Data Privacy and the Law
News Flash: Data Privacy is a Big Deal.
The Federal Trade Commission (FTC) recently released its 2013 report, which again ranked identity theft as the top U.S. consumer complaint (nearly 300,000 complaints). U.S. Attorney General Eric Holder renewed the call for a national data breach notification law in response to ongoing identity theft concerns and the recent Target cyber-attack, in which attackers accessed the payment card information of 40 million Americans. The Target breach triggered consumer class actions, and banks are now suing Target to recover their added administrative costs (refunding transactions, opening new accounts, and freezing accounts or blocking transactions). Attorney General Holder correctly observes that data breaches are common.
The European Union (EU) recently called for strengthening EU data protection laws. Among its requested improvements were a "general omnibus U.S. privacy law" and restored trust in EU-U.S. personal data transfers. This makes sense given the evidence that the National Security Agency secretly eavesdropped on German Chancellor Angela Merkel's mobile phone calls. The German Federal Minister of Justice and Consumer Protection announced this month that consumer rights organizations will soon be able to sue businesses directly for breaches of German data protection law. And the Financial Times recently reported that former French President Nicolas Sarkozy was taped (although not by the NSA) during what were believed to be confidential internal government discussions.
Waves of regulation are playing catch-up to rapidly escalating data breach events. Understanding how to navigate these regulations can help you avoid disaster. Why are there so many data privacy events and regulations?
Navigating the Electronic Ocean
Communications and commerce have evolved into the cloud, a digitized sea of data connecting every country and government. Maritime commerce once forced merchants to understand and manage international law (along with pirates and other security concerns). Today we navigate an electronic ocean that must be made as secure as possible for commerce. This is a complex, global process. But look no further than California. In February 2014 the Torrance office of Sutherland Healthcare Solutions, a medical billing company, suffered a break-in in which computers and hard drives were stolen, exposing the health data of up to 168,500 patients. The California Attorney General's Office recently sued Kaiser Permanente under California's data breach notification statute for delayed consumer notification of a breach involving non-health-record data. Forty-six states plus Washington, D.C., have data breach notification laws, and New Mexico is developing one. The California Attorney General has created both an eCrime Unit and a Privacy Enforcement and Protection Unit to pursue violations of the state and federal laws outlined in this article. You simply cannot ignore data privacy compliance!
Is Your Practice Really Ready?
Medical practices are accustomed to HIPAA regulatory compliance concerns. The HIPAA Final or Omnibus Rule, which took effect in 2013, made business associates (persons or entities that create, receive, maintain or transmit protected health information on behalf of a covered entity) and their subcontractors directly liable under HIPAA, so that virtually every person or entity holding decipherable electronic health information for a provider or plan is now subject to HIPAA regulation. In a sense, medical practices have an advantage: They are already familiar with steering through the dangerous waters of the HIPAA Privacy and Security Rules (that is, keeping electronic medical information private and documenting the measures taken to keep it private, scaled to the organization's resources and technology platforms). But medical practices (and frankly any business holding electronic health data) must realize that with data privacy now a global issue, HIPAA compliance will become the subject of increased audits and regulatory action. In 2013, the Health and Human Services (HHS) Office for Civil Rights (OCR) fined a Massachusetts dermatology practice $150,000 after an unencrypted thumb drive containing the ePHI of 2,200 individuals was stolen from an employee's car. The HIPAA violations included an impermissible disclosure of ePHI (a Privacy Rule violation), a failure to conduct an adequate risk analysis (a Security Rule violation), and a failure to train workforce members (a Security Rule violation). Other enforcement actions include Puerto Rico's health insurance administration fining a health plan contractor nearly $7 million for mailings on which patients' identifiable health information was in plain view. In 2012, OCR settled with an Arizona cardiology practice for $100,000 after the practice posted patient appointments on a publicly accessible Internet calendar.
The HHS Office of Inspector General (OIG) has called for increased HIPAA audits and increased OCR oversight of HIPAA compliance. Those audits will happen. Will HIPAA-regulated medical practices, and businesses that may not realize they are HIPAA regulated, be ready? With sufficient effort toward HIPAA compliance, the answer should be "yes." But neither medical practices nor businesses holding decipherable electronic health information should assume that borrowed forms, Internet browsing for templates, or crossed fingers will suffice.
More Changes
This year, HIPAA was the subject of yet another adjustment: a 2014 rule entitling patients to obtain their electronic laboratory test results directly from the labs. Without question, medical providers must watch more closely and regularly update their HIPAA compliance documents (the notice of privacy practices, business associate agreements with non-employee contractors that receive ePHI, and the written risk analysis, which should reflect a reasonable evaluation of security measures each time a new technology solution is adopted). If your medical practice has not updated its data compliance documents, or you are a business that holds decipherable health data without realizing that HIPAA regulates you, it is time to engage in data protection compliance efforts. Do not let your ship sink under the weight of avoidable data breach regulation and litigation. And do not assume HIPAA is the sole concern. As referenced above, there is a growing pool of regulation connected to data privacy, and privacy regulation is by no means limited to the healthcare industry. It has become a basic component of doing business in corporate America, and internationally.
Stay Active and Updated
Regulations can trigger frustration, but they also protect important fundamental rights. Piracy can seem romantic or entertaining from a distance, until you are a victim. Then it becomes very real, immediate and dangerous. The rapidly growing global interest in data privacy compliance means that your HIPAA compliance cannot be passive or presumed. It must be active and kept up to date. Electronic events occur with a rapidity unthinkable in prior times. That means your seaworthiness in the digital ocean will be tested by regulators, and by criminals. You may have very little time to steer clear of hazards. More than ever, your passengers expect you to run a tight ship. We all know how the movie ends about the beautiful unsinkable ship that lacked sufficient lifeboats and could not turn quickly enough to avoid an iceberg in icy water.
James Eischen & Austin Rutherford, "Data Privacy and the Law," Physician Magazine (Apr. 2014), https://higgslaw.com/wp-content/uploads/2014/04/Eischen-Article-Data-Privacy-and-the-Law.pdf.