Joining six other states, California will impose significant restrictions on an employer’s ability to obtain a credit report for employment purposes. The law becomes effective January 1, 2012.

California Assembly Bill 22, signed by Governor Jerry Brown, generally permits employers who are seeking to fill only specific, identified “exempt” positions to obtain and use credit reports to screen applicants and/or current employees. The use of the credit reports in other occupations generally is prohibited. Further, employers will be required to provide the employee or applicant with a disclosure statement setting forth the specific basis permitting the employer to obtain a credit report. 



The Health Information Technology for Economic and Clinical Health Act (“HITECH”) made a number of changes for HIPAA covered entities and business associates. One key change stems from Section 13411 of HITECH, which gives the Secretary of the Department of Health and Human Services authority to conduct “periodic audits to ensure that covered entities and business associates” comply with the privacy and security mandates under HIPAA. Susan McAndrew, the Deputy Director for Health Information Privacy at the Office for Civil Rights (“OCR”), has been speaking out about the nature, scope and timing of these audits, which are expected to begin in February 2012. A summary of reports about the audit program follows below.

Covered entities and business associates need to be prepared and take stock of their HIPAA compliance. One hundred percent compliance can be an elusive goal, particularly in a short time frame. So, perhaps a more efficient way to prepare for the coming wave of audits is to look, at a minimum, for the low-hanging fruit, such as: (i) having clear, written policies and procedures on topics such as access management, breach notification, sanctions for workforce members who violate the policies, passwords, managing portable data storage devices, distributing notices of privacy practices, and similar items; (ii) conducting and documenting training of workforce members; and (iii) ensuring appropriate agreements are in place with business associates and subcontractors. Auditors will ask for documentation, so a policy that exists but is not written down, or training that was delivered but not recorded, will do little to help.


The Minneapolis Star Tribune reports that a laptop computer containing private information on about 14,000 patients of Fairview Health Services and 2,800 patients of North Memorial Medical Center was stolen from a locked car in the parking lot of a Minneapolis restaurant in July of 2011. The incident is just one more in a series of recent data breaches around the country, often involving laptops. As we have described previously, the U.S. Department of Health and Human Services has noted that these types of breaches are increasing in the midst of a massive transition to electronic medical records by health care providers around the country. Both Fairview and North Memorial are sending letters to the affected patients offering free services to protect against identity theft.

The laptop in question belonged to an employee of an outside health care consultant. The computer was password-protected, but the data was not encrypted. The distinction matters: a login password does nothing to protect data on a drive that is removed or booted from other media, so unencrypted patient data on a stolen laptop is “unsecured” protected health information and triggers the HITECH breach notification requirements, whereas properly encrypted data would not. Officials contacted for the story stated that, although it is unusual for consultants to keep large amounts of patient data on their laptops, in this case it was justified. Others disagree. Jeff Neuberger of Mid Dakota Clinic in Fargo, North Dakota stated that when an outside contractor needs access to patient information he should be brought on-site and provided temporary, restricted access to the company’s computer system. Either way, it is critically important from a HIPAA and state law compliance standpoint that, when dealing with vendors, the appropriate business associate agreement or other form of confidentiality agreement be in place.

Fairview disclosed another breach of patient data back in April when it lost a box of paper records containing information on 1,200 patients. The box was never recovered, which goes to show that data breaches can still occur the old-fashioned way.


In November 2010, the Department of Health and Human Services established the Department-wide Text4Health Task Force to, among other things, identify ongoing initiatives and proposals for feasible new projects that would deliver health information and resources to users’ fingertips via their mobile phones. The Task Force announced recommendations on September 19 to support health text messaging and mobile health programs, which include addressing the privacy and security concerns inherent in texting.

The Task Force acknowledged in its recommendations some critical facts driving the need for guidance in this area:

  • Approximately 2.2 trillion text messages were sent in the U.S. in 2010.
  • Text messaging is particularly prevalent among teenagers, with nearly 90% of teenagers who have cell phones reporting that they use text messaging.
  • A growing body of empirical studies suggests that the use of mobile phone text messaging can be effective in improving health behaviors and health outcomes.

The recommendations note that text messaging programs may be subject to numerous privacy and security laws, including the privacy and security regulations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Additional guidance in this area would be welcome, as many health care providers look to use developing technologies, including texting, to deliver their services.

