We have prepared a 60-minute webinar* to provide plans, health care providers and business associates with a high-level compliance roadmap concerning the Omnibus Privacy Rule under HIPAA, which for the most part becomes effective next month. We hope this presentation is helpful for your organization.

On January 25, 2013, the Office for Civil Rights (“OCR”) of the U.S. Department of Health and Human Services issued long-awaited final privacy and security regulations (“Omnibus Rule”) under the Health Insurance Portability and Accountability Act (“HIPAA”) to implement the changes made in 2009 by the Health Information for Economic and Clinical Health Act (“HITECH Act”). The Omnibus Rule became effective March 26, 2013, and, in general, covered entities and business associates are required to comply by September 23, 2013.

This webinar provides a high-level overview of the key requirements facing health plans, health care providers and business associates. Following a brief refresher on HIPAA, the webinar covers key compliance topics such as the new data breach notification standard, required changes to the Notice of Privacy Practices and updating business associate agreements. 


* Of course, as with all of the materials and information provided on this blog, this webinar is for informational purposes only and not for the purpose of providing legal advice. For advice about a particular problem or situation, please contact an attorney of your choice. Use of and access to this blog does not create an attorney-client relationship between Jackson Lewis and the recipient, reader, or user. This email may be considered attorney advertising in some states. Furthermore, prior results do not guarantee a similar outcome.

It seems more companies are considering whether to purchase or enhance their cyber or data breach insurance coverage. In recent years, these offerings have expanded, giving businesses more choice, and perhaps so has the need for such coverage, given the explosion of access to and transmission of confidential data. What is interesting about this development is the different approaches companies seem to take when evaluating this type of coverage.

Networkworld reports today on a study by the Ponemon Institute finding that, of the companies surveyed, "chief information officer[s] and chief information security officer[s] have ‘very little influence’ in deciding whether to buy cyber security insurance." According to the report, the survey also shows that

companies rarely do a formal risk assessment by in-house staff to figure out how much insurance coverage should be purchased. Instead, they rely on the insurer to do that or take a very informal approach. Only 32% of the respondents said the IT security department had a very significant level of involvement; 35% cited “some involvement;” and 33% said there was absolutely “no involvement” for IT security staff.

It is not surprising that chief information officers do not hold the purse strings in most organizations when it comes to decisions about buying insurance. However, risk assessments are critical. Doing a proper risk assessment, one that takes into account all aspects of an organization that could pose information risks, including of course IT, seems fundamental to understanding what risks exist and what role insurance can play in addressing those risks. Additionally, in some cases, risk assessments are required – e.g., under the HIPAA security regulations and the Massachusetts data security regulations.

According to a press release by the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS), the managed care company WellPoint Inc. may not have adequately implemented policies and procedures for authorizing access to its on-line application database or performed an appropriate technical evaluation when doing a software upgrade to its information systems. Additionally, OCR alleged that WellPoint did not have appropriate technical safeguards in place to verify the person or entity seeking access to electronic protected health information (PHI) maintained in its application database, leaving the PHI of over 600,000 individuals accessible via the database. This data included names, dates of birth, addresses, Social Security numbers, telephone numbers and health information.

To settle these allegations, WellPoint agreed to pay HHS $1.7 million.

OCR cautions:

This case sends an important message to HIPAA-covered entities to take caution when implementing changes to their information systems, especially when those changes involve updates to Web-based applications or portals that are used to provide access to consumers’ health data using the Internet.

As software upgrades often involve the assistance of outside third parties – business associates – in addition to compliant business associate agreements, covered entities may want to be more specific in the scope of work described in their services agreements about the privacy and security safeguards that will apply in the process of such conversions or upgrades. OCR notes that beginning Sept. 23, 2013, liability for many of HIPAA’s requirements will extend directly to business associates.

In addition to limiting employers’ access to the online accounts of employees and applicants, effective July 1, 2013, Colorado becomes the ninth state to restrict an employer’s right to obtain and use credit information for making employment decisions. Colorado joins California, Connecticut, Hawaii, Illinois, Maryland, Oregon, Vermont and Washington.

