
New HIPAA security risk assessment tool, AI prompt notice requirements under GDPR, and more

Including: Why CA employers should update their HR contracts under the CCPA, COPPA consent requirements for Edtech providers, and privacy news.

Welcome to Privacy Picks! In this issue, we highlight a few developments from different corners of the data privacy world, including:

  • An updated HIPAA security risk assessment tool for small to mid-sized covered entities.

  • GDPR notice requirements when using an individual’s personal information for your AI prompts.

  • Why California-based employers subject to the amended CCPA should think about updating their HR contracts.

  • COPPA consent requirements for Edtech providers.

  • Another unsuccessful defense in a BIPA lawsuit.

  • In the news . . .

Please enjoy and feel free to subscribe to stay up on the latest Privacy Picks for business owners.

New HIPAA Security Risk Assessment Tool

Compliance with the HIPAA Privacy and Security Rules can pose a significant challenge for small healthcare entities, particularly as breaches continue to escalate.

In fact, private practices and physicians rank as the second most common targets for enforcement actions, behind only general hospitals, and in 2022 a startling 65% of fines were levied against small practices. To address these concerns, the Office of the National Coordinator for Health Information Technology (ONC) has updated its Security Risk Assessment (SRA) Tool to version 3.4.

Designed specifically for small to mid-sized healthcare organizations, which are frequently hit by breaches and HIPAA enforcement, the tool aims to streamline compliance with the HIPAA Security Rule. That rule requires covered entities and their business associates to conduct, and document, an accurate and thorough risk analysis of the risks and vulnerabilities to the electronic protected health information (ePHI) they hold.

Available either as a Windows desktop application or as an Excel workbook, the SRA Tool walks the user through multiple-choice questions, rates threats and vulnerabilities, tracks an asset inventory, and produces reports that can be retained as evidence for compliance monitoring.

The latest version adds a remediation report, a glossary, tool tips, and references to the Health Industry Cybersecurity Practices (HICP) 2023 Edition, along with bug fixes and usability improvements. One caveat: completing the tool does not by itself guarantee compliance with the Security Rule. The risk analysis is only as good as the asset inventory and answers entered, and the remediation items it produces still have to be acted on and documented.

GDPR and AI Prompts: Privacy Notice Requirements

As this article points out, whether and when GDPR notice requirements apply to AI prompts depends on the source of the personal data being used.

For example, if you collect personal data directly from an individual and then use that data in a prompt, GDPR Article 13(1) requires you to provide a compliant privacy notice "at the time when personal data are obtained." That notice must state the purposes of the processing, so a notice written before AI use was contemplated may not cover it; under Article 13(3), processing for a new purpose requires notice of that purpose before the further processing begins.

However, if the data for your AI prompt were obtained from someone other than the individual, for example scraped from the internet, Article 14 applies instead, and the GDPR generally allows the controller to provide the privacy notice "within a reasonable period" after obtaining the data, but at the latest within one month (Article 14(3)(a)). The deadline moves earlier if the data are used to communicate with the individual or are disclosed to another recipient: in those cases the notice is due no later than the first communication or the first disclosure (Article 14(3)(b) and (c)).

Certain exceptions to the Article 14 notice also exist (Article 14(5)): where the individual already has the information, where providing it proves impossible or would involve a disproportionate effort, where obtaining or disclosing the data is expressly laid down by EU or Member State law, or where the data are covered by an obligation of professional secrecy. Note that the "impossible or disproportionate effort" exception is available only for indirectly obtained data; when you collect the data from the individual directly, the only exception under Article 13(4) is that the individual already has the information.

Updating Your HR Contracts Under CCPA

As of January 1, 2023, California employers must scrutinize how they disclose employee and job applicant data to HR vendors to ensure they are not "selling" it under the California Consumer Privacy Act (CCPA), since the law's partial exemption for employee and applicant data expired on that date.

The act defines "selling" broadly as disclosing or otherwise transferring personal information to a third party for monetary or other valuable consideration, and a sale triggers additional compliance requirements such as offering an opt-out and adding a "Do Not Sell or Share My Personal Information" link and related disclosures to the website.

And, as this article points out, it is still not clear whether providing certain information to HR vendors, such as payroll, benefits, insurance, and applicant tracking vendors, constitutes a "sale" under the CCPA.

However, employers can avoid these obligations by updating their contracts with HR vendors so that the vendors qualify as "service providers" under the CCPA. An employer's disclosure of personal information to a "service provider" does not constitute a "sale".

