Presentation is loading. Please wait.

Presentation is loading. Please wait.

2009 Privacy Initiatives Susan Blair, MSJ, MBA, CIPP, CCEP, CIA

Similar presentations

Presentation on theme: "2009 Privacy Initiatives Susan Blair, MSJ, MBA, CIPP, CCEP, CIA"— Presentation transcript:

1 2009 Privacy Initiatives Susan Blair, MSJ, MBA, CIPP, CCEP, CIA
Chief Privacy Officer, University of Florida

2 Privacy Officers in a Nutshell


4 Definitions: Complaint v. Incident
Privacy Complaint: An allegation by an individual that an organization is not complying with the requirements of the federal privacy and/or security regulations or the organization’s own policies and procedures related to the privacy / security of personal information. Privacy Incident: A known or suspected action, inconsistent with the organization’s privacy policies and procedures, or an adverse event, related to restricted or sensitive information.

5 Incidents by Type –

6 Incidents by Area –

7 2008 Privacy Violation by Type
PHI: 3,440 PHI/PII: 335,353 PII: 825 Student Record: 4,955 PII/Student Record: 13,516 Financial: 2 Human Resources: 32

8 Significant 2008 Privacy Violations and Incidents by Area
College of Dentistry: 334,238#/7 College of Medicine: 3,501/91 Academic Technology-CLAS: 11,562/2 College of Engineering: 4,423/3 Reitz Union: 612/1 IFAS: 271/2 College of Education: 145/1 *Number of Violations/Incidents #334,234 were both PHI and PII violations

9 2009 Legislative Mandates Genetic Information Nondiscrimination Act
Red Flag Rules American Reinvestment and Recovery Act (ARRA) Health Information Technology for Economic and Clinical Health Act (HITECH)

10 Genetic Information Nondiscrimination Act
Results of genetic tests for individuals or family members that provides any data about medical history; includes predictive testing Mandates modification of HIPAA’s Privacy Rule so that genetic information is treated as protected health information; became effective May 21, 2009 Confidentiality safeguards required for collection, maintenance, and storage; also limits disclosure of genetic information.

11 FTC’s Red Flag Rules FTC Red Flag Rules, became effective May 1, 2009 but delayed to August 1, 2009 Written ID Theft Prevention Program for any ‘covered account’ for individuals or households. regularly extending, renewing, or continuing credit; regularly arranging for such credit; acting as an assignee of an original creditor

12 Red Flags’ Hybrid Checklist
Inventory and Risk Assessment of Accounts Board of Trustees Review and Approval of Written Policies and Procedures Red Flags Training Departmental Procedures & Training Compliance Audits Cross-reference to Critical Incident and Breach Notification Plan and SSN Monitoring Add or revise contract language to require contractors to establish a written identity theft program or to mirror the University’s Red Flags Program Audit compliance at least annually.

13 ARRA: Effective February 2009
Restrictions on Disclosures prohibited with limited exceptions (as required by law) Enforcement by State Attorney General Civil case (violation) on interest to state residents Damages and court fees to be awarded Federal court venue Effective for violations that occurred after enactment Tiered Civil Monetary Penalties Collected Employees or individuals can be found liable under HIPAA.

14 ARRA: Effective February 2009
Minimum Penalties “Did not know” Tier A $100 “Reasonable cause” Tier B $1,000 “Willful neglect” Tier C $10,000 “Uncorrected violation” Tier D $50,000 Maximum Penalties Tier A $25,000 Tier B $100,000 Tier C $250,000 Tier D $1,500,000 Minimum per Violation Annual Maximum

15 ARRA: Provisions Changes Due
August 2009: Breach notification provisions and PHI breach notification February 2010: Business Associates and Marketing August 2010: Minimum Necessary and Prohibition on sale of electronic health records/PHRs. January 2011: Accounting for Disclosures February 2011: Enforcement for ‘willful neglect’

16 “HITECH” Enhances HIPAA
Section requires HIPAA covered entities to notify affected individuals of a breach of “unsecured protected health information” “Not secured through the use of a technology or methodology specified by the Secretary of HHS through guidance” April 17th HHS Guidance recommends either encryption or destruction.

