Privacy, Information Security and Health Information: An Arizona Update
Data Protection Day 2010
Mary Beth Joublanc, J.D.
Chief Privacy Officer and HIPAA Coordinator
State of Arizona
January 28, 2010
Scope of Discussion
• Data Privacy Day in Arizona – 2010
• An Arizona Update on the Privacy and Information Security Landscape
• General Government Status
• Government Agencies and ARRA – HITECH
• Resources and References
• Questions??
Purpose of Data Privacy Day
• Rights, duties and obligations of/for collection, use, safeguards, disclosure and disposition of personal identifying information (also critical assets)
• Third year of the celebration
• US, Canada and 27 European countries
• Companion to Cyber Security Awareness Month (similar goals – foster collaboration between privacy and information security disciplines)
Importance of the Governor’s Proclamation
• Arizona remains a leader in recognizing the importance of Data Privacy Day (one of six states).
• Key Points of Proclamation:
  • All industries must participate (private, non-profit, government)
  • Abide by responsible information management policies, practices and technology (e.g. Generally Accepted Privacy Principles—GAPP)
  • Evaluate the appropriateness of collecting, securing and managing all forms of personal identifying information – hardcopy and electronic format (life cycle approach analysis)
Importance of the Governor’s Proclamation – 2
• Key Points of Proclamation (continued):
  • Support information privacy education within the organization
  • Provide individuals with ease of access to the organization’s information management policies and practices (transparency)
  • Promote resources which assist individuals to manage the privacy of their personal information
Overview: Arizona Privacy and Information Security Laws
• Applicable to Business and Government:
  • Breach Notification Law (ARS 44-7501)—electronic only
  • Social Security Number Protection (ARS 44-1373 – 1373.03)—broad exceptions—hardcopy and electronic
  • Data Destruction (ARS 44-7601)—hardcopy only
• Government Agencies:
  • Numerous Agency Confidentiality Laws (300+)
  • Government Anti-identification Procedures (ARS 41-4171 & 41-4172)—hardcopy and electronic (maybe)
  • State Agency Web Site Records and Privacy Laws (ARS 41-4151 & 41-4152)
  • Other laws and regulations
Arizona Privacy and Information Security Laws – Health Related
• Arizona Medical Record Laws
• Health Care Directives Laws
• Laws protecting infants, genetic information, and rights of minors (ability to contract—includes health services)
• Arizona Health Care Cost Containment System (Medicaid agency)
• Arizona Department of Administration
  • Employee Health Plan
  • Occupational Health & Workers’ Compensation
  • Risk Management/Litigation
• Arizona Department of Health Services
  • Mental Health Services/Arizona State Hospital
  • Public Health
  • Medical Facilities Licensure
  • Some Professional Licensure
Arizona Privacy and Information Security Laws – Health Related (continued)
• Department of Economic Security
  • Protective Services (Adult and Child)/Family Services
  • Foster and adoptive child health plan
  • Division of Developmental Disability
  • Vocational Rehabilitation
  • Numerous other functions
• Correctional Facilities – Juvenile and Adult
  • Health care services
    • On premises
    • Contracted facility
• Department of Public Safety
  • Paramedic and First Responders
• Department of Transportation/Motor Vehicle Division
• Professional Licensing Agencies
  • Approximately 39 licensed professions under Title 32 “Professions and Occupations”
  • Approximately 18+ licensed health professions – Title 32 “Professions and Occupations” (does not include subsections of other agencies)
Arizona and Federal Law Interface: Current Issues
• Health Insurance Portability and Accountability Act (HIPAA) Administrative Simplification (Privacy, Security, Transactions, Identifiers, Part D – Medicare Prescriptions)
• Health Information Technology for Economic and Clinical Health (HITECH)
• Non-HITECH Data Breach Bills (3)
HIPAA & HITECH Implications to Agencies
• Hybrid-Covered Agencies: AHCCCS, ADHS, ADES, ADOA
• Thousands of Business Associates!
• Exchange of Information: BAs, other agencies, health care entities, oversight
• EHR (State Hospital & AHCCCS AMIE, others?)
• Technology requirements
• Breach Notification
• How to Address:
  • Validate policy, practice & training (huge!)
  • Covered and Non-covered agencies
  • All those BAs—are they really BAs?
  • Lost services—what to do??
  • Contract language and question of oversight
  • Federated Agencies – Workgroups
  • Technology (really huge!!)
  • Privacy Framework – GAPP
  • Minimum Necessary
  • Assurance
Breach Notification – HIPAA/HITECH and Beyond!
