Texas Privacy Laws - Tough New Changes



Overview of principal Texas privacy laws and amendments that became effective September 1, 2012. Some say the new Texas law is tougher than federal HIPAA laws.



  1. Texas Privacy Laws: Tough New Changes
  2. Speaker
     James F. Brashear, General Counsel, Zix Corporation
     Jim Brashear is a member of the Bar of the United States Supreme Court, the California Bar Association and the State Bar of Texas. He frequently appears as a public speaker on corporate governance, data security and information technology legal topics. He currently serves the Association of Corporate Counsel on its Information Technology, Privacy & Electronic Commerce Committee as Programs Co-Chair and Cloud/SaaS Co-Chair. He received a Juris Doctorate degree, magna cum laude, from the University of San Diego School of Law, and a Bachelor of Arts degree in political science from the University of California at San Diego.
     Twitter: @jfbrashear
     This program is for educational purposes only. The content does not constitute legal advice. No attorney-client relationship is created by your participation.
  3. Overview
     Texas recently amended privacy laws protecting:
     – Protected Health Information (PHI)
     – Sensitive Personal Information (SPI)
     A business may be simultaneously subject to:
     – Texas Identity Theft Enforcement and Protection Act
     – Texas Medical Records Privacy Act
     – HIPAA and HITECH
     New amendments:
     – Broaden scope of Texas privacy laws
     – Add new requirements
     – Impose new penalties
     New medical privacy laws are stricter than HIPAA
  4. Two Principal Texas Privacy Statutes
     – Identity Theft Enforcement and Protection Act
     – Medical Records Privacy Act
  5. Identity Theft Enforcement and Protection Act
     Business and Commerce Code Chapter 521
     http://www.statutes.legis.state.tx.us/Docs/BC/htm/BC.521.htm
     Amended by H.B. No. 300, effective September 1, 2012
     http://www.capitol.state.tx.us/tlodocs/82R/billtext/pdf/HB00300F.pdf
  6. Broad Scope
     Applies to virtually all businesses operating in Texas
     – Includes most healthcare businesses
     – Specifically includes nonprofit athletic or sports associations
     – Excludes financial institutions under the Gramm-Leach-Bliley Act
     Focus: It is not clear how the Act will be applied to:
     • SPI stored outside Texas
     • Non-Texas business SPI stored in Texas
     • Non-Texas business SPI of Texas residents
  7. Duty to Protect Sensitive Personal Information
     Business and Commerce Code §521.052
     Business must use reasonable procedures to protect from unlawful use or disclosure any sensitive personal information collected or maintained in its regular course of business
     Focus: In contrast to Massachusetts 201 CMR 17.01, Texas does not mandate encryption, but Texas does:
     • exclude some encrypted data completely
     • exclude encrypted data from data breach notice rules
     • mitigate penalties if data was encrypted
  8. Sensitive Personal Information
     §521.002(a)(2) defines two types of SPI:
     1. Personal identifying information
        An individual's first name or first initial + their last name + any of the following:
        – social security number
        – driver's license number
        – government-issued identification number, or
        – account number or credit or debit card number plus any financial account security code, access code, or password
        Encryption exclusion for this type: if the name and the listed items are encrypted, then they are not treated as SPI at all
     Tip: Encrypt all sensitive data, at rest and in motion
  9. Sensitive Personal Information
     §521.002(a)(2) defines two types of SPI:
     2. Medical identifying information
        Information that identifies an individual and relates to their:
        – physical or mental health or condition
        – provision of health care, or
        – payment for provision of health care
        No encryption exclusion for this type:
        – Treated as SPI even if encrypted
        – But there is an encryption safe harbor from data breach notification
        – Consistent with HIPAA
     Tip: Encrypt all sensitive data, at rest and in motion
  10. Data Breach from Unauthorized Acquisition
     §521.053(a) defines Breach of System Security: unauthorized acquisition of computerized data that compromises SPI security, confidentiality or integrity
     Safe harbor for encrypted data:
     – No data breach results from unauthorized acquisition of encrypted data unless the decryption key was also acquired
     – No notification required
     Focus: The statute does not require a business to monitor its systems to detect a data breach
     Tip: Encrypt all sensitive data, at rest and in motion
  11. Data Breach from Authorized Access
     Data breach can result from unauthorized use or disclosure of SPI by an employee or agent
     – Even if their acquisition was authorized and in good faith
     – Even if their use or disclosure was not unlawful
     Safe harbor for encrypted data applies here, too
     Focus: Recent court decisions held that unauthorized use or disclosure of data by employees or agents did not violate the Computer Fraud and Abuse Act where their access to the data was authorized
