To Freeze or Not to Freeze? That Is the Question

March 1, 2016June 8, 2016 Margaret Young Levi Cyber Security and Cyber Crime, Data Privacy & Security, Fraud and Abuse, Privacy & Security Commonwealth of Kentucky, credit record, credit score, Equifax, Experian, security freeze, TransUnion

UPDATE: Senate Bill 23 did not become law during 2016 Kentucky Legislative Session. The bill was passed unanimously by the Senate. It was then sent to the House, where it was read twice, amended, but never read for the third and final time.

Overview

The Commonwealth of Kentucky’s General Assembly is considering a bill which would permit parents to place security freezes on their children’s credit record. Senate Bill 23 (SB 23) was introduced in the Senate on January 6, 2016. After several readings and committee reviews, it was approved by the Senate with minor changes and sent to the House Banking & Insurance Committee on February 11, 2016. The 2016 Kentucky Legislative Session will adjourn on April 12, 2016.

Children do not have credit reports since they generally do not have credit in their names. So SB 23 provides that if there is no credit file/credit report, then the consumer reporting agency must create such a record for the protected person (as defined below).

SB 23 would require a consumer reporting agency to place a security freeze on a protected person’s record or report upon proper request by a representative. A “protected person” is defined as “an individual who is under sixteen (16) years of age at the time a request for the placement of a security freeze is made, or who is an incapacitated person or other person for whom a guardian or conservator has been appointed.”

State Laws and the Three Major Consumer Reporting Agencies Vary on Security Freezes for Children

The National Council of State Legislators reports that only “twenty-three states allow parents, legal guardians or Continue reading →

Federal Agency to Develop Model Privacy Notice for Healthcare Apps

February 29, 2016February 29, 2016 Kathie McDonald-McClure Data Privacy & Security, FTC Enforcement, Health Information Technology data privacy, data security, FTC Enforcement, mHealth, mobile apps, wearable technology

On Friday, February 26, 2016, the Office of the National Coordinator (ONC) for Health Information Technology (HIT) announced via a blog post, that ONC will be updating the Model Privacy Notice (MPN) that, in 2011, ONC developed in concert with the Federal Trade Commission (FTC) for “personal health records” (PHRs), which was the emerging technology at the time. ONC noted that since 2011, many retail healthcare apps such as exercise trackers and other wearable technology, have emerged and that consumers using such technology should be informed on how data collected through such apps is being used by the app developer and other third parties. ONC stated that the MPN is “a voluntary, openly available resource designed to help developers provide transparent notice to consumers about what happens to their data.”

Importantly, healthcare app developers should take heed that ONC is not the only federal agency interested in ensuring that there is adequate consumer protection for individuals taking Continue reading →

New HIPAA Exception Allows Covered Entities to Report Behavioral Health Considerations Applicable to Possessing a Firearm

February 22, 2016 Margaret Young Levi Privacy & Security behavioral health considerations, covered entity, Federal Law Resources, HHS, mental health prohibitor, National Instant Criminal Background Check System, NICS, PHI, protected health information, U.S. Department of Health and Human Services

As of February 5, 2016, a change in the law allows certain health care providers to report the identity of an individual who is prohibited from possessing a firearm for mental health reasons to the National Instant Criminal Background Check System (“NICS”). The Department of Health & Human Services (“HHS”) amended the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rule to allow such reporting by health care providers who are a “covered entity” under HIPAA and who are: state agencies; designated by the state with lawful authority to make the adjudications or commitment decisions that make individuals subject to a “mental health prohibitor”; or serve as repositories of information for NICS reporting purposes. The Final Rule that makes this amendment to HIPAA was published in the Federal Register on January 6, 2016: click here.

Before this amendment, health care providers who are “covered entities” under HIPAA could report information to the NICS only if:

(1) the health care provider had designated itself as a “hybrid entity” where the Privacy Rule would apply only to the entity’s functions that are subject to Continue reading →

Update to “Ten Easy Cyber Security Measures to Add to Your 2016 List of New Year’s Resolutions”

January 11, 2016January 11, 2016 Kathie McDonald-McClure Cyber Security and Cyber Crime, Data Privacy & Security card skimming, Cyber Security, Cybersecurity Act, FBI, gas pumps, Thorntons

One of the goals of our HITECH Law blog is to start dialogue and share information and insights in the ever changing world of cyber security. In our previous post, “Ten Easy Cyber Security Measures…”, we relayed some information from the FBI about thieves breaking into gas pumps and inserting card readers. One of our readers sent us some additional information we are passing along, with her permission.

“Some responsible retailers have studied how criminals are getting into pumps, and those retailers have invested a lot of time and money in pump protection after delivery from the manufacturer. Because the safety and security of our guests is of utmost importance to us, Thorntons has spent more than $1 million over the past 18 months to make our pumps more secure for our customers. To prevent card skimming at Thorntons’ pumps, we added Continue reading →

Kathie McDonald-McClure to present at Health Enterprises Network/HIMSS event on HIPAA in integrated healthcare

January 11, 2016January 11, 2016 WyattLLP Data Privacy & Security Bluegrass HIMSS, Health Information Technology, Healthcare integration and HIPAA, Louisville Health Enterprises Network, privacy and security of protected health information

Kathie McDonald-McClure, member of Wyatt’s Data Privacy & Security and Health Care Service Teams, will be speaking at an event presented by the Health Enterprises Network and Bluegrass Healthcare Information and Management Systems Society (Bluegrass HIMSS) entitled, “Whose Data Is It Anyway?” Ms. McDonald-McClure will share strategies for achieving a “Yes-Yes” as well as avoiding the “No-No’s” under the Health Information Portability and Accountability Act of 1996 (HIPAA) with the exchange of health information in an integrated healthcare setting.

Please click here for more information and to register.

Date: January 21, 2016
Time: 5:00 p.m. – 6:00 pm (Cocktail Hour and Registration); 6:00 – 8:00 p.m. (Presentation).

Location:
Kosair Charities Clinical & Translational Research Building
505 S. Hancock Street
Louisville, KY 40202