We now have a precise date for the European Union’s General Data Protection Regulation to go into effect: May 25, 2018. The official version has been published and is available here. The GDPR, in its official published version, contains 87 densely-packed pages of recitals and articles, and many new and expanded obligations for both “controllers” and “processors” of personal data. Many companies will need the full two years’ lead time to bring their operations and contracts into compliance. (Read our bullet point summary here.)
If you have had to provide data breach notices across any number of states (and who hasn’t…), you know that the states vary widely in how those notices must be provided to regulators. In some states (for example, California, North Carolina, Indiana, and New York), the Attorney General’s office has established an online portal that must be used for breach notices. In other states, notice letters must be sent to one or more regulators.
Pursuant to the Massachusetts data breach notification statute, M.G.L. c. 93H, notices must be provided to the affected residents, the Attorney General’s office, and the Office of Consumer Affairs and Business Regulation (OCABR). As if Massachusetts’ sui generis statutory content requirement for resident notices were not enough (you must tell affected residents that a breach occurred, but the notice may not describe the nature of the breach), OCABR has now created its own online notice submission portal, which is a separate form and not just a place to upload a copy of the AG notice. A letter sent out earlier this month also says “It is important to note that this electronic submission form only satisfies the notification requirement for OCABR. The submission does not relieve businesses of their legal obligation to separately notify the AGO and the affected Massachusetts residents.”
Make sure you update your incident response plan to account for this additional notice requirement.
At long last, the Department of Health and Human Services Office for Civil Rights (OCR) has released a revamped audit protocol that now addresses the requirements of the 2013 Omnibus Final Rule. OCR will be using the audit protocol for its impending Phase 2 audits of covered entities and business associates, which are set to begin next month.
The protocol covers the following subject areas:
- Privacy Rule requirements for (1) notice of privacy practices for PHI, (2) rights to request privacy protection for PHI, (3) access of individuals to PHI, (4) administrative requirements, (5) uses and disclosures of PHI, (6) amendment of PHI, and (7) accounting of disclosures.
- Security Rule requirements for administrative, physical, and technical safeguards.
- Breach Notification Rule requirements.
OCR has also released other materials that shed light on the logistics of the audit process, including a copy of the Audit Pre-Screening Questionnaire that it will use to collect demographic information about covered entities and business associates. OCR will use this information to create a pool of potential auditees.
Entities selected for audit will be required by OCR to identify and provide detailed information regarding their business associates. The information collected by OCR will be used to help identify business associates for the Phase 2 audits. OCR has released a template with the information that covered entities will have to provide, including the business associate’s name, contact information, type of services, and website.
Covered entities and business associates should be working to ensure that they have the required compliance documents and materials ready, especially given OCR’s aggressive timetable: if selected for an audit, an auditee will have only 10 days to respond to OCR.
As we have discussed previously on this blog, the audit protocol is an excellent HIPAA compliance tool, especially for audit readiness assessment. Unfortunately, the version of the tool on the OCR website can be unwieldy to use in practice. In order to assist covered entities and business associates with their HIPAA compliance efforts, we have repackaged the audit protocol into a more user-friendly format that can be downloaded here.
Originally posted to Mintz Levin’s Health Law & Policy Matters Blog on 4/20/16
Please join us in our webinar at 1 pm EDT today to learn more about the Article 29 Working Party’s opinion on Privacy Shield (register here). We will look at the opinion’s likely impact on Privacy Shield’s rocky progress through the EU bureaucracy, as well as on the legal attacks that we expect Privacy Shield will face if and when it is ultimately adopted by the Commission.
UPDATE: The Article 29 Working Party has released surprisingly brief comments on Privacy Shield, available here. Consistent with the press briefing held earlier today (see below), WP29 has concluded that Privacy Shield falls short without providing specific guidance as to what, exactly, an acceptable version of Privacy Shield would look like.
Earlier today, the Article 29 Working Party (“WP29”) held a press conference to give a preview of its assessment of the proposed EU-US Privacy Shield arrangements that were slated to replace the struck-down Safe Harbor program and bring much-needed certainty to companies that transfer personal data from the EU to the US.
While full comments will be available later today, we know now that WP29 has declined to give Privacy Shield its support. It appears that WP29 has serious concerns about whether the ability of US national security agencies to conduct mass surveillance is adequately limited. WP29 is also skeptical about the rights of redress for EU residents and would prefer that EU residents be able to bring complaints immediately via their local EU data protection authorities. We will cover the WP29 assessment more fully during our webinar on Thursday, April 14. Register here. In the meantime, for those who would like to listen to the press briefing, an audio recording is available here: https://scic.ec.europa.eu/streaming/article-29-working-party
As we reported last month, the FCC was preparing a proposed rulemaking (NPRM) to establish privacy and data security requirements for broadband internet access service (BIAS) providers. The FCC has now released that proposal with comments and reply comments due May 27th and June 27th respectively.
