Texas Privacy Laws
  Tough New Changes
Speaker

James F. Brashear
 General Counsel
  Zix Corporation
                           Jim Brashear is a member of the Bar of the United States
                      Supreme Court, the California Bar Association and the State Bar of
                      Texas. He frequently appears as a public speaker on corporate
                      governance, data security and information technology legal topics.

                            He currently serves the Association of Corporate Counsel on its
                      Information Technology, Privacy & Electronic Commerce Committee
                      as Programs Co-Chair and Cloud/SaaS Co-Chair.

                           He received a Juris Doctorate degree, magna cum laude, from
                      the University of San Diego School of Law, and a Bachelor of Arts
                      degree in political science from the University of California at San
                      Diego.


Twitter @jfbrashear

                       This program is for educational purposes only. The content
                           does not constitute legal advice. No attorney-client
                              relationship is created by your participation.
Overview
• Texas recently amended privacy laws protecting:
   – Protected Health Information (PHI)
   – Sensitive Personal Information (SPI)
• A business may be simultaneously subject to:
   – Texas Identity Theft Enforcement and Protection Act
   – Texas Medical Records Privacy Act
   – HIPAA and HITECH
• New amendments:
   – Broaden scope of Texas privacy laws
   – Add new requirements
   – Impose new penalties
• New medical privacy laws are stricter than HIPAA
Two Principal Texas Privacy Statutes




 Identity Theft Enforcement and Protection Act


         Medical Records Privacy Act
Identity Theft Enforcement and Protection Act
Business and Commerce Code Chapter 521
   http://www.statutes.legis.state.tx.us/Docs/BC/htm/BC.521.htm
• Amended by H.B. No. 300 effective September 1, 2012
   http://www.capitol.state.tx.us/tlodocs/82R/billtext/pdf/HB00300F.pdf
Broad Scope
Applies to virtually all businesses operating in Texas
• Includes most healthcare businesses
• Specifically includes nonprofit athletic or sports associations
• Excludes financial institutions under Gramm-Leach-Bliley Act




    Focus: It is not clear how the Act will be applied to:
    • SPI stored outside Texas
    • Non-Texas business SPI stored in Texas
    • Non-Texas business SPI of Texas residents
Duty to Protect Sensitive Personal Information
Business and Commerce Code §521.052

  Business must use reasonable procedures to protect
  from unlawful use or disclosure any sensitive personal
  information collected or maintained in its regular
  course of business




   Focus: In contrast to Massachusetts 201 CMR 17.01, Texas does not mandate
   encryption – but Texas does:
   • exclude some encrypted data completely
   • exclude encrypted data from data breach notice rules
   • mitigate penalties if data was encrypted
Sensitive Personal Information
§521.002(a)(2) defines two types of SPI:
    1. Personal identifying information
       An individual's first name or first initial
       + their last name
       + any of the following:
          • social security number
          • driver's license number
          • government-issued identification number, or
          • account number or credit or debit card number plus any financial
            account security code, access code, or password
• Encryption exclusion for this type
    – If the name and the listed items are encrypted, then they are
      not treated as SPI at all


    Tip: Encrypt all sensitive data, at rest and in motion
Sensitive Personal Information
§521.002(a)(2) defines two types of SPI:
   2. Medical identifying information
      Information that identifies an individual and relates to their:
       • physical or mental health or condition
       • provision of health care, or
       • payment for provision of health care
• No encryption exclusion for this type . . .
   – Treated as SPI even if encrypted
• . . . but there is an encryption safe harbor from data breach notification
   – Consistent with HIPAA




    Tip: Encrypt all sensitive data, at rest and in motion
Data Breach from Unauthorized Acquisition
§521.053(a) defines Breach of System Security
• Unauthorized acquisition of computerized data that
  compromises SPI security, confidentiality or integrity
• Safe harbor for encrypted data
   – No data breach results from unauthorized acquisition of encrypted
     data unless the decryption key was also acquired
   – No notification required




   Focus: The statute does not require a business to monitor its systems
   to detect a data breach

