Apr 222018

The Canadian Press reports:

Ottawa. Credit: Dreamstime.

Federal data breach regulations set to take effect Nov. 1 will require mandatory reporting of security breaches that pose a “real risk of significant harm,” but give businesses flexibility about how that’s done.

Ottawa has rolled out the long-awaited requirements in a notice in the Canada Gazette that indicates the government wanted to protect consumers without overburdening private-sector organizations with excessive costs or complexity.

Read more on OHS Canada.

Apr 182018

Michael Bertoncini writes:

Health insurance carriers often provide explanation of benefits (EOB) summaries to the policyholder specifying the type and cost of health care services received by dependents covered by the policy. EOBs often disclose sensitive information regarding the mental or physical health condition of adult dependents. Massachusetts has now enacted a law, an act to protect access to confidential health care (the PATCH Act), that permits patients to require their insurance carriers to send their medical information only to them as opposed to the policyholder. This will permit a spouse or adult child of the policyholder to keep medical information from being shared with the policyholder. The law also requires insurance carriers to use a common summary of payments form to be developed by the Massachusetts Division of Insurance. The law takes effect April 1, 2019; however, any carrier that has the capacity to provide electronic access to common summary of payments forms prior to that date must do so.

Read more on Jackson Lewis Workplace Privacy, DataManagement & Security Report.

Apr 062018

David Stauss of Ballard Spahr writes:

In March, we reported that the Oregon legislature was considering amending its data breach notification and information security laws. That legislation has now passed the Oregon legislature and been signed into law by Oregon’s governor.  A copy of the new law is available here. The most notable changes are as follows:

Amendments to Oregon’s Breach Notification Law, O.R.S. 646A.604

  • The law expands the scope of those who must provide notice of a security breach to include a person who “otherwise possesses” personal information. Existing law applies only to persons who own or license personal information.
  • The law requires that notice of the breach be provided “in the most expeditious manner possible, without unreasonable delay, but not later than 45 days after discovering or receiving notification of the breach of security.” The law continues to define “breach of security” as “an unauthorized acquisition of computerized data that materially compromises the security, confidentiality or integrity of personal information that a person maintains.” With this amendment, Oregon joins a growing number of states that have moved away from ambiguous timing language and instead require notice to be provided in a specific number of days.
  • Notably, HIPAA covered entities are exempt from the 45-day notice requirement.

Read more on JDSupra.

Apr 062018

Hunton & Williams write:

As reported in BNA Privacy Law Watch, on March 21, 2018, South Dakota enacted the state’s first data breach notification law. The law will take effect on July 1, 2018, and includes several key provisions:

  • Definitions of Personal Information and Protected Information. The law defines personal information as a person’s first name or first initial and last name in combination with any one or more of the following data elements: (1) Social Security Number; (2) driver’s license number or other unique identification number created or collected by a government body; (3) account, credit card or debit card number, in combination with any required security code, access code, password, routing number, PIN or any additional information that would permit access to a person’s financial account; (4) health information; and (5) an identification number assigned to a person by the person’s employer in combination with any required security code, access code, password, or biometric data generated from measurements or analysis of human body characteristics for authentication purposes. The law further defines “protected information” as (1) a username or email address in combination with a password, security question answer, or other information that permits access to an online account; and (2) account number or credit or debit card number, in combination with any required security code, access code, or password that permits access to a person’s financial account. Notably, the definition of “protected information” does not include a person’s name.
  • Breach Notification Requirement. The law requires notification to affected individuals (and, in certain circumstances, the Attorney General, as explained below) in the event of unauthorized acquisition of unencrypted computerized data (or encrypted computerized data and the encryption key) by any person that materially compromises the security, confidentiality or integrity of personal information or protected information.

Read more on Privacy & Information Security Law Blog.

Apr 062018

Yesterday, I posted an item about a settlement between New Jersey and Virtua Medical Group after a 2016 data leak by their transcription vendor exposed approximately 1,600 patients’ information on the internet.  New Jersey took the position that this was a HIPAA violation and that the entity was responsible for what its vendor had done or not done.

But the NJ settlement is just one clue that things may be changing in terms of holding entities responsible for vendors. Adam H. Greene and Rebecca L. Williams of Davis Wright Tremaine write:

Recent statements at the 27th National HIPAA Summit suggest that the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) may be changing its position and expecting a greater level of vendor due diligence under HIPAA. Although surprising to many, the HIPAA regulations do not specifically require vendor due diligence or monitoring. Rather, HIPAA requires a business associate agreement (BAA) and that the covered entity take action upon learning of a business associate’s pattern of activity or practice in breach of the BAA. The same is true with respect to the relation between business associates and their subcontractors.

Read more on DWT.com.