Why Are You Getting This?

You signed up to receive the Tips, initiated contact to stay in touch with Rebecca and/or Privacy & Security Brainiacs (PSB), or consented to receive the Tips. Please read our Privacy Notice & Communication Info at the bottom of this message for more information. You may unsubscribe from there as well.

Rebecca

We would love to hear from you!

March Tips of the Month

• Monthly Awareness Activity
• Privacy & Security Questions and Tips
• Data Security & Privacy Beacons*
• Privacy and Security News
• Where to Find the Privacy Professor

March 1 is World Compliment Day. Commemorate it by expressing gratitude to the people in your organization responsible for privacy, information, and cyber security. 

What are they doing that helps you to know how to secure your computing devices better and protect all forms of information that you handle or otherwise access? Do they protect your information, computing, and digital storage devices when you work from home or travel? Do they give you knowledge to share with family and friends? Let them know! 

Consider too those who may not have formal responsibility but may have given you advice and direction that has helped you to protect your own privacy better, and perhaps even that of your family and friends. 

Compliments shouldn’t be restricted to work colleagues. Let your friends, family members, neighbors, etc., know if they have provided helpful information security and/or privacy insights. Unless you tell them, they may not know how valuable they are to you!

How about making World Compliment Day into World Privacy and Security Help Compliment Day? Even sending a short message such as, “Hey, I wanted to let you know that I found the information you provided about <INSERT DESCRIPTION HERE> very helpful! Thank you for sharing it.”

Here are a few ways to share compliments:

• A text message
• An email
• A phone call
• A comment response to a relevant social media post
• In person. Give a shout-out at team meetings -- live or virtual.
• A written letter or thank you note/card
• A note attached to flowers or a food/beverage treat.

What other activities do you suggest for recognizing those whose privacy and security help you appreciate? Are you planning to do my suggested activity or your own? Or are you doing an awareness event for a different recognized day or week in March? Let us know!

Here are a few questions we’ve received over the past several months about privacy, security, and current trends and products. We've received many! Those we did not get to here may be included in an upcoming issue.

Are the answers interesting and/or useful to you? Please let us know! Keep your questions coming!

Q: My doctor sent me my online health record portal ID and password in an unencrypted email. Is this a violation of HIPAA?

A: This is a risky practice that we would advise against! However, the answer to whether or not this violates HIPAA depends upon how you may or may not have consented to allow your doctor to communicate with you before receiving your referenced message.

HIPAA allows covered entities (CEs), in this situation healthcare providers, to communicate electronically with their patients, such as through email, provided they apply reasonable safeguards. They must also communicate the risks of sending cleartext PHI (protected health information) in emails to patients and then obtain consent before they send PHI within emails and other forms of digital communications.

To avoid unintentional disclosures, medical professionals must also take precautions like following documented procedures for

• Checking the email address for accuracy before sending
• Sending an email alert to the patient for address confirmation before other communications
• Limiting the amount of PHI and other information disclosed through clear text email

CEs also need to make sure that every transmission of PHI is in compliance with the HIPAA Security Rule requirements.

While CEs are responsible for adopting these types of reasonable safeguards in order to fulfill individuals’ communications requests, CEs are not responsible for disclosure of PHI while in transmission to, or after receipt by, the individual based on the individual’s request to receive the PHI in an unsecure (cleartext) manner, if the individual made this request after the CE provided information explaining the security and privacy risks associated with making these types of unsecure transmissions. 

If you had previously agreed to receive PHI through cleartext (unencrypted) email messages after the doctor had explained the associated risks of doing so, then this would likely not be a HIPAA violation if the doctor has policies and procedures for other compensating safeguards to use for transmitting PHI in cleartext emails.

However, if you never provided such consent to receiving unencrypted emails containing PHI, or you did provide consent, but the doctor did not explain the risks to you first, this would likely be a HIPAA violation.