Under Colorado’s new law, a covered employer cannot require an employee to consent to a background check containing credit information unless: (1) the employer is a bank or financial institution; (2) the report is required by law; or (3) the report is “substantially related to the employee’s current or potential job,” and the employer has a bona fide purpose for such information, and this information is disclosed in writing to the employee. Further, such information can be used only if it is “substantially related to the employee’s current or potential job.”

The statute provides that the phrase, “substantially related to the employee’s current or potential job,” means the information in the credit report is related to the position for which the subject is being evaluated, because the position is one for executive or management level personnel or officers, or employees who constitute professional staff to executive and management personnel, and the position involves one or more of the following:

  • Setting the direction or control of a business, division, unit, or an agency of the business;
  • A fiduciary responsibility to the employer;
  • Access to customers, employees, or the employer’s personal or financial information, other than information customarily provided in a retail transaction;
  • The authority to issue payments, collect debts, or enter into contracts; or
  • Involves contracts with defense, intelligence, national security, or space agencies of the federal government.

More information about the law can be accessed here, or at the link above.

In the face of increasing incidences of and rising public concern regarding identity theft, the California Legislature is considering a bill with new personal information data disclosure requirements for California businesses and a broad definition of what constitutes personal information.

California Assembly Bill 1291 would require businesses that have customer personal information and have disclosed such information to provide each such customer with notice of the names and contact information of all third parties who received personal information from the business, and to provide a designated request address at which to receive requests from customers as provided for under the bill. Additionally, the business must make available, free of charge, access to or copies of all of the customer’s personal information that the business holds. Also, if the business has any online privacy policies, each privacy policy must also include a statement of the customer’s rights as provided in the legislation and a designated request address.

Personal information broadly includes, but is not limited to, any of the following: (1) identity information such as real name, alias, nickname, and user name; (2) address information, including but not limited to, postal address, e-mail, internet protocol address; (3) telephone number; (4) account name; (5) social security number or other government-issued identification number, such as a driver’s license number, identification card number, and passport number; (6) birthdate or age; (7) physical characteristic information such as height and weight; (8) sexual information, including but not limited to, sexual orientation, sex, gender status, gender identity, and gender expression; (9) race or ethnicity; (10) religious affiliation or activity; (11) political affiliation or activity; (12) professional or employment-related information; (13) educational information; (14) medical information; (15) financial information; (16) commercial information; (17) location information; (18) internet or mobile activity information; (19) content including text, photographs, audio or video recordings, or other material generated by or provided by the customer; and (20) any of the above information as it relates to the customer’s children.

Customer is defined as an individual who is a resident of California and provides personal information to a business “in the course of purchasing, viewing, accessing, renting, leasing, or otherwise using real or personal property, or any interest therein, or obtaining a product or service from the business including advertising or any other content.” Customers also include individuals for whom the business obtained personal information from another business. Accordingly, the bill would cover individuals who are not traditionally thought of as customers and may also include a business’ employees.

All businesses, including employers, with operations in California or with California customers must stay abreast of these developments and, given the breadth of personal information implicated, no such business can be exempt from the requirements. In preparation for the passing of this or a similar bill, it is important to determine how customer personal information is disclosed and set forth a compliance plan to meet the pending disclosure and access requirements.

A New Jersey District Court has sanctioned a personal injury plaintiff for spoliation following the plaintiff’s deletion of his Facebook account, which defendants were trying to access.

The defendant’s discovery requests asked for documents or records of “wall posts, comments, status updates or personal information posted or made by plaintiff on Facebook and/or any social media website from 2008 through the present.” Later, the defendant sent forms for plaintiff to execute which would authorize Facebook and other sites to release plaintiff’s information. The plaintiff executed all the authorizations except the one for Facebook.

