
1 U. S. Privacy and Security Laws DELVACCA INAUGURAL INHOUSE COUNSEL CONFERENCE April 1, 2009 Diana S. Hare Associate General Counsel Drexel University.


Slide 1: U.S. Privacy and Security Laws
DELVACCA INAUGURAL INHOUSE COUNSEL CONFERENCE, April 1, 2009
Diana S. Hare, Associate General Counsel, Drexel University College of Medicine, Diana.Hare@drexelmed.edu

Slide 2: U.S. Privacy and Security Laws – Contents
I. Disclaimer
II. Audience Participation
III. What’s Protected?
IV. Sources of Privacy & Security Obligations – Trends
V. What’s Loss, Liability, Breach? – Sanctions/Liability
VI. Lessons Learned
VII. Resources

Slide 3: I. DISCLAIMER
This presentation does not include every privacy and security law and regulation in the United States. Its purpose is to provide context, key principles and trends. Thank you!

Slide 4: II. Audience Participation
Who knows they are covered by the FTC Guidelines on protecting consumer information collected online?
Who knows they are covered by HIPAA because they have an employer-sponsored health plan?
Who knows they are covered by the Red Flags Rule? (And who knows what it is?)

Slide 5: II. Audience Participation
Who knows they are covered by state data breach notification acts other than Pennsylvania’s? By the new federal data breach notification act?
Who has not had employees or consultants lose the company’s customers’ personally identifying information, or access such data beyond their scope of authorization?

Slide 6: III. What’s Protected?
Identity
– Individually Identifiable Information
– Personal Information
– Education Record
– Name, social security number (cf. redacted to last 4), credit card number
– HIPAA has 18 Identifiers – down to stripping the Zip Code

Slide 7: III. What’s Protected?
Sensitive Information about a Person
– Drug and alcohol treatment
– HIV Status
– Genetic screening
– Children 13 or younger
– Privileged communications

Slide 8: III. What’s Protected?
Data “CIA” =
– Confidentiality
– Integrity
– Availability
Collection, Use and Disclosure
Informed Consent

Slide 9: IV. Sources of Privacy & Security Obligations
General Sources
U.S. Constitution – 4th Amendment; 14th Amendment; U.S. v. Griswold
Torts – Intrusion upon Seclusion; Invasion of Privacy
Privileges – Judicial Codes
– Accountant
– Psychologist – 42 PA C.S.A. § 5944
– Sexual Abuse Victim Counseling – 42 PA C.S.A. § 5945.1
– Attorney
– Physician

Slide 10: IV. Sources of Privacy & Security Obligations
Federal Laws and Regulations and Guidance:
U.S. Constitution – see above
Federal Privacy Act of 1974 – 5 U.S.C. §552a
FTC Consumer Online Privacy Principles 1998; Online Behavioral Advertising Principles 2009
FTC COPPA – Children’s Online Privacy Protection Rule – 16 C.F.R. 312

Slide 11: IV. Sources of Privacy & Security Obligations
HIPAA – Health Insurance Portability and Accountability Act of 1996 and Privacy and Security Rules, 45 CFR §§ 160, 162 and 164, as amended by the HITECH Act (see below)
GLB – Gramm-Leach-Bliley Act (Financial Modernization Act of 1999), 15 U.S.C. §6801 et seq., and Financial Privacy Rule 16 C.F.R. 313 and Financial Safeguards Rule 16 C.F.R. 314
Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99)

Slide 12: IV. Sources of Privacy & Security Obligations
FCRA – Fair Credit Reporting Act (15 U.S.C. 1681 et seq.); amended by FACT Act – Fair and Accurate Credit Transactions Act of 2003
– Section 114 – Identity Theft Prevention – Red Flags Rules – 16 C.F.R. 681
– Section 116 – Proper Disposal of Consumer Information – Disposal of Consumer Report Information and Records – 16 C.F.R. 682

Slide 13: IV. Sources of Privacy & Security Obligations
FDA – Research Data – Electronic Records and Signatures – “Part 11” – 21 C.F.R. 11

Slide 14: IV. Sources of Privacy & Security Obligations
ARRA – American Recovery and Reinvestment Act of 2009 (“Stimulus Bill”), February 17, 2009 (www.whitehouse.gov; http://frwebgate.access.gpo.gov/)
– HITECH Act – Health Information Technology for Economic and Clinical Health Act – Division A, Title XIII of ARRA, Subtitle D – Privacy – §§13400-13424 – Amends HIPAA, substantially increases penalties (now) and adds new Federal Data Breach Notification as to Protected Health Information

Slide 15: IV. Sources of Privacy & Security Obligations
State Laws:
More stringent state laws on protected health information supersede HIPAA – e.g.
– PA Confidentiality of HIV-Related Information Act (“Act 148”) 35 P.S. §7601 et seq.
Limit use of Social Security Numbers, e.g.
– PA Social Security Number Privacy Act – 71 P.S. § 2601 et seq.

