Recent Developments in U.S. Law: Privacy and Information Technology Health

Transcription

1 Recent Developments in U.S. Law: Privacy and Information Technology Health Amyt M. Eckstein Moses & Singer LLP 405 Lexington Avenue New York, NY (212)

2 What Does Privacy Mean? The term "privacy" has different meanings in different contexts. In a business context, the term privacy generally means the legal protections given to certain pieces of data belonging to human beings. The rise of criminal identity theft has been a significant factor in the increase of data protection laws in the U.S. and around the world. 2

3 What Laws Govern Privacy? Medical information is protected by federal law ("HIPAA") as well as similar laws enacted in each state. The Health Information Technology for Economic and Clinical Health Act ( HITECH Act ) creates security breach notification requirements. Information transmitted over the Internet is protected by the Federal Trade Commission ( FTC ) Regulations and Guidelines. Children Online Privacy Protections Act ( COPPA ) governs online content accessible by those under 13. Banking account and credit or debit card information is protected by laws in each state, Gramm-Leach Bliley ( GLB ). State Laws 47 states have breach notification laws 3

4 What Kinds of Information Should We Protect? As a matter of legal compliance and best practices, we should protect any information about a customer/client that is personal to that individual, particularly if the information that is misused or wrongfully disclosed could result in reputational or financial harm. 4

5 The Privacy Rule (HIPAA) The Heath Information Portability and Accountability Act HIPAA is a federal law that was enacted in 1996 to protect an individual s health information Regulates how private health information can be used and disclosed 5

6 Who has to comply with HIPAA? Certain entities and persons (covered entities) Business Associates and their subcontractors (per HITECH) 6

7 Why was HIPAA enacted? Individuals private medical information was being released without authorization. In Tampa, Florida, a disgruntled public health worker sent the names of more than 4,000 people who tested positive for HIV to two newspapers. Employees of companies had been fired without cause when their employers had discovered that these employees have a potentially expensive medical condition. Medical doctors had sold their patient lists to marketing and pharmaceutical companies without patient permission, thereby allowing this information to be easily accessed to the general public. 7

8 What kind of information does HIPAA protect? HIPAA imposes restrictions on the use and disclosure of protected health information ( PHI ) and outlines patients' rights, namely, the right to have access to their records, the ability to amend those records, the right to receive an accounting of disclosures, the right to limit the use and disclosure of the records, and the right to receive responses to their requests pertaining to their rights. Can only access, use and disclose PHI as permitted by law or with patient authorization. While a person's name is a clear example of data that identifies an individual, there are many types of information that may reasonably identify an individual. For example, addresses and telephone numbers, passport or green card numbers, insurance policy numbers, etc. When any of these "identifiers" are combined with either information about an individual's health status/condition or information about payment for health care services for the individual, then all of the information is considered PHI. 8

9 What do entities need to do to comply with HIPAA? Implement policies/procedures to Restrict access, use and disclosure of PHI Ensure PHI is secure through administrative, physical and technical safeguards (workforce training, workstation security, audits) Contracts with business associates contain same protections Issue with outsourcing 9

10 Example of Recent HIPAA Enforcement Accretive Health national debt collection co. Minnesota Attorney General brought suit alleging that Accretive was mining, analyzing and using data for purposes not disclosed to patients and which might adversely affect patient access to care. Suit stemmed from a laptop stolen from an Accretive employee that contained patient records. Suit is the first major HIPAA enforcement action by a state attorney general against a business associate (Accretive is a BA of a hospital chain). 10

11 Examples of Recent HIPAA Enforcement State of Alaska Department of Health & Human Services Reached $1.7M settlement with US HHS in First HIPAA enforcement action taken by HHS against a state agency. Breach resulted from theft of a portable electronic storage device potentially containing electronic protected health information ( ephi ) from the car of a DHSS computer technician in October

12 HIPAA Enforcement In 2009, CVS Pharmacy agreed to pay $2,250,000 penalty after an investigation reveals that CVS had not properly disposed of protected health information. In 2012 the Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates agreed to pay $1,500,000 for violations of privacy and security rules. In 2012, Blue Cross and Blue Shield of Tennessee agreed to pay $1,500,000 for violations of privacy and security rules. 12

