Your SlideShare is downloading. ×
0
Privacy update 04.29.2010
Privacy update 04.29.2010
Privacy update 04.29.2010
Privacy update 04.29.2010
Privacy update 04.29.2010
Privacy update 04.29.2010
Privacy update 04.29.2010
Privacy update 04.29.2010
Privacy update 04.29.2010
Privacy update 04.29.2010
Privacy update 04.29.2010
Privacy update 04.29.2010
Privacy update 04.29.2010
Privacy update 04.29.2010
Privacy update 04.29.2010
Privacy update 04.29.2010
Privacy update 04.29.2010
Privacy update 04.29.2010
Privacy update 04.29.2010
Privacy update 04.29.2010
Privacy update 04.29.2010
Privacy update 04.29.2010
Privacy update 04.29.2010
Privacy update 04.29.2010
Privacy update 04.29.2010
Privacy update 04.29.2010
Privacy update 04.29.2010
Privacy update 04.29.2010
Privacy update 04.29.2010
Privacy update 04.29.2010
Privacy update 04.29.2010
Privacy update 04.29.2010
Privacy update 04.29.2010
Privacy update 04.29.2010
Privacy update 04.29.2010
Privacy update 04.29.2010
Privacy update 04.29.2010
Privacy update 04.29.2010
Privacy update 04.29.2010
Privacy update 04.29.2010
Privacy update 04.29.2010
Privacy update 04.29.2010
Privacy update 04.29.2010
Privacy update 04.29.2010
Privacy update 04.29.2010
Privacy update 04.29.2010
Privacy update 04.29.2010
Privacy update 04.29.2010
Privacy update 04.29.2010
Privacy update 04.29.2010
Privacy update 04.29.2010
Privacy update 04.29.2010
Privacy update 04.29.2010
Privacy update 04.29.2010
Privacy update 04.29.2010
Privacy update 04.29.2010
Privacy update 04.29.2010
Privacy update 04.29.2010
Privacy update 04.29.2010
Privacy update 04.29.2010
Privacy update 04.29.2010
Privacy update 04.29.2010
Privacy update 04.29.2010
Privacy update 04.29.2010
Privacy update 04.29.2010
Privacy update 04.29.2010
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Privacy update 04.29.2010

709

Published on

Privacy Update Slide deck

Privacy Update Slide deck

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
709
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
7
Comments
0
Likes
0
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. Privacy Law Update: Red Flags, HITECH & the New Massachusetts Data Privacy Regulations
    Stephen E. Meltzer, Esquire, CIPP
  • 2. Privacy Law:
  • 3. HIPAA, ARRA and HITECH
    Red Flags
    201 CMR 17.00
  • 4.
  • 5. ?
  • 6.
  • 7. HIPAA, ARRA & HITECH
    Health Insurance Portability & Accountability Act of 1996
    Not HIPPA (Health Insurance Portability Prevention Act)
    American Recovery & Reinvestment Act
    Health Information Technology for Economic and Clinical Health
  • 8. HITECH Requirements
    Expands the definitions of “business associates.” 
    Mandates that HIPAA security standards that apply to health plans and health care providers will also apply directly to business associates.
    Establishes new security breach notice requirements.
    Entitles individuals to electronic copies of health information. 
    Calls for regulations regarding the sale of electronic health records and protected health information by mid-August, 2010.
  • 9. Business Associates
    “Business associates” are persons and organizations (typically subcontractors) that perform activities involving the use or disclosure of individually identifiable health information, such as claims processing, data analysis, quality assurance, billing, and benefit management, as well as those who provide legal, accounting, or administrative functions. 45 CFR §160.103. The HITECH Act adds as “business associates” organizations that transmit protected health information and require access on a routine basis to such information. See 42 USC §17938.
  • 10. Business Associates
    Subject to the administrative, physical, and technical security requirements of HIPAA, must implement appropriate policies and procedures, and must document their security activities. Penalties for violating these HIPAA procedures will apply to business associates, just as they now do to health plans and health care providers. 42 USC §17931.
