Texas Privacy Laws: Tough New Changes
Jun 08, 2015
Speaker
Jim Brashear is a member of the Bar of the United States Supreme Court, the California Bar Association and the State Bar of Texas. He frequently appears as a public speaker on corporate governance, data security and information technology legal topics.
He currently serves the Association of Corporate Counsel on its Information Technology, Privacy & Electronic Commerce Committee as Programs Co-Chair and Cloud/SaaS Co-Chair.
He received a Juris Doctorate degree, magna cum laude, from the University of San Diego School of Law, and a Bachelor of Arts degree in political science from the University of California at San Diego.
James F. Brashear, General Counsel, Zix Corporation
Twitter: @jfbrashear
This program is for educational purposes only. The content does not constitute legal advice. No attorney-client relationship is created by your participation.
Overview
Texas recently amended privacy laws protecting:
– Protected Health Information (PHI)
– Sensitive Personal Information (SPI)
A business may be simultaneously subject to:
– Texas Identity Theft Enforcement and Protection Act
– Texas Medical Records Privacy Act
– HIPAA and HITECH
New amendments:
– Broaden the scope of Texas privacy laws
– Add new requirements
– Impose new penalties
New medical privacy laws are stricter than HIPAA
Two Principal Texas Privacy Statutes
Medical Records Privacy Act
Identity Theft Enforcement and Protection Act
Identity Theft Enforcement and Protection Act
Business and Commerce Code Chapter 521
http://www.statutes.legis.state.tx.us/Docs/BC/htm/BC.521.htm
Amended by H.B. No. 300, effective September 1, 2012
http://www.capitol.state.tx.us/tlodocs/82R/billtext/pdf/HB00300F.pdf
Broad Scope
Applies to virtually all businesses operating in Texas
Includes most healthcare businesses
Specifically includes nonprofit athletic or sports associations
Excludes financial institutions under the Gramm-Leach-Bliley Act
Focus: It is not clear how the Act will be applied to:
• SPI stored outside Texas
• Non-Texas business SPI stored in Texas
• Non-Texas business SPI of Texas residents
Duty to Protect Sensitive Personal Information
Business and Commerce Code §521.052
A business must use reasonable procedures to protect from unlawful use or disclosure any sensitive personal information collected or maintained in its regular course of business
Focus: In contrast to Massachusetts 201 CMR 17.01, Texas does not mandate encryption – but Texas does:
• exclude some encrypted data completely
• exclude encrypted data from data breach notice rules
• mitigate penalties if data was encrypted
Sensitive Personal Information
§521.002(a)(2) defines two types of SPI:
1. Personal identifying information
An individual's first name or first initial
+ their last name
+ any of the following:
– social security number
– driver's license number
– government-issued identification number, or
– account number or credit or debit card number plus any financial account security code, access code, or password
Encryption exclusion for this type
– If the name and the listed items are encrypted, then they are not treated as SPI at all
Tip: Encrypt all sensitive data, at rest and in motion
Sensitive Personal Information
§521.002(a)(2) defines two types of SPI:
2. Medical identifying information
Information that identifies an individual and relates to their:
– physical or mental health or condition
– provision of health care, or
– payment for provision of health care
No encryption exclusion for this type . . . treated as SPI even if encrypted
. . . but there is an encryption safe harbor from data breach notification
– Consistent with HIPAA
Tip: Encrypt all sensitive data, at rest and in motion
Data Breach from Unauthorized Acquisition
§521.053(a) defines Breach of System Security:
Unauthorized acquisition of computerized data that compromises SPI security, confidentiality or integrity
Safe harbor for encrypted data
– No data breach results from unauthorized acquisition of encrypted data unless the decryption key was also acquired
– No notification required
Focus: The statute does not require a business to monitor its systems to detect a data breach
Tip: Encrypt all sensitive data, at rest and in motion
Data Breach from Authorized Access
Data breach can result from unauthorized use or disclosure of SPI by an employee or agent
– Even if their acquisition was authorized and in good faith
– Even if their use or disclosure was not unlawful
Safe harbor for encrypted data applies here, too
Focus: Recent court decisions held that unauthorized use or disclosure of data by employees or agents did not violate the Computer Fraud and Abuse Act where their access to the data was authorized
Long Arm Duty to Notify
Must disclose a data breach to any individual whose SPI is reasonably believed to have been acquired
– Act formerly required notice to Texas residents only
Deference to other states’ laws
– Texas law is satisfied by notice provided under the data breach law of the states where affected individuals reside
– Texas law mandates a notice when the data breach laws of those other states do not
Focus: Contrast MA privacy law 201 CMR 17.00, which applies to data of MA residents no matter where it is held
Timing of Notification
Must disclose a data breach as quickly as possible
Two permitted reasons for delay:
1. As necessary to determine the scope of the breach and restore the reasonable integrity of the data system
2. At the request of a law enforcement agency
– Only if that agency determined notification will impede a criminal investigation
– Must provide notice as soon as that agency later determines notification will not compromise the investigation
Focus: It is not clear how "impede" differs from "compromise"
Focus: It is not clear how a business is expected to know if or when the agency makes its determinations
Form of Notification
Business may notify affected individuals by:
– written notice, or
– electronic notice
Three exceptions:
1. If the business can demonstrate any of:
– cost > $250,000
– number of affected persons > 500,000
– insufficient contact information
then it may give notice by any of:
– email
– conspicuous posting on the business’ website
– notice via major statewide media
Form of Notification (cont.)
