Building a HIPAA Toolkit: Part II
Part II: Extend privacy beyond federal healthcare regulations.
by Emily Caron, Esq.
Unlike many other countries, the United States does not have a single agency dedicated to regulating privacy. Residents rely on a complicated patchwork of federal, state, and private entities to protect their privacy rights. In addition to federal enforcement, state attorneys general enforce privacy laws enacted by state legislatures, and many private industry associations maintain voluntary privacy protection initiatives as well. Although healthcare organizations naturally focus on the privacy requirements of HIPAA, other privacy laws may also govern how patient information is used and protected, and it's important to understand how each of these requirements may affect your practice.
Federal Trade Commission (FTC)
The FTC plays a large role in regulating and enforcing privacy law in the United States. Its authority comes from Section 5 of the FTC Act, a 100-year-old statute that declares "unfair or deceptive acts or practices in or affecting commerce" unlawful. In 1914, privacy and information security meant something very different than they do today, and the law made no mention of either. The FTC's privacy role dates to 1970, when Congress gave it enforcement responsibility under the Fair Credit Reporting Act, and over the years, in light of vast changes in technology, Congress has added further privacy-related responsibilities through other legislation; the FTC has also applied the Section 5 language directly to companies' privacy and data security practices. The FTC shares Health Information Technology for Economic and Clinical Health (HITECH) Act breach notification enforcement with the U.S. Department of Health & Human Services (HHS): HHS enforces the HIPAA Breach Notification Rule against covered entities and business associates, while the FTC's Health Breach Notification Rule covers vendors of personal health records and related entities that HIPAA does not reach.
The FTC's primary objectives are to prevent unfair competition and unfair or deceptive acts and practices in commerce. If the FTC learns of a questionable practice, it opens an investigation; if it concludes that a violation has occurred, it proceeds to enforcement. At that point, the respondent can contest the complaint in an administrative trial before an administrative law judge (similar to a traditional civil trial, but within the agency), or it can enter into a consent order: a settlement in which the company admits no fault but agrees to change its practices and to submit to FTC oversight and independent third-party assessments for a specified period, commonly as long as 20 years.
In the privacy context, the FTC has held companies accountable for failing to abide by their own posted privacy notices. If a company promises a certain level of privacy in its notice and then does not act in accordance with that policy, the FTC treats the gap as an unlawful "deceptive practice" and proceeds with enforcement and possible sanctions. The FTC has also charged companies whose data security was unreasonably weak under the "unfair practice" prong of Section 5, even where no explicit privacy promise was broken.
FTC Targets Unfair Trade Practices of Corporations
In 2004, the FTC began targeting "unfair trade practices" related to privacy notices. The first case involved Gateway Learning Corporation, maker of the educational product Hooked on Phonics. Gateway's original privacy notice promised strong protections, but the company later changed the notice and rented customers' personal information to third parties without notifying its existing customers. The FTC found that retroactively applying such a material change to the company's data-sharing practices was an unfair trade practice. Gateway agreed to a consent order prohibiting it from disclosing a customer's information without that customer's express prior authorization, and it gave up all of the money it had earned renting customer data.
FTC Litigation in Healthcare
More recently, FTC scrutiny has reached the healthcare sector. The FTC is engaged in litigation and administrative proceedings with LabMD, a medical testing laboratory, over the extent to which the FTC can treat a healthcare company's inadequate data security as an "unfair practice" under Section 5, separately from HHS enforcement of HIPAA.
State Privacy Laws
In addition to federal privacy laws, each state has its own privacy laws and regulations, which may cover information security, data destruction, identity theft, spyware, and medical privacy. Each state also has its own law against deceptive trade practices. Some federal laws preempt state law, so that a state cannot alter the federal provisions; others, including HIPAA, set a floor and allow states to enact stricter privacy protections. California is often viewed as the leading state for such legislation because of its large population and high-tech business sector.