• AZ Breach Notification Law
  • http://www.azleg.state.az.us/FormatDocument.asp?inDoc=/ars/44/07501.htm&Title=44&DocType=ARS
  • Owner/licensee
  • Electronic Information Only
  • Report if not encrypted, redacted or otherwise secured
  • Name + SSN, driver’s/non-operator’s license, financial account/debit/credit cards with password or other security access information
  • Exceptions:
    • Must materially compromise security or confidentiality and cause, or be reasonably likely to cause, substantial economic loss to an individual
    • Good faith exception
  • Enforcement: State Attorney General; penalty set by AG
Breach Notification – HIPAA/HITECH and Beyond – 2
• HITECH
  • http://edocket.access.gpo.gov/2009/pdf/E9-20169.pdf
  • Covered Entities (CE) and Business Associates (notify CE)
  • Verbal, hardcopy and electronic
  • Resolution within 60 days; exceptions
  • Protected Health Information (in addition to AZ reporting)
  • Unsecured = not encrypted or destroyed (unusable, unreadable or indecipherable); back door to redaction??
  • Notification: letter, phone, electronic (record number/cost)
  • Notify Media (>500); HHS (all events; time frames)
  • Enforcement: HHS or state attorneys general; fines up to $1,500,000
Breach Notification – HIPAA/HITECH and Beyond – 3
• Pending Federal Legislation – if passed, would repeal the Arizona Breach Notification Statute
  • HR2221—Data Accountability and Trust Act
    • http://www.govtrack.us/congress/bill.xpd?bill=h111-2221
    • Passed the House and is in the Senate
    • Person engaged in interstate commerce, or contractor for such person
    • Requires data management and safeguard program for personal information (SSN, driver’s license or government issued ID, financial account/credit/debit card)
    • Might not pre-empt HITECH (rule making planned)
    • Regulates “Information Brokers” (certain consumer rights)
    • Breach notification: multiple requirements (credit reporting agencies, third party agents, service providers), timelines, content of notice
    • Exemption to notification (unusable, unreadable, indecipherable and no reasonable risk of ID theft)
    • Rule making and guidance publications by Federal Trade Commission (FTC)
    • FTC has oversight and enforcement; state attorneys general may also enforce; fines up to $5,000,000 for certain violations
Breach Notification – HIPAA/HITECH and Beyond – 4
• Pending Federal Legislation (continued)
  • S1490—Personal Data Privacy and Security Act of 2009
    • http://www.govtrack.us/congress/bill.xpd?bill=s111-1490
    • Owner/licensee involved in interstate commerce
    • Information security and privacy data management program
    • Sensitive personal information: name, SSN (other ID), with home address, mother’s maiden name or date of birth; unique biometric identifier; unique account number and access code; financial account/debit/credit and access code
    • Breach notification: data brokers, no unreasonable delay (45 days), multiple other provisions regarding notice requirements including timing of notice
    • Safe Harbor: industry standard security for type of data
    • Exemptions: Secret Service certification (encrypted/indecipherable) and “no reasonable risk of harm”
    • Exceptions: HIPAA & GLBA
    • Enforcement: FTC or state attorney general or state law enforcement agency; fines up to $1,000,000
Breach Notification – HIPAA/HITECH and Beyond – 5
• Pending Federal Legislation (continued)
  • S139—Data Breach Notification Act
    • http://www.govtrack.us/congress/bill.xpd?bill=s111-139
    • Owner/licensee involved in interstate commerce
    • Personal information: name, SSN, birth date, state/govt ID, EIN, Tax ID, biometric identifier, unique electronic number, address, routing code, or telecommunications identifier or access device
    • Risk assessment exception (encryption or indecipherable)
      • Secret Service must review and approve (certify)
      • No significant risk of harm
    • Time frame for notification (without unreasonable delay—45 days)
    • Notification provisions include credit reporting agencies, Secret Service and other law enforcement agencies (Secret Service notifies)
    • Good faith exception
    • Pre-empts other federal and state breach notification statutes
    • Secret Service oversight; state attorneys general enforce
    • Maximum penalty $1,000,000 per violation
Resources and References
• Arizona Data Privacy Day 2010 Press Release and Proclamation
  • http://www.azgita.gov/sispo/DPDProclamation2010.pdf
  • http://www.azgita.gov/sispo/ (SISPO News)
• National and International Data Privacy Day 2010
  • The Privacy Projects: www.dataprivacyday.org
• Generally Accepted Privacy Principles
  • http://infotech.aicpa.org/NR/rdonlyres/1D6C8F10-1BC1-4498-89BD-C83831E75C4C/0/9632395_ExecutiveOverview.pdf/
• Arizona Statutes (Arizona Legislature Website)
  • http://azleg.gov/ArizonaRevisedStatutes.asp
• Arizona Administrative Code (Arizona Secretary of State Website)
  • http://www.azsos.gov/public_services/Table_of_Contents.htm
• Arizona Government Information Technology Agency (GITA)
  • http://www.azgita.gov/
• GITA Statewide Information Security and Privacy Office (SISPO)
  • http://www.azgita.gov/sispo/
The Arizona Update
Questions???