Keeping it Real (current): I’m back

Hello everyone! I am back. I wasn’t sure I would be, but based on comments this week at the Privacy, Security, Risk conference in Austin by IAPP – some people have missed me. I’m so sorry.

I thought blogs were out of style (Should I do YouTube or podcast?), but apparently, a couple of people do like to read what I write.

So here we are.

Today, I had the honor to moderate a panel of fantastic professionals – all women. All so very fabulous. The session was on Leadership and Privacy – and beyond featuring Agnes Bundy Scanlan (Treliant Risk Advisors), Liisa Thomas (Sheppard Mullin Richter and Hampton), and Katie Licup (Discover).  The session was centered around these women and what they have learned in their practices over the years. Seriously – Agnes hired Trevor Hughes, president and CEO of IAPP, 16 years ago when she was the first chair of IAPP.  Liisa had some great advice that she had received in law school from one of her favorite professors who told her to always shoot for the best job and the right pay. If she doesn’t, she is jeopardizing everyone else. And given that her professor himself aimed for the best job and made it…. President of the U.S. (Barack Obama) – she takes that advice to heart. So do I.

Other great programs. Surrounded by privacy peeps. The world doesn’t get much better. Well, until I went to eat Cooper’s BBQ. WOW. and gluten free. I was in brisket heaven.

So I will write. or I will video. or I will cast?  If either of you are reading this, let me know your thoughts.


How to break into Privacy as a Career

This topic seems to be more important than ever given the global demand (okay, mainly the European demand) for experienced privacy professionals. But how do you get experience if no one will hire you – and how do you get hired without having experience?

For privacy in particular, the IAPP has stepped up its efforts – recognizing the need to train professionals quickly and maintain quality. They offer training in the General Data Protection Regulation and European data protection, available both online and in person. In addition, there is now a Privacy Law Specialist designation recognized through the American Bar Association (squeee – very excited for this).

But what if you are not a member of the IAPP? First, join it. There are people who have personal issues with either the IAPP or with certifications, but frankly, with very little else in the world to compete with this recognition – it’s pretty much the only game in town. There are other certifications and groups, don’t get me wrong – there are health care privacy certifications, research certifications, ISO 27k certifications, CISSP, and many more. But still, the CIPP is what companies look for when looking for someone skilled in privacy.

Does being certified in information privacy mean you are an expert – no. But it is a way of demonstrating that you passed an objective measurement that indicates that you have a baseline knowledge. Call me old-fashioned, but to me, if you have been measured and found acceptable, then I expect you to demonstrate that knowledge. I am often disappointed – don’t get me started on registered nurses, doctors, and attorneys that I consider to be incompetent. That’s a whole ‘nother blog.

Back to the point of the post – you can break into the privacy field, whether you are an attorney or not. Play to your strengths and enter through a related position. If you are a litigator, start litigating on privacy issues. If you work in a bank, get into the privacy office. If you are in insurance . .. well, you should get the point. Contact the people in the privacy area of where you work, or want to work, and be upfront with them.

Make connections. Network. And keep in mind that networking, while you hope it will benefit you at some point, is not about you. It is about the person you want to know.  What can you do for them?  And then don’t be afraid to use your network to help others. Good deeds will come around.

Be active in discussion groups. Comment on stories that people post. Engage others – and on intellectual points, not in arguments. Get your name out there.

Start writing articles for industry publications. They love new blood and insight.

Join committees and work.  Don’t just lurk. Work.

And most of all, pay attention. Right now, the application for the Privacy Law Specialist is due. Today.  And I completely missed the news on it, being heavily engaged in actual working. So… sigh. I won’t be in the inaugural group, which sucks. But it underscores a key point – pay attention and execute on a timely basis.

Make sure your name, when called, is meaningful.

If you have other suggestions, please comment. If you have questions, please ask.


What did May 26 look like?


A week or so ago, I spoke at the Governance of Emerging Technologies & Science (GETS): Law, Policy and Ethics conference at the Sandra Day O’Connor College of Law at Arizona State University on “GDPR: what does May 26 look like?” Well, today looked awesome! I was at the Phoenix Comic Fest – and it is an interesting dichotomy in privacy, because people are pretending to be someone else! Or someone they usually are not in their daily lives. It’s like burlesque dancers who are accountants by day and not-so-much by night.

No one talked about privacy. Other than to keep your hands to yourself. Cosplay is not consent.

That’s actually not a bad way to frame the European Union’s General Data Protection Regulation – keep your data fingers to yourself and to those who consent. Living in this world, online, in commerce, is not consent.

