Good Monday – The East Coast prepares for Apocalypse (Sn)ow.

In the meantime, here are three privacy-related tidbits for your day.

Privacy Concerns Cause Scale Back of Release of HealthCare.gov Data

We spend a fair amount of time warning about third party vendors and the risk that such vendors can pose to sensitive data.   Just ask Target.   Last week, the Associated Press revealed that the healthcare insurance exchange, HealthCare.gov, was connecting with third party analytics sites and others and operating much like any commercial website — except that it is not.  The AP reported over the weekend that the Obama Administration has “reversed itself” and scaled back the release of (or access to) consumer data — including anonymized data.     According to the AP’s Saturday follow-up, an analysis of the Federal exchange showed that the number of third party companies with connections embedded in the site, thus giving them access to consumer data, “dropped from 50 to 30.”

Read more:

The Hill – The Centers for Medicare and Medicaid Services will encrypt additional data when customers use the Window Shopping feature on HealthCare.gov.

New York Times — Is the data usage “industry standard” and much ado about SOP?

CNN Money

New Jersey Becomes Latest State to Mandate Encryption for Health Information

All health insurance carriers in New Jersey, including health, hospital and medical insurance corporations, will be required by law to encrypt protected health information (PHI), including a patient’s name linked with a Social Security number, driver’s license or other state-issued identification, address, etc.   NJ Governor Chris Christie last week signed legislation that effectively exceeds HIPAA in its requirement that health insurers compiling or maintaining computerized records with personal information secure that information by encryption or another “method or technology rendering it unreadable, undecipherable or otherwise unusable by an unauthorized person.”   The legislation comes a year after two laptops with unencrypted data were stoled from the state’s largest health insurer, Horizon Blue Cross Blue Shield.   That theft put the personal information of nearly 850,000 Horizon members at risk.   The law also applies to PHI both at rest (stored) and in transit “across public networks.”

Under the law, personal information is defined to include an individual’s first name or first initial and last name linked with a Social Security number, a driver’s license or state identification card number, an address, or identifiable health information.

The law becomes effective August 1, 2015 and failing to comply with these standards is punishable by a maximum fine of $10,000 for a first offense and $20,000 for a second or any subsequent offense. A violation can also bring cease and desist orders issued by the attorney general and the AG can seek treble damages for injured parties.

Australia’s Data Protection Office Publishes Guide to “Reasonable Security”

The Office of the Australian Information Commissioner has published a sensible guide to “reasonable security” that could be a good roadmap for any business coming up to Data Privacy Day, no matter where you are in the world.   The Guide sets forth five considerations for the protection

of personal information at all points during the information lifecycle:

  1. considering whether it is actually necessary to collect and hold personal information in order to carry out your functions or activities
  2. planning how personal information will be handled by embedding privacy protections into the design of information handling practices (otherwise known as “Privacy-by-Design”)
  3. assessing the risks associated with the collection of the personal information due to a new act, practice, change to an existing project or as part of business as usual
  4. taking appropriate steps and putting into place strategies to protect personal information that you hold; and
  5. destruction or de-identification of the personal information when it is no longer needed. Good advice.