[governance] Re: story to post Laws bolster penalties for privacy breaches in California
Jeffrey A. Williams
jwkckid1 at ix.netcom.com
Sun Nov 23 04:05:04 EST 2008
Debbie and all,
This is IMO a good law, but not good enough, sorry to say. Many
patients may not even have access or good access to lawyers who
are willing and able to take on these cases to a successful end, and
when they do, the max fine is rarely levied, which at $250k is hardly
steep enough to even in many cases, cover the legal fees for the
wronged. And in Texas, as you know, punitive damages are almost
never levied. So stronger revision of these statutes and a federally
mandated statute is sorely needed here.
As a security and privacy issue, this sort of thing also needs IMO
an international legal framework that is readily enforceable. With the
International house of Justice now prosecuting civil cases, which
such a framework may be built, but I would prefer a criminal framework
to emphasize the importance and serve better as a deterrent.
We can only hope that companies like Google will disengage
from the sorts of activities it has significantly engaged in in
respect to privacy related data, but has thus far decided for
whatever reason not to do so sufficiently to date. As a result,
many consumers are thus greatly exposed and have little or no
control to prevent such. That's not expectable. But there are
things consumers can do, one in respect to Google is to discontinue
using any Google products, which is draconian indeed and unfortunate,
but effective to a significant degree in as much as limiting the
damage. The other, which is related, is to have a watch list of
websites/domain names that have demonstrated such lax security practices
that may impact or expose private data to the public. A recent one I
mentioned recently is consumersinternational.org.
See:
http://member.dnsstuff.com/tools/dnslite.php?r=homepage&domain=consumersinternational.org
and
http://private.dnsstuff.com/tools/dnsreport.ch?domain=consumersinternational.org&token=1140487061c0016606a0758720779019
and
http://member.dnsstuff.com/tools/dnslite.php?r=homepage&domain=ciroap.org
and
http://private.dnsstuff.com/tools/dnsreport.ch?domain=ciroap.org&token=07b040c1680509b00230148903d99019
Although these warnings and errors are not of an overly serious sort,
they demonstrate a lack of concern and consideration for consumers that
demonstrates sloppiness and disrespect for the consumers they purport to
advocate for or on behalf of.
Yet neither of these two suggestions will be enough either as awareness
will take a long time to be widely disseminated. Ergo, individuals when
they run across such web sites should be encouraged to report same to
relevant and appropriate authorities and then follow up with them to
emphasize that real action needs and indeed must be taken for the greater
good of us all.
Deborah Peel wrote:
> http://www.ama-assn.org/amednews/2008/12/01/bisa1201.htm
>
> [amednews.com]
>
> BUSINESS
>
> Laws bolster penalties for privacy breaches in California
>
> In the wake of multiple high-profile cases of snooping, the state
> cracks down on unauthorized looks at medical files.
>
> By Pamela Lewis Dolan, AMNews staff. Dec. 1, 2008.
> -----------------------------------------------------------------------
> Eyes will be on California starting next year, but they won't be
> peeking into medical records.
>
> At least that's Gov. Arnold Schwarzenegger's hope; in September he
> signed into law two bills that put some teeth into patient privacy
> rules and give doctors good reason to comply.
>
> Under the new laws taking effect Jan. 1, 2009, the state has
> significantly increased fines not only for the illegal use of medical
> records but also for unauthorized access of records. The laws also
> open the door for patients to sue doctors when their records are
> accessed, even if there is no damage.
>
> Other states have privacy laws that require notification of a breach,
> but the California bills are thought by experts to be the first to
> place a strong focus on enforcement.
>
> Experts predict California's actions will lead to more states
> following suit, as well as tougher enforcement of HIPAA privacy and
> security rules, which have gone largely unenforced since they took
> effect in 2003 and 2005, respectively.
>
> California law requires hospitals to notify patients within 5 days if
> their medical records are inappropriately accessed.
>
> For physicians, "the idea behind all this is don't wait until the
> 500-pound gorilla is pounding on your door," said attorney Peter
> MacKoul, president of Sugar Land, Texas-based HIPAA Solution, a
> consultancy that helps practices become HIPAA-compliant. "It's called
> preventative action."
>
> About the same time the California governor signed the two patient
> privacy bills into law, a report published by the California Health
> Dept. found snooping incidents at the UCLA Medical Center were much
> worse than initially thought. The study found that since 2003,
> hospital workers inappropriately accessed the electronic medical
> records of 1,041 patients, including those of California first lady
> Maria Shriver. Some of those employees were feeding celebrity
> information to the media, the report said.
>
> Both of the new state laws require that medical facilities safeguard
> patient records and implement controls that would prevent not only
> malicious theft of patient information but also unauthorized access.
>
> Under SB 541, if a snooping incident like those at UCLA occurs, the
> hospital must notify the patient within five days and if it fails to
> do so, fines of $100 per patient per day can be imposed, up to a total
> of $250,000.