The Internal Revenue Service has updated its Disclosure Litigation and Reference Book, last revised in April 2000. The 2011 Disclosure & Privacy Law Reference Guide covers the primary disclosure laws that affect the IRS, including IRC §§ 6103 and 6110, the Freedom of Information Act (FOIA), the Privacy Act of 1974, related statutes, and testimony authorization procedures. Guidance on legal matters concerning these disclosure laws is provided by the Office of the Assistant Chief Counsel (Disclosure & Privacy Law). Of course, the IRS is careful to note that its Guide cites “unpublished” cases, which generally should not be cited as authority except under “severely limited circumstances.” It also states in the Guide that the result in any case will depend on the applicable facts and that the Guide may not be used or cited as authority for setting or sustaining a legal position. Nonetheless, the Guide appears to be a good resource on these issues.


The Office for Civil Rights of the U.S. Department of Health and Human Services (“HHS”) has published its first round of annual reports to Congress under the HITECH (Health Information Technology for Economic and Clinical Health) Act of 2009. The first report concerns HHS’s HIPAA (Health Insurance Portability and Accountability Act of 1996) enforcement activity for 2009 and 2010, and the second report focuses on data breaches reported for 2009 and 2010.

The HITECH Act contains multiple breach notification requirements for HIPAA-covered entities and their business associates. The requirements apply only to “unsecured” protected health information; information that has been rendered unusable, unreadable or indecipherable to unauthorized persons (by encryption or destruction meeting HHS guidance) is outside them, so a breach of such information requires no notification. Covered entities must notify affected individuals of any breach of unsecured protected health information without unreasonable delay and in no case later than 60 days following discovery of the breach, and must also notify the Secretary of HHS. For breaches involving more than 500 residents of a state or jurisdiction, a covered entity must also notify the media in addition to the individuals and the Secretary of HHS. Business associates of covered entities under HIPAA must notify the covered entity of any breach of unsecured protected health information so the covered entity can notify affected individuals.

As reported by HHS, between September 23, 2009 and December 31, 2010, the HHS Office for Civil Rights received 252 reports of breaches affecting 500 individuals or more (45 in 2009 and 207 in 2010), resulting in notification of 7.8 million affected individuals.

The general causes of breaches of unsecured protected health information included, first and foremost, theft. 27 of the 45 large 2009 incidents involved theft, and 17 of those incidents occurred on the premises of a covered entity or its business associates. Likewise, 99 of the 207 incidents in 2010 involved theft, primarily of electronic or paper records, affecting some 2,979,121 people. Types of theft noted by HHS included theft of back-up tapes transported by a vendor of a medical facility, of laptops or desktop computers at covered entity sites, and of smart phones or flash drives. Other causes of breaches generally involved loss of electronic media or paper records containing protected health information, unauthorized access to, use of or disclosure of protected health information, human error, and improper disposal. Notably, portable electronic devices account for a large share of the lost electronic media.

With respect to complaints and compliance with HIPAA’s Privacy Rule, HHS reports that from April 14, 2003, the date HIPAA-covered entities were to comply with the Privacy Rule, through December 31, 2010, it received 57,375 complaints and resolved 91% of them. Through the same time period, HHS investigated 19,161 complaints, achieved corrective action in 66% of them and found no violation in 34%.

HHS further reports that between April 20, 2005, and December 31, 2010, it investigated 289 complaints of the 803 it received related to HIPAA’s Security Rule, resolving 77% of them and finding no violation in 48%. 

The compliance issues related to the Privacy Rule most investigated included impermissible uses and disclosures of protected health information, lack of safeguards, and denial of individual access. HHS Security Rule investigations focused on covered entities’ failures to demonstrate adequate policies and procedures for responding to and reporting security incidents, security training, access controls and workstation security.

The two HHS reports to Congress show a marked improvement in compliance with HIPAA’s Privacy Rule. However, the reports also highlight a continuing vulnerability for covered entities that rely on electronic devices and employee accountability for elements of their privacy and security compliance programs under HIPAA (as we have touched on in previous posts). As noted by HHS, remedial actions for violations include revising policies and procedures; improving physical security; training or retraining workforce members; adopting encryption technologies; changing passwords; performing new risk assessments; and revising business associate agreements to specify required confidentiality protections. The HHS reports remind covered entities and their business associates to review and place appropriate limits on employee access to protected health information and incorporate HHS’s remedial measures into their best practices.

Connecticut Attorney General George Jepsen announced on September 14, 2011, the creation of a Privacy Task Force to help educate the public about data protection requirements and to focus his Office’s response to Internet privacy concerns and data breaches that affect consumers. According to Attorney General Jepsen’s press release, “Internet and data privacy have been among the biggest issues affecting the broad public interest during my first eight months in office” and nearly a dozen investigations have been initiated or pursued regarding security breaches that resulted in the loss of medical and insurance records or personal customer information.

