Privacy and Security Laws for Health Care Organizations www.ScottandScottllp.com Presented by Robert J. Scott Scott & Scott, LLP 800-596-6176
Dec 29, 2015
© 2008 Scott&Scott, LLP
Ponemon Survey Results – 85% of Companies Surveyed Experienced a Data Breach
Bar Chart 1: Data breach statistics for the present sample
º Companies experiencing the loss of personal information: 85%
º Companies required to notify breach victims: 81%
Ponemon Survey Results – 42% of data breaches were caused by missing devices such as laptop computers
Bar Chart 2: Probable cause of the data breach event
º Missing devices: 42%
º Negligent employees: 16%
º Negligent third parties: 10%
º IT mishaps: 7%
º Criminal activity: 6%
º Malicious employees: 6%
º Missing backup media: 4%
Ponemon Survey Results - 57% did not have an incident response plan in place when the breach happened
Bar Chart 4: Did you have an incident plan before the breach?
º Did not have an incident response plan: 57%
º Did not engage outside legal counsel to draft or review plan: 77%
Ponemon Survey Results – Breaches May Impact IT Spending
Bar Chart 9: Percentage difference between companies that experienced a breach and companies that did not experience a breach (series: had breach / did not have breach), for the categories encryption, devices are properly cleaned, legal counsel, data leak prevention, training and awareness, and data inventory.
Federal Regulation of Privacy Rights
º HIPAA
º GLBA
º COPPA
º Electronic Communications Privacy Act
º Privacy Act and Computer Matching & Privacy Protection Act
º Computer Fraud and Abuse Act
HIPAA Privacy Rule
º Purpose of the Privacy Rule is to define and limit the circumstances in which an individual’s protected health information may be used or disclosed by a covered entity.
º All individually identifiable health information held or transmitted by a covered entity or its business associates is protected health information.
º A covered entity must obtain the individual’s written authorization for any use or disclosure of information that is not for treatment, payment or health care operations, or otherwise permitted or required by the Privacy Rule.
º Each covered entity must provide a notice of its privacy practices.
HIPAA Privacy Breach Notification
º In the event of a data breach, a covered entity has a duty to:
• Mitigate impermissible uses and disclosures; and
• Account for impermissible uses and disclosures.
º A business associate must report any breach to the covered entity.
º A business associate has no obligation to notify others or mitigate the effect of the breach.
HIPAA Security Requirements
º Designate a privacy official who is responsible for developing and implementing policies and procedures
º Train all members of the workforce on policies and procedures related to protected health information
º Implement appropriate administrative, technical and physical safeguards to protect against the intentional or unintentional use or disclosure in violation of HIPAA
º No waiver of rights
º Implement policies and procedures that are reasonably designed to ensure compliance
º Retain documents and prepare reports to regulators demonstrating compliance
Understanding State Breach Notification Laws
º Forty-five jurisdictions have data breach notification statutes (forty-four states and DC)
º Definition of Personal Information
º Exemption for Encrypted Personal Information
º Criminal Investigation or Government Entity Exemption
º Immaterial Information Exemption
Definition of Personal Information
º First name or first initial and last name, along with one of the following unencrypted pieces of information:
• social security number;
• driver’s license number or state identification number; or
• account number, credit card number, or debit card number, combined with any password, security code, or access code.
Exemptions for Encryption
º Many states, like California, exclude encrypted information from the definition of a security breach.
º Other states have an express exemption for encrypted information.
º Encryption means an algorithmic process to transform data into a form in which the data is rendered unreadable or unusable without use of a confidential process or key.
º Exemption does not apply if the security breach also involves the encryption key.
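The two slides above (the definition of personal information and the encryption exemption) amount to a decision rule. As an added example that is not part of the presentation, the helper below applies that rule to exposed records during breach triage; the record fields, element names and sample records are assumptions constructed for illustration, and the logic follows the slides rather than any particular state statute.

```python
# Added example (not from the presentation): breach-triage helper applying the
# slides' "personal information" definition and encryption exemption.
# Field and element names below are assumptions chosen for illustration.
from dataclasses import dataclass, field

# Elements that, with a name, make a record personal information on their own
STANDALONE_ELEMENTS = {"ssn", "drivers_license", "state_id"}
# Account/card numbers count only when combined with a password or code
FINANCIAL_ELEMENTS = {"account_number", "credit_card", "debit_card"}
ACCESS_CODES = {"password", "security_code", "access_code"}


@dataclass
class ExposedRecord:
    has_first_name_or_initial: bool
    has_last_name: bool
    elements: set = field(default_factory=set)  # exposed data elements
    encrypted: bool = False                     # elements were encrypted
    key_compromised: bool = False               # encryption key also exposed


def is_personal_information(rec: ExposedRecord) -> bool:
    """True if the record meets the name-plus-data-element test."""
    if not (rec.has_first_name_or_initial and rec.has_last_name):
        return False
    if rec.elements & STANDALONE_ELEMENTS:
        return True
    # financial identifiers only count together with a password or code
    return bool(rec.elements & FINANCIAL_ELEMENTS) and bool(rec.elements & ACCESS_CODES)


def notification_required(rec: ExposedRecord) -> str:
    """Triage outcome: 'notify', 'exempt-encrypted' or 'not-pi'."""
    if not is_personal_information(rec):
        return "not-pi"
    # the encryption exemption falls away if the key was also breached
    if rec.encrypted and not rec.key_compromised:
        return "exempt-encrypted"
    return "notify"


# Constructed sample, as an inventory of a lost laptop's files might yield
SAMPLE = [
    ExposedRecord(True, True, {"ssn"}),
    ExposedRecord(True, True, {"credit_card"}),               # number alone
    ExposedRecord(True, True, {"debit_card", "access_code"}),
    ExposedRecord(True, True, {"ssn"}, encrypted=True),
    ExposedRecord(True, True, {"ssn"}, encrypted=True, key_compromised=True),
]


def triage(records) -> dict:
    """Count records per outcome; any 'notify' means a duty may arise."""
    counts = {"notify": 0, "exempt-encrypted": 0, "not-pi": 0}
    for rec in records:
        counts[notification_required(rec)] += 1
    return counts
```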
Criminal Investigation Exemption
º Breach notification may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation.
º The notification required by this section shall be made after the law enforcement agency determines that it will not compromise the investigation.
Alaska’s Data Breach Notification Law
º Notification required in the most expeditious time possible and without unreasonable delay
º Exemption for encrypted data
º Suspension of duty to notify during ongoing criminal investigation
º Specific exemption for immaterial breaches
º Civil penalties for failure or unreasonable delay of notification
º Private right of action
Contact Information
Robert J. Scott
Scott & Scott, LLP
2200 Ross Avenue, Suite 5350E
Dallas, Texas 75201
Phone: 214-999-0080
Fax: 214-999-0333