   Tip: Encrypt all sensitive data, at rest and in motion
Data Breach from Authorized Access
• Data breach can result from unauthorized use or
  disclosure of SPI by employee or agent
   – Even if their acquisition was authorized and in good faith
   – Even if their use or disclosure was not unlawful
• Safe harbor for encrypted data applies here, too




   Focus: Recent court decisions held that unauthorized use or disclosure
   of data by employees or agents did not violate the Computer Fraud and
   Abuse Act where their access to the data was authorized
Long Arm Duty to Notify
Must disclose data breach to any individual whose SPI
is reasonably believed to have been acquired
   – Act formerly required notice to Texas residents only
• Deference to other states’ laws
   – Texas law is satisfied by notice provided under the data breach
     law of states where affected individuals reside
   – Texas law mandates a notice when the data breach laws of those
     other states do not




   Focus: Contrast MA privacy law 201 CMR 17.00, which applies to
   data of MA residents no matter where it is held
Timing of Notification
Must disclose data breach as quickly as possible
• Two permitted reasons for delay:
  1. As necessary to determine the scope of the breach and restore
     the reasonable integrity of the data system
  2. At the request of a law enforcement agency
      – Only if that agency determined notification will impede a criminal
        investigation
      – Must provide notice as soon as that agency later determines
        notification will not compromise the investigation



   Focus: It is not clear how impede differs from compromise
   Focus: It is not clear how a business is expected to know if or when
   the agency makes its determinations
Form of Notification
Business may notify affected individuals by:
• written notice, or
• electronic notice

Three exceptions:
1. If the business can demonstrate any of:
     – cost > $250,000
     – number of affected persons > 500,000
     – insufficient contact information
   then it may give notice by any of:
     – email
     – conspicuous posting on the business’ website
     – notice via major statewide media
2. If the business:
     – maintains its own SPI security policy notification procedures, and
     – its procedures meet the statute’s notice timing requirements,
   then notice under that policy satisfies the statute

    Tip: Maintain a SPI security policy with notification procedures
    consistent with Texas data breach notice law

3. If the business:
     – is required by the Act to notify > 10,000 persons at one time,
   then the business must without unreasonable delay also
     – notify each nationwide consumer reporting agency of the:
         • notice timing
         • notice distribution
         • notice content
Duty to Destroy Sensitive Personal Information
Must destroy or arrange for destruction of customer
records containing SPI which are not going to be
retained
• Destruction methods:
   – Shred
   – Erase
   – Make SPI unreadable or indecipherable
       • E.g., encryption
Penalties
§521.151 civil penalties and injunctions
• Restraining order for conduct that violates the Act
• $2,000 to $50,000 per violation
• $100 per individual for each consecutive day of unreasonable delay
  in providing notice of a data breach
   – Capped at $250,000 per data breach
Two Principal Texas Privacy Statutes




 Identity Theft Enforcement and Protection Act


         Medical Records Privacy Act
Texas Medical Records Privacy Act
Health & Safety Code Chapter 181
   http://www.statutes.legis.state.tx.us/Docs/HS/htm/HS.181.htm
• Amended by H.B. No. 300 effective September 1, 2012
   http://www.capitol.state.tx.us/tlodocs/82R/billtext/pdf/HB00300F.pdf
Both HIPAA and Texas MRA May Apply

§181.004 refers to applicability of Texas and federal law
• Texas MRA refers to Covered Entity as defined in both . . .
    – 45 C.F.R. §160.103
        • Must comply with HIPAA and its Privacy Standards
    – Texas Health & Safety Code §181.001(b)(2)
        • Must comply with Texas MRA*
• A business might be a . . .
    – Texas Covered Entity even if not a HIPAA Covered Entity
    – Covered Entity under both laws




        Tip: Consider standardizing compliance programs to meet the most
        restrictive applicable requirement

