HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians

Congress must fix Obamacare if court guts it: U.S. official

The U.S. Congress and states would have to fix Obamacare if the Supreme Court disallows its tax subsidies that help people pay for insurance coverage, U.S. Health and Human Services Secretary Sylvia Burwell said on Wednesday.

Anti-Obamacare libertarian activists are fighting to strip the subsidies from 6.4 million Americans in 34 states who use the plan and a ruling in their favor would mark a significant setback for President Barack Obama's signature healthcare law.

"If the court makes that decision, we're going to do everything we can," Burwell told the House of Representatives Ways and Means Committee, after she was asked in a hearing how the Obama administration would react if the court rules against it later this month in the case known as King v. Burwell.

But she added, "The critical decisions will sit with the Congress and states and governors to determine if those subsidies are available."

Burwell added she had not seen a plan in the Republican-led Congress that would repair problems that might follow if the court decides to scrap the subsidies, while at the same time protecting the basic tenets of the Affordable Care Act.

She said Obama would not sign into law proposed legislation by Senator Ron Johnson to extend the subsidies until August 2017, which has attracted the most support among other Senate Republicans.

The Supreme Court is expected to rule by the end of this month in King v. Burwell.

The plaintiffs are challenging subsidies that are paid to low- and middle-income Americans to help them afford insurance coverage on federal healthcare exchanges.

Thirteen states and the District of Columbia would not be affected by the ruling because they have their own health care exchanges. Obama has said there is no legal basis for the court to dismantle the subsidies. The administration has produced no "Plan B" in case he is wrong.

"They refuse to acknowledge that they even are thinking about a backup plan," House Ways and Means Chairman Paul Ryan, a Republican, said after the hearing.

Republicans in Congress have opposed the law since its inception. They say they will unveil a proposed solution after the court rules.

Burwell said the Johnson measure would take away the subsidies over time and repeal key parts of Obamacare, such as guaranteed coverage for people with pre-existing conditions.

Does Obama privacy push have oomph?

President Barack Obama’s rollout of privacy and data security policies Monday offered big promises to protect consumer information online, but the reality is his legislative ideas are a long shot in Congress and his voluntary industry initiatives lack enforcement teeth.

The package of proposals — including a data-breach notification law and a privacy bill of rights — is mostly a rehash of previous administration proposals. While some lawmakers have expressed interest in data breach and student privacy bills, such legislation has made little progress in the past. Congress has even less enthusiasm for the base-line privacy bill that Obama says he will release in coming weeks.

The president’s announcement comes on the heels of the high-profile Sony hacking case and after a year of major retail hacks that compromised millions of Americans’ credit cards. But the glacial progress of privacy and data security legislation shows just how difficult it has been for Washington to come up with workable new laws in this area.

In a 15-minute speech at the Federal Trade Commission, Obama previewed proposals that will be part of his State of the Union address on Jan. 20. Pressing Congress to take action, the president led his speech with recent headlines from the Sony hack.

“This mission, protecting our information and privacy in the information age, this should not be a partisan issue,” Obama said. “It’s one of those new challenges in our modern society that crosses the old divides — transcends politics, transcends ideology. Liberal, conservative, Democrat, Republican, everybody is online, and everybody understands the risks and vulnerabilities as well as opportunities that are presented by this new world.”

White House press secretary Josh Earnest later put it more bluntly. “I do think that, certainly, in the aftermath of some of the more recent cyberattacks we’ve seen that have been carried out against a number of private companies, including most recently Sony, hopefully that got the attention of people on Capitol Hill,” he said.

Obama’s data-breach proposal would impose a national standard for companies to notify consumers, in the event their information is stolen or compromised, within 30 days of the discovery of an incident. His student privacy bill, modeled on a California measure, would impose new restrictions on companies that collect or store student data while providing products and services to K-12 schools.

The president also announced that JPMorgan Chase and Bank of America are joining a list of firms making credit scores available for free to consumers to combat identity theft, the top consumer complaint for 14 years running at the FTC.

Some privacy advocates, while bullish for laws that will tighten consumer privacy, remain skeptical that Obama’s push will have any oomph behind it, seeing it more as a public relations maneuver designed to reassure European privacy officials as they work to complete a trade deal by the end of the year.

“An unannounced but intended audience for the administration’s plan is to remove a serious obstacle to its plans for a U.S.-EU trade deal, known as TTIP,” or the Transatlantic Trade and Investment Partnership, said Jeff Chester, executive director of the Center for Digital Democracy. Consumer privacy has been one of the sticking points with EU officials who worry that the U.S. doesn’t have a comprehensive privacy framework.

