Title: Evolving Security & Privacy Laws & Regulations
Evolving Security & Privacy Laws & Regulations
- Michael W. Hubbard, J.D., Smith, Anderson, Blount, Dorsett, Mitchell & Jernigan, L.L.P.
- Carole A. Klove, R.N., J.D., Chief Compliance and Privacy Officer, Stanford Hospital & Clinics and Lucile Salter Packard Children's Hospital
- Jeanne Smythe, CISM, Director of Computing Policy and Compliance, University of North Carolina at Chapel Hill
- AMC Security & Privacy: Progress & Prospects, Research Triangle Park, North Carolina, September 26, 2005
- Note: The information reported is general in nature and, because individual circumstances differ, should not be construed as legal advice.
Agenda for this Session
- Evolving Privacy & Security Laws
- Trends of More Complaints and Incidents
- AMC Security Management Trends
- Group Discussion
Evolving Privacy & Security Laws
Key Privacy Laws Affecting AMCs
- Health Insurance Portability and Accountability Act (HIPAA)
- Gramm-Leach-Bliley?
  - Potentially applicable if the AMC is a vendor to a commercial health plan or if it makes loans to medical students
- Federal Trade Commission Act (FTC Act)
- Food and Drug Administration (FDA) Regulations
- Fair and Accurate Credit Transactions Act (FACTA)
  - FTC Disposal Rule
  - Consumer credit reports regarding patients, and regarding potential hires in pre-employment screening
- Fair Information Practices (FIPs) Principles
Key Privacy Laws Affecting AMCs, cont'd
- Cross-Border Data Transfer Laws
- State Consumer Protection Laws (especially California!)
- State Privacy Breach Notice Laws
- Children's Online Privacy Protection Act (COPPA)
- Medicare Conditions of Participation
- Patriot Act
Security Breach Notification: the New Driver
- California Security Breach Notification Law (SB 1386)
- Many observers attribute the flood of news stories in the last year about privacy breaches to this California law; California had the first law in the United States requiring notice to consumers.
- Congress and the states are very busy on this topic.
New State Data Protection Laws
- North Carolina Senate Bill 1048
  - Privacy breach notification
  - Destruction of records
North Carolina Senate Bill 1048
- Applies to "personal information," which is a person's first name or first initial, and last name, in combination with "identifying information," which includes:
  - Social security numbers.
  - Driver's license numbers.
  - Checking account numbers.
  - Savings account numbers.
  - Credit card numbers.
  - Debit card numbers.
  - Personal Identification (PIN) Code as defined in G.S. 14-113.8(6).
  - Electronic identification numbers.
  - Digital signatures.
  - Any other numbers or information that can be used to access a person's financial resources. (emphasis added)
  - Biometric data.
  - Fingerprints.
  - Passwords.
  - Parent's legal surname prior to marriage.
North Carolina Senate Bill 1048, cont'd
- Effective date for most provisions: October 1, 2006.
- More than a data breach notification bill.
North Carolina Senate Bill 1048, cont'd
- § 75-64. Destruction of personal information records. "(a) Any business that conducts business in North Carolina and any business that maintains or otherwise possesses personal information of a resident of North Carolina must take reasonable measures to protect against unauthorized access to or use of the information in connection with or after its disposal."
- "(f) A violation of this section is a violation of G.S. 75-1.1, but any damages assessed against a business because of the acts or omissions of its nonmanagerial employees shall not be trebled as provided in G.S. 75-16 unless the business was negligent in the training, supervision, or monitoring of those employees. No private right of action may be brought by an individual for a violation of this section unless such individual is injured as a result of the violation."
North Carolina Senate Bill 1048, cont'd
- § 75-65. Protection from security breaches. "(a) Any business that owns or licenses personal information of residents of North Carolina or any business that conducts business in North Carolina that owns or licenses personal information in any form (whether computerized, paper, or otherwise) shall provide notice to the affected person that there has been a security breach following discovery or notification of the breach."
- § 14-113.21. Venue of offenses. "In any criminal proceeding brought under G.S. 14-113.20, the crime is considered to be committed in the county where the victim resides, where the perpetrator resides, where any part of the financial identity fraud took place, or in any other county instrumental to the completion of the offense, regardless of whether the defendant was ever actually present in that county."
- § 120-61. Report by State agencies to the General Assembly on ways to reduce incidence of identity theft. "Agencies of the State shall evaluate and report annually by January 1 to the General Assembly about the agency's efforts to reduce the dissemination of personal identifying information, as defined in G.S. 14-113.20(b)."
Evolving Common Law
- What is the liability standard: (1) the prevailing standard of care among like providers, or (2) the reasonable person standard?
- "When the alleged breach does not involve the rendering or failure to render professional nursing or medical services requiring special skills, it is not necessary to establish the standard of due care prevailing among hospitals in like situations in order to develop a case of negligence. The standard of care of a reasonable, prudent person is generally the standard the courts have applied." Burns v. Forsyth Memorial Hospital, 81 N.C. App. 556 (1986)
Evolving Common Law, cont'd
- Claim for negligence per se: is HIPAA a safety statute?
- "Our Supreme Court has held that when a statute imposes a duty on a person for the protection of others, it is a public safety statute and a violation of such a statute is negligence per se." Gregory v. Kilbride, 150 N.C. App. 601, 610 (2002)
Evolving Common Law, cont'd
- Fair Information Practices (FIPs) principles and remedies
- Will FIPs become a part of common law in the states?