  • 11. Breach Notification
    a health plan or health care provider that accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured protected health information and discovers a breach of the information to notify each individual whose health information has been, or is reasonably believed to have been, accessed, acquired, or disclosed as a result of the breach. 42 USC §17932(a). Business associates will also be required to give notice of such a data breach to the health plan or health care provider, and will need to identify each individual whose unsecured protected health information was illegally accessed, acquired, or disclosed. 42 USC §17932(b). The health plan, health care provider, or business associate will be required to give notice of the breach without unreasonable delay, and no later than 60 calendar days after its discovery. 42 USC §17932(d). Notice must be provided by first-class mail to individuals at their last known address, or, if specified by the individual, via e-mail. 42 USC §17932(e)(1).
  • 12. http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/index.html
  • 13. Individual Patient Rights
    Individuals are entitled to copies of their health information in electronic format from any health plan or health care provider that uses or maintains electronic health records. An individual will be able to direct the health plan or health care provider to transmit the copy directly to anyone he or she designates. Fees for providing this service must not be greater than the entity’s labor costs. 42 USC 17935(e).
  • 14. Authorization
    The HITECH Act will prohibit a health plan, health care provider, or business associate from receiving payment for an individual’s protected health information without authorization from the individual. 42 USC §17935(d).
  • 15. New Penalties
    Increased Civil Penalties
    ARRA creates the following "tiers" of penalties:
    A violation without knowledge of the violation - $100 per violation, with an annual maximum amount of $25,000 in penalties.
    A violation that is due to reasonable cause - $1,000 per violation, with an annual maximum amount of $100,000 in penalties.
    A violation that is due to willful neglect - $10,000 per violation, with an annual maximum amount of $1,500,000 in penalties.
  • 16. New Enforcement
    State Attorneys General now have the authority to file suit in federal court against any person or entity that is accused of violating HIPAA in a manner that the Attorney General has reason to believe adversely affected any resident of that Attorney General's respective state.
  • 17. RED FLAGS
    June 1, 2010
  • 18. Red Flags – Who Must Comply?
    The Red Flags Rules apply to “financial institutions” and “creditors” with “covered accounts.”
  • 19. Red Flags – Financial Institutions
    State or national bank, a state or federal savings and loan association, a mutual savings bank, a state or federal credit union, or any other entity that holds a “transaction account” belonging to a consumer. Most of these institutions are regulated by the Federal bank regulatory agencies and the NCUA. Financial institutions under the FTC’s jurisdiction include state-chartered credit unions and certain other entities that hold consumer transaction accounts.
  • 20. Red Flags – Transaction Account
    A transaction account is a deposit or other account from which the owner makes payments or transfers. Transaction accounts include checking accounts, negotiable order of withdrawal accounts, savings deposits subject to automatic transfers, and share draft accounts.
  • 21. Red Flags - Creditor
    Any entity that regularly extends, renews, or continues credit; any entity that regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who is involved in the decision to extend, renew, or continue credit. Accepting credit cards as a form of payment does not in and of itself make an entity a creditor. Creditors include finance companies, automobile dealers, mortgage brokers, utility companies, and telecommunications companies. Where non-profit and government entities defer payment for goods or services, they, too, are to be considered creditors. 
  • 22. Red Flags – Covered Account
    An account used mostly for personal, family, or household purposes, and that involves multiple payments or transactions. Covered accounts include credit card accounts, mortgage loans, automobile loans, margin accounts, cell phone accounts, utility accounts, checking accounts, and savings accounts. A covered account is also an account for which there is a foreseeable risk of identity theft – for example, small business or sole proprietorship accounts
  • 23. Red Flags – Exempt?
    Only Lawyers
    FTC has filed a Notice of Appeal
     Judge Walton is reported to have questioned whether the term could be interpreted so broadly as to render a plumber who bills a customer after performing his work a "creditor" within the meaning of the Rule.
    CPA’s have filed a lawsuit
  • 24. Red Flags - Requirements
    Develop a written program that identifies and detects the relevant warning signs – or “red flags” – of identity theft. These may include, for example, unusual account activity, fraud alerts on a consumer report, or attempted use of suspicious account application documents. The program must also describe appropriate responses that would prevent and mitigate the crime and detail a plan to update the program. The program must be managed by the Board of Directors or senior employees of the financial institution or creditor, include appropriate staff training, and provide for oversight of any service providers.
  • 25. Red Flags – Requirements – suggested “Starting Points”
    alerts, notifications, or warnings from a consumer reporting agency;
    suspicious documents;
    suspicious personally identifying information, such as a suspicious address;
    unusual use of – or suspicious activity relating to – a covered account; and
    notices from customers, victims of identity theft, law enforcement authorities, or other businesses about possible identity theft in connection with covered accounts.