Like nearly all states across the country, Connecticut has a data breach notification law. The State’s Insurance Commissioner has also adopted rules concerning data breach notification requirements for its licensees. Among other laws, the Nutmeg State has also enacted specific protections for Social Security Numbers, employment applications, and personal information, which it defines as:

information capable of being associated with a particular individual through one or more identifiers, including, but not limited to, a Social Security number, a driver’s license number, a state identification card number, an account number, a credit or debit card number, a passport number, an alien registration number or a health insurance identification number.  

The Task Force will be responsible for all investigations of consumer privacy breaches, which we are assuming will apply to breaches of any personal information for which notification is required, including patients and employees. The Task Force will also help to educate the public and business community about their responsibilities, which include protecting personally sensitive data and promptly notifying affected individuals when breaches do occur.

The Task Force is clearly a sign of increased attention to and enforcement of the state’s data security and consumer protection mandates. Connecticut businesses, and businesses maintaining personal information of Connecticut residents, should revisit their information security programs and data breach response plans to ensure they could withstand the scrutiny of an inquiry by the Attorney General’s office.

In a novel approach to data breach notification requirements, Texas has amended its breach notification law (Business & Commerce Code, Section 521.053) to require notification not only to residents of Texas, but to residents of each of the 50 states. The amendment becomes effective September 1, 2012, and applies to “all persons who conduct business in the state,” without further defining what “conducting business” entails.

The law was amended to require notification of a breach of system security to any individual whose sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person. A review of the amendment reflects the legislature’s intent to expand the notification requirement through its deletion of the words “resident of this state” from the prior data breach notification law.

This law has obvious far-reaching import for residents of the four states which do not currently have data breach notification laws (Alabama, Kentucky, New Mexico, and South Dakota). Under Texas’ law, residents of these states whose personal information is owned, licensed or maintained by a business/employer subject to Texas law would now receive notification of a breach of their personal information.

Additionally, Texas’ breach notification law does not include a “risk of harm” trigger. A number of state data breach notification laws require notification only where illegal use of the breached personal information has occurred, or is reasonably likely to occur, and creates a risk of harm to a person. Under Texas’ law, by contrast, notification is triggered by unauthorized acquisition alone, without regard to the risk of harm. While Texas’ amended law appears to include some limiting language on its application to states that have their own breach notification laws, as worded, it is unclear whether this would cover states whose risk of harm trigger would not require notification. Accordingly, for those entities which conduct business in Texas, notification of those affected may be required even if the individual’s home state would not have required notice for a low-risk breach.

The amendment also adds civil penalties for any person who fails to take reasonable actions to comply with the notification requirements. These penalties accrue per individual who is not notified and per consecutive day that notification is not provided, up to a maximum of $250,000 for a single breach. Additionally, the amendment makes a violation a misdemeanor, unless the breached information is protected by HIPAA, which elevates the violation to a felony.

Companies, especially those that maintain vast amounts of personal information on persons in multiple states, must be aware of the various state laws which potentially impact their business and of amendments like those highlighted above. See also the recent amendments to the breach notification statutes in California and Illinois.

As we suspected, California’s current governor, Edmund G. “Jerry” Brown, Jr. (D), signed into law S.B. 24, which adds some additional protections to the state’s current data breach notification requirements. The champion of this law and its recent enhancements, State Sen. Joe Simitian (D-Palo Alto), has finally succeeded after a number of prior attempts to pass this measure were vetoed by then-Gov. Arnold Schwarzenegger (R).

Summary of Changes

Under S.B. 24, breaches occurring on and after January 1, 2012, that require notification to California residents will have to meet the following additional requirements:

  • The notifications themselves will need to satisfy specific content requirements, such as a description of the type of information breached, the date or estimated date of the breach, and the toll-free telephone numbers and addresses of the major credit reporting agencies;
  • If more than 500 California residents are affected by a single breach, an electronic copy of the breach notification must be sent to the California Attorney General;
  • If the law’s “substitute notice” provisions are used, notice also must be provided to the Office of Information Security or the Office of Privacy Protection. Substitute notice is permitted when the person or business required to provide the notice demonstrates that (I)(i) the cost of providing notice would exceed two hundred fifty thousand dollars ($250,000), or (ii) the affected class of subject persons to be notified exceeds 500,000, or (II) the person or business does not have sufficient contact information. Prior to the change, substitute notice consisted only of email notification, conspicuous posting of the notice on the person or business’ website, and notification to statewide media.

Companies responding to multi-state breaches face significant challenges trying to harmonize the various state law requirements. See, for example, the recent changes to the Illinois statute. A number of bills presently being considered in Congress would preempt all of the state laws in this area; however, passage of one of these bills does not appear to be imminent. As data breaches go global, similar concerns arise as other countries enact their own breach notification mandates.