Data Breach Notification: State and Federal Law Requirements

Donna Maassen, CHC, Director of Compliance, Extendicare Health Services, Inc.
Andrew G. Conkovich, CHC, Director of Regulatory Affairs & Compliance, University of Louisville Hospital

Offence
- Good news: compliance must be proactive
  - Information provides you the power to be on offence
- Unsung heroes: staff complaints allow you to address problems before escalation
- Cost avoidance: "Measuring cost avoidance is the only available measure that quantifies the impact of efforts to prevent program integrity risks instead of focusing on losses that have already taken place." (Kaiser Commission MIP Report, p. 25, June 2007)
Benefit to Bottom Line
- Compliance departments need to take credit for their efforts
- Board reporting
  - Include examples of compliance interventions and their financial impact
  - Cite initiatives where compliance has been the catalyst for change

Data Security: HIPAA Was Just the Beginning
- State breach statutes (our primary focus)
- FTC Red Flag Rules
- Fair and Accurate Credit Transactions Act (FACT Act)
- Gramm-Leach-Bliley Act (GLB Act)
- Children's Online Privacy Protection Act (COPPA)
Red Flag Rules
- Rule applies to all non-profit corporations
- Rule applies to any "creditor" that regularly extends, renews, or continues credit (such as patients who have partial responsibility for payment, e.g. insurance pays 80% and the patient's responsibility is 20%)
- Compliance deadline extended to May 1, 2009; programs must be Board approved and implemented by that date
- Organizations must develop and implement programs to detect, prevent and mitigate ID theft
- Program must be updated periodically
- Training will be critical to success

State Breach Reporting Statutes
- Many states are proposing and enacting statutes requiring the reporting of information breaches
- California was the first: California Civil Code Section 1798.29, enacted in 2002
- Many states have followed California's lead
44 States & D.C. With Statutes
Alaska, Arizona, Arkansas, California, Colorado, Connecticut, Delaware, Florida, Georgia, Hawaii, Illinois, Idaho, Indiana, Iowa, Kansas, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Montana, Nebraska, Nevada, New Jersey, New York, New Hampshire, N. Carolina, N. Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, S. Carolina, Tennessee, Texas, Utah, Vermont, Virginia, W. Virginia, Washington, Wash. D.C., Wisconsin, Wyoming

States Without Statutes
Alabama, Kentucky, Mississippi, Missouri, New Mexico, South Dakota
Statute Reference Site
- National Conference of State Legislatures: http://www.ncsl.org/programs/lis/cip/priv/breachlaws.htm

Why Do We Care?
- The statutes require persons/entities doing business in the respective states to notify individuals if their information has been breached
- Many reflect the original CA statute but are not carbon copies
- Requirements vary
- Statutes are subject to change with each legislative session (Indiana, Mass., CA)
CA Civil Code 1798.29
- "(a) Any agency that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person."
- Note: the statute is somewhat ambiguous because it includes "reasonably believed." What does "reasonably believed" mean? How far does it go? An employee surfing e-records of interesting cases? A portable drive or CD left unattended in a non-secure area?

CA Additional Considerations: Accounting of Disclosures
- A separate issue, but one to consider
- Providers need to know what else is required of them by the statutes
- "Each agency shall keep an accurate accounting of the date, nature, and purpose of each disclosure of a record made pursuant to subdivision (i), (k), (l), (o), or (p) of Section 1798.24."
CA 1798.24
- "The accounting shall also include the name, title, and business address of the person or agency to whom the disclosure was made."
- "(o) To a law enforcement or regulatory agency when required for an investigation of unlawful activity or for licensing, certification, or regulatory purposes, unless the disclosure is otherwise prohibited by law."

Disclosure to Individual
- CA 1798.25 mandates: "The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement."
"Personal Information" Means
An individual's first name or first initial and last name in combination with any one or more of the following data elements:
1) Social security number.
2) Driver's license number or California Identification Card number.
3) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.

Important Considerations
- Safe harbors
- Breach definition
- Reporting requirements
  - Individual
  - State AG or other department
  - Time frame
- Right to private action
Encryption Safe Harbor States
Alaska, Arizona, Arkansas, California, Colorado, Connecticut, Delaware, Florida, Georgia, Hawaii, Illinois, Idaho, Indiana, Iowa, Kansas, Louisiana, Maine, Maryland, Massachusetts (128 bit or higher), Michigan, Minnesota, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New York, N. Carolina, N. Dakota, Ohio, Oklahoma (statute applies to state agencies), Oregon, Pennsylvania, Rhode Island, S. Carolina, Tennessee, Texas, Utah, Vermont, Virginia, Washington, W. Virginia, Wisconsin, Wyoming

Redaction
- Many statutes include redaction as a safe harbor
- Does this extend the statute to paper?

45 C.F.R. 164.530(c) Requirements: Safeguards (the HIPAA Privacy Rule's "mini-security rule")
- "(1) Standard: Safeguards. A covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information."
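As an added illustration (not part of the presentation), the following triage helper encodes the CA 1798.29 "personal information" definition above and the encryption safe harbor, with a minimum key-length parameter for states such as Massachusetts that require 128-bit or stronger encryption. The field names and the sample lost data sets are constructed for the example.

```python
"""Breach triage helper: does a lost data set meet the CA 1798.29 definition of
'personal information', and does the encryption safe harbor apply?
Added example; field names and sample data sets are constructed."""

from dataclasses import dataclass

# The three data-element categories from the CA definition, plus the name part.
NAME_ELEMENTS = {"first_name", "first_initial"}
IDENTITY_ELEMENTS = {"ssn", "drivers_license", "ca_id_card"}
ACCOUNT_ELEMENTS = {"account_number", "credit_card", "debit_card"}
ACCOUNT_SECRETS = {"security_code", "access_code", "password"}


@dataclass
class LostDataSet:
    """Fields present in a lost record set and how it was protected at rest."""
    fields: set
    encrypted: bool = False
    key_bits: int = 0  # key length if encrypted (0 = unknown / not encrypted)


def is_personal_information(fields):
    """True when the field set matches the 1798.29 definition."""
    has_name = "last_name" in fields and bool(NAME_ELEMENTS & fields)
    if not has_name:
        return False
    if IDENTITY_ELEMENTS & fields:
        return True
    # An account number alone is not enough: it must be paired with a code
    # or password that would permit access to the financial account.
    return bool(ACCOUNT_ELEMENTS & fields) and bool(ACCOUNT_SECRETS & fields)


def notification_required(lost, min_key_bits=0):
    """Return (required, reason). min_key_bits models a Massachusetts-style
    safe harbor that only accepts 128-bit or stronger encryption."""
    if not is_personal_information(lost.fields):
        return False, "no 'personal information' element present"
    if lost.encrypted and lost.key_bits >= min_key_bits:
        return False, "encryption safe harbor applies"
    if lost.encrypted:
        return True, f"encrypted, but below the {min_key_bits}-bit threshold"
    return True, "unencrypted personal information"


# Constructed scenarios: an unencrypted laptop, a tape with card numbers but no
# access code, and a weakly encrypted portable drive.
LAPTOP = LostDataSet({"first_name", "last_name", "ssn", "diagnosis"})
BACKUP_TAPE = LostDataSet({"first_name", "last_name", "credit_card"})
USB_DRIVE = LostDataSet({"first_initial", "last_name", "account_number",
                         "access_code"}, encrypted=True, key_bits=56)

if __name__ == "__main__":
    for label, ds in [("laptop", LAPTOP), ("tape", BACKUP_TAPE), ("usb", USB_DRIVE)]:
        print(label, notification_required(ds), notification_required(ds, 128))
```

Whether acquisition is "reasonably believed" to have occurred is still a judgment the helper cannot make; it only answers the data-element and encryption questions.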
Penalties
- Right of private action
- Fines up to $500,000
- Reporting requirements may include reports to:
  - State IG
  - State AG
  - Major credit agencies

Nevada
- Nevada statute effective 10/1/2008
- "System" means a set of related equipment, whether or not connected, which is used with or for a computer.
- A business shall not transfer any personal information of a customer through an electronic transmission other than a facsimile to a person outside of the secure system of the business unless the business uses encryption to ensure the security of the electronic transmission.
Indiana
- "Breach of the security of a system" means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a person.
- The term includes the unauthorized acquisition of computerized data that have been transferred to another medium, including paper, microfilm, or a similar medium, even if the transferred data are no longer in a computerized format.

Indiana: Data Base Owner Shall Disclose the Breach to an Indiana Resident Whose:
- Unencrypted personal information was or may have been acquired by an unauthorized person, or
- If the data base owner knows, should know, or should have known that the unauthorized acquisition constituting the breach has resulted in or could result in identity deception
Connecticut
- Any person who collects Social Security numbers in the course of business shall create a privacy protection policy which shall be published or publicly displayed.
- "Publicly displayed" includes, but is not limited to, posting on an Internet web page.
- The policy shall: (1) protect the confidentiality of Social Security numbers, (2) prohibit unlawful disclosure of Social Security numbers, and (3) limit access to Social Security numbers.

Massachusetts
- 201 CMR 17.00: Standards for the Protection of Personal Information of Residents of the Commonwealth
- Initial effective date 1-1-2009; delayed until May 1, 2009 (same as the Red Flag Rule)
- Includes:
  - Reasonable monitoring of systems for unauthorized use of or access to personal information
  - Encryption of all personal information stored on laptops or other portable devices
  - Education and training of employees on the proper use of the computer security system and the importance of personal information security
California Modification (Effective 1-1-2009)
- Inclusion of medical information
- "Free" $1,000 (Section 56.36)
- "(b) In addition to any other remedies available at law, any individual may bring an action against any person or entity who has negligently released confidential information or records concerning him or her in violation of this part, for either or both of the following: (1) Nominal damages of one thousand dollars ($1,000). In order to recover under this paragraph, it shall not be necessary that the plaintiff suffered or was threatened with actual damages. (2) The amount of actual damages, if any, sustained by the patient."

California
- "(c) (1) In addition, any person or entity that negligently discloses medical information in violation of the provisions of this part shall also be liable, irrespective of the amount of damages suffered by the patient as a result of that violation, for an administrative fine or civil penalty not to exceed two thousand five hundred dollars ($2,500) per violation."
- The bill would establish within the California Health and Human Services Agency the Office of Health Information Integrity to assess and impose administrative fines for a violation of these provisions, as provided.
Security Breach Retrospective Review: Providence Health Systems

Missing
- 4 laptops
- 4 backup tapes
- 2 optical disks
- All unattended
- Unencrypted
- Contained ePHI of over 386,000 patients
Back-up Media
- Left unattended in employee vehicle
- Routine procedure
- Management team aware of practice
- Media stolen

Laptops
- 4 separate incidents, September 05 through March 06
- Laptops stolen
Then What?
- Provider notifies patients of loss per state law
- Provider notifies HHS of stolen media
- HHS receives over 30 complaints
- Class action suit filed (dropped Nov. 07)
- State AG takes action
- Feds take action

State AG Assurance of Voluntary Compliance (signed September 26, 2006)
- Credit monitoring (min. 1 yr)
- Credit restoration services (min. 1 yr)
- Improve security program
  - Designate person accountable for security
  - Identify internal and external risks
  - Implement reasonable safeguards
- Pay $95,764 to Consumer Protection and Education
Federal Investigation
- 3 government agencies: HHS, Office of Civil Rights, CMS
- 1 Resolution Agreement
- 3-year Corrective Action Plan
- $100,000 fine?
- Total cost: still counting

Corrective Action Plan (CAP): 3-Year Agreement
- P&Ps
- Training
- Reportable events
- Notification to HHS
- Quarterly monitor reviews
- Annual report to HHS
Corrective Action Plan: P&Ps
- 10 P&Ps delineated
- Must be reviewed and approved by HHS
- Certification by all employees: read, understand, shall abide
- Updated at least annually and reapproved by HHS

Corrective Action Plan: Training
- Completed within 90 days of P&P approval
- Certification of participation of all employees
- Annual training thereafter
- New hires within 30 days of employment
Corrective Action Plan: Reportable Events
- Workforce member violates policies
- Must notify HHS within 30 days
- Complete description
  - Parties involved
  - Identification of which policy was violated
  - Mitigation activities
  - Prevention activities

Corrective Action Plan: Monitor Reviews
- Must be done quarterly
- Risk identification
- Should be unannounced visits
- Random interviews with workforce regarding portable devices
- Inspection of portable devices
- Policies being followed
Corrective Action Plan: Monitor Review Documentation
- Summaries of interviews
- Summaries of device inspection
- Description of new risks identified
- Copies of all work papers or documents created during the monitor review may be requested

Corrective Action Plan: Annual Reports
- Annual report to HHS
  - Training materials; schedules; topic outlines
  - Training attestation documentation
  - Summary of reportable events
  - Monitor review reports
  - CISO attestation of validity of information within the annual report
What Would You Do?
- Let's talk

What If There Is A Breach
- Consult state statute
- Thorough investigation
  - Document due diligence
  - Must determine what data elements were lost
  - Must list persons involved
- Consult legal
- Draft notification letter
- Develop a post-notification plan
  - Public relations statements
  - Staff to discuss issue with involved persons
- Good faith offers?
  - Paid credit reporting contract
  - ID theft insurance
Internal Corrections
- Must drive change so the event doesn't repeat
- The last thing your organization needs is to be in the newspaper repeatedly for the same type of data loss

Letter Considerations
- Verbiage: truthful and forthright without placing your facility at greater risk
- Peace offerings
  - Credit monitoring services
  - ID theft insurance
  - Consideration must be given to whether to offer upfront, to offer only to persons who contact you, or to offer to anyone
After Sending Letter
- Set up a phone line to take calls
  - Person should be knowledgeable of the situation and able to answer questions
- Prepare a media response

Prevent Future Occurrences
- Perform PI on situation
- Root cause analysis (RCA)
  - RCA members must be able to drive change in policy and procedure
- Implement new process to prevent additional occurrences
- Assign responsibility
- Follow-up (F/U) audits
Questions?

Thank you!
Andrewco@ulh.org
Dmaassen@extendicare.com