Susan Blair, MSJ, MBA, CIPP, CCEP, CIA, Chief Privacy Officer, University of Florida.


  • Slide 1
    Susan Blair, MSJ, MBA, CIPP, CCEP, CIA, Chief Privacy Officer, University of Florida

  • Slide 2
    PLAN / DO / WATCH

  • Slide 3

  • Slide 4
    Privacy Complaint: An allegation by an individual that an organization is not complying with the requirements of the federal privacy and/or security regulations, or with the organization's own policies and procedures related to the privacy/security of personal information.
    Privacy Incident: A known or suspected action, inconsistent with the organization's privacy policies and procedures, or an adverse event, related to restricted or sensitive information.

  • Slide 5

  • Slide 6

  • Slide 7
    PHI: 3,440
    PHI/PII: 335,353
    PII: 825
    Student Record: 4,955
    PII/Student Record: 13,516
    Financial: 2
    Human Resources: 32

  • Slide 8
    College of Dentistry: 334,238#/7
    College of Medicine: 3,501/91
    Academic Technology-CLAS: 11,562/2
    College of Engineering: 4,423/3
    Reitz Union: 612/1
    IFAS: 271/2
    College of Education: 145/1
    * Number of Violations/Incidents
    # 334,234 were both PHI and PII violations

  • Slide 9
    Genetic Information Nondiscrimination Act
    Red Flag Rules
    American Recovery and Reinvestment Act (ARRA)
    Health Information Technology for Economic and Clinical Health Act (HITECH)

  • Slide 10
    Results of genetic tests for individuals or family members that provide any data about medical history; includes predictive testing.
    Mandates modification of HIPAA's Privacy Rule so that genetic information is treated as protected health information; became effective May 21, 2009.
    Confidentiality safeguards required for collection, maintenance, and storage; also limits disclosure of genetic information.

  • Slide 11
    FTC Red Flag Rules: became effective May 1, 2009, but delayed to August 1, 2009.
    Written ID Theft Prevention Program for any covered account for individuals or households.
    Regularly extending, renewing, or continuing credit; regularly arranging for such credit; acting as an assignee of an original creditor.

  • Slide 12
    Inventory and Risk Assessment of Accounts
    Board of Trustees Review and Approval of Written Policies and Procedures
    Red Flags Training
    Departmental Procedures & Training
    Compliance Audits
    Cross-reference to Critical Incident and Breach Notification Plan and SSN Monitoring
    Add or revise contract language to require contractors to establish a written identity theft program or to mirror the University's Red Flags Program
    Audit compliance at least annually.

  • Slide 13
    Restrictions on Disclosures: prohibited, with limited exceptions (as required by law).
    Enforcement by State Attorney General: civil case (violation) of interest to state residents; damages and court fees to be awarded; federal court venue; effective for violations that occurred after enactment.
    Tiered Civil Monetary Penalties Collected
    Employees or individuals can be found liable under HIPAA.

  • Slide 14
    Tiered Civil Monetary Penalties (minimum per violation / annual maximum):
    Tier A, did not know:           $100 per violation     / $25,000 annual maximum
    Tier B, reasonable cause:       $1,000 per violation   / $100,000 annual maximum
    Tier C, willful neglect:        $10,000 per violation  / $250,000 annual maximum
    Tier D, uncorrected violation:  $50,000 per violation  / $1,500,000 annual maximum

  • Slide 15
    August 2009: Breach notification provisions and PHI breach notification
    February 2010: Business Associates and Marketing
    August 2010: Minimum Necessary and prohibition on sale of electronic health records/PHRs
    January 2011: Accounting for Disclosures
    February 2011: Enforcement for willful neglect

  • Slide 16
    Section 13402 requires HIPAA covered entities to notify affected individuals of a breach of unsecured protected health information.
    "Unsecured" means not secured through the use of a technology or methodology specified by the Secretary of HHS through guidance.
    The April 17th HHS Guidance recommends either encryption or destruction.