Plaintiff’s failure to execute the Facebook authorization was raised before the Court, and the Court ordered plaintiff to execute the authorization. Plaintiff agreed to enable access by changing his password to a certain word. Thereafter, defense counsel accessed the account to confirm the password change and printed some of the account’s content.

The following day, Facebook notified plaintiff of the account access from an unknown IP address in New Jersey. Plaintiff notified his counsel, who contacted defense counsel to confirm that the records would be sought from Facebook headquarters. Defense counsel responded, explaining the account was accessed to confirm the password change but would not be accessed again, as the authorization was sent to Facebook.

Facebook responded to the authorization advising that the Stored Communications Act barred it from disclosing the data, but suggested having plaintiff download the content himself. Counsel for the parties agreed that plaintiff would do so and turn over a copy, along with a certification that he had made no changes since he was first ordered to execute the authorization. However, plaintiff’s counsel later advised defendants that plaintiff had deactivated the account and could not reactivate it. The plaintiff claimed he deactivated the account because of the notification he received that unknown people were accessing his account without his permission.

The defendants moved for sanctions, claiming that the deletion was intentional as postings contained in the deleted account would have helped refute plaintiff’s damages claim. Defendants based this assertion on content printed from the account prior to deactivation. The Court rejected plaintiff’s argument that the information contained in the account was not intentionally suppressed and found that even if plaintiff did not intend to deprive defendants of the data, he intentionally deleted the account and thereby failed to preserve relevant evidence.

This case, as well as the case discussed here, provides valuable authority for accessing social media content in litigation.

Linking his announcement to National Privacy Day, January 28, 2013, Maryland Attorney General Douglas F. Gansler informed the public that his office has formed an Internet Privacy Unit. (See the similar step taken by the Connecticut AG.)

The stated purpose of the Unit is to protect the privacy of online users. The Unit will be charged with "monitor[ing] companies to ensure they are in compliance with state and federal consumer protection laws." In addition, the Unit will "examine weaknesses in online privacy policies" and help to create awareness about privacy rights. Of course, the Unit also will pursue enforcement actions to ensure consumer protection.

As in other states, such as Massachusetts and California, Maryland has a Personal Information Protection Act. The Act provides, in part:

To protect personal information from unauthorized access, use, modification, or disclosure, a business that owns or licenses personal information of an individual residing in the State shall implement and maintain reasonable security procedures and practices that are appropriate to the nature of the personal information owned or licensed and the nature and size of the business and its operations.

Md. Code Ann. Comm. Section 14-3503. The Attorney General’s Office has published some guidance about the data breach provisions of the law.

Maryland businesses and businesses which maintain personal information about Maryland residents should review their online privacy statements, as well as the policies and procedures for safeguarding personal information. In his press release, Attorney General Gansler acknowledged "the emergence and evolution of the Digital Age has created new and significant privacy risks for both consumers and businesses." Businesses need to be prepared to address these risks and defend against enforcement activities.

In honor of National Data Privacy Day, we have laid out 13 key issues affecting businesses in 2013. While the list is by no means exhaustive, it does provide critical areas businesses will need to consider in 2013.

