By David Holtzman, JD, CIPP, Executive Advisor, CynergisTek
Twitter: @cynergistek
Twitter: @HITPrivacy
State governments are not waiting for the United States Congress to pass a comprehensive national set of data privacy and cybersecurity standards. Each of the 50 states now has its own breach notification laws, with nearly one-half adopting data security and/or data disposal requirements to protect consumers’ personally identifiable information (PII) from unauthorized disclosure. While most states are not taking a sectorial approach to the type of PII that must be protected, New York and South Carolina have adopted cybersecurity requirements that target industries that include health plans and insurers.
A number of state attorneys general (AGs) are bringing enforcement actions to protect consumer information from unauthorized disclosure. AGs in Massachusetts, New York, and New Jersey have been extremely aggressive, collecting millions of dollars in settlements from healthcare systems and an assortment of IT services vendors for failing to safeguard data containing sensitive personal information.
A recent Pennsylvania Supreme Court ruling could alter the landscape even further. In a sweeping decision in a case where a cybersecurity incident resulted in the theft of employee PII which was alleged to have been used for financial fraud and identity theft, the court found that those that collect PII have a legal duty under Common Law to use reasonable safeguards to prevent its theft or unauthorized access.
The California Consumer Privacy Act (CCPA) is on track to have a significant impact on healthcare organizations and their business partners when it goes into effect in January 2020. Although the California legislature quickly passed an amendment and technical correction that rolled back some of the act’s provisions to exempt data that is regulated by the HIPAA privacy standards – sparing some health care organizations from the state law’s requirements – the act will cover many businesses throughout the U.S. that collect the personal information of California residents through their physical or digital presence in the state. The act gives consumers many new rights over their data and will pose real compliance challenges for companies that are covered by the law.
Every participant in the healthcare industry should take steps now to assess what state requirements need to be met in their day-to-day operations as well as in the event of an incident in which data is compromised. The scope of the information required to perform the needed assessment must be undertaken through a team approach. It is likely that vital details will be needed from outside the organization, such as outside legal counsel, business management services or a third-party information technology vendor.
Some key issues that may need to be addressed include:
- Identify each of the states in which your organization has a business presence.
- This question has both practical and legal implications.
- Many states have passed laws to define what it means to be doing business in its state, including by merely having a digital presence.
- Seek advice of legal counsel to assist in identifying what activities comprise doing business in a specific state.
- Identify and inventory what personally identifiable information is created, transmitted, or maintained by, or on behalf, of your organization.
- Include data in all forms and from any source (e.g. employees, patients or enrollees, online marketing, or website tracking).
- What is the state of residency for each individual that has contributed PII?
- It may be necessary to refer to state specific definitions of “what is PII?” to perform a complete inventory.
- Research and review the laws in each state in which your organization does business or holds the PII of a state’s residents.
- How does that state define PII?
- What is a “breach” and when is the breach reportable; who must receive notification; and, when must notifications be made?
- What are the applicable state data protection or data disposal standards?
- Are there industry specific cybersecurity program requirements (e.g. NY, SC)?
- How do state laws and requirements apply third-party vendors when they maintain data PII?
- Pay particular attention in assessing if your organization is doing business in California
- Carefully review the requirements of the CCPA and to who they apply.
- Is any part of your organization a for-profit business?
- Does your organization have greater than $25 million in total revenue or annually handle the PII of 50,000 California residents through a physical or digital presence?
- Seek the advice of legal counsel in answering these questions and assessing if your organization is subject to CCPA.
- Carefully review the requirements of the CCPA and to who they apply.
State breach notification and data protection laws to safeguard consumer PII have created a patchwork of complex, and potentially conflicting obligations. The tiered cybersecurity program requirements in New York and South Carolina, and California’s pending CCPA privacy notice, accounting of disclosure and opt-out provisions will be challenging. The cost of compliance will be substantial. The penalties and litigation costs for those organizations that do not yet effectively protect all their PII will be backbreaking.