
Texas Privacy Laws - Tough New Changes

Jun 08, 2015


Jim Brashear

Overview of principal Texas privacy laws and amendments that became effective September 1, 2012. Some say the new Texas law is tougher than federal HIPAA laws.
Transcript
Page 1: Texas Privacy Laws - Tough New Changes

Texas Privacy Laws

Tough New Changes

Page 2: Texas Privacy Laws - Tough New Changes

Speaker

Jim Brashear is a member of the Bar of the United States Supreme Court, the California Bar Association and the State Bar of Texas. He frequently appears as a public speaker on corporate governance, data security and information technology legal topics.

He currently serves the Association of Corporate Counsel on its Information Technology, Privacy & Electronic Commerce Committee as Programs Co-Chair and Cloud/SaaS Co-Chair.

He received a Juris Doctorate degree, magna cum laude, from the University of San Diego School of Law, and a Bachelor of Arts degree in political science from the University of California at San Diego.

James F. Brashear, General Counsel, Zix Corporation

Twitter @jfbrashear

This program is for educational purposes only. The content does not constitute legal advice. No attorney-client relationship is created by your participation.

Page 3: Texas Privacy Laws - Tough New Changes

Overview

Texas recently amended privacy laws protecting:
– Protected Health Information (PHI)
– Sensitive Personal Information (SPI)

A business may be simultaneously subject to:
– Texas Identity Theft Enforcement and Protection Act
– Texas Medical Records Privacy Act
– HIPAA and HITECH

New amendments:
– Broaden scope of Texas privacy laws
– Add new requirements
– Impose new penalties

New medical privacy laws are stricter than HIPAA

Page 4: Texas Privacy Laws - Tough New Changes

Two Principal Texas Privacy Statutes

Medical Records Privacy Act

Identity Theft Enforcement and Protection Act

Page 5: Texas Privacy Laws - Tough New Changes

Identity Theft Enforcement and Protection Act

Business and Commerce Code Chapter 521
http://www.statutes.legis.state.tx.us/Docs/BC/htm/BC.521.htm

Amended by H.B. No. 300 effective September 1, 2012
http://www.capitol.state.tx.us/tlodocs/82R/billtext/pdf/HB00300F.pdf

Page 6: Texas Privacy Laws - Tough New Changes

Broad Scope

– Applies to virtually all businesses operating in Texas
– Includes most healthcare businesses
– Specifically includes nonprofit athletic or sports associations
– Excludes financial institutions under Gramm-Leach-Bliley Act

Focus: It is not clear how the Act will be applied to:
• SPI stored outside Texas
• Non-Texas business SPI stored in Texas
• Non-Texas business SPI of Texas residents

Page 7: Texas Privacy Laws - Tough New Changes

Duty to Protect Sensitive Personal Information

Business and Commerce Code §521.052

Business must use reasonable procedures to protect from unlawful use or disclosure any sensitive personal information collected or maintained in its regular course of business

Focus: In contrast to Massachusetts 201 CMR 17.01, Texas does not mandate encryption – but Texas does:
• exclude some encrypted data completely
• exclude encrypted data from data breach notice rules
• mitigate penalties if data was encrypted

Page 8: Texas Privacy Laws - Tough New Changes

Sensitive Personal Information

§521.002(a)(2) defines two types of SPI:

1. Personal identifying information

An individual's first name or first initial
+ their last name
+ any of the following:
– social security number
– driver's license number
– government-issued identification number, or
– account number or credit or debit card number plus any financial account security code, access code, or password

Encryption exclusion for this type
– If the name and the listed items are encrypted, then they are not treated as SPI at all

Tip: Encrypt all sensitive data, at rest and in motion

Page 9: Texas Privacy Laws - Tough New Changes

Sensitive Personal Information

§521.002(a)(2) defines two types of SPI:

2. Medical identifying information

Information that identifies an individual and relates to their:
– physical or mental health or condition
– provision of health care, or
– payment for provision of health care

No encryption exclusion for this type . . . Treated as SPI even if encrypted

. . . but there is an encryption safe harbor from data breach notification
– Consistent with HIPAA

Tip: Encrypt all sensitive data, at rest and in motion

Page 10: Texas Privacy Laws - Tough New Changes

Data Breach from Unauthorized Acquisition

§521.053(a) defines Breach of System Security
– Unauthorized acquisition of computerized data that compromises SPI security, confidentiality or integrity

Safe harbor for encrypted data
– No data breach results from unauthorized acquisition of encrypted data unless the decryption key was also acquired
– No notification required

Focus: The statute does not require a business to monitor its systems to detect a data breach

Tip: Encrypt all sensitive data, at rest and in motion

Page 11: Texas Privacy Laws - Tough New Changes

Data Breach from Authorized Access

Data breach can result from unauthorized use or disclosure of SPI by employee or agent
– Even if their acquisition was authorized and in good faith
– Even if their use or disclosure was not unlawful