Q: I own/run a cancer treatment clinic. I hired a small tech company to create an online portal to allow my patients to access their health records, set appointments, ask me questions, etc. I asked the tech company if they used tracking pixels, and they said yes, but that the associated data isn’t PHI. I follow you on LinkedIn, and I remember your warning that such tracking technology was PHI, but I cannot locate that information. Can you please explain again whether or not tracking pixels are PHI? I will then show them your answer. 

A:  I’m so happy that you are thinking about these issues! Tracking pixels, and other tracking technologies, are often used online to collect and analyze information about how users interact with regulated covered entities’ (CEs’) websites and apps. 

When those tracking pixels are used in online patient or health insurance holders’ portals where PHI is involved, they are generally considered PHI. 

HIPAA requirements apply when CEs collect information through tracking technologies or disclose it to tracking technology vendors, including PHI. Some doctors share sensitive information with online tracking technology vendors, which may be unauthorized disclosures of PHI with such vendors. 

Doctors, and all other CEs and business associates (BAs), are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other HIPAA violations.

For example, disclosures of PHI to tracking technology vendors for marketing purposes, without individuals’ HIPAA-compliant authorizations, violate HIPAA requirements. Not only must CEs first obtain consent from patients before sharing data using Meta pixels with third parties, such as social media sites, to do marketing, but the CEs must also ensure each of the tracking technology vendors has signed a BA agreement in order to comply with HIPAA. 

Q: Can I tell when Meta Pixels are being used on the apps and websites I visit? Can I block these and other tracking pixels from being used, similar to how I block cookies?

A: Generally, no. Telling when tracking pixels are being used is difficult, if not impossible in some situations. You usually can’t block them like you block cookies through browser settings.  

Here’s a high-level explanation of the difference between cookies and tracking pixels (Meta Pixel is a specific type of tracking pixel, also called a web beacon or one of several other terms).

When you visit an online website, your browser and the web page interact. Any cookies you have allowed through your browser cookie settings are transferred to your computer’s hard drive, generally through the interaction from your browser. 

Unlike cookies, tracking pixels are generally not storing data on your own computer. The pixels send data to external servers, typically through the internet, to be stored within an area that is all about you, where other data about you collected from other sources are also deposited. The more apps that are used and sites a person visits, and the more files a person opens, the more repositories of data about that person exist. 

Tracking pixels facilitate taking certain information about you when you visit a digital location or have opened up a file where they are embedded. They can be embedded within the digital locations you visit, such as online social media sites, online stores, streaming media sites, and apps. They are also in files such as Word docs, PDFs, Excel spreadsheets, photos (e.g., JPGs, PNGs, etc.), audio and video files (e.g., MP3s, MP4s, etc.), and a long list of other types of locations and files. Basically, they may be in any type of digital media.

This is one of the ways for how Facebook and other social media sites, along with apps, marketing services, and a growing number of other types of data brokers, create huge profiles of millions of people, showing details about their activities. 

Simply stated, you can control cookies because the browser is on your computer, and cookies are stored on your computer. And with security settings, privacy law requirements, and technical restrictions, you must be involved to allow those cookies to be used on your computer. 

However, since tracking pixels are not storing on your computer the data they are siphoning from you, the technical blockades used by cookies do not exist. Additionally, since pixels generally are tiny, 1x1 graphic pixels, that have the same characteristics as images and are used in millions of online sites and types of files, it is much harder to identify, control, or block them. 

Additionally, cookies do not follow users across different computing devices. But, tracking pixels follow users across all the computing devices they use. This lack of transparency and the inability to identify where and when pixels are being used is how huge personal data repositories are accumulated, and profiles of millions of individuals are created. That’s why so many groups and individuals are concerned about their use.

Q: Worried Dad here. My 14-year-old daughter’s gynecologist recommended she buy a period tracker since her menstrual cycle is very irregular. But she’s only 14! I would think the irregularity is normal for a young teen just starting to menstruate. The physician gave her a list of tracker apps. I’m worried about who is getting the data from those period trackers. Does HIPAA protect that data? What should we look for in such trackers? Help! 

