Friday, February 26, 2010

Top 3 questions relating to compliance with 201 CMR 17.00

At the beginning of the "countdown" to the March 1st effective date of 201 CMR 17.00, we offered some posts with "misapprehensions" and compliance suggestions (see
16 Days to March 1..... and Countdown to compliance with 201 CMR 17.00.....11 days). Here are some questions that have been recurring over the last few weeks:

1) What should I be doing about the requirement relating to third party service providers and how does my company get "assurances" that those service providers (like payroll and benefits) are in compliance?

The answer to this will depend upon the kind of access and extent of information that the vendors have. Some companies have created extensive third-party/vendor PI due diligence forms and processes. In the end, all your vendors should provide their own attestation that they are capable of meeting the requirements of 201 CMR 17.00 as part of the vendor review process, and it should be part of the contract. Depending on the situation, targeted risk assessments of vendors may be appropriate, as well as detailed security exhibits attached to contractual agreements. With existing service providers, if the contract is in place by Monday, you will have two years to amend it... but you should be addressing the security safeguard issues now.

2) What about faxes? How can I encrypt those, and is that required under 201 CMR 17.04?

A rather complex answer, but if the fax machine is using the Plain Old Telephone Service (POTS to telecom engineers), this is not a "Public Transport" as used in 17.04(3). POTS is a private, switched, two-party connection. The fax transmission in this case is simply not traveling over a public connection... and does not need to be encrypted, nor would the fax machine require encryption key technology. There are many other concerns with the "process" of sending and receiving faxes; most of these fall under logical or physical access controls that are required elsewhere in 201 CMR 17.00. One note of caution: there are many fax systems that are NOT 100% based on POTS or on private switched network technology. If your business uses eFax or some other Internet-based form of transmission that may be going to a traditional fax machine -- it's POTS to me, but an email to you that is traveling over the public network. If you have a concern about the security of PI in a process, then you most likely have something which needs to be locked down and controlled.

3) We have a good handle on the computer system security requirements and the technical issues, including the whole portable device issue, but what about all that paper?

Start with the basics - do you really need to have the PI in paper format, and do you need as much as you have? If you don't have it, you can't lose it. Keep track of what is in the file, so missing items will be noticed, and to enable you to comply with data breach notification obligations if the worst happens. Simple things like: use color-coding and labels to indicate the sensitivity of the file; consider whether the original or a copy can be taken, and if a copy, track the number of copies and stamp them; physically attaching documents to a folder makes copying/losing items more difficult. Use log-in/out records for the files. Remind employees to keep the records in sight or in a safe location when out of sight - use a briefcase lock if there is one, keep files in the trunk of the car and not on the car seat. The most important step is to make sure the plan is followed and to TRAIN EMPLOYEES. Companies can craft great policies and procedures to handle PI and comply with 201 CMR 17.00. But if employees and third parties are not educated and trained in these policies, then compliance with the law is highly unlikely! Training, training, training. Security awareness is a big key to avoiding the unfortunate data breach.


And, it's Friday, February 26th......

And that means today is the last business day before the new Massachusetts data security regulations go live -- as Jim Cramer would say, "That's 201 CMR 17.00 for all you home gamers."

Thursday, February 25, 2010

“Stunning”/ “Shear Madness” – Reaction to Google Convictions

The reactions are coming in fast and furious to yesterday’s conviction of three Google executives in an Italian court. Linked here are just a few of the more than 1,000 media stories on the decision so far.

Google privacy convictions in Italy spark outrage
Larger Threat Is Seen in Google Case - NYTimes.com
Conviction of Google Execs in Italy Shear Madness
Kerry: Sending Google execs to prison 'unjust' - The Hill's Hillicon Valley

Wednesday, February 24, 2010

BREAKING NEWS: Google Executives Convicted on Privacy Charges in Italy

In the first case of its kind, an Italian judge today convicted three Google executives on privacy violations in Milan court. Global Privacy Counsel Peter Fleischer, Chief Legal Officer David Drummond, and another executive were found guilty of failing to comply with Italian privacy code in allowing a disparaging video to be posted online. A fourth defendant was acquitted. All three will appeal the decision.

Judge Oscar Magi ordered a six-month suspended jail sentence and fines for Fleischer, Drummond and former Google Italy board member George De Los Reyes. The three were absolved of defamation charges. The case stems from the posting of a video to Google Video Italia showing teenage boys taunting a classmate with Down syndrome. Prosecutors charged that the executives did not do enough to keep the offensive video off the site. In a statement, Peter Fleischer said the ruling sets a dangerous precedent. “If company employees like me can be held criminally liable for any video on a hosting platform…then our liability is unlimited.” He said today’s decision raises questions for the operators of many Internet platforms.

Stay tuned.

Monday, February 22, 2010

Today's compliance deadline - Enforcement of the HITECH/HIPAA data breach notification rule

February and March are just full of significant deadlines for privacy/security reporting and compliance.

Today is the day that the Health & Human Services Office of Civil Rights begins to enforce the HITECH/HIPAA data breach notification rule. To "celebrate" the occasion, the agency publicly posted the first list of reported breaches affecting 500 or more individuals. The list is available on the HHS’ website, but I thought I would post it here. Reasonably instructive... see any trends?

Breaches Affecting 500 or More Individuals
As required by section 13402(e)(4) of the HITECH Act, the Secretary must post a list of breaches of unsecured protected health information affecting 500 or more individuals. The following breaches have been reported to the Secretary.

| Entity | State (or City and State) | Business Associate Involved | Approx. # of Individuals Affected | Date of Breach | Type of Breach | Location of Breached Information |
|---|---|---|---|---|---|---|
| The Methodist Hospital | Texas | | 689 | 1/18/10 | Theft | Computer |
| Carle Clinic Association | Illinois | | 1,300 | 1/13/10 | Theft | Paper Records and Films |
| Ashley and Gray DDS | Missouri | | 9,309 | 1/10/10 | Theft | Desktop Computer |
| Educators Mutual Insurance Association of Utah | Utah | Health Behavior Innovations | 5,700 | 12/27/09 | Theft | CDs |
| Goodwill Industries of Greater Grand Rapids, Inc. | Michigan | | 10,000 | 12/15/09 | Theft | Backup Tapes |
| Private Practice | Stoughton, MA | | 1,860 | 12/11/09 | Theft | Portable Electronic Device/Electronic Medical Record |
| AvMed, Inc. | Florida | | 359,000 | 12/10/09 | Theft | Laptop |
| Blue Island Radiology Consultants | Illinois | United Micro Data | 2,562 | 12/09/09 | Loss | Backup Tapes |
| Private Practice | Wilmington, NC | Rick Lawson, Professional Computer Services | 2,000 | 12/08/09 | Hacking/IT Incident | Computer/Network Server/Electronic Medical Record |
| Kaiser Permanente Medical Care Program | California | | 15,500 | 12/01/09 | Theft | Portable Electronic Device |
| University of California, San Francisco | California | | 7,300 | 11/30/09 | Theft | Laptop |
| Detroit Department of Health and Wellness Promotion | Michigan | | 646 | 11/26/09 | Theft | Laptop, Desktop Computer |
| Advocate Health Care | Illinois | | 812 | 11/24/09 | Theft | Laptop |
| Concentra | Texas | | 900 | 11/19/09 | Theft | Laptop |
| Children's Medical Center of Dallas | Texas | | 3,800 | 11/19/09 | Loss | Portable Electronic Device |
| Universal American, Inc. | New York | Democracy Data & Communications, LLC | 83,000 | 11/12/09 | Incorrect Mailing | Postcards |
| Massachusetts Eye and Ear Infirmary | Massachusetts | | 1,076 | 11/10/09 | Theft | Other |
| Kern Medical Center | California | | 596 | 10/31/09 | Theft | Paper Records |
| Blue Cross Blue Shield Association | District of Columbia | Service Benefits Plan Administrative Services Corp. | 3,400 | 10/26/09 | Unauthorized Access | Mailings |
| Detroit Department of Health and Wellness Promotion | Michigan | | 10,000 | 10/22/09 | Theft | Portable Electronic Device |
| The Children's Hospital of Philadelphia | Pennsylvania | | 943 | 10/20/09 | Theft | Laptop |
| Public Employee Health Insurance Plan (Kentucky Employees' Health Plan) | Kentucky | | 676 | 10/20/09 | Misdirected E-mail | E-mail |
| Brooke Army Medical Center | Texas | | 1,000 | 10/16/09 | Theft | Paper Records |
| Alaska Department of Health and Social Services | Alaska | | 501 | 10/12/09 | Theft | Portable USB Device |
| Cogent Healthcare of Wisconsin, S.C. | Tennessee | Cogent Healthcare, Inc. | 6,400 | 10/11/09 | Theft | Laptop |
| Health Services for Children with Special Needs, Inc. | District of Columbia | | 3,800 | 10/09/09 | Loss | Laptop |
| Blue Cross Blue Shield Association | District of Columbia | Merkle Direct Marketing | 15,000 | 10/07/09 | Unauthorized Access | Mailings |
| Blue Cross Blue Shield of Tennessee | Tennessee | | 500,000 | 10/02/09 | Theft | Hard Drives |
| City of Hope National Medical Center | California | | 5,900 | 9/27/09 | Theft | Laptop |
| Private Practice | Torrance, CA | | 6,145 | 9/27/09 | Theft, Unauthorized Access | Desktop Computer |
| Private Practice | Torrance, CA | | 5,166 | 9/27/09 | Theft, Unauthorized Access | Desktop Computer |
| Private Practice | Torrance, CA | | 5,257 | 9/27/09 | Theft, Unauthorized Access | Desktop Computer |
| Private Practice | Torrance, CA | | 857 | 9/27/09 | Theft, Unauthorized Access | Desktop Computer |
| Private Practice | Torrance, CA | | 952 | 9/27/09 | Theft, Unauthorized Access | Desktop Computer |
| University of California, San Francisco | California | | 610 | 9/22/09 | Phishing Scam | Email |
| Mid America Kidney Stone Association, LLC | Missouri | | 1,000 | 9/22/09 | Theft | Network Server |
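To make the "see any trends?" question concrete, here is an added example (not from this post and not an HHS tool) that parses a handful of the entries above and tallies them by breach type, by how many people each type touched, and by whether the data sat on a device or medium that can leave the building. The records are embedded as constructed text in a simple "Field: Value" layout of our own (the "Entity:" label is ours, not HHS's), and the function names and the portable-media keyword list are assumptions.

```python
"""Tally HHS-style breach reports by type and by where the data lived.

Added example. The one-field-per-line layout below is a constructed
rendering of the HHS listing, not the format the HHS site uses.
"""
import re
from collections import Counter

# Constructed sample: seven of the entries reported to HHS, one field per
# line, blank line between records, values as they appear in the post.
SAMPLE = """\
Entity: AvMed, Inc.
State: Florida
Approx. # of Individuals Affected: 359,000
Date of Breach: 12/10/09
Type of Breach: Theft
Location of Breached Information: Laptop

Entity: Blue Island Radiology Consultants
State: Illinois
Business Associate Involved: United Micro Data
Approx. # of Individuals Affected: 2,562
Date of Breach: 12/09/09
Type of Breach: Loss
Location of Breached Information: Backup Tapes

Entity: Private Practice
City and State: Wilmington, NC
Business Associate Involved: Rick Lawson, Professional Computer Services
Approx. # of Individuals Affected: 2,000
Date of Breach: 12/08/09
Type of Breach: Hacking/IT Incident
Location of Breached Information: Computer/Network Server/Electronic Medical Record

Entity: Universal American, Inc.
State: New York
Business Associate Involved: Democracy Data & Communications, LLC
Approx. # of Individuals Affected: 83,000
Date of Breach: 11/12/09
Type of Breach: Incorrect Mailing
Location of Breached Information: Postcards

Entity: Blue Cross Blue Shield of Tennessee
State: Tennessee
Approx. # of Individuals Affected: 500,000
Date of Breach: 10/02/09
Type of Breach: Theft
Location of Breached Information: Hard Drives

Entity: University of California, San Francisco
State: California
Approx. # of Individuals Affected: 610
Date of Breach: 9/22/09
Type of Breach: Phishing Scam
Location of Breached Information: Email

Entity: Private Practice
City and State: Torrance, CA
Approx. # of Individuals Affected: 6,145
Date of Breach: 9/27/09
Type of Breach: Theft, Unauthorized Access
Location of Breached Information: Desktop Computer
"""

# Assumption: keywords that mark media/devices which can physically walk away.
PORTABLE_WORDS = ("laptop", "portable", "usb", "tapes", "cds", "hard drives")


def parse_records(text):
    """Split blank-line-separated records into dicts of field -> value."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            field, _, value = line.partition(":")
            rec[field.strip()] = value.strip()
        records.append(rec)
    return records


def affected(rec):
    """Turn '359,000' into 359000."""
    return int(rec["Approx. # of Individuals Affected"].replace(",", ""))


def is_portable_media(location):
    """Heuristic: does the location describe portable media or a laptop?"""
    loc = location.lower()
    return any(word in loc for word in PORTABLE_WORDS)


def summarize(records):
    """Count incidents and affected people per breach type; a record listing
    'Theft, Unauthorized Access' counts once under each type."""
    by_type, people_by_type = Counter(), Counter()
    for rec in records:
        for kind in (k.strip() for k in rec["Type of Breach"].split(",")):
            by_type[kind] += 1
            people_by_type[kind] += affected(rec)
    return {
        "total_records": len(records),
        "incidents_by_type": dict(by_type),
        "people_by_type": dict(people_by_type),
        "portable_media_incidents": sum(
            1 for r in records if is_portable_media(r["Location of Breached Information"])),
        "business_associate_incidents": sum(
            1 for r in records if "Business Associate Involved" in r),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_records(SAMPLE)).items():
        print(f"{key}: {value}")
```

On this sample, theft of laptops, tapes and drives dominates the incident count and the head count, and three of the seven incidents involved a business associate, which is the same pattern the full listing above shows and the reason the encryption and vendor-contract requirements get so much attention.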

HITECH Act Compliance Date Arrived -- Without the Promised Regulatory Guidance

We have been so focused on the upcoming Massachusetts data security deadline that we let one go by last week without fanfare. As we have gently reminded you on several occasions, the new HIPAA privacy and security rules contained in the Health Information Technology for Economic and Clinical Health Act (HITECH) became effective on February 17th.

The HITECH Act was passed as part of the “Stimulus Bill” on February 17, 2009. Although rumors continue to swirl that additional regulations will be forthcoming shortly (the latest rumor is that the East Coast blizzard slowed down the review and approval process), it is clear that they were not out as of the February 17th effective date. Therefore, covered entities and their business associates must act immediately on the terms of the HITECH statute itself.

HITECH imposes new HIPAA rules on covered entities and their business associates. New data breach notification rules require covered entities to review any possible wrongful disclosures to determine whether to warn individuals or notify the federal government or the press. Covered entities should have policies in place to meet these requirements in the event of a breach. Covered entities should review and revise their business associate agreements and their other policies and procedures as well.

HITECH also makes most HIPAA rules applicable directly to business associates. If your company serves healthcare providers or insurance plans (including group health plans), and you receive health information, you are probably a business associate and are covered by these changes. Most importantly, business associates must adopt HIPAA policies and procedures to protect the security of the information they collect, hold and use. In addition to the contractual obligations business associate agreements put on them, business associates are now directly liable under HIPAA.

T Minus 10,080 Minutes and Counting.....

We have just one week to go before all entities that own, store, license -- or basically do anything with -- personal information of Massachusetts residents must comply with the Commonwealth's new data security regulations. Things to consider:
  • Have you done your risk assessment? Looked at what you collect and how you collect and how it is transmitted through and outside your organization?
  • Have you reached out to service providers that may have access to PI of your employees/customers?
  • Is your written information security plan in place, or at least have you started pulling together the various policies and processes ("P&P") that would make up a "written information security plan"? Is the plan tailored to your actual P&P and thus an accurate representation of what your business really does (and not a template with [insert company name here])?
  • Have you thought about employee security awareness training?

Wednesday, February 17, 2010

Countdown to compliance with 201 CMR 17.00.....11 days

As we approach the 10 day mark to the March 1 effective date of the Massachusetts data security regulations, 201 CMR 17.00, we thought that we would share another misapprehension in the ever-growing list.

"I ordered one of those $99 "Compliance Kits" from the Internet, and they say that they will "certify" that I am compliant. I should be all set."

You might be -- but then again, we are not sure that we would bet the company on it. First, if any packaged template provider or consultant promises to issue a "certification" of your company's compliance with 201 CMR 17.00, run the other way. There are no standards that would form the basis for any such "certification," and neither the Attorney General nor the Office of Consumer Affairs and Business Regulation has authorized any such "certifications."

The Attorney General's office has been clear in various outreach programs across the state -- any company that chooses anything less than "strict compliance" with the very specific requirements of the written information security and control requirements in the Standards will need to be able to legally support their decision based on the risk elements in the Standards. In other words, did you do something more than insert your company's name in the pre-fab "policy" that you purchased?

The Massachusetts Standards take a hybrid approach to privacy/security requirements and require specific controls mandated through a general risk-based framework. Without a legal analysis to interpret and apply the risk-based factors to your particular business and business processes, companies run a serious risk with "one size fits all" templates.

The main question on March 1 should be: "If the worst happens, how comfortable are we defending our legal position to the Attorney General's office concerning our information security program and security controls under the law?" And where will the provider of that $99 template or "certification" be by that time?

Thursday, February 11, 2010

16 Days to March 1.....

Just in case you missed it, March 1 is the deadline for compliance with 201 CMR 17.00, the new Massachusetts data security regulations, and we published a client alert last week as a "reminder"... Privacy and Security Alert.

In addition to the top five "misapprehensions" about the applicability of the new regulations that we included in the Privacy and Security Alert, here are a couple of others:

"We are a [law][dental][medical] practice and have [patient][client] confidentiality obligations. The regulations do not apply to our activities."

Patient/client confidentiality obligations are separate and apart from the requirements of 201 CMR 17.00. The Data Security Regulations apply to any entity "in commerce" that owns, stores, licenses or maintains the personal information of Massachusetts residents. It is highly likely in the course of a medical practice that the practice would have at least patient name, address and social security number. Also, because a health insurance number entitles one to obtain benefits and could impose a financial burden on the individual in the wrong hands, such an account number could also be "PI". Lawyers with trusts and estates practices, immigration practices and employment practices will certainly have some amount of PI in their files. Lawyers may have PI that is obtained in the course of conducting transactions (real estate closings, private placements, etc.), on certain tax forms to make payments, or on other types of transactional documents. All of these would come under the Data Security Regulations, and a Plan must be developed for administrative, physical and technical safeguarding of the PI.

"We only have 5 employees. Isn't there an exemption for small companies?"
There is no "small company exemption" under the Data Security Regulations. If you are "in commerce," the requirements of 201 CMR 17.00 to safeguard PI apply to you. However, the Data Security Regulations also state that your Plan for safeguarding such PI may be commensurate with the size and resources of your business and the scope of the PI. If you do not have any PI other than that of your employees, and all of that is under lock and key in a single file cabinet, then your Plan can state exactly that. But, you must have a Plan.

New Facebook privacy lawsuits

Facebook has been hit with two new potential class-action lawsuits stemming from recent revisions to its privacy settings.

The cases, filed recently in federal district court in San Jose, Calif. on behalf of nine Facebook users, allege that the new settings are "confusing and materially deceptive" and lessened their privacy. "Facebook has violated the privacy rights of the members of the Facebook.com Web site, misappropriated their personal information, and converted that information for commercial use by means of materially deceptive conduct," the complaints allege.

Late last year, Facebook sparked controversy by classifying a host of data as "publicly available information" -- including users' names, profile pictures, cities, networks, lists of friends and pages that people are fans of. Facebook also changed the default settings for many users to share-everything, spurring criticism that users who reviewed their settings quickly and accepted the defaults might inadvertently share more than they had intended. The consumers who sued allege that the opt-out controls offered by Facebook are "misleading and very difficult for them to use."

Monday, February 1, 2010

Roundtable data privacy and security discussions on YouTube

See a series of Data & IT Security Roundtable discussions with thought leaders: www.youtube.com/user/JaxsonGroup

Tracking the cookie crumbs

Disabling cookies may not be the answer to controlling your online identity. Regardless of whether you have cookies enabled or not, Web sites collect certain amounts of operational information about your browser. The Electronic Frontier Foundation has detailed how companies can use browser-configuration information to identify users, and also launched a new project, Panopticlick, aimed at testing just how useful this type of data is for tracking people.

Once the sites collect these browser "fingerprints," then according to the EFF, those sites can theoretically recognize some visitors upon their return regardless of whether they still have their cookies. Additionally, a technology expert with EFF says that sites that identify a returning browser based on the configuration data -- or, perhaps, a combination of configuration data and IP address -- can then restore any cookies previously associated with that browser.

Using technologies that effectively override the end user's choice of what, and how much, information to make available invites future regulation and may violate some existing privacy regulations.
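The EFF measures a fingerprint's usefulness in bits of identifying information: if a browser's configuration is shared by a fraction p of the population, seeing it tells the site -log2(p) bits about who is visiting. The added example below (our code, not Panopticlick's, and not an EFF tool) makes that measurement over a constructed population of eight browser configurations, showing why attributes that are individually common become identifying once combined, and why two identically built corporate desktops still cannot be told apart. The attribute names, the population and the function names are assumptions; a privacy engineer can feed real survey data into the same functions to decide which settings are worth restricting.

```python
"""Measure how identifying browser-configuration attributes are, the way
Panopticlick reports it: bits = -log2(share of browsers with the same value).

Added example over a constructed population; not EFF code.
"""
import hashlib
import math
from collections import Counter

ALL_ATTRS = ("user_agent", "timezone", "screen", "plugins", "fonts")

# Constructed population (not real survey data). Note c4 and c5 are
# deliberately identical: two desktops from the same corporate image.
POPULATION = [
    {"user_agent": "Firefox/3.6", "timezone": "-300", "screen": "1280x800",
     "plugins": "Flash 10,QuickTime", "fonts": 41},
    {"user_agent": "Firefox/3.6", "timezone": "-300", "screen": "1024x768",
     "plugins": "Flash 10", "fonts": 38},
    {"user_agent": "Firefox/3.6", "timezone": "-480", "screen": "1280x800",
     "plugins": "Flash 10,Java", "fonts": 52},
    {"user_agent": "Firefox/3.6", "timezone": "-300", "screen": "1280x800",
     "plugins": "Flash 10", "fonts": 41},
    {"user_agent": "IE8", "timezone": "-300", "screen": "1024x768",
     "plugins": "Flash 10,Silverlight", "fonts": 60},
    {"user_agent": "IE8", "timezone": "-300", "screen": "1024x768",
     "plugins": "Flash 10,Silverlight", "fonts": 60},
    {"user_agent": "IE8", "timezone": "-480", "screen": "1024x768",
     "plugins": "Flash 10", "fonts": 45},
    {"user_agent": "Chrome/4", "timezone": "-300", "screen": "1280x800",
     "plugins": "Flash 10", "fonts": 30},
]


def fingerprint(config, attrs):
    """Stable digest of the chosen attributes: SHA-256 over sorted k=v pairs."""
    material = "|".join(f"{k}={config[k]}" for k in sorted(attrs))
    return hashlib.sha256(material.encode()).hexdigest()[:16]


def surprisal_bits(config, population, attrs):
    """Bits of identifying information the attribute set yields for this
    configuration within the population (Panopticlick's metric)."""
    fp = fingerprint(config, attrs)
    matches = sum(1 for c in population if fingerprint(c, attrs) == fp)
    return -math.log2(matches / len(population))


def unique_fraction(population, attrs):
    """Share of the population whose fingerprint is unique under these attrs."""
    counts = Counter(fingerprint(c, attrs) for c in population)
    unique = sum(1 for c in population if counts[fingerprint(c, attrs)] == 1)
    return unique / len(population)


def bits_per_attribute(population, attrs=ALL_ATTRS):
    """Average surprisal each attribute yields on its own: which settings leak
    the most is what you want to know before deciding what to restrict."""
    return {a: sum(surprisal_bits(c, population, (a,)) for c in population)
               / len(population) for a in attrs}


if __name__ == "__main__":
    me = POPULATION[0]
    for attrs in (("user_agent",), ("user_agent", "timezone", "screen"), ALL_ATTRS):
        print(f"{'+'.join(attrs)}: {surprisal_bits(me, POPULATION, attrs):.2f} bits, "
              f"{unique_fraction(POPULATION, attrs):.0%} of browsers unique")
    for attr, bits in bits_per_attribute(POPULATION).items():
        print(f"  {attr}: {bits:.2f} bits on its own")
```

For the first browser, user agent alone gives 1 bit (half the population runs Firefox 3.6), adding time zone and screen size gives 2 bits, and the full attribute set gives 3 bits, which in a population of eight means it is unique; the two identical corporate desktops never rise above 2 bits no matter how many attributes are read. The same arithmetic is why EFF's real population of hundreds of thousands of browsers reported most fingerprints as unique.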

Related Article

MediaPost - Flash Cookies Could Become Hot-Button Privacy Issue

27 days and counting...

March 1st is the deadline for compliance with the Massachusetts data security regulations, 201 CMR 17.00. We have blogged incessantly for months about the need to get compliance programs into gear and develop information security plans as required by the regulations. The time is here.

If you are one of the procrastinators (and you are not alone), the basic information and the regulations can be found at the Office of Consumer Affairs and Business Regulation website. If you are larger than a mom-and-pop shop, however, you rely on the template information security plan at some considerable risk.

Over the next week or so, we will be blogging with preparedness tips, so come back often.