MD Anderson fined $4.3M for HIPAA violations

(Jun 19, 2018) The University of Texas MD Anderson Cancer Center has been ordered to pay the U.S. Department of Health and Human Services Office for Civil Rights $4.3 million for HIPAA violations. The penalties stem from three data breaches in 2012 and 2013 involving the theft of a laptop from an MD Anderson employee and the loss of two USB thumb drives, all of which contained electronic personal health information. An OCR investigation determined all three devices were not encrypted, despite MD Anderson adopti...

OCR releases guidance on sharing patient data

(Jun 18, 2018) The U.S. Department of Health and Human Services' Office for Civil Rights released guidance on patients sharing their health information for research, GovInfoSecurity reports. The guidance, called for under the 21st Century Cures Act, clarifies the definition of what "future research" is sufficient to comply with federal regulations, explains the expiration of authorizations for personal health information for research, and goes over a patient's right to revoke consent. Wiley Rein Partner Kirk N...

Guidance on HIPAA and Individual Authorization of Uses and Disclosures of Protected Health Information for Research

(Jun 18, 2018) The Office for Civil Rights of the U.S. Department of Health and Human Services has released this guidance for researchers, including information on the 21st Century Cures Act of 2016 mandate and guidance on sufficient descriptions of purpose of a use and authorizations for future use, revocation of authorizations, and expiration of authorizations. (June 2018)

FPF opens tech policy institute in Israel

(Jun 15, 2018) When deciding where to open its first regional office, the Future of Privacy Forum considered New York and Silicon Valley but decided to set up shop in a country that has quickly become a hot spot for privacy-related activity. The FPF recently launched the Israel Tech Policy Institute, a place where privacy professionals, lawyers and academics will work together to solve pressing privacy issues. IAPP Associate Editor Ryan Chiavetta, CIPP/US, spoke with FPF CEO Jules Polonetsky, CIPP/US...

FPF launches Israel Tech Policy Institute

(Jun 15, 2018) When the Future of Privacy Forum decided to open up its first regional office, there was debate as to where would be the best location. They could have chosen New York, or perhaps Silicon Valley, areas that may initially pop into your mind when thinking about technology. FPF CEO Jules Polonetsky, CIPP/US, and leadership at the organization, however, decided to set up shop in a country that has quickly become a premier destination for privacy-related activity. Co-founded with IAPP Vice President...

Lawyer: Canadian doctors' use of fax machines a concern

(Jun 15, 2018) A study found two-thirds of physicians use fax machines to share medical records, a statistic one lawyer said is problematic, HalifaxToday reports. McInnes Cooper Privacy Lawyer David Fraser said no one can be certain who ends up seeing a patient’s information once it is sent, and raised concerns about duplicates. "Something that's started on a computer is then printed out, scanned in to a fax machine, faxed to the other end, printed out at the other end, and then if they want to put it into the...

NHS releases audit on use of Streams app

(Jun 14, 2018) The Royal Free London NHS Foundation Trust released the findings of an audit on its use of the Streams app aimed at helping to deliver care to patients with acute kidney injuries. The audit found DeepMind Health only used patient information for the app and in controlled conditions. The audit, conducted by Linklaters, determined the appropriate systems and controls have been put in place to protect patient information. “What’s important now is that they use the findings to address the compliance...

Health care field working toward GDPR compliance

(Jun 12, 2018) A joint survey by IT outsourcing service provider Harvey Nash and professional services firm KPMG found that one-third of health care chief information officers reported they would still be on the journey to compliance with the new EU General Data Protection Regulation, Becker's Hospital Review reports. The survey included nearly 4,000 CIOs and technology leaders across 84 countries. Meanwhile, in the U.S., San Francisco–based health care facilities operator Dignity Health filed a disclosure for...

Programmer finds unsecured PumpUp server containing user info

(Jun 8, 2018) A freelance programmer discovered an unsecured server belonging to fitness app PumpUp, Global News reports. Oliver Hough found the server while conducting a scan for MQTT servers. The information found on the server included credit card data, personal messages and Facebook accounts. An investigation found the data was not protected by any passwords. “Beyond the security researcher who originally came across the vulnerability, we are not aware of any other individuals who were aware of this situat...

Alberta privacy commissioner investigating letter sent to Indigenous teen

(Jun 8, 2018) CBC News reports Alberta Privacy Commissioner Jill Clayton will investigate a letter sent to an Indigenous teenager from Alberta Health Services. A 15-year-old girl received a letter from AHS addressed to “Treaty Indian.” AHS claims the letter was an “inexcusable” data entry error. Clayton will examine whether AHS violated the province’s Health Information Act and the Freedom of Information and Privacy Act. “I think Albertans deserve to know whether this is a systemic problem or if, as AHS says,...