Health Law News

HIPAA OMNIBUS COMPLIANCE – COVERED ENTITIES AND BUSINESS ASSOCIATES

Sweeping changes to HIPAA/HITECH (the Health Insurance Portability and Accountability Act, “HIPAA,” and the Health Information Technology for Economic and Clinical Health Act, “HITECH”) took effect September 23, 2013. This long anticipated final omnibus rule greatly expands the reach of those directly liable under HIPAA. Under the new rules, “Covered Entities” (covered healthcare providers, health plans and others defined in the rule) must update their Business Associate Agreements (see Note 3 below). “Business Associates” are now directly liable for any breach of protected health information (PHI) and must comply with the rule changes concerning sub-contractors and their own obligations to protect PHI.

Entities with compliant Business Associate Agreements in place before the rule change have until September 23, 2014 to update those agreements to bring them in line with the new requirements. Business Associates must also enter into Business Associate Agreements with their sub-contractors and should exercise great care in vetting new hires and monitoring compliance by those sub-contractors. Other professionals such as attorneys and financial advisors working with regulated entities, who are not themselves characterized as Covered Entities or Business Associates, must still exercise care in accessing, using or transmitting any confidential, protected information so as not to expose themselves or their clients to potential violations. Periodic training for those handling PHI and regular audits of all systems and processes involving PHI will help minimize accidental violations of the rules.

In large part, the new omnibus rulemaking was driven by the massive amount of PHI shared by healthcare providers and their vendors through open networks, electronic transmissions, digital media, mobile devices and e-health exchanges, each of which exposes PHI to additional vulnerabilities during use or transmission.

Key changes to the HIPAA rules include:

  1. Expanding Privacy, Security and Breach Notification Policies and Procedures (with new form and work flow requirements for some providers). Breaches are now presumed reportable unless, after completing the mandated risk assessment (defined by four factors), the entity determines that there is a “low probability of PHI compromise.” The rules do not modify the actual reporting requirements: Covered Entities and Business Associates must still provide individual notifications, HHS notifications and, where applicable, media notice of the breach.
  2. Notices of Privacy Practices (NPPs) must be amended to reflect major changes in the rules concerning breach notification, disclosures to health plans, and marketing and sale of PHI. Updates to NPP policies should be posted to a healthcare provider’s website and adhere to other requirements of the privacy rules.
  3. Business Associate Agreements (BAAs). The new rules greatly expand the universe of individuals and entities that will now be treated as “Business Associates,” including health information exchanges, e-gateways, personal health record vendors and others. Covered Entities have until September 23, 2014 to bring all of their existing BAAs into conformance with the new rules. (The September 23, 2013 compliance deadline applied to Business Associates not yet under contract as of that date.) Those characterized as “Business Associates” under HIPAA are now directly liable for any compromise of PHI and must comply with all of the privacy, security and breach policy amendments of the rules or suffer the consequences.

Next Steps: Some of the most sweeping changes to the HIPAA privacy and security rules expand the obligations of Business Associates, making them directly liable for any compromise of PHI. Covered Entities and Business Associates should immediately take steps to ensure that their Business Associate Agreements (including those with sub-contractors) are fully compliant with the new rules. Additional care should be taken to ensure that updates to privacy practices and work flows are actually being carried out, not just written down. Those covered by the final omnibus rule must conduct periodic audits and training to ensure that all systems, processes and devices accessing, using, transmitting or storing PHI fully comply with the new HIPAA/HITECH standards. With the potential for up to $1.5 million in fines, not to mention serious damage to a provider’s reputation, these new rules must be taken seriously.

Note: This commentary is not intended to and should not be construed as legal advice and is provided only as a summary of key changes to HIPAA/HITECH.

Last Updated (Tuesday, 18 February 2014 09:14)

What’s Your Risk Of Cyber Attack?

WHAT EVERY BUSINESS NEEDS TO KNOW:

Every business that uses, views, stores or otherwise handles personal customer information is at risk. The level of risk is largely determined by the business you’re in and what kind of “personal information” you have in your care, custody and control. If you use the internet to conduct business, you’ve significantly increased your exposure to cyber attack. However, there are things you can do to protect yourself and your customers. If your company is hacked and you haven’t adequately protected the data on your devices, you may find yourself in for a costly surprise. Small and mid-size businesses with high volumes of transactions are favored targets, because attackers have learned that their security is often not up to snuff, allowing easy access. These smaller incidents don’t usually get the same level of attention as the large breaches; however, the consequences are just as serious. The cost to a small or mid-size company of responding to a data breach can run from $100,000 to $500,000 or more. In today’s internet business environment, anyone handling credit cards, debit cards or other sensitive information such as a customer’s financial, legal or health information is particularly at risk.

Any business handling “personal information” has an obligation to protect its customers from the illegal use or disclosure of that protected information. The privacy and security protections regulating many industries include administrative, legal and technical requirements. Data breaches are often the result of either insufficient technical safeguards or careless handling of data. A great deal of debate has taken place over the amount of time it took for Target to notify its customers. The difficulty businesses face when a breach has occurred (or is suspected) is that steps must immediately be taken to contain and eliminate the intrusion, which usually requires a comprehensive forensic analysis. This first step can take weeks to complete, and the findings must then be evaluated with counsel familiar with the many layers of regulation, risk and reporting requirements. The assessment of when and whether a company is required to notify customers typically involves coordination with local, state and federal law enforcement officials. In many states, including Connecticut, the Attorney General must also be notified. These notifications extend to any state or territory where an affected customer resides. To add to the complexity following a breach, most states now have their own response requirements for known or suspected data breaches. Unfortunately, many of these laws have differing requirements and most don’t specify a timetable for reporting a breach. Connecticut’s statute requires that notice not be unreasonably delayed, which leaves a great deal open to interpretation. A business might also be directed to delay publicly reporting a breach by the Secret Service or other law enforcement authorities whose investigation the notice would impede.

The U.S. Senate recently re-introduced a Data Breach Bill in an effort to nationalize data security and reporting standards. Following the recent breach announcements by Target, Neiman Marcus and Michaels Stores, there will undoubtedly be many more efforts to strengthen cyber security standards. Currently, credit card security standards are primarily privately regulated by the major card brands, including MasterCard, Visa and American Express. These recent major breaches clearly show a need to better protect American businesses and residents. The technical standards required of merchants in America today (the Payment Card Industry Data Security Standard, PCI-DSS) for point of sale systems (and POS providers) are not nearly as strong as the EMV chip-card standards used in many European nations, where a stolen magnetic-stripe dump is far less useful. By latest counts, the recent Target breach involved over 100 million customers, whose data is now at risk. These pools of ill-gotten gain are typically sold on the black market within hours, leaving the door open to large scale fraud and identity theft for those affected.

Businesses handling any type of regulated “personal information” should immediately take steps to evaluate their risk and audit all devices. Responding to a cyber attack is a costly enterprise, which will include the costs of forensics, fines by the card brands, notification costs, legal expenses to evaluate and respond to the breach and mitigate damage, and the fallout certain to follow from unhappy customers and the many potential lawsuits and claims. The damage to a business’s reputation after a breach is impossible to put a dollar value on. Staying abreast of current and emerging regulations is critical to keeping a step ahead of the ever present risk of cyber attack. If you are notified or suspect that customer data may have been breached, it’s imperative to take this seriously and immediately take steps to evaluate the situation. Numerous states, including Connecticut, now permit the Attorney General to assess additional fines against businesses that do not notify affected customers in a timely fashion. Lastly and most importantly, having a comprehensive compliance program in place covering the technical, legal and administrative safeguards necessary to protect data is simply the best way to avoid a costly data breach, which has become a far too common occurrence today.

Attorney Tegan Blackburn frequently provides compliance counseling to businesses across diverse industries on preventing and responding to data breach.

Data Breach: What Steps Can Consumers Take To Protect Their Data?

Hardly a day goes by without some news about the Target data breach, which is now estimated to have affected over 100 million customers. Neiman Marcus and Michaels Stores have also just announced potential large scale breaches at their stores.

Protection of customer data is regulated on a number of different levels depending upon the type of transaction. Different state and federal laws and regulations come into play depending upon the type of transaction and where it occurred. Consumers may be surprised to learn that credit card transactions are for the most part privately regulated by the card brand industry (through the PCI-DSS standards). The technical standards required for point of sale transactions in the United States clearly need to be strengthened and are not nearly as robust as the standards used by many European countries (the EMV chip-card standards).

When a credit card breach is suspected, many of the card brands will promptly cancel credit cards and issue new cards to customers to limit liability. In some instances the card brands will shut down a merchant’s ability to process cards. The good news for consumers using credit cards is that most card brands (Visa, MasterCard, American Express and others) have a policy of no liability (some have a $50.00 limit for fraudulent transactions.) The news is not as good for debit card transactions where accounts can be hacked into and completely drained in a matter of moments.

Until better standards are in place, consumers should take the following steps to protect their financial security:

  • Cancel debit cards or keep only minimal balances in the accounts they draw on.
  • Obtain your free annual credit reports and immediately report any false or suspicious activity.
  • Use complex passwords (a combination of letters, symbols and numbers that does not relate to you personally and could not be easily guessed), change them promptly after any breach notice, and use a unique password for each account. That way, not all of your accounts are exposed if one is hacked. Weak passwords are one of the easiest ways to be attacked on-line: software bots running guessing programs at mind boggling speed on the internet 24/7 all too often gain entry through weak or reused passwords.
  • Consider adding identity theft protection to your insurance policies.
  • Keep antivirus software up to date on all devices. It’s critical to keep AV software current, and some products offer better protection than others.
  • Never open an email attachment that looks suspicious. Phishing lures with official sounding names, including Details.zip, UPS_document.zip, DCIM.zip, Report.zip, Scan.zip and many others, as well as .exe files, and messages that prompt you to enter passwords or click links to infected websites, should never be opened and will come to no good.
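As an added illustration of the password bullet above (example code written for this page, not code from the original article or the firm): the "software bots" the article mentions are, in practice, offline dictionary attacks that take a leaked password hash and try common words with predictable mangling (capitalization, leet substitutions, a year or "123" on the end). The wordlist, salt, accounts and passwords below are all constructed for the demo; a real attacker's list is millions of entries drawn from earlier leaks, which is also why a password reused across accounts falls everywhere at once.

```python
"""Offline dictionary attack against salted SHA-256 password hashes.

Added example, not from the original article. Every wordlist entry and
password here is constructed for the demonstration.
"""
import hashlib
import os

# Constructed base wordlist; a real attacker uses millions of leaked entries.
BASE_WORDS = ["password", "welcome", "letmein", "hartford", "simsbury", "target"]
# Common suffixes people bolt on when a site demands "a number and a symbol".
SUFFIXES = ["", "1", "123", "2014", "!", "1!"]
# Single-character "leet" substitutions applied one at a time and all at once.
LEET = [("a", "@"), ("o", "0"), ("e", "3"), ("s", "$")]


def mangle(word):
    """Yield predictable variants of one dictionary word."""
    variants = {word}
    for old, new in LEET:
        variants.add(word.replace(old, new))
    all_leet = word
    for old, new in LEET:
        all_leet = all_leet.replace(old, new)
    variants.add(all_leet)
    forms = set()
    for v in variants:
        forms.update({v, v.capitalize(), v.upper()})
    for form in sorted(forms):
        for suffix in SUFFIXES:
            yield form + suffix


def candidates():
    """The full guess list: every base word with every mangling rule."""
    for word in BASE_WORDS:
        yield from mangle(word)


def hash_password(password, salt):
    """Salted SHA-256, as a stand-in for the fast hashes many breached sites
    actually stored. A deliberately slow KDF (bcrypt, scrypt, Argon2) raises
    the attacker's cost per guess but does not rescue a guessable password."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def crack(stored_hash, salt, max_guesses=100_000):
    """Try the guess list against one stored hash.

    Returns (password, guesses_used) on success, (None, guesses_used) if the
    list is exhausted or the budget runs out.
    """
    guesses = 0
    for guess in candidates():
        guesses += 1
        if guesses > max_guesses:
            break
        if hash_password(guess, salt) == stored_hash:
            return guess, guesses
    return None, guesses


def demo():
    """Hash a guessable and a non-dictionary password and attack both."""
    salt = os.urandom(16)  # a per-user random salt does not slow this attack down
    weak = "P@ssword123"                  # dictionary word + leet + suffix
    strong = "correct-lobster-quilt-42"   # not derived from any listed word
    results = {}
    for label, pw in (("weak", weak), ("strong", strong)):
        found, guesses = crack(hash_password(pw, salt), salt)
        results[label] = (found, guesses)
    return results


if __name__ == "__main__":
    for label, (found, guesses) in demo().items():
        print(f"{label}: {'cracked ' + found if found else 'not found'} after {guesses} guesses")
```

The salt defeats precomputed tables but not a live guessing run, and on a fast hash a commodity GPU tries billions of candidates per second, so "P@ssword123" is recovered almost instantly while the unrelated passphrase is never reached. The same recovered password is then replayed against every other site the victim uses, which is the concrete reason the bullet insists on a unique password per account.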

Most credit card companies do a good job of cancelling cards and limiting liability for fraudulent credit card transactions. Debit cards do not enjoy the same practical protections. Federal rules limit a consumer’s liability for unauthorized debit transactions that are reported promptly, but the money leaves your account immediately, the bank may take time to investigate and restore it, and the later you report the loss the more of it you can be left holding. Since many of today’s breaches are carried out from outside the United States, the funds are rarely recovered from the thief. By keeping antivirus software up to date and using strong, unique passwords on all your accounts, you can have the peace of mind that you haven’t made it easy for hackers to gain access. The encryption and other standards in place today won’t likely change for some time. In the meantime, you can take these steps to protect your financial security.

Last Updated (Wednesday, 29 January 2014 07:33)

New Data Breach Law Impacts Connecticut Businesses

Any business handling credit card transactions or confidential health or financial information needs to take heed of important new amendments to Connecticut’s security breach notification law. Effective October 1, 2012, new subsection (b)(2) of Connecticut General Statutes Sec. 36a-701b, the data breach notification statute, requires that the Connecticut Attorney General’s Office be notified of a data breach. Prior to this enactment, Connecticut and other New England states were already at the forefront of these consumer protection breach laws, requiring anyone doing business in the state to provide notice of a computerized security breach without unreasonable delay to residents who may have been affected. As part of the Connecticut Attorney General’s Privacy Task Force, a dedicated webpage detailing these new reporting requirements is available at www.ct.gov/ag.

An important lesson from this new law is that unless the notification provisions are carefully followed, the Attorney General’s office will also have a crack at assessing additional fines. The good news is that there is a “safe harbor” built into some of these regulations: businesses that were fully compliant with the Payment Card Industry Data Security Standard (PCI-DSS) at the time the breach occurred will likely get a “get out of jail free card,” with no fines assessed by the credit card industry. Note that compliance is judged as of the moment of the breach, so a certificate from last year’s assessment does not help if controls had lapsed since.

Given the prolific amount of malware and organized crime activity occurring on the internet, businesses can’t be too cautious about regularly updating their internet security tools and assessing potential risks. Many of the data breaches occurring today aren’t caused by outside criminals at all. They are just as often caused by careless handling of customers’ personal information on the devices that store or transmit it, and by failing to update security tools. Regularly updating computer security, training employees, restricting user access and understanding the legal requirements will help businesses stay ahead of the costly aftermath of a data breach. If a business outsources these functions to third party vendors, it’s critical to verify that the vendors meet or exceed current security standards on all networks and devices.

Sufficient encryption, strong passwords, limited user access, and regular updating of all firewall and anti-virus software on every device that uses, stores or transmits data are critical to data breach prevention. The small cost of regularly conducting audits, upgrading security tools and training staff is well worth the investment compared to the high cost of a data breach. Only after forensics has been completed, with the clock running, will the breached entity know just how many individuals, Attorneys General, banking institutions, local law enforcement and FBI officials or other regulators will need to be notified. The aftermath for a breached entity will be much more than the sum of its legal expenses, forensics costs, notification costs, fines and penalties. Data breach is much more than an IT issue; it is critical to business survival. Ensuring your business meets or exceeds all applicable security standards and carefully training staff is one of the best ways to avoid a breach and the serious consequences that follow.

If you missed our articles in the Hartford Business Journal and Connecticut Law Tribune on these important new requirements under Connecticut State law, reprints of the full article are available on request.

Attorney Tegan Blackburn based in Simsbury, Connecticut has two decades of experience as in-house and outside counsel advising retail, banking, restaurant, healthcare, technology and other clients on general business and corporate matters, including compliance issues and data breach response.

Last Updated (Wednesday, 13 February 2013 21:34)