But as privacy professionals, we are not magicians, but perhaps we do resemble immortal warriors. Put on this earth alongside the tech gods – to fight with or against. So what did May 26 look like – pretty much like any other day, with a lot of action happening behind the scenes.


National Nurses’ Week

This is a week to celebrate nurses. There are many nurses in my life aside from myself: family, friends, past colleagues, and students. Amazing individuals, and I’m proud to be one (once a nurse, always a nurse)!

For this post, I’m sharing one of my favorite experiences. My time as a cancer and hospice nurse is still the most impactful time of my life. My patients taught me so much. They gave me courage, tears, honesty, love, respect, humility, hope, acceptance, and a calm view of the totality of life.

Back in 1996, I worked at the University of Tennessee medical center (go Vols! But orange ain’t my color), while Peyton was quarterback there. Night nurse. 7 on and 7 off. Brutal, but continuity for patients. We became family – dysfunctions and sacrifices.

They found out I did not know how to Macarena. Shocking! They then flashmobbed me at 2 am… And I do mean flashed. Hospital gowns, IV poles, and catheters. Not pretty. But they were enthusiastic, cheering, laughing, and successful. I learned the Macarena, but I also learned to enjoy the small things.

So thank a nurse. You never know what happens when you’re not there with your loved ones. Sometimes, it’s just not something we would document in a chart!

Royal Privacy

This week, we visited the Palace of Versailles, not too far outside Paris. It was simply amazing. But privacy…. not a thing. Originally, King Louis XIII built this “hunting lodge” as a way to escape palace life – to gain some moments of privacy.

palace and gardens


His son, King Louis XIV (any inaccuracies are completely mine….) expanded this lodge to a palace and moved the French court and seat of government to Versailles, where a complete town grew up around it to support the influx of nobles and their needs.

But Louis XIV essentially had no privacy. From the waking up ceremony at 8:30 am witnessed by over 100 members of the court to activities, dining, and retiring to bed, he was constantly in company. The court considered it a right to be in the presence of the Sun King.


Even childbirth was in front of hundreds of witnesses until Marie Antoinette, wife to Louis XVI, nearly died in childbirth. Hundreds of people, from nobles to chimneysweeps (the latter of whom climbed onto sofa backs to have a better, direct view), crowded the chamber to witness the birth. A royal birth had to be witnessed to ensure the babe was truly the royal one. Marie Antoinette fainted, supposedly from the heat caused by all the bodies, the lack of air flow, and the stress of a long birth. King Louis XVI, quite scandalously in love with his queen, had everyone removed (some forcibly) and the windows thrown open. He then declared that no royal births would be so public. The witnesses were thereafter reduced to those deemed necessary, which still numbered a few dozen.


So, if one is a Royal (present author excluded), privacy is a rare and unexpected gift.

HIPAA – not what you think it is

HIPAA pedestal

HIPAA (the Health Insurance Portability and Accountability Act of 1996, along with its subsequent amendments) was never intended to interfere with patient care. It was about insurance – it is not the “Health Information Privacy Protection Act,” aka HIPPA, which does not and has never actually existed.

For one, it does not apply everywhere you have medical information. Here is where it does not typically apply (there may be a few exceptions, but in general, HIPAA does not apply here):

  • your employer for pre-employment physicals, wellness, or workers’ comp
  • your kids’ school (other privacy laws, such as FERPA, may apply)
  • your health apps and devices, like Fitbit or Loseit
  • DNA companies, like 23andme


Surprised? I could write papers on any one of these topics, and I probably have. But here’s another kicker – HIPAA does not automatically apply to your doctor or hospital.

Okay, so in reality, HIPAA probably does apply to most everyone’s doctor and hospital, but it’s not automatic just because they provide medical treatment. They have to engage in particular electronic data transmissions related to health plans, claims, and care (for the actual definitions, see HIPAA, particularly sections 1172 and 1173, or the general overview here). So if you see a provider who does not file on insurance and does not send information about your care or status electronically, then HIPAA does not apply.

But also, HIPAA does not interfere in patient care. A medical provider can share information about a patient if it is deemed to be in the patient’s best interest to do so (barring perhaps the patient specifically restricting information from being given to a particular person). HIPAA also does not prevent a family member from accompanying a patient to other parts of a facility for testing. I’ve often seen staff take a patient to get x-rays and tell family members that they are unable to accompany the patient due to HIPAA. There may be other reasons, but HIPAA is not one of them – unless the facility is in flagrant violation of any sense of confidentiality expectations.

