News Alerts and Breach Report for Week of April 17, 2023
Definition of Protected Data Under HIPAA to Expand
The Department of Health and Human Services (HHS) just launched an investigation into online health data collection via its Office for Civil Rights. This follows a move by HHS last December to expand its definition of protected data under the Health Insurance Portability and Accountability Act (HIPAA). That expansion continued last week with a Notice of Proposed Rulemaking, as the HHS seeks to expand HIPAA to cover data belonging to people who cross state lines to obtain a legal abortion. One result of the targeted enforcement of healthcare privacy is that compliance teams in the healthcare industry, specifically telehealth, are on high alert. Politico reports that, “In the first three months of 2023, telemedicine firms spent a quarter of what they did on targeted Facebook and Google ads during the same period last year, according to data from MediaRadar, an ad industry intelligence platform. Meanwhile, MediaRadar data shows nonprofit health systems also halved their spending on targeted ads during that same three-month period year-over-year.”
EU Parliament Committee Rejects EU-U.S. Data Privacy Framework
The European Parliament Committee on Civil Liberties, Justice and Home Affairs voted to adopt a nonbinding rejection of the proposed data transfer framework set to replace Privacy Shield. In a press release, Members of the European Parliament (MEPs) noted that “EU citizens need legal certainty and a future-proof regime,” as well as the right to redress and access information, and that the current proposal is likely to be invalidated by a court ruling. Additionally, “MEPs note that the framework still allows for bulk collection of personal data in certain cases, does not make bulk data collection subject to independent prior authorisation, and does not provide for clear rules on data retention.”
ChatGPT Earns Privacy Complaints
Following Italy’s temporary ban of AI chatbot ChatGPT, France has also announced an investigation into the chatbot’s impact on minors and data transparency. France’s data protection organization, CNIL, has said that it is following up on numerous privacy complaints, while Spain aims to put the topic of ChatGPT on the European Data Protection Committee’s discussion schedule, reports CPO Magazine. The outlet notes that, “the issue of employees feeding sensitive internal data into ChatGPT has already arisen as Samsung workers were found to be entering sensitive source code and the contents of internal meetings. The worst-case scenario would be if someone handling very sensitive personal data, such as health or financial information, decided to lighten their workload by plugging it into ChatGPT’s training model. Right now there is little to stop this from happening besides internal company policies and vigilance.”
Breach Report:
* * * * * * *
To read our latest article and guide to Iowa’s Data Privacy Bill, click here.
Jody Westby hosts our podcast, ADCG on Privacy & Cybersecurity, bringing together leaders in the privacy and cybersecurity arenas to discuss a wide range of issues ranging from the proposed federal and state regulations to best practices and standards for compliance. Episodes can be enjoyed on many platforms including Spotify and Apple Podcasts. Don’t forget to subscribe!
Our most recently released episodes:
90 | AdTech Meets Privacy Laws (with Guest Susan Israel)
89 | Quantum Technologies: What is Possible, Where We Are Headed & Policy Issues to Consider (with Chris Jay Hoofnagle)
88 | TikTok: A Path for Election Interference and Open Source Intelligence? (with guests Berit Anderson, and Evan Anderson)
To browse our previously published articles and news alerts, please visit our website, and don’t forget to subscribe to receive free weekly Data and Cyber Governance news and Breach Reports directly to your email.