But take caution: the contract must contain the specific terms the CCPA requires (Cal. Civ. Code § 1798.140(ag) and the CPPA's implementing regulations), including a description of the limited business purposes for which the vendor may use the data, a prohibition on selling or sharing the data, a prohibition on using or retaining it outside the direct business relationship or combining it with data from other sources, a commitment to comply with the CCPA and provide the same level of privacy protection the law requires of the employer, a duty to notify the employer if the vendor can no longer meet its obligations, and the employer's right to take reasonable steps to verify and remediate the vendor's use. A vendor contract that lacks these terms leaves the vendor a "third party", and the disclosure a potential sale.

COPPA Consent Requirements for EdTech Providers

If you’re in the EdTech space, don’t assume you can shift your privacy compliance obligations to your educational clients.

For example, back in May, the FTC obtained an order against former EdTech company Edmodo for violating the Children's Online Privacy Protection Act (COPPA) Rule, including a $6 million civil penalty that was suspended because of the company's inability to pay.

As a reminder, COPPA requires operators of commercial websites and online services that are directed to children under 13, or that have actual knowledge they are collecting personal information from children under 13, to obtain verifiable parental consent before collecting, using, or disclosing that information.

Edmodo failed to do this, instead shifting the responsibility for obtaining consent onto schools and teachers.

The company also used the collected personal data for commercial purposes, specifically to serve contextual advertising.

To lawfully rely on school authorization as a substitute for parental consent, Edmodo would have needed to 1) provide the school with direct notice of its data collection, use, and disclosure practices and 2) limit its use of the information to the educational services the school requested, rather than commercial purposes such as advertising.

The case serves as a cautionary tale for other EdTech providers: when children's data is collected, used, or disclosed for commercial purposes, COPPA requires the operator itself to obtain verifiable parental consent, and that obligation cannot be contracted away to schools.

Identity Crisis: How Misunderstanding BIPA's Scope Could Cost Employers Big

The Illinois Biometric Information Privacy Act (BIPA) imposes stringent requirements on collecting, using, and disclosing biometric identifiers such as fingerprints, retina or iris scans, scans of hand or face geometry, and voiceprints.

The law is particularly critical for employers to heed, as it has been the basis for a growing number of putative class-action lawsuits.

To comply with BIPA, a private entity that collects biometric data must adopt a publicly available written policy establishing a retention schedule and guidelines for permanently destroying the data, inform the employee or other data subject in writing of the specific purpose and length of time for which the data is being collected and stored, and obtain a written release before collecting it.

As this article points out, narrow technical readings of the statute have proven ineffective as defenses to BIPA lawsuits, as demonstrated by Lewis v. Maverick Transportation.

In Lewis, the defendant argued that its use of biometric data did not serve to "identify an individual" within the meaning of the statute and so fell outside BIPA. The court rejected this argument, reasoning that the primary goal of BIPA is to ensure that data subjects are fully informed about how their biometric information will be used, who will have access to it, and for how long it will be retained.

As the article emphasizes, employers are therefore advised to comply with BIPA's policy, notice, and written-consent requirements before collecting any biometric data, rather than relying on arguments about how the data is used, to avoid legal repercussions.

Importantly, the Illinois Supreme Court has held that a five-year statute of limitations applies to BIPA claims (Tims v. Black Horse Carriers, 2023), which widens the window in which suits can be brought and further underscores the need for employers to act cautiously and responsibly in handling biometric data.

In the News

On October 12, 2023, the U.K.-U.S. Data Bridge comes into effect under regulations laid before Parliament by U.K. Secretary of State for Science, Innovation and Technology Michelle Donelan. The data bridge is the U.K. Extension to the EU-U.S. Data Privacy Framework: it allows U.K. organizations to transfer personal data to U.S. organizations that have self-certified under the framework without additional safeguards such as the International Data Transfer Agreement, and it is backed by the U.K. government's analysis of U.S. privacy safeguards. Only transfers to U.S. recipients that have certified under the U.K. Extension are covered, so a recipient's certification status should be checked on the Data Privacy Framework list before relying on the bridge.

Regulators in Poland (the Personal Data Protection Office, UODO) are investigating OpenAI following a complaint from a ChatGPT user. The complaint alleges unlawful processing of personal data, lack of transparency, and the generation of false information about the complainant.

Effective July 1, 2024, the Florida Digital Bill of Rights (FDBR) introduces privacy provisions including expanded opt-out rights and protections for children online, but its unusually high jurisdictional thresholds (among them more than $1 billion in global annual gross revenue) mean that far fewer entities are subject to it than to other state privacy laws.

Delaware Governor John Carney signed the Delaware Personal Data Privacy Act into law on September 11, 2023; it takes effect January 1, 2025, adding Delaware to the list of U.S. states with comprehensive consumer privacy laws. Notable aspects of the Delaware law include its relatively low applicability threshold (controllers processing the data of at least 35,000 Delaware residents), its lack of exemptions for nonprofits and higher education institutions, and broad consumer rights including the right to opt out of targeted advertising and the sale of personal data.