13 HIPAA Enforcement WellPoint agrees to pay $1.7 million HIPAA penalty 2013 WellPoint serves nearly 36 million people through affiliated health plans. Between Oct. 2009, and March 2010, access to personal data for 613,000 people - names, dates of birth, addresses, Social Security numbers, telephone numbers and health information - was made available to unauthorized users as the result of online security vulnerability. HHS found that WellPoint did not enact appropriate administrative, technical and physical safeguards for data as required by HIPAA. 13

14 HIPPA Enforcement Wall of Shame In their initial report to OCR, WellPoint discloses 31,700 people were affected by the breach. That is posted on the OCR's public website, known as the Wall of Shame which the OCR is required to maintain Subsequent forensic analysis of the WellPoint breach determined that 612,404 individuals were affected - the number reported by the OCR the settlement agreement announcement. The Wall of Shame has 627 incidents posted since September These reported incidents each involve the exposure of records of Including the WellPoint breach approximately 22.8 million people records have been exposed. Since July 2008, under HIPAA, HHS has collected almost $17 million in penalties through resolution agreements. 14

15 HIPAA Changes 2013 New Rule effective March 2013, covered entities must comply by September 23, Strengthens privacy and security protections and improves enforcement Modifies breach notification rule Increases protection of genetic information as required by GINA (Genetic Information Nondiscrimination Act of 2008) Harmonizes rules 15

16 HIPAA Modifications effective September 2013 Business associates will be directly liable for compliance with certain HIPAA privacy and security requirements Strengthens PHI use and disclosure limitations Expands individuals rights to receive electronic copies of health information and to restrict disclosures to a health plan concerning treatment for which the individual has paid out of pocket in full, 16

17 HIPAA Modifications effective September 2013 Requires modifications to and redistribute of covered entity s notice of privacy practices. Modifies the individual authorization and other requirements to facilitate research and disclosure of child immunization to schools. Adopts HITECH s enhancements to enforcement rules re: willful neglect. Increases penalties and some definitions, e.g., harm. Prohibits most health plans from using genetic information for underwriting (from GINA). 17

18 HITECH Act Overview Mandates security breach notification for HIPAA covered entities and related entities. Makes Business Associates subject to many obligations that formerly only applied to covered entities. Enhances penalties for non-compliance with HIPAA. 18

19 HITECH Overview At the time of HITECH s passage, over 45 states had very similar security breach notification laws. So why did we need a federal standard? Most state security breach notification laws focus only on breaches of personal information and financial information. HITECH and its related regulations apply to breaches of health information. 19

20 Examples of a security breach A lost or stolen laptop, PDA, or flash drive that is used to store PHI. Faxing lab results to an incorrect number or person. Mailing medical record to the wrong address or person. A hacker breaks into company s electronic data storage system. 20

21 Security Breach Notification Under HITECH, a covered entity must, following the discovery of a breach of unsecured protected health information, notify each individual whose unsecured PHI has been or is reasonably believed by the covered entity to have been accessed, acquired, used or disclosed as a result of such breach. 21

22 Security Breach Notification A covered entity must notify all affected individuals within 60 days after discovery of a breach, provided that it meets the risk of harm threshold. A business associate of a covered entity must notify a covered entity of a breach no later than 60 days after discovery of a breach. The covered entity must then notify affected individuals. 22

23 Security Breach Notification Notice to affected individuals must contain brief descriptions of the occurrence of the breach and the types of information that were involved in the breach, steps that individuals should take to protect themselves, how the covered entity is mitigating harm and contact information. HHS must be notified of the breach within 60 days of discovery. If over 500 persons are affected in a given state, media of that state must be notified. 23

24 Security Breach Notification Encryption is key. The term unsecured PHI used in the definition of what constitutes unsecured and secured PHI means that PHI is not rendered unusable, unreadable or indecipherable to unauthorized individuals through the use of a technology or methodology specified by HHS, such as encryption. Encryption is not required by HIPAA, but a covered entity or business associate that experiences a breach of encrypted information is not required to provide notification to affected individuals. 24

