Lack of a sufficient risk analysis continues to be one of the most commonly alleged violations in Office for Civil Rights (OCR) HIPAA enforcement actions, appearing in half of all OCR settlements announced in the last 12 months and in almost all of the $1 million-plus settlements during that time period. Significant confusion remains across the health care industry as to what actually constitutes a compliant risk analysis for purposes of the HIPAA Security Rule. On April 30, 2018 OCR issued guidance discussing the differences between a HIPAA Security Rule risk analysis and a HIPAA compliance “gap analysis.” Drawing from our experience reviewing clients’ historical risk analysis documents, helping clients to navigate OCR investigations and negotiating several recent HIPAA settlements with OCR, we elaborate on what constitutes a compliant HIPAA Security Rule risk analysis, discuss common risk analysis misunderstandings and pitfalls, and encourage covered entities and business associates to consider whether to conduct these reviews under attorney-client privilege.
Dave Gacioch counsels clients across the health care industry and beyond on compliance and risk management issues. He also assists clients in conducting internal investigations and represents them in matters involving government investigations, enforcement actions and civil litigation.
With no Congressional consensus to adopt a federal data privacy and breach notification statute, states are updating and refining their already-existing laws to enact more stringent requirements for companies. Two states recently passed updated data privacy laws with significant changes.
The Rhode Island Identity Theft Protection Act (Rhode Island Data Law), an update to Rhode Island’s already-existing data security and breach notification law, introduces several new requirements for companies that store, collect, process, use or license personal identifying information (PII) about Rhode Island residents.
A few of these provisions are particularly noteworthy. First, the new law requires entities to “implement and maintain a risk-based information security program which contains reasonable security procedures and practices,” scaled to the size of the entity and the type of personal information in its possession. Second, the Rhode Island Data Law requires that any entity that discloses PII to a third party have a written contract with the third party pursuant to which the third party will also implement and maintain an information security program to protect the personal information. Third, the Rhode Island Data Law requires any entity that experiences a data breach of personal information to notify affected residents within 45 calendar days after it knows that a breach has occurred. (Rhode Island also required this under its previous law, but there was no precise time frame.) Among other information, the notification must now contain information about data protection services to be offered to the resident, as well as information about how the resident can request a security credit freeze.
Under both the old and new laws, a health care provider, insurer or covered entity that follows the medical privacy and security rules established by the federal government pursuant to the Health Insurance Portability and Accountability Act (HIPAA) is deemed compliant with the law’s requirements. The Rhode Island Data Law will become effective June 26, 2016.
The Connecticut Act Improving Data Security and Effectiveness (Connecticut Data Law) similarly updates Connecticut’s existing law and introduces more stringent requirements for entities that store, collect, process, use or license PII about Connecticut residents.
Perhaps most noteworthy, the Connecticut Data Law puts in place important new requirements for notification following a data breach. Unlike the older Connecticut breach notification law, the Connecticut Data Law requires an entity to notify affected individuals of a data breach within a set period of 90 days. In addition, if the breach involves disclosure of Social Security numbers, the entity must also provide affected individuals with free credit monitoring services for one year. Many companies already offer credit monitoring at no cost to customers affected by a breach voluntarily, but laws like Connecticut’s make it a mandatory part of any company’s response.
Additionally, the Connecticut Data Law imposes significant new requirements on insurers and state contractors that handle PII. Health insurers are required to develop and follow a written data security program, and to certify annually to the state insurance department that they are following that program. State contractors must implement and maintain a data security program to safeguard PII and maintain the information in a secure manner as specified in the statute.
The law’s requirements regarding data breach notification become effective October 1, 2015, but insurers have until October 1, 2017 to create and implement the required written data security program.
These new laws highlight important takeaways for businesses:
- Any business operating across multiple states must be aware of the specific requirements of state data privacy and breach laws, and updates to those laws.
- If other states follow Rhode Island and Connecticut’s lead, state data security and breach notification requirements will continue to become more, not less, stringent.
- Any business that collects or maintains data about Rhode Island or Connecticut residents should evaluate its own policies and procedures regarding data security and breach response, and update those procedures in light of the new requirements.
The Supreme Court of the United States’ recent decision prohibiting warrantless mobile phone searches incident to arrest underscores unique privacy concerns raised by modern technology. The decision has an immediate impact on an individual’s rights under the Fourth Amendment, and may also have an impact on evolving areas of white collar and employment law.
“Heartbleed” has been all over the news, and companies have been scrambling to respond. What sounds like a nasty medical condition is actually a recently disclosed flaw (CVE-2014-0160) in OpenSSL, the open-source cryptographic library behind a large share of the web’s SSL/TLS connections; it has been widely reported that roughly 60 percent of all web servers rely on it. The bug is a missing bounds check in OpenSSL’s handling of the TLS heartbeat extension: a remote party can ask a vulnerable server (or client) to echo back up to 64 KB of its process memory per request, and the request leaves nothing unusual in ordinary server logs. According to the Federal Trade Commission, the flaw can permit a hacker to unlock the encryption and “monitor all communication to and from a server—including usernames, passwords, and credit card information—or create a fake version of a trusted site that would fool browsers and users, alike.” The flaw affects OpenSSL 1.0.1 through 1.0.1f and was fixed in 1.0.1g, released April 7, 2014.
So how can companies stop the bleeding?
- Figure out which websites, systems (like e-mail) and applications (like virtual private network [VPN] endpoints, load balancers or database management software) use an affected OpenSSL build (1.0.1 through 1.0.1f), including client-side software that makes TLS connections. Check the vendor’s advisory rather than relying on the reported version number alone, because some vendors backported the fix without changing that number. More information about how internal information technology (IT) teams can find and fix the flaw can be found on heartbleed.com.
- A comprehensive review of systems is important because, according to security firm Coalfire, OpenSSL is a library that is not just used on externally facing websites. It also is frequently built into internal applications, management consoles, “appliances” and legacy systems, which will remain vulnerable until they are patched and restarted. This is especially critical for systems that contain sensitive information, such as protected health information, financial information, Social Security numbers and other highly confidential items. A firm like Coalfire can scan corporate systems to discover the vulnerability at a relatively modest cost.
- Update to a fixed version of OpenSSL (1.0.1g or later, or a vendor build carrying the backported fix) and restart every service that had the old library loaded, since a running process keeps using the vulnerable code until it is restarted. After updating, companies need to generate a new private key (most IT teams know how to do this), obtain a new SSL certificate issued against that key from a trusted certificate authority, and revoke the old certificate. Generating the new key is critical. The private key sits in the same process memory the flaw exposes, so patching alone leaves a stolen key usable to impersonate the site or to decrypt captured traffic that was not protected by forward secrecy. Session tokens, cookie-signing secrets and other credentials that passed through the vulnerable process should be rotated as well.
- Confirm that vendors, business partners and contractors that provide technical services or support to company systems have patched any affected OpenSSL builds in their systems and rotated their keys and certificates.
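The four steps above, as an added shell example that is not part of the original post and not Coalfire’s or heartbleed.com’s tooling. The version check matches the output of `openssl version` against the affected upstream releases; the stale-process check assumes a Linux `/proc` filesystem; the key-rotation helpers use the standard `openssl` command-line tool with placeholder paths and subject name. Version-string matching is only a first pass: several distributions shipped the fix in a build still labelled 1.0.1e, so a “vulnerable” result means “verify against the vendor changelog,” not “confirmed exploitable.”

```sh
#!/bin/sh
# Added example: Heartbleed (CVE-2014-0160) inventory and post-patch checks.
# Not from the original post; paths, hostnames and subject names are placeholders.

# heartbleed_version_status "<output of: openssl version>"
# Prints: vulnerable | not_vulnerable | unknown
# Affected upstream releases: 1.0.1 through 1.0.1f, and 1.0.2-beta1.
# 1.0.1g (7 Apr 2014) fixed it; 1.0.0 and 0.9.8 never contained the heartbeat code.
heartbleed_version_status() {
    ver=$(printf '%s' "$1" | sed -n 's/^OpenSSL \([0-9][0-9a-z.-]*\).*/\1/p')
    case "$ver" in
        "")                              echo "unknown" ;;
        1.0.1|1.0.1[a-f]|1.0.1[a-f]-*)  echo "vulnerable" ;;   # also catches 1.0.1e-fips
        1.0.2-beta1)                     echo "vulnerable" ;;
        *)                               echo "not_vulnerable" ;;
    esac
}

# Patching the package is not enough: a long-running daemon keeps the old
# libssl mapped until it is restarted. On Linux the replaced file shows up in
# /proc/<pid>/maps marked "(deleted)". Prints "<pid> <comm>" per stale process.
stale_libssl_processes() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        pid=${pid%/maps}
        if grep -q 'libssl[^ ]* (deleted)' "$maps" 2>/dev/null; then
            printf '%s %s\n' "$pid" "$(cat "/proc/$pid/comm" 2>/dev/null)"
        fi
    done
}

# New private key plus CSR for the replacement certificate (step 3 of the post).
# Submit the CSR to the CA, install the issued certificate, then revoke the old one.
new_key_and_csr() {   # new_key_and_csr <common-name> <new-key.pem> <new-csr.pem>
    openssl req -new -newkey rsa:2048 -nodes -keyout "$2" -out "$3" -subj "/CN=$1"
    chmod 600 "$2"
}

# Proof the key really changed: SHA-256 of the DER public key inside the old
# certificate versus the one derived from the new private key. "SAME KEY" means
# the new certificate was requested with the old key, the mistake the post warns about.
verify_key_rotated() {   # verify_key_rotated <old-cert.pem> <new-key.pem>
    old=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    new=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
    if [ "$old" != "$new" ]; then echo "rotated"; else echo "SAME KEY"; fi
}

# Demo on constructed version strings (no openssl binary needed for this part).
for v in "OpenSSL 1.0.1e 11 Feb 2013" \
         "OpenSSL 1.0.1e-fips 11 Feb 2013" \
         "OpenSSL 1.0.1g 7 Apr 2014" \
         "OpenSSL 1.0.2-beta1 24 Feb 2014" \
         "OpenSSL 1.0.0k 5 Feb 2013" \
         "LibreSSL 2.8.3"; do
    printf '%-36s %s\n' "$v" "$(heartbleed_version_status "$v")"
done

# Live check of this host, only if openssl is installed.
if command -v openssl >/dev/null 2>&1; then
    printf 'local build: %s\n' "$(heartbleed_version_status "$(openssl version)")"
fi
```

Run `stale_libssl_processes` as root after the package update; every process it lists must be restarted before the host can be considered fixed. `verify_key_rotated old.crt new.key` is worth keeping in the change ticket as evidence that the replacement certificate does not reuse the possibly-leaked key.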
But what about the blood that’s already spilled?
After taking these steps to stop the bleeding by fixing OpenSSL flaws, a critical next step is for companies to assess what data, credentials and sessions passed through the affected systems while they were exposed and had been thought to be protected by encryption. Because exploitation does not show up in ordinary server or application logs, that assessment has to rest on what the vulnerable systems handled, not on evidence that an attack occurred.
Companies should consider evaluating with counsel how and when to communicate with customers and employees about changing log-in credentials and taking any other appropriate steps in light of the particular situation addressed by the company.
In addition, given the publicity and attention to this issue, customer service lines might see an increase in calls inquiring whether a company’s website is secure and whether log-in credentials should be changed. Convening the right internal resources to prepare clear, concise talking points will help those customer service teams convey accurate, consistent information in a way that minimizes harm to consumers and brand.
Even if companies are confident that their own sites have been fixed, they should consider whether employees may have used corporate log-in credentials on mobile devices or over connections, such as remote access VPN systems or third-party hotspots, that may have been vulnerable to Heartbleed. Those credentials will need to be changed and employees instructed on how to avoid exposing that information again through another connection that may not yet be patched.
Finally, organizations that find themselves to have been impacted significantly by this vulnerability should pre-plan with counsel for potential regulator attention and class action litigation in response to breach reports, media coverage and consumer complaints. To do this, companies should contact their regular McDermott lawyer or any one of the authors who are poised to help.
Boston-based litigation partner Matt Turnell shares his predictions about class action litigation under the Telephone Consumer Protection Act (TCPA) and Electronic Communications Privacy Act (ECPA) in 2014 and Boston-based white-collar criminal defense and government investigations partner David Gacioch shares his predictions about government responses to data breaches.
Class Action Litigation Predictions
2014 is already shaping up to be an explosive year for privacy- and data-security-related class actions. Last December’s data breach at Target has already led to more than 70 putative class actions being filed against the retailer. With recently disclosed data breaches at Neiman Marcus and Michaels Stores—and possibly more to come at other major retailers—court dockets will be flooded with these suits this year. And consumers are not the only ones filing class actions; banks that have incurred extra costs as a result of the data breaches are headed to court as well, with at least two putative class actions on behalf of banks filed so far against Target.
That volume of litigation related to the Target data breaches likely will be matched by a steady stream of class actions filed under the TCPA. 2013 was a busy year for the TCPA docket and I expect that the Federal Communications Commission’s (FCC) stricter rules requiring express prior written consent from the called party, which took effect in October 2013, means that 2014 will be just as busy since the majority of TCPA class actions seek statutory damages for companies’ failure to obtain consent before making autodialed or prerecorded voice calls or sending unsolicited text messages or faxes.
In 2014, I expect to see key decisions under the ECPA related to social media platforms and email providers capturing and using content from customers’ emails and other messages for targeted advertising or other purposes. One district court has already denied a motion to dismiss an ECPA claim challenging this conduct and I predict that other decisions are forthcoming this year. Needless to say, decisions in favor of class-action plaintiffs in this area could have major implications for how social media sites and email providers do business.
– Matt Turnell, Partner
Government Responses to Data Breaches
As significant data breaches continue to dominate the news, public awareness of data privacy and security issues will increase, as will their political appeal. I expect to see in 2014:
- Record numbers of breach reports to state and federal regulators, as awareness of reporting obligations spreads further and further across data owner, licensee, broker and transmitter groups;
- More states committing more enforcement resources to data privacy and security, including budget dollars and dedicated attorney general’s office units;
- More state/federal and multi-state coordination of investigations, leading to increased settlement leverage by enforcement authorities vis-à-vis firms under investigation; and
- Greater numbers and dollar values of settlements by the Federal Trade Commission (FTC) and state attorneys general than ever before.
Similarly, the HIPAA Omnibus Final Rule going into effect on September 23, 2013, coupled with the late-2013 Department of Health and Human Services (HHS) Office of Inspector General report decrying the HHS Office for Civil Rights’ (OCR) recent pace of HIPAA-related auditing and enforcement, will lead to a jump in HIPAA breach reporting and harder lines taken by OCR with respect to investigation dispositions. Therefore, expect increased settlement counts and dollar values in OCR enforcement during 2014, too.
Substantively, expect enforcement agencies to continue focusing their greatest attention on companies that they perceive as foot-dragging or stone-walling on notification obligations in the aftermath of breaches.
– David Gacioch, Partner
In Boston, we celebrated Data Privacy Day (January 28) by presenting “U.S. Privacy and Data Protection: 2013 Year In Review and a Prediction of What’s to Come in 2014” for participants in an IAPP KnowledgeNet. Our panel of speakers discussed significant U.S. data privacy and protection events from 2013 and shared thoughts about what’s ahead for 2014 in U.S. data privacy and protection. You may download the presentation slides here.
We hope you find our presentation materials informative. Of course, please do not hesitate to contact any member of the Of Digital Interest editorial team with questions or comments.