
Arkansas State Law Which Governs Sensitive Information…… Part 3B






Presentation Transcript


  1. Arkansas State Law Which Governs Sensitive Information……Part 3B

    Arkansas Personal Information Protection Act (PIPA)
  2. What is Sensitive Information?

    Sensitive information exists in several forms:
    Printed
    Spoken
    Electronic

    2014 DHS IT Security & Privacy Training
  3. Even if HIPAA doesn’t apply – you still have to comply with PIPA!!!

    Just as HIPAA protects PHI, PIPA protects Personal Identifying Information (PII).
  4. Sensitive Information Is PII

    What is PII? A client’s first initial or first name and last name, in combination with one or more of the following, when either the name or the information is not encrypted:
    Name + Medical information
    Name + Social Security Number (SSN)
    Name + Driver’s license number or AR Identification card number
    Name + an account number, credit card number, or debit card number, in combination with any required security code, access code or password that would permit access to an individual’s financial account
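The slide-4 definition is a combination rule rather than a list of fields: a name, plus at least one listed element, with at least one of the two unencrypted, and an account or card number counting only when the code or password that unlocks the account travels with it. The following is an added example written for this page, not DHS or State of Arkansas code; the Record fields, the function names and the sample records are assumptions for illustration. It encodes that rule so a lost file can be triaged record by record before the Privacy Officer's harm assessment.

```python
# Added example (not DHS or State of Arkansas code): encodes the slide-4 PIPA
# test for personal identifying information so a lost file can be triaged
# record by record. Field and function names are assumptions for illustration.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Record:
    """One client record as it might appear in a lost or exposed file."""
    first_name: Optional[str] = None            # full first name or just an initial
    last_name: Optional[str] = None
    name_encrypted: bool = False                # is the name field encrypted?
    medical_info: Optional[str] = None          # e.g. a diet plan
    ssn: Optional[str] = None
    license_or_id_number: Optional[str] = None  # AR driver's license / ID card number
    account_number: Optional[str] = None        # bank, credit or debit card number
    account_secret: Optional[str] = None        # security code, access code, password
    elements_encrypted: bool = False            # are the data elements encrypted?


def triggering_elements(r: Record) -> List[str]:
    """Return the slide-4 data elements present in the record.

    An account or card number counts only together with the code or
    password that would permit access to the financial account.
    """
    found = []
    if r.medical_info:
        found.append("medical information")
    if r.ssn:
        found.append("Social Security Number")
    if r.license_or_id_number:
        found.append("driver's license or AR ID card number")
    if r.account_number and r.account_secret:
        found.append("financial account number with access code")
    return found


def is_pipa_pii(r: Record) -> bool:
    """True when the record meets the slide-4 definition of PII.

    Requires (a) a first name or initial plus last name, (b) at least one
    triggering element, and (c) at least one of the two being unencrypted.
    """
    has_name = bool(r.first_name and r.last_name)
    if not has_name or not triggering_elements(r):
        return False
    # If BOTH the name and the elements are encrypted, the combination
    # falls outside the definition; otherwise it is PII.
    return not (r.name_encrypted and r.elements_encrypted)


def triage(records: List[Record]) -> dict:
    """Summarise a file for the Privacy Officer: how many records are PII and
    which elements appear, so the slide-8 harm assessment can start."""
    pii = [r for r in records if is_pipa_pii(r)]
    elements = sorted({e for r in pii for e in triggering_elements(r)})
    return {"total": len(records), "pii_records": len(pii), "elements": elements}


# Constructed sample file resembling the slide-7 scenario (diet plans + SSNs);
# these are invented records, not real data.
LOST_FILE = [
    Record(first_name="J", last_name="Smith", medical_info="1800 kcal diet plan",
           ssn="000-00-0001"),
    Record(first_name="Maria", last_name="Lopez", ssn="000-00-0002"),
    # Card number without the access code: not a triggering element by itself.
    Record(first_name="Lee", last_name="Chen", account_number="4111111111111111"),
    # Both the name and the SSN are encrypted: outside the definition.
    Record(first_name="Pat", last_name="Jones", name_encrypted=True,
           ssn="000-00-0003", elements_encrypted=True),
    # Medical information with no name attached.
    Record(medical_info="low-sodium diet plan"),
]

if __name__ == "__main__":
    print(triage(LOST_FILE))
```

Running the block on the constructed file reports 2 PII records out of 5: the card number with no access code and the fully encrypted record do not meet the definition, and medical information with no name attached is not PII on its own, although it may still be PHI under HIPAA and must still be reported under slide 11.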
  5. PIPA Breach Notice Requirements

    PIPA requires breach notification letters where a reasonable probability of harm exists. As with HITECH, the PIPA letter should contain information which does the following:
    Describes what happened, including the date of the breach and the date the breach was discovered, if known.
    Describes the types of unsecured personal information that were involved in the breach.
  6. Breach Notification Requirements Continued…

    Any steps the individual should take to protect himself/herself from potential harm resulting from the breach.
    A brief description of what DHS is doing to investigate the breach, to mitigate harm to the individuals, and to protect against further breaches.
    Contact procedures for individuals to ask questions or learn additional information, which include a toll-free telephone number, an e-mail address, website, or postal address.
  7. PIPA Use Scenario

    An employee loses files which include diet plans and SSNs. What would you do? Must you notify anyone? Is a breach notification letter to the client required?
  8. Steps

    Step One: Report this immediately to your supervisor and your designated Privacy Officer.
    Step Two: The Privacy Officer must determine which laws apply and which standard of harm applies. If PIPA applies – whether there is a reasonable probability of harm. If HIPAA applies – whether there is a probability of reputational or financial harm.
    Step Three: A letter must be written if, as required by the applicable law, it is determined that there is a probability of harm. In some instances, a phone call or contacting the media will be necessary.
  9. Wrapping Up…..

    The next few slides contain some helpful links.
  10. Helpful Links

    HIPAA Privacy Rule protections and requirements: http://www.hhs.gov/ocr/privacy/hipaa/understanding/index.html
    If you want to know more about PIPA, find it here: http://www.dis.arkansas.gov/security/Documents/Act1526.pdf
    Want more information? http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/index.html
    If you need to file a privacy complaint with DHS, please refer to DHS Form 4005; if you need to file one with OCR, find the link here: http://www.hhs.gov/ocr/office/about/rgn-hqaddresses.html
  11. Reminders:

    Employees must report a security or privacy incident. Remember the Incident Reporting site: https://dhs.arkansas.gov/reporting
    If you fail to report an incident, you are in direct violation of DHS Policy 5007.
    Find Security & Privacy Policies here: http://dhsshare/DHS%20Policies/Forms/Security%20and%20Privacy%20Policies.aspx