*Subject to the partial exemptions under §181.051
Covered Entity Broader Than HIPAA
§181.001(b)(2) expansively defines Covered Entity
• Generally includes persons who assemble, collect, analyze, use,
  evaluate, store, transmit, obtain or come into possession of PHI
    – Includes their employees, agents, and contractors who create, receive,
      obtain, maintain, use or transmit PHI
    – Includes a business associate, health care payer, governmental unit,
      information or computer management entity, school, health researcher,
      health care facility, clinic, health care provider, and person who maintains
      an Internet site
• Unlike HIPAA, no exception for conduit entities that only transmit PHI
    – E.g., couriers
Limited Exemptions
Subchapter B offers a few exemptions
• For example:
   – §181.051 makes employers, and entities defined in the Insurance
     Code, subject only to Subchapter D (Prohibited Acts)
   – §181.052 exempts certain financial institution activities, such as
     payment processing
   – §181.054 exempts workers compensation activities
More Training Than HIPAA
§181.101 requires Covered Entity to provide and record employee
training in PHI protection laws
• Content
    – Must cover federal and Texas laws concerning PHI
    – Tailored for the Covered Entity’s business and the employee’s responsibilities
• Timing
    – New employee: Within 60 days after hire
    – Existing employee: Not specified
    – All employees: Recurring every two years
    – HIPAA requires training
        • within a reasonable amount of time after hire
        • when there are material changes in privacy policies
• Record-keeping
    – Must require employees attending training to sign (can be electronic or written)
      a statement verifying attendance
    – Must maintain the signed statements (no time limit)

  Tip: Combine with training on policies and procedures
EHR Access, Notice and Consent
• §181.102: Must give patient an electronic copy of EHR within
  15 business days of written request
    – HIPAA allows 30 days
• §181.154: Must notify individuals that PHI is subject to
  electronic disclosure
    – Can be satisfied by posting in the place of business, on the website or in
      any other place those individuals are likely to see the notice
• §181.154: Must get consent for each electronic disclosure of PHI
    – Consent can be electronic or written
    – Texas AG is to develop standard form
    – Not required if disclosed to a Covered Entity for treatment, payment, health
      care operations, insurance or HMO functions, or as authorized or required
      by law



     Tip: Add website notice of electronic disclosure of PHI
Sale of PHI
• §181.153: Covered Entity generally cannot disclose
  PHI for direct or indirect remuneration
    – Except to another Covered Entity for treatment, payment, health
      care operations, insurance or HMO functions, or as authorized or
      required by federal or state law
        • Remuneration for disclosing PHI for the purpose of performing an insurance or
          HMO function described by Insurance Code §602.053 cannot exceed the
          reasonable cost of preparing or transmitting the PHI
        • No remuneration cap otherwise
• §181.152 generally requires clear, unambiguous consent to use or
  disclose PHI for marketing
Audits
• §181.206 authorizes Texas authorities to monitor HIPAA
  compliance
    – Can ask U.S. HHS to audit HIPAA Covered Entities in Texas
    – Must monitor and review the results of all U.S. HHS audits of
      HIPAA Covered Entities in Texas
• If Texas MRA violations are egregious and constitute a pattern or
  practice, §181.206 authorizes Texas HHS to:
    – Require Covered Entity to submit results of any risk analysis
      required by 45 C.F.R. Section 164.308(a)(1)(ii)(A)
    – Ask the Texas agency that licenses the Covered Entity to conduct
      an audit to determine compliance with Texas MRA