A: You are wise and caring. Good father! First, consider that HIPAA is a federal regulation that only applies to entities that fall under its definition of a “covered entity” (CE) and their associated “business associates” (BAs) that in some way have access to protected health information (PHI).

CEs are most healthcare providers (doctors, clinics, hospitals, etc.), healthcare insurers (your health insurance company, your employer if they are self-insuring you as a benefit of being their employee, etc.), and healthcare clearinghouses (those organizations that generally facilitate the exchange of digital PHI between covered entities). Your doctor is likely a CE under HIPAA. If your doctor wrote a prescription for your daughter to use a specific period tracker, then the data collected would typically be legally protected by HIPAA as a result of being a treatment prescribed by a doctor. 

However, very few of these health trackers are protected by HIPAA, since most are sold directly to consumers, and most healthcare providers do not write prescriptions for specific types of trackers. Some period trackers claim to be HIPAA compliant, but often this claim is misleading and often just a marketing gimmick (which likely violates Section 5 of the FTC Act). 

If you and/or your daughter want to get one of these trackers, we recommend you look for the following features in the one you choose.

• Use one where all data collected is stored locally on your daughter’s phone or other type of computing device, is encrypted in storage, and the tracker never sends data from the computing device out to any other entity.
• Ensure third parties are not allowed to connect to and get access to the data on your daughter’s computing device. 
• Make sure the tracker app has a capability/option to allow you to irreversibly delete the collected data. 
• Ensure the tracker vendor provides a simple but comprehensive and easy-to-understand privacy notice on their website and transparency reports about the data collected, how it is used, processed, shared, destroyed, etc. 
• Do not get a tracker app that requires location/GPS tracking. No medical reason exists for collecting this information. If it includes this capability, make sure you can disable it.
• If you are still leaning towards a tracker that stores the data in the cloud, make sure the tracker allows the user (your daughter) to use a pseudonym and does not require real names, email addresses, phone numbers, or other information that can be used to reveal your daughter’s identity. 

Various research studies in the past year show the following period trackers as generally being the most privacy-protecting: 



• Drip
• Euki
• Periodical

Q: Are any changes coming down the pike for strengthening the privacy of reproductive health data in the US?

A: Many actions have been taken in the past year proposing laws and regulations for stronger protections of reproductive health data. A few actions at the US federal level include:

• The Department of Health and Human Services (HHS) submitted Proposed Modifications to the HIPAA Privacy Rule to Support Reproductive Health Care Privacy (RIN 0945-AA20) on January 26, 2023. It is currently under White House review and has not yet been publicly released. Still, since it would be modifying the HIPAA Privacy Rule it would almost certainly impact health data privacy in some way.
• On July 8, 2022, the White House issued Executive Order on Protecting Access to Reproductive Healthcare Services which includes a requirement “To address the potential threat to patient privacy caused by the transfer and sale of sensitive health-related data and by digital surveillance related to reproductive healthcare services, and to protect people seeking reproductive health services from fraudulent schemes or deceptive practices.” It then instructs the FTC, HHS, Attorney General, and others to take associated actions. These actions could very well strengthen health data privacy.
• On June 21, 2022, a group of 12 U.S. Senators introduced the “My Body, My Data Act,” to create a new national standard to protect personal reproductive health data. There have not yet been any actions taken since the introduction, though.
• The American Data Privacy and Protection Act (ADPPA), if passed, would also work to protect health data. However, given the wide impacts of the proposed bill, and many statements from those in congress who oppose it, it will likely need to be modified at least once to get to the point where the needed majority of lawmakers would pass the bill. 

Other changes could come at the state level.

In case you’re wondering, in most other developed countries throughout the world, with a few caveats and exceptions here and there, such data is generally protected through comprehensive data protection (privacy) regulations, such as the EU General Data Protection Regulation (GDPR), the UK GDPR, Canada’s Consumer Privacy Protection Act (CPPA), and Japan’s Act on the Protection of Personal Information (APPI).