  • 26. Red Flags - Penalties
    • $3,500 per violation
    • 27. No private right of action
  • http://www.ftc.gov/bcp/edu/microsites/redflagsrule/index.shtml
  • 28. 201 CMR 17.00
    Massachusetts Data Privacy Regulations
    Effective March 1, 2010.
  • 29. New Mandate:
    PI = PI
    Personal Information = Privacy Infrastructure
  • 30.
  • 31. Scope of Rules
  • 32. Scope of Rules
    Covers ALL PERSONS that own or license personal information about a Massachusetts resident
    Need not have operations in Massachusetts
    Financial institutions, health care and other regulated entities not exempt
  • 33. Scope of Rules
    “Personal information”
    Resident’s first and last name or first initial and last name in combination with
    SSN
    Driver’s license or State ID, or
    Financial account number or credit/debit card that would permit access to a financial account
  • 34. Three Requirements
    1.Develop, implement, maintain and maintain a comprehensive, written information security program that meets very specific requirements (cWISP)
    2.Heightened information security meeting specific computer information security requirements
    3.Vendor Compliance
    (Phase-in)
  • 35. Evaluating Compliance(not Evaluating Applicability)
    Appropriate
    Size of business
    Scope of business
    Type of business
    Resources available
    Amount of data stored
    Need for security and confidentiality
    Consumer and employee information
  • 36. Evaluating Compliance(not Evaluating Applicability)
    “The safeguards contained in such program must be consistent with the safeguards for protection of personal information and information of a similar character set forth in any state or federal regulations by which the person who owns or licenses such information may be regulated.”
  • 37. Enforcement
    Litigation and enforcement by the Massachusetts Attorney General
    Massachusetts law requires notice to Attorney General of any breach, in addition to affected consumers
    Attorney General likely to investigate based on breach reports
    No explicit private right of action or penalties
  • 38. Comprehensive WrittenInformation SecurityProgram
    201 CMR 17.03
  • 39. Information SecurityProgram
    “[D]evelop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards”
  • 40. Comprehensive Information Security Program201 CMR 17.03 (2)(a) through (j)
    a. Designate
    b. Identify
    c. Develop
    d. Impose
    e. Prevent
    Oversee
    Restrict
    Monitor
    Review
    Document
  • 41. Comprehensive Information Security Program
    (a) Designate an employee to maintain the WISP.
    (b) Identify and assess reasonably foreseeable risks (Internal and external).
    (c) Develop security policies for keeping, accessing and transporting records.
    (d) Impose disciplinary measures for violations of the program.
    (e) Prevent access by terminated employees.
    (f) Oversee service providers and contractually ensure compliance.
    (g) Restrict physical access to records.
    (h) Monitor security practices to ensure effectiveness and make changes if warranted.
    (i) Review the program at least annually.
    (j) Document responsive actions to breaches.
  • 42. Comprehensive Information Security Program
    Third Party Compliance
    1. Taking reasonable steps to select and retain third-party service providers that are capable of maintaining appropriate security measures to protect such personal information consistent with these regulations and any applicable federal regulations; and
    2. Requiring such third-party service providers by contract to implement and maintain such appropriate security measures for personal information
  • 43. Comprehensive Information Security Program
    Third Party Compliance
    Contracts entered “no later than” March 1, 2010:
    Two – year phase-in.
    Contracts entered into “later than” March 1, 2010:
    Immediate compliance.
  • 44. Comprehensive Information Security Program
    “INDUSTRY STANDARDS”
  • 45. Breach Reporting
    G.L. c. 93H § 3
  • 46. Breach Reporting
    Breach of security –
    “the unauthorized acquisition or unauthorized use of unencrypted data or, encrypted electronic data and the confidential process or key that is capable of compromising the security, confidentiality, or integrity of personal information, maintained by a person or agency that creates a substantial risk of identity theft or fraud against a resident of the commonwealth. A good faith but unauthorized acquisition of personal information by a person or agency, or employee or agent thereof, for the lawful purposes of such person or agency, is not a breach of security unless the personal information is used in an unauthorized manner or subject to further unauthorized disclosure.”
