HIPAA

Keeping your Facebook images private is a confounding problem. Ask Mark Zuckerberg’s sister Randi who couldn’t make sense of  FB’s privacy settings. Kashmir Hill, a privacy commentator at Forbes posted a funny analysis of the Zuckerberg predicament and easy to follow directions on how to adjust your settings to keep family photos more private. The settings are easy once you know where to look. User posting behavior sometimes doesn’t match with User privacy concerns.

Regarding content posted online as public is best– no matter what the privacy policy says.  Social media and other interactive businesses struggle  to keep their policies (and practices) current and reflective of how technology actually uses data to provide services online. Users who follow the steps in Kashmir Hill’s article and thinking before posting private content will have fewer social media privacy concerns.

Cookies are one of my favorite things.  Usually, this refers to the oatmeal raisin variety rather than those tiny bits of computer code that empower websites to remember a user’s login, keep items in a shopping cart and greet the user by name when she returns.  Warm and fuzzy, right?

Sometimes, not so much.  I once shopped for a friend on a website that she loves but is not my taste. So years later continuting to be served display ads from that website is irritating.  Another friend tweeted that “it’s creepy” when a product she was reading about on one website appears later in a display ad on a different website.  It seemed someone was spying on her.  Uncanny!  “Creepy” is a term borrowed from robotics to refer to a use of personal information that does not legally invade your privacy but is frightening because of the “stalker-like” appearance that a website knows everything about the user.

In 1890, another new technology was changing the media. Then as now, legal scholars were concerned that existing law would not protect consumers from the heretofore unheard of technology.  In The Right to Privacy inspired by the invention of “instantaneous photographs”, Justices Samuel D. Warren and Louis D. Brandeis identified privacy as the right of an individual to be left alone. William Prosser further developed Invasion of Privacy into a set of four torts (legal remedy for an injury): False Light, Appropriation of Name or Likeness, Intrusion into Seclusion and Public Disclosure of Private Facts. The body of law that developed from Warren and Brandeis’ article served to protect privacy through the 20th Century until the proliferation of electronic information in the Internet age allowed websites to identify users without using their names or likenesses.

Today it is important to understand and take steps to control the personal information tracked by websites and online technology.  Much of the technology is used to provide an internet visitor with a consistent experience across Internet Platforms. Here are descriptions of common types of technology websites use to track users:

  • Cookie. A cookie is a small file containing a string of characters that is sent to a user’s computer when the user requests a website address. When that user later returns to the website, the cookie allows that site to recognize the user’s browser. Cookies are usually discarded when the person ends the session and closes the browser.
  • Persistent Cookie. Cookies that include an expiration date will persist until the arrival of the expiration date, potentially long in the future. Cookies may store user preferences and other information. A user can reset her browser to refuse all cookies or to indicate when a cookie is being sent.
  • Pixel Tag.  A pixel tag, sometimes called a web beacon, is a tiny graphic file placed on a website, in an ad or within the body of an email for the purpose of tracking activity on websites, or notifying a sender when emails are opened or accessed, and often used in combination with cookies to connect an ad to an interested consumer.
  • Server Log.  Website servers automatically record the page requests made by visitors to the website in log files. Server logs typically record web requests, Internet Protocol addresses, browser type, browser language, the date and time of a request and one or more cookies that uniquely identify the user’s browser.
  • IP Address.  Computers connected to the Internet are assigned a unique number known as an Internet protocol (IP) address. Since these numbers are usually assigned in country-based blocks, an IP address can often be used to identify the country from which a computer is connecting to the Internet. Depending on how a user connects to the internet, the IP Address may identify one computer or may change each time the user connects to the internet.
  • Anonymous Identifier.  An anonymous identifier is a random string of characters that is used for the same purposes as a cookie on platforms, including those for mobile devices, where cookie technology is not available.

While each of these technologies may be used for administrative purposes such as noting whether a user is a return visitor, remembering the user’s preferences or providing confirmation that the correct ad was served to a particular website to allow a publisher to correctly charge the advertiser for an ad the user clicked, the same technologies may also be used by third parties to quantify and predict consumer behavior. Aggregating non-personally identifiable information stored on user’s browsers allows third party ad servers to accurately predict when a user will purchase a particular product. These third parties use web beacons to find a likely buyer and scan her cookie and log file information to analyze the value of serving a particular ad to that user.  Advertiser can then bid on the value of the ad to be served to the user.

Although the third party ad server cannot identify the human, it knows many details about the user’s browsing history and product preferences. That’s when things start to feel creepy.  This practice is not an invasion of privacy recognized by Warren, Brandeis or Prosser, but it may be actionable as a deceptive practice under the Federal Trade Commission Act.

Undressing Online: Managing User Privacy in an Interactive World

Speakers Kashmir Hill, David Hale, Josh Freemire and Moderator Al Yukna

The evolution of digital and social marketing makes it easier than ever for agencies and marketers to target consumers. But there are gaping legal pitfalls. Because of lax or downright misleading privacy policies, some of the largest online players – including Facebook, Twitter and Google – have bull’s-eyes on their backs; and the Federal Trade Commission is taking aim.

So, how can agencies and marketers stay out of the FTC’s crosshairs?  Join the AAF Baltimore and Ober|Kaler on Wednesday, January 18, 2012, for a panel discussion featuring some of the most respected privacy experts in the industry. We’ll explore the risks associated with digital advertising and mobile technology. And we’ll talk about how electronic medical and financial data is used in marketing—legally and illegally.  It’s not just tech companies that have something to worry about, many healthcare businesses sell  …

(more…)

Is HIPAA privacy compliance required when unencrypted Personal Health Information is lost on a train?

A lawyer lost a portable hard drive containing protected health information (PHI) on a commuter train, reports The Baltimore Sun. What compliance is required? From the Sun article, the hard drive, while complicated and technologically difficult to access, was not encrypted.  Loss of unencrypted data by healthcare professional or company triggers compliance under the HIPAA Privacy Rule  as a “covered entity.”  HIPAA compliance requires covered entities to notify both affected patients and the Health and Human Services Office of Civil Rights.  The lawyer’s firm was, however, as the Sun points out, not a covered entity.  According to the Sun:

… it’s unclear if the law firm would be covered by the medical record privacy law, the Health Insurance Portability and Accountability Act, commonly known as HIPAA. The incident may have exposed a loophole, said Marc Rotenberg, executive director of the Electronic Privacy Information Center in Washington and an adjunct professor at Georgetown University Law Center.

HIPAA regulates the protection of patient information by “covered entities” — providers of health care or health plans and data management companies. But malpractice attorneys aren’t expressly mentioned….

One of our colleagues in Ober|Kaler’s Health Law group, Joshua Freemire, says that a loophole for malpractice lawyers may be an oversimplification.  (more…)