HHS – RISC Management and Consulting

Blog GDPR CCPA HIPAA

Note: After having various conversation with a few students learning about HIPAA, State Laws, and GDPR, we thought it would be useful to post a handout provided to the class.

California Consumer Privacy Act (CCPA) of 2018

Assembly Bill (AB) No. 375: Chapter 55

Beginning January 1, 2020, the bill would grant a consumer the right to request a business to disclose the categories and specific pieces of personal information that it collects about the consumer.

Consumer Privacy Law for companies that deal with personal data and those operating in the digital space. Companies that collect web browsing data and generate revenue from targeted advertising over internet platforms or service providers will be affected:

Facebook
Twitter
Google
AT&T
Verizon

CCPA

CCPA applies to for profit entities that both collect and process the personal information of California residents and do business in the State of California. However, a physical presence in California is not a requirement, and it appears that making sales in the state would be enough. Additionally, the business must meet at least one of the following criteria for the CCPA to apply (see blue box). Nonprofit businesses, as well as companies that don’t meet any of the mentioned thresholds, are not required to comply with the CCPA.

CCPA

Historical Background: SB 1386, Peace. Personal information: Privacy

On September 25, 2002, the California Senate Bill No. 1386 Chapter 915 was approved by Governor September 25, 2002 and filed with the Secretary of State September 26, 2002.

“Existing law regulates the maintenance and dissemination of personal information by state agencies, as defined, and requires each agency to keep an accurate account of disclosures made pursuant to specified provisions. Existing law also requires a business, as defined, to take all reasonable steps to destroy a customer’s records that contain personal information when the business will no longer retain those records. Existing law provides civil remedies for violations of these provisions.

This bill, operative July 1, 2003, would require a state agency, or a person or business that conducts business in California, that owns or licenses computerized data that includes personal information, as defined, to disclose in specified ways, any breach of the security of the data, as defined, to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The bill would permit the notifications required by its provisions to be delayed if a law enforcement agency determines that it would impede a criminal investigation. The bill would require an agency, person, or business that maintains computerized data that includes personal information owned by another to notify the owner or licensee of the information of any breach of security of the data, as specified. The bill would state the intent of the Legislature to preempt all local regulation of the subject matter of the bill. This bill would also make a statement of legislative findings and declarations regarding privacy and financial security.”

About 16 Years Later

The new privacy law (CCPA) Assembly Bill No. 375, will allow California residents to delete their data or bring it with them to alternative service providers. Data brokers who generate profits by collecting consumer data & profit by selling it to a third party are affected too:

Acxiom
Epsilon
Experian
Oracle

The Privacy Act contains a broad definition of “personal information”, as defined below.

The state’s attorney general will be the enforcer of this law. However, consumers will maintain a private right of action should companies fail to maintain reasonable security practices, resulting in unauthorized access to their personal data.

California residents will have a multitude of new Rights:

To know what personal information is being collected about them
To know whether their personal information is sold or disclosed and to whom
To say no to the sale of personal information
To access their personal information
To have equal service and price, even if they exercise their privacy rights
To receive financial incentives from businesses for providing their personal information
To prohibit a business from selling the personal information for under 16 years old consumers

For more information see AB 375 CCPA

“Personal information” is defined under the CCPA as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” The addition of the term “household” adds a dimension to a privacy law that is largely uncharted territory. Specifically, information collected by a business does not have to be associated with a name or specific individual, but rather can identify a household.

The definition of “personal information” under the CCPA also lists a wide range of standard examples that includes Social Security numbers, drivers’ license numbers and purchase histories, but also “unique personal identifiers” such as device identifiers and other online tracking technologies.

Note: CCPA excludes information that is publicly available.

Europe’s General Data Protection Regulation (GDPR) Entered the U.S.

Brief Explanation: Global privacy regulation (EU Regulation 2016/679)

Healthcare businesses (providers, digital health/health IT companies, and their vendors) that “control” and/or ”process” health data in the U.S. that may include data from EU “data subjects” will be required to comply with the new EU General Data Protection Regulation (GDPR).

