Privacy and Security Laws for Health Care Organizations www.ScottandScottllp.com Presented by Robert J. Scott Scott & Scott, LLP 800-596-6176


Page 1

Privacy and Security Laws for Health Care Organizations

www.ScottandScottllp.com
Presented by Robert J. Scott
Scott & Scott, LLP
800-596-6176

Page 2

© 2008 Scott&Scott, LLP

Page 3

Ponemon Survey Results – 85% of Companies Surveyed Experienced a Data Breach

Bar Chart 1: Data breach statistics for the present sample

• Companies experiencing the loss of personal information: 85%

• Companies required to notify breach victims: 81%

Page 4

Ponemon Survey Results – 42% of data breaches were caused by missing devices such as laptop computers

Bar Chart 2: Probable cause of the data breach event

• Missing devices: 42%

• Negligent employees: 16%

• Negligent third parties: 10%

• IT mishaps: 7%

• Criminal activity: 6%

• Malicious employees: 6%

• Missing backup media: 4%

Page 5

Ponemon Survey Results - 57% did not have an incident response plan in place when the breach happened

Bar Chart 4: Did you have an incident plan before the breach?

• Did not have an incident response plan: 57%

• Did not engage outside legal counsel to draft or review plan: 77%

Page 6

Ponemon Survey Results – Breaches May Impact IT Spending

Bar Chart 9: Percentage difference between companies that experienced a breach and companies that did not experience a breach (series: Had breach / Did not have breach; categories: Encryption, Devices are properly cleaned, Legal counsel, Data leak prevention, Training and awareness, Data inventory)

Page 7

Federal Regulation of Privacy Rights

º HIPAA

º GLBA

º COPPA

º Electronic Communications Privacy Act

º Privacy Act and Computer Matching & Privacy Protection Act

º Computer Fraud and Abuse Act

Page 8

HIPAA Privacy Rule

º Purpose of the Privacy Rule is to define and limit the circumstances in which an individual’s protected health information may be used or disclosed by a covered entity.

º All individually identifiable health information held or transmitted by a covered entity or its business associates is protected health information.

º A covered entity must obtain the individual’s written authorization for any use or disclosure of information that is not for treatment, payment or health care operations, or otherwise permitted or required by the Privacy Rule.

º Each covered entity must provide a notice of its privacy practices.

Page 9

HIPAA Privacy Breach Notification

º In the event of a data breach, a covered entity has a duty to:

• Mitigate impermissible uses and disclosures; and

• Account for impermissible uses and disclosures.

º A business associate must report any breach to the covered entity.

º A business associate has no obligation to notify others or mitigate the effect of the breach.

Page 10

HIPAA Security Requirements

º Designate a privacy official who is responsible for developing and implementing policies and procedures

º Train all members of the workforce on policies and procedures related to protected health information

º Implement appropriate administrative, technical and physical safeguards to protect against the intentional or unintentional use or disclosure in violation of HIPAA

º No waiver of rights

º Implement policies and procedures that are reasonably designed to ensure compliance

º Retain documents and prepare reports to regulators demonstrating compliance

Page 11

Understanding State Breach Notification Laws

º Forty-five jurisdictions have data breach notification statutes (forty-four states and DC)

º Definition of Personal Information

º Exemption for Encrypted Personal Information

º Criminal Investigation or Government Entity Exemption

º Immaterial Information Exemption

Page 12

Definition of Personal Information

º First name or first initial and last name, along with one of the following unencrypted pieces of information:

• social security number;

• driver’s license number or state identification number; or

• account number, credit card number, or debit card number, combined with any password, security code, or access code.

Page 13

Exemptions for Encryption

º Many states, like California, exclude encrypted information from the definition of a security breach.

º Other states have an express exemption for encrypted information.

º Encryption means an algorithmic process to transform data into a form in which the data is rendered unreadable or unusable without use of a confidential process or key.

º Exemption does not apply if the security breach also involves the encryption key.

Page 14

Criminal Investigation Exemption

º Breach notification may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation.

º The notification required by this section shall be made after the law enforcement agency determines that it will not compromise the investigation.

Page 15

Alaska’s Data Breach Notification Law

º Notification required in the most expeditious time possible and without unreasonable delay

º Exemption for encrypted data

º Suspension of duty to notify during ongoing criminal investigation

º Specific exemption for immaterial breaches

º Civil penalties for failure or unreasonable delay of notification

º Private right of action

Page 16

Page 17

Contact Information

Robert J. Scott

Scott & Scott, LLP

2200 Ross Avenue, Suite 5350E

Dallas, Texas 75201

Phone: 214-999-0080

Fax: 214-999-0333

[email protected]