  • 47. Breach Reporting
    Possessor must give notice of
    Breach of Security
    Unauthorized Use or Acquisition
    To Owner/Licensor of Information
    Owner/Licensor must give notice of
    Breach of Security
    Unauthorized Use or Acquisition
    To –
    Attorney General
    Office of Consumer Affairs
    Resident
  • 48. Breach Reporting
    “The notice to the Attorney General and the Director of Consumer Affairs and Business Regulation shall include, but not be limited to:
    the nature of the breach of security or the unauthorized acquisition or use;
    the number of Massachusetts residents affected by such incident at the time of notification; and
    any steps the person or agency has taken or plans to take relating to the incident.”
  • 49. Sample Breach Notification Letter
    http://www.mass.gov/Cago/docs/Consumer/93h_sampleletter_ago.pdf
  • 50. Breach Reporting
    Stop
    Be afraid
    Call for help
  • 51. Computer System SecurityRequirements
    201 CMR 17.04
  • 52. Electronic Requirements201 CMR 17.04
    • Laptop and mobile device encryption
    • 53. Security patches and firewalls
    • 54. System security agents
    • 55. IT Security user awareness
    Use authentication protocols
    Secure access controls
    Encryption of transmittable records
    Mentoring systems
  • 56. User Authentication Protocols
    Control of user IDs
    Secure password selection
    Secure or encrypted password files
    User accounts blocked for unusual logon attempts
    Examples:
    Passwords should be at least 9 characters, alpha numeric with special characters
    After 3 attempts to login users are blocked access
  • 57. Secure Access Control Measures
    Permit “access” on a need to know basis
    Password protect account and login to determine level of access
    Example:
    Network Access Control Software/Hardware
    Consentry
    Sophos
    Audit control who is accessing what and when?
  • 58. Encryption of Transmitted Records
    Encryption of personal information accessed over a public network
    Tunneling options (VPN)
    Faxes, VOIP, phone calls
    Encryption of PI on wireless
    Bluetooth, WEP, Wifi
    Encryption definition if very broad
    Examples:
    PGP and Utimaco are encryption technologies
  • 59. Monitoring of Systems
    Require systems to detect unauthorized use of, access to personal information
    Some existing user account based on systems will already comply
    Examples:
    Again, Network Access Control
    Audit controls
  • 60. Laptop and Mobile Device Encryption
    Encryption of PI stored on laptops
    Applies regardless of laptop location
    Encryption of PI stored on “mobile” devices
    Does incoming email become a problem?
    This applies only if you have data in motion of personal information.
    Email is clear text. So anyone can read any ones email on the internet.
  • 61. Security Patches and Firewalls
    “Reasonably up-to-date firewall protection and operating systems patches” for Internet connected computers
    Date on operating systems
    All organizations should have a firewall in place (not a router a firewall)
    Can hire an organization to update and manage the security infrastructure:
    Firewall
    Anti-virus
    Patches…
  • 62. Systems Security Agent Software
    Malware is what is infecting most enviroments. HTTP and HTTPS traffic.
    Your users are your worst enemy
    Products to look at for Malware
    TrendMicro
    Websense
    Webwasher
    Anti-malware technology required
    Are certain products better?
    What about MACs or Linux?
    Set to receive auto-updates
  • 63. Employee Education and IT Security Training
    Proper training on all IT security policies
    User awareness
    Importance of PI security
    Proper use of the computer
    Everyone is involved
    Your employees are your weakest link to any IT security program.
    They need to know the rules.
    Suggestions:
    Stand up training
    News Letters
    Programs
    Online training
  • 64. The Approach
    Inventory type of personal information is being kept
    Assess risk
    Plan information security strategy
    Data
    Security, Confidentially, Integrity
    IT infrastructure and information change processes
    Implement, plan and policies
    Technology deployment
    Policy implementation
    User awareness
    Continual review
    Security is all about vigilance…
    Compliance is knowing what you need to protect and building a fortress around it and testing it on a frequent basis!
  • 65. Data Destruction
    G.L. c. 93I
  • 66. Data Destruction (93I)
    Paper documents/ electronic Media:
    Redact, Burn, Pulverize, Shred
    So that Personal Information cannot be read or reconstructed
  • 67. Data Destruction (93I)
    Violations:
    Attorney General: Unfair and Deceptive Practices remedies - 93H
    Civil Fine-$100/data subject not to exceed $50,000/instance – 93I
  • 68. What To Do Now
  • 69. Thank You
    Meltzer Law Offices
    http://www.meltzerlaw.com
    508.872-0000

×