1/22/2021

Working with PHI (Personal Health Information) – extra caution is required – the government is watching

Government regulators are tightening controls over the processing of private information.

On January 13, 2021, the FTC announced a proposed settlement with a fertility-tracking app. The government charged the company for mishandling customers' health information.

Even though the company had obtained customers' consent to store and process their health data, it transferred the information to third parties without the customers' permission during the application's development.

The US has no general federal privacy law in force, but the FTC found a way to charge the company "... that it had reason to believe that Respondent has violated the Federal Trade Commission Act ..." The FTC accused the company of misrepresenting the services it provided and misusing customers' data.

This example shows that companies must carefully rethink their software development practices and keep production data separate from QA, R&D and development environments.

Companies should:

1. Develop privacy and information handling policies and procedures.

2. Develop appropriate consent agreements for clients that explain, in clear and plain language, how the company plans to use their data.

3. Provide training on internal confidentiality.

4. Require developers to sign acceptable data use agreements and nondisclosure agreements.

5. Carefully check any potential disclosures.

6. Document partners' and suppliers' contractual obligations regarding any personal information processing, and request them where they are missing.

7. Review policies and procedures periodically and compare them with actual practice.

8. Require all developers with access to private information to sign acceptable use agreements.

As usual, Digital Edge proposes to implement well-defined cybersecurity and privacy management standards. Some of the recommended standards are ISO 27001/27701 or NIST Privacy Framework. The Digital Edge cybersecurity compliance team can assist with the selection and implementation of a standards-based privacy and cybersecurity management system.