Workplace Privacy, Data Management & Security Report : Privacy Lawyers & Attorneys : Jackson Lewis Law Firm : Data Security, HIPAA & Confidentiality Issues

As more companies move to the cloud, regulatory compliance remains a critical issue. For cloud service providers to the healthcare industry, it looks like the requirement to comply with the HIPAA privacy and security rules as business associates will be confirmed when long-awaited final regulations are issued, based on a report by Marianne Kolbasuk McGee with Healthcare Information Security. According to Ms. McGee's report, Joy Pritts, chief privacy officer in the Office of the National Coordinator for Health IT, a unit of the Department of Health and Human Services, addressed this issue during a Jan. 7 panel discussion on cloud computing hosted by Patient Privacy Rights.

Cloud service providers would prefer to take the position that they are conduits to protected health information, and therefore not business associates, similar to the US Postal Service, and certain private couriers and their electronic equivalents. See HIPAA FAQ.  A conduit transports information but does not access it other than on a random or infrequent basis as necessary for the performance of the transportation service or as required by law. However, HHS has already noted that "a software company that hosts the software containing patient information on its own server or accesses patient information when troubleshooting the software function, is a business associate of a covered entity." See HIPAA FAQ. 

According to Ms. Pritts' remarks in the report cited above, it appears that the modifications made to HIPAA under the Health Information Technology for Economic and Clinical Health (the HITECH Act), along with anticipated regulatory guidance, will remove any doubt that cloud service providers servicing HIPAA covered entities are "business associates." This would require, among other things, that covered entities enter into business associate agreements with their cloud providers, and that standard confidentiality clauses likely will be insufficient. Of course, covered entities, practitioners and others are looking forward to these long awaited regulations to help clarify this and other issues.

• Email This
• Print
• Comments
• Trackbacks

Today the White House issued a Cybersecurity Legislative Proposal. The proposed legislation focuses on protecting the American people, the nation’s critical infrastructure, and the federal government's computers and networks.  While legislation of this nature would simplify the breach reporting process for businesses, and overall streamline cybersecurity laws, a number of legislative attempts to do this have previously failed.  It is important to note that while this proposal sets forth some guidelines, the specific details of how each provision would be instituted are not yet clear

Our critical infrastructure – such as the electricity grid, financial sector, and transportation networks that sustain our way of life – have suffered repeated cyber intrusion, and cyber crime has increased dramatically over the law decade. The President has thus made cybersecurity an Administration priority. 

1.  To protect the American people, the proposed legislation calls for a national data breach reporting law which would simplify and standardize the existing patchwork of 47 state laws that contain these requirements. Additionally, the proposal calls for penalties for computer criminals and clarifies the penalties for computer crimes, synchronizes them with other crimes, and sets mandatory minimums for cyber intrusions into critical infrastructure.
2. To protect our nation’s critical infrastructure the proposal calls on legislative changes to fully protect this infrastructure. Specifically, proposal will enable the Department of Homeland Security (DHS) to quickly help a private-sector company, state, or local government when that organization asks for its help. It also clarifies the type of assistance that DHS can provide to the requesting organization.

Additionally, the proposal permits businesses, states, and local governments to share information about cyber threats or incidents with DHS. To fully address these entities’ concerns, it also provides them with immunity when sharing cybersecurity information with DHS. At the same time, the proposal mandates robust privacy oversight to ensure that the voluntarily shared information does not impinge on individual privacy and civil liberties.

Further, the proposal emphasizes transparency to help market forces ensure that critical-infrastructure operators are accountable for their cybersecurity.

Finally, the proposal requires DHS to work with industry to identify the core critical-infrastructure operators and to prioritize the most important cyber threats and vulnerabilities for those operators. Critical infrastructure operators would then take steps to address cyber threats, develop risk mitigation plans, and permit DHS to modify the processes which are implemented if they are insufficient. 

3.  To protect federal government computers and networks the legislative proposal includes: an update to the Federal Information Security Management Act (FISMA) as well as formalizing DHS’ current role in managing cybersecurity for the Federal Government’s civilian computers and networks, in order to provide departments and agencies with a shared source of expertise; giving DHS more flexibility in hiring highly-qualified cybersecurity professionals; the permanency of DHS’s authority to oversee intrusion prevention systems for all Federal Executive Branch civilian computers while codifying strong privacy and civil liberties protections, congressional reporting requirements, and an annual certification process; and preventions on states requiring companies to build their data centers in that state, as opposed to in the cloud, except where expressly authorized by federal law.

The Administration’s proposal also attempts to ensure the protection of individuals’ privacy and civil liberties through a framework designed expressly to address the challenges of cybersecurity. Some of these provisions include: requiring federal agencies (and likely federal contractors) to follow privacy and civil liberties procedures; limitations on monitoring, collecting, using, retaining, and sharing of information; requiring efforts to remove identifying information unrelated to cybersecurity threats; as well as immunity provisions for those business which comply with the proposal’s requirements.  

As the proposal concludes: 

Our Nation is at risk… [t]he Administration has responded to Congress’ call for input on the cybersecurity legislation that our Nation needs, and we look forward to engaging with Congress as they move forward on this issue.

• Email This
• Print
• Comments
• Trackbacks

Over the past few months, many businesses, particularly in the Northeast Region, have been focusing on creating a written information security program (WISP) to comply with Massachusetts identity theft regulations that went into effect March 1, 2010. For many, this has been a significant effort, reaching most, if not all, parts of their organizations. However, it is important to remember that although Massachusetts may be the state with the most comprehensive set of rules for securing personal data, other states have enacted similar protections, and compliance with Massachusetts does NOT necessarily mean compliance with other states.

Consider the following examples:

California. The Civil Code in California states a business that owns or licenses personal information about a California resident must:

implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.