  1. BYOD. As advancements in technology continue at a breakneck pace, many businesses are confronted with the idea of implementing a Bring Your Own Device (“BYOD”) program. Under these programs, employees are permitted to connect their own personal devices to the company’s networks and systems to complete job tasks either in the office or working remotely. While BYOD programs have advantages, they also have associated risks. Developing a thorough implementation strategy with appropriate policies is critical.
  2. Bans On Requesting Social Media Passwords. As we have previously discussed, fourteen states introduced legislation in 2012 which would prohibit employers from requiring current, or prospective, employees to disclose a user name or password for a personal social media account. Six states have passed and/or enacted such legislation, and it is anticipated that other states will pass similar measures in 2013.
  3. Final HIPAA Regulations. On January 17, 2012, the Office for Civil Rights released final privacy and security regulations under the Health Insurance Portability and Accountability Act. In addition to incorporating the HITECH Act which, among other things, expands the application of the rules to business associates, the final rules also apply the rules to subcontractors and remove the risk of harm trigger for data breaches affecting unsecured protected health information.
  4. Disaster Recovery Plans. Hurricane Sandy caused extensive damage on the east coast in 2012, greatly affecting not only personal residences, but many businesses up and down the coast. Unfortunately, protecting information and technology assets from natural disasters and other emergencies is often an afterthought. However, developing a comprehensive disaster recovery plan now can avoid the significant expense, and often irretrievable loss of data, associated with natural disasters.
  5. Develop a Plan for Responding to a Breach Notification. All state and federal data breach notification requirements currently in effect require notice be provided as soon as possible. Delays in notification viewed as unreasonable could trigger an inquiry by the state’s Attorney General, or in the case of HIPAA protected health information, the Office of Civil Rights. This is true even when the number of individuals affected is relatively small.
  6. Investigating Social Media. As the use of social media continues to grow throughout the world, it is only natural that social media content is being sought to aid in litigation. While public content may generally be utilized without issue, if private content is accessed improperly, serious repercussions can follow. This is especially true for attorneys and their staff who attempt to aid their clients by accessing social media content.
  7. International Data Protection. More and more company information is being stored in electronic format and shared with various corporate divisions through company intranets or email. While U.S. law requires some safeguarding of this information, international protections on personal information can be much more stringent. When the transfer of data across international borders is possible, or actively occurring, companies should be advised on the potential risks and requirements associated with same.
  8. Develop a Written Information Security Program. Even if adopting a written information security program (WISP) to protect personal information is not an express statutory or regulatory mandate in your state, having one is critical to addressing information risk. Not only will a WISP better position a company when defending claims related to a data breach, but it will help the company manage and safeguard critical information, and may even help the company avoid whistleblower claims from employees. For some companies, a WISP can be a competitive advantage. Of course, in states like Massachusetts, Maryland, Oregon, Texas, Connecticut and others, a WISP in one form or another is required.
  9. Risk Assessment. Many businesses remain unaware of how much personal and confidential information they maintain, who has access to it, how it is used and disclosed, how it is safeguarded, and so on. Getting a handle on a business’ critical information assets must be the first step, and is perhaps the most important step to tackling information risk. You simply can’t adequately safeguard something you are not aware exists. And failing to conduct a risk assessment may subject the business to penalties under federal and/or state law.
  10. Insurance. Like many other risks, information risk can be addressed in part through insurance. More carriers are developing products dealing with personal information risk, and specifically data breach response. This kind of coverage should be a part of any CIO, privacy officer or risk manager’s toolkit for safeguarding information.
  11. Training. A necessary component of any WISP and a required element under most federal and state laws mandating data security is training. In addition to meeting compliance requirements, training employees and supervisors also will aid in defending any potential breach of privacy claim that may be asserted against the company.
  12. Carefully Integrate New Technologies. As businesses look for new technologies to increase productivity, cut costs, and gain a competitive advantage, how those technologies address information risk must be a factor in the decision to adopt.
  13. Watch for New Legislation. Today, managing data and ensuring its privacy, security and integrity is critical for businesses and individuals, and is increasingly becoming the subject of broad, complex regulation. As no national law requiring the protection of personal information has yet been passed in the U.S., companies are left to navigate the constantly evolving web of growing state legislation. Companies therefore need to stay tuned in order to remain compliant and competitive in this regard.

The Office for Civil Rights released on January 17, 2013, final privacy and security regulations (563 pages) under the Health Insurance Portability and Accountability Act. The rules address four key issues:

  • Reflecting the changes made by the Health Information for Economic and Clinical Health Act (HITECH);
  • Revisions to the HIPAA enforcement rule;
  • Updates to the previously issued data breach regulations; and
  • Incorporating the changes made by the Genetic Information Nondiscrimination Act.

In general, covered entities and business associates will need to comply by September 23, 2013. We expect to be reporting on some of the key changes shortly.