Safe harbor for encrypted data applies here, too

Focus: Recent court decisions held that unauthorized use or disclosure of data by employees or agents did not violate the Computer Fraud and Abuse Act where their access to the data was authorized

Page 12: Texas Privacy Laws - Tough New Changes

Long Arm Duty to Notify

Must disclose data breach to any individual whose SPI is reasonably believed to have been acquired
– Act formerly required notice to Texas residents only

Deference to other states’ laws
– Texas law is satisfied by notice provided under the data breach law of states where affected individuals reside
– Texas law mandates a notice when the data breach laws of those other states do not

Focus: Contrast MA privacy law 201 CMR 17.00, which applies to data of MA residents no matter where it is held


Page 13: Texas Privacy Laws - Tough New Changes

Timing of Notification

Must disclose data breach as quickly as possible

Two permitted reasons for delay:
1. As necessary to determine the scope of the breach and restore the reasonable integrity of the data system
2. At the request of a law enforcement agency
– Only if that agency determined notification will impede a criminal investigation
– Must provide notice as soon as that agency later determines notification will not compromise the investigation

Focus: It is not clear how "impede" differs from "compromise"

Focus: It is not clear how a business is expected to know if or when the agency makes its determinations

Page 14: Texas Privacy Laws - Tough New Changes

Form of Notification

Business may notify affected individuals by:
– written notice, or
– electronic notice

Three exceptions:

1. If the business can demonstrate any of:
– cost > $250,000
– number of affected persons > 500,000
– insufficient contact information
then it may give notice by any of:
– email
– conspicuous posting on the business’ website
– notice via major statewide media

Page 15: Texas Privacy Laws - Tough New Changes

Form of Notification

Business may notify affected individuals by:
– written notice, or
– electronic notice

Three exceptions:

2. If the business:
– maintains its own SPI security policy notification procedures, and
– its procedures meet the statute’s notice timing requirements,
then notice under that policy satisfies the statute

Tip: Maintain a SPI security policy with notification procedures consistent with Texas data breach notice law

Page 16: Texas Privacy Laws - Tough New Changes

Form of Notification

Business may notify affected individuals by:
– written notice, or
– electronic notice

Three exceptions:

3. If the business:
– is required by the Act to notify > 10,000 persons at one time,
then the business must without unreasonable delay also
– notify each nationwide consumer reporting agency of the:
• notice timing
• notice distribution
• notice content

Page 17: Texas Privacy Laws - Tough New Changes

Duty to Destroy Sensitive Personal Information

Must destroy or arrange for destruction of customer records containing SPI which are not going to be retained

Destruction methods:
– Shred
– Erase
– Make SPI unreadable or indecipherable (e.g., encryption)

Page 18: Texas Privacy Laws - Tough New Changes

Penalties

§521.151 civil penalties and injunctions
– Restraining order for conduct that violates the Act
– $2,000 to $50,000 per violation
– $100 per individual for each consecutive day of unreasonable delay in providing notice of a data breach
– Capped at $250,000 per data breach


Page 19: Texas Privacy Laws - Tough New Changes

Two Principal Texas Privacy Statutes

Medical Records Privacy Act

Identity Theft Enforcement and Protection Act

Page 20: Texas Privacy Laws - Tough New Changes

Texas Medical Records Privacy Act

Health & Safety Code Chapter 181
http://www.statutes.legis.state.tx.us/Docs/HS/htm/HS.181.htm

Amended by H.B. No. 300 effective September 1, 2012
http://www.capitol.state.tx.us/tlodocs/82R/billtext/pdf/HB00300F.pdf

Page 21: Texas Privacy Laws - Tough New Changes

Both HIPAA and Texas MRA May Apply

§181.004 refers to applicability of Texas and federal law

Texas MRA refers to Covered Entity as defined in both . . .
– 45 C.F.R. §160.103: Must comply with HIPAA and its Privacy Standards
– Texas Health & Safety Code §181.001(b)(2): Must comply with Texas MRA*

A business might be a . . .
– Texas Covered Entity even if not a HIPAA Covered Entity
– Covered Entity under both laws

Tip: Consider standardizing compliance programs to meet the most restrictive applicable requirement

*Subject to the partial exemptions under §181.051


Page 22: Texas Privacy Laws - Tough New Changes

Covered Entity Broader Than HIPAA

§181.001(b)(2) expansively defines Covered Entity
– Generally includes persons who assemble, collect, analyze, use, evaluate, store, transmit, obtain or come into possession of PHI
– Includes their employees, agents, and contractors who create, receive, obtain, maintain, use or transmit PHI
– Includes a business associate, health care payer, governmental unit, information or computer management entity, school, health researcher, health care facility, clinic, health care provider, and person who maintains an Internet site

Unlike HIPAA, no exception for conduit entities that only transmit PHI
– E.g., couriers

Page 23: Texas Privacy Laws - Tough New Changes

Limited Exemptions

Subchapter B offers a few exemptions. For example:

§181.051 makes employers, and entities defined in the Insurance Code, subject only to Subchapter D (Prohibited Acts)