Three exceptions:
2. If the business:
– maintains its own SPI security policy notification procedures, and
– its procedures meet the statute’s notice timing requirements,
then notice under that policy satisfies the statute
Tip: Maintain a SPI security policy with notification procedures consistent with Texas data breach notice law
Form of Notification (cont.)
Three exceptions:
3. If the business:
– is required by the Act to notify > 10,000 persons at one time,
then the business must, without unreasonable delay, also
– notify each nationwide consumer reporting agency of the notice timing, notice distribution and notice content
Duty to Destroy Sensitive Personal Information
Must destroy or arrange for destruction of customer records containing SPI that are not going to be retained
Destruction methods:
– Shred
– Erase
– Make SPI unreadable or indecipherable, e.g., by encryption
Penalties
§521.151 civil penalties and injunctions
– Restraining order for conduct that violates the Act
– $2,000 to $50,000 per violation
– $100 per individual for each consecutive day of unreasonable delay in providing notice of a data breach
– Capped at $250,000 per data breach
Two Principal Texas Privacy Statutes
Medical Records Privacy Act
Identity Theft Enforcement and Protection Act
Texas Medical Records Privacy Act
Health & Safety Code Chapter 181
http://www.statutes.legis.state.tx.us/Docs/HS/htm/HS.181.htm
Amended by H.B. No. 300, effective September 1, 2012
http://www.capitol.state.tx.us/tlodocs/82R/billtext/pdf/HB00300F.pdf
Both HIPAA and Texas MRA May Apply
§181.004 refers to applicability of Texas and federal law
Texas MRA refers to Covered Entity as defined in both . . .
– 45 C.F.R. §160.103: must comply with HIPAA and its Privacy Standards
– Texas Health & Safety Code §181.001(b)(2): must comply with Texas MRA*
A business might be a . . .