Q: Which IoT devices collect health data?

A: Great question! But you probably won’t like the answer. First, consider all the types of data that you have that can be used to reveal insights into your health. Your list may be endless. Now, think about some popular IoT devices. For example, Amazon Echo, Google Home Voice Controller, August Doorbell Cam, Kuri Mobile Robots, etc. 

Most of these are constantly listening and possibly recording everything in the environment where they are located, and/or they are connected to local Wi-Fi networks (home and business), and may be collecting (depending upon product settings and compromise of the IoT product) all data stored, collected, and/or transmitted through those networks. These consumer IoT devices are being widely used in healthcare settings and a wide range of other organizations. 



So, given that most IoT devices can listen, record, collect, process, and share basically anything in their environments, you can consider that generally, all IoT devices are potentially collectors of health data.

Frustrated, Marty sent a couple of questions about stopping spam from coming into his inbox; thank you, Marty! 

Q: I used the AOL spam blocker, but every spam I’m getting has a slightly different email address, so it seems the blocker is not effective. What else can I do?

A: Spam senders are definitely finding new ways to get around the spam filters. They are generating a unique email address for each of their millions of spam messages sent; often making the email addresses long, and changing just one character to generate many email addresses. 

For example, many spammers are using emails with 29 characters. My email address has 29 characters in addition to the @ sign and periods. Assume spammers have 10 numeric characters, 26 English language alpha characters, and 10 special symbols. That’s 46 different characters to choose from. With 46 unique characters, this would compute (if I’m doing my math correctly) to 15,470,386,989,126,114,963,203,586,696,161,525,760,000,000 different email addresses. WHOA!

A humongous number!!! That is a whole lotta spam messages! Large portions of these are phishing messages, trying to trick you into giving away your data. 

Spam blockers that look at the IP address rather than the email address are more effective.

Make sure the IP address spam blocking is through the use of the host ID portion of the IP address, not the network ID portion, which often engulfs a very wide number of email addresses, including many that you may not want to block.

Q: Also from Marty…

I received an email message, spoofing the email address of one of my “acquaintances.” The message described a problem the acquaintance had purchasing a gift card from Amazon for her niece’s birthday, and I was asked to buy it. My “friend” said she would send the address and then repay me. I wisely contacted my friend and suggested she change her password, or even get a different email address. I then got a similar request from someone else with a different friend’s name. “Who should I report this to? Is this a typical phishing event? And, what should I do to keep this from happening to me again, and others?” 

A: You can report, from anywhere in the world, to the US Federal Trade Commission, or FTC, at their site, reportfraud.ftc.gov. You can forward the email message to the FTC Anti-Phishing Working Group using [email protected]

You can also report, from anywhere in the world, to econsumer.gov. They have a section for both spam, and also for imposter scams, such as this. 

Spoofing email addresses is fairly easy. However, new tools can help identify and stop such spoofed emails from entering your inbox. 

Gmail and other email services providers, along with a growing number of spam blocking tools vendors offer Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting & Conformance (DMARC) authentication to verify email messages are authenticated. Ask your email service provider if they offer SPF, DKIM, and/or DMARC capabilities to keep spoofed emails from getting into your inbox. Remember those initialisms: SPF, DKIM, DMARC.

Good luck, Marty! And thank you for being a Privacy Professor Tips subscriber!

Q: I have 20 domains for my small business. My domain name registrar wants me to pay $10 extra per domain to protect from "domain hijacking." They then said this extra service includes things like two-factor authentication (2FA). What? I'm already using 2FA! What is domain hijacking, and can I protect against this myself? I don't want to pay $200 for something I don't really need!

A: Domain highjacking, also known as domain theft, typosquatting, and domain shadowing, occurs when someone other than the original domain name owner changes the registration, and subsequently ownership, of the domain name without the permission of the original owner.