Although HITECH added breach notification requirements to HIPAA, most industries are not subject to any federal breach notification law. Many states have filled this gap. To date, 47 states, the District of Columbia, Guam, Puerto Rico, and the U.S. Virgin Islands have enacted legislation requiring private and government entities to notify individuals of security breaches involving personally identifiable information. Because HIPAA does not preempt state laws that are more protective of privacy, applicable state laws may layer additional breach notification requirements on top of those HIPAA imposes on covered entities and business associates. These laws change constantly, and it is up to data collectors to make sure their practices comply with the laws currently applicable to them. This is no easy task.
Based on the Privacy Rights Clearinghouse's review of breaches since 2005, data breaches fall into eight types:
- 1. Unintended disclosure (including material sent to the wrong party)
- 2. Hacking/Malware (electronic entry by an outside party)
- 3. Payment card fraud (for example, skimming devices)
- 4. Insider theft (an employee or contractor who steals data)
- 5. Physical loss (lost, stolen, or discarded paper records)
- 6. Lost portable device (a laptop, phone, or flash drive)
- 7. Lost stationary device (a lost, stolen, or discarded desktop computer or server)
- 8. Unknown/Other
When one of these events exposes personal information that meets a state's statutory definition, it may trigger a duty under that state's law to notify the people whose information was disclosed.
Check Your State Data Breach Laws
There are many similarities among state laws, and most contain the same basic provisions. For example, each defines personal information and lists the specific data elements that trigger reporting requirements, typically a name combined with a Social Security number or an account number. Some states include medical and healthcare information; others include biometric data (such as fingerprints); North Dakota includes mother's maiden name.
States specify which entities are covered by the law, usually any person who conducts business in the state and owns, licenses, or maintains computerized personal information. The law defines "security breach" and sets the level of harm that requires notification. Some states, such as Florida, require a "material compromise" to trigger notice requirements; others, including Kansas and South Carolina, define "breach" as an event that causes identity theft or other material harm.
State laws also specify whom to notify, how, and when. Time periods for response can be as short as 24 hours (Idaho) or as vague as "without unreasonable delay," the language used in several states. Texas requires notification of its residents and also requires notice to residents of jurisdictions that have no data breach law of their own. Under certain circumstances, some states require notice to the state attorney general and to the consumer credit reporting agencies as well.
Several states also dictate what the notification letter must contain. This may include a description of the circumstances of the breach, the date it took place, instructions for credit monitoring, and how to report identity theft to law enforcement. Note that Massachusetts' requirements are unique, and run in the opposite direction: its notice must not describe the nature of the breach or the number of residents affected, so a breach touching Massachusetts residents often requires a separate letter sent only to them.
The laws may also include exemptions from the notice obligation. The most common is for organizations already subject to more stringent breach notification laws, such as HIPAA and the Gramm-Leach-Bliley Act. States also exempt entities whose own information security policies include breach notification procedures, as long as those procedures are consistent with the state's requirements. Many states further exempt encrypted or redacted data, provided the decryption key remains secure. Note that the District of Columbia, Hawaii, Illinois, Iowa, Louisiana, Nevada, and Ohio do not allow for this. Where the encryption exemption does apply, it only helps if the encryption actually protected the data at the time of the incident: a lost laptop with full-disk encryption and no key stored on the device generally qualifies, but a breached system on which the attacker could read the data in decrypted form, or obtained the key along with the data, generally does not.
In the event a company fails to comply with breach notification requirements, many states reserve enforcement to the state attorney general. Others, including Michigan, Rhode Island, and Texas, also specify civil fines and penalties. Alaska, California, the District of Columbia, Louisiana, and others also grant a private right of action to individuals harmed by the disclosure of their information, allowing them to sue for damages on their own, without the involvement of the state attorney general.
Protect Yourself: Understand Privacy Laws
It's important to be aware of the complicated array of privacy laws beyond those that specifically address healthcare. It is a difficult maze to navigate. Take this structure into account, consult experts to ensure adequate safeguards for patient information, and put a plan in place for addressing a breach before one occurs. Failing to do so will likely cause problems ranging from bad public relations to regulatory headaches to tremendous expense.
Emily Caron, Esq., is an attorney with Lathrop & Gage, LLP, where she regularly consults clients regarding data breach, privacy, and cyberliability. She offers focused experience in analysis of insurance coverage related to media, advertising, intellectual property, and technology.