Texas HHS must report the number of audits to the legislature annually
Increased Penalties
• §181.201 authorizes Texas AG to institute court actions to
  impose civil penalties for Texas MRA violations
    – Texas AG incentivized by ability to retain a portion of penalties
    – Texas AG cannot institute an action against a Covered Entity licensed by
      Texas unless the licensing agency refers the violation to the Texas AG
• Annual penalties up to:
    – $5,000 per negligent violation
    – $25,000 per knowing or intentional violation
    – $250,000 per knowing or intentional violation if PHI is used for financial gain
• Those penalties are capped at $250,000 annually if all the following apply:
    – For disclosure of electronic PHI in violation of §181.154
    – Made only to a Covered Entity
    – Made only for a purpose permitted by §181.154(c)
    – A court finds any of the following:
        • The PHI was encrypted
        • The recipient did not use or release the PHI
        • At the time the PHI was disclosed, the Covered Entity had
          security procedures, including PHI training for employees
Increased Penalties (cont.)
• §181.201 authorizes court to assess civil penalty of
  up to $1.5 million annually for violations that constitute a pattern
  or practice
    – Formerly capped at $250,000
• Court must consider in determining the amount of penalties:
    – the seriousness of the violation
    – if the violation poses a significant risk of financial, reputational or other harm to
      an individual whose PHI is involved
    – if Covered Entity was certified by Texas Health Services Authority for
      compliance with electronic PHI sharing standards
    – deterrence
    – compliance history
    – efforts to correct the violation
    – good faith compliance efforts
• Federal and Texas penalties both may apply
• Injunctions, administrative penalties, license actions,
  and Texas program bans may also apply
Key Recommendations
A business may benefit from:
• Written policies to protect Sensitive Personal Information and
  Protected Health Information
• Written procedures to protect SPI and PHI
• Written procedures for data breach response
• Annual privacy risk and data breach insurance coverage analysis
• Monitoring and auditing privacy and data security procedures
• Recurring privacy law training for employees and contractors
• Revising HIPAA Business Associate Agreements to cover state laws
• Revising written privacy policies to reflect amended state laws
• Updating privacy notices
• Encrypting SPI and PHI while at rest and in motion
Questions




2016 02-23 Is it time for a Security and Compliance Assessment?2016 02-23 Is it time for a Security and Compliance Assessment?
2016 02-23 Is it time for a Security and Compliance Assessment?
 
2017-01-24 Introduction of PCI and HIPAA Compliance
2017-01-24 Introduction of PCI and HIPAA Compliance2017-01-24 Introduction of PCI and HIPAA Compliance
2017-01-24 Introduction of PCI and HIPAA Compliance
 
Cybersecurity Law and Risk Management
Cybersecurity Law and Risk ManagementCybersecurity Law and Risk Management
Cybersecurity Law and Risk Management
 
2018 01-25 Introduction to PCI and HIPAA Compliance
2018 01-25 Introduction to PCI and HIPAA Compliance 2018 01-25 Introduction to PCI and HIPAA Compliance
2018 01-25 Introduction to PCI and HIPAA Compliance
 
Data Risks In A Digital Age
Data Risks In A Digital Age Data Risks In A Digital Age
Data Risks In A Digital Age
 
Introduction to US Privacy and Data Security Regulations and Requirements (Se...
Introduction to US Privacy and Data Security Regulations and Requirements (Se...Introduction to US Privacy and Data Security Regulations and Requirements (Se...
Introduction to US Privacy and Data Security Regulations and Requirements (Se...
 
201 CMR 17.00
201 CMR 17.00201 CMR 17.00
201 CMR 17.00
 
Growing trend of finding2013-11 Growing Trend of Finding Regulatory and Tort ...
Growing trend of finding2013-11 Growing Trend of Finding Regulatory and Tort ...Growing trend of finding2013-11 Growing Trend of Finding Regulatory and Tort ...
Growing trend of finding2013-11 Growing Trend of Finding Regulatory and Tort ...
 
Introduction to US Privacy and Data Security: Regulations and Requirements
Introduction to US Privacy and Data Security: Regulations and RequirementsIntroduction to US Privacy and Data Security: Regulations and Requirements
Introduction to US Privacy and Data Security: Regulations and Requirements
 
The 5 Things All In-House Counsel Need to Know about Privacy + Data Security
The 5 Things All In-House Counsel Need to Know about Privacy + Data SecurityThe 5 Things All In-House Counsel Need to Know about Privacy + Data Security
The 5 Things All In-House Counsel Need to Know about Privacy + Data Security
 
Protection of Personal Information Bill (POPI)
Protection of Personal Information Bill (POPI)Protection of Personal Information Bill (POPI)
Protection of Personal Information Bill (POPI)
 
