USA

HIPAA Security Rule

Francoise Gilbert

On February 20, 2003, the U.S. Department of Health and Human Services (HHS) published the final draft of the new National Standards for Safeguards to Protect Personal Health Information that is maintained or transmitted electronically (“Security Rule”). Required as part of the administrative simplification provisions included in the Health Insurance Portability and Accountability Act of 1996 (HIPAA), these standards are separate from, and in addition to, those set in the HIPAA Privacy Rule.

Most covered entities have until April 21, 2005 to comply with the standards; small health plans have an additional year to comply.

The Security Rule lists measures that health plans, health care clearinghouses, and health care providers (“covered entities”) must take to protect the confidentiality, integrity, and availability of individually identifiable health information in electronic form while it is in their custody or while they transmit it to third parties. These measures include Administrative, Physical, and Technical Safeguards, Organizational Requirements and Policy Procedures and Documentation Requirements. The Security Rule labels these measures as “standards” and “implementation specifications.”


What Limits for Behavioral Targeting

Francoise Gilbert

An individual uses a travel site to check hotels in New York, but does not book any hotel room. Later the individual visits the website of a local newspaper to read about the Chicago Cubs baseball team. While on the newspaper’s website, the individual is served an advertisement from an airline featuring flights from Chicago to New York. The method used to develop the consumer’s profile (someone interested in travelling to New York from his home base in Chicago) in order to serve targeted ads is called “behavioral advertising” or “behavioral targeting.”

Behavioral targeting is a marketing technique that tracks a user’s online activities over time in order to build a profile of that individual and to deliver advertising that is targeted to the assumed interests of this individual. The information about a user is collected through a combination of cookies and pixel tags. It could include what searches were conducted, what pages were visited, how long she stayed on a particular page, and on which links or advertisements she clicked. This information may then be combined with other information about that individual, such as her geographic location. It is then shared with advertisement networks, which serve advertisements at websites across the Internet.

Many consumers and advocacy groups are concerned about the privacy issues that are associated with such practices. For example, the manner in which the consumer information is collected is not visible to the consumer. Further, sensitive information regarding health, finances, or children could be used for unanticipated purposes.


How to Protect Children from Child Predators and Cyberbullies in Social Networking Sites

Francoise Gilbert

It is easy to register as a user on a site using a different identity than the actual one. A 14-year-old can pretend to be 25 and set up a profile on most social networking sites. As a result, minors have been able to find their way onto sites that were intended for adults. In some cases, they have become the victims of child predators whom they met online. Governments and legislators are looking at age verification as a way to protect minors from inappropriate contacts on the Internet. This article explores some of the issues raised by age verification and looks at the status of laws and government enforcement actions that focus on keeping minors out of sites that are not intended for them, or not prepared to handle them.


Internal Investigations: Think Before You Peek

Francoise Gilbert

The directors and officers of a company are responsible for preserving the company’s most valuable assets, such as strategic plans or intellectual property assets. When leaks of company confidential or proprietary assets occur, and there is a suspicion of illegal practices by certain individuals, the company management has an obligation and a legitimate need to make these practices stop. To do so, it is necessary to identify those who are responsible for the leakage of information.

These investigations present a delicate challenge. It might be tempting to try to obtain access to an employee’s personal telephone records, in order to identify the source of the leak or the recipient of the leaked information. Don’t do it!

Think before you try to peek at your employees’ personal telephone records. This practice is prohibited by the Telephone Records and Privacy Protection Act (“TRPPA”).