  12. Long Arm Duty to Notify
     Must disclose data breach to any individual whose SPI is reasonably believed to have been acquired
     – Act formerly required notice to Texas residents only
     Deference to other states' laws:
     – Texas law is satisfied by notice provided under the data breach law of states where affected individuals reside
     – Texas law mandates a notice when the data breach laws of those other states do not
     Focus: Contrast MA privacy law 201 CMR 17.00, which applies to data of MA residents no matter where it is held
  13. Timing of Notification
     Must disclose data breach as quickly as possible
     Two permitted reasons for delay:
     1. As necessary to determine the scope of the breach and restore the reasonable integrity of the data system
     2. At the request of a law enforcement agency
        – Only if that agency determined notification will impede a criminal investigation
        – Must provide notice as soon as that agency later determines notification will not compromise the investigation
     Focus: It is not clear how "impede" differs from "compromise"
     Focus: It is not clear how a business is expected to know if or when the agency makes its determinations
  14. Form of Notification
     Business may notify affected individuals by written notice or electronic notice
     Three exceptions:
     1. If the business can demonstrate any of:
        – cost > $250,000
        – number of affected persons > 500,000
        – insufficient contact information
        then it may give notice by any of:
        – email
        – conspicuous posting on the business' website
        – notice via major statewide media
  15. Form of Notification (cont.)
     2. If the business:
        – maintains its own SPI security policy notification procedures, and
        – its procedures meet the statute's notice timing requirements,
        then notice under that policy satisfies the statute
     Tip: Maintain an SPI security policy with notification procedures consistent with Texas data breach notice law
  16. Form of Notification (cont.)
     3. If the business is required by the Act to notify > 10,000 persons at one time, then the business must, without unreasonable delay, also notify each nationwide consumer reporting agency of the:
        – notice timing
        – notice distribution
        – notice content
  17. Duty to Destroy Sensitive Personal Information
     Must destroy or arrange for destruction of customer records containing SPI which are not going to be retained
     Destruction methods:
     – Shred
     – Erase
     – Make SPI unreadable or indecipherable (e.g., encryption)
  18. Penalties
     §521.151: civil penalties and injunctions
     – Restraining order for conduct that violates the Act
     – $2,000 to $50,000 per violation
     – $100 per individual for each consecutive day of unreasonable delay in providing notice of a data breach, capped at $250,000 per data breach
  19. Two Principal Texas Privacy Statutes
     – Identity Theft Enforcement and Protection Act
     – Medical Records Privacy Act
  20. Texas Medical Records Privacy Act
     Health & Safety Code Chapter 181
     http://www.statutes.legis.state.tx.us/Docs/HS/htm/HS.181.htm
     Amended by H.B. No. 300, effective September 1, 2012
     http://www.capitol.state.tx.us/tlodocs/82R/billtext/pdf/HB00300F.pdf
  21. Both HIPAA and Texas MRA May Apply
     §181.004 refers to applicability of Texas and federal law
     Texas MRA refers to Covered Entity as defined in both:
     – 45 C.F.R. §160.103: must comply with HIPAA and its Privacy Standards
     – Texas Health & Safety Code §181.001(b)(2): must comply with Texas MRA*
     A business might be a:
     – Texas Covered Entity even if not a HIPAA Covered Entity
     – Covered Entity under both laws
     Tip: Consider standardizing compliance programs to meet the most restrictive applicable requirement
     * Subject to the partial exemptions under §181.051
  22. Covered Entity Broader Than HIPAA
     §181.001(b)(2) expansively defines Covered Entity
     Generally includes persons who assemble, collect, analyze, use, evaluate, store, transmit, obtain or come into possession of PHI
     – Includes their employees, agents, and contractors who create, receive, obtain, maintain, use or transmit PHI
     – Includes a business associate, health care payer, governmental unit, information or computer management entity, school, health researcher, health care facility, clinic, health care provider, and person who maintains an Internet site
     Unlike HIPAA, no exception for conduit entities that only transmit PHI
     – E.g., couriers
  23. Limited Exemptions
     Subchapter B offers a few exemptions. For example:
     – §181.051 makes employers, and entities defined in the Insurance Code, subject only to Subchapter D (Prohibited Acts)
     – §181.052 exempts certain financial institution activities, such as payment processing
     – §181.054 exempts workers' compensation activities
  24. More Training Than HIPAA
     §181.101 requires Covered Entity to provide and record employee training in PHI protection laws
     Content:
     – Must cover federal and Texas laws concerning PHI
     – Tailored for the Covered Entity's business and the employee's responsibilities
     Timing:
     – New employee: within 60 days after hire