CSMFO 2012 Data Privacy in Local Government
CSMFO 2012 Data Privacy in Local GovernmentCSMFO 2012 Data Privacy in Local Government
CSMFO 2012 Data Privacy in Local Government
 
Pubcon Privacy Legal Presentation by David Mink
Pubcon Privacy Legal Presentation by David MinkPubcon Privacy Legal Presentation by David Mink
Pubcon Privacy Legal Presentation by David Mink
 
Cybersecurity and Data Privacy Whistleblower Protections
Cybersecurity and Data Privacy Whistleblower ProtectionsCybersecurity and Data Privacy Whistleblower Protections
Cybersecurity and Data Privacy Whistleblower Protections
 
What You Need To Know About Privacy Now!
What You Need To Know About Privacy   Now!What You Need To Know About Privacy   Now!
What You Need To Know About Privacy Now!
 
What You Need To Know About Privacy Now!
What You Need To Know About Privacy   Now!What You Need To Know About Privacy   Now!
What You Need To Know About Privacy Now!
 
Meeting the Challenges of HIPAA Compliance, Phishing Attacks, and Mobile Secu...
Meeting the Challenges of HIPAA Compliance, Phishing Attacks, and Mobile Secu...Meeting the Challenges of HIPAA Compliance, Phishing Attacks, and Mobile Secu...
Meeting the Challenges of HIPAA Compliance, Phishing Attacks, and Mobile Secu...
 
DAMA Webinar: The Data Governance of Personal (PII) Data
DAMA Webinar: The Data Governance of  Personal (PII) DataDAMA Webinar: The Data Governance of  Personal (PII) Data
DAMA Webinar: The Data Governance of Personal (PII) Data
 
Introduction to Data Security Breach Preparedness with Model Data Security Br...
Introduction to Data Security Breach Preparedness with Model Data Security Br...Introduction to Data Security Breach Preparedness with Model Data Security Br...
Introduction to Data Security Breach Preparedness with Model Data Security Br...
 
All_you_need_to Know_About_the_Data_Privacy_Act.pdf
All_you_need_to Know_About_the_Data_Privacy_Act.pdfAll_you_need_to Know_About_the_Data_Privacy_Act.pdf
All_you_need_to Know_About_the_Data_Privacy_Act.pdf
 