17 HITECH Guidance Encryption According to National Institute of Standards and Technology (“NIST”) or Federal Information Processing Standards (“FIPS”): “Data at rest” - NIST , Guide to Storage Encryption Technologies for End User Devices “Data in motion” – FIPS 140-2, including NIST , Guidelines for the Selection and Use of Transport Layer Security Implementation NIST , Guide to IPSet VPNs NIST , Guide to SSL VPNs

18 HITECH Guidance Destruction :
Paper, film, or other hard copy media must be shredded or destroyed to the extent that the PHI cannot be read or reconstructed. Electronic media must be cleared, purged or destroyed such that the PHI cannot be retrieved, and such destruction must be consistent with NIST , Guidelines for Medical Sanitization.

19 HITECH Breach Notification
Notification: Sets thresholds for triggering breach notification requirements as well as parameters for the method, content, and timing of the notification. For example, Must provide notice to consumers and FTC within 60 days of discovery; Notice must include mitigation details; and If 10 or more individuals cannot be reached, must post conspicuously for six months on homepage of website; or, provided to print and broadcast media outlets in areas affected by breach. Applies to breaches discovered on or after September 18, 2009.

20 Academic Data Breaches Minnesota Privacy Consultants
Over 50 colleges and universities have experienced multiple reported privacy incidents since At a state level, California is home to seven twice breached universities, while Ohio follows at four schools. At least four universities have experienced five or more publicized privacy incidents. Purdue University (7) Ohio University (5) University of Florida (5) University of Iowa (5)

21 Privacy Breaches Sampling January – December 2008
Stanford University 72,000 University Georgia: 4,250 University Akron: 800 University of Florida: 101 Ohio University 492 Tennessee Tech: 990 University Texas: 2,500 University of Maryland 23,000 Penn State: 677 Georgetown University: 38,000 University of Florida: 1,900 University Minnesota: 3,100 Long Island University: 30,000 Middle Tenn. State: 1,500 Texas A&M: 3,000 Harvard University: 6,600 Binghamton University: 300 University of Miami: 2,100,000 University of Florida: 11,300 University of Utah: 2,200,000 University of Florida: 344, 448 Oklahoma St. University: 70,000 UC San Francisco: 3, 569

22 Top Reasons for University Breaches
Data-rich information systems creating a natural target. Outdated and non-enforced data security safeguards. Sophisticated intruders with potential criminal intent. Careless or inattentive data systems management. Negligent hiring practices or employee misuse of data. Demonstrated opportunities for repeat access. Business partners or research sponsors who fail to protect information.

23 Watch for “Seminal” Court Cases
Seminal means “Highly original and influencing the development of future events”. When does Privacy Breach cause harm? Identity theft and financial fraud Offensive publication of illicitly acquired PII Limit economic opportunities, i.e. job applicant Canada, Australia, New Zealand are codifying that privacy-security breaches can cause harm.

24 Cause for Caution Federal Precedent: Ninth Circuit Court (Stollenwerk) opined that ‘harm’ was not necessary for class action lawsuits resulting from data breach. Partnering of Federal Agencies: FTC joined OCR to pursue claims against CVS with settlement costs of $2.25 million. Also, FTC can levy penalties where identity theft results. States’ Action: ARRA permits states’ AG to sue for damages on behalf of residents.

25 In Summary: Nowhere to Hide
Increased Governmental Regulations, especially for identity theft and healthcare operations Emerging Technology Risks and Expanding Data Security Obligations Probable Civil Case Law Developments as well as Enhanced Enforcement, especially from state AGs. Continuing infrastructure and resource challenges

26 Contact Information UF Privacy Office Toll-free Hotline:

Download ppt "2009 Privacy Initiatives Susan Blair, MSJ, MBA, CIPP, CCEP, CIA"

Similar presentations

Ads by Google