§181.052 exempts certain financial institution activities, such as payment processing

§181.054 exempts workers compensation activities

Page 24: Texas Privacy Laws - Tough New Changes

More Training Than HIPAA

§181.101 requires Covered Entity to provide and record employee training in PHI protection laws

Content
– Must cover federal and Texas laws concerning PHI
– Tailored for the Covered Entity’s business and the employee’s responsibilities

Timing
– New employee: Within 60 days after hire
– Existing employee: Not specified
– All employees: Recurring every two years
– HIPAA requires training within a reasonable amount of time after hire and when there are material changes in privacy policies

Record-keeping
– Must require employees attending training to sign (can be electronic or written) a statement verifying attendance
– Must maintain the signed statements (no time limit)


Tip: Combine with training on policies and procedures

Page 25: Texas Privacy Laws - Tough New Changes

EHR Access, Notice and Consent

§181.102: Must give patient an electronic copy of EHR within 15 business days of written request
– HIPAA allows 30 days

§181.154: Must notify individuals that PHI is subject to electronic disclosure
– Can be satisfied by posting in the place of business, on the website or in any other place those individuals are likely to see the notice

§181.154: Must get consent for each electronic disclosure of PHI
– Consent can be electronic or written
– Texas AG is to develop standard form
– Not required if disclosed to a Covered Entity for treatment, payment, health care operations, insurance or HMO functions, or as authorized or required by law


Tip: Add website notice of electronic disclosure of PHI

Page 26: Texas Privacy Laws - Tough New Changes

Sale of PHI

§181.153: Covered Entity generally cannot disclose PHI for direct or indirect remuneration
– Except to another Covered Entity for treatment, payment, health care operations, insurance or HMO functions, or as authorized or required by federal or state law
– Remuneration for disclosing PHI for the purpose of performing an insurance or HMO function described by Insurance Code §602.053 cannot exceed the reasonable cost of preparing or transmitting the PHI
– No remuneration cap otherwise

§181.152 generally requires clear, unambiguous consent to use or disclose PHI for marketing


Page 27: Texas Privacy Laws - Tough New Changes

Audits

§181.206 authorizes Texas authorities to monitor HIPAA compliance
– Can ask U.S. HHS to audit HIPAA Covered Entities in Texas
– Must monitor and review the results of all U.S. HHS audits of HIPAA covered entities in Texas

If Texas MPA violations are egregious and constitute a pattern or practice, §181.206 authorizes Texas HHS to:
– Require Covered Entity to submit results of any risk analysis required by 45 C.F.R. Section 164.308(a)(1)(ii)(A)
– Ask the Texas agency that licenses the Covered Entity to conduct an audit to determine compliance with Texas MPA


Texas HHS must report the number of audits to the legislature annually

Page 28: Texas Privacy Laws - Tough New Changes

Increased Penalties

§181.201 authorizes Texas AG to institute court actions to impose civil penalties for Texas MPA violations
– Texas AG incentivized by ability to retain a portion of penalties
– Texas AG cannot institute an action against a Covered Entity licensed by Texas unless the licensing agency refers the violation to the Texas AG

Annual penalties up to:
– $5,000 per negligent violation
– $25,000 per knowing or intentional violation
– $250,000 per knowing or intentional violation if PHI is used for financial gain

Those penalties are capped at $250,000 annually if all the following apply:
– For disclosure of electronic PHI in violation of §181.154
– Made only to a Covered Entity
– Made only for a purpose permitted by §181.154(c)
– A court finds any of the following:
• The PHI was encrypted
• The recipient did not use or release the PHI
• At the time the PHI was disclosed, the Covered Entity had security procedures, including PHI training for employees


Page 29: Texas Privacy Laws - Tough New Changes

Increased Penalties (cont.)

§181.201 authorizes court to assess civil penalty of up to $1.5 million annually for violations that constitute a pattern or practice
– Formerly capped at $250,000

Court must consider in determining the amount of penalties:
– the seriousness of the violation
– if the violation poses a significant risk of financial, reputational or other harm to an individual whose PHI is involved
– if Covered Entity was certified by Texas Health Services Authority for compliance with electronic PHI sharing standards
– deterrence
– compliance history
– efforts to correct the violation
– good faith compliance efforts

Federal and Texas penalties both may apply
– Injunctions, administrative penalties, license actions, and Texas program bans may also apply


Page 30: Texas Privacy Laws - Tough New Changes

Key Recommendations

A business may benefit from:
– Written policies to protect Sensitive Personal Information and Protected Health Information
– Written procedures to protect SPI and PHI
– Written procedures for data breach response
– Annual privacy risk and data breach insurance coverage analysis
– Monitoring and auditing privacy and data security procedures
– Recurring privacy law training for employees and contractors
– Revising HIPAA Business Associate Agreements to cover state laws
– Revising written privacy policies to reflect amended state laws
– Updating privacy notices
– Encrypting SPI and PHI while at rest and in motion

Page 31: Texas Privacy Laws - Tough New Changes


Questions