The brief background to this proposal is that in 2015, the FCC adopted net neutrality rules in its Open Internet Order, which reclassified BIAS as a common carrier telecommunications service subject to regulation under Title II of the Communications Act. The Commission determined that, as a consequence of reclassification, Section 222 of the Communications Act, which is part of Title II, would now apply to BIAS providers. Section 222 regulates a telecommunications carrier’s use and disclosure of Customer Proprietary Network Information (“CPNI”), which includes information related to the quantity, location, and amount of use of a telecommunications service. The FCC concluded in its Open Internet Order that the existing rules implementing Section 222 were telephone-centric and ill-suited to BIAS, and so chose to forbear from applying those rules to ISPs. With this latest release, the FCC is proposing a new set of rules implementing Section 222 that would apply to BIAS providers.
Everyone loves a good courtroom drama. So just imagine this pitch: henchmen of an evil dictator hack their way into a movie studio’s computer system. Once inside, they steal the most sensitive personal information of the studio’s stars, executives and employees. Their most intimate secrets, spilled over the Internet. Who can help these poor souls? Why, the brave and hard-working class action lawyers, that’s who. Through grit, pluck and lawyerly derring-do, our intrepid heroes soon bring the evil wrongdoers to justice. Think “The Manchurian Candidate” meets “Erin Brockovich.”
But real life is rarely like the movies, even when it involves the movies. Yes, Sony Pictures Entertainment (“SPE”) did suffer a cyberattack that disclosed employees’ personally identifiable information (“PII”). The data breach was allegedly perpetrated by North Korean hackers in retaliation for SPE’s release of “The Interview,” a satirical comedy depicting an attempt on the life of North Korean dictator Kim Jong-Un. And class action litigation predictably followed. But the evil wrongdoers who faced the wrath of class counsel? Alas, the hackers were inconveniently beyond the reach of our legal system and, thus, unavailable to answer for their crime. So SPE, the studio victimized by the hack, would have to do.
Our latest update to the Mintz Matrix, our state-by-state summary of data breach notification laws, is available here. It should be part of your incident response “toolbox” and part of your planning.
Some changes of note
Tennessee is the most recent state to amend its existing data breach notification law. Last week, the Governor signed into law an amendment that takes effect on July 1, 2016. The amendment:
- Joins several other states in tightening the notice period to “no later than 45 days from the discovery or notification of the breach…”
- Eliminates the “encryption safe harbor,” i.e., notification obligations are triggered even where the accessed or acquired data elements are encrypted.
- Specifically defines “unauthorized person” to include an employee “who is discovered … to have obtained personal information and intentionally used it for an unlawful purpose.”
California, Connecticut, Montana, Nevada, North Dakota, Oregon, Rhode Island, Washington and Wyoming all amended data breach laws in 2015. Some amendments signed into law in 2015 do not take effect until later this year, so make sure to note the effective dates on the Mintz Matrix when consulting various states.
What should you do now?
Spring cleaning. Given the number of changes at the state level (and no prospect of federal legislation easing this pain…), spring is a good time to review your incident response plan and data privacy policies to bring everything in line. In particular:
- Note tightened response deadlines (Rhode Island, Tennessee)
- Add identity theft prevention or identity theft mitigation services (Connecticut, California)
- Review data classification to take into account expanded definitions of personal information (Montana, Wyoming)
- Revise notice templates to comply with the new California format
As always, the Mintz Matrix is for informational purposes only and does not constitute legal advice or opinions regarding any specific facts relating to specific data breach incidents. You should seek the advice of experienced legal counsel (e.g., the Mintz Levin privacy team) when reviewing options and obligations in responding to a particular data security breach.
Hat tip to the newest member of the Mintz Levin Privacy team, Michael Katz, for great work on this update!
The HHS Office for Civil Rights (“OCR”) officially launched the long-awaited (and dreaded) Phase 2 of the HIPAA Audits Program on March 21st. Covered Entities and Business Associates need to be prepared for these audits and be on the lookout for emails (check your spam filter!) from OCR that will begin the audit process.
Why Audits? Why Now?
The Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH Act”) requires OCR to periodically audit both Covered Entities and Business Associates for compliance with the HIPAA Privacy, Security, and Breach Notification Rules. OCR conducted Phase 1 audits in 2011 and 2012. The Phase 1 audits examined only Covered Entities, and the results were generally disappointing: only 11% of the entities audited had no findings or observations, and many of the findings related to Security Rule compliance. After many delays, OCR is now proceeding with Phase 2.
For our HIPAA-covered entity readers, we have asked these questions before: Have you taken a business associate inventory? Have you undertaken a comprehensive risk assessment as required by HIPAA?
It’s all getting real – read on.