Canada’s Entry Into Breach Notification Requirements

The Canadian province of Alberta passed the Personal Information Protection Amendment Act of 2009 (PIPAA), which received Royal assent late last year. This Act amends Alberta’s Personal Information Protection Amendment Act of 2004 (PIPA). PIPA covers a wide range of issues dealing with the collection, protection and use of personal information. However, PIPA did not cover notification of the individual in the event someone gained unauthorized access to the individual’s information.  PIPAA filled in that gap with its breach notification requirements, the first of its kind in Canada.

PIPAA went into effect on May 1, 2010. The breach notification requirements contained in PIPAA mirror, to a large degree, notification requirements found in states across the U.S. In summary, PIPAA requires notification of the Information and Privacy Commissioner (Commissioner) if a breach occurs and the breach poses a “real” risk of significant harm to individuals.  A “real” risk of significant harm means more than a risk that is merely theoretical. PIPAA specifies the information required to be included in a notice to the Commissioner.

After an incident is reported to the Commissioner, the Commissioner has the ability to require an organization to report the breach to individuals affected by the breach. A notice to individuals, if required by the Commissioner, will contain a description of the incident that led to the breach, the time when the incident occurred, a description of the personal information involved, information about any steps taken to reduce the risk of harm, and contact information for a person who can answer the individual’s questions. The Commissioner may require the disclosure of additional information to individuals as it determines is necessary. Neither PIPAA nor PIPA restricts a company from notifying individuals on its own accord. However, if there is a “real” risk of significant harm to individuals, notification of the Commissioner is required.

PIPAA is not the final word in Canadian breach notification requirements.  On May 25, 2010, amendments to the Personal Information Protection and Electronic Documents Act were introduced into the Canadian House of Commons. The amendments include breach notification requirements that parallel the PIPAA requirements. The new law will be addressed in my next post.

The Office for Civil Rights Wants Your Input

Remember the HITECH Act?  Passed in 2009, it amended HIPAA privacy and security rules.  Among other things, it beefed up enforcement penalties and required updated business associate agreements and security breach notifications.  Possibly, you’ve forgotten that it also expanded individual rights in connection with electronic health records—particularly an individual’s right to receive an accounting of how his or her information has been disclosed.

Under the existing regulatory framework that’s been in effect since 2003, this accounting does not have to include the many routine disclosures made for treatment, payment and health care operations purposes.  At the time those rules were written, it was believed that having to account for these routine disclosures would be too burdensome.

The HITECH Act, however, may change this.  The Act says that covered entities who have electronic health record systems in place will have to begin accounting for all disclosures, including those made for treatment, payment and health care operations, consistent with regulations that the Department of Health & Human Services is to draft—balancing the interests of those wanting to learn about the disclosures with the administrative burden involved in tracking these disclosures.  In order to balance these interests, the Office for Civil Rights is asking for information.  There’s a variety of questions, but they come down to trying to understand the demand for this information and its benefits to individuals versus the feasibility and costs of collecting such information.

In my own experience, not many people request an accounting of disclosures.  I suspect many people are simply unaware of the right, but I also think there are some who don’t exercise the right because they believe the report isn’t very useful if it doesn’t include disclosures made for treatment, payment and healthcare operations purposes.  From the provider side, however, this sounds like an administrative nightmare, particularly since many systems do not have the capability of capturing the necessary information.   Getting that capability will likely require expensive modification, and I think it will be particularly challenging for a system to accurately collect some of this data—particularly the specific purpose for which the data is being disclosed.

Anyway, if you think you have a stake in this, you might consider responding to the request for information.  Your input may help shape the regulations.

If you have questions about complying with HIPAA, Warner Norcross & Judd LLP can help.  Give us a call!

Norbert F. Kugele

nkugele@wnj.com

616.752-2186

The Nation’s First Genetic Discrimination Claim?

While I can’t say for sure that this is the first, I can say that it’s the first that I’ve seen publicized:  a woman in Connecticut has brought a claim that her former employer engaged in genetic discrimination.

According to the news story, the woman informed her employer about genetic test results that indicated she had a genetic predisposition for breast cancer and would be having a double mastectomy as a precautionary measure.  Six weeks after her surgery, the company eliminated her position.  She has now filed complaints with the U.S. Equal Opportunity Commission and with the Connecticut Commission on Human Rights and Opportunities.  The employer denies that the allegations are true.

A HIPAA Conviction and a Timeline for New HIPAA Regulations

Back in January, I wrote about a criminal case against a former doctor who worked at the UCLA School of Medicine.  The doctor had entered into a plea bargain admitting that he had improperly accessed over 300 medical records upon being notified that he was being terminated.

Today, we have news that he has been sentenced to four months in prison.  Another story reports that he was also fined $2000.  Among the records that he accessed were those of Sharon Osbourne, Barbara Walters, Elizabeth Banks, Leonardo DiCaprio and Anne Rice.

PCI Compliance – It’s a Matter of Law (At Least in Some States)

Recently, the state of Washington enacted a law that allows financial institutions to recover costs relating to credit/debit card breaches from businesses that are careless in protecting credit card data.  Large businesses and card processors are the targets of this legislation.  Any company—regardless of where it is located—that processes more than 6 million credit card and debit card transactions annually and that sells goods or services to Washington residents is subject to the act.  There is no liability, however, if the company encrypted the data or was certified compliant with the payment card industry data security standards.

Will Peer-to-Peer (P2P) Technology Get You in Trouble?

The FTC has posted a news release that it has sent out notification letters to almost 100 organizations that personal information stored on their systems—including sensitive data about customers and/or employees—is available on peer-to-peer (P2P) file sharing networks.  Samples of the FTC letters are available here, here and here.

Do Italian Courts have Unreasonable Expectations?

Hitting the news today is a report that an Italian court has convicted three Google executives in connection with a video that was posted on Google Video (Google’s version of YouTube before Google bought YouTube).  In case you haven’t been following this story, the video showed four Italian teenagers bullying an autistic youth.  The video was posted on Google Video for a couple months, at which point police authorities contacted Google.  Once notified, Google removed the video within a couple of hours and provided information about who posted the video, which led to the juvenile sentencing of the four teenagers.

HITECH Deadline Comes and Goes, But Where’s the Guidance?

As you’ve probably noticed, the deadline for implementing the HITECH Amendments to HIPAA came and went last week without much fanfare—primarily because the Department of Health & Human Services still has not released any guidance on how we should be implementing these changes.  Moreover, there’s still no indication when the new guidance will come out.

A Couple of Odds and Ends . . . .

Interesting article at Forbes.com about how businesses—especially financial institutions—are increasingly absorbing the cost of security breaches.  According to the article, individuals who are victims of identity theft are more likely to take their business elsewhere.  The article notes that it’s expensive to replace a customer—to the point where it makes sense to absorb identity theft costs.

Common Theme in Recent Breach Notifications: Lack of Encryption

A few data breaches making the news recently:

One breach involved a lost laptop at Methodist Hospital in Houston.  The details are rather sketchy, but it seems that a thief made off with a laptop that contained SSNs and personal health information of 689 patients.  No indication whether the information was encrypted, but my assumption is that it must not have been if the hospital has sent out notification letters.