Marvel fans know that Captain America’s shield is extraordinary, but exactly what it’s made of remains unknown – Vibranium? Adamantium? Unobtanium (oops, wrong movie)? For the time being, similar mystery shrouds the specifics of the new EU-U.S. Privacy Shield. Four months ago we posted on the European Court of Justice’s ruling that the U.S.-EU Safe Harbor was invalid. This Tuesday the European Commissioner announced negotiations with the U.S. had successfully yielded a new vehicle for compliant cross-border transfers of EU residents’ personal data, dubbed the EU-U.S. Privacy Shield. But until details of the new vehicle are disclosed, the specific features of the Privacy Shield remain murky.

All encryption tools are not created equal. Just ask the folks at Microsoft, who have recently demonstrated that encrypted Electronic Medical Record databases can leak information. Turns out that CryptDB, a SQL database add-on developed at MIT that allows searching of encrypted data, allows search queries to be combined with information in the public domain to hack the database. More on this in a minute. In the meantime, let’s consider the assumption that encryption is inviolate/ infrangible/ impervious to hacks. As I mentioned in an earlier post, encryption algorithms are too complex for most laypersons to understand, but we should at least wrap our heads around the concept that encryption is not a “set it and forget it” technology, nor is it foolproof.

In this series on establishing security classifications for your company’s information, last week’s post looked at one aspect – the widely varying definitions of Protected Information under state PII breach notification statutes. But if your organization is a covered entity or business associate under the Health Insurance Portability and Accountability Act (HIPAA), the definition of Protected Health information (PHI) is also a key puzzle piece for your classification scheme.

HIPAA establishes national standards for the use and disclosure of PHI, and also for the safeguarding of individuals’ electronic PHI, by covered entities and business associates. Merely having information commonly thought of as “protected health information” does not mean that HIPAA applies. And there are some surprises in which organizations are – and are not – covered by HIPAA. So, that’s the first question to answer – is your company a HIPAA covered entity or business associate?

When governing information, it works well to identify and bundle rules (for legal compliance, risk, and value), identify and bundle information (by content and context), and then attach the rule bundles to the information bundles. Classification is a great means to that end, by both framing the questions and supplying the answers. With a classification scheme, we have an upstream “if-then” (if it’s this kind of information, then it has this classification), followed by a downstream “if-then” (if it’s information with this classification, then we treat it this way). A classification scheme is simply a logical paradigm, and frankly, the simpler, the better. For day-to-day efficiency, once the rules and classifications are set, we automate as much and as broadly as possible, thereby avoiding laborious individual decisions that reinvent the wheel.

Easy so far, right? One of the early challenges is to identify and bundle the rules, which can be complicated. For example, take security rules. Defining what information fits in a protected classification for security controls can be daunting, given the various overlapping legal regimes in the United States for PII, PHI, financial institution customer information, and the like. So, let’s take a look, over several posts, at legal definitions for protected information, starting with PII under state statutes.

I’m here at RabbitHole, Inc., talking with the company’s Manager of Money in his office, which is buried in the Facilities Department, down in the building’s basement. I’m interviewing him to get a better sense of how RabbitHole manages money as a corporate asset.

Pardon my asking, but how much money does RabbitHole have?

“Frankly, no one knows – we don’t really keep track of that. We have boxes of paper currency stored off-site, but as for ‘active’ money, our employees keep that pretty much wherever they choose – in the network money systems, in their individual offices, in mobile wallets, and probably some stashed at home.”

But isn’t that your job? I mean, your title is “Manager of Money,” right? 

My New Year’s resolutions will likely be broken early and often in 2016. My consequences are mostly non-monetary: a few more pounds, a little less savings, and not winning the triathlon in my age group. Your consequences, as a HIPAA-covered entity or business associate, for not complying with the Privacy and Security Rules could be much greater, and could put you into serious debt to the HHS Office of Civil Rights (OCR). Therefore, we propose that you resolve now to become fully HIPAA compliant in 2016.

OCR delivered an early holiday gift, wrapped in the Director’s Sept. 23, 2015, report to the Office of Inspector General. In that report, she disclosed that OCR will launch Phase 2 of its HIPAA audit program in early 2016, focusing on noncompliance issues for both covered entities and business associates.

So, grab that cup of hot cocoa and peruse this review of 2014-2015 HIPAA enforcement actions, which should help identify noncompliance issues on which OCR will focus in 2016. 

2015 was quite a year for Information Governance, and it’s now time for a year-end post.  I’ve neither the prescience nor patience for making predictions, and after briefly flirting with a Star Wars/Holiday mash-up, I remembered that’s been done before, with tragic results. So, all that’s left is a single question, which may be the only question that matters  – over a tumultuous year for privacy, data security, information management, and e-discovery, what did we learn about governing information?

For those who observe it, the Christmas season (secular version 2.0) is definitely here. As a child, I cherished the thought of a man with a red suit accessing our house through the chimney. For those of us concerned about computer system security, we worry about a person with a black hat accessing our data through phishing, hacking, and malware. I hate to mention, well, you know who, but someone out there loves the thought of taking your Whoville roast beast.

Enjoy the next few days with your family and friends, but remember, it’s also time to consider your data security for 2016. Knowing you, once you’ve opened all the presents, eaten dinner, and just settled down for a moment of quiet sanity, your thoughts will inevitably turn to the new year. So, here are six holiday-themed recommendations for your consideration. If you don’t recognize the quotes below, that means you didn’t spend your childhood binge-watching classic holiday programs. Not a worry – simply unwrap the answer key at the bottom.

Today the FTC announced a $100-million settlement of its most recent data security lawsuit against LifeLock, the ubiquitous B2C provider of credit monitoring and identity theft protection to consumers.  Despite years of litigation with the FTC and 35 states’ attorneys general, LifeLock has continued with a business model that taps into consumers’ visceral fear of identity theft, and also consumers’ persistent belief that such exposure can magically disappear… all for “less than $10/ month.” But while “Nobody can conceive or imagine all the wonders there are unseen and unseeable in the world,” LifeLock’s settlement with the FTC is a reminder that there is no perfect protection against identity theft.

HIPAA and the IRS. There isn’t a whole lot of guidance out there about what to do when the IRS knocks on your organization’s door and asks for protected health information. Should the agency be treated as a cop or robber?

The most risk-averse approach for a HIPAA-covered entity or business associate to take is to treat the IRS as a potential thief and draw the deadbolt when it comes to data requests involving PHI. Such a tack would, among other things, comply fully with HIPAA’s minimum necessary requirement and, frankly, reinforce the Everyman attitude toward the agency. Moreover, PHI produced in response to an information document request (IRD) is unlikely to be treated under 45 CFR 164.512 as a disclosure required by law, a disclosure for an administrative proceeding, or a disclosure for a law enforcement purpose, because the IRS appears to lack the authority to compel compliance with an IRD. However, we should be careful that we don’t always and automatically view the IRS with HIPAA suspicion –  in some circumstances the IRS does perform a legitimate healthcare oversight function for which it may receive PHI without individual authorization, consistent with HIPAA’s treatment/ payment/ operations exception.