plan do watch...departmental procedures & training compliance audits cross-reference to critical...
TRANSCRIPT
5/30/2012
1
June 2, 2009
PLAN DO WATCH
Do: Legislative Mandates
Watch: Strategic Issues
Plan: Privacy as Business Imperative
Resources
Family Educational Rights and Privacy Act (FERPA)
Family Medical Leave Act (FMLA)
Genetic Information Nondiscrimination Act (GINA)
Red Flag Rules
American Reinvestment and Recovery Act (ARRA)
Health Information Technology for Economic and Clinical Health Act (HITECH)
FERPA Amended Regulations became effective January 8, 2009. New changes include:
◦ Unauthorized education record disclosures for health and safety emergencies.
◦ Disclosure of student identifications and user ID numbers.
◦ Expansion of ‘attending’ to include distance learning students.
◦ Release of education records to Contractors and other third parties.
◦ Re-disclosure of education records under Clery Act.
◦ Recommendations for breach of student records (NIST 800-100 and NIST 800-53 guidance)
Employers are now permitted new allowances to manage ill or injured workers.
◦ Provider certifies essential functions for specific job descriptions.
◦ May contact provider to clarify certification.
◦ Might require provider to certify in writing for return to work (fitness for duty). Can require certification every 30 days.
Employee must provide HIPAA authorization necessary for medical certification.
Results of genetic tests for individuals or family members that provide any data about medical history
Mandates modification of HIPAA’s Privacy Rule so that genetic information is treated as protected health information
Confidentiality safeguards required for collection, maintenance, and storage; limits disclosure of genetic information.
Employment: Prohibits discrimination in hiring, firing, job placement or promotion
Benefits: Disallows health plans’ use or disclosure of genetic data for underwriting purposes
Regulations due in 2009
FTC Red Flag Rules became effective May 1, 2009
Written ID Theft Prevention Program for any ‘covered account’ for individuals or households.
◦ regularly extending, renewing, or continuing credit;
◦ regularly arranging for such credit;
◦ acting as an assignee of an original creditor
(681.1) Users of consumer reports must develop reasonable policies and procedures to apply when they receive notice of an address discrepancy from a consumer reporting agency.
(681.2) Financial institutions and creditors holding “covered accounts” must develop and implement a written identity theft prevention program for both new and existing accounts.
(681.3) Debit and credit card issuers must develop policies and procedures to assess the validity of a request for a change of address that is followed closely by a request for an additional or replacement card.
Inventory and Risk Assessment of Accounts
Board of Trustees Review and Approval of Written Policies and Procedures
Red Flags Training
Departmental Procedures & Training
Compliance Audits
Cross-reference to Critical Incident and Breach Notification Plan and SSN Monitoring
Add or revise contract language to require contractors to establish a written identity theft program or to mirror the University’s Red Flags Program
Audit compliance at least annually.
Restrictions on Disclosures: prohibited with limited exceptions (as required by law)
Enforcement by State Attorney General
◦ Civil case (violation) of interest to state residents
◦ Damages and court fees to be awarded
◦ Federal court venue
◦ Effective for violations that occurred after enactment
Tiered Civil Monetary Penalties Collected
◦ Employees or individuals can be found liable under HIPAA.
Penalty tiers (minimum per violation / annual maximum):
◦ Tier A (“Did not know”):           $100 minimum per violation;    $25,000 annual maximum
◦ Tier B (“Reasonable cause”):       $1,000 minimum per violation;  $100,000 annual maximum
◦ Tier C (“Willful neglect”):        $10,000 minimum per violation; $250,000 annual maximum
◦ Tier D (“Uncorrected violation”):  $50,000 minimum per violation; $1,500,000 annual maximum
August 2009: Breach notification provisions and PHI breach notification
February 2010: Business Associates and Marketing
August 2010: Minimum Necessary and Prohibition on sale of electronic health records/PHRs.
January 2011: Accounting for Disclosures
February 2011: Enforcement for ‘willful neglect’
Section 13402 requires HIPAA covered entities to notify affected individuals of a breach of “unsecured protected health information”
◦ “Not secured through the use of a technology or methodology specified by the Secretary of HHS through guidance”
April 17th HHS Guidance recommends either encryption or destruction.