     – Existing employee: not specified
     – All employees: recurring every two years
     – HIPAA requires training within a reasonable amount of time after hire and when there are material changes in privacy policies
     Record-keeping:
     – Must require employees attending training to sign (can be electronic or written) a statement verifying attendance
     – Must maintain the signed statements (no time limit)
     Tip: Combine with training on policies and procedures
  25. EHR Access, Notice and Consent
     §181.102: Must give patient an electronic copy of EHR within 15 business days of written request
     – HIPAA allows 30 days
     §181.154: Must notify individuals that PHI is subject to electronic disclosure
     – Can be satisfied by posting in the place of business, on the website or in any other place those individuals are likely to see the notice
     §181.154: Must get consent for each electronic disclosure of PHI
     – Consent can be electronic or written
     – Texas AG is to develop a standard form
     – Not required if disclosed to a Covered Entity for treatment, payment, health care operations, insurance or HMO functions, or as authorized or required by law
     Tip: Add website notice of electronic disclosure of PHI
  26. Sale of PHI
     §181.153: Covered Entity generally cannot disclose PHI for direct or indirect remuneration
     – Except to another Covered Entity for treatment, payment, health care operations, insurance or HMO functions, or as authorized or required by federal or state law
     – Remuneration for disclosing PHI for the purpose of performing an insurance or HMO function described by Insurance Code §602.053 cannot exceed the reasonable cost of preparing or transmitting the PHI
     – No remuneration cap otherwise
     §181.152 generally requires clear, unambiguous consent to use or disclose PHI for marketing
  27. Audits
     §181.206 authorizes Texas authorities to monitor HIPAA compliance
     – Can ask U.S. HHS to audit HIPAA Covered Entities in Texas
     – Must monitor and review the results of all U.S. HHS audits of HIPAA covered entities in Texas
     If Texas MPA violations are egregious and constitute a pattern or practice, §181.206 authorizes Texas HHS to:
     – Require Covered Entity to submit results of any risk analysis required by 45 C.F.R. §164.308(a)(1)(ii)(A)
     – Ask the Texas agency that licenses the Covered Entity to conduct an audit to determine compliance with Texas MPA
     Texas HHS must report the number of audits to the legislature annually
  28. Increased Penalties
     §181.201 authorizes Texas AG to institute court actions to impose civil penalties for Texas MPA violations
     – Texas AG incentivized by ability to retain a portion of penalties
     – Texas AG cannot institute an action against a Covered Entity licensed by Texas unless the licensing agency refers the violation to the Texas AG
     Annual penalties up to:
     – $5,000 per negligent violation
     – $25,000 per knowing or intentional violation
     – $250,000 per knowing or intentional violation if PHI is used for financial gain
     Those penalties are capped at $250,000 annually if all of the following apply:
     – For disclosure of electronic PHI in violation of §181.154
     – Made only to a Covered Entity
     – Made only for a purpose permitted by §181.154(c)
     – A court finds any of the following:
       • The PHI was encrypted
       • The recipient did not use or release the PHI
       • At the time the PHI was disclosed, the Covered Entity had security procedures, including PHI training for employees
  29. Increased Penalties (cont.)
     §181.201 authorizes a court to assess a civil penalty of up to $1.5 million annually for violations that constitute a pattern or practice
     – Formerly capped at $250,000
     Court must consider in determining the amount of penalties:
     – the seriousness of the violation
     – if the violation poses a significant risk of financial, reputational or other harm to an individual whose PHI is involved
     – if Covered Entity was certified by Texas Health Services Authority for compliance with electronic PHI sharing standards
     – deterrence
     – compliance history
     – efforts to correct the violation
     – good faith compliance efforts
     Federal and Texas penalties both may apply
     Injunctions, administrative penalties, license actions, and Texas program bans may also apply
  30. Key Recommendations
     A business may benefit from:
     – Written policies to protect Sensitive Personal Information and Protected Health Information
     – Written procedures to protect SPI and PHI
     – Written procedures for data breach response
     – Annual privacy risk and data breach insurance coverage analysis
     – Monitoring and auditing privacy and data security procedures
     – Recurring privacy law training for employees and contractors
     – Revising HIPAA Business Associate Agreements to cover state laws
     – Revising written privacy policies to reflect amended state laws
     – Updating privacy notices
     – Encrypting SPI and PHI while at rest and in motion
  31. Questions
     This program is for educational purposes only. The content does not constitute legal advice. No attorney-client relationship is created by your participation.