There is some support for a data-breach bill in the new Congress, and industry groups and the FTC have long pressed for a federal law to streamline the 49 different state breach rules they have to follow. Reps. Marsha Blackburn (R-Tenn.) and Peter Welch (D-Vt.) say they are already working on a data-breach bill.

“There has been consensus and a call from many in the business community several years running for data-breach legislation,” said Stu Ingis, a partner at Venable and counsel to the Digital Advertising Alliance, which represents several marketing and advertising groups.

But such legislation has repeatedly run into fears that a federal standard would weaken stricter rules enacted by states — a theme some privacy advocates hit again Monday.

“The Personal Data Notification and Protection Act would pre-empt stronger state laws and contains no private right of action,” said Marc Rotenberg, executive director of the Electronic Privacy Information Center. He said the president’s student privacy plan “looks promising,” adding the country ultimately needs a more comprehensive approach to online privacy issues.

“The White House announcement is a step in that direction. But more needs to be done,” Rotenberg said.

Obama touted the 75 education tech companies that have voluntarily committed to keeping student data private, including Microsoft. Apple, which did not sign on initially, has now committed to the pledge. But other major players in the ed tech market, including Google and Pearson, are still not listed as signatories.

Concerns over student privacy have grown steadily as the use of online tools has exploded in classrooms. Ed tech companies can scoop up millions of data points on each child by monitoring them as they click through digital textbooks, educational games and online homework assignments. They can build detailed profiles of students’ academic ability — and also of their cognitive skills, including their learning styles.

The prospect of such intimate information being mined for possible commercial gain has mobilized parent privacy activists from across the political spectrum.

The administration has eyed privacy and data security measures since the president’s first term and proposed a national data-breach standard as part of a cybersecurity proposal in 2011. It unveiled a blueprint for a consumer privacy bill of rights in 2012.

Some parts of the tech industry said the president should have broadened his proposal to include surveillance reform, a key issue for Internet companies following Edward Snowden’s leaks about the National Security Agency.

“The president missed an opportunity to address the continued push by law enforcement and intelligence agencies to weaken security for the purpose of surveillance,” said Daniel Castro, senior analyst for the Information Technology and Innovation Foundation. “These actions threaten the competitiveness of the U.S. tech sector and discourage consumer confidence in digital products and services.”

Obama's Breach Notification Plan Lacks Specifics

President Obama's call for enactment of a national data breach notification law has been widely welcomed by business groups and privacy advocates, but their endorsements come with a big proviso: What's in it? The White House hasn't provided details, yet.

The groups largely agree that a national breach notification law makes sense because it would simplify the reporting of data breaches. As things stand now, businesses must comply with 47 different state statutes. With a national law, there would be only one set of rules to follow. But as the old saw goes, the devil is in the details, and the White House has yet to give a timetable for when it will reveal those particulars.

Except for a requirement that businesses notify customers within 30 days of a data breach, no other details about Obama's proposal have been made public by the White House, despite repeated requests to do so. And even the 30-day requirement is murky; exceptions to the time limit could delay notification.

The Caveat

The National Retail Federation endorses Obama's call to nationalize data breach notification, but "with a caveat," says NRF Media Relations Director Stephen Schatz. "We do remain a bit concerned about the 30-day timeframe," he says. "We don't know all of the details; we don't know if there's any loopholes or restrictions or delays based on certain patterns or metrics. All we know is that you heard 30 days."

Consumer rights advocates also have expressed concerns about Obama's proposal, especially if a national statute would weaken strong protections some states furnish in their laws. They say states should be allowed to implement more stringent requirements if the federal law isn't as tough as some state statutes.

"It's good that the president has re-focused on privacy and data security issues, but it would be terrible if his proposals preempt stronger state laws and offer less protection," says John Simpson, privacy project director at the not-for-profit advocacy group Consumer Watchdog. "Any national consumer privacy laws should be a floor, not a ceiling. States must be allowed to enact stronger measures."

Yet that wouldn't placate most businesses that seek simplification brought on by a single law. "Any federal standard should therefore contain strong state pre-emption language," says Elizabeth Hyman, executive vice president for public advocacy at TechAmerica, a high-tech industry trade group.