25 Security Breach Notification The FTC issued a similar rule Very similar to HITECH, but applies to vendors of personal health records (PHRs), PHR-related entities and third party service providers. Such entities can be business associates in different contexts, so HHS rule can apply as well. These entities must notify the FTC (not HHS) with a form on the FTC website 60 days after beginning of following calendar year. If 500+ individuals are affected, FTC must be notified within 10 days of discovery and must notify state media. 25

26 Changes to Business Associate Obligations In addition to Business Associates responsibilities with respect to security breach notification, there are additional new obligations for Business Associates under HITECH. Covered entities and business associates should ensure that new obligations are covered in business associate agreements. 26

27 Changes to Business Associate Obligations Business Associates are now required to implement the safeguards set forth in HIPAA. Are directly subject to civil and criminal penalties if they violate HIPAA. Business associates must terminate business associate agreement or, if infeasible, notify HHS, if a covered entity fails to cure a material breach under such business associate agreement (e.g. impermissible disclosures of PHI). 27

28 Sale of PHI Prohibited Generally the sale of PHI is prohibited under HITECH unless a covered entity obtains a valid authorization from an individual that includes a specification of whether PHI can be further exchanged for remuneration by the entity receiving the PHI. Example: Individuals in Florida were charged with conspiring with an ambulance company worker to steal PHI of individuals transported by the ambulance company and selling the information to various Florida personal injury attorneys. 28

29 Recent HITECH Enforcement Action Blue Cross/Blue Shield of Tennessee recently agreed to pay the U.S. Department of Health and Human Services $1.5 million as a result of a 2009 data breach The case stemmed from the theft of 57 unencrypted computer hard drives from a former BlueCross call center in Tennessee. The drives contained the PHI of more than 1 million BlueCross customers, including names, Social Security numbers, diagnosis codes, dates of birth, and health plan ID numbers BC/BS ordered to pay and develop a corrective plan to address gaps in its privacy/security compliance plan 29

30 Penalties for Noncompliance HIPAA and HITECH breaches are made public on government websites Damages HIPAA/HITECH up to $1.5 Million plus up to $1.2 Million in criminal penalties May impose additional civil monetary penalties Reputational harm Cost of curing breach by stopping practice and creating/revising policies and procedures 30

31 Federal Trade Commission Under the FTC Act, the FTC actively pursues unfair and deceptive practices related to personal information Deceptive practices include a company s failure to follow or implement its own privacy policy to the detriment of consumers Unfair practices include a company s failure to adopt minimum level of security protection Companies must implement reasonable information security programs to protect consumer personal information 31

32 Definition of Personal Information An individual's name (either first and last name, or first initial and last name) and/or address/telephone number when combined with one or more of the following: Date of birth Social Security number Drivers license number Passport - Visa number Insurance policy number Banking information -routing and/or account numbers Credit - debit card information Health information Net worth information Adverse underwriting information Consumer credit information Log-in credentials for customer-accessible web sites Images of customer signatures 32

33 Federal Trade Commission Once a company has published its privacy policy, it is bound by the public statements made. Publishing a privacy policy exposes the company to prosecution if it fails to perform according to the representations made in the public privacy policy. If a privacy policy includes an opt-out button, company must remove the customer s data from any tracking software. 33

34 Federal Trade Commission Red Flags Rule Applies to financial institutions and creditors for consumer accounts Imposes an obligation on companies to develop an identity theft prevention program Identify relevant patters, practices and forms of activity which signal possible identity theft ( red flags ) Detect red flags Incorporate red flags into ID theft program Respond to detected red flags Update program to reflect changes in possible ID theft risks 34

35 FTC Enforcement Actions LinkedIn June 2012 Breach involved 6.5 million encrypted user passwords, which could allow hackers access to user personally identifiable information. Hacked passwords were posted to an online forum. How the breach occurred: LinkedIn used standard encryption to protect passwords easily decrypted. LinkedIn now uses Salted passwords, but should develop more sophisticated encryption techniques. Federal class action just filed alleging $5 Million in damages caused by the breach. 35

36 FTC Enforcement Actions Facebook Settled charges that it deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing their information to be shared and made public told users they could restrict sharing of data to limited audiences for example with "Friends Only." In fact, selecting "Friends Only" did not prevent their information from being shared with third-party applications their friends used claimed that when users deactivated or deleted their accounts, their photos and videos would be inaccessible. But Facebook allowed access to the content, even after users had deactivated or deleted their accounts. Settlement requires Facebook to comply with what it writes in its privacy policy and conduct regular audits. 36