Applicable as of May 25th, 2018 in all member states to harmonize data privacy laws across Europe
GDPR is broader in scope than HIPAA, as its protections extend to all broadly defined “personal data,” not just Protected Health Information (PHI)
Replaced the 1995 Data Protection Directive from the European Union, which only impacted U.S. companies that transferred the data of EU data subjects out of the EU
GDPR affects all companies that do business with EU data subjects, whether or not they have a presence in the EU
Any company that uses, collects, or retains any personal data from any European citizen, either knowingly or unknowingly, will have to comply with the GDPR – even if that citizen is physically located in the U.S

Concerns

Consumer confidence has been miserable and distressful post Equifax and Cambridge Analytica style compromising of our trust, leading to real consequences in personal identity theft , abuse and data privacy. Companies who were doing business in Europe under EU terms have had to deal with protecting privacy. California laws such as the two mentioned above SB 1386 and AB 375 are setting examples and we should not be surprised when other states follows to improve consumers security controls over the use of their data.

It is very simple, GDPR is similar to the U.S. State laws. HIPAA has many requirements corresponding to the GDPR requirements such as having policies, Data protection impact assessment, Technical vulnerability assessment, training, Data Protection Officer (DPO), etc.

Brief Explanation: HIPAA

Your RIGHTS Under HIPAA

Health Insurance Portability and Accountability Act of 1996

Public Law 104-191

Most of us believe that our medical and other health information is private and should be protected, and we want to know who has this information. The Privacy Rule, a Federal law, gives you rights over your health information and sets rules and limits on who can look at and receive your health information. The Privacy Rule applies to all forms of individuals’ Protected Health Information (PHI), whether electronic, written, or oral. The Security Rule is a Federal law that requires security for health information in electronic form.

To improve the efficiency and effectiveness of the health care system, HIPAA included Administrative Simplification provisions that required the U.S. Department of Health & Human Services (HHS) to adopt national standards for electronic health care transactions and code sets, unique health identifiers, and security. At the same time, Congress recognized that advances in electronic technology could erode the privacy of health information. Therefore, Congress incorporated into HIPAA provisions that mandated the adoption of Federal privacy protections for Individually Identifiable Health Information (IIHI).

Be Proactive not Reactive!

While numerous businesses are struggling to implement data strategies to assist them to meet regulatory requirements, it is not too late to start if you have not. With the potential risks and loss of customer trust that you jeopardise by not safeguarding your customers’ data, this is the perfect opportunity to act.

The CCPA has already been amended once and may go through additional updates before it takes effect, but businesses should start to prepare now. Privacy notices, other policies and procedures, and websites will need to be updated before the CCPA takes effect. At the very least, a business should start mapping the personal information that it collects and locations where personal information is stored so it can promptly meet any request under the CCPA.

Our team at RISC Management and Consulting are ready and able to assist your organization from all your Data privacy and information security requirements to State Laws and GDPR to protect your client’s Protected Health Information (PHI) and/or Personal information. We are committed to the success of our clients.

Solutions

Read the 10 Best Practices for CyberSecurity
Implement the use of Password Managers, visit http://lifehacker.com/5042616/five-best-password-managers
Visit Microsoft’s Safety and Security Center https://www.microsoft.com/security/pc-security/password-checker.aspx
Use Wi-Fi networks cautiously. Use VPN or SSL protection. Do not send sensitive data such as mobile banking through public Wi-Fi and Bluetooth. Turn off Bluetooth when not in use.
Make sure links or URLs are legitimate – only go to trusted sources
Install security software on your smartphone http://www.avast.com/en-us/free-mobile-security

SOLUTIONS

Solutions for cyber security

Note: Number nine pertains to Mobile Device protection, and a strong password is the best tip. For more information http://www.healthit.gov/providers-professionals/cybersecurity

Use Strong Passwords and Change Them Regularly – Visit Microsoft Safety and Security Center to see if your password is strong enough: https://www.microsoft.com/security/pc-security/password-checker.aspx
Install and Maintain Anti-Virus Software
Use a Firewall
Control Access to Protected Health Information
Control Physical Access
Limit Network Access
Plan for the Unexpected
Maintain Good Computer Habits
Protect Mobile Devices
Establish a Security Culture

Protect Mobile Devices

Mobile devices—laptop computers, handhelds, smart phones, and portable storage media— have opened a world of opportunities to un-tether EHRs from the desktop. But these opportunities also present threats to information security and privacy. Some of these threats overlap those of the desktop world, but others are unique to mobile devices.

