    Cyber Babel: Finding the Lingua Franca in Cybersecurity Regulation

    Cybersecurity regulations have proliferated over the past few years as the significance of the threat has drawn more attention. With breaches making headlines, the public and their representatives are imposing requirements on those that hold sensitive data with renewed vigor. As high-value targets that hold large amounts of sensitive data, financial institutions are among the most heavily regulated. Regulations are necessary. However, regulations also come with costs that impact both large and small companies, their customers, and local, national, and international economies. As the regulations have proliferated so have those costs. The regulations will inevitably and justifiably diverge where different governments view the needs of their citizens differently. However, that should not prevent regulators from recognizing areas of agreement. This Note examines the regulatory regimes governing the data and cybersecurity practices of financial institutions implemented by the Securities and Exchange Commission, the New York Department of Financial Services, and the General Data Protection Regulations of the European Union to identify areas where requirements overlap, with the goal of suggesting implementations that promote consistency, clarity, and cost reduction.

    Identification and Assessment of Children and Youth with Special Health Care Needs in Medicaid Managed Care: Approaches from Three States

    Increasingly, states are relying on managed care delivery systems to serve Medicaid enrollees that have historically been exempt from enrollment in managed care, such as children and youth with special health care needs (CYSHCN). The federal Medicaid managed care regulations establish the broad requirements for states to identify and assess individuals with special health care needs. However, little has been recently documented about specific state policies or procedures for identifying and assessing CYSHCN. This report looks at such approaches in three states -- California, Massachusetts and Michigan -- and includes some promising practices states may consider in implementing Medicaid managed care for this vulnerable population.

    Substance Use Disorder Treatment Confidentiality Boot Camp

    [Excerpt]: INTRODUCTION: The Health Law and Policy Programs at UNH School of Law, Institute for Health Policy and Practice, and the NH Citizens Health Initiative have contracted with several of the New Hampshire Building Capacity for Transformation Delivery System Reform Incentive Payment (DSRIP) Integrated Delivery Networks (IDN) to provide technical assistance to the IDNs as they develop confidentiality tools related to substance use disorder services projects. A UNH Team assisted the IDNs by providing an educational summary of federal and state confidentiality requirements, focusing on 42 CFR Part 2, and hosting IDN interdisciplinary teams in three Substance Use Disorder (SUD) Treatment Confidentiality Boot Camp sessions providing technical assistance to assist each IDN partner with their SUD confidentiality project goals. The “boot camp” consisted of several guided meetings with assigned homework to follow, leading to the ultimate development of processes, plans, and draft forms and policies to implement Part 2 confidentiality. The process incorporated learning from the Citizens Health Initiative’s existing New Hampshire Behavioral Health Integration Learning Collaborative. The Project was implemented during half-day working sessions between May 15 – July 30, based upon the availability of IDN interdisciplinary teams and as arranged in collaboration with the IDNs. The IDNs committed to including project leaders with knowledge about and authority to investigate issues regarding projects, patient flow, and privacy. The project teams were multi-disciplinary. IDN participants were encouraged to review issues, forms, and ideas with their individual legal counsel at any point. The technical assistance provided as part of this project is not and does not take the place of legal advice.

    Substance Use Disorder Privacy Workbook: 42 CFR Part 2

    The RFID PIA – developed by industry, agreed by regulators

    This chapter discusses the privacy impact assessment (PIA) framework endorsed by the European Commission on February 11th, 2011. This PIA, the first to receive the Commission's endorsement, was developed to deal with privacy challenges associated with the deployment of radio frequency identification (RFID) technology, a key building block of the Internet of Things. The goal of this chapter is to present the methodology and key constructs of the RFID PIA Framework in more detail than was possible in the official text. RFID operators can use this article as a support document when they conduct PIAs and need to interpret the PIA Framework. The chapter begins with a history of why and how the PIA Framework for RFID came about. It then proceeds with a description of the endorsed PIA process for RFID applications and explains in detail how this process is supposed to function. It provides examples discussed during the development of the PIA Framework. These examples reflect the rationale behind and evolution of the text's methods and definitions. The chapter also provides insight into the stakeholder debates and compromises that have important implications for PIAs in general. Series: Working Papers on Information Systems, Information Business and Operation.

    Online Personal Data Processing and EU Data Protection Reform. CEPS Task Force Report, April 2013

    This report sheds light on the fundamental questions and underlying tensions between current policy objectives, compliance strategies and global trends in online personal data processing, assessing the existing and future framework in terms of effective regulation and public policy. Based on the discussions among the members of the CEPS Digital Forum and independent research carried out by the rapporteurs, policy conclusions are derived with the aim of making EU data protection policy more fit for purpose in today’s online technological context. This report constructively engages with the EU data protection framework, but does not provide a textual analysis of the EU data protection reform proposal as such.

    Design Challenges for GDPR RegTech

    The Accountability Principle of the GDPR requires that an organisation can demonstrate compliance with the regulations. A survey of GDPR compliance software solutions shows significant gaps in their ability to demonstrate compliance. In contrast, RegTech has recently brought great success to financial compliance, resulting in reduced risk, cost saving and enhanced financial regulatory compliance. It is shown that many GDPR solutions lack interoperability features such as standard APIs, meta-data or reports, and they are not supported by published methodologies or evidence to support their validity or even utility. A proof of concept prototype was explored using a regulator-based self-assessment checklist to establish if RegTech best practice could improve the demonstration of GDPR compliance. The application of a RegTech approach provides opportunities for demonstrable and validated GDPR compliance, notwithstanding the risk reductions and cost savings that RegTech can deliver. This paper demonstrates that a RegTech approach to GDPR compliance can facilitate an organisation meeting its accountability obligations.

    Legal Solutions in Health Reform: Privacy and Health Information Technology

    Identifies gaps in the federal health privacy standard and proposes options for strengthening the legal framework for privacy protections in order to build public trust in health information technology. Presents arguments for and against each option.

    Privacy and Health Information Technology

    The increased use of health information technology (health IT) is a common element of nearly every health reform proposal because it has the potential to decrease costs, improve health outcomes, coordinate care, and improve public health. However, it raises concerns about security and privacy of medical information. This paper examines some of the “gaps” in privacy protections that arise out of the current federal health privacy standard, the Health Insurance Portability and Accountability (HIPAA) Privacy Rule, the main federal law which governs the use and disclosure of health information. Additionally, it puts forth a range of possible solutions, accompanied by arguments for and against each. The solutions provide some options for strengthening the current legal framework of privacy protections in order to build public trust in health IT and facilitate its use for health reform. The American Recovery and Reinvestment Act (ARRA) enacted in February 2009 includes a number of changes to HIPAA and its regulations, and those changes are clearly noted among the list of solutions (and ARRA is indicated in the Executive Summary and paper where the Act has a relevant provision).