Claim: Negligent Formulation of Privacy and Security Policies
- Also a claim for negligent enforcement of policies
- See Foster ex rel. J.L. v. Hillcrest Baptist Med. Ctr., No. 10-02-143-CV, 2004 WL 254713 (Tex. App.-Waco Feb. 11, 2004)
Unfair and Deceptive Trade Practices Claims Based on Privacy/Security Failure
- Alleged inconsistencies between the privacy notice and actual privacy practices
- See, e.g., California Consumer Healthcare Council v. Kaiser Foundation Health Plan, Inc., et al., Superior Court of the State of California, County of Alameda, Case No. RGO414572, Complaint filed March 15, 2004
  - Kaiser's HIPAA Privacy Notice is Exhibit A to the litigation complaint
  - Plaintiffs allege actual handling of health information deviated from what the privacy notice said.
Unfair and Deceptive Trade Practices Claims Based on Privacy/Security Failure, cont'd
- Key HIPAA requirements for privacy notices.
  - "The notice must contain . . . a statement that all other uses and disclosures will only be made with the individual's written authorization . . . ."
- Some privacy notices (especially on websites) contain gratuitous and strong assurances regarding privacy and security of personally identifiable information.
FTC Act, Section 5
- "The Commission is hereby empowered and directed to prevent persons . . . from using unfair methods of competition in or affecting commerce and unfair or deceptive acts or practices in or affecting commerce." (emphasis added)
In re Petco Animal Supplies, Inc.
- Petco stated in its privacy notice that consumers' credit card numbers and other personal information would be (1) "completely safe" and (2) maintained in encrypted form.
- The FTC alleged that Petco engaged in deceptive practices because the Petco website was easily subject to attack and the data was not encrypted.
- Consent Order: For twenty years, Petco must get a biennial assessment of its security practices from a qualified, objective, independent third-party professional and must provide supporting materials to the FTC.
In re BJ's Wholesale Club, Inc.
- The FTC alleged that BJ's committed unfair acts and practices in failing to implement reasonable protections of credit and debit card information.
- In June 2005, BJ's and the FTC agreed to a 20-year consent decree.
- This is the first FTC privacy enforcement of unfair acts and practices, as opposed to deceptive acts and practices; the BJ's enforcement is not based on a privacy notice that was violated.
Trends of More Complaints and Incidents
Points to Consider in Incident Response
- Attorney-client privilege
- Public relations
- Alert management
- Investigate
- Consider applicable data breach notification laws in applicable jurisdictions
- Identify data/files/executables to quarantine, destroy, or preserve for chain of custody purposes in a later proceeding, etc.
- Compare to policies and procedures
- Identify gaps
- Identify lessons learned or any changes to policies
- Identify how to communicate to a patient or a customer
- Identify what documentation is required
AMC Security Management Trends
Consumer Requests
- Consumer awareness and requests
- Identity theft
- Access to and correction of records
- Collateral damage
- May be used as a way to take out frustrations
Patient Communication Challenges
- Patient demand for insecure communications
  - Email today
  - IM tomorrow
- Once patients send you the medical information, you have a duty to protect it
Increasingly Hostile Environment
- More security incidents
- Viruses and worms are becoming more malicious
- Disproportionate number of incidents in the academic environment
- Accounting for disclosures is a nightmare
Small Mobile Devices and Media
- Becoming ubiquitous
  - PDAs, BlackBerries, Treos
- Multiple communication paths
- Not always centrally managed
- Patient management software easily available for download
  - Medical students as well as staff
- Personal and business use commingled
- Incident handling very difficult
Managing the Risk of FDA Approved Devices
- Dilemma: patching can invalidate the warranty
- Manage the vendor relationship proactively
- Inventory and understand the risk of the underlying embedded technology
- Frequency of need to address new vulnerabilities
Special Challenges for Academia
- Distributed academic environment makes some security challenges more difficult
- Blending of research and treatment records
- Disaster Recovery and Emergency Mode Operation Plan
- Technology usable but not secure for IT novices
Leverage What You're Already Doing
- Look to other compliance practices for examples of technical implementation
- You already need to do security for other compliance efforts and to manage risks
Group Discussion
Audience Experience
- Have you found the direction and trends discussed here to be also what you are experiencing at your institution?
  - 1 - Strongly disagree ___
  - 2 - Disagree ___
  - 3 - Neither agree nor disagree ___
  - 4 - Agree ____
  - 5 - Strongly agree ____
Audience Experience
- How is your institution preparing for this trend toward greater emphasis on privacy and security of sensitive (patient and other) data?
  - In communicating with patients
  - In incorporating key security considerations in new systems and processes in anticipation of more stringent requirements
Audience Experience
- What measures in policies, processes, and practices have been made to sensitize and prepare the workforce for this heightened focus on sensitive data?
  - Enterprise-wide, multi-discipline teams/committees
  - Initial and continuing training efforts
Session Feedback Poll
- This session did a good job of engaging the panelists and the audience on the topic.
  - 1 - Strongly disagree ___
  - 2 - Disagree ___
  - 3 - Neither agree nor disagree ___
  - 4 - Agree ____
  - 5 - Strongly agree ____
Thank You!
- Carole Klove
  - Stanford Hospital & Clinics
  - 180 El Camino Real, Suite V860
  - Palo Alto, California 94304-5716
  - Telephone (650) 724-2572
  - cklove_at_stanfordmed.org
- Jeanne Smythe
  - University of North Carolina at Chapel Hill
  - Chapel Hill, North Carolina 27599
  - Telephone (919) 962-5322
  - jeanne_smythe_at_unc.edu
- Mike Hubbard
  - Smith, Anderson, Blount, Dorsett, Mitchell & Jernigan, L.L.P.
  - 2500 Wachovia Capitol Center
  - Raleigh, NC 27602-2611
  - Telephone (919) 821-6656