Because of their mobility, these devices are easy to lose and vulnerable to theft.
Mobile devices are more likely than stationary ones to be exposed to electro-magnetic interference (EMI), especially from other medical devices, such as MRI machines. This interference can corrupt the information stored on a mobile device.
Because mobile devices may be used in places where the device can be seen by others, extra care must be taken by the user to prevent unauthorized viewing of the PHI displayed on a laptop or handheld device.
Not all mobile devices are equipped with strong authentication and access controls. Extra steps may be necessary to secure mobile devices from unauthorized use. Laptops should have password protection that conforms to that described in Practice 1 . Many handheld devices can be configured with password protection and this should be enabled when available. Additional steps must be taken to protect PHI on the handheld, including extra precaution over the physical control of the device, if password protection is not provided.
Laptop computers and handheld devices are often used to transmit and receive data wirelessly. These wireless communications must be protected from intrusion (Practice 6 describes wireless network protection). PHI transmitted unencrypted across public networks (e.g. the Internet, public Wi-Fi services) can be done where the patient requests it and has been informed of the potential risks. Generally, however, PHI should not be transmitted without encryption across these public networks.

Transporting data with mobile devices is inherently risky. There must be an overriding justification for this practice that rises above mere convenience. If healthcare data is stored on the mobile device, ensure that encryption is installed and enabled. The newest iPhone models have achieved FIPS 140-2 certification for their encryption modules. Mobile devices that cannot support encryption should not be used. This includes the inexpensive memory sticks or thumb drives that are widely available and often given away by vendors. Encrypted versions of these devices are readily obtainable at a modest cost—much less than the cost of mitigating a data breach. Remember to encrypt the removable media like the microSD card in your phone.

If it is absolutely necessary to take a laptop out of a secure area when the laptop contains patient data, the laptop’s hard drive should be encrypted. Encryption for laptops has become so affordable, and so easy to install and manage, it is hard to envision a reason that all laptops are not encrypted today. To leave a laptop unencrypted is to invite unnecessary risk to your organization and to ignore the benefits such as safe harbor from federal and state data breach laws.

Policies specifying the circumstances under which devices may be removed from the facility are very important and all due care must be taken in developing and enforcing these. The primary goal is to protect the patient’s information, so considerations of convenience or custom (e.g. working from home) must be considered in that light.

But I need to work at home today…

In today’s increasingly mobile world, it is certainly tempting to use mobile technology to break away from the office and perform work from the comfort of home, a travel hub, or a coffee shop. Those who have responsibility for protecting patient data must recognize that this responsibility does not end at the office door. Good security practices must always be followed.

Sponsored by: RISC Management, www.RISCsecurity.com

Contact us today for all your compliance needs: Sales@RISCsecurity.com

References

About.com. (2014). What makes a smartphone smart? Retrieved from http://cellphones.about.com/od/smartphonebasics/a/what_is_smart.htm

Bloomberg Business Week. (2013). How Samsung became the world’s no. 1 smartphone maker. Retrieved from http://www.businessweek.com/articles/2013-03-28/how-samsung-became-the-worlds-no-dot-1-smartphone-maker

HealthIT.gov.(2014). CyberSecurity: 10 Best practices for the small health care environment. Retrieved from http://www.healthit.gov/providers-professionals/cybersecurity

Hill, M. (2010). 5 Terrifying ways your own gadgets can be used to spy on you. Retrieved from http://www.cracked.com/article_18532_5-terrifying-ways-your-own-gadgets-can-be-used-to-spy-you.html

Home Box Office, Inc. (2014). The Wire. Retrieved from http://www.hbo.com/the-wire#/

Microsoft. (2014). Safety and security center: Create strong passwords. Retrieved from https://www.microsoft.com/security/pc-security/password-checker.aspx

Tech Media Network. (2014). Top Ten Reviews: 2014 Best smartphone reviews and comparisons. Retrieved from http://cell-phones.toptenreviews.com/smartphones/

U.S. Department of Health & Human Services. (2014). Health Information Privacy: Guidance materials for consumers. Retrieved from http://www.hhs.gov/ocr/privacy/hipaa/understanding/consumers/index.html

U.S. Department of Justice. (2013). Privacy and civil liberties: Electronic Communications Privacy Act of 1986. Retrieved from https://it.ojp.gov/default.aspx?area=privacy&page=1285