Texas Privacy Laws - Tough New Changes

  • 1. Texas Privacy Laws Tough New Changes
  • 2. Speaker James F. Brashear General Counsel Zix Corporation Jim Brashear is a member of the Bar of the United States Supreme Court, the California Bar Association and the State Bar of Texas. He frequently appears as a public speaker on corporate governance, data security and information technology legal topics. He currently serves the Association of Corporate Counsel on its Information Technology, Privacy & Electronic Commerce Committee as Programs Co-Chair and Cloud/SaaS Co-Chair. He received a Juris Doctorate degree, magna cum laude, from the University of San Diego School of Law, and a Bachelor of Arts degree in political science from the University of California at San Diego. Twitter @jfbrashear This program is for educational purposes only. The content does not constitute legal advice. No attorney-client relationship is created by your participation.
  • 3. Overview
      - Texas recently amended privacy laws protecting:
          – Protected Health Information (PHI)
          – Sensitive Personal Information (SPI)
      - A business may be simultaneously subject to:
          – Texas Identity Theft Enforcement and Protection Act
          – Texas Medical Records Privacy Act
          – HIPAA and HITECH
      - New amendments:
          – Broaden scope of Texas privacy laws
          – Add new requirements
          – Impose new penalties
      - New medical privacy laws are stricter than HIPAA
  • 4. Two Principal Texas Privacy Statutes Identity Theft Enforcement and Protection Act Medical Records Privacy Act
  • 5. Identity Theft Enforcement and Protection Act
      Business and Commerce Code Chapter 521
      http://www.statutes.legis.state.tx.us/Docs/BC/htm/BC.521.htm
      - Amended by H.B. No. 300 effective September 1, 2012
        http://www.capitol.state.tx.us/tlodocs/82R/billtext/pdf/HB00300F.pdf
  • 6. Broad Scope
      Applies to virtually all businesses operating in Texas
      - Includes most healthcare businesses
      - Specifically includes nonprofit athletic or sports associations
      - Excludes financial institutions under Gramm-Leach-Bliley Act
      Focus: It is not clear how the Act will be applied to:
      • SPI stored outside Texas
      • Non-Texas business SPI stored in Texas
      • Non-Texas business SPI of Texas residents
  • 7. Duty to Protect Sensitive Personal Information
      Business and Commerce Code §521.052
      Business must use reasonable procedures to protect from unlawful use or disclosure any sensitive personal information collected or maintained in its regular course of business
      Focus: In contrast to Massachusetts 201 CMR 17.01, Texas does not mandate encryption – but Texas does:
      • exclude some encrypted data completely
      • exclude encrypted data from data breach notice rules
      • mitigate penalties if data was encrypted
  • 8. Sensitive Personal Information
      §521.002(a)(2) defines two types of SPI:
      1. Personal identifying information
         An individual's first name or first initial + their last name + any of their following:
           - social security number
           - driver's license number
           - government-issued identification number, or
           - account number or credit or debit card number plus any financial account security code, access code, or password
      - Encryption exclusion for this type
          – If the name and the listed items are encrypted, then they are not treated as SPI at all
      Tip: Encrypt all sensitive data, at rest and in motion
  • 9. Sensitive Personal Information
      §521.002(a)(2) defines two types of SPI:
      2. Medical identifying information
         Information that identifies an individual and relates to their:
           - physical or mental health or condition
           - provision of health care, or
           - payment for provision of health care
      - No encryption exclusion for this type . . .
      - Treated as SPI even if encrypted . . . but there is an encryption safe harbor from data breach notification
      - Consistent with HIPAA
      Tip: Encrypt all sensitive data, at rest and in motion
  • 10. Data Breach from Unauthorized Acquisition
      §521.053(a) defines Breach of System Security
      - Unauthorized acquisition of computerized data that compromises SPI security, confidentiality or integrity
      - Safe harbor for encrypted data
          – No data breach results from unauthorized acquisition of encrypted data unless the decryption key was also acquired
          – No notification required
      Focus: The statute does not require a business to monitor its systems to detect a data breach
      Tip: Encrypt all sensitive data, at rest and in motion
  • 11. Data Breach from Authorized Access
      - Data breach can result from unauthorized use or disclosure of SPI by employee or agent
          – Even if their acquisition was authorized and in good faith
          – Even if their use or disclosure was not unlawful
      - Safe harbor for encrypted data applies here, too
      Focus: Recent court decisions held that unauthorized use or disclosure of data by employees or agents did not violate the Computer Fraud and Abuse Act where their access to the data was authorized
  • 12. Long Arm Duty to Notify
      Must disclose data breach to any individual whose SPI is reasonably believed to have been acquired
          – Act formerly required notice to Texas residents only
      - Deference to other states’ laws