Flashback to 2011

To get an idea what might be in Obama's new proposal, look at the White House's 2011 national data breach notification initiative. That bill would have given businesses up to 60 days to notify consumers and the Federal Trade Commission of a breach unless there was no reasonable risk of harm or fraud. Other provisions in the 2011 legislative proposal included:

  • Businesses receiving a 30-day extension in reporting breaches in order to conduct further investigation.
  • Businesses being exempted from reporting if they conducted risk assessments showing the breach didn't harm individuals whose personally identifiable information was exposed; if the exposed data were rendered unusable through technology generally accepted by IT security experts; or if they participated in a security program that effectively blocked the use of the sensitive PII.
  • Instituting civil penalties of up to $1,000 a day per individual affected by a breach, up to a maximum of $1 million a violation unless such conduct was found to be intentional.
  • Businesses having to notify the local news media if more than 5,000 individuals were affected by the breach within any state. For larger breaches, businesses also would have had to notify national credit reporting agencies.

The 2011 legislation also would have required certain breaches to be reported to an entity designated by the secretary of Homeland Security, including cases affecting more than 5,000 individuals; breaches involving a database containing information on more than 500,000 individuals nationwide; breaches involving databases owned by the federal government; or breaches involving employees or contractors to the federal government involved in national security or law enforcement.

Timing Behind Obama Proposal

White House Press Secretary Josh Earnest, at a briefing Jan. 12, sidestepped a question on how the new proposal differs from the 2011 one. But he said the timing is right to propose such legislation because the Sony breach gets the attention of lawmakers.

"The proposal that we have sent up, or will send up, is one that does have the strong support of consumer groups because they recognize how important it is for companies to fulfill their obligations to communicate clearly with their consumers and their customers to make sure those customers can take appropriate steps to protect their privacy and protect against identity theft," Earnest said. "At the same time, this is also welcome news to industry, because this clarity associated with one specific national standard would make it clear to them what sort of obligations they need to fulfill to their customers."

Notwithstanding the president's proposal, lawmakers who have sponsored data breach notification bills in the past, including Democratic Sens. Patrick Leahy of Vermont and Dianne Feinstein of California, say they'll do so again in the current Congress. "In just the last 18 months, many millions of Americans have had data stolen in hacks of Target, Neiman Marcus, Home Depot, Sony, JP Morgan Chase and other companies," Feinstein says. "Cyber-attacks cost the economy hundreds of billions of dollars a year, and this will only get worse. Congress must take steps to minimize the damage."

Advancing the State of the Union Address

Obama outlined his latest data breach notification proposal along with other initiatives aimed at protecting consumer online privacy and battling identity theft during a Jan. 12 speech at the Federal Trade Commission. The president is spending the first half of this week promoting his cyber agenda in advance of his State of the Union address that will feature steps to promote and safeguard the digital world. On Jan. 13, Obama will visit the Department of Homeland Security to outline his cyberthreat information sharing plan, and on Jan. 14 he travels to Iowa to promote broadband access. "I'm laying out some new proposals on how we can keep seizing the possibilities of an Information Age, while protecting the security and prosperity and values that we all cherish," he said in his FTC speech.

Also on Jan. 13, Obama is meeting with key lawmakers to discuss his cyber agenda. One of those lawmakers is the newly minted chairman of the Senate Commerce, Science and Transportation Committee, John Thune, R-S.D. Thune says he's ready to work with the president on data breach notification and other cybersecurity legislation. But his statement about the president's agenda had a partisan ring to it: "I welcome President Obama back to the discussion on cybersecurity in the wake of the highly publicized cyber-attack on Sony Pictures," says Thune, who took over chairmanship of the panel, which would consider data breach notification legislation, after the Republican victory in November's election.

Thune complains that Obama didn't do enough late last year to get the then-Democratic majority in the Senate to enact other cybersecurity-related bills, including one to share cyberthreat information. "President Obama's engaged support for similar legislation this Congress would help address cyberthreats, improve privacy protections and would also begin to address concerns over the president's go-it-alone approach of unilateral executive actions on cyber and other issues."

White House's Disappointment with Congress

Earnest, at the press briefing, declined to explain how the cyberthreat information sharing proposal the president will present on Jan. 13 differs from the House-passed Cyber Intelligence Sharing and Protection Act, a measure that the White House twice threatened to veto in the past two congresses. "Well, we'll save tomorrow's news for tomorrow," he said. "But you have heard me say on a number of occasions that we've been pretty disappointed that Congress has not fulfilled their responsibility that they have to deal with this critically important issue."

The administration threatened a veto because White House officials contend CISPA didn't go far enough to protect individuals' privacy and went too far in furnishing liability protection to businesses that shared cyberthreat information.

"We would hope that that would not be something that would get bogged down in partisan debates," Earnest said. "This is something we should all be able to agree on. We'll see. I think the same thing - same description could apply to the kinds of cybersecurity legislation that the president looks forward to talking about tomorrow. But for the details of that, we'll have more on that for you."

Claire Gorman's curator insight, January 15, 2015 11:42 AM

We selected this article because it's current, topical and of relevance to the students in terms of data protection. 


