News reports of security risks, hackings and breaches caused by individuals, terror groups or even countries around the world certainly are important and can be unsettling. But, for many organizations, including healthcare providers and business associates, a significant and perhaps more immediate area of data risk rests with an organization’s workforce members. An organization’s information technology (IT) department can do a tremendous job securing the systems from outside intruders; however, focusing too heavily on external risks at the expense of internal risks can be problematic for any healthcare practice or healthcare industry vendor. Whether inadvertently or intentionally, employees are frequently the cause of improper uses or disclosures of patient data, putting the company at risk for a data breach, reputational harm, investigation by federal and state agencies, and litigation.

It is true that no system or set of safeguards is infallible; breaches are going to happen. However, here are some steps providers and business associates can take to reduce the risk that those breaches will be caused by members of the company’s workforce:

  • In-person Training. Many covered entities and business associates use on-line, “in-the-can” training products. These could be a valuable part of any training and awareness program, particularly for conveying general HIPAA privacy and security concepts. But there is no substitute for in-person training about the provider’s own policies as applied to the day-to-day circumstances of that practice or business. Employees need to ask questions and hear how policies interact with their particular job responsibilities to best understand some of the nuances in applying HIPAA and applicable state laws and privileges. The Texas Medical Records Privacy Act (the state’s “mini-HIPAA” law), for example, does not mandate in-person training, but it does require at Section 181.101 that training address “state and federal law concerning protected health information as necessary and appropriate for the employees to carry out the employees’ duties for the covered entity.” It is important to make training real, practical and regular. In many cases, it is the more senior employees, physicians and nurses, who could benefit most from such training.
  • Enhance Monitoring. All the training in the world will not protect an organization from an employee who is intent on taking information or improperly accessing information. For example, the employee might be trying to find out information about the diagnosis or drug use of a family member, or the employee may be in fear of losing his or her job and want to collect evidence for subsequent litigation. Other employees may want to steal patient/customer information for a new business, or commit medical identity theft, which is reported to be growing rapidly. Implemented carefully and responsibly, monitoring of systems activity can be an excellent tool for helping the organization to mitigate and in some cases stop data loss.
  • Manage Devices. The flood of new and more powerful devices carried by employees is a headache for any Privacy Officer. But some of the risks could be relieved through careful planning and policies. Consider the following: (i) should all devices be permitted; (ii) if so, what mobile device management solution, if any, should be used; (iii) which employees should be permitted to use devices at the workplace, and what should they be permitted to access; (iv) what happens to the device when the employee is terminated or purchases a new device; (v) do employees have to be reimbursed for the cost of the device or the data service; and (vi) are there any labor law considerations, whether or not the workforce is unionized.
  • Plan for a Breach. As noted above, breaches are going to happen, so plan and run drills. Even if on a single page, have a checklist for responding that addresses such things as – who should be involved in the response process, who will coordinate the investigation and ensure systems are secure, what vendors the organization can call upon (legal, forensic, etc.), insurance contacts and requirements, and who makes decisions on such things as whether to notify, who to notify, and what to say in the notice. Employees hear about these incidents, but many do not have a feel for what a breach is, how to report internally, the steps involved, and how quickly the organization must respond.
  • Assess Confidence in IT Staff. For many practices, it likely is easier to assess a surgeon’s competence than the competence of the practice’s IT director. Often the owners of a healthcare practice do not find this out until it is too late. The business should take steps to ensure it has the right team in this critical department. In some cases, it may need to have an outside vendor assess the performance of its internal team.

Could your healthcare practice or business become the target of an external attacker? Yes. Is it likely? Probably not as likely as an internal incident. The steps outlined above are not exhaustive, and do not promise HIPAA compliance. They are, however, sensible best practices to help avoid inadvertent and intentional activities inside the organization that can cause a data privacy or security incident.

The Federal Communications Commission (FCC) is continuing its efforts to clarify the Telephone Consumer Protection Act (TCPA) and its requirements.

To this end, the FCC is seeking comments by tomorrow, January 13, 2015, on eleven petitions seeking waiver of the FCC’s rule on opt-out notices on fax advertisements to recipients who have provided prior express invitation or permission. Specifically, the petitioners seek retroactive waiver of the opt-out notice requirement for fax ads which the petitioners assert were sent where prior express invitation or permission had been obtained from the recipient. The petitioners argue that good cause exists because they are similarly situated to parties who were previously granted retroactive waivers from this requirement by the FCC because of uncertainty about whether the opt-out notice applied to “solicited” faxes.

