
Presentation Transcript


  1. U.S. Privacy and Security Laws DELVACCA INAUGURAL INHOUSE COUNSEL CONFERENCE April 1, 2009 Diana S. Hare Associate General Counsel Drexel University College of Medicine Diana.Hare@drexelmed.edu

  2. U.S. Privacy and Security Laws Contents: • I. DISCLAIMER • II. Audience Participation • III. What’s Protected? • IV. Sources of Privacy & Security Obligations - Trends • V. What’s Loss, Liability, Breach? - Sanctions/Liability • VI. Lessons Learned • VII. Resources

  3. I. DISCLAIMER This presentation does not include every privacy and security law and regulation in the United States. Its purpose is to provide context, key principles and trends. Thank you!

  4. II. Audience Participation • Who knows they are covered by the FTC Guidelines on protecting consumer information collected online? • Who knows they are covered by HIPAA because they have an employer-sponsored health plan? • Who knows they are covered by the Red Flags Rule? (And who knows what it is?)

  5. II. Audience Participation • Who knows they are covered by state data breach notification acts other than Pennsylvania? By the new federal data breach notification act? • Who has not had employees or consultants lose the company’s customers’ personally identifying information, or access such data beyond their scope of authorization?

  6. III. What’s Protected? • Identity • Individually Identifiable Information • Personal Information • Education Record • Name, social security number (cf. redacted to last 4 digits), credit card number • HIPAA’s Safe Harbor de-identification standard lists 18 identifiers, reaching down to the ZIP code (which must be cut back to its first three digits, or to 000 for sparsely populated areas)
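The identifier handling this slide alludes to, as an added worked example that is not part of the presentation: a small Python routine that applies several HIPAA Safe Harbor rules to one constructed patient record (drop direct identifiers, keep only the first three ZIP digits, reduce dates to the year, collapse ages of 90 and over into "90+"), alongside the "last 4 of SSN" masking the slide mentions, which is a display convention and not a Safe Harbor rule. The field names, the sample record and the restricted ZIP-prefix list (the one that accompanied the 2000 census) are assumptions of the example.

```python
"""HIPAA Safe Harbor-style de-identification of a single record (added example)."""
import re
from datetime import date

# Assumed field names for the example record: direct identifiers that are
# dropped outright. Everything else is generalized or passed through below.
DIRECT_IDENTIFIERS = {"name", "ssn", "mrn", "phone", "email"}

# 3-digit ZIP prefixes that Safe Harbor requires to become "000" because the
# area they cover held 20,000 people or fewer. This is the list that came
# with the 2000 census and is an assumption here: take the current list from
# Census Bureau data before relying on it.
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790",
                   "821", "823", "830", "831", "878", "879", "884", "890", "893"}

SSN_RE = re.compile(r"^\d{3}-?\d{2}-?(\d{4})$")


def mask_ssn(ssn: str) -> str:
    """Display-only masking to the last four digits. Not Safe Harbor:
    a de-identified data set may not contain any part of the SSN."""
    m = SSN_RE.match(ssn.strip())
    if not m:
        raise ValueError("value is not SSN-shaped")
    return "***-**-" + m.group(1)


def safe_harbor_zip(zip_code: str) -> str:
    """Keep only the first three digits; 000 for restricted prefixes."""
    digits = re.sub(r"\D", "", zip_code)
    if len(digits) < 5:
        raise ValueError("ZIP code needs at least five digits")
    zip3 = digits[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def safe_harbor_age(birth_iso: str, as_of_iso: str) -> str:
    """Age in whole years, with 90 and over collapsed into '90+'."""
    birth = date.fromisoformat(birth_iso)
    as_of = date.fromisoformat(as_of_iso)
    years = as_of.year - birth.year
    if (as_of.month, as_of.day) < (birth.month, birth.day):
        years -= 1
    return "90+" if years >= 90 else str(years)


def deidentify(record: dict, as_of_iso: str) -> dict:
    """Return a new record with identifiers removed or generalized."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        if key == "zip":
            out["zip3"] = safe_harbor_zip(value)
        elif key == "dob":
            age = safe_harbor_age(value, as_of_iso)
            out["age"] = age
            if age != "90+":  # a birth year would reveal an age over 89
                out["birth_year"] = str(date.fromisoformat(value).year)
        elif key.endswith("_date"):  # admit_date, discharge_date, ...
            out[key[:-5] + "_year"] = str(date.fromisoformat(value).year)
        else:
            out[key] = value  # e.g. a diagnosis code: not an identifier
    return out


# Constructed sample record, not real data.
SAMPLE = {
    "name": "Jane Q. Sample",
    "ssn": "123-45-6789",
    "dob": "1931-06-15",
    "zip": "19102-1234",
    "admit_date": "2009-03-02",
    "diagnosis": "E11.9",
}

if __name__ == "__main__":
    print(mask_ssn(SAMPLE["ssn"]))
    print(deidentify(SAMPLE, "2009-04-01"))
```

Note the age edge case: for a patient of 90 or older the birth year is withheld as well, since "birth_year" plus the report date would reveal an age that Safe Harbor requires to be aggregated.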

  7. III. What’s Protected? • Sensitive Information about a Person • Drug and alcohol treatment • HIV status • Genetic screening • Children under 13 (COPPA) • Privileged communications

  8. III. What’s Protected? • Data “CIA” = Confidentiality, Integrity, Availability • Collection, Use and Disclosure • Informed Consent

  9. IV. Sources of Privacy & Security Obligations General Sources • U.S. Constitution – 4th Amendment; 14th Amendment; Griswold v. Connecticut • Torts – Intrusion upon Seclusion; Invasion of Privacy • Privileges – Judicial Codes • Accountant • Psychologist – 42 PA C.S.A. § 5944 • Sexual Abuse Victim Counseling – 42 PA C.S.A. § 5945.1 • Attorney • Physician

  10. IV. Sources of Privacy & Security Obligations Federal Laws and Regulations and Guidance: • U.S. Constitution –see above • Federal Privacy Act of 1974 – 5 U.S.C. §552a • FTC Consumer Online Privacy Principles 1998; Online Behavioral Advertising Principles 2009 • FTC COPPA – Children’s Online Privacy Protection Rule – 16 C.F.R. 312

  11. IV. Sources of Privacy & Security Obligations • HIPAA – Health Insurance Portability and Accountability Act of 1996 and Privacy and Security Rules, 45 C.F.R. Parts 160, 162 and 164, as amended by the HITECH Act (see below) • GLB – Gramm-Leach-Bliley Act (Financial Modernization Act of 1999) 15 U.S.C. § 6801 et seq. and Financial Privacy Rule 16 C.F.R. 313 and Financial Safeguards Rule 16 C.F.R. 314 • Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 C.F.R. Part 99)

  12. IV. Sources of Privacy & Security Obligations • FCRA – Fair Credit Reporting Act (15 U.S.C. § 1681 et seq.); amended by FACT Act – Fair and Accurate Credit Transactions Act of 2003 • Section 114 – Identity Theft Prevention – Red Flags Rules – 16 C.F.R. 681 • Section 116 – Proper Disposal of Consumer Information – Disposal of Consumer Report Information and Records – 16 C.F.R. 682

  13. IV. Sources of Privacy & Security Obligations • FDA – Research Data – Electronic Records and Signatures – “Part 11” – 21 C.F.R. 11

  14. IV. Sources of Privacy & Security Obligations • ARRA – American Recovery and Reinvestment Act of 2009 (“Stimulus Bill”) February 17, 2009 (www.whitehouse.gov; http://frwebgate.access.gpo.gov/) • HITECH Act – Health Information Technology for Economic and Clinical Health Act – Division A, Title XIII of ARRA • Subtitle D – Privacy – §§ 13400-13424 – amends HIPAA, substantially increases penalties (effective now) and adds a new federal data breach notification requirement for Protected Health Information

  15. IV. Sources of Privacy & Security Obligations State Laws: • More stringent state laws on protected health information supersede HIPAA – e.g. • PA Confidentiality of HIV-Related Information Act (“Act 148”) 35 P.S. § 7601 et seq. • Limits on use of Social Security Numbers, e.g. • PA Social Security Number Privacy Act – 71 P.S. § 2601 et seq.

  16. IV. Sources of Privacy & Security Obligations • Data Breach Notification Acts – • California and Massachusetts lead the trends • PA – Breach of Personal Information Notification Act – 73 P.S. § 2301 • NJ – New Jersey Identity Theft Prevention Act – N.J.S.A. § 56:11-44 et seq. and new draft rules with comment period closed 2/13/09 • DEL – Computer Security Breaches – Title 6, Chapter 12B

  17. IV. Sources of Privacy & Security Obligations • Torts – see above • Privileges – Judicial Codes (see above)

  18. IV. Sources of Privacy & Security Obligations Industry Standards – PCI – Payment Card Industry (Data Security Standard)

  19. IV. Sources of Privacy & Security Obligations Key obligations shared: • Risk assessment • Administrative, Physical and Technical Safeguards • Policies and Procedures • Training • Sanctions

  20. - Trends in Privacy and Security Laws: • Mandatory encryption • Mandatory and prompt reporting of data breaches • Increased penalties; enforcement • Increased third party vendor oversight, liability • Board level responsibility (e.g. Red Flags Rule)

  21. - Trends in Privacy and Security: • Data breaches • Increased Identity Theft • Class Actions

  22. V. What’s Loss, Liability, Breach? • Unauthorized Access • Loss that reasonably could lead to theft

  23. - Sanctions/Liability for Violations: Example Laws: • Section 5 of the FTC Act – unfair or deceptive acts • States – “Baby FTC Acts” • HIPAA, as amended by the HITECH Act

  24. - Sanctions/Liability for Violations: Enforcement Actions; Lawsuits: • Providence Health – unencrypted tapes – OCR/CMS HIPAA sanction; first monetary penalty ($100K) • Treatment Assocs of Victoria – TX AG charge – unlawfully dumping client records in publicly accessible garbage; TX Identity Theft Act and Baby FTC Act • Heartland Payment Systems, N.J. (payment card processor) – hacker; PCI standards; class action on behalf of affected financial institutions

  25. - Sanctions/Liability for Violations: Enforcement Actions; Lawsuits: • CVS – dumped prescription labels in dumpster; OCR and FTC joint enforcement: HIPAA Privacy Rule and FTC Act; $2.25 million; FTC 20-year monitoring • Premier Capital Lending – GLB Privacy and Security Rules; customer data; mortgage broker gave access that was used improperly • Mortgage broker Gregory Navone – consumer info into unsecured dumpster; FCRA Disposal Rule violation; charged with failure to implement training and to exercise oversight of service providers

  26. VI. Privacy & Security – Lessons Learned • Access is key; audit logs • Audit/Assessment of Risks • Effective Policies and Procedures • Sanction employees • Train employees • It is internal employees and consultants with authorized access
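The audit-log point on this slide (and the "access beyond their scope of authorization" question on slide 5), as an added example that is not part of the presentation: a Python review script that reads a constructed access log and reports two insider patterns, views of records outside the user's authorized departments and users who touch an unusual number of distinct patients in one day. The log format, the user names and the per-user scope table are assumptions of the example.

```python
"""Audit-log review for access outside authorized scope (added example)."""
from collections import defaultdict

# Assumed authorization scope: the patient departments each user may view.
# A user absent from this table is allowed nothing.
SCOPE = {
    "nurse01": {"cardiology"},
    "billing02": {"cardiology", "oncology"},
    "consult03": {"oncology"},
}

# Constructed audit log (timestamp user patient_id patient_dept action).
LOG = """\
2009-03-30T08:01:00 nurse01 P100 cardiology view
2009-03-30T08:05:00 nurse01 P101 cardiology view
2009-03-30T08:09:00 nurse01 P250 oncology view
2009-03-30T09:00:00 billing02 P100 cardiology view
2009-03-30T09:01:00 billing02 P101 cardiology export
2009-03-30T09:02:00 billing02 P102 cardiology export
2009-03-30T09:03:00 billing02 P103 cardiology export
2009-03-30T09:04:00 billing02 P104 cardiology export
2009-03-30T09:05:00 billing02 P105 cardiology export
2009-03-30T10:30:00 consult03 P250 oncology view
2009-03-30T10:31:00 consult03 P251 oncology view
2009-03-30T10:32:00 unknown99 P251 oncology view
"""


def parse_log(text: str) -> list:
    """Split whitespace-delimited log lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, dept, action = line.split()
        events.append({"ts": ts, "user": user, "patient": patient,
                       "dept": dept, "action": action})
    return events


def out_of_scope(events: list, scope: dict) -> list:
    """Events whose patient department is not in the user's scope.
    An unknown user has an empty scope, so every access is flagged."""
    findings = []
    for e in events:
        if e["dept"] not in scope.get(e["user"], set()):
            findings.append((e["user"], e["patient"], e["dept"], e["ts"]))
    return findings


def bulk_access(events: list, max_patients_per_day: int) -> dict:
    """(user, day) -> distinct patient count, for pairs over the threshold."""
    seen = defaultdict(set)
    for e in events:
        seen[(e["user"], e["ts"][:10])].add(e["patient"])
    return {k: len(v) for k, v in seen.items() if len(v) > max_patients_per_day}


def review(text: str, scope: dict, max_patients_per_day: int = 5) -> list:
    """Human-readable findings for an incident reporting team."""
    events = parse_log(text)
    lines = [f"OUT OF SCOPE: {u} accessed {p} ({d}) at {ts}"
             for u, p, d, ts in out_of_scope(events, scope)]
    lines += [f"BULK ACCESS: {u} touched {n} distinct patients on {day}"
              for (u, day), n in bulk_access(events, max_patients_per_day).items()]
    return lines


if __name__ == "__main__":
    for finding in review(LOG, SCOPE):
        print(finding)
```

Two design points worth carrying into a real deployment: the scope check fails closed (no entry means no access), and the volume rule counts distinct patients rather than raw events, so a clinician re-opening one chart many times is not mistaken for a bulk export.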

  27. VI. Privacy & Security – Lessons Learned • Vendor management/Due diligence – not just the contractual language required by HIPAA, GLB, the Red Flags Rule, etc. • Encryption • Data Breach – Prepare • Incident Reporting Team/Committee • Mandatory Reporting • Insurance

  28. VII. Privacy & Security - Resources • Data breach remedial products: • Credit monitoring products – negotiate contract (Experian) • Debix • Insurance coverage purchased (Data breach for one company cost $65K in postage alone!)

  29. VII. Privacy & Security - Resources • FTC.gov • OCR Listserv (Office for Civil Rights – DHHS) • CMS – HIPAA Security Rule • NIST – National Institute of Standards and Technology www.nist.gov; Computer Security Resource Center (http://csrc.nist.gov); (Draft) Guide to Protecting the Confidentiality of Personally Identifiable Information – 1/13/09 • IAPP www.privacyassociation.org

  30. U.S. Privacy & Security Laws Questions? Diana S. Hare Associate General Counsel Drexel University College of Medicine 215.255.7842 Diana.Hare@drexelmed.edu