          – Texas law is satisfied by notice provided under the data breach law of states where affected individuals reside
          – Texas law mandates a notice when the data breach laws of those other states do not
      Focus: Contrast MA privacy law 201 CMR 17.00, which applies to data of MA residents no matter where it is held
  • 13. Timing of Notification
      Must disclose data breach as quickly as possible
      - Two permitted reasons for delay:
          1. As necessary to determine the scope of the breach and restore the reasonable integrity of the data system
          2. At the request of a law enforcement agency
              - Only if that agency determined notification will impede a criminal investigation
              - Must provide notice as soon as that agency later determines notification will not compromise the investigation
      Focus: It is not clear how impede differs from compromise
      Focus: It is not clear how a business is expected to know if or when the agency makes its determinations
  • 14. Form of Notification
      Business may notify affected individuals by:
      - written notice, or
      - electronic notice
      Three exceptions:
      1. If the business can demonstrate any of:
          – cost > $250,000
          – number of affected persons > 500,000
          – insufficient contact information
         then it may give notice by any of:
          – email
          – conspicuous posting on the business’ website
          – notice via major statewide media
  • 15. Form of Notification
      Business may notify affected individuals by:
      - written notice, or
      - electronic notice
      Three exceptions:
      2. If the business:
          – maintains its own SPI security policy notification procedures, and
          – its procedures meet the statute’s notice timing requirements,
         then notice under that policy satisfies the statute
      Tip: Maintain a SPI security policy with notification procedures consistent with Texas data breach notice law
  • 16. Form of Notification
      Business may notify affected individuals by:
      - written notice, or
      - electronic notice
      Three exceptions:
      3. If the business:
          – is required by the Act to notify > 10,000 persons at one time,
         then the business must without unreasonable delay also
          – notify each nationwide consumer reporting agency of the:
              - notice timing
              - notice distribution
              - notice content
  • 17. Duty to Destroy Sensitive Personal Information
      Must destroy or arrange for destruction of customer records containing SPI which are not going to be retained
      - Destruction methods:
          – Shred
          – Erase
          – Make SPI unreadable or indecipherable
              - E.g., encryption
  • 18. Penalties
      §521.151 civil penalties and injunctions
      - Restraining order for conduct that violates the Act
      - $2,000 to $50,000 per violation
      - $100 per individual for each consecutive day of unreasonable delay in providing notice of a data breach
          – Capped at $250,000 per data breach
  • 19. Two Principal Texas Privacy Statutes Identity Theft Enforcement and Protection Act Medical Records Privacy Act
  • 20. Texas Medical Records Privacy Act
      Health & Safety Code Chapter 181
      http://www.statutes.legis.state.tx.us/Docs/HS/htm/HS.181.htm
      - Amended by H.B. No. 300 effective September 1, 2012
        http://www.capitol.state.tx.us/tlodocs/82R/billtext/pdf/HB00300F.pdf
  • 21. Both HIPAA and Texas MRA May Apply
      §181.004 refers to applicability of Texas and federal law
      - Texas MRA refers to Covered Entity as defined in both . . .
          – 45 C.F.R. §160.103
              - Must comply with HIPAA and its Privacy Standards
          – Texas Health & Safety Code §181.001(b)(2)
              - Must comply with Texas MRA*
      - A business might be a . . .
          – Texas Covered Entity even if not a HIPAA Covered Entity
          – Covered Entity under both laws
      Tip: Consider standardizing compliance programs to meet the most restrictive applicable requirement
      *Subject to the partial exemptions under §181.051
  • 22. Covered Entity Broader Than HIPAA
      §181.001(b)(2) expansively defines Covered Entity
      - Generally includes persons who assemble, collect, analyze, use, evaluate, store, transmit, obtain or come into possession of PHI
          – Includes their employees, agents, and contractors who create, receive, obtain, maintain, use or transmit PHI
          – Includes a business associate, health care payer, governmental unit, information or computer management entity, school, health researcher, health care facility, clinic, health care provider, and person who maintains an Internet site
      - Unlike HIPAA, no exception for conduit entities that only transmit PHI
          – E.g., couriers
  • 23. Limited Exemptions
      Subchapter B offers a few exemptions
      - For example:
          §181.051 makes employers, and entities defined in the Insurance Code, subject only to Subchapter D (Prohibited Acts)
          §181.052 exempts certain financial institution activities, such as payment processing
          §181.054 exempts workers compensation activities
  • 24. More Training Than HIPAA
      §181.101 requires Covered Entity to provide and record employee training in PHI protection laws
      - Content
          – Must cover federal and Texas laws concerning PHI
          – Tailored for the Covered Entity’s business and the employee’s responsibilities
      - Timing