Under the TCPA, unsolicited faxed advertisements are prohibited unless the sender has an established business relationship with the recipient; the recipient voluntarily communicated his or her fax number directly to the sender or a directory; and the faxed ad also contains an opt-out notice.

While comments are due tomorrow, reply comments are due January 20, 2015.

About two years ago, President Obama signed an executive order on the date that he delivered his State of the Union address which directed certain federal agencies to develop voluntary standards for achieving cybersecurity. Preparing for his 2015 State of the Union address, Bloomberg and other news outlets are reporting this morning that President Obama will be proposing legislation, including the Personal Data Notification & Protection Act, designed to increase protections for personal data. This announcement comes in advance of the President’s visit to the Federal Trade Commission today, and apparently will be a topic during the coming State of the Union address later this month.

According to the reports, the President wants a national standard for data breach notification, one that requires notice to customers within 30 days of discovering the breach. Criminal sanctions also would be enacted for persons engaged in illegal trading of identities, the economic engine behind massive payment card breaches. The President’s proposal also would tighten protections for student data and consumer data pertaining to energy use. The President also will seek to enact into law provisions of the Consumer Privacy Bill of Rights that the White House issued in February 2012.

White House Press Release

Over the past 10 or so years, there have been many calls for broad-based data security measures at the federal level, including a national data breach notification standard. Many members of the House and Senate proposed a number of laws in this area. Those efforts have largely failed. Whether the President’s call for action following a year of massive data breaches will yield a different result remains to be seen, particularly as the Republican Party has a stronger grip on the legislative branch.

As we reported, state Attorneys General have authority to enforce the privacy and security regulations under the Health Insurance Portability and Accountability Act (HIPAA), pursuant to the authority granted under the Health Information Technology for Economic and Clinical Health (HITECH) Act. Shortly after announcing plans to seek legislation requiring stronger protections for personal and financial information, Indiana Attorney General Greg Zoeller reached a settlement with a dentist in his state, Joseph Beck, for improperly dumping patient records in violation of state law and HIPAA. The dentist agreed to pay $12,000 in fines.

According to news reports, over 60 boxes containing years of dental records pertaining to over 5,600 patients, and including very sensitive personal information, were found in a dumpster. Apparently, the dentist hired a third party vendor to dispose of the records; that vendor likely was a business associate under HIPAA and, if so, also subject to the HIPAA privacy and security rules.

For small medical or dental practices, as for other professional service businesses such as lawyers, accountants, and insurance brokers, data security can be both daunting and expensive if there is a breach. Like many businesses, small businesses rely on third party vendors to perform certain activities. When those activities involve personal information of the business’ customers, the business owner should be paying more attention. Ask the vendor what steps it has in place to protect information: does it have a written information security plan, is it licensed, does it have insurance in the event of a breach, does it train employees about data security, and, yes, how does it dispose of the records and data it is being asked to handle. In many states, businesses are required to have language in the service agreements with vendors about data security when the vendors are going to handle personal information. There is a similar provision under HIPAA for business associates.

It is troubling to see that sensitive records are still being found in dumpsters even after the many widely-publicized data breaches. But, as here, the owner of the records may not be able to avoid responsibility by shifting it to the vendor.

Complying with the Telephone Consumer Protection Act (TCPA) is a growing concern for employers and others. This is especially true given that suits under the TCPA have regularly resulted in damage awards of hundreds of thousands, if not millions, of dollars.

We have developed a comprehensive set of frequently asked questions concerning TCPA. If you are interested in learning more about the TCPA, and its impact on your business:

On December 19, 2014, the FCC published Chairman Thomas Wheeler’s response to Senator Bill Nelson’s (D-FL) letter regarding the FCC’s recent proposed $10 million fine against two telecom companies.

In the response, Chairman Wheeler reiterated the need for FCC action in this area and explained that consumers regularly entrust their most personal, confidential, and sensitive information to communication networks and service providers. The Chairman went on to state that the FCC has a responsibility to ensure that service providers and network operators are taking reasonable steps to “honor the public trust, and to protect consumers from harm caused by violations of the Communications Act.”

With some of the strongest language to date concerning the FCC’s role in this area, the Chairman said:

As the nation’s expert agency on communications networks, the Commission cannot – and will not – stand idly by when a service provider’s lax security practices expose the personal information of hundreds of thousands of the most vulnerable Americans to identity theft and fraud. I assure you that the Commission will exercise its full authority against companies that fail to meet their statutory requirements of safeguarding the personal information of consumers.