We do agree that there is an inherent risk of data being breached and putting the country's security and reputation at risk. (Refer to this week's events - hacking of military data). We also agree that there should only be one law to make things clearer. Public awareness needs to be raised immediately. We question the benchmark figure before the media needs to be notified of a breach.


Obama Unveils Cyberthreat Info Sharing Plan

It looks like 2015 is beginning where 2014 left off regarding cyberthreat information-sharing legislation.

President Obama on Jan. 13 unveiled his legislative proposal to promote cybersecurity information sharing between business and government, a proposal Congress has debated for years, but has been unable to enact.

Obama's proposal, according to a summary released by the White House, would provide stronger privacy protections than did the Cyber Intelligence Sharing and Protection Act, the bill passed in the last Congress by the Republican-controlled House of Representatives and which the administration threatened to veto. Cyberthreat information-sharing legislation never came up for a vote in the then-Democratic-controlled Senate.

A senior administration official, speaking on background, says the White House's position on CISPA that led to the veto threat has not changed. The administration says its proposal would safeguard Americans' personal privacy by requiring businesses to comply with certain privacy restrictions, such as removing unnecessary personal information and taking measures to protect any personal information that must be shared, in order to qualify for liability protection. CISPA didn't do that, and that's one reason the White House threatened a veto. The White House also said CISPA provided too broad of liability protections for businesses. The new proposal offers targeted liability protection to businesses that share cyberthreat information.

Acting in Good Faith

That liability protection is important to businesses because they don't want to face lawsuits from disgruntled shareholders and others because the information they share might disclose vulnerabilities in their IT systems. "The president's proposal to grant targeted liability protections will foster greater industry participation, while helping to progress what has traditionally initiated the barriers to sound and meaningful threat-sharing policy," says Elizabeth Hyman, executive vice president of public advocacy at the high-tech industry group TechAmerica. "Organizations acting in good faith should be incentivized to partner with the federal government."

Obama's proposal also would require the Department of Homeland Security and the attorney general to develop guidelines governing the receipt, retention, use and disclosure of cyberthreat information received from businesses.

In addition, the administration plan would encourage businesses to share appropriate cyberthreat information with the National Cybersecurity and Communications Integration Center, the Homeland Security agency responsible for information sharing and analysis to protect the federal government and critical infrastructure. NCCIC (pronounced n-kick), as the center is known, would then share the information in as close to real time as practicable with relevant federal agencies and with private sector-developed and operated Information Sharing and Analysis Centers.

More ISACs

The White House proposal would encourage industries that do not have ISACs to form them. But to be most effective, the respective industries running the ISACs need to make sure they don't cede too much authority to the federal government, says Chris Blask, who chairs the Industrial Control System ISAC.

Too often, he says, ISACs are more about what the federal government wants rather than what industry needs. "This is not at all bad, but it does not intrinsically speak to the needs and interests of various private-sector demographics," Blask says.

Reaction to Obama's plan from business and privacy groups was generally cautious. The Financial Services Roundtable, in a statement, says it applauds Obama for raising "this important discussion on information sharing and looks forward to reviewing the details of the proposal."

Harley Greiger, senior counsel at the Center for Democracy and Technology, an online advocacy group, is taking a wait-and-see approach on the Obama plan. "The White House proposal relies heavily on privacy guidelines that are currently unwritten," he says. "What these guidelines say and when they are applied will be critical to protecting Internet users. Privacy protections and use restrictions must be in effect before information sharing occurs."

Partisan Rhetoric

In the Capitol, the partisan rhetoric of the 113th Congress reverberated in the new 114th Congress as some lawmakers responded to the president's plan with a bit of mockery. "While it took an attack on Hollywood for the president to re-engage Congress on cybersecurity, I welcome him to the conversation," says House Homeland Security Committee Chairman Mike McCaul, R-Texas, referring to the Sony Pictures Entertainment breach.

A more straightforward response came from Rep. David Nunes, the California Republican who's the new chairman of the House Intelligence Committee.

"I am glad to see President Obama putting forth his ideas to address this critical issue," he says. "They will receive close consideration as the House Intelligence Committee crafts a cyber-bill."

The senior administration official sounded more optimistic about prospects for passage of cyberthreat sharing legislation. "Everybody has indicated a willingness to talk and to move things forward and move beyond that straight-up piece of legislation," the official says. "The administration is serious about working on this issue and has clearly articulated its position going into those discussions with the Hill. And I look forward to some good, productive discussions with the folks up on various committees this spring."

