PRIVACY + SECURITY BLOG

News, Developments, and Insights


HIPAA Turns 10: Analyzing the Past, Present, and Future Impact

by Daniel J. Solove

In the April issue of the Journal of AHIMA, I authored two short pieces about HIPAA:

HIPAA Turns 10: Analyzing the Past, Present, and Future Impact
84 Journal of AHIMA 22 (April 2013)

HIPAA Mighty and Flawed: Regulation has Wide-Reaching Impact on the Healthcare Industry
84 Journal of AHIMA 30 (April 2013)

The first piece provides an overview of HIPAA and its evolution. The second involves an analysis of HIPAA’s strengths and weaknesses. Overall, I find HIPAA to be one of the most effective privacy regulatory regimes.  HIPAA is very effective in large part because it requires privacy and security officials who have responsibility over these issues.  These officials develop policies and procedures, perform assessments, and provide HIPAA training to employees, among other things. Privacy laws are not self-executing, and enforcement agencies have limited enforcement resources. The effectiveness of the law depends upon each organization taking compliance seriously, and this starts with a governance structure, awareness training, and things that create a culture of compliance.  Many other privacy laws don’t realize this, and fail to include the robust governance components of HIPAA.

The entire issue is here. Copyright belongs to Journal of AHIMA.

* * * *

This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of training on privacy and security topics.  

If you are interested in privacy and data security issues, there are many great ways Professor Solove can help you stay informed:
* Professor Solove’s LinkedIn Influencer blog
* Professor Solove’s Twitter Feed
* Professor Solove’s Newsletter

Please join one or more of Professor Solove’s LinkedIn Discussion Groups:
* Privacy and Data Security
* HIPAA Privacy & Security
* Education Privacy and Data Security

The HIPAA-HITECH Regulation, the Cloud, and Beyond

by Daniel J. Solove

The new HIPAA-HITECH regulation is here. Officially titled “Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules,” this new regulation modifies HIPAA in accordance with the changes mandated by the HITECH Act of 2009. After years of waiting and many false alarms that the regulation was going to be released imminently, prompting joking references to Samuel Beckett’s play Waiting for Godot, HHS unleashed 563 pages upon the world. According to Office for Civil Rights (OCR) director Leon Rodriguez, the rule “marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented.” I agree with his dramatic characterization of the regulation, for it makes some very big changes and very important ones too.


Final HIPAA-HITECH Regulation

posted by Daniel J. Solove

The final HIPAA-HITECH regulation is finally out!  Clocking in at 563 pages long, the regulation, which is entitled “Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules” will be published in the Federal Register on January 25, 2013.  You can download the PDF of the pre-publication version here.

Notable Privacy and Security Books 2012

Here are some notable books on privacy and security from 2012. To see a more comprehensive list of nonfiction works about privacy and security, Professor Paul Schwartz and I maintain a resource page on Nonfiction Privacy + Security Books.


New Privacy by Design Training Video

I recently created this 2-minute comical cartoon vignette to teach about the importance of privacy and apps.  Far too often, apps are not designed with privacy in mind, and people install apps without considering the privacy implications.

[Video no longer available online – please contact us if you’d like to see it]

More About Apps and Privacy

FPF & CDT, Best Practices for Mobile App Developers

Pew Internet Survey, Privacy and Data Management on Mobile Devices

TRUSTe, Get a Privacy Policy for Your Mobile App

FTC, Mobile Apps for Kids: Current Privacy Disclosures Are Disappointing

New York Times Bits Blog, Consumers Say No to Mobile Apps That Grab Too Much Data

Washington Post Post Tech Blog, App Developers, Privacy Advocates Work Out Suggestions for Policy Disclosure

* * * *

This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of training on privacy and security topics. This post was originally posted on his blog at LinkedIn, where Solove is a “LinkedIn Influencer.” His blog has more than 600,000 followers.


Educational Institutions and Cloud Computing: A Roadmap of Responsibilities

by Daniel J. Solove

Increasingly, educational institutions and state entities handling student data are hiring outside companies to perform cloud computing functions related to managing personal information.

The benefits of cloud computing are that outside entities might be more sophisticated at managing personal data. These entities may be able to manage data more inexpensively and effectively than the educational institution could do itself. In many cases, cloud computing providers can provide better security than the educational institutions can.


Employer Social Media Policies: A Brave New World

Posted by Daniel J. Solove

The frequent use of social media by employees has created a new domain of risk for employers – employees who reveal confidential or sensitive information or who otherwise say things that damage their institution’s reputation or create strife with their colleagues.

In the healthcare context, for example, a number of widely publicized incidents involved employees revealing confidential information about patients on their blogs and social network profiles. According to a Boston Globe story, an emergency room physician posted data online about a patient. The physician thought that it was safe to post as long as she did not include the patient’s name, but others could identify the patient. There are numerous recent cases where hospital staff have posted photos and other information about patients online.


Yes, Young People Do Care About Privacy


A common argument I hear is that young people just don’t care about privacy.  If they cared about privacy, why would they share so much personal data on Facebook?  Why would they text so much?  Why would they be so cavalier about their privacy?  Privacy will be dead in a generation, the argument goes.

This argument is wrong for several reasons.  Studies show that young people do care about privacy.  A few years ago, a study by Chris Hoofnagle and others revealed that young people’s attitudes about privacy didn’t differ much from older people’s attitudes.   A more recent study sponsored by Microsoft found that “[p]rivacy and security rank as college students’ #1 concern about online activity.”

But what accounts for the behavior of sharing so much personal data online?  First, young people—especially teenagers—might not be thinking through the consequences of their actions.  It doesn’t mean they will never care about privacy; they might care about privacy at a point in the future.


Data Security and the Human Factor: Training and Its Challenges

Posted by Daniel J. Solove

According to a stat in SC Magazine, 90% of malware requires a human interaction to infect.  One of the biggest data security threats isn’t technical – it’s the human factor.  People click when they shouldn’t click, put data on portable devices when they shouldn’t, email sensitive information, and engage in a host of risky behaviors.  A lot of hacking doesn’t involve technical wizardry but is essentially con artistry.  I’m a fan of the ex-hacker Kevin Mitnick’s books where he relates some of his clever tricks.  He didn’t need to hack in order to get access to a computer system – he could trick people into readily telling him their passwords.

There have been a number of good recent articles on data security and data security training. Robert O’Harrow, Jr.’s recent piece in the Washington Post, “In Cyberattacks, Hacking Humans is Highly Effective Way to Access Systems,” discusses the human element of data security. The article describes the increasing sophistication of phishing. The old misspelled lottery scam emails are now your grandfather’s phishing. Today’s phishing is more personalized – and much more likely to trick people. According to O’Harrow’s article: “The explosive growth of cyberspace has created a fertile environment for hackers. Facing the flood of e-mail, instant messages and other digital communication, many people have a hard time judging whether notes or messages from friends, family or colleagues are real. Many don’t even try.” O’Harrow goes on to note that “Hackers are so confident about such permissiveness that they sometimes begin their attacks in social media three or four steps removed from their actual targets. The hackers count on the malicious code spreading to the proper company or government agency — passed along in photos, documents or Web pages.”