In light of the prior FCC action and the Chairman’s most recent statements, service providers and network operators must ensure their data security practices are up to date and they are appropriately safeguarding the personal information of consumers with which they are entrusted.

As we reported, there are a number of signs pointing to a significant tightening of regulation and increased enforcement of data security mandates. Following efforts in New Jersey, New York and Oregon, Indiana Attorney General Greg Zoeller announced his office is seeking legislation that would better protect the online personal and financial information of Indiana residents. Indiana State Sen. Jim Merritt plans to sponsor the legislation during the 2015 session of the Indiana General Assembly.

The Attorney General proposes a three-pronged approach to increasing security – (i) stricter requirements for the safe storage of sensitive data, (ii) reducing harm to consumers following a data breach, and (iii) increasing transparency of online privacy policies. In proposing stricter requirements for storing sensitive data, Attorney General Zoeller’s approach would include a requirement to delete and not retain the data beyond what is necessary for business purposes. Effective and efficient record retention and destruction policies and procedures present significant challenges for businesses, but as new laws like this emerge, companies will need to get better about keeping only what they need, and making sure what is deleted is really deleted. The proposal also includes requirements for businesses to share or sell information only when authorized by law or when consumers are informed in advance, and to inform consumers by conspicuous notice when data must be collected and how long it will be stored.

The Hoosier state already has a data breach notification law; however, the Attorney General wants to make notice under the law more timely and informative. Additionally, his proposal would extend the notification mandate to breaches of paper and handwritten records. Like the breach notification laws in many other states, the Indiana law currently applies only to electronically generated or computerized records.

If the third item in the proposal becomes law, Indiana would join California in requiring website operators and online entities that collect personal or financial information from state residents to conspicuously post their privacy policies online. The policies would need to identify what personal information the site collects from site visitors and whether the operator of the site shares or sells any of that information, and with whom.

We will be following this and other developments of this kind in the year ahead. However, we recommend businesses be more proactive in taking steps to safeguard and manage personal information. These steps should go beyond the IT department and include administrative and physical safeguards to protect data in all forms, including paper documents. Additionally, data security is only one of a number of important reasons for a rigorous record retention and destruction policy. Others include the development of more efficient data management practices, keeping data storage costs down, and controlling e-discovery costs.

The New Jersey Assembly on December 15 unanimously approved, by a vote of 75-0, a bill designed to better protect consumers from identity theft. Bill A3146, if approved by the Senate, would expand the state’s law to include disclosure of a breach of security of online accounts.

Per the Identity Theft Resource Center, between 2005 and 2014, there have been 4,695 breaches exposing 633 million records, with the cost of a breach to an organization averaging an estimated $3.5 million.

Under the NJ bill, the definition of “personal information” set forth in Section 10 of P.L.2005, c.226 (C.56:8-161) would be amended and expanded to include a combination of user name or email address with any password or security question and answer that would permit access to an online account. Currently, the law covers breaches involving a combination of a Social Security number, driver’s license number or State identification card number, or account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account. The expansion would allow consumers, upon notice of a breach, “to change their online account information quickly following a breach and put consumers on notice to monitor for potential identity theft,” said one of the bill’s sponsors.

Notably, the New York assembly earlier introduced Bill A10190, which would amend New York’s data breach notification law (NY Gen. Bus. Law 899-aa). The proposed amendment would require entities which conduct business in New York State, and which own or license computerized data which includes private information, to develop, implement, and maintain a comprehensive information security program which must be consistent with the safeguards for protection of personal information. The New York amendment would impose requirements nearly identical to those required under Massachusetts law.

Each of these developments should be closely monitored so that companies can ensure compliance.

On December 9, Oregon’s Attorney General, Ellen Rosenblum, announced to the Oregon House and Senate Judiciary Committee that she would be introducing legislation to expand existing personal data protections for Oregon consumers while implementing additional enforcement measures to combat non-compliance.

According to Ms. Rosenblum, Oregon’s laws have not kept up with the rapid increase in the use and maintenance of consumer data. As stated to reporters: “We essentially need a consumer bill of rights so that people know what their rights are online . . . There’s great things about technology, but we have to inform the people, we have to inform parents and the kids so we can be protected better online as well as offline.”

