Practical Steps to Minimize Privacy Risks: Understanding The Intersection Between Information Management and Privacy Law Presented by Alexandria McCombs.

Presentation transcript:

Practical Steps to Minimize Privacy Risks: Understanding The Intersection Between Information Management and Privacy Law Presented by Alexandria McCombs Vice President & General Counsel Pinnacle Partners In Medicine Dallas, TX

Disclaimer

This presentation is intended to be an informative overview of statutes and regulations related to the protection of personal and corporate data. This should not be considered a comprehensive review of every law, rule and regulation applying to privacy and security.

Privacy and Security Risk Areas

• Identity Theft (an identity is stolen every 3 seconds)
• Data Breach
• Damage to Information Systems
• Credibility/Public Relations problems
• Class Action
• Federal Law violations
• State Law Violations

Commonly Applicable Laws

• Federal Privacy Act of 1974 – 5 U.S.C. §552a
• FTC Consumer Online Privacy Principles 1998; Online Behavioral Advertising Principles 2009
• FTC COPPA – Children’s Online Privacy Protection Rule – 16 C.F.R. 312
• HIPAA – Health Insurance Portability and Accountability Act of 1996 and Privacy and Security Rules, 45 C.F.R. §§ 160, 162 and 164, as amended by the HITECH Act (see below)
• GLB – Gramm-Leach-Bliley Act (Financial Modernization Act of 1999) 15 U.S.C. §6801 et seq., Financial Privacy Rule 16 C.F.R. 313 and Financial Safeguards Rule 16 C.F.R. 314
• Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 C.F.R. Part 99)

Commonly Applicable Laws (cont’d)

• FCRA – Fair Credit Reporting Act (15 U.S.C. et seq.); amended by FACT Act – Fair and Accurate Credit Transactions Act of 2003
▫Section 114 – Identity Theft Prevention – Red Flags Rules – 16 C.F.R. 681, enforced by the Federal Trade Commission
• FDA – Research Data – Electronic Records and Signatures – “Part 11” – 21 C.F.R. 11
• ARRA – American Recovery and Reinvestment Act of 2009 (“Stimulus Bill”), February 17, 2009
▫HITECH Act – Health Information Technology for Economic and Clinical Health Act – Division A, Title XIII of ARRA
▫Subtitle D – Privacy – §§ – Amends HIPAA, substantially increases penalties (now) and adds new Federal Data Breach Notification requirements as to Protected Health Information

State Law

In Texas, there are instances where state law is more stringent than the corresponding Federal laws. For instance, HIPAA requires that a covered entity provide an individual access to their own health records within 60 days of the written request, with provision for a 30-day extension if the records are held offsite. Texas requires access in 15 days regardless of where the records are stored.

Regulatory Update

FACTA – Fair & Accurate Credit Transactions Act (Red Flag Rules)
▫Originally was to be enforced November 1, 2008, but was delayed six months, primarily due to objections by the health care industry. Many felt that physicians and hospitals were not creditors. The FTC determined that these rules did indeed apply to health care organizations, and the enforcement date was set for May 1. On April 30, 2009, an additional 3-month delay was announced to allow more entities to complete the requirements.

Regulatory Update

The Red Flag Rules require “creditors” to have a written customer protection identity theft prevention plan for “covered accounts”.

What is a “Creditor”?
• The FTC applied the definition of “creditor” found in the Equal Credit Opportunity Act (ECOA): an entity “who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew, or continue credit”.
• This has been interpreted within the Red Flag Rules as any organization that does not collect full payment at the time of service.

Regulatory Update – Red Flag Rules (cont’d)

The FTC defined a “covered account” in the Final Rule as:
▫an account used mostly for personal, family, or household purposes, and that involves multiple payments or transactions. Covered accounts include credit card accounts, mortgage loans, automobile loans, margin accounts, cell phone accounts, utility accounts, checking accounts, and savings accounts. A covered account is also an account for which there is a foreseeable risk of identity theft – for example, small business or sole proprietorship accounts.

The customer protection program must include policies and procedures for:
▫(i) detecting warning signs or “Red Flags” of identity theft,
▫(ii) responding to any such Red Flags in a manner that will prevent or mitigate the identity theft, and
▫(iii) updating the Program.

The customer protection program must be managed by the Board of Directors, or by senior employees of the company if there is no Board of Directors.

Examples of Red Flags

• Photo doesn’t match person seeking service, i.e. different race, age, gender
• No home address, just P.O. Box or mail drop or pager/answering service
• Patient or customer complains he/she isn’t getting statements
• Complaints of getting bill for another person
• Customer or patient receiving these services
• Records do not appear to be accurate
• Recent change of address not corroborated

Regulatory Update – Changes to HIPAA from ARRA

American Recovery & Reinvestment Act of 2009 (Stimulus Bill)

Some significant changes affect “covered entities” and “business associates”.

Covered entities under HIPAA are:
▫a health care provider that conducts certain transactions in electronic form (called here a “covered health care provider”).
▫a health care clearinghouse.
▫a health plan. (All self-insured groups have a portion of their organization that falls under this definition. Normally it is the department or subsection of employees that deal with employee health insurance.)

Business Associates are:
▫an individual or corporate “person” that:
 – performs on behalf of the covered entity any function or activity involving the use or disclosure of protected health information, and
 – is not a member of the covered entity's workforce.

Regulatory Update – Changes to HIPAA from ARRA (cont’d)

Security Rule Provisions now apply to Business Associates
▫Business Associates will be treated in a similar manner as covered entities such as physicians and hospitals under this provision. Generally, business associates will now have to:
▫Establish administrative safeguards to protect electronic Protected Health Information (ePHI);
▫Implement technical safeguards for electronic information systems that control access to; and
▫Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of the HIPAA Security Rule, and maintain proper documentation.

Notification Requirement for Covered Entities and Business Associates
▫Covered entities and business associates that hold, use, or disclose “unsecured PHI” now have a legal duty to notify certain parties in the event of a breach. Currently, a covered entity is not required to notify individuals of privacy or security breaches unless the covered entity determines that such notification is necessary to mitigate damage to the individual immediately, and HHS will post information relating to the breach on its website.

Regulatory Update – Changes to HIPAA from ARRA (cont’d)

New Minimum Necessary Standard Coming in Fall 2009
▫Under HIPAA, the general rule is that if covered entities are using PHI for any purpose other than treatment, then covered entities must provide only the “minimum necessary” information to accomplish the purpose of the disclosure. The new law requires HHS to issue guidance on what constitutes “minimum necessary” within 18 months.

Significant Overhaul of Civil Monetary Penalties
▫The civil monetary penalties are significantly increased for violations. Currently, the amount of the penalty is generally $100 for each violation. This $100 amount (and its related cap of $25,000 for multiple violations) increases to:
 – $1,000 per violation for a violation due to “reasonable cause and not to willful neglect” (with a maximum penalty of $100,000);
 – $10,000 for each violation that was due to willful neglect and is corrected (subject to a $250,000 maximum penalty); and
 – $50,000 for each violation if the violation is not corrected properly (subject to a maximum penalty of $1,500,000 during a calendar year).
These changes are immediately effective (i.e., they are in effect today) and represent a dramatic increase in the penalties under HIPAA.

Looking ahead

In this environment of increased regulation and scrutiny, it will benefit organizations to pay close attention to the evolving laws and to train and prepare dedicated staff to address the multiple regulatory compliance issues.

Questions or Comments