Encryption according to National Institute of Standards and Technology (“NIST”) or Federal Information Processing Standards (“FIPS”):
◦ “Data at rest” – NIST 800-111, Guide to Storage Encryption Technologies for End User Devices
◦ “Data in motion” – FIPS 140-2, including:
   NIST 800-52, Guidelines for the Selection and Use of Transport Layer Security Implementations
   NIST 800-77, Guide to IPsec VPNs
   NIST 800-113, Guide to SSL VPNs
Destruction:
◦ Paper, film, or other hard copy media must be shredded or destroyed to the extent that the PHI cannot be read or reconstructed.
◦ Electronic media must be cleared, purged or destroyed such that the PHI cannot be retrieved, and such destruction must be consistent with NIST 800-88, Guidelines for Media Sanitization.
Notification: Sets thresholds for triggering breach notification requirements as well as parameters for the method, content, and timing of the notification. For example,
◦ Must provide notice to consumers and FTC within 60 days of discovery;
◦ Notice must include mitigation details; and
◦ If 10 or more individuals cannot be reached, must post conspicuously for six months on homepage of website, or provide notice to print and broadcast media outlets in areas affected by breach.
Applies to breaches discovered on or after September 18, 2009.
Monitoring Technology
Breaches & Litigation
State Privacy Offices
Cloud Computing: Virtualized resources (www.) where users do not control computing infrastructure. HIGH Risk
Social Networks: Online utility that connects people with friends and others who work, study and live around them. MODERATE Risk
Texting: Short (160-character) messaging to mobile phones. LOW Risk
Twitter: Service to exchange quick, frequent answers to simple questions, i.e. What are you doing? LOW Risk
Global: User, data, and computing may be in different physical places, and each may be in more than one place.
Locus of software applications, data storage, and data processing.
Vendors: Currently accessed via web browser; Microsoft, Google, Facebook, Hotmail, Yahoo, Myspace
◦ Email management
◦ Data security services
◦ Hosting medical records
Geographical/Jurisdictional Issues:
◦ Location of servers where data is stored.
◦ Location of servers where data is processed.
◦ Location of user accessing services.
◦ Citizenship of data subject.
◦ Headquarters of service provider.
System of privacy laws that govern, especially with international providers. Data content may have legal implications, e.g., PII disclosures
Behavior targeting and marketing.
Incidents of “unthinking disclosure” will increase. Technology and institutions may offer limited protections. Potential cyber-bullying.
Provide general awareness training at student orientation (about vulnerabilities of ONS) as part of educational mission; add streaming video for hosted site registration to reduce ‘tagged’ exposures.
Conduct random audits of university ‘branded’ sites to ensure that contents are consistent with institutional Code of Conduct
Over 50 colleges and universities have experienced multiple reported privacy incidents since 2001. At a state level, California is home to seven doubly breached universities, while Ohio follows at four schools.
At least four universities have experienced five or more publicized privacy incidents.
Purdue University (7)
Ohio University (5)
University of Florida (5)
University of Iowa (5)
Stanford University: 72,000
University Georgia: 4,250
University Akron: 800
University of Florida: 101
Ohio University: 492
Tennessee Tech: 990
University Texas: 2,500
University of Maryland: 23,000
Penn State: 677
Georgetown University: 38,000
University of Florida: 1,900
University Minnesota: 3,100
Long Island University: 30,000
Middle Tenn. State: 1,500
Texas A&M: 3,000
Harvard University: 6,600
Binghamton University: 300
University of Miami: 2,100,000
University of Florida: 11,300
University of Utah: 2,200,000
University of Florida: 344,448
Oklahoma St. University: 70,000
UC San Francisco: 3,569
[Chart: # reported breaches at universities, by month (Sep through Aug; scale 0 to 50)]
Data-rich information systems creating a natural target.
Outdated and non-enforced data security safeguards.
Sophisticated intruders with potential criminal intent.
Careless or inattentive data systems management.
Negligent hiring practices or employee misuse of data.
Demonstrated opportunities for repeat access.
Business partners or research sponsors who fail to protect information.
Seminal means “Highly original and influencing the development of future events”.
When does a Privacy Breach cause harm?
◦ Identity theft and financial fraud
◦ Offensive publication of illicitly acquired PII
◦ Limited economic opportunities, e.g., job applicant
Canada, Australia, New Zealand are codifying that privacy-security breaches can cause harm.
Bell v. Acxiom, 2006 WL 2850042 (E.D. Ark. 2006): Computer hacking incident. Theft of unencrypted PII caused expenses; however, damages claim unproven for loss of income. Also rejected breach of contract and negligence.