Also, and I have done this myself, HIPAA does not stop an individual from providing information about a patient to a medical provider. If the facility is doing or not doing something to your loved one as a patient that concerns/worries/bothers you, you can absolutely call them and provide information and relay your concerns. This nonsense about providers and staff refusing to talk to someone because HIPAA forbids it is ridiculous. They cannot provide information that is confidential (unless there is an exception), but they can certainly listen. And often, they need to listen because it may be information they are missing that could be critical to the patient’s care.

Last, when you go to a new doctor and they ask you to fill out forms for your prior doctor to release your past medical records – uh, HIPAA actually does not require that. It has become the industry practice to do so, and in general it is a good practice to ensure that it really is you asking for your specific records to go to this new doctor… but HIPAA does not require authorization for health care purposes (treatment or payment). If that form is interfering with obtaining necessary medical care – there is a problem.

So, HIPAA is not everything you may think it is. If you have questions, let me know. I am happy to write about privacy.

“I have a quick question…..”


The conversation starts with “I have a quick question…” It’s never quick to ask or quick to answer – especially when, to really answer the question, more information is required. I should never say never. If your question is “Is it okay to kidnap a stranger and keep them locked up for ten years while I bilk all their life savings?” – the answer is really quick. No.

Otherwise, most of the time when someone wants to ask a quick question of an attorney, they are generally looking for a valid legal response, even if the attorney disclaims it is not legal advice.

Don’t get me wrong, most of us love intellectual debates and/or discussing our passions. Asking me about privacy is like asking a new mom about her babe – it’s a miracle if I ever shut up. (Those who know me… quit laughing! I am limited to one cup of coffee daily.)

The point is – there is rarely a “quick question.” If you really do intend it to be a quick question, do your homework first and only ask the remaining issue. Here’s a good scenario:

Quick question:
“Should I report my doctor for a HIPAA breach if they mailed me the wrong lab results?”

Why it’s not quick:

  • Who are you thinking you should report the doctor to – the medical board, the U.S. Office for Civil Rights, a non-US regulatory authority, state attorney general, state insurance office, employer, insurer? The list can be very long.
  • Is your doctor under any requirements that address privacy, other than the physician requirement for confidentiality? (HIPAA does not apply to everyone)
  • What information did you receive, and how do you know it’s not yours? Are the lab results for a test you did not have, is there another name on the test, is the patient ID not yours, was the address wrong and the post office delivered it to the right address, or did the post office deliver it to the wrong address? There are lots of ways this could go wrong.
  • Did you discover this yourself or were you informed?
  • Why do you want to report it? (public obligation, anger, want to sue, etc.)
  • Have you been harmed? (not necessarily critical to being a breach, but is important)
  • Has the other patient been harmed? (or would they be)
  • Do you still have the information?
  • Have you reported this to the doctor? If so, what was his/her response?

and other questions would follow based on responses.

My quick answer would be – you should let the doctor know and return the information to him/her without keeping a copy, but take notes on the entire interaction. This may or may not be the correct answer, depending on the responses to the questions above, which I would not know if I did not ask.

And the “quick questioner” will probably still ask a follow-up question or respond with more information, making the quick question and the quick (perhaps accurate) response still not so quick.

If people really wanted to ask a quick question – they would do the homework and come to the attorney (or privacy officer) with a really quick question –

“Hey, my doctor in Indiana mailed me the lab results for another patient with that patient’s name on it and it is HIV results. I know it is a breach under HIPAA, but it appears my address is connected to that name. I told the doctor’s office and I shredded it, but should I report this to the Office for Civil Rights?”

Quick answer:
“Oh, that’s bad. Yes, you can report to the Office for Civil Rights, although you don’t have to, and they can match it to your doctor’s breach disclosure list, which is not required until the year is over for one-offs. You can also follow up and ask your doctor if they let the other patient know, but they don’t have to tell you. Make sure they correct your address linked to that patient and make sure your name is not on his/her address and no information on you has been sent there.”

This is not unique to privacy or to attorneys. This happens to pretty much everyone. If the quick question is a conversation starter, because you are looking for a way to start chatting, fine. It could be awkward and you might get a rude response or create a bad impression.

If, however, you really do think that you can ask someone who knows (perhaps an “expert”) a question related to their knowledge and expertise, and the person is a friend, good acquaintance, or close work colleague – sure, do it. But be respectful, do your homework, and provide concise, clear, and critical facts. Do not turn it into a verbal essay, and please explain up front that if it is not so quick from their point of view, they should just say so – you get that there may be complexities that you don’t see.

If this person does answer, you should provide them with a thank you, such as a gift card to their favorite coffee or food place, flowers, a thank-you item, or an effusive thank-you card. They won’t expect it – because who does that? – and it will become a pleasurable experience for them and for you.