Prosecuting Botnet Sales

Another legislative initiative proposed by Obama would strengthen law enforcement to combat cybercrime. If enacted, the legislation would:

  • Allow the prosecution of those who sell botnets;
  • Expand federal law enforcement authority to deter the sale of spyware used to stalk or commit identity theft;
  • Give courts the authority to shut down botnets engaged in distributed denial-of-service attacks and other criminal activity.

"Much like possession of robbery tools is a criminal offense for those who are arrested trying to break and enter into a house, this proposal focuses on the tools - botnets, spyware, etc. - that are used in furtherance of breaches, IP theft and identity theft," says Christopher Pierson, former president of the Phoenix chapter of InfraGard, an FBI-private sector partnership that shares threat information. "This is a step in the right direction, but, of course, the application depends on the ability to capture and prosecute the persons involved in the crime."

Obama's proposal also would apply to cybercriminals the Racketeer Influenced and Corrupt Organizations Act, the statute known as RICO that government lawyers use to prosecute those involved in organized crime. It also would clarify the penalties for computer crimes and ensure these penalties are in line with other similar non-cybercrimes.

The cybercrime legislative proposal would criminalize the overseas sale of stolen U.S. financial information, such as credit card and bank account numbers. But some security experts question the effectiveness of such a law. "For it to be effective, we need to have cooperation of the law enforcement authorities in the countries where the data is being sold and purchased," says cybersecurity expert Gene Spafford of Purdue University. "We do not have authority to shut down sites or arrest people in other countries, even if what they are doing is illegal here. We need international cooperation."

Obama's data-breach initiative has privacy advocates optimistic, cautious

There may finally be a standard set of rules for how US companies protect customers' data in the aftermath of a breach, if new proposed rules from the president become law.

For years, companies in America have contended with a patchwork of laws regarding how they treat customer information. Some states have strict rules, designed to ensure consumer protection. Others have none.

President Barack Obama wants that to change, and so do consumers. A Pew Research study conducted last year found 18 percent of consumers have seen their credit card, bank account, or Social Security number stolen, up from 11 percent only six months earlier.

They have reason to be concerned. The Identity Theft Resource Center said data breaches in the US were up 27.5 percent in 2014 over the year before. The past couple of years have been filled with headlines about catastrophic data breaches from Target and Home Depot, as well as arts and crafts chain Michaels and restaurant chain P.F. Chang's. In November, Sony Pictures suffered one of the worst hacks in corporate history.

Now, the government may step in, at least to ensure consumers are protected. President Obama on Monday proposed a new law called the Personal Data Notification and Protection Act, which would create a basic set of rules for how companies handle their customer information. It also would criminalize international trade in stolen personal identity information.

Aside from one specific rule that would require companies to notify customers within 30 days of the discovery of a data breach, there aren't many other details available yet about Obama's proposal. The president is expected to outline more specifics in his State of the Union speech next week.

In the meantime, tech industry executives and privacy advocates are excited at the prospect of a renewed effort to create a national standard. They say the bills that succeed are typically aimed at the government and how it handles information, rather than corporations.

Now that could change.

"This is a huge shot in the arm to a much-needed advancement for our legislative protections," said Scott Talbott, who heads up government relations for the trade group Electronic Transactions Association.

Some, like Alvaro Bedoya, the executive director of the Center on Privacy and Technology at Georgetown University, are cautiously optimistic. "Some states tend to have very strong data breach laws," he said. "We're going to need to put the Obama proposal side-by-side with those states' laws and see how they stack up."

Many questions still remain

While 47 states have laws requiring companies to at least notify consumers of security breaches involving their personal information, according to the National Conference of State Legislatures, the similarities often end there.

The toughest state laws, said Bedoya, have strong provisions for credit monitoring, requiring companies give affected consumers at least a year of free credit protection. Companies must notify consumers that their information has been compromised within 30 days. California, for example, lets its residents attempt to recover damages, making it one of the most aggressive.

But South Dakota, Alabama and New Mexico have no data breach protections at all for consumers, according to Heidi Shey, a security and risk analyst at research firm Forrester.

The Electronic Privacy Information Center, a research group that tracks privacy and civil liberties issues, said the proposal would greatly impact consumers in those places, while also creating a minimum set of rules that all companies would have to follow.

President Obama isn't the first to propose such nationwide measures. In the previous session of Congress alone, which lasted from 2013 to 2015, there were four similar bills in the House of Representatives and two in the Senate. All of them went nowhere.

But that was before the latest string of privacy breaches. "It's important to have this in place from a consumer perspective," said Forrester's Shey. "If we have 50 separate laws, it makes it so much harder for a company to respond. It gets easy to drop the ball."
