BEST PRACTICES TO PROTECT YOUR CLIENTS’ PRIVACY

Presented By:
Michelle Lewis, NREI School Director
John F. Goryl, Senior Counsel, KML Law Group
Jada S. Greenhowe, Assistant Counsel, PHFA
Special Note:
The following presentation is used as a part of NWCS’ Client Privacy and Confidentiality Training, and will be used exclusively for this training as part of a collaboration between the Pennsylvania Housing Finance Agency and NREI.
Overview
• Objective of Privacy & Confidentiality Policy
• Counseling Agency’s Relationship to the Client
• Definition of Person in Position of Trust
• Covered Client Information and Staff
• Privacy
• Confidentiality
• Privacy Act of 1974
• Conditions of Disclosure
• HUD Certification
• Confidentiality of Records
• Maintenance of Files
• Maintenance of Credit Reports
5/11/2015
Objective of Privacy & Confidentiality Policy
• Maintain trust
• Uphold fiduciary obligation
• Avoid misuse or abuse of access to sensitive information
• Avoid actual or apparent conflicts of interest
• Avoid external access to client information
• Avoid internal access by unauthorized persons
Counseling Agency’s Relationship to the Client
Fiduciary obligation:
• Highest level of trust
• Highest standard of care
• Unequal relationship, as the client is relying on our advice to make decisions
• Obligation to place the client’s needs above all else, including our own
Counseling Agency’s Duties:
• Care
• Loyalty
• Accountability
• Dependability
• Performance
• Act in good faith
Person in a Position of Trust
According to HUD: “This person is a participating agency’s employee (including both paid and volunteer staff), consultant, officer, director, elected or appointed official, any member of their immediate families, or anyone who is in a position to influence a participating agency’s decision-making process or who has access to the agency’s confidential client information.”
Covered Client Information
• Conversations
• Documents
• Demographic information (individually or in aggregate)
• Circumstances
• Client file
• Credit report
• Any and all information pertaining to the client, whether obtained verbally, in express (written) form, or electronically
Covered Staff
• Counselors
• Supervisors
• Executive
• Clerical
• Processing
• Billing
• Volunteers
• Anyone obtaining access by or through the Counseling Agency
Privacy
According to Merriam-Webster, privacy is described as:
a: the quality or state of being apart from company or observation: seclusion
b: freedom from unauthorized intrusion <one's right to privacy>
Confidentiality
According to Merriam-Webster, confidential is described as:
a: marked by intimacy or willingness to confide <a confidential tone>
b: private, secret <confidential information>
c: containing information whose unauthorized disclosure could be prejudicial to the national interest — compare secret, top secret
Client Privacy at Facility
• Private office
• Closed door
• No discussion within earshot of other staff or others
• Protect the privacy and confidentiality of client information in: scheduling, intake, workshops, case management, file management
Client Privacy at Facility (Continued)
• No discussion or disclosure to others without prior client consent. This includes spouses or other interested parties.
• Observe workshop privacy rules.
• Client information must be kept completely away from unauthorized view, e.g., never left open on a desk or otherwise exposed.
Privacy Act of 1974
• Governs the collection, maintenance, use and dissemination of personally identifiable information about individuals maintained in systems of records by federal agencies
• Prohibits disclosure absent the written consent of the subject individual
• Provides individuals with a means by which to seek access to and amendment of their records
• Sets forth various agency record-keeping requirements
• Passes through to sub-recipients of federal funds
Conditions of Disclosure
No agency shall disclose any record which is contained in a system of records by any means of communication to any person, or to another agency, except pursuant to a written request by, or with the prior written consent of, the individual to whom the record pertains.
HUD Certification
No person, except the counselor and his or her superiors, shall have access to client data.
Exceptions:
• Counselor’s superiors
• Intake persons who have been trained in the requirements of the Privacy Act
• HUD and its personnel
• Government, or by contract
HUD’s Definition of Privacy
• Ensure the confidentiality of all client-level and agency profile information.
• Must use a CMS which has taken all the standard and required security protections.
• Assurances that this data will not be shared with any entities other than HUD and the housing counseling agency, unless explicitly instructed to do so by the client (or, in the case of agency information, by the housing counseling agency).
HUD’s Definition of Privacy (Continued)
Personally identifiable information (PII) is any information about an individual maintained by an agency,
• used to distinguish, trace, or identify an individual’s identity,
• including personal information which is linked or linkable to an individual.
Confidentiality of Records
Sensitive PII, a subset of PII, requires additional levels of security controls:
• Social Security numbers or comparable identification numbers
• Financial information associated with individuals
• Medical information associated with individuals
Confidentiality of Records (Continued)
• Ensure that their CMS system protects the confidentiality of each client’s personal and financial information, both electronic and paper, including credit reports, whether the information is received from the client or from another source.
• Ensure that neither they nor their CMS vendor discloses the information in the client’s individual case file to anyone except for authorized agency personnel and HUD.
Confidentiality of Records (Continued)
• Ensure that their selected CMS maintains the confidentiality of this information as well. The only exception to this requirement is when the counseling recipient expressly grants permission, for example when a loan application is automatically created through the CMS and submitted to a lender.
• HUD staff may not disclose to anyone except authorized HUD personnel the information contained in individual case files that may be sampled as part of monitoring or received as part of reporting.
Maintenance of Files and Records
• Maintain a separate confidential file documenting each unique, distinct provision of counseling services provided to a client.
• Maintain a separate confidential file for each course provided.
• Hard copies of client files must be kept in locked filing cabinets, and electronic client files must be kept secure and accessible only by authorized individuals.
Confidentiality and Maintenance of Credit Reports
• Secure the client’s authorization prior to ordering a credit report.
• Failure to maintain the confidentiality of, or improper use of, credit reports may subject the agency to penalties under the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.).
• Ensure that neither they nor their CMS vendor discloses the information in the client’s individual case file to anyone except for authorized agency personnel and HUD.
• Otherwise subject to all other privacy and confidentiality rules.
Outrageous Breach of Privacy
[image-only slide]
Hardware to Malware
[image-only slide]
Existing Federal Privacy Laws
[image-only slides, 26 through 38]
Chronology of Data Breaches
[image-only slide]
Hacker Profitability
[image-only slide]
National Data Breach Law
• Passage of data breach legislation has been a national trend: 47 states have a data breach statute.
• Several states have recently updated and increased the protection in their data breach statutes: New Jersey, Massachusetts, California, and Connecticut.
• Numerous federal laws and entities already protect some types of information: the Federal Trade Commission and Federal Communications Commission; the Health Insurance Portability and Accountability Act of 1996; the Gramm-Leach-Bliley Act.
Breach of Personal Information Notification Act
On December 22, 2005, the Pennsylvania legislature passed the Breach of Personal Information Notification Act (“PA Breach Act”), which became effective on June 20, 2006.
Scope of the PA Breach Act:
• Which entities should take action
• What specific actions should be taken
• When remedial actions should be implemented
General Rule
An entity that maintains, stores or manages computerized data that includes personal information shall provide notice of any breach of the security of the system, following discovery of the breach, to any resident of this Commonwealth whose unencrypted and unredacted personal information was or is reasonably believed to have been accessed or acquired by an unauthorized person. Notice shall be made without unreasonable delay.
Applicability
An entity that maintains, stores or manages computerized data that includes personal information. Includes:
• Pennsylvania governmental agencies and political subdivisions
• Businesses
• Financial institutions
• Individuals
Important Definitions
Personal information: a person’s first name (or first initial) and last name AND any of the following data elements (if not encrypted or redacted):
• Social Security number
• driver’s license or state identification card number
• financial account number or credit card number, together with a security code, access code or password permitting access to the account
Publicly available information is excluded.
Important Definitions (Continued)
Security breach: unauthorized access and acquisition of computerized data that materially compromises the security or confidentiality of personal information maintained by the entity as part of a database of personal information regarding multiple individuals, and that causes, or the entity reasonably believes has caused or will cause, loss or injury to any resident of this Commonwealth.
Encryption: the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key.
Important Definitions (Continued)
Redact: alteration or truncation such that no more than the last four digits of a Social Security number, driver’s license number, state identification card number or account number is accessible as part of the data.
Records: any material, regardless of physical form, on which information is recorded or preserved by any means. Includes:
• Written or spoken words
• Graphically depicted information
• Printed or electromagnetically transmitted information
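The three definitions above (personal information, encryption, redact) together decide whether a lost record obliges the agency to notify anyone. The Python below is an added example, not code from the presentation or from any PHFA or HUD tool, that applies them to a handful of constructed case-file records: it truncates identifiers to their last four digits and reports which Pennsylvania residents’ records still qualify as personal information. The field names (`ssn`, `drivers_license`, `credit_card_number`, `security_code`, and so on) and the sample records are assumptions made for the illustration. The “publicly available information” carve-out and the “loss or injury” element of the security-breach definition are not modelled, and encryption is represented only by a set of field names the caller asserts were stored encrypted; the script performs no cryptography itself.

```python
"""Apply the PA Breach Act definitions (personal information, redact,
encryption) to sample records. Added example; not code from the presentation.
Field names and the sample records below are constructed for illustration."""

from typing import Dict, FrozenSet, Iterable, List

Record = Dict[str, str]

# A name plus one of these, unencrypted and unredacted, is "personal information".
IDENTIFIER_FIELDS = ("ssn", "drivers_license", "state_id")
# Account numbers count only together with a code that permits access to the account.
ACCOUNT_FIELDS = ("account_number", "credit_card_number")
ACCOUNT_SECRET_FIELDS = ("security_code", "access_code", "password")


def redact(value: str, keep: int = 4) -> str:
    """Truncate a numeric identifier so that no more than the last `keep`
    digits remain readable; separators such as '-' are kept for readability."""
    digit_positions = [i for i, ch in enumerate(value) if ch.isdigit()]
    masked = set(digit_positions[:-keep]) if len(digit_positions) > keep else set()
    return "".join("*" if i in masked else ch for i, ch in enumerate(value))


def is_redacted(value: str, keep: int = 4) -> bool:
    """True when at most the last `keep` digits are still readable."""
    return sum(ch.isdigit() for ch in value) <= keep


def is_personal_information(record: Record,
                            encrypted_fields: FrozenSet[str] = frozenset()) -> bool:
    """Does the record meet the Act's definition of personal information?

    `encrypted_fields` names fields the caller asserts were stored encrypted
    (the Act excludes encrypted elements); this example does no cryptography.
    The 'publicly available information' exclusion is not modelled.
    """
    if not (record.get("first_name") and record.get("last_name")):
        return False

    def exposed(field: str, numeric: bool = True) -> bool:
        value = record.get(field)
        if not value or field in encrypted_fields:
            return False
        return not (numeric and is_redacted(value))

    if any(exposed(f) for f in IDENTIFIER_FIELDS):
        return True
    return (any(exposed(f) for f in ACCOUNT_FIELDS)
            and any(exposed(f, numeric=False) for f in ACCOUNT_SECRET_FIELDS))


def redact_record(record: Record) -> Record:
    """Copy of the record with every identifier and account number truncated."""
    out = dict(record)
    for field in IDENTIFIER_FIELDS + ACCOUNT_FIELDS:
        if out.get(field):
            out[field] = redact(out[field])
    return out


def notification_required(records: Iterable[Record],
                          encrypted_fields: FrozenSet[str] = frozenset()) -> List[str]:
    """Names of Pennsylvania residents whose exposed records still qualify."""
    return [f"{r['first_name']} {r['last_name']}" for r in records
            if r.get("state") == "PA" and is_personal_information(r, encrypted_fields)]


# Constructed sample records (not real people).
SAMPLE_RECORDS = [
    {"first_name": "A.", "last_name": "Client", "state": "PA", "ssn": "123-45-6789"},
    {"first_name": "B.", "last_name": "Client", "state": "PA", "ssn": "***-**-6789"},
    {"first_name": "C.", "last_name": "Client", "state": "PA",
     "credit_card_number": "4111111111111111"},            # number but no access code
    {"first_name": "D.", "last_name": "Client", "state": "PA",
     "credit_card_number": "4111111111111111", "security_code": "123"},
    {"first_name": "E.", "last_name": "Client", "state": "NJ", "ssn": "987-65-4321"},
]

if __name__ == "__main__":
    print("as stored:       ", notification_required(SAMPLE_RECORDS))
    print("ssn encrypted:   ", notification_required(SAMPLE_RECORDS, frozenset({"ssn"})))
    print("after redaction: ", notification_required(map(redact_record, SAMPLE_RECORDS)))
```

Run as a script it shows that only A. and D. Client trigger notice as stored, that encrypting the SSN column removes A. Client, and that truncating every identifier to its last four digits leaves no notifiable record at all. In practice, treat a field as encrypted for this purpose only when the key was not exposed in the same incident, and redact in the system of record rather than relying on a post-breach filter.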
Important Undefined Term
The Act does not define “unreasonable delay,” but the law recognizes that an entity may take measures to determine the scope of the breach and restore the reasonable integrity of the data system, and there is an exception if a law enforcement agency advises in writing that notification would impede a civil or criminal investigation.
Notice: Disclosure to Consumers
The notification requirements are triggered when there is a breach of the security of a computerized data system “to any resident of the Commonwealth whose unencrypted and unredacted personal information was or is reasonably believed to have been accessed and acquired by an unauthorized person.”
Law Enforcement Exception
• Notice of a security breach may be delayed where a law enforcement agency advises an entity in writing that notification under the PA Breach Act will impede an investigation.
• The entity may only give notice after the law enforcement agency has determined that the notice will not compromise the investigation.
Notice: Form of Notice
• Written notice: to the last known home address for the individual.
• Telephonic notice: if the customer can be reasonably expected to receive it, and the notice is given in a clear and conspicuous manner, describes the incident in general terms and verifies the personal information but does not require the customer to provide personal information, and the customer is provided with a telephone number to call or an Internet website for further information or assistance.
Form of Notice (Continued)
• E-mail notice: if a prior business relationship exists and the person or entity has a valid e-mail address for the individual.
• Substitute notice: e-mail (if available), posting on the entity’s website AND statewide media (only if the cost of notice will exceed $100,000, the class to be notified exceeds 175,000, OR the entity does not have contact information).
Civil Relief: Remedies
• Violations are actionable under PA’s Unfair Trade Practices and Consumer Protection Law.
• No private right of action exists. Exclusive enforcement authority rests with the Office of Attorney General.
• Actions may include: injunctive relief to compel compliance or prevent further violations; civil penalties for willful violations.
Questions?

Thank you! We welcome your feedback.
John F. Goryl, Senior Counsel, KML Law Group
Michelle W. Lewis, NREI School Director
Jada S. Greenhowe, Assistant Counsel, PHFA