  • Slide 17
    Encryption according to National Institute of Standards and Technology (NIST) or Federal Information Processing Standards (FIPS):
    Data at rest: NIST 800-111, Guide to Storage Encryption Technologies for End User Devices
    Data in motion: FIPS 140-2, including NIST 800-52, Guidelines for the Selection and Use of Transport Layer Security Implementations; NIST 800-77, Guide to IPsec VPNs; NIST 800-113, Guide to SSL VPNs

  • Slide 18
    Destruction: Paper, film, or other hard-copy media must be shredded or destroyed to the extent that the PHI cannot be read or reconstructed. Electronic media must be cleared, purged, or destroyed such that the PHI cannot be retrieved, and such destruction must be consistent with NIST 800-88, Guidelines for Media Sanitization.

  • Slide 19
    Notification: Sets thresholds for triggering breach notification requirements as well as parameters for the method, content, and timing of the notification. For example:
    Must provide notice to consumers and the FTC within 60 days of discovery;
    Notice must include mitigation details; and
    If 10 or more individuals cannot be reached, must post conspicuously for six months on the homepage of the website, or provide notice to print and broadcast media outlets in areas affected by the breach.
    Applies to breaches discovered on or after September 18, 2009.

  • Slide 20
    Over 50 colleges and universities have experienced multiple reported privacy incidents since 2001. At the state level, California is home to seven twice-breached universities, while Ohio follows at four schools. At least four universities have experienced five or more publicized privacy incidents:
    Purdue University (7)
    Ohio University (5)
    University of Florida (5)
    University of Iowa (5)

  • Slide 21
    Stanford University: 72,000
    University of Georgia: 4,250
    University of Akron: 800
    University of Florida: 101
    Ohio University: 492
    Tennessee Tech: 990
    University of Texas: 2,500
    University of Maryland: 23,000
    Penn State: 677
    Georgetown University: 38,000
    University of Florida: 1,900
    University of Minnesota: 3,100
    Long Island University: 30,000
    Middle Tenn. State: 1,500
    Texas A&M: 3,000
    Harvard University: 6,600
    Binghamton University: 300
    University of Miami: 2,100,000
    University of Florida: 11,300
    University of Utah: 2,200,000
    University of Florida: 344,448
    Oklahoma St. University: 70,000
    UC San Francisco: 3,569

  • Slide 22
    Data-rich information systems creating a natural target.
    Outdated and non-enforced data security safeguards.
    Sophisticated intruders with potential criminal intent.
    Careless or inattentive data systems management.
    Negligent hiring practices or employee misuse of data.
    Demonstrated opportunities for repeat access.
    Business partners or research sponsors who fail to protect information.

  • Slide 23
    Seminal means highly original and influencing the development of future events.
    When does a privacy breach cause harm?
    Identity theft and financial fraud
    Offensive publication of illicitly acquired PII
    Limited economic opportunities, e.g. for a job applicant
    Canada, Australia, and New Zealand are codifying that privacy-security breaches can cause harm.

  • Slide 24
    Federal Precedent: The Ninth Circuit Court (Stollenwerk) opined that harm was not necessary for class action lawsuits resulting from a data breach.
    Partnering of Federal Agencies: The FTC joined OCR to pursue claims against CVS, with settlement costs of $2.25 million. Also, the FTC can levy penalties where identity theft results.
    State Action: ARRA permits state AGs to sue for damages on behalf of residents.

  • Slide 25
    Increased governmental regulations, especially for identity theft and healthcare operations
    Emerging technology risks and expanding data security obligations
    Probable civil case law developments as well as enhanced enforcement, especially from state AGs
    Continuing infrastructure and resource challenges

  • Slide 26
    UF Privacy Office
    http://privacy.ufl.edu
    352-273-5094
    Toll-free Hotline: 866-876-4472