>
> Under AB 211, which deals with individual physicians and other health
> care professionals, patients can collect damages up to $1,000. And
> licensed health care workers who violate the law could receive a civil
> penalty of up to $25,000 per violation; any person or entity that uses
> records for financial gain could receive a penalty up to $250,000. SB
> 541 also created the Office of Health Information Integrity, which
> will be responsible for the enforcement of the laws.
>
> The California Medical Assn. initially rejected AB 211 for being too
> vague. Amendments were made to allow enforcement officials to consider
> the size and complexity of the physician practice when deciding on
> remediation for violations. The bill then gained CMA's support.
>
> Patients in California can collect damages up to $1,000 if their
> medical records are inappropriately accessed.
>
> "It allows some customization to make sure the goal is to educate and
> train and make sure the physician can meet the requirement of the
> law," said Teresa Kline, associate director for CMA Government
> Relations. The CMA issued no opinion on the Senate bill.
>
> The American Medical Association has not analyzed the California
> bills. It has policy supporting patient privacy that instructs
> physicians to obtain patient permission before releasing information
> to the media or any other unauthorized person not involved with the
> care of that patient.
>
> Privacy experts say many physicians haven't done much beyond drafting
> a policy, and enforcement of HIPAA's privacy and security rules has
> been virtually nonexistent. Enforcement is the responsibility of the
> Office of Civil Rights, which receives no budget for enforcement
> activities.
>
> In an October report to the Centers for Medicare & Medicaid Services,
> Inspector General Daniel R. Levinson wrote that "CMS had no effective
> mechanism to ensure that covered entities were complying with the
> HIPAA Security Rule or that [electronic personal health information]
> was being adequately protected."
>
> Richard Cauchi, health program director for the National Conference of
> State Legislatures, expects to see federal legislation introduced that
> will address these issues, but expects more states to take matters
> into their own hands first. The NCSL is a bipartisan research group
> that does not take positions on legislative matters.
>
> "I think there is a possibility for federal laws to change. But there
> is a different pace of action for federal laws. Whereas states can
> look at something and if there is desire for change .... states can
> act quickly and achieve bipartisan consensus in a short period of
> time," he said.
>
> -----------------------------------------------------------------------
>
> ADDITIONAL INFORMATION:
>
> Eye on snooping
>
> Six reports by the California Dept. of Public Health found snooping at
> the University of California, Los Angeles, Medical Center was worse
> than first thought. The incidents involve more than 100 employees and
> more than 1,000 patients. Summaries are paraphrased from the reports:
>
> April 4 report stemming from March 17 investigation: An audit found
> six employees inappropriately accessed a celebrity's records in
> September 2005. The same celebrity was admitted on Jan. 31, and a
> total of 55 employees, including eight physicians, inappropriately
> accessed the patient's old file from September 2005. Hospital admits
> on March 17 that the incidents were not reported to Dept. of Public
> Health, as required by state law.
>
> April 4 report stemming from March 18 investigation: Nineteen hospital
> personnel and five medical staff inappropriately accessed a celebrity
> record and that of her child between Sept. 14, 2005, and Sept. 15,
> 2005. One employee attempted to access inappropriately the files of
> the same celebrity on Jan. 1 but instead found the celebrity's
> September 2005 file.
>
> April 28 report stemming from April 3 investigation: An investigation
> found one employee accessed the records of 61 patients from July 1,
> 2006, to May 21, 2007. Some were celebrities, others were hospital
> employees. The offender was authorized to access the files but had no
> reason to do so. A co-worker's ID and password were used in more than
> half the incidents. The same investigation found 13 other employees
> (including three physicians) accessed one celebrity's records between
> July 1, 2006, and May 21, 2007. At least one employee accessed records
> from home after the patient was released.
>
> July 3 report stemming from May 16 investigation: Two employees
> accessed a celebrity's record in May 2005 and again in November 2005.
> Another employee accessed the same celebrity's file 21 times between
> Oct. 28, 2004, and Nov. 9, 2004. It was later found the same employee
> accessed the files of 939 patients between April 13, 2003, and May 21,
> 2007. Three employees looked at the record of a celebrity who was in
> the hospital's emergency department on April 18.
>
> Source: California Dept. of Public Health; (www.cdph.ca.gov)
Regards,
Spokesman for INEGroup LLA. - (Over 284k members/stakeholders strong!)
"Obedience of the law is the greatest freedom" -
Abraham Lincoln
"YES WE CAN!" Barack ( Berry ) Obama
"Credit should go with the performance of duty and not with what is
very often the accident of glory" - Theodore Roosevelt
"If the probability be called P; the injury, L; and the burden, B;
liability depends upon whether B is less than L multiplied by
P: i.e., whether B is less than PL."
United States v. Carroll Towing (159 F.2d 169 [2d Cir. 1947]
===============================================================
Updated 1/26/04
CSO/DIR. Internet Network Eng. SR. Eng. Network data security IDNS.
div. of Information Network Eng. INEG. INC.
ABA member in good standing member ID 01257402 E-Mail
jwkckid1 at ix.netcom.com
My Phone: 214-244-4827