Slide 16: IV. Sources of Privacy & Security Obligations
Data Breach Notification Acts –
– California and Massachusetts lead the trends
– PA – Breach of Personal Information Notification Act – 73 P.S. § 2301
– NJ – New Jersey Identity Theft Prevention Act – N.J.S.A. § 56:11-44 et seq. and new draft rules with comment period closed 2/13/09
– DEL – Computer Security Breaches – Title 6, Chapter 12B

Slide 17: IV. Sources of Privacy & Security Obligations
Torts – see above
Privileges – Judicial Codes (see above)

Slide 18: IV. Sources of Privacy & Security Obligations
Industry Standards – PCI – Payment Card Industry

Slide 19: IV. Sources of Privacy & Security Obligations
Key obligations shared:
– Risk assessment
– Administrative, Physical and Technical Safeguards
– Policies and Procedures
– Training
– Sanctions

Slide 20: – Trends in Privacy and Security Laws
Trends in Laws:
– Mandatory encryption
– Mandatory and prompt reporting of data breaches
– Increased penalties; enforcement
– Increased third party vendor oversight, liability
– Board level responsibility (e.g. Red Flags Rule)

Slide 21: – Trends in Privacy and Security
– Data breaches
– Increased Identity Theft
– Class Actions

Slide 22: V. What’s Loss, Liability, Breach?
– Unauthorized Access
– Loss that reasonably could lead to theft

Slide 23: – Sanctions/Liability for Violations: Examples
Laws:
– Section 5 of the FTC Act – unfair or deceptive acts
– States – “Baby FTC Acts”
– HIPAA (as amended by the HITECH Act)

Slide 24: – Sanctions/Liability for Violations: Enforcement Actions; Lawsuits:
– Providence Health – unencrypted tapes – OCR/CMS/HIPAA sanction; 1st monetary penalty ($100K)
– Treatment Assocs of Victoria – TX AG charge – unlawfully dumping client records in publicly accessible garbage; TX Identity Theft Act and Baby FTC Act
– Heartland Payment Systems, N.J. – (payment card processor); hacker; PCI standards; Class Action on behalf of affected financial institutions

Slide 25: – Sanctions/Liability for Violations: Enforcement Actions; Lawsuits:
– CVS – dumped prescription labels in dumpster. OCR and FTC joint enforcement: HIPAA Privacy Rule and FTC Act; $2.25 million; FTC 20 year monitoring.
– Premier Capital Lending – GLB Privacy and Security Rules; customer data. Mortgage broker gave access that was used improperly.
– Mortgage Broker Gregory Navone – consumer info into unsecured dumpster; FCRA Disposal Rule violation; charged with failure to implement training and exercise oversight of service providers.

Slide 26: VI. Privacy & Security – Lessons Learned
– Access is key; audit logs
– Audit/Assessment of Risks
– Effective Policies and Procedures
– Sanction employees
– Train employees
– It is internal employees and consultants with authorized access

Slide 27: VI. Privacy & Security – Lessons Learned
– Vendor management/Due diligence – not just contractual language required by HIPAA, GLB, Red Flag Rules, etc.
– Encryption
– Data Breach – Prepare
– Incident Reporting Team/Committee
– Mandatory Reporting
– Insurance

Slide 28: VII. Privacy & Security – Resources
Data breach remedial products:
– Credit monitoring products – negotiate contract (Experian)
– Debix
– Insurance coverage purchased (Data breach for one company cost $65K in postage alone!)

Slide 29: VII. Privacy & Security – Resources
– FTC.gov
– OCR Listserv (Office of Civil Rights – DHHS)
– CMS – HIPAA Security Rule
– NIST – National Institute of Standards and Technology, www.nist.gov; Computer Security Resource Center (http://csrc.nist.gov); (Draft) Guide to Protecting Confidentiality of Personally Identifiable Information – 1/13/09
– IAPP – www.privacyassociation.org

Slide 30: U.S. Privacy & Security Laws – Questions?
Diana S. Hare, Associate General Counsel, Drexel University College of Medicine, 215.255.7842, Diana.Hare@drexelmed.edu