If the domain is for a business site, the legitimate owner of the domain name can then suffer a wide variety of financial, reputational, and regulatory damages as a result of the actions of the domain highjacker. Even if your business domain is not highjacked, you could still be negatively impacted if your contracted vendors have their domains highjacked, so you should ensure they are also implementing protections against domain highjacking as part of their own third-party security management oversight practices. 

Here are some ways to protect your domains from being highjacked:

• Domain owners can check their domain registration changes regularly, such as monthly, to identify domain transfers, dispute them and reclaim them by alerting the registrar. ICANN requires a 60-day waiting period between a change in the registration information and the actual registrar transfer, so checking every 30 – 40 days should catch such highjacking attempts.  
• Many top-level domain (TLD) registries use Extensible Provisioning Protocol (EPP) to provide an authorization code exclusively to the domain registrant as a security measure to prevent unauthorized transfers. Ask your registrar if they are using this and if they are not, request that they do. 
• Protect the domain admin email account associated with the domain. For many registrars, if you lose this email account you will lose your domain. Also, keep your email from being hacked. This is where your use of two-factor authentication will be helpful, in the event someone obtains your email password. And stay aware of phishing attempts, which will often refer to your domain or website in some way. 
• Get private domain registration. This will hide from the public all your personal details, such as your name, address, phone, and admin email address. If hackers perform a WHOIS lookup for your domain name, they will then not be able to find your name, phone number, or administrative email address. Private registration provides extra security and sometimes costs a little extra, but it is worth it, for me, for the multiple security benefits. Mine costs around $4.00 per domain. 

We wish you the best in your business adventures!

Because March 1 is World Privacy and Security Help Compliment Day (see above), we want to say, “Hey! Thank you! The following information you provided helps to improve privacy and security for all. It’s very helpful! Thank you for sharing it!”

• ZDNet for their 3 Security Gadgets I Never Leave Home Without. We agree! Use them! 
• Violentiam Ventura, a Twitter user who we do not know, posted this series of tweets that provide some very helpful information about how to be as anonymous as possible on Twitter. It is great to see such tips provided by social media folks who do not appear to be privacy pros!  
• Julie Jargon at the Wall Street Journal for “How to Block Scam Calls, the Top Source of Fraud Against Older Adults. Virtual assistants, call blocking and robocall apps can keep con artists at bay.” There is some good advice in this article. However, what needs to be added is that you need to make sure you have security settings established that are the strongest possible, and also always keep in mind that artificial intelligence (AI) tools are not perfect!! In fact, some AI tools are very unreliable. It all depends on how well the AI algorithms were engineered, tested, and kept up-to-date. So don’t put all your reliance upon AI. You still need to do your own critical thinking as well when making decisions.
• Alternatives for search tools. We found this list on many social media sites, posted by different people, and none provided attribution. So, with sadness, we will attribute this to “unknown.” If anyone knows where this list originated, please let us know!  

• Sven Taylor at Restore Privacy for writing “Firefox Privacy - The Complete How-To Guide for 2023.” Very informative! 
• Washington state's Emergency Management Division for providing a guide to take a step every month for the next 12 months to be prepared for emergencies. Great advice!
• U.S. Federal Trade Commission (FTC) for bringing an action for violating The FTC Act Section 5, for unfair and deceptive business practices, and (finally, for the first time since it was enacted) for violation of the Health Breach Notification Rule that was enacted in April 2009. The actions were against GoodRX for using a variety of online tracking pixels to share health data with a wide range of third parties after promising their consumers that they would never share personal health information with advertisers or other third parties. GoodRX must pay a $1.5 million civil penalty and implement a corrective action plan (CAP) for strengthening their security and privacy programs. We also like the FTC’s, “The top scams of 2022” information. It is very informative with a lot of great stats!   
• Social Catfish for their tools and advice. They include being able to check images from profiles of people asking you to connect to them in online social media sites and groups, so you can see if the profiles are actually fraudulent.
• US Cybersecurity & Infrastructure Security Agency (CISA) for their page of free cybersecurity tools and services, for individuals and businesses.
• AARP for their advice in, "Best and Worst Things to Keep in a Safe Deposit Box."
• A few sites that provide information about GDPR privacy fines and penalties (thank you, Jo, for sending us this list and beacon suggestion).
• https://easygdpr.eu/en/gdpr-fines/
• https://gdpr-fines.inplp.com/list/
• https://www.cnil.fr/en/sanctions-issued-cnil
• https://www.dsgvo-portal.de/gdpr-fine-database/
• https://www.enforcementtracker.com/
• https://www.privacyaffairs.com/gdpr-fines/
• PoppinPod for their privacy pods. They also have ADA-compliant pods. I suggested to them, though, that it would improve privacy even more to include a wide opaque strip all around the pod in the area where the occupants would be seen speaking to more effectively protect privacy by preventing lip-reading, viewing of laptop screens, etc.