– Texas Covered Entity even if not a HIPAA Covered Entity
– Covered Entity under both laws
Tip: Consider standardizing compliance programs to meet the most restrictive applicable requirement
*Subject to the partial exemptions under §181.051
Covered Entity Broader Than HIPAA
§181.001(b)(2) expansively defines Covered Entity
Generally includes persons who assemble, collect, analyze, use, evaluate, store, transmit, obtain or come into possession of PHI
– Includes their employees, agents, and contractors who create, receive, obtain, maintain, use or transmit PHI
– Includes a business associate, health care payer, governmental unit, information or computer management entity, school, health researcher, health care facility, clinic, health care provider, and person who maintains an Internet site
Unlike HIPAA, no exception for conduit entities that only transmit PHI
– E.g., couriers
Limited Exemptions
Subchapter B offers a few exemptions
For example:
§181.051 makes employers, and entities defined in the Insurance Code, subject only to Subchapter D (Prohibited Acts)
§181.052 exempts certain financial institution activities, such as payment processing
§181.054 exempts workers compensation activities
More Training Than HIPAA
§181.101 requires a Covered Entity to provide and record employee training in PHI protection laws
Content
– Must cover federal and Texas laws concerning PHI
– Tailored for the Covered Entity’s business and the employee’s responsibilities
Timing
– New employee: within 60 days after hire
– Existing employee: not specified
– All employees: recurring every two years
– HIPAA requires training within a reasonable amount of time after hire and when there are material changes in privacy policies
Record-keeping
– Must require employees attending training to sign (electronically or in writing) a statement verifying attendance
– Must maintain the signed statements (no time limit)
Tip: Combine with training on policies and procedures
EHR Access, Notice and Consent
§181.102: Must give patient an electronic copy of EHR within 15 business days of written request
– HIPAA allows 30 days
§181.154: Must notify individuals that PHI is subject to electronic disclosure
– Can be satisfied by posting in the place of business, on the website or in any other place those individuals are likely to see the notice
§181.154: Must get consent for each electronic disclosure of PHI
– Consent can be electronic or written
– Texas AG is to develop a standard form
– Not required if disclosed to a Covered Entity for treatment, payment, health care operations, insurance or HMO functions, or as authorized or required by law
Tip: Add website notice of electronic disclosure of PHI
Sale of PHI
§181.153: A Covered Entity generally cannot disclose PHI for direct or indirect remuneration
– Except to another Covered Entity for treatment, payment, health care operations, insurance or HMO functions, or as authorized or required by federal or state law
– Remuneration for disclosing PHI for the purpose of performing an insurance or HMO function described by Insurance Code §602.053 cannot exceed the reasonable cost of preparing or transmitting the PHI
– No remuneration cap otherwise
§181.152 generally requires clear, unambiguous consent to use or disclose PHI for marketing
Audits
§181.206 authorizes Texas authorities to monitor HIPAA compliance
– Can ask U.S. HHS to audit HIPAA Covered Entities in Texas
– Must monitor and review the results of all U.S. HHS audits of HIPAA Covered Entities in Texas
If Texas MPA violations are egregious and constitute a pattern or practice, §181.206 authorizes Texas HHS to:
– Require the Covered Entity to submit results of any risk analysis required by 45 C.F.R. §164.308(a)(1)(ii)(A)
– Ask the Texas agency that licenses the Covered Entity to conduct an audit to determine compliance with Texas MPA
Texas HHS must report the number of audits to the legislature annually
Increased Penalties
§181.201 authorizes Texas AG to institute court actions to impose civil penalties for Texas MPA violations
– Texas AG incentivized by ability to retain a portion of penalties
– Texas AG cannot institute an action against a Covered Entity licensed by Texas unless the licensing agency refers the violation to the Texas AG
Annual penalties up to:
– $5,000 per negligent violation
– $25,000 per knowing or intentional violation
– $250,000 per knowing or intentional violation if PHI is used for financial gain
Those penalties are capped at $250,000 annually if all of the following apply:
– For disclosure of electronic PHI in violation of §181.154
– Made only to a Covered Entity
– Made only for a purpose permitted by §181.154(c)
– A court finds any of the following:
  The PHI was encrypted
  The recipient did not use or release the PHI
  At the time the PHI was disclosed, the Covered Entity had security procedures, including PHI training for employees
Increased Penalties (cont.)
§181.201 authorizes a court to assess a civil penalty of up to $1.5 million annually for violations that constitute a pattern or practice
– Formerly capped at $250,000
Court must consider in determining the amount of penalties:
– the seriousness of the violation
– whether the violation poses a significant risk of financial, reputational or other harm to an individual whose PHI is involved
– whether the Covered Entity was certified by the Texas Health Services Authority for compliance with electronic PHI sharing standards
– deterrence
– compliance history
– efforts to correct the violation
– good faith compliance efforts
Federal and Texas penalties both may apply
Injunctions, administrative penalties, license actions, and Texas program bans may also apply
Key Recommendations
A business may benefit from:
– Written policies to protect Sensitive Personal Information and Protected Health Information
– Written procedures to protect SPI and PHI
– Written procedures for data breach response
– Annual privacy risk and data breach insurance coverage analysis
– Monitoring and auditing privacy and data security procedures
– Recurring privacy law training for employees and contractors
– Revising HIPAA Business Associate Agreements to cover state laws
– Revising written privacy policies to reflect amended state laws
– Updating privacy notices
– Encrypting SPI and PHI while at rest and in motion
Questions