For purposes of this requirement, “personal information" means:

an individual's first name or first initial and his or her last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:
(A) Social security number.
(B) Driver's license number or California identification card number.
(C) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.
(D) Medical information.

Similar pretections for medical information exist in Arkansas, but that information is not covered by the rules in Massachusetts. Illinois requires safeguards for certain biometric information, a classification of data also not covered by the Massachusetts regulations.

Oregon. Oregon’s Consumer Identity Theft Protection Act lays out safeguards similar to those in Massachusetts, with some relief for small businesses (those manufacturing businesses with 200 employees or fewer and all other forms of business having 50 employees or fewer). Key is the requirement to implement an “information security program” that contains administrative, technical and physical safeguards.

Administrative safeguards include, for example: 

1. designating one or more employees to coordinate the program;
2. identifying reasonably foreseeable internal and external risks;
3. assessing the sufficiency of data safeguards;
4. training employees in the program’s practices and procedures;
5. limiting outside service providers to those maintaining adequate data security safeguards; and
6. adjusting the program according to business changes or new circumstances.

In New Jersey, regulations are pending that would create similar obligations.

Connecticut. Without specifying the kinds of safeguards, Connecticut requires any person in possession of personal information of another person to:

safeguard the data, computer files and documents containing the information from misuse by third parties, and [ ] destroy, erase or make unreadable such data, computer files and documents prior to disposal.

For purposes of this law, “personal information” includes:

information capable of being associated with a particular individual through one or more identifiers, including, but not limited to, a Social Security number, a driver's license number, a state identification card number, an account number, a credit or debit card number, a passport number, an alien registration number or a health insurance identification number.

Similar requirements were enacted in other states, including Arkansas, North Carolina, Rhode Island, Texas, and Utah. But note the definition in Connecticut goes beyond the elements of data protected under the Massachusetts regulations.

Service contracts. Some states go a step further, requiring certain provisions be included in contracts between entities and their service providers when the contracts involve the disclosure of a state resident’s personal information from the owner of the information to the service provider. For example, such contracts in Nevada and Maryland must include a provision requiring the person to whom the information is disclosed to implement safeguards to protect that information.

The emergence of state mandates fueled by the continued rapid advancement and increased use of technology suggest a trend that is sure to become a fact of life for businesses operating anywhere in the U.S. Whether the technology is “cloud computing” or “peer-to-peer” software, businesses need to take appropriate steps to protect personal information maintained throughout their organizations.

• Email This
• Print
• Comments (3)
• Trackbacks

Last month, we briefly discussed "cloud computing," along with some issues that should be considered when deciding whether to adopt this new technology. Our post focused on data privacy and security issues.

As reported by Kim Hart, of The Hill's Technology Blog, a December 9, 2009, Federal Communications Commission filing states that the Federal Trade Commission is in the process of investigating "cloud computing" to address some of the same concerns noted in the post referenced above - privacy and security concerns.

Companies operating in the cloud, or thinking of moving in that direction, ought to be on the lookout for regulation or guidance that could come from the FTC's investigation.

• Email This
• Print
• Comments
• Trackbacks

“Cloud computing” takes many forms, but, fundamentally, it is a computer network system that allows consumers, businesses, and other entities to store data off-site and manage it with third-party-owned software accessed through the Internet. Files and software are stored centrally on a network to which end users can connect to access their files using computers that are less powerful and sophisticated than those we use today.  This technology reduces the need for expensive multiple servers and PCs with enough capacity to store massive data and application files. Some believe the PC of the future will need simply the capacity to connect to a web browser for the user to access his or her applications and files.

For more information on how cloud computing works, click here. For information on the FTC investigation of cloud computing, click here.

If you are not already computing in a cloud, you likely will be hearing more about “cloud computing” soon. Last month, for example, the City Council for the City of Los Angeles voted to move city employee e-mail and other applications from city computer networks to a cloud service provider – in this case, Google Inc. City officials cite significant cost savings (which they estimate to be in the millions) as one of the reasons for the switch. They acknowledged that concerns over data privacy, security and management remain.

We’ll agree that significant cost savings can be achieved through, among other things, reduced infrastructure. Questions and concerns many have with cloud computing, however, relate to the privacy, security and management of the information in the cloud. These include:

• What if the cloud starts to rain – a cloud computing data breach – who is responsible for notifying affected persons (and bearing the costs)?
• Which company owns the data placed in the cloud?
• If the data in the cloud is employee e-mail, is the employer still permitted to access and monitor email communications? Will new policies/notices be needed?
• Will company proprietary information be safe?
• Who has access to the data? Who should have access?
• Is the cloud service provider a business associate under HIPAA, prepared to comply with the HITECH Act? What other legal compliance requirements are there?
• Do we still need to maintain a back-up of data in the cloud?
• Where is the data stored? Is it in the United States, or in a foreign country subject to different data security standards? Does one location as opposed to another provide better access or security? What if data is stored in multiple places, will we be able to locate what we need when we need it?
• How big is the cloud? How much can we store?
• What if the cloud goes down? How do we get our data and access the applications needed to run our business?
• How do we move between clouds? Can our data be held captive when contract negotiations fall through?
• Can we put our clients’ data in the cloud? Do we have to tell them where it is?
• What happens to the data if the cloud service provider or the cloud customer goes out of business?
• Will applications in the cloud work the same way, be as flexible, and respond with the same speed as those on current PCs?

Organizations such as the Cloud Security Alliance have been formed to grapple with some of these issues. Indeed, the City of Los Angeles has had to respond to some of these concerns. So, while cloud computing may yield substantial cost savings and appear tempting, these and other questions and concerns should be addressed before moving in that direction.

• Email This
• Print
• Comments
• Trackbacks