*Privacy Beacons do not necessarily indicate that an organization or person is addressing every privacy protection perfectly. It simply highlights a noteworthy example of privacy-aware practices.

Hey! Did you know that we have a Privacy & Security Brainiacs page on LinkedIn? Well, we do! Please “follow” our page. We provide a lot of news, tips, advice, and other useful information on our site. Our goal is to post 3-4 times a week. We’d love to also see your comments and thoughts on our posts. 

We now have a new page dedicated to HIPAA and healthcare news, here. This is in addition to our other three news pages for specific news topics! We also have a separate news page for IoT security and privacy news. You can see it here. And, we have news for Log4j security and privacy vulnerabilities, patches, exploits, and everything else related, here. You can also get to them all from our Privacy & Security Brainiacs News Page

We have updated and reorganized our Privacy & Security Brainiacs home page. We have also updated our “Online Learning” landing page. The courses provide real-world examples and advice, and the quiz questions support critical thinking, which results in longer-term retention of the concepts. Real-world examples help professionals identify where they need to beef up their own compliance practices. They also learn about HIPAA rights in the U.S. that they’ve never heard of before. 

We just released our latest course, “HIPAA Basics for Covered Entities 2023 Edition.” Our course includes more direct experience insights, examples, guidance, supporting supplemental materials, and more meaningful course quizzes and associated certificates of completion than other vendors. Please check it out! 

We have also created a landing page for our new Master Experts “Online Education” services.

Students of each class receive certificates of completion, showing the course name, length of the class to use for their continuing professional education (CPE) credits for the class, date completed, and any applicable information about the associated exam score. The certificates will also reflect how well students did in the class, and much, much more. Ask us about our deeply discounted beta testing user pricing.

Congratulations to Rebecca for being recognized as one of the

Top 40 Data Privacy Pioneers!

The Privacy Professor | Website

Privacy & Security Brainiacs| Website

Permission to Share



If you would like to share, please forward the Tips message in its entirety. You can share excerpts as well, with the following attribution:

Source: Rebecca Herold. March 2023 Privacy Professor Tips

www.privacysecuritybrainiacs.com.

NOTE: Permission for excerpts does not extend to images.

Privacy Notice & Communication Information

You are receiving this Privacy Professor Tips message as a result of:

1) subscribing through PrivacyGuidance.com or PrivacySecurityBrainiacs.com or

2) making a request directly to Rebecca Herold or 

3) connecting with Rebecca Herold on LinkedIn. 

When LinkedIn users invite Rebecca Herold to connect with them, she sends a direct message when accepting their invitation. That message states that in the spirit of networking and in support of the communications that are encouraged by LinkedIn, she will send those asking her to link with them her monthly Tips messages. If they do not want to receive the Tips messages, the new LinkedIn connections are invited to let Rebecca know by responding to that LinkedIn message or contacting her at [email protected]. 

If you wish to unsubscribe, just click the SafeUnsubscribe link below.