I sat in a webinar on CyberSecurity Law: The Best Offense is a Good Defense sponsored by Pillsbury Winthrop Shaw Pittman LLP. One aspect of the presentation was the Health Information Technology for Economic and Clinical Health Act.
This created the first federal data breach notification law. It also substantially revised HIPAA regulations regarding privacy and security.
A “Breach” means:
- Unauthorized access, use or disclosure of Public Health Information
- That compromises the security, privacy or integrity of the Public Health Information
- Does not include unintentional disclosures if made in good faith and within the course and scope of employment or a business associate relationship, provided that the Public Health Information is not further acquired, accessed, used or disclosed
The difference between the HITECH Act and the state data breach notification laws deals with encryption, not security. It focuses on medical information, not just financial/identification information. Only California and Texas include medical information in their data breach notification laws.
The regulations from the FTC are very detailed. You must notify each US citizen and resident whose information was acquired by an unauthorized person, and the FTC. The burden is on the company to demonstrate that all required notifications were made.
Sending the breach notification:
- By 1st class mail to last known address
- By email “if specified as preference by the individual” (express affirmative consent required – pre-checked boxes and disclosures in TOS/Privacy Policy are NOT sufficient)
- May provide notice via telephone or other means if the Breach is deemed to require urgency (e.g., due to possible imminent misuse of PHI)
Notification may be delayed for law enforcement purposes, consistent with the HIPAA Privacy Rule.
If more than 10 individuals are affected, the Covered Entity must:
- post notice on its home page (and on “landing pages” for existing account holders (FTC))
- provide notice to major print/broadcast media in the relevant geographic area, including a toll-free phone number
- must be prominent, clear and conspicuous, stated in plain language and run multiple times
Jurisdiction is split between the FTC and Health and Human Services. You are still subject to state enforcement of data breaches under state law.