Posts

Showing posts with the label HIPAA

Not to be outdone Alabama is the final state to pass a Data Protection Bill

Right on the heels of South Dakota, which passed its data protection bill in February of this year, Alabama is the 50th and final state to pass a data protection bill. Alabama SB 318 was passed this month. The codification of state data protection laws began in 2003 with California; to date all remaining states have followed suit. SB 318 seemingly incorporates the Health Insurance Portability and Accountability Act's (HIPAA) terminology and some of its application.

Class of protected: the statute applies to individuals residing within the state.

Individuals' rights: individuals are afforded protection from a breach, which is defined as the unauthorized acquisition of personally identifiable information (PII). PII is also referred to as personal data in some jurisdictions.

Data protected: the statute outlines the type of PII that is protected under the statute as "electronic data" that can be any of the following: Identification number (military, driver’s

What is Personally Identifiable Information ?

What is Personal Data? In the US, personal data is known as personally identifiable information (PII). Generally, it is defined as information that can reasonably be linked to an individual using persistent identifiers. Federal and state statutes provide more specific definitions of PII (GLBA, HIPAA, the Privacy Act, etc.). For example, HIPAA's Safe Harbor de-identification standard lists 18 identifiers that must be removed before health data counts as de-identified: name; geographic subdivisions smaller than a state (address, city, county, zip, precinct); all elements of dates other than the year (DOB, admission date, discharge date, date of death) and all ages over 89; telephone number; fax number; email address; SSN; medical record number; health plan number; account number; certificate/license number; vehicle identifiers (VIN, plate number); device ID and serial number; URL; IP address; biometric ID (fingerprint, voice print); full-face photographs; and any other unique identifier. In the EU (GDPR), personal data is defined as data relating to an identifiable natural person, who can be identified (directly or indirectly) by reference
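The list above is a removal and generalization rule set, so it is worth seeing it applied. The following is an added example, not code from the original post: it runs the HIPAA Safe Harbor method over a constructed patient record, stripping the direct identifiers, keeping only the year of dates, collapsing ages over 89 into "90+", truncating ZIP codes to three digits, and scanning free-text fields for identifiers that leak into notes. The field names, the regex patterns and the RESTRICTED_ZIP3 set are assumptions for illustration; a real deployment must source the restricted three-digit ZIP areas (those with 20,000 or fewer people) from Census data.

```python
"""HIPAA Safe Harbor de-identification check and transform (added example).

Assumptions: dates are ISO strings (YYYY-MM-DD), field names are the
ones below, and RESTRICTED_ZIP3 is an illustrative stand-in for the
Census-derived list of three-digit ZIP areas with 20,000 or fewer people.
"""
import re

# Direct identifiers under Safe Harbor: removed outright.
DIRECT_IDENTIFIERS = {
    "name", "street_address", "city", "county", "precinct", "phone", "fax",
    "email", "ssn", "medical_record_number", "health_plan_number",
    "account_number", "license_number", "vin", "plate", "device_serial",
    "url", "ip_address", "biometric_id", "photo",
}
# Date elements: only the year may be retained.
DATE_FIELDS = {"dob", "admission_date", "discharge_date", "date_of_death"}
# Assumed restricted ZIP3 areas; these must be reported as "000".
RESTRICTED_ZIP3 = {"036", "059", "102", "203", "556", "692", "821", "823", "878", "879", "884", "893"}

# Identifiers that commonly leak into free-text notes.
FREE_TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
    "full_date": re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),
}

# Constructed sample record, not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "dob": "1927-05-14",
    "age": 91,
    "zip": "03601",
    "admission_date": "2018-03-02",
    "ssn": "123-45-6789",
    "diagnosis": "Hypertension",
    "notes": "Follow up by phone 205-555-0142 or jane.doe@example.org on 2018-03-09.",
}


def generalize_zip(zip_code):
    """Keep the first three digits, or '000' for a restricted area."""
    zip3 = zip_code[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def generalize_age(age):
    """Ages over 89 are aggregated into a single '90+' category."""
    return "90+" if age > 89 else age


def scan_free_text(text):
    """Return the sorted identifier categories found in free text."""
    return sorted(name for name, pat in FREE_TEXT_PATTERNS.items() if pat.search(text))


def redact(text):
    """Replace each detected identifier with a bracketed category tag."""
    for name, pat in FREE_TEXT_PATTERNS.items():
        text = pat.sub(f"[{name.upper()}]", text)
    return text


def safe_harbor(record):
    """Return (deidentified_record, findings) for one record."""
    out, findings = {}, []
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            findings.append(f"removed direct identifier: {key}")
            continue
        if key in DATE_FIELDS:
            out[key + "_year"] = value[:4]  # ISO date -> year only
            continue
        if key == "zip":
            out["zip3"] = generalize_zip(value)
            continue
        if key == "age":
            out["age"] = generalize_age(value)
            continue
        if isinstance(value, str):
            hits = scan_free_text(value)
            if hits:
                findings.append(f"free-text identifiers in {key}: {', '.join(hits)}")
                value = redact(value)
        out[key] = value
    return out, findings


if __name__ == "__main__":
    clean, report = safe_harbor(SAMPLE_RECORD)
    print(clean)
    for line in report:
        print("-", line)
```

The free-text scan is the part that matters in practice: structured fields are easy to drop by name, but notes and comments are where SSNs, phone numbers and appointment dates survive a naive de-identification pass.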

Health Information Technology for Economic and Clinical Health (HITECH)

The Health Information Technology for Economic and Clinical Health Act (HITECH), enacted in 2009, extended and strengthened the HIPAA Security Rule, and the two are commonly discussed together. The purpose of the Security Rule is to ensure the confidentiality, integrity and availability (CIA) of all Protected Health Information (PHI) in electronic form that a Covered Entity (CE) or Business Associate (BA) creates, receives, maintains or transmits. To achieve this, the CE or BA must implement safeguards. An example of a physical safeguard is a lock on a door. An example of an administrative safeguard is a Privacy Officer assigning role-based access to PHI, so that only employees involved in a patient's care can access that patient's PHI. Technical safeguards include hardened server configurations and the encryption of PHI in transit and at rest. Further, HITECH requires CEs to provide notice to individuals if there is an unauthorized disclosure of PHI and there is a risk of harm that exposure o

Health Insurance Portability Accountability Act (HIPAA) : Notice of Privacy Practices

HIPAA regulations have two main parts: the Privacy Rule, which covers individuals' rights related to their Protected Health Information (PHI), and the Security Rule (strengthened by HITECH), which covers the security of the health information held by Covered Entities. The Privacy Rule requires covered entities to provide individuals with a copy of their notice of privacy practices at the first visit/date of service. Covered Entities must be able to prove that patients received these notices; thus they generally require individuals to sign a document called a "receipt of notice of privacy practices." These notices must describe how the covered entity uses and discloses PHI. For example, there should be a statement that PHI will be used for payment of claims, treatment of the individual and business operations (quality control, auditing or internal monitoring). In addition, the notice should contain information on instances when a signed release would be re

Steps in Risk Assessment Performance

Risk Assessment Stages. First, we must determine whether there is a need for the risk assessment to be performed. Then, we describe the flow of information (the data life cycle): collection, processing, storage, usage and deletion. Next, we identify privacy and related risks, including threats and vulnerabilities. Recording and summarizing the risk assessment findings in a digestible, concise and readable format for the end user is a necessary step. Finally, implementing the assessment findings and solutions into the project plan is the last step.

2017 Data Breach Stats in Tableau

Privacy Tableau Workbook. I have created these worksheets, using publicly available data sets, in order to display 2017 data breach statistics and the costs associated with various types of breaches. You can access these worksheets in Tableau by clicking the link provided above.