37 FTC Enforcement Actions Wyndham Worldwide Corporation FTC filed suit against Wyndham and three of its subsidiaries for alleged data security failures that allowed hackers to steal credit card and other personal information from more than 600,000 customers, resulting in at least $10.6 million in fraudulent charges Complaint alleges that security failures led to fraudulent charges on consumers accounts, millions of dollars in fraud loss, and the export of hundreds of thousands of consumers payment card account information to an Internet domain address registered in Russia Action marked the first time FTC had sued a major company for failing to adequately secure customer information 37

38 Children s Online Privacy Protection Act ( COPPA ) Enforced by FTC Applies to web sites and online services: Which are directed at children under 13, OR Operator has actual knowledge that children under 13 are providing individually identifiable information, such as full name, home address, address, telephone number or any other information that would allow someone to identify or contact the child. 38

39 COPPA Requires each site to provide a clear and conspicuous notice of its privacy practices on its website. In addition, before it may collect, use, or disclose children's personal information, a company subject to COPPA must obtain verifiable parental consent. COPPA also defines how and to which extent, once the children s personally identifiable information has been collected, the company may use such information. 39

40 COPPA The statute applies when a company operates a website gathering information from consumers in the U.S., even if the website is located outside the U.S. As e-commerce grows, companies should take care to follow COPPA with active privacy policies and internal enforcement of those polices. 40

41 COPPA Amended Effective July 1, 2013 FTC amends COPPA to reflect behavioral advertising and expands definitions of who is covered by rule. Modifies definition of personal information (that cannot be collected without parental consent) to include geolocation information, photographs, videos, persistent identifiers. Persistent Identifiers are screen names, addresses, IP address, device IDs, that can be used to recognize (i.e., track) a user across different websites or online services. Closes loophole on kid-directed websites to collect personal information through third party plug-ins 41

42 COPPA Amended Effective July 1, 2013 The COPPA rule contains a safe harbor provision that allows industry groups and others to seek FTC approval of self regulatory guidelines Requires covered operators to adopt reasonable procedures for data retention and deletion Strengthens FTC oversight of self-regulatory safe harbor programs 42

43 COPPA Amended Effective July 1, 2013 Expands definitions to clarify that the whole ecosystem if affected by COPPA rules, if you collect personal information from kids under 13, you are now covered (broadly speaking), if you have actual knowledge. Can t ignore or intentionally not know. Plug-ins and ad networks now within the definition of operator but does not extend to platforms, i.e., App stores, when such platforms merely offer the public access to the child-directed apps. 43

44 COPPA Enforcement Actions W3 Innovations, Inc. First action against mobile phone app company FTC alleged that the apps violated COPPA by failing to provide notice on W3 s website of what information it collects from children, to provide clear and complete notice of its information practices directly to parents and to obtain parental consent prior to collecting, using or disclosing personal information from children W3 agreed to pay $50,000 and delete all personal information it had collected 44

45 State Laws Invasion of privacy under common law Unauthorized intrusion; Intrusion is offensive to a reasonable person; Intrusion relates to private matters; and Intrusion results in anguish or suffering 45

46 Recommendations Draft and implement privacy and security policies that address administrative, physical and technical safeguards. Make sure company can and does comply with what is in its policy. Privacy and security training programs. Communicate policies to customers. Agreements with business partners, contractors should contain same restrictions. 46

47 Questions? Amyt M. Eckstein Moses & Singer LLP Connect to me on LinkedIn Disclaimer: Viewing this PowerPoint or contacting Moses & Singer LLP regarding this presentation does not create or invite an attorney-client relationship. This presentation does not constitute legal advice or an opinion of Moses & Singer LLP or any member of the firm and may be rendered incorrect by future developments. It is recommended that it not be relied upon in connection with any dispute or other matter but that professional advice be sought. Attorney Advertising: Under the laws, rules or regulations of certain jurisdictions, this may be construed as an advertisement or solicitation. Copyright 2013 Moses & Singer LLP All Rights Reserved. 47