Healthcare Data Privacy

Patients Want Easy Access to Their Health Data but Better Privacy Protections Preferred

Patients want easy access to their health data and for their health information to be presented in a concise, easy to understand format, according to a new poll conducted by Morning Consult on behalf of America’s Health Insurance Plans (AHIP). However, patients and consumers are well aware of the threat of cyberattacks and data breaches and they do not want their private health information to be compromised. A majority (62%) of patients and consumers said they would be willing to forgo easy access to their health data if it meant greater privacy protections were in place to protect their health information.

In November 2019, President Trump signed an Executive Order on Improving Price and Quality Transparency in American Healthcare to Put Patients First. In response, the Department of Health and Human Services, the Department of Labor, and the Department of the Treasury proposed a new Transparency in Coverage Rule. The rule requires “employer-based group health plans and health insurance issuers offering group and individual coverage to disclose price and cost-sharing information to participants, beneficiaries, and enrollees up front.”

With access to that information, patients would be made aware of the costs they need to cover to meet the deductible of their plan or co-pay or co-insurance requirements. It would make it much easier for patients to make cost comparisons.

The cost of medical procedures is a key consideration for patients. 74% of respondents said they were very likely (52%) or somewhat likely (22%) to research how much they would have to pay for a medical procedure or service covered by their health insurance plan, and 68% said they would be very likely or somewhat likely to choose a lower cost medical procedure than one recommended by their doctor. 66% of respondents said they would consider making an appointment with a specialist, as recommended by a doctor, if they knew they would receive the same quality of care at a lower cost.

While easier access to cost information and greater transparency would be welcomed, 3 in 4 individuals who took part in the poll said they would not support a federal regulation that increases transparency if it also meant their insurance premiums would rise.

When it comes to obtaining information on medical procedures, patients want easy to understand information rather than comprehensive information. 82% of adults said that apps and websites that provide information on a medical procedure are more valuable if they provide concise, easy to understand information rather than comprehensive information that is confusing.

The survey also revealed there is strong support for federal legislation akin to HIPAA for technology companies that collect or are provided with health data. 90% of respondents said tech companies should also have to comply with strict standards for privacy and security as is the case with healthcare organizations.

The post Patients Want Easy Access to Their Health Data but Better Privacy Protections Preferred appeared first on HIPAA Journal.

Critical ‘MDHex’ Vulnerabilities Identified in GE Healthcare Patient Monitoring Products

Critical vulnerabilities have been identified in GE Healthcare patient monitoring products by a security researcher at CyberMDX.

Elad Luz, Head of Research at CyberMDX, identified six vulnerabilities, five of which have been rated critical and one high severity. The five critical vulnerabilities have been assigned the maximum CVSS v3 score of 10 out of 10. The other vulnerability has a CVSS v3 score of 8.5 out of 10.

Exploitation of the flaws could render the affected products unusable. Remote attackers could also alter the functionality of vulnerable devices, including changing or disabling alarm settings, and steal protected health information stored on the devices.

CyberMDX initially investigated the CARESCAPE Clinical Information Center (CIC) Pro product, but discovered the flaws also affected patient monitors, servers, and telemetry systems. The vulnerabilities have been collectively named MDHex and are tracked under the CVEs: CVE-2020-6961, CVE-2020-6962, CVE-2020-6963, CVE-2020-6964, CVE-2020-6965, and CVE-2020-6966. GE Healthcare has confirmed that the vulnerabilities could have serious consequences for patients and hundreds of thousands of devices may be affected.

CVE-2020-6961 (CVSS 10.0) is due to unprotected storage of credentials (CWE-256). The flaw could allow an attacker to obtain the SSH private key from configuration files via a SSH connection and remotely execute arbitrary code on vulnerable devices. The same SSH key is shared across all vulnerable products.

CVE-2020-6962 (CVSS 10.0) is an input validation vulnerability (CWE-20) in the configuration utility of the web-based system. If exploited, an attacker could remotely execute arbitrary code.

CVE-2020-6963 (CVSS 10.0) concerns the use of hard-coded Server Message Block (SMB) credentials (CWE-798). An attacker could establish an SMB connection and read or write files on the system. The credentials could be obtained through the password recovery utility of the Windows XP Embedded operating system.

CVE-2020-6964 (CVSS 10.0) is due to missing authentication for a critical function (CWE-306) concerning the integrated Kavoom! Keyboard/mouse software. If exploited, an attacker could remotely input keystrokes and alter device settings on all vulnerable devices on the network without authentication.

CVE-2020-6965 (CVSS 8.5) is due to the failure to restrict the upload of dangerous file types (CWE-434). An attacker could upload arbitrary files through the software update facility.

CVE-2020-6966 (CVSS 10.0) is due to inadequate encryption strength (CWE-326). Weak encryption is used for remote desktop control through VNC software, which could lead to remote code execution on vulnerable networked devices. The necessary credentials could also be obtained from publicly available product documentation.

According to a recent ICS-CERT Advisory, the following GE Healthcare products are affected:

  • ApexPro Telemetry Server, Versions 4.2 and prior
  • CARESCAPE Telemetry Server, Versions 4.2 and prior
  • Clinical Information Center (CIC), Versions 4.X and 5.X
  • CARESCAPE Telemetry Server, Version 4.3
  • CARESCAPE Central Station (CSCS), Versions 1.X; Versions 2.X
  • B450, Version 2.X
  • B650, Version 1.X; Version 2.X
  • B850, Version 1.X; Version 2.X

GE Healthcare is currently developing patches for the vulnerable products which are expected to be released in Q2, 2020. In the meantime, GE Healthcare has published a series of mitigations to reduce the risk of exploitation of the vulnerabilities.

Healthcare providers should follow standard network security best practices and ensure mission critical (MC) and information exchange (IX) networks have been configured correctly and meet the requirements outlined in the Patient Monitoring Network Configuration Guide, CARESCAPE Network Configuration Guide, and product technical and service manuals.

If connectivity is required outside the MC and/or IX networks, a router/firewall should be used. GE Healthcare recommends blocking all incoming traffic from outside the network at the MC and IX router firewall, except when required for clinical data flows.

The following ports should be blocked for traffic initiated from outside the MC and IX network: TCP Port 22 for SSH and TCP and UDP Ports 137, 138, 139, and 445 for NetBIOS and SMB as well as TCP Ports 10000, 5225, 5800, 5900, and 10001.

Physical access to Central Stations, Telemetry Servers, and the MC and IX networks should be restricted, password management best practices should be followed, and default passwords for Webmin should be changed.
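The mitigations above amount to a boundary policy for the MC/IX networks: drop the listed ports for connections initiated from outside, and admit nothing else from outside unless it is a documented clinical data flow. The following is an added example (not GE Healthcare's or ICS-CERT's tooling) that encodes that policy, audits sample connections against it, and renders the block list as nftables rules; the MC/IX address ranges, the clinical allow-list entry, the interface name and the sample flows are constructed placeholders, while the ports are the ones listed in the text.

```python
"""Check inbound flows against the MC/IX boundary policy described above.

Added example; this is not GE Healthcare's or ICS-CERT's tooling. The MC/IX
address ranges, the clinical allow-list entry, the outside interface name and
the sample flows are constructed placeholders. The blocked ports are the ones
listed in the advisory text.
"""
import ipaddress
from typing import Iterable, NamedTuple

# Constructed placeholders: address ranges of the mission-critical (MC) and
# information-exchange (IX) networks at a hypothetical site.
MC_IX_NETWORKS = [
    ipaddress.ip_network("10.10.0.0/16"),  # MC network (assumed)
    ipaddress.ip_network("10.20.0.0/16"),  # IX network (assumed)
]

# Ports the advisory says to block for traffic initiated from outside MC/IX:
# SSH, NetBIOS/SMB on TCP and UDP, and the product-specific TCP ports.
BLOCKED_PORTS = {
    ("tcp", 22),
    *((proto, port) for proto in ("tcp", "udp") for port in (137, 138, 139, 445)),
    ("tcp", 5225), ("tcp", 5800), ("tcp", 5900),
    ("tcp", 10000), ("tcp", 10001),
}

# Constructed placeholder: the one inbound clinical data flow this hypothetical
# site has documented as required (an HL7 feed from an interface engine).
CLINICAL_ALLOW = {("192.168.50.10", "tcp", 2575)}

OUTSIDE_IFNAME = "wan0"  # assumed name of the router's outside-facing interface


class Flow(NamedTuple):
    src: str
    dst: str
    proto: str
    dport: int


def is_mc_ix(ip: str) -> bool:
    """True when the address belongs to the MC or IX network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MC_IX_NETWORKS)


def decide(flow: Flow) -> str:
    """Return 'allow', 'block' or 'out-of-scope' for a single new connection.

    Traffic that originates inside MC/IX is not restricted; traffic from
    outside is dropped on the listed ports and otherwise only admitted when it
    is a documented clinical data flow.
    """
    if not is_mc_ix(flow.dst):
        return "out-of-scope"  # not headed into MC/IX; this policy says nothing
    if is_mc_ix(flow.src):
        return "allow"  # initiated inside the MC/IX networks
    key = (flow.proto.lower(), flow.dport)
    if key in BLOCKED_PORTS:
        return "block"  # explicit block list wins even for allow-listed hosts
    if (flow.src, *key) in CLINICAL_ALLOW:
        return "allow"
    return "block"  # default deny for everything else arriving from outside


def audit(flows: Iterable[Flow]) -> list[Flow]:
    """Return the flows that reached MC/IX hosts but should have been blocked.

    Feed it connections observed inside MC/IX (e.g. from flow logs) to verify
    that the router/firewall is actually enforcing the policy.
    """
    return [f for f in flows if decide(f) == "block"]


def nftables_rules() -> list[str]:
    """Render the block list as nftables rules for the MC/IX router's input path."""
    rules = []
    for net in MC_IX_NETWORKS:
        for proto in ("tcp", "udp"):
            ports = sorted(p for pr, p in BLOCKED_PORTS if pr == proto)
            portset = ", ".join(str(p) for p in ports)
            rules.append(
                f'iifname "{OUTSIDE_IFNAME}" ip daddr {net} {proto} dport {{ {portset} }} drop'
            )
    return rules


# Constructed sample: connections seen arriving at MC/IX hosts.
SAMPLE_FLOWS = [
    Flow("203.0.113.5", "10.10.1.20", "tcp", 22),      # SSH from outside
    Flow("203.0.113.5", "10.10.1.20", "udp", 137),     # NetBIOS from outside
    Flow("192.168.50.10", "10.20.1.5", "tcp", 2575),   # documented HL7 feed
    Flow("192.168.50.10", "10.20.1.5", "tcp", 5900),   # VNC from the HL7 host
    Flow("10.10.1.2", "10.10.1.20", "tcp", 22),        # SSH inside MC
]

if __name__ == "__main__":
    for f in audit(SAMPLE_FLOWS):
        print("should have been blocked:", f)
    print("\n".join(nftables_rules()))
```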

Exploits for the vulnerabilities are not believed to have been made public and GE Healthcare is unaware of any attempted cyberattacks or injuries to patients as a result of the flaws.

The post Critical ‘MDHex’ Vulnerabilities Identified in GE Healthcare Patient Monitoring Products appeared first on HIPAA Journal.

Maze Ransomware Gang Publishes Research Data of Medical Diagnostic Laboratories

The operators of Maze ransomware are following through on their threats to publish data stolen from the victims of ransomware attacks when the ransom is not paid.

In December, the Carrollton, GA-based wire and cable manufacturer Southwire refused to pay a 200 BTC ransom ($1,664,320) and the threat actors went ahead and published some of the stolen data. Southwire filed a lawsuit in the Northern District of Georgia against the Maze team and the ISP hosting the Maze Team’s website. The case was won, and the website was taken offline; however, the website was back online with a different hosting provider a few days later.

Listed on the webpage are the names of the companies that have been attacked and refused to pay the ransom demand, along with some of the data stolen in the attacks.

One of those companies is New Jersey-based Medical Diagnostic Laboratories (MD Lab). According to the Maze Team, MD Lab was attacked on December 2, 2019. MD Lab made contact with the Maze team, but negotiations stalled, and no ransom was paid.

According to the Maze website, 231 workstations were encrypted in the attack. When MD Lab refused to negotiate, the Maze team went ahead and published 9.5GB of the company’s private research data, including immunology research. The Maze Team then advertised the stolen data on a hacking forum in an attempt to restart negotiations with the company. According to Bleeping Computer, 100GB of data was stolen in the attack. The Maze team have demanded a ransom payment of 100 BTC ($832,880) for the keys to unlock the encrypted files and a further 100 BTC payment to destroy the stolen data.

While threats have been issued in the past to publish data stolen in ransomware attacks, there have been no confirmed cases of attackers following through on their threats until the Maze gang started publishing data in December 2019. Currently, 29 companies are listed on the website as not having paid, along with samples of data stolen in the attacks.

Earlier this month, The Center for Facial Restoration, Inc. announced it had suffered a similar fate following a November 8, 2019 ransomware attack. The attackers stole patient data before deploying ransomware and issued ransom demands to the healthcare provider as well as 10-20 patients. Photographs and personal information of up to 3,500 patients are believed to have been stolen in the attack.

In order to steal data, access to the network must first be gained and the attackers then need to search for sensitive data and exfiltrate it without being detected. Since these types of attacks require more skill to pull off than a standard ransomware attack, they are likely to remain relatively limited. That said, these data theft incidents are becoming more common. Several ransomware operators, including the Sodinokibi and Nemty gangs, have now adopted this tactic and have been threatening to publish or sell stolen data to pressure victims into paying.

The post Maze Ransomware Gang Publishes Research Data of Medical Diagnostic Laboratories appeared first on HIPAA Journal.

NIST Privacy Framework Version 1.0 Now Released

On January 16, 2020, the National Institute of Standards and Technology (NIST) issued version 1.0 of its Privacy Framework. The purpose of the Privacy Framework is to help organizations of all sizes use personal data such as protected health information while effectively managing privacy risks.

The Privacy Framework is a voluntary tool that not only helps with privacy risk management, it is also useful for achieving and demonstrating compliance with privacy regulations such as the Health Insurance Portability and Accountability Act (HIPAA), the California Consumer Privacy Act (CCPA), New York’s Stop Hacks and Improve Electronic Data Security (SHIELD) Act, and the EU’s General Data Protection Regulation (GDPR).

The Privacy Framework helps organizations identify the privacy outcomes they want to achieve, provides strategies to adopt to improve privacy protections and achieve those privacy goals, clarifies privacy management concepts, and explains how it can be used in conjunction with the NIST Cybersecurity Framework and how the two work together. NIST explains that organizations that have adopted the NIST Cybersecurity Framework may have a good security posture but may still not have addressed all of their privacy risks.

Version 1.0 retains the structure of the September 2019 draft version but includes several updates in response to public feedback. As with the draft version, the Privacy Framework consists of three sections: Core is a set of privacy activities, Profiles helps organizations determine which activities are required to achieve their privacy goals, and the Implementation Tiers section guides organizations through the process of optimizing their resources to address privacy risks.

“What you’ll find in the framework are building blocks that can help you achieve your privacy goals, which may include laws your organization needs to follow,” explained Naomi Lefkovitz, senior privacy policy adviser at NIST. “If you want to consider how to increase customer trust through more privacy-protective products or services, the framework can help you do that. But we designed it to be agnostic to any law, so it can assist you no matter what your goals are.”

The Privacy Framework is not only concerned with protecting sensitive data such as Social Security numbers; it will also help to ensure that lower value data is protected, such as data types that could be combined with others and become sensitive as a unit. New uses for data are regularly being discovered, such as for artificial intelligence. It is therefore important to adopt a framework for managing privacy risks rather than a checklist of tasks to perform. Adoption of the Privacy Framework will allow organizations to develop policies, procedures, and strategies to protect data, manage privacy risks effectively, and ensure those risks continue to be managed over time.

The framework will help organizations future-proof their products and services with privacy practices that will adapt to changing technologies, policies, and new legislation. The framework also addresses some privacy aspects that are missing from HIPAA but are particularly relevant today due to advances in technology.

“People continue to yearn for more guidance on how to do privacy risk management,” said Naomi Lefkovitz. “We have released a companion roadmap for the framework to point the way toward more research to address current privacy challenges, and we are building a repository of guidance resources to support implementation of the framework. We hope the community of users will contribute to it to advance privacy for the good of all.”

The NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management is available for download on NIST’s website (PDF).

The post NIST Privacy Framework Version 1.0 Now Released appeared first on HIPAA Journal.

California Bill Proposes Further Health Data Exemptions for CCPA

On January 1, 2020, the California Consumer Privacy Act (CCPA) came into effect. CCPA enhanced privacy protections for state residents and gave Californians new rights over their personal data.

Healthcare data covered by the Health Insurance Portability and Accountability Act (HIPAA) Rules and California’s Confidentiality of Medical Information Act (CMIA) were exempted from CCPA but there is still potential for CCPA to cause compliance headaches for healthcare organizations.

A new bill – AB 713 – has now been introduced which aims to simplify compliance by adding further categories of data to the CCPA exemptions, specifically health data that has been de-identified in accordance with HIPAA Rules, personal information used for public health and safety purposes, medical research data, and health information collected, maintained, or used by business associates of HIPAA-covered entities. The bill was unanimously approved by the State Senate Health Committee this month.

The change to the exemption for deidentified health data is required because the definitions of deidentified data differ under HIPAA and CCPA, and data de-identified in accordance with HIPAA could still contain data covered by CCPA. HIPAA only requires the removal of identifiers that could be used to identify patients. It does not require the removal of identifiers for workforce members or providers, which are covered by CCPA.

AB 713 adds a new exemption for health data that is deidentified in accordance with HIPAA, provided the following three conditions are met:

  • Data is deidentified through either the safe harbor or expert determination method detailed in 45 CFR § 164.514(b);
  • data is derived from protected health information, medical information, individually identifiable health information, or identifiable private information, consistent with the Federal Policy for the Protection of Human Subjects (Common Rule); and
  • the business or business associate does not attempt to re-identify, or actually re-identify, individuals from the data.

The exemption applies to information deidentified in accordance with HIPAA. This exemption would therefore also apply to entities not covered by HIPAA.

While AB 713 would exempt deidentified information, a business will be required to disclose, via a consumer-facing public notice, if deidentified information will be provided to third parties and the method used to deidentify the data.

CCPA does not cover certain types of personal information used for research, such as data collected for clinical trials subject to the Common Rule. AB 713 adds further exemptions for personal information collected or used in biomedical research studies subject to institutional review board standards, the ethics and privacy requirements of the Common Rule, the International Council for Harmonization’s good clinical practice guidelines, or the FDA’s human subject protection requirements. An exemption is also added for personal information collected for or used in research, subject to all applicable ethics and privacy laws, if the information is either individually identifiable health information (45 CFR § 160.103) or medical information governed by the California Confidentiality of Medical Information Act (CMIA).

AB 713 also adds an exemption for personal information that is only used for the following purposes, provided the information is protected in accordance with all confidentiality and privacy provisions applicable under federal or state law:

  • Product registration and tracking consistent with applicable FDA regulations and guidelines.
  • Public health activities and purposes detailed in 45 CFR § 164.512.
  • FDA-regulated quality, safety, and effectiveness activities.

The post California Bill Proposes Further Health Data Exemptions for CCPA appeared first on HIPAA Journal.

Support for Windows 7 Finally Comes to an End

Microsoft is stopping free support for Windows 7, Windows Server 2008, and Windows Server 2008 R2 on January 14, 2020, meaning no more patches will be released to fix vulnerabilities in the operating systems. Support for Office 2010 has also come to an end.

The operating systems will be up to date as of January 14, 2020 and all known vulnerabilities will have been fixed, but it will only be a matter of time before exploitable vulnerabilities are discovered and used by cybercriminals to steal data and deploy malware.

Even though Microsoft has given a long notice period that the operating system was reaching end of life, it is still the second most used operating system behind Windows 10. According to NetMarketShare, 33% of all laptop and desktop computers were running Windows 7 in December 2019.

Many healthcare organizations are still using Windows 7 on at least some devices. The continued use of those devices after support is stopped places them at risk of cyberattacks and violating the HIPAA Security Rule.

The natural solution is to update Windows 7 to Windows 10, although that may not be straightforward. In addition to purchasing licenses and upgrading the operating system, hardware may also have to be upgraded and some applications may not work on newer operating systems. The upgrade is therefore likely to be a major undertaking that may take a great deal of time.

If upgrading Windows 7 devices and Windows 2008 servers is not possible, steps should be taken to protect the devices and reduce the likelihood of a compromise and the impact of a cyberattack.

Steps to take to reduce the likelihood of a compromise include preventing the Windows 7 devices from accessing untrusted content. That means the devices should not be used for accessing email or browsing the internet, and portable storage devices and removable media should not be used with them.

Local administrator rights should be removed from all Windows 7 devices and firewall protection should be strengthened. The devices should not be used for accessing sensitive data, such as protected health information, and any sensitive data stored on the devices should be moved to devices running supported operating systems.

Since there is a greater chance of a malware infection on devices running unsupported operating systems, it is essential for anti-virus software to be installed and for it to be kept up to date. Regular scans should be conducted on the devices for malware and the devices should be monitored for potential cyberattacks in progress.

Microsegmentation can help to limit the harm caused in the event of a compromise. All devices running unsupported operating systems should be isolated from other networks and the devices should only be allowed to access critical services. Access to core servers and systems should be removed. It is also strongly advisable to review and revise business continuity plans to ensure that in the event of a compromise, critical business operations can continue. While paying for extended support is costly, it is strongly recommended.

These measures can reduce risk, but they will not eliminate it. Organizations should therefore be accelerating their plans to upgrade their operating systems and hardware. Moving to a supported operating system is the only way to ensure devices remain secure.

The post Support for Windows 7 Finally Comes to an End appeared first on HIPAA Journal.

Hospital Employee Pleads Guilty to Five-Year Account Hacking Spree

The U.S. Department of Justice (DOJ) has announced that a former employee of a New York City hospital has pleaded guilty to using malicious software to obtain the credentials of coworkers, which he subsequently misused to steal sensitive information.

Richard Liriano, 33, of the Bronx, New York, was an IT worker at the unnamed NYC hospital. As an IT worker, Liriano had administrative-level access to computer systems. He misused those access rights to steal information, which he copied onto his own computer for personal use.

He used a keylogger to obtain the credentials of dozens of co-workers at the hospital between 2013 and 2018. Those credentials allowed Liriano to login to coworkers’ computers and online accounts and obtain sensitive information such as tax documents, personal photographs, videos, and other private documents and files. Other malicious software was also used to spy on his coworkers.

Liriano stole credentials to coworkers’ personal webmail accounts, social media accounts, and other online accounts. Liriano also gained access to hospital computers containing sensitive patient information. According to the DOJ, Liriano’s computer intrusions cost his employer around $350,000 to remediate.

Between 2013 and 2018, Liriano accessed coworkers’ computers and personal accounts on multiple occasions looking for sensitive information. The majority of his 70+ victims were female. The DOJ reports that Liriano conducted searches of their personal accounts looking for sexually explicit photos and videos.

The computer intrusions were discovered and Liriano was arrested on November 14, 2019. On December 20, 2019, Liriano pleaded guilty to one count of transmitting a program to a protected computer to intentionally cause damage.

“Liriano’s disturbing crimes not only invaded the privacy of his coworkers; he also intruded into computers housing vital healthcare and patient information, costing his former employer hundreds of thousands of dollars to remediate,” said Geoffrey S. Berman, the United States Attorney for the Southern District of New York. “He will now be held accountable for his actions.”

Liriano faces a maximum jail term of 10 years and has been scheduled to be sentenced on April 15, 2020 by U.S. District Judge Lewis A. Kaplan.

The post Hospital Employee Pleads Guilty to Five-Year Account Hacking Spree appeared first on HIPAA Journal.

HIPAA Enforcement in 2019

It has been another year of heavy enforcement of HIPAA compliance. HIPAA enforcement in 2019 by the Department of Health and Human Services’ Office for Civil Rights (OCR) has resulted in 10 financial penalties. $12,274,000 has been paid to OCR in 2019 to resolve HIPAA violation cases.

2019 saw one civil monetary penalty issued and settlements were reached with 9 entities, one fewer than 2018. In 2019, the average financial penalty was $1,022,833.

HIPAA Enforcement in 2019 by the HHS' Office for Civil Rights

Particularly egregious violations will attract financial penalties, but some of the HIPAA settlements in 2019 provide insights into OCR’s preferred method of dealing with noncompliance. Even when HIPAA violations are discovered, OCR prefers to settle cases through voluntary compliance and by providing technical assistance. When technical assistance is provided and covered entities fail to act on OCR’s advice, financial penalties are likely to be issued.

This was made clear in two of the most recent HIPAA enforcement actions. OCR launched compliance investigations into two covered entities after being notified about data breaches. OCR discovered in both cases that HIPAA Rules had been violated. OCR chose to provide technical assistance to both entities rather than issue financial penalties, but the covered entities failed to act on the guidance and a financial penalty was imposed.

Sentara Hospitals disagreed with the guidance provided by OCR and refused to update its breach report to reflect the actual number of patients affected. West Georgia Ambulance was issued with technical guidance and failed to take sufficient steps to address the areas of noncompliance identified by OCR.

If you are told by OCR that your interpretation of HIPAA is incorrect, or are otherwise issued with technical guidance, it pays to act on that guidance quickly. Refusing to take corrective action is a sure-fire way to guarantee a financial penalty, attract negative publicity, and still be required to change policies and procedures in line with the guidance.

There were two important HIPAA enforcement updates in 2019. OCR adopted a new interpretation of the Health Information Technology for Economic and Clinical Health (HITECH) Act’s requirements for HIPAA penalties and a new enforcement initiative was launched.

The HITECH Act of 2009 called for an increase in the penalties for HIPAA violations. On January 25, 2013, the HHS implemented an interim final rule and adopted a new penalty structure. At the time it was thought that there were inconsistencies in the language of the HITECH Act with respect to the penalty amounts. OCR determined that the most logical reading of the HITECH Act requirements was to apply the same maximum penalty of $1,500,000 per violation category, per calendar year to all four penalty tiers.

In April 2019, OCR issued a notice of enforcement discretion regarding the penalties. A review of the language of the HITECH Act led to a reduction in the maximum penalties in three of the four tiers. The maximum penalties for HIPAA violations were changed to $25,000, $100,000, and $250,000 for penalty tiers 1, 2, and 3 (subject to inflationary increases).

2019 saw the launch of a new HIPAA Right of Access enforcement initiative targeting organizations who were overcharging patients for copies of their medical records and were not providing copies of medical records in a timely manner in the format requested by the patient.

The extent of noncompliance was highlighted by a study conducted by Citizen Health, which found that 51% of healthcare organizations were not fully compliant with the HIPAA Right of Access. Delays providing copies of medical records, refusals to send patients’ PHI to their nominated representatives or their chosen health apps, not providing a copy of medical records in an electronic format, and overcharging for copies of health records are all common HIPAA Right of Access failures.

The two HIPAA Right of Access settlements reached so far under OCR’s enforcement initiative have both resulted in $85,000 fines. With these enforcement actions OCR is sending a clear message to healthcare providers that noncompliance with the HIPAA Right of Access will not be tolerated.

Right of Access violations aside, the same areas of noncompliance continue to attract financial penalties, especially the failure to conduct a comprehensive, organization-wide risk analysis. 2019 also saw an increase in the number of cited violations of the HIPAA Breach Notification Rule.

HIPAA Compliance Issues Cited in 2019 Enforcement Actions

Noncompliance Issue                           Number of Cases
---------------------------------------------  ---------------
Risk Analysis                                         5
Breach Notifications                                  3
Access Controls                                       2
Business Associate Agreements                         2
HIPAA Right of Access                                 2
Security Rule Policies and Procedures                 2
Device and Media Controls                             1
Failure to Respond to a Security Incident             1
Information System Activity Monitoring                1
No Encryption                                         1
Notices of Privacy Practices                          1
Privacy Rule Policies and Procedures                  1
Risk Management                                       1
Security Awareness Training for Employees             1
Social Media Disclosures                              1

OCR’s HIPAA enforcement in 2019 also clearly demonstrated that a data breach does not have to have occurred for a compliance investigation to be launched. OCR investigates all breaches of 500 or more records to determine whether noncompliance contributed to the cause of a breach, but complaints can also result in an investigation and compliance review. That was the case with both enforcement actions under the HIPAA Right of Access initiative.

The post HIPAA Enforcement in 2019 appeared first on HIPAA Journal.

Discussion Draft of Federal Data Privacy Bill Released by House Energy and Commerce Committee

A discussion draft of a new bipartisan data privacy bill has been released by the House Energy and Commerce Committee. The bill calls for national standards for privacy and security and would place restrictions on the collection, use, and retention of consumer data by U.S. businesses.

The draft legislation calls for all businesses to have a privacy program and to publish a privacy policy, written in clear language, which explains what data will be collected, how it will be used, how long it will be retained, and with whom consumer information will be shared.

Data security measures would also need to be implemented, which should be appropriate for the size of the business and the nature and complexity of data activities. In the event of a breach of consumer information, businesses would be required to report the breach to the Federal Trade Commission.

The Federal Trade Commission has been tasked with creating a Bureau of Privacy which would be responsible for developing rules, issuing guidance, and enforcing compliance. The FTC would also need to set a data retention time frame and create rules covering the disclosure of personal information to third parties.

The bill would give consumers much greater control over their personal data and how it can be used by businesses. Consumers will have the right to view and correct their data, control who can access their personal information, and request that businesses delete their personal information.

To help consumers find out which businesses have their personal information, the draft legislation calls for the creation of a centralized repository of data brokers. Consumers could use that repository and find out who holds a copy of their data and find out how they can exercise their right to access that data, make corrections, and arrange for their personal data to be deleted.

“This draft seeks to protect consumers while also giving data collectors clear rules of the road. It reflects many months of hard work and close collaboration between Democratic and Republican Committee staff,” explained a spokesperson for the Energy and Commerce Committee.

The release follows a Senate Commerce Committee hearing in which two data privacy bills proposed by Senate Commerce Committee Chairman Roger Wicker (R-Miss) and Senator Maria Cantwell (D-Wash) were discussed. The two camps could not reach a consensus on what should be included in the bill, but it was agreed that the only way forward was for bipartisan legislation to be passed.

Two of the sticking points from the competing bills were whether the federal privacy bill should preempt state laws and whether a private cause of action should be included. Sen. Cantwell’s bill calls for a private cause of action to allow consumers to sue companies for privacy violations, which is opposed by Sen. Wicker. Wicker’s bill calls for the new federal privacy law to replace state laws, whereas Sen. Cantwell wants state laws to be retained to provide greater protection for consumers. The discussion draft of the bill avoids both of these issues.

Feedback is being sought from industry stakeholders on the draft legislation. Comments will be accepted until the middle of January 2020.

The post Discussion Draft of Federal Data Privacy Bill Released by House Energy and Commerce Committee appeared first on HIPAA Journal.