks remains consistent. Since early 2018, the incidence of broad, indiscriminant ransomware campaigns has sharply declined, but the losses from ransomware attacks have increased significantly, according to complaints received by IC3 and FBI case information.”

For a long time, a debate has raged about whether to pay the ransom.  Some argue that the ransom should never be paid, but organizations facing the loss of their data might not have much of a choice. But if organizations back up their data, then they can they can avoid paying the ransoms and restore their data. But now there’s a new development in ransomware that is particularly troubling and that makes paying the ransoms a necessity even when data is backed up.  Ransomware groups are now threatening to release an organization’s data online if the ransom isn’t paid.

Ransomware Threaten to Disclose DataThis year, five law firms were hit with Maze Ransomware.  Instead of just encrypting the data, the ransomware group exfiltrated it first and then posted a small amount of it online. The group threatened to post the remainder of the data online unless the ransom was paid. According to one article: “Recent reports have shown the hacking group behind Maze ransomware has been steadily posting the data of its victims online after the organizations fail to pay the ransom demand. A compiled list of victims shows the data of several healthcare organizations are included in those postings, despite a lack of public reporting of those incidents.”

Continue Reading