          New employee: Within 60 days after hire
          Existing employee: Not specified
          All employees: Recurring every two years
          – HIPAA requires training
              - within a reasonable amount of time after hire
              - when there are material changes in privacy policies
      - Record-keeping
          – Must require employees attending training to sign (can be electronic or written) a statement verifying attendance
          – Must maintain the signed statements (no time limit)
      Tip: Combine with training on policies and procedures
  • 25. EHR Access, Notice and Consent
      §181.102: Must give patient an electronic copy of EHR within 15 business days of written request
      - HIPAA allows 30 days
      §181.154: Must notify individuals that PHI is subject to electronic disclosure
      - Can be satisfied by posting in the place of business, on the website or in any other place those individuals are likely to see the notice
      §181.154: Must get consent for each electronic disclosure of PHI
      - Consent can be electronic or written
      - Texas AG is to develop standard form
      - Not required if disclosed to a Covered Entity for treatment, payment, health care operations, insurance or HMO functions, or as authorized or required by law
      Tip: Add website notice of electronic disclosure of PHI
  • 26. Sale of PHI
      §181.153: Covered Entity generally cannot disclose PHI for direct or indirect remuneration
      - Except to another Covered Entity for treatment, payment, health care operations, insurance or HMO functions, or as authorized or required by federal or state law
          – Remuneration for disclosing PHI for the purpose of performing an insurance or HMO function described by Insurance Code §602.053 cannot exceed the reasonable cost of preparing or transmitting the PHI
          – No remuneration cap otherwise
      §181.152 generally requires clear, unambiguous consent to use or disclose PHI for marketing
  • 27. Audits
      §181.206 authorizes Texas authorities to monitor HIPAA compliance
      - Can ask U.S. HHS to audit HIPAA Covered Entities in Texas
      - Must monitor and review the results of all U.S. HHS audits of HIPAA covered entities in Texas
      If Texas MPA violations are egregious and constitute a pattern or practice, §181.206 authorizes Texas HHS to:
      - Require Covered Entity to submit results of any risk analysis required by 45 C.F.R. Section 164.308(a)(1)(ii)(A)
      - Ask the Texas agency that licenses the Covered Entity to conduct an audit to determine compliance with Texas MPA
      Texas HHS must report the number of audits to the legislature annually
  • 28. Increased Penalties
      §181.201 authorizes Texas AG to institute court actions to impose civil penalties for Texas MPA violations
          – Texas AG incentivized by ability to retain a portion of penalties
          – Texas AG cannot institute an action against a Covered Entity licensed by Texas unless the licensing agency refers the violation to the Texas AG
      - Annual penalties up to:
          – $5,000 per negligent violation
          – $25,000 per knowing or intentional violation
          – $250,000 per knowing or intentional violation if PHI is used for financial gain
      - Those penalties are capped at $250,000 annually if all the following apply:
          – For disclosure of electronic PHI in violation of §181.154
          – Made only to a Covered Entity
          – Made only for a purpose permitted by §181.154(c)
          – A court finds any of the following:
              - The PHI was encrypted
              - The recipient did not use or release the PHI
              - At the time the PHI was disclosed, the Covered Entity had security procedures, including PHI training for employees
  • 29. Increased Penalties (cont.)
      §181.201 authorizes court to assess civil penalty of up to $1.5 million annually for violations that constitute a pattern or practice
          – Formerly capped at $250,000
      - Court must consider in determining the amount of penalties:
          – the seriousness of the violation
          – if the violation poses a significant risk of financial, reputational or other harm to an individual whose PHI is involved
          – if Covered Entity was certified by Texas Health Services Authority for compliance with electronic PHI sharing standards
          – deterrence
          – compliance history
          – efforts to correct the violation
          – good faith compliance efforts
      - Federal and Texas penalties both may apply
      - Injunctions, administrative penalties, license actions, and Texas program bans may also apply
  • 30. Key Recommendations
      A business may benefit from:
      - Written policies to protect Sensitive Personal Information and Protected Health Information
      - Written procedures to protect SPI and PHI
      - Written procedures for data breach response
      - Annual privacy risk and data breach insurance coverage analysis
      - Monitoring and auditing privacy and data security procedures
      - Recurring privacy law training for employees and contractors
      - Revising HIPAA Business Associate Agreements to cover state laws
      - Revising written privacy policies to reflect amended state laws
      - Updating privacy notices
      - Encrypting SPI and PHI while at rest and in motion
  • 31. Questions
      This program is for educational purposes only. The content does not constitute legal advice. No attorney-client relationship is created by your participation.