Stollenwerk v. Tri-West Health Care Alliance, 254 Fed. Appx. 664 (9th Cir. 2007): Lost laptop. Identity theft can cause damages. No causation evidence.
Kahle v. Litton Loan Servicing LP, 1:05-cv-00756-MRB (S.D. Ohio 2007): Economic harm prerequisite for damages claim.
Pinero v. Jackson Hewitt Tax Service, Inc., No. 08-3535 (E.D. La. Jan. 7, 2009): Federal Court refused to dismiss claim for damages; allowed allegations of “false promise of data protection” to stand. Established basis to assert a damages claim and opens door for class action lawsuits based on same legal theory.
Department of Veterans Affairs Data Theft Litigation, No. 06-0506 (D. DC Jan. 27, 2009): $20 million fund to pay out-of-pocket breach related expenses. Fund is sizable and VA is willingly paying even though there are no actual damages or evidence to connect to possible identity theft.
Federal Precedent: Ninth Circuit Court (Stollenwerk) opined that ‘harm’ was not necessary for class action lawsuits resulting from data breach.
Partnering of Federal Agencies: FTC joined OCR to pursue claims against CVS with settlement costs of $2.25 million. Also, FTC can levy penalties where identity theft results.
States’ Action: ARRA permits states’ AG to sue for damages on behalf of residents.
California model for state governments to protect information privacy in state agencies
◦ Privacy Offices - Arizona, California, Ohio, West Virginia, and Wisconsin
◦ CPO – Florida
◦ Security and Technology Offices - All states
Varied Functions and Responsibilities
◦ Influence Legislative Agenda
◦ Topical Policies and Procedures
◦ Consumer Focused
New state requirements move from mitigation and loss to prevention:
◦ Nevada – Businesses to encrypt PII.
◦ California – Enhanced PHI safeguards; increased penalties for breaches; created Office of Health Information Integrity
◦ Massachusetts – Adopt technical security measures, e.g., encryption of portable media devices
The added penalties “will be seen as a revenue stream for states [as they enforce their laws]. It’s a way to pay for costs of health care.”
Shirley Morrigan, Foley & Lardner
Self-Assess Readiness to Address 2009 and Beyond
Infrastructure: Reporting Relationships
Job Descriptions: CPO
“Most colleges and universities devote insufficient resources to assessing the risks to, and systematically protecting the privacy and ensuring the security of, personal information.”
Fred H. Cate, Educause Review, October 2006
University Privacy Statement? Notice?
System-wide privacy policies that extend beyond medical centers and student records?
Evaluate privacy implications before buying or deploying new systems?
Audit for compliance with privacy policies and procedures?
Train its faculty and staff in privacy policies and procedures?
CPO position that reports to Board or President? Authority to act independently?
Fred Cate, Educause Review, October 2006
“In a sector regulated by the Health Insurance Portability and Accountability Act, the Family Educational Rights and Privacy Act, the Gramm-Leach-Bliley Act, the Fair Accounting and Credit Transaction Act, the Red Flag Rules, PCI DSS, and state-level laws on SSNs and breach notification - it’s surprising how few CPOs there are in academia. Only 20 Chief Privacy Officers were identified…”
Jay Cline, ComputerWorld, March 16, 2009
Extensive information privacy management and privacy practice experience in an academic setting; demonstrated understanding of all elements of information privacy management
Knowledge of federal and state privacy regulations and other regulations pertaining to other external agencies and businesses.
Knowledge of the issues and challenges of the university’s education and research (and clinical) components; a full understanding of and ability to adopt privacy management efforts to effectively respond to changes in education and research practices, legal or regulatory changes and technological trends.
Requires Master’s degree in Business, Health Care Administration, Public Health or a Juris Doctorate
Furst Group
A leader who understands the technical, legal and operational aspects of gathering, handling and securing personal data, and who can establish and maintain a comprehensive strategic vision for handling all personal data of employees, customers, and suppliers of an organization in a manner that is legal, secure and ethical, from the point of acquisition through the point of disposition, thereby gaining public trust in the organization’s role as custodian of such data.
International Association of Privacy Professionals, 2007
Increased Governmental Regulations, especially for identity theft and healthcare operations
Emerging Technology Risks and Expanding Data Security Obligations
Probable Litigation Developments and Enhanced Enforcement, especially from state legislators.
Continuing infrastructure and job profile challenges
What’s Missing?
UF Privacy Office
◦ http://privacy.ufl.edu
◦ 352-273-5094
◦ Toll-free Hotline: 866-876-4472