Privacy Law Update: Red Flags, HITECH & the New Massachusetts Data Privacy Regulations Stephen E. Meltzer, Esquire, CIPP
Privacy Law:
HIPAA, ARRA and HITECH
Red Flags
201 CMR 17.00
HIPAA, ARRA & HITECH
HIPAA: Health Insurance Portability & Accountability Act of 1996. Not "HIPPA": there is no "Health Insurance Portability Prevention Act"; the double-P spelling is a common error.
ARRA: American Recovery & Reinvestment Act of 2009.
HITECH: Health Information Technology for Economic and Clinical Health Act (Title XIII of ARRA).
HITECH Requirements
- Expands the definition of "business associates."
- Mandates that the HIPAA security standards that apply to health plans and health care providers also apply directly to business associates.
- Establishes new security breach notice requirements.
- Entitles individuals to electronic copies of their health information.
- Calls for regulations regarding the sale of electronic health records and protected health information by mid-August 2010.
Business Associates “Business associates” are persons and organizations (typically subcontractors) that perform activities involving the use or disclosure of individually identifiable health information, such as claims processing, data analysis, quality assurance, billing, and benefit management, as well as those who provide legal, accounting, or administrative functions. 45 CFR §160.103. The HITECH Act adds as “business associates” organizations that transmit protected health information and require access on a routine basis to such information. See 42 USC §17938.
Business Associates Subject to the administrative, physical, and technical security requirements of HIPAA, must implement appropriate policies and procedures, and must document their security activities. Penalties for violating these HIPAA procedures will apply to business associates, just as they now do to health plans and health care providers. 42 USC §17931.
Breach Notification: HITECH requires a health plan or health care provider that accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured protected health information, and that discovers a breach of that information, to notify each individual whose health information has been, or is reasonably believed to have been, accessed, acquired, or disclosed as a result of the breach. 42 USC §17932(a). Business associates are also required to give notice of such a breach to the health plan or health care provider, and must identify each individual whose unsecured protected health information was accessed, acquired, or disclosed without authorization. 42 USC §17932(b). The health plan, health care provider, or business associate must give notice of the breach without unreasonable delay, and no later than 60 calendar days after its discovery. 42 USC §17932(d). Notice must be provided by first-class mail to individuals at their last known address or, if the individual has so specified, by e-mail. 42 USC §17932(e)(1).
"Unsecured" is the operative word for the security team: it means protected health information that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through a technology or methodology specified in HHS guidance (in practice, encryption meeting that guidance, or destruction). 42 USC §17932(h). Loss of PHI encrypted to the HHS guidance, where the key is not also compromised, is outside the notification duty; loss of unencrypted PHI is not.
http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/index.html
Individual Patient Rights Individuals are entitled to copies of their health information in electronic format from any health plan or health care provider that uses or maintains electronic health records. An individual will be able to direct the health plan or health care provider to transmit the copy directly to anyone he or she designates. Fees for providing this service must not be greater than the entity’s labor costs. 42 USC 17935(e).
Authorization The HITECH Act will prohibit a health plan, health care provider, or business associate from receiving payment for an individual’s protected health information without authorization from the individual. 42 USC §17935(d).
New Penalties: Increased Civil Penalties
ARRA/HITECH creates tiers of civil penalties keyed to culpability (42 USC §1320d-5(a)(3)). The figures below are the statutory minimums per tier:
- Violation without knowledge of the violation: $100 per violation, with an annual maximum of $25,000 for violations of an identical provision.
- Violation due to reasonable cause: $1,000 per violation, with an annual maximum of $100,000.
- Violation due to willful neglect that is corrected within 30 days of discovery: $10,000 per violation, with an annual maximum of $250,000.
- Violation due to willful neglect that is not corrected: $50,000 per violation, with an annual maximum of $1,500,000.
Under the HHS enforcement rule (45 CFR §160.404), a penalty in any tier may reach $50,000 per violation and $1,500,000 per calendar year for violations of an identical provision.
New Enforcement State Attorneys General now have the authority to file suit in federal court against any person or entity that is accused of violating HIPAA in a manner that the Attorney General has reason to believe adversely affected any resident of that Attorney General's respective state.
RED FLAGS (FTC enforcement date as of this presentation: June 1, 2010)
Red Flags – Who Must Comply? The Red Flags Rules apply to “financial institutions” and “creditors” with “covered accounts.”
Red Flags – Financial Institutions State or national bank, a state or federal savings and loan association, a mutual savings bank, a state or federal credit union, or any other entity that holds a “transaction account” belonging to a consumer. Most of these institutions are regulated by the Federal bank regulatory agencies and the NCUA. Financial institutions under the FTC’s jurisdiction include state-chartered credit unions and certain other entities that hold consumer transaction accounts.
Red Flags – Transaction Account A transaction account is a deposit or other account from which the owner makes payments or transfers. Transaction accounts include checking accounts, negotiable order of withdrawal accounts, savings deposits subject to automatic transfers, and share draft accounts.
Red Flags – Creditor: Any entity that regularly extends, renews, or continues credit; any entity that regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who is involved in the decision to extend, renew, or continue credit. Accepting credit cards as a form of payment does not in and of itself make an entity a creditor. Creditors include finance companies, automobile dealers, mortgage brokers, utility companies, and telecommunications companies. Where non-profit and government entities defer payment for goods or services, they, too, are considered creditors.
Red Flags – Covered Account: An account used mostly for personal, family, or household purposes that involves multiple payments or transactions. Covered accounts include credit card accounts, mortgage loans, automobile loans, margin accounts, cell phone accounts, utility accounts, checking accounts, and savings accounts. A covered account is also any other account for which there is a reasonably foreseeable risk of identity theft, for example small business or sole proprietorship accounts.
Red Flags – Exempt? So far, only lawyers. In ABA v. FTC (D.D.C. 2009), Judge Walton held that the FTC could not apply the Rule to practicing attorneys; he is reported to have questioned whether the term "creditor" could be interpreted so broadly as to make a plumber who bills a customer after performing the work a creditor within the meaning of the Rule. The FTC has filed a notice of appeal. The CPAs (AICPA) have filed a similar lawsuit.
Red Flags – Requirements: Develop a written program that identifies and detects the relevant warning signs (the "red flags") of identity theft. These may include, for example, unusual account activity, fraud alerts on a consumer report, or attempted use of suspicious account application documents. The program must also describe appropriate responses that would prevent and mitigate the crime and detail a plan to update the program. The program must be managed by the board of directors or senior employees of the financial institution or creditor, include appropriate staff training, and provide for oversight of any service providers.
Red Flags – Requirements – Suggested "Starting Points":
- alerts, notifications, or warnings from a consumer reporting agency;
- suspicious documents;
- suspicious personally identifying information, such as a suspicious address;
- unusual use of, or suspicious activity relating to, a covered account; and
- notices from customers, victims of identity theft, law enforcement authorities, or other businesses about possible identity theft in connection with covered accounts.
Red Flags – Penalties: No private right of action.
201 CMR 17.00 Massachusetts Data Privacy Regulations Effective March 1, 2010.
New Mandate: PI = PI Personal Information = Privacy Infrastructure
Scope of Rules
Covers ALL PERSONS that own or license personal information about a Massachusetts resident. The person need not have operations in Massachusetts. Financial institutions, health care and other regulated entities are not exempt.
"Personal information": a resident's first and last name, or first initial and last name, in combination with any one or more of: Social Security number; driver's license or state-issued ID number; or financial account number or credit/debit card number (with or without any required security code, access code, PIN or password) that would permit access to the resident's financial account.
Three Requirements
1. Develop, implement and maintain a comprehensive written information security program (WISP) that meets very specific requirements.
2. Heightened computer system security meeting specific technical requirements (201 CMR 17.04).
3. Vendor compliance (phased in for existing contracts).
Evaluating Compliance (not Evaluating Applicability): The program must be appropriate to the size, scope and type of business; the resources available; the amount of data stored; and the need for security and confidentiality of both consumer and employee information.
"The safeguards contained in such program must be consistent with the safeguards for protection of personal information and information of a similar character set forth in any state or federal regulations by which the person who owns or licenses such information may be regulated."
Enforcement: Litigation and enforcement by the Massachusetts Attorney General. Massachusetts law requires notice of any breach to the Attorney General (and the Office of Consumer Affairs and Business Regulation), in addition to affected consumers, and the Attorney General is likely to investigate based on breach reports. The regulation itself contains no explicit private right of action or penalty schedule; the Attorney General enforces it through actions under G.L. c. 93A (G.L. c. 93H § 6).
Comprehensive Written Information Security Program, 201 CMR 17.03
Information Security Program: "[D]evelop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards"
Comprehensive Information Security Program, 201 CMR 17.03(2)(a) through (j): Designate, Identify, Develop, Impose, Prevent, Oversee, Restrict, Monitor, Review, Document.
(a) Designate an employee to maintain the WISP.
(b) Identify and assess reasonably foreseeable risks (internal and external).
(c) Develop security policies for keeping, accessing and transporting records.
(d) Impose disciplinary measures for violations of the program.
(e) Prevent access by terminated employees.
(f) Oversee service providers and contractually ensure compliance.
(g) Restrict physical access to records.
(h) Monitor security practices to ensure effectiveness and make changes if warranted.
(i) Review the program at least annually.
(j) Document responsive actions to breaches.
Comprehensive Information Security Program: Third Party Compliance
1. Taking reasonable steps to select and retain third-party service providers that are capable of maintaining appropriate security measures to protect such personal information consistent with these regulations and any applicable federal regulations; and
2. Requiring such third-party service providers by contract to implement and maintain such appropriate security measures for personal information.
Contracts entered into no later than March 1, 2010: two-year phase-in (conforming contract terms required by March 1, 2012). Contracts entered into after March 1, 2010: immediate compliance.
Comprehensive Information Security Program “INDUSTRY STANDARDS”
Breach Reporting G.L. c. 93H § 3
Breach Reporting Breach of security – “the unauthorized acquisition or unauthorized use of unencrypted data or, encrypted electronic data and the confidential process or key that is capable of compromising the security, confidentiality, or integrity of personal information, maintained by a person or agency that creates a substantial risk of identity theft or fraud against a resident of the commonwealth. A good faith but unauthorized acquisition of personal information by a person or agency, or employee or agent thereof, for the lawful purposes of such person or agency, is not a breach of security unless the personal information is used in an unauthorized manner or subject to further unauthorized disclosure.”
Breach Reporting: A person that merely maintains or stores personal information (but does not own or license it) must give notice of a breach of security, or of unauthorized use or acquisition, to the owner or licensor of the information. The owner or licensor must give notice of a breach of security, or of unauthorized use or acquisition, to the Attorney General, the Office of Consumer Affairs and Business Regulation, and the affected resident.
"The notice to the Attorney General and the Director of Consumer Affairs and Business Regulation shall include, but not be limited to: the nature of the breach of security or the unauthorized acquisition or use; the number of Massachusetts residents affected by such incident at the time of notification; and any steps the person or agency has taken or plans to take relating to the incident."
Sample Breach Notification Letter http://www.mass.gov/Cago/docs/Consumer/93h_sampleletter_ago.pdf
Breach Reporting: Stop. Be afraid. Call for help.
Computer System Security Requirements, 201 CMR 17.04
Electronic Requirements, 201 CMR 17.04:
- Secure user authentication protocols
- Secure access control measures
- Encryption of transmitted records (public networks and wireless)
- Monitoring of systems for unauthorized use of or access to personal information
- Encryption of personal information stored on laptops and portable devices
- Reasonably up-to-date firewall protection and operating system security patches
- System security agent software (anti-malware / anti-virus), kept current
- Employee education and IT security user awareness training
User Authentication Protocols
- Control of user IDs and other identifiers
- A reasonably secure method of assigning and selecting passwords
- Secure or encrypted storage of password files, so the file itself does not give away the passwords
- Restrict access to active users and active accounts
- Block access to a user ID after multiple unsuccessful login attempts
Examples: passwords should be at least 9 characters, alphanumeric with special characters; after 3 failed login attempts the account is blocked.
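As an added example (not from the presentation, and not any product's code), the following Python sketch implements the three controls on this slide together: the 9-character alphanumeric-plus-special policy, a salted and deliberately slow PBKDF2-HMAC-SHA256 password file so that a stolen file yields no passwords, and a three-strikes lockout that also gives unknown user IDs the same timing and answer as a wrong password. The `UserStore` class, the iteration count and the sample passwords are my assumptions for illustration.

```python
"""Added illustration of the 201 CMR 17.04(1) authentication controls.

Constructed for this page; the class and thresholds are assumptions, not
anything the regulation or the presentation prescribes verbatim.
"""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

MIN_LENGTH = 9               # slide's example: at least 9 characters
MAX_FAILURES = 3             # slide's example: blocked after 3 attempts
PBKDF2_ITERATIONS = 600_000  # deliberately slow work factor for PBKDF2-HMAC-SHA256


def password_meets_policy(pw: str) -> bool:
    """Length >= 9, with letters, digits and at least one special character."""
    if len(pw) < MIN_LENGTH:
        return False
    has_alpha = re.search(r"[A-Za-z]", pw) is not None
    has_digit = re.search(r"[0-9]", pw) is not None
    has_special = re.search(r"[^A-Za-z0-9]", pw) is not None
    return has_alpha and has_digit and has_special


def hash_password(pw: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256: the stored file never contains the password itself."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


@dataclass
class Account:
    user_id: str
    salt: bytes
    digest: bytes
    failures: int = 0
    locked: bool = False


class UserStore:
    """Minimal account store with policy enforcement and lockout (hypothetical)."""

    def __init__(self) -> None:
        self._accounts: Dict[str, Account] = {}

    def create(self, user_id: str, pw: str) -> None:
        if not password_meets_policy(pw):
            raise ValueError("password does not meet the 9-char/alphanumeric/special policy")
        salt, digest = hash_password(pw)
        self._accounts[user_id] = Account(user_id, salt, digest)

    def authenticate(self, user_id: str, pw: str) -> str:
        """Return 'ok', 'denied' or 'locked'. Unknown users look like bad passwords."""
        acct = self._accounts.get(user_id)
        if acct is None:
            hash_password(pw, b"\x00" * 16)   # spend the same time as a real check
            return "denied"
        if acct.locked:
            return "locked"                   # a locked ID is not re-verified, even with the right password
        _, candidate = hash_password(pw, acct.salt)
        if hmac.compare_digest(candidate, acct.digest):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked = True
            return "locked"
        return "denied"

    def is_locked(self, user_id: str) -> bool:
        acct = self._accounts.get(user_id)
        return acct is not None and acct.locked

    def unlock(self, user_id: str) -> None:
        """Administrative reset after the lockout has been reviewed."""
        acct = self._accounts[user_id]
        acct.failures = 0
        acct.locked = False


if __name__ == "__main__":
    store = UserStore()
    store.create("alice", "Correct-Horse-9")
    for attempt in ("wrong-1", "wrong-2", "wrong-3", "Correct-Horse-9"):
        print(attempt, "->", store.authenticate("alice", attempt))
```

The lockout counter is reset only by a successful login or an administrative unlock, and the lockout check runs before the hash is verified, so an attacker who has the right password but a locked account still gets "locked" rather than confirmation that the password was correct.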
Secure Access Control Measures
- Permit access to personal information on a need-to-know basis: only those who need it to perform their job duties.
- Password-protect accounts, and use the login identity to determine the level of access.
- Example: network access control (NAC) software/hardware, such as Consentry or Sophos.
- Audit controls: who is accessing what, and when?
Encryption of Transmitted Records
- Encryption of personal information that travels across a public network (tunneling options such as a VPN).
- Consider faxes, VoIP and phone calls as transmission paths too.
- Encryption of personal information on wireless links: Bluetooth and Wi-Fi. WEP appears on many wireless networks but has been cryptographically broken since 2001 and should not be counted on as "encryption"; wireless segments carrying personal information should use WPA2 or a VPN over the wireless link.
- The regulation's definition of encryption is very broad.
- Examples: PGP and Utimaco are encryption technologies.
Monitoring of Systems
- Systems must be reasonably monitored for unauthorized use of, or access to, personal information.
- Some existing account-based systems already generate the needed logs and will comply.
- Examples: again, network access control; audit controls (access logs actually reviewed for accounts and access patterns that should not be there).
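The monitoring slide, the "who is accessing what, and when" audit point on the access control slide, and item (e) of the WISP (prevent access by terminated employees) all come down to the same operational task: reviewing access logs against the roster. As an added example (not from the presentation or any product), this Python sketch runs four checks over a constructed access log: accounts not on the roster, accounts used after their termination date, reads outside the account's need-to-know data classes, and a burst of reads that looks like bulk extraction. The roster, role table, log format, data-class convention and thresholds are all assumptions made up for the example.

```python
"""Added illustration of audit-log review for 201 CMR 17.04(4) monitoring.

The roster, role table and log lines are constructed for this page; the
log format and rule thresholds are assumptions, not any product's format.
"""
import re
from collections import defaultdict, deque
from datetime import date, datetime, timedelta
from typing import Deque, Dict, Iterable, List, Optional, Tuple

# Constructed roster: role per account and termination date, if any.
ROSTER: Dict[str, dict] = {
    "jsmith": {"role": "hr", "terminated": None},
    "bjones": {"role": "sales", "terminated": None},
    "mlee": {"role": "hr", "terminated": date(2010, 4, 15)},
}
# Constructed need-to-know table: which data classes each role may read.
ROLE_ACCESS: Dict[str, set] = {"hr": {"hr", "payroll"}, "sales": {"crm"}}

# Constructed access log; a resource's first path segment is its data class.
SAMPLE_LOG: List[str] = [
    "2010-04-20T09:15:02 user=jsmith action=read resource=payroll/2010-04.csv status=success",
    "2010-04-20T09:16:40 user=bjones action=read resource=crm/accounts.csv status=success",
    "2010-04-20T09:17:05 user=bjones action=read resource=payroll/2010-04.csv status=success",
    "2010-04-20T22:03:11 user=mlee action=read resource=hr/ssn_list.csv status=success",
    "2010-04-20T22:04:00 user=ghost action=read resource=hr/ssn_list.csv status=success",
] + [
    f"2010-04-20T23:00:0{i} user=jsmith action=read resource=payroll/emp_000{i}.csv status=success"
    for i in range(5)
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"resource=(?P<resource>\S+) status=(?P<status>\S+)$"
)

Finding = Tuple[Optional[datetime], str, str]   # (time, rule, detail)


def parse_line(line: str) -> Optional[dict]:
    """Parse one constructed log line; None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def review(lines: Iterable[str], roster: Dict[str, dict], role_access: Dict[str, set],
           bulk_threshold: int = 5, window: timedelta = timedelta(seconds=60)) -> List[Finding]:
    """Return findings for unknown, terminated, out-of-role and bulk access."""
    findings: List[Finding] = []
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            findings.append((None, "unparseable", line.strip()))
            continue
        user, ts = ev["user"], ev["ts"]
        entry = roster.get(user)
        if entry is None:                                   # 17.04(1)(d): active accounts only
            findings.append((ts, "unknown-account", user))
            continue
        if entry["terminated"] is not None and ts.date() >= entry["terminated"]:
            findings.append((ts, "terminated-account", user))           # 17.03(2)(e)
        data_class = ev["resource"].split("/", 1)[0]
        if data_class not in role_access.get(entry["role"], set()):
            findings.append((ts, "need-to-know", f"{user} -> {ev['resource']}"))  # 17.04(2)(a)
        if ev["action"] == "read" and ev["status"] == "success":
            q = recent[user]                                # successful reads inside the window
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()
            if len(q) == bulk_threshold:                    # fires when the count reaches the threshold
                findings.append((ts, "bulk-access", f"{user}: {len(q)} reads in {window.seconds}s"))
    return findings


if __name__ == "__main__":
    for ts, rule, detail in review(SAMPLE_LOG, ROSTER, ROLE_ACCESS):
        print(ts, rule, detail)
```

On the constructed log this produces exactly one finding of each kind: bjones reading payroll data from a sales role, mlee's account in use five days after termination, an unknown account "ghost", and jsmith's five payroll reads inside four seconds. The terminated-account rule is the log-side complement to disabling the account: if the roster says the person left and the log still shows the ID in use, either offboarding failed or someone else has the credentials.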
Laptop and Mobile Device Encryption
- Encryption of personal information stored on laptops, wherever the laptop is located.
- Encryption of personal information stored on other portable ("mobile") devices.
- Does incoming email become a problem? The encryption requirement covers personal information "in motion" across public networks. Ordinary email is transmitted in clear text unless both ends use TLS or the message itself is encrypted, so personal information sent by plain email over the internet can be read in transit.
Security Patches and Firewalls
- "Reasonably up-to-date firewall protection and operating system security patches" for computers connected to the Internet.
- Keep operating systems current.
- All organizations should have a firewall in place (a stateful firewall, not just a NAT router).
- An outside organization can be hired to update and manage the security infrastructure: firewall, anti-virus, patches, and so on.
Systems Security Agent Software
- Malware is what is infecting most environments, and it arrives over HTTP and HTTPS traffic. Your users are your worst enemy.
- Products to look at for malware: TrendMicro, Websense, Webwasher.
- Anti-malware technology is required, and it must be set to receive automatic updates of patches and virus definitions.
- Are certain products better? What about Macs or Linux? The regulation is written in terms of keeping the protection current, not in terms of platform; it does not carve out any operating system.
Employee Education and IT Security Training
- Proper training on all IT security policies, user awareness, the importance of protecting personal information, and proper use of the computer. Everyone is involved.
- Your employees are the weakest link in any IT security program. They need to know the rules.
- Suggestions: stand-up training, newsletters, programs, online training.
The Approach
- Inventory what personal information is being kept, and where.
- Assess risk.
- Plan the information security strategy: data security, confidentiality, integrity; IT infrastructure and information change processes.
- Implement the plan and policies: technology deployment, policy implementation, user awareness.
- Continual review.
Security is all about vigilance. Compliance is knowing what you need to protect, building a fortress around it, and testing it on a frequent basis.
Data Destruction G.L. c. 93I
Data Destruction (93I): Paper documents must be redacted, burned, pulverized or shredded, and electronic media must be destroyed or erased, so that personal information cannot practicably be read or reconstructed.

Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 

Recently uploaded (20)

08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
The transition to renewables in India.pdf
The transition to renewables in India.pdfThe transition to renewables in India.pdf
The transition to renewables in India.pdf
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 

Privacy update 04.29.2010

  • 1. Privacy Law Update: Red Flags, HITECH & the New Massachusetts Data Privacy Regulations Stephen E. Meltzer, Esquire, CIPP
  • 13. Individual Patient Rights Individuals are entitled to copies of their health information in electronic format from any health plan or health care provider that uses or maintains electronic health records. An individual will be able to direct the health plan or health care provider to transmit the copy directly to anyone he or she designates. Fees for providing this service must not be greater than the entity’s labor costs. 42 USC 17935(e).
  • 14. Authorization The HITECH Act will prohibit a health plan, health care provider, or business associate from receiving payment for an individual’s protected health information without authorization from the individual. 42 USC §17935(d).
  • 15. New Penalties Increased Civil Penalties ARRA creates the following "tiers" of penalties: A violation without knowledge of the violation - $100 per violation, with an annual maximum amount of $25,000 in penalties. A violation that is due to reasonable cause - $1,000 per violation, with an annual maximum amount of $100,000 in penalties. A violation that is due to willful neglect - $10,000 per violation, with an annual maximum amount of $1,500,000 in penalties.
  • 16. New Enforcement State Attorneys General now have the authority to file suit in federal court against any person or entity that is accused of violating HIPAA in a manner that the Attorney General has reason to believe adversely affected any resident of that Attorney General's respective state.
  • 17. RED FLAGS June 1, 2010
  • 18. Red Flags – Who Must Comply? The Red Flags Rules apply to “financial institutions” and “creditors” with “covered accounts.”
  • 19. Red Flags – Financial Institutions State or national bank, a state or federal savings and loan association, a mutual savings bank, a state or federal credit union, or any other entity that holds a “transaction account” belonging to a consumer. Most of these institutions are regulated by the Federal bank regulatory agencies and the NCUA. Financial institutions under the FTC’s jurisdiction include state-chartered credit unions and certain other entities that hold consumer transaction accounts.
  • 20. Red Flags – Transaction Account A transaction account is a deposit or other account from which the owner makes payments or transfers. Transaction accounts include checking accounts, negotiable order of withdrawal accounts, savings deposits subject to automatic transfers, and share draft accounts.
  • 21. Red Flags - Creditor Any entity that regularly extends, renews, or continues credit; any entity that regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who is involved in the decision to extend, renew, or continue credit. Accepting credit cards as a form of payment does not in and of itself make an entity a creditor. Creditors include finance companies, automobile dealers, mortgage brokers, utility companies, and telecommunications companies. Where non-profit and government entities defer payment for goods or services, they, too, are to be considered creditors. 
  • 22. Red Flags – Covered Account An account used mostly for personal, family, or household purposes, and that involves multiple payments or transactions. Covered accounts include credit card accounts, mortgage loans, automobile loans, margin accounts, cell phone accounts, utility accounts, checking accounts, and savings accounts. A covered account is also an account for which there is a foreseeable risk of identity theft – for example, small business or sole proprietorship accounts
  • 23. Red Flags – Exempt? Only lawyers. The FTC has filed a Notice of Appeal. Judge Walton is reported to have questioned whether the term could be interpreted so broadly as to render a plumber who bills a customer after performing his work a "creditor" within the meaning of the Rule. CPAs have filed a lawsuit.
  • 24. Red Flags - Requirements Develop a written program that identifies and detects the relevant warning signs – or “red flags” – of identity theft. These may include, for example, unusual account activity, fraud alerts on a consumer report, or attempted use of suspicious account application documents. The program must also describe appropriate responses that would prevent and mitigate the crime and detail a plan to update the program. The program must be managed by the Board of Directors or senior employees of the financial institution or creditor, include appropriate staff training, and provide for oversight of any service providers.
  • 25. Red Flags – Requirements – suggested “Starting Points” alerts, notifications, or warnings from a consumer reporting agency; suspicious documents; suspicious personally identifying information, such as a suspicious address; unusual use of – or suspicious activity relating to – a covered account; and notices from customers, victims of identity theft, law enforcement authorities, or other businesses about possible identity theft in connection with covered accounts.
  • 28. 201 CMR 17.00 Massachusetts Data Privacy Regulations Effective March 1, 2010.
  • 29. New Mandate: PI = PI Personal Information = Privacy Infrastructure
  • 32. Scope of Rules Covers ALL PERSONS that own or license personal information about a Massachusetts resident Need not have operations in Massachusetts Financial institutions, health care and other regulated entities not exempt
  • 33. Scope of Rules “Personal information” Resident’s first and last name or first initial and last name in combination with SSN Driver’s license or State ID, or Financial account number or credit/debit card that would permit access to a financial account
  • 34. Three Requirements 1. Develop, implement and maintain a comprehensive, written information security program that meets very specific requirements (cWISP) 2. Heightened information security meeting specific computer information security requirements 3. Vendor compliance (phase-in)
  • 35. Evaluating Compliance (not Evaluating Applicability) Appropriate Size of business Scope of business Type of business Resources available Amount of data stored Need for security and confidentiality Consumer and employee information
  • 36. Evaluating Compliance(not Evaluating Applicability) “The safeguards contained in such program must be consistent with the safeguards for protection of personal information and information of a similar character set forth in any state or federal regulations by which the person who owns or licenses such information may be regulated.”
  • 37. Enforcement Litigation and enforcement by the Massachusetts Attorney General Massachusetts law requires notice to Attorney General of any breach, in addition to affected consumers Attorney General likely to investigate based on breach reports No explicit private right of action or penalties
  • 39. Information Security Program “[D]evelop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards”
  • 40. Comprehensive Information Security Program 201 CMR 17.03 (2)(a) through (j) a. Designate b. Identify c. Develop d. Impose e. Prevent f. Oversee g. Restrict h. Monitor i. Review j. Document
  • 41. Comprehensive Information Security Program (a) Designate an employee to maintain the WISP. (b) Identify and assess reasonably foreseeable risks (Internal and external). (c) Develop security policies for keeping, accessing and transporting records. (d) Impose disciplinary measures for violations of the program. (e) Prevent access by terminated employees. (f) Oversee service providers and contractually ensure compliance. (g) Restrict physical access to records. (h) Monitor security practices to ensure effectiveness and make changes if warranted. (i) Review the program at least annually. (j) Document responsive actions to breaches.
  • 42. Comprehensive Information Security Program Third Party Compliance 1. Taking reasonable steps to select and retain third-party service providers that are capable of maintaining appropriate security measures to protect such personal information consistent with these regulations and any applicable federal regulations; and 2. Requiring such third-party service providers by contract to implement and maintain such appropriate security measures for personal information
  • 43. Comprehensive Information Security Program Third Party Compliance Contracts entered “no later than” March 1, 2010: Two-year phase-in. Contracts entered into “later than” March 1, 2010: Immediate compliance.
  • 44. Comprehensive Information Security Program “INDUSTRY STANDARDS”
  • 45. Breach Reporting G.L. c. 93H § 3
  • 46. Breach Reporting Breach of security – “the unauthorized acquisition or unauthorized use of unencrypted data or, encrypted electronic data and the confidential process or key that is capable of compromising the security, confidentiality, or integrity of personal information, maintained by a person or agency that creates a substantial risk of identity theft or fraud against a resident of the commonwealth. A good faith but unauthorized acquisition of personal information by a person or agency, or employee or agent thereof, for the lawful purposes of such person or agency, is not a breach of security unless the personal information is used in an unauthorized manner or subject to further unauthorized disclosure.”
  • 47. Breach Reporting Possessor must give notice of Breach of Security Unauthorized Use or Acquisition To Owner/Licensor of Information Owner/Licensor must give notice of Breach of Security Unauthorized Use or Acquisition To – Attorney General Office of Consumer Affairs Resident
  • 48. Breach Reporting “The notice to the Attorney General and the Director of Consumer Affairs and Business Regulation shall include, but not be limited to: the nature of the breach of security or the unauthorized acquisition or use; the number of Massachusetts residents affected by such incident at the time of notification; and any steps the person or agency has taken or plans to take relating to the incident.”
  • 49. Sample Breach Notification Letter http://www.mass.gov/Cago/docs/Consumer/93h_sampleletter_ago.pdf
  • 50. Breach Reporting Stop Be afraid Call for help
  • 55. IT Security User awareness Use authentication protocols Secure access controls Encryption of transmittable records Monitoring of systems
  • 56. User Authentication Protocols Control of user IDs Secure password selection Secure or encrypted password files User accounts blocked for unusual logon attempts Examples: Passwords should be at least 9 characters, alphanumeric with special characters After 3 failed login attempts, users are blocked from access
  • 57. Secure Access Control Measures Permit “access” on a need to know basis Password protect account and login to determine level of access Example: Network Access Control Software/Hardware Consentry Sophos Audit control who is accessing what and when?
  • 58. Encryption of Transmitted Records Encryption of personal information accessed over a public network Tunneling options (VPN) Faxes, VOIP, phone calls Encryption of PI on wireless Bluetooth, WEP, Wifi Encryption definition is very broad Examples: PGP and Utimaco are encryption technologies
  • 59. Monitoring of Systems Require systems to detect unauthorized use of, or access to, personal information Some existing user-account-based systems will already comply Examples: Again, Network Access Control Audit controls
  • 60. Laptop and Mobile Device Encryption Encryption of PI stored on laptops Applies regardless of laptop location Encryption of PI stored on “mobile” devices Does incoming email become a problem? This applies only if you have personal information in motion. Email is clear text, so anyone can read anyone's email on the internet.
  • 61. Security Patches and Firewalls “Reasonably up-to-date firewall protection and operating systems patches” for Internet connected computers Date on operating systems All organizations should have a firewall in place (not a router a firewall) Can hire an organization to update and manage the security infrastructure: Firewall Anti-virus Patches…
  • 62. Systems Security Agent Software Malware is what is infecting most environments. HTTP and HTTPS traffic. Your users are your worst enemy Products to look at for Malware TrendMicro Websense Webwasher Anti-malware technology required Are certain products better? What about Macs or Linux? Set to receive auto-updates
  • 63. Employee Education and IT Security Training Proper training on all IT security policies User awareness Importance of PI security Proper use of the computer Everyone is involved Your employees are your weakest link in any IT security program. They need to know the rules. Suggestions: Stand-up training Newsletters Programs Online training
  • 64. The Approach Inventory what type of personal information is being kept Assess risk Plan information security strategy Data security, confidentiality, integrity IT infrastructure and information change processes Implement plan and policies Technology deployment Policy implementation User awareness Continual review Security is all about vigilance… Compliance is knowing what you need to protect, building a fortress around it and testing it on a frequent basis!
  • 66. Data Destruction (93I) Paper documents/ electronic Media: Redact, Burn, Pulverize, Shred So that Personal Information cannot be read or reconstructed
  • 67. Data Destruction (93I) Violations: Attorney General: Unfair and Deceptive Practices remedies - 93H Civil Fine-$100/data subject not to exceed $50,000/instance – 93I
  • 68. What To Do Now
  • 69. Thank You Meltzer Law Offices http://www.meltzerlaw.com 508.872-0000
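The "Scope of Rules" slide defines personal information as a resident's name combined with an SSN, driver's license or state ID number, or a financial account or card number, and "The Approach" slide makes inventorying that data the first step. The following is an added example, not the presenter's code, of a small data-inventory check that applies that definition to records; the field names (`name`, `ssn`, `drivers_license`, `card_number`, `bank_account`) and the sample records are constructed for illustration, and a card number is only counted when it passes a Luhn check so that random digit strings are not flagged.

```python
"""Data-inventory check built on the deck's definition of 'personal information'
(201 CMR 17.02 as summarised on the 'Scope of Rules' slide): a Massachusetts
resident's first name or initial plus last name, combined with an SSN, a driver's
license or state ID number, or a financial account / credit / debit card number.
Added example, not the presenter's code; field names and sample records are
constructed for illustration."""
import re

# SSN with or without dashes (assumed input format)
SSN_RE = re.compile(r"^\d{3}-?\d{2}-?\d{4}$")
# "First Last" or "F. Last"; the regulation counts a first initial as enough
NAME_RE = re.compile(r"^(?:[A-Za-z][A-Za-z'-]*|[A-Za-z]\.?)\s+[A-Za-z][A-Za-z'-]+$")


def luhn_valid(number: str) -> bool:
    """Luhn check used to tell a plausible card number from a random digit string."""
    digits = [int(c) for c in number if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def pi_elements(record: dict) -> list:
    """Return the data elements that make this record 'personal information',
    or an empty list if the name-plus-identifier combination is not present."""
    if not NAME_RE.match(record.get("name", "").strip()):
        return []                # without a name the identifiers alone are out of scope
    found = []
    if SSN_RE.match(record.get("ssn", "")):
        found.append("ssn")
    if record.get("drivers_license"):   # any non-empty value counts; formats vary by state
        found.append("drivers_license")
    if luhn_valid(record.get("card_number", "")):
        found.append("card_number")
    if record.get("bank_account"):
        found.append("bank_account")
    return found


def is_personal_information(record: dict) -> bool:
    return bool(pi_elements(record))


def in_scope(records: list) -> dict:
    """Map record id -> triggering elements, for the 'Inventory' step of the deck."""
    result = {}
    for r in records:
        elems = pi_elements(r)
        if elems:
            result[r["id"]] = elems
    return result


# Constructed sample records (no real people)
SAMPLE_RECORDS = [
    {"id": "r1", "name": "Jane Doe", "ssn": "123-45-6789"},
    {"id": "r2", "name": "J. Doe", "card_number": "4111 1111 1111 1111"},
    {"id": "r3", "name": "Jane Doe", "card_number": "4111 1111 1111 1112"},  # fails Luhn
    {"id": "r4", "ssn": "123-45-6789"},                                      # no name
    {"id": "r5", "name": "Jane Doe", "email": "jane@example.com"},           # no identifier
]

if __name__ == "__main__":
    for rid, elems in in_scope(SAMPLE_RECORDS).items():
        print(rid, elems)
```

Records r1 and r2 are in scope; r4 shows that an SSN without a name does not meet the definition, and r5 shows that a name with only an e-mail address does not either. In practice the same check would be run against column samples from each database and file share as part of the inventory, and the elements it reports feed the risk assessment step.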
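The "User Authentication Protocols" slide gives two concrete settings: passwords of at least 9 characters mixing letters, digits and special characters, and blocking the account after 3 failed login attempts, with password files kept secure or encrypted. The following is an added example, not the presenter's code, showing those controls together: the policy check, a salted PBKDF2 hash so the password file never holds clear-text passwords, and a lockout counter. The in-memory `UserStore`, the iteration count and the `unlock` administrator reset are assumptions made for the example.

```python
"""User-authentication controls from the deck's 201 CMR 17.04 slides: passwords of
at least 9 characters mixing letters, digits and special characters, and blocking the
account after 3 failed login attempts. Added example, not the presenter's code; the
in-memory store and the PBKDF2 parameters are assumptions chosen for the example."""
import hashlib
import hmac
import os
import string

MIN_LENGTH = 9             # slide: at least 9 characters
MAX_FAILED = 3             # slide: block after 3 attempts
KDF_ITERATIONS = 100_000   # assumed; tune for the hardware in use


def password_meets_policy(pw: str) -> bool:
    """Alphanumeric plus at least one special character, 9+ characters."""
    return (
        len(pw) >= MIN_LENGTH
        and any(c.isalpha() for c in pw)
        and any(c.isdigit() for c in pw)
        and any(c in string.punctuation for c in pw)
    )


def derive_key(pw: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so the stored password file is 'secure or encrypted'."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, KDF_ITERATIONS)


class UserStore:
    def __init__(self):
        self._users = {}   # user id -> {"salt", "hash", "failed", "locked"}

    def add_user(self, user_id: str, pw: str) -> None:
        if not password_meets_policy(pw):
            raise ValueError("password does not meet policy")
        salt = os.urandom(16)
        self._users[user_id] = {"salt": salt, "hash": derive_key(pw, salt),
                                "failed": 0, "locked": False}

    def login(self, user_id: str, pw: str) -> str:
        """Return 'ok', 'denied' or 'locked'."""
        rec = self._users.get(user_id)
        if rec is None:
            derive_key(pw, b"\x00" * 16)   # same cost for unknown users, so timing does not reveal valid ids
            return "denied"
        if rec["locked"]:
            return "locked"                # refused even with the right password
        if hmac.compare_digest(derive_key(pw, rec["salt"]), rec["hash"]):
            rec["failed"] = 0
            return "ok"
        rec["failed"] += 1
        if rec["failed"] >= MAX_FAILED:
            rec["locked"] = True
            return "locked"
        return "denied"

    def unlock(self, user_id: str) -> None:
        """Administrator reset after the lockout has been reviewed."""
        rec = self._users[user_id]
        rec["failed"], rec["locked"] = 0, False


def lockout_demo() -> list:
    """Three wrong passwords, then the right one, then an admin unlock; returns the results."""
    store = UserStore()
    store.add_user("alice", "Tr0ub4dor&3x")   # constructed sample credential
    results = [store.login("alice", "wrong-guess-1"),
               store.login("alice", "wrong-guess-2"),
               store.login("alice", "wrong-guess-3"),
               store.login("alice", "Tr0ub4dor&3x")]
    store.unlock("alice")
    results.append(store.login("alice", "Tr0ub4dor&3x"))
    return results


if __name__ == "__main__":
    print(lockout_demo())
```

The lockout applies to the account, not to the source address, which is what the slide's "blocked for unusual logon attempts" requires; a production system would also log each failed attempt and lockout so that the monitoring requirement on the "Monitoring of Systems" slide is satisfied by the same event stream.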