Ms. Rosenblum’s proposal would allow the state Department of Justice to more broadly enforce civil penalties against non-compliance with enhanced data privacy standards. Oregon’s present identity theft statutes, ORS 646A.600-628, vest the Director of the Department of Consumer and Business Services with enforcement authority.

Oregon’s push towards additional privacy protections follows a large data breach at the Oregon Employment Department and Secretary of State’s Office, which compromised the personal information of more than a million people.

According to the Oregon AG, retail data breaches have also compromised the personal information of 70 million customers worldwide, including 800,000 in Oregon.


Some have called 2014 the “Year of the Data Breach.” That may be true given the steady stream of large-scale data breaches affecting tens of millions of individuals. We do not know if this time next year commentators will be saying the same thing about 2015, but there are signs pointing to a significant tightening of regulation and increased enforcement of data security mandates – some are discussed below. No matter a company’s size or industry, maintaining personal data can be a risky business, more so for companies that are not prepared and that have not taken reasonable steps to safeguard personal data.

New York regulators announce new cyber security preparedness assessments for banks. Following an announcement in October concerning third-party vendors, Benjamin M. Lawsky, Superintendent of Financial Services, issued an industry guidance letter on December 10 to all New York State Department of Financial Services (DFS)-regulated banks outlining enhanced examinations as part of “new targeted, DFS cyber security preparedness assessments.” According to the announcement, and in the letter to banks, DFS examinations will be looking at safeguards such as protocols for detection of cyber breaches and penetration testing; corporate governance related to cyber security; defenses against breaches, including multi-factor authentication; and security of their third-party vendors. This is not just an issue for the banks because as part of their efforts to be ready for these increased examinations and assessments, they will need to be looking at the practices of their third-party vendors.

Another HIPAA settlement and Phase 2 audits expected to commence soon. Earlier this month, the Office for Civil Rights announced it reached a resolution agreement with Anchorage Community Mental Health Services (ACMHS) to settle potential HIPAA violations. Under the agreement, ACMHS will pay $150,000 and adopt a corrective action plan with regard to its HIPAA compliance program. Like a number of prior OCR investigations, this one was opened when ACMHS, a nonprofit organization providing behavioral health care services, informed OCR of a breach of unsecured electronic protected health information affecting 2,743 individuals. The breach resulted from malware compromising the security of its information technology resources. According to OCR, ACMHS had adopted sample policies and procedures, but was not following them. In addition, OCR alleged that ACMHS failed to identify and address basic risks, such as not regularly installing updates and security patches for its software. Again, as with financial institutions, healthcare providers and health plans are not the only entities under OCR’s scrutiny. Under HIPAA, and as clarified by HITECH, the privacy and security obligations extend downstream to business associates and subcontractors, and possibly others. If your business is in the healthcare industry, there is a likelihood you will be affected by these requirements.

In addition to continued enforcement, OCR also is preparing to commence Phase 2 of its audit program. OCR representatives have been reported as stating unofficially that OCR hopes to start Phase 2 by the end of 2014, or the beginning of 2015. Those audits are expected to focus on (i) risk analysis and risk management, a fundamental requirement under the HIPAA Security Rule, (ii) breach notification compliance, and (iii) compliance with notice of privacy practices requirements. The audits are expected to reach both covered entities and business associates.

States enhancing breach notification laws and enforcement. During 2014, a number of states enhanced their existing breach notification laws (e.g., CA and FL) and Kentucky became the 47th state to enact such a law. Other states, such as Oregon, have announced a desire to enhance their own laws. Additionally, states like Massachusetts continue to announce fines for companies violating that state’s data security mandates.

Cyber insurance offerings to small business grow. In July 2014, CNBC explained “Why cyber-insurance will be the next big thing.” But it also is worth noting that during 2014 a number of carriers and syndicates announced cyber products with a focus on small and mid-sized businesses. One example is an announcement that former Pennsylvania Governor and the first U.S. Secretary of Homeland Security, Tom Ridge, formed Ridge Insurance Solutions Company, which seeks to close “a dangerous cyber insurance gap… particularly [for] small- and mid-cap firms”. Also, in November, Nationwide announced that it will be joining with Hartford Steam Boiler “to offer cyber insurance coverage for small business owners.” The insurance market’s movement in this direction is one indicator of higher data risks for businesses beyond large organizations in the financial services industry and retail.


These are just a few of the signs in 2014 that point to more regulatory and enforcement activity ahead in 2015. Businesses large and small need to focus on their data privacy and security practices, which starts with assessing their risks across their organizations.