
Recent Developments in U.S. Law: Privacy and Information Technology Health - 2013

Amyt M. Eckstein

Moses & Singer LLP, 405 Lexington Avenue, New York, NY 10174-1299, (212) 554-7843

What Does “Privacy” Mean?

• The term "privacy" has different meanings in different contexts.

• In a business context, the term privacy generally means the legal protections given to certain pieces of data belonging to human beings.

• The rise of criminal identity theft has been a significant factor in the increase of data

What Laws Govern Privacy?

• Medical information is protected by federal law ("HIPAA") as well as similar laws enacted in each state.

• The Health Information Technology for Economic and Clinical Health Act (“HITECH Act”) creates security breach notification requirements.

• Information transmitted over the Internet is protected by the Federal Trade Commission (“FTC”) Regulations and Guidelines.

• The Children's Online Privacy Protection Act (“COPPA”) governs online content accessible by those under 13.

• Banking account and credit or debit card information is protected by laws in each state and by Gramm-Leach-Bliley (“GLB”).

What Kinds of Information Should We Protect?

• As a matter of legal compliance and best practices, we should protect any information about a customer/client that is personal to that individual, particularly if misuse or wrongful disclosure of that information could result in reputational or financial harm.

The Privacy Rule (HIPAA)

• The Health Information Portability and Accountability Act

• HIPAA is a federal law that was enacted in 1996 to protect an individual’s health information.

• Regulates how private health information can be

Who has to comply with HIPAA?

• Certain entities and persons (covered entities)

• Business Associates and their subcontractors

Why was HIPAA enacted?

• Individuals’ private medical information was being released without authorization.

• In Tampa, Florida, a disgruntled public health worker sent the names of more than 4,000 people who tested positive for HIV to two newspapers.

• Employees of companies had been fired without cause when their employers discovered that these employees had a potentially expensive medical condition.

• Medical doctors had sold their patient lists to marketing and pharmaceutical companies without patient permission, thereby allowing this information to be easily accessed by the general public.

What kind of information does HIPAA protect?

• HIPAA imposes restrictions on the use and disclosure of protected health information (“PHI”) and outlines patients' rights, namely, the right to have access to their records, the ability to amend those records, the right to receive an accounting of disclosures, the right to limit the use and disclosure of the records, and the right to receive responses to their requests pertaining to their rights. PHI may only be accessed, used and disclosed as permitted by law or with patient authorization.

• While a person's name is a clear example of data that identifies an individual, there are many types of information that may reasonably identify an individual: for example, addresses and telephone numbers, passport or green card numbers, insurance policy numbers, etc.

• When any of these "identifiers" are combined with either information about an individual's health status/condition or information about payment for health care services for the individual, then all of the information is considered PHI.

What do entities need to do to comply with HIPAA?

• Implement policies/procedures to

– Restrict access, use and disclosure of PHI

– Ensure PHI is secure through administrative, physical and technical safeguards (workforce training, workstation security, audits)

• Contracts with business associates contain the same protections

Example of Recent HIPAA Enforcement

• Accretive Health – national debt collection co.

– Minnesota Attorney General brought suit alleging that Accretive was mining, analyzing and using data for purposes not disclosed to patients and which might adversely affect patient access to care.

– Suit stemmed from a laptop stolen from an Accretive employee that contained patient records.

– Suit is the first major HIPAA enforcement action by a state attorney general against a business

Examples of Recent HIPAA Enforcement

State of Alaska Department of Health & Human Services

• Reached $1.7M settlement with US HHS in 2012.

• First HIPAA enforcement action taken by HHS against a state agency.

• Breach resulted from theft of a portable electronic storage device potentially containing electronic protected health information (“ePHI”) from the car of a DHSS computer technician in October 2009.

HIPAA Enforcement

• In 2009, CVS Pharmacy agreed to pay a $2,250,000 penalty after an investigation revealed that CVS had not properly disposed of protected health information.

• In 2012, the Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates agreed to pay $1,500,000 for violations of privacy and security rules.

• In 2012, Blue Cross and Blue Shield of Tennessee agreed to pay $1,500,000 for violations of privacy and security

HIPAA Enforcement

• WellPoint agrees to pay $1.7 million HIPAA penalty – 2013

• WellPoint serves nearly 36 million people through affiliated health plans.

• Between Oct. 2009 and March 2010, access to personal data for 613,000 people - names, dates of birth, addresses, Social Security numbers, telephone numbers and health information - was made available to unauthorized users as the result of an online security vulnerability.

• HHS found that WellPoint did not enact appropriate administrative, technical and physical safeguards for data as required by HIPAA.

HIPAA Enforcement – Wall of Shame

• In its initial report to OCR, WellPoint disclosed that 31,700 people were affected by the breach. That figure was posted on OCR's public website, known as the “Wall of Shame,” which OCR is required to maintain.

• Subsequent forensic analysis of the WellPoint breach determined that 612,404 individuals were affected - the number reported by OCR in the settlement agreement announcement.

• The Wall of Shame has 627 incidents posted since September 2009.

• These reported incidents each involve the exposure of records of 500+ individuals. Including the WellPoint breach, approximately 22.8 million people's records have been exposed.

• Since July 2008, under HIPAA, HHS has collected almost $17 million in penalties through resolution agreements.

HIPAA Changes 2013

• New Rule effective March 2013; covered entities must comply by September 23, 2013.

• Strengthens privacy and security protections and improves enforcement

• Modifies breach notification rule

• Increases protection of genetic information as required by GINA (Genetic Information Nondiscrimination Act of 2008)

HIPAA Modifications effective September 2013

• Business associates will be directly liable for compliance with certain HIPAA privacy and security requirements

• Strengthens PHI use and disclosure limitations

• Expands individuals' rights to receive electronic copies of health information and to restrict disclosures to a health plan concerning treatment for which the individual has paid out of pocket in full,

HIPAA Modifications effective September 2013

• Requires modifications to and redistribution of a covered entity’s notice of privacy practices.

• Modifies the individual authorization and other requirements to facilitate research and disclosure of child immunization records to schools.

• Adopts HITECH’s enhancements to enforcement rules re: willful neglect.

• Increases penalties and changes some definitions, e.g., harm.

• Prohibits most health plans from using genetic information for underwriting (from GINA).

HITECH Act Overview

• Mandates security breach notification for HIPAA covered entities and related entities.

• Makes Business Associates subject to many obligations that formerly only applied to covered entities.

• Enhances penalties for non-compliance with

HITECH Overview

• At the time of HITECH’s passage, over 45 states had very similar security breach notification laws. So why did we need a federal standard?

• Most state security breach notification laws focus only on breaches of personal information and financial information.

• HITECH and its related regulations apply to

Examples of a security breach

• A lost or stolen laptop, PDA, or flash drive that is used to store PHI.

• Faxing lab results to an incorrect number or person.

• Mailing a medical record to the wrong address or person.

• A “hacker” breaks into the company’s electronic data

Security Breach Notification

• Under HITECH, a covered entity must, following the discovery of a breach of unsecured protected health information, notify each individual whose unsecured PHI has been or is reasonably believed by the covered entity to have been accessed, acquired, used or disclosed as a result of such breach.

Security Breach Notification

• A covered entity must notify all affected individuals within 60 days after discovery of a breach, provided that it meets the “risk of harm” threshold.

• A business associate of a covered entity must notify the covered entity of a breach no later than 60 days after discovery of the breach. The covered entity must then notify affected individuals.

Security Breach Notification

• Notice to affected individuals must contain brief descriptions of the occurrence of the breach and the types of information that were involved in the breach, steps that individuals should take to protect themselves, how the covered entity is mitigating harm, and contact information.

• HHS must be notified of the breach within 60 days of discovery.

• If over 500 persons are affected in a given state,

Security Breach Notification

• Encryption is key.

– “Unsecured PHI” means PHI that is not rendered unusable, unreadable or indecipherable to unauthorized individuals through the use of a technology or methodology specified by HHS, such as encryption.

– Encryption is not required by HIPAA, but a covered entity or business associate that experiences a breach of encrypted information is not required to provide notification to affected individuals.

Security Breach Notification

• The FTC issued a similar rule

– Very similar to HITECH, but applies to vendors of personal health records (PHRs), PHR-related entities and third party service providers.

– Such entities can be business associates in different contexts, so the HHS rule can apply as well.

– These entities must notify the FTC (not HHS) with a form on the FTC website 60 days after the beginning of the following calendar year.

– If 500+ individuals are affected, the FTC must be notified within 10 days of discovery, and state media must also be notified.

Changes to Business Associate Obligations

• In addition to Business Associates’ responsibilities with respect to security breach notification, there are additional new obligations for Business Associates under HITECH.

• Covered entities and business associates should ensure that new obligations are covered in business associate agreements.

Changes to Business Associate Obligations

• Business Associates are now required to implement the safeguards set forth in HIPAA.

• Business Associates are directly subject to civil and criminal penalties if they violate HIPAA.

• Business Associates must terminate the business associate agreement or, if infeasible, notify HHS, if a covered entity fails to cure a material breach under such business associate agreement (e.g. impermissible disclosures of PHI).

Sale of PHI Prohibited

• Generally the sale of PHI is prohibited under HITECH unless a covered entity obtains a valid authorization from an individual that includes a specification of whether PHI can be further exchanged for remuneration by the entity receiving the PHI.

• Example: Individuals in Florida were charged with conspiring with an ambulance company worker to steal PHI of individuals transported by the ambulance company and selling the information to various Florida personal

Recent HITECH Enforcement Action

• Blue Cross/Blue Shield of Tennessee recently agreed to pay the U.S. Department of Health and Human Services $1.5 million as a result of a 2009 data breach.

• The case stemmed from the theft of 57 unencrypted computer hard drives from a former BlueCross call center in Tennessee. The drives contained the PHI of more than 1 million BlueCross customers, including names, Social Security numbers, diagnosis codes, dates of birth, and health plan ID numbers.

• BC/BS was ordered to pay and to develop a corrective plan to address gaps in its privacy/security compliance plan.

Penalties for Noncompliance

• HIPAA and HITECH breaches are made public on government websites

• Damages

– HIPAA/HITECH – up to $1.5 Million plus up to $1.2 Million in criminal penalties

– May impose additional civil monetary penalties

• Reputational harm

• Cost of curing breach by stopping practice and

Federal Trade Commission

• Under the FTC Act, the FTC actively pursues unfair and deceptive practices related to “personal information”

– Deceptive practices include a company’s failure to follow or implement its own privacy policy to the detriment of consumers

– Unfair practices include a company’s failure to adopt a minimum level of security protection

• Companies must implement reasonable information security programs to protect consumer personal

Definition of Personal Information

An individual's name (either first and last name, or first initial and last name) and/or address/telephone number when combined with one or more of the following:

Federal Trade Commission

• Once a company has published its privacy policy, it is bound by the public statements made. Publishing a privacy policy exposes the company to prosecution if it fails to perform according to the representations made in the public privacy policy.

• If a privacy policy includes an “opt-out” button, the company must remove the customer’s data from any tracking software.

Federal Trade Commission

• Red Flags Rule

– Applies to financial institutions and creditors for consumer accounts

– Imposes an obligation on companies to develop an identity theft prevention program

• Identify relevant patterns, practices and forms of activity which signal possible identity theft (“red flags”)

• Detect red flags

• Incorporate red flags into ID theft program

• Respond to detected red flags

• Update program to reflect changes in possible ID theft risks

FTC Enforcement Actions

LinkedIn – June 2012

• Breach involved 6.5 million encrypted user passwords, which could allow hackers access to user personally identifiable information.

• Hacked passwords were posted to an online forum.

• How the breach occurred: LinkedIn used standard encryption to protect passwords – easily decrypted.

• LinkedIn now uses “Salted” passwords, but should develop more sophisticated encryption techniques.

• Federal class action just filed alleging $5 Million in damages caused by the breach.
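The slide's point about "salted" passwords, as an added example that is not part of the presentation: password stores hold one-way hashes rather than reversible encryption, and the weakness in a store of plain, unsalted, fast hashes is that a single precomputed table of hashes of common passwords reverses every matching account at once. A per-user random salt combined with a deliberately slow key-derivation function (here PBKDF2-HMAC-SHA256 from the Python standard library) makes that table useless across accounts. The password list and user records below are constructed for the example.

```python
"""Added example: unsalted fast hash vs. salted slow hash for a password store."""
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed sample of weak passwords that a precomputed table would cover.
COMMON_PASSWORDS = ["123456", "password", "linkedin", "letmein", "qwerty"]


def unsalted_hash(password: str) -> str:
    """Weak scheme: one plain SHA-1 digest, identical for every user with that password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def build_lookup_table(candidates: List[str]) -> Dict[str, str]:
    """digest -> password, computed once and reusable against every unsalted account."""
    return {unsalted_hash(p): p for p in candidates}


def recover_unsalted(stored: Dict[str, str], table: Dict[str, str]) -> Dict[str, str]:
    """Reverse every stored unsalted digest that appears in the precomputed table.
    Returns username -> recovered password (only for the accounts that matched)."""
    return {user: table[digest] for user, digest in stored.items() if digest in table}


def salted_hash(password: str, salt: Optional[bytes] = None, iterations: int = 200_000) -> str:
    """Hardened scheme: 16 random bytes of salt plus PBKDF2-HMAC-SHA256.
    Stored as 'iterations$salt_hex$digest_hex' so verification can recompute it."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def same_password_distinct_records(password: str) -> bool:
    """Two users with the same password get different stored values, so a table
    keyed on the stored value cannot be shared between accounts."""
    return salted_hash(password) != salted_hash(password)


def demo() -> Dict[str, str]:
    """Constructed user records stored under the weak scheme, then reversed with the table."""
    stored = {
        "alice": unsalted_hash("linkedin"),      # weak password, in the table
        "bob": unsalted_hash("correct horse"),   # not in the table
        "carol": unsalted_hash("qwerty"),        # weak password, in the table
    }
    return recover_unsalted(stored, build_lookup_table(COMMON_PASSWORDS))


if __name__ == "__main__":
    print("recovered from unsalted store:", demo())
    record = salted_hash("linkedin")
    print("salted record:", record)
    print("verify correct password:", verify_salted("linkedin", record))
    print("verify wrong password:", verify_salted("password", record))
```

The detection-side lesson is the one the slide draws: once a leaked digest list matches a precomputed table, every account that used a common password is exposed together, whereas each salted record has to be attacked individually and at the cost set by the iteration count.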

FTC Enforcement Actions

• Facebook

– Settled charges that it deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing their information to be shared and made public

• Told users they could restrict sharing of data to limited audiences – for example with "Friends Only." In fact, selecting "Friends Only" did not prevent their information from being shared with third-party applications their friends used

• Claimed that when users deactivated or deleted their accounts, their photos and videos would be inaccessible. But Facebook allowed access to the content, even after users had deactivated or deleted their accounts.

– Settlement requires Facebook to comply with what it writes in its privacy policy and conduct regular audits.

FTC Enforcement Actions

• Wyndham Worldwide Corporation

– FTC filed suit against Wyndham and three of its subsidiaries for alleged data security failures that allowed hackers to steal credit card and other personal information from more than 600,000 customers, resulting in at least $10.6 million in fraudulent charges

– Complaint alleges that security failures led to fraudulent charges on consumers’ accounts, millions of dollars in fraud loss, and the export of hundreds of thousands of consumers’ payment card account information to an Internet domain address registered in Russia

– Action marked the first time FTC had sued a major company for failing to adequately secure customer information

Children’s Online Privacy Protection Act (“COPPA”)

• Enforced by FTC

• Applies to web sites and online services:

– Which are directed at children under 13, OR

– Operator has actual knowledge that children under 13 are providing individually identifiable information, such as full name, home address, email address, telephone number or any other information that would allow someone to identify or contact the child.

COPPA

• Requires each site to provide a clear and conspicuous notice of its privacy practices on its website. In addition, before it may collect, use, or disclose children's personal information, a company subject to COPPA must obtain verifiable parental consent. COPPA also defines how and to what extent, once the children’s personally identifiable information has been collected, the company may use such

COPPA

• The statute applies when a company operates a website gathering information from consumers in the U.S., even if the website is located outside the U.S. As e-commerce grows, companies should take care to follow COPPA with active privacy policies and internal enforcement of those policies.

COPPA Amended Effective July 1, 2013

• FTC amends COPPA to reflect behavioral advertising and expands definitions of who is covered by the rule.

• Modifies definition of “personal information” (that cannot be collected without parental consent) to include geolocation information, photographs, videos, and persistent identifiers.

• “Persistent Identifiers” are screen names, email addresses, IP addresses, and device IDs that can be used to recognize (i.e., track) a user across different websites or online services.

• Closes loophole allowing kid-directed websites to collect personal information through third party plug-ins

COPPA Amended Effective July 1, 2013

• The COPPA rule contains a “safe harbor” provision that allows industry groups and others to seek FTC approval of self-regulatory guidelines

• Requires covered operators to adopt reasonable procedures for data retention and deletion

• Strengthens FTC oversight of self-regulatory safe

COPPA Amended Effective July 1, 2013

• Expands definitions to clarify that the whole ecosystem is affected by COPPA rules: if you collect personal information from kids under 13, you are now covered (broadly speaking), if you have actual knowledge.

• Can’t ignore or intentionally not know.

• Plug-ins and ad networks are now within the definition of “operator” – but this does not extend to platforms, i.e., App stores, when such platforms merely offer the public access to the child-directed apps.

COPPA Enforcement Actions

• W3 Innovations, Inc.

– First action against a mobile phone app company

– FTC alleged that the apps violated COPPA by failing to provide notice on W3’s website of what information it collects from children, to provide clear and complete notice of its information practices directly to parents, and to obtain parental consent prior to collecting, using or disclosing personal information from children

– W3 agreed to pay $50,000 and delete all personal information it had collected

State Laws

• Invasion of privacy under common law

– Unauthorized intrusion;

– Intrusion is offensive to a reasonable person;

– Intrusion relates to private matters; and

Recommendations

• Draft and implement privacy and security policies that address administrative, physical and technical safeguards.

– Make sure the company can and does comply with what is in its policy.

• Privacy and security training programs.

• Communicate policies to customers.

• Agreements with business partners, contractors

Questions?

Amyt M. Eckstein

Moses & Singer LLP 212.554.7843

[email protected]

Connect to me on LinkedIn

Disclaimer: Viewing this PowerPoint or contacting Moses & Singer LLP regarding this presentation does not create or invite an attorney-client relationship. This presentation does not constitute legal advice or an opinion of Moses & Singer LLP or any member of the firm and may be rendered incorrect by future developments. It is recommended that it not be relied upon in connection with any dispute or other matter but that professional advice be sought.
