Privacy & Security
Training Course Companion
First Edition
Texas CASA
1501 West Anderson Lane, Suite B-2
Austin, Texas 78757
(512) 473-2627
Privacy & Security
1
Table of Contents
Introduction ............ 2
Background ............ 3
Confidentiality ............ 4
Privacy ............ 7
Security ............ 12
Breaches of Information ............ 21
Glossary ............ 23
Appendix A: Relevant State and Federal Laws ............ 25
Introduction
Not long ago, hackers were able to access the computer network of a local CASA program. The hackers then contacted the program’s executive director (ED) and told the ED that their system was being held hostage and would only be released for a substantial fee. When the ED contacted law enforcement, the recommendation was, “You better pay up. There’s nothing we can do.”
In a different part of the state, an employee inadvertently threw into the trash documents containing sensitive, personal information about some of the children in the program’s care. Luckily, the information was retrieved and disposed of properly, but not before causing some bad PR for the program.
This Course Companion will introduce you to the specific things you can do to protect the privacy and security of information and to the various laws, regulations, policies and procedures intended to help you do just that.
Background
Senate Bill 354[1], “Relating To The Transfer To The Health And Human Services Commission Of Contracting Authority For Children’s Advocacy Centers And Volunteer Advocate Programs”, went into effect Sept. 1, 2015. This legislation moved Texas CASA’s state-level funding from the Office of the Attorney General to the Health and Human Services Commission (HHSC).
As a result of this change, CASA programs in Texas must now comply with several
additional state and federal regulations. The most important of these is the Health
Insurance Portability and Accountability Act (HIPAA) originally enacted by Congress in
1996.
As of Sept. 1, 2015, HIPAA regulations apply to all CASA volunteers and staff (including
management), not just health care providers.
Among other things, HIPAA requires “covered entities”, such as HHSC, and their “business associates”, such as Texas CASA and all local CASA programs in Texas, to take specific actions to protect what the law refers to as protected health information (PHI).
Additionally, HIPAA and other related laws and regulations set specific rules and
guidelines for confidentiality, privacy, physical and information security, breach
notifications, and staff training.
As a result of these rules and guidelines, HHSC requires its “subcontractors” (e.g., Texas CASA and local programs) to adhere to additional regulations to protect all “confidential information”.
For details regarding the laws and regulations CASA programs in Texas must adhere to,
refer to Appendix A of this Course Companion.
If you have any questions or concerns about HIPAA and the other laws and regulations pertaining to the use and protection of confidential information, contact your program’s Privacy and Security Official. This is also the person you contact to report an actual or suspected breach of confidential information.
[1] http://www.capitol.state.tx.us/BillLookup/History.aspx?LegSess=84R&Bill=SB354
Confidentiality
CASA volunteers, and often CASA staff members, have access to confidential
information about children and the people involved in those children’s lives. In addition, CASA programs often maintain lists or databases of sensitive, confidential information
relating to donors, board members, etc.
As you already know, all volunteers and staff members are required to receive a
minimum level of training regarding the importance of confidentiality and must sign a
confidentiality agreement.
Much, if not all, of the material in this section, should not be new to you. However, it is
provided as a reminder not only to reiterate the importance of protecting sensitive and
confidential information, but also because we are now subject to more stringent laws
and regulations than in the past and it’s important that EVERY member of the CASA
community know and understand how to protect information.
According to the National CASA training curriculum:
“CASA volunteers may not release [confidential information] except to the child, CASA program staff, the attorney(s) on the case, the caseworker, the
court, and others as instructed by law or local court rule. There are strict
guidelines about who can have access to confidential information.”
By law, CASA volunteers must keep all information regarding the case confidential and
make no disclosure, except by court order or unless provided by law. Mistakes in
handling confidential information can be detrimental to the children involved and can
bring criminal action against the people who misuse the information.
In addition to protecting the information contained in a child’s case file, CASA programs also have a responsibility to protect the privacy and confidentiality of other forms of
sensitive information such as personnel records, donor records, financial data, and so
on.
Protecting Confidential Information Is Not Just the Volunteer’s Job.
Protecting the confidentiality and integrity of protected health information (PHI) and
other sensitive, confidential information is a responsibility shared by staff, volunteers,
board members, and anyone else in the CASA network who might have a role in
accessing or protecting that information. Shared responsibility has always been a part
of CASA culture. Not only is it required by law and by professional ethics, but it is also the
responsible thing to do.
HIPAA and related state and federal laws seek to protect confidential information by
ensuring that CASA program staff, volunteers, management and board members have a
clear understanding of how to protect confidential information as well as periodic
reminders and regular training opportunities to reinforce that understanding.
What Is Confidential Information?
As a volunteer or staff member on a case, your appointment order gives you the
authority to obtain a great deal of information that is, in fact, confidential. Child
Protective Services records are confidential and are not available for public inspection. It
is especially important that the name of any person who has made a report of suspected
child abuse and/or neglect not be revealed. School records are also confidential.
There are legal privileges that protect attorney/client, doctor/patient,
priest/parishioner, psychologist/patient, and caseworker/client communications. Such
communication, whether oral, written or electronic, is all confidential and must remain
so unless a court order specifically states otherwise.
You must regard as confidential any information that the source deems confidential. For
more information regarding confidentiality as defined by HIPAA and other laws and
regulations, refer to Appendix A of this Course Companion.
For a more in-depth discussion of confidentiality, refer to Chapter 7 of the National CASA Volunteer Training Curriculum[2].
[2] http://www.casaforchildren.org/site/c.mtJSJ7MPIsE/b.5466395/k.42E4/Volunteer_Training_Curriculum.htm (requires login)
Confidentiality Dilemmas
Questions of confidentiality in your role as a CASA volunteer or staff member are often
not clear-cut or easily recognized.
SCENARIO 1
Volunteer Shirley Colston was at her neighborhood swimming pool. A
neighbor, Stephanie Moore, asked Shirley what she did as a CASA volunteer.
Shirley thought Stephanie would be a great CASA volunteer and decided to
give her an example of what activities she had done on a recent case. Shirley
gave no case names and slightly changed the facts in the case to preserve
confidentiality. However, as Stephanie heard the altered details of the case,
she still recognized the similarities to an open CPS case involving her cousin.
What confidentiality breach do you see?
What problems could this cause for the child or the case?
Do you think this violates HIPAA?
Whenever you discuss sensitive, confidential information, remember two things:
1. Confidential information may only be used or disclosed for specific, WORK-RELATED
PURPOSES.
2. You must limit use or disclosure of confidential information to the MINIMUM
NECESSARY to do your job.
What are the Consequences of Breaches of Confidentiality?
The potential harm this could cause to the child should be obvious. But, in addition to
harming, endangering or simply embarrassing the child, breaches of confidentiality can
carry with them both civil and criminal penalties which will be discussed in subsequent
sections.
Privacy
Under HIPAA “covered entities” (such as HHSC) and their “business associates” (such as CASA programs in Texas) have an obligation to protect individually identifiable health
information, also known as “protected health information” or PHI.
In addition to HIPAA, other federal and state laws and agency regulations require
“contractors” like Texas CASA and “subcontractors” like all local programs in the CASA network in Texas to protect all “confidential information”.
CASA volunteers and program staff who have access to or disclose PHI must adhere to
HIPAA requirements. And as a result of Texas CASA’s new funding relationship with HHSC, all CASA programs in Texas are required to implement and follow certain policies
and procedures to help safeguard confidential information (oral, written or electronic).
According to HIPAA, PHI is generally defined as any information that can be used to
identify an individual – living or deceased – that relates to the individual’s past, present or future physical or mental health or condition, including healthcare services and
payments for those services.
When used to identify an individual and when combined with health information, HIPAA
identifiers create PHI.
Any of the following are considered PHI identifiers under HIPAA:
Patient names
Geographic subdivisions (smaller than a state)
Telephone and fax numbers
Social Security numbers
Vehicle identifiers
E-mail addresses
Web URLs and IP addresses
Dates (except year)
Names of relatives
Full face photographs or images
Healthcare record numbers
Account numbers
Biometric identifiers (fingerprints or voiceprints)
Device identifiers
Health plan beneficiary numbers
Certificate/license numbers
Any other unique number, code, or characteristic that can be linked to an individual.
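As an added example (it is not part of the Texas CASA companion or of any CASA system), the following Python script shows how a simple data-loss-prevention check can spot several of the identifier categories listed above in free text, such as a case note or the body of an outgoing email, before that text leaves in the clear. The regular expressions, function names and the sample case note are all constructed for this illustration; production DLP products use far more elaborate patterns and context rules to keep false positives down.

```python
import re
from typing import Dict, List

# Simple patterns for some of the HIPAA identifier categories named in the list
# above (SSN, phone, e-mail, dates, IP addresses, URLs, record numbers).
# Constructed for this example; a real scanner would tune these heavily.
IDENTIFIER_PATTERNS: Dict[str, re.Pattern] = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    # (512) 555-0147, 512-555-0147, 512.555.0147 ...
    "phone": re.compile(r"(?<!\d)(?:\(\d{3}\)\s?|\d{3}[-.\s])\d{3}[-.\s]\d{4}(?!\d)"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    # US-style month/day/year dates; HIPAA treats dates (except year) as identifiers
    "date": re.compile(r"\b(?:0?[1-9]|1[0-2])/(?:0?[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
    # Hypothetical record-number labels; adjust to the labels your forms actually use
    "record_number": re.compile(r"\b(?:MRN|Medicaid ID)[:#\s]*\d{6,}\b", re.IGNORECASE),
}


def find_identifiers(text: str) -> Dict[str, List[str]]:
    """Return every matched identifier, grouped by category, in order of appearance."""
    hits: Dict[str, List[str]] = {}
    for name, pattern in IDENTIFIER_PATTERNS.items():
        found = pattern.findall(text)
        if found:
            hits[name] = found
    return hits


def redact(text: str) -> str:
    """Replace each identifier with a bracketed tag naming its category."""
    for name, pattern in IDENTIFIER_PATTERNS.items():
        text = pattern.sub(f"[{name.upper()} REDACTED]", text)
    return text


def safe_to_send_unencrypted(text: str) -> bool:
    """Policy hook: text matching any identifier pattern must not go out in plain e-mail."""
    return not find_identifiers(text)


# Constructed sample case note; every name and number is fictional.
SAMPLE_NOTE = """Visited the placement on 03/14/2016. Foster mother can be reached at
(512) 555-0147 or fostermom@example.com. Child's Medicaid ID: 123456789.
SSN on file as 123-45-6789. Case dashboard: https://intranet.example/cases/42"""

if __name__ == "__main__":
    for category, values in find_identifiers(SAMPLE_NOTE).items():
        print(f"{category:14s} {values}")
    print()
    print(redact(SAMPLE_NOTE))
    print("OK to e-mail in clear text:", safe_to_send_unencrypted(SAMPLE_NOTE))
```

Run as a script it lists the identifiers found in the sample note, prints a redacted copy, and reports that the note is not safe to send unencrypted. A scanner like this is a safety net, not a substitute for the minimum-necessary rule: a note with no pattern matches can still contain confidential facts about a child.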
For more details about the HIPAA Privacy Rule, refer to the Code of Federal Regulation[3].
Protected health information does not include individually identifiable health information in education records covered by the Family Educational Rights and Privacy Act (FERPA), or employment records held by a program in its role as an employer, such as HR records showing an employee’s ADA status. However, this type of data is still considered “confidential information”.
In addition to protecting PHI, CASA staff and volunteers are responsible for protecting all
confidential information relating to the children we serve, not just their medical records.
Additionally, staff members are responsible for protecting sensitive, confidential
information relating to employees, donors, etc.
So, what else constitutes sensitive or confidential information?
Simply put, ANYTHING that could be used to identify an individual and that is not “publicly available”.
According to the Identity Theft Enforcement and Protection Act[4], it is “information that alone or in conjunction with other information identifies an individual”; but it does not include “publicly available information that is lawfully made available to the public from the federal government or a state or local government.”
According to HHSC, “confidential information” includes:
1. Client information
2. Protected health information (including electronic and unsecured PHI)
3. Sensitive personal information
4. Federal tax information
5. Personally identifiable information
6. Social security administration data (including Medicaid information)
7. All information designated as confidential under the constitution and laws of the State
of Texas and of the United States
[3] http://www.ecfr.gov/cgi-bin/text-idx?SID=7df19c2fbf329170fee0772e5dd82331&mc=true&node=pt45.1.164&rgn=div5#sp45.1.164.e
[4] http://www.statutes.legis.state.tx.us/Docs/BC/htm/BC.521.htm
For details regarding the laws and regulations CASA programs in Texas must adhere to, refer
to Appendix A of this Course Companion.
Prior Authorization Required
CASA volunteers and staff may access confidential information, but only when necessary to perform their job-related duties and only after they are authorized to do so.
Except in very limited circumstances, such as by court order, if a volunteer or staff
member discloses confidential information without prior authorization or without a
specific, job-related reason for doing so, they are violating federal and state laws, and
agency regulations, and may be subject to civil and criminal penalties.
Unauthorized Access
It is never acceptable for a volunteer or staff member to look at confidential information “just out of curiosity”, even if no harm is intended (e.g., retrieving an address to send a ‘get well’ card).
It is never acceptable for a volunteer or staff member to look at confidential information
about a child on another person’s behalf unless the volunteer or staff person is directly involved in the child’s case and must do so for job-related reasons.
SCENARIO 2
CASA volunteer Tonya Mills was at home working on her court report. She had
all of her case notes on her kitchen table when her friend Caitlyn stopped by
for coffee. While Tonya was preparing the coffee, Caitlyn read the top page of
Tonya’s case notes and learned the name of the family and several facts about the case. Later that day, Caitlyn was talking to her friend Amy and mentioned
the case to her. Amy is the juvenile court clerk in the county where the case is
open.
What confidentiality breach do you see?
What problems could this cause for the child or the case?
Do you think this is a violation?
Minimum Necessary
Even when volunteers and staff members are authorized to access or disclose sensitive,
confidential information, HIPAA requires that only that information that is the
MINIMUM NECESSARY to accomplish the intended purpose be used or disclosed.
Communicating in Public Areas
Be aware of your surroundings when discussing confidential information. Do not discuss
confidential information in public areas such as in restaurants, in school, while riding the
bus, etc.
Use caution when conducting conversations in:
semi-private rooms
waiting rooms
corridors
elevators and stairwells
SCENARIO 3
CASA volunteer Janie Bell was in the program office after a court hearing. She
overheard another volunteer talking to program staff about a case in which a
4-year-old girl was going to be placed for adoption as soon as her parents’ rights were terminated. Janie mentioned this adoption possibility to a friend
who wanted very much to adopt a child. This friend then called CPS to inquire
about adopting the 4-year-old girl.
What confidentiality breach do you see?
What problems could this cause for the child or the case?
Do you think this violates HIPAA?
Privacy Review
Confidential information exists in many forms: oral, written, and electronic.
There are a number of state and federal laws that impose privacy and security
requirements (and penalties), including the Texas Medical Records Privacy Act and
HIPAA.
Confidential information includes Social Security numbers, credit card numbers,
driver’s license numbers, personnel information, computer passwords, and PHI. When used to identify an individual and when combined with health information,
HIPAA identifiers create PHI.
Two primary HIPAA regulations are the Privacy Rule and the Security Rule.
Staff and volunteers must have written authorization or a job-related reason for accessing or disclosing confidential information.
Limit access to confidential information to the minimum necessary to do your job.
Be especially careful when discussing confidential information in public or semi-
private areas.
Security
“Eight years of research on data breach costs has shown employee behavior to be one of the most pressing issues facing organizations today.”
Top examples of “employee behavior” (a.k.a. human error):
failure to follow policies and procedures
general carelessness
failure to get up to speed on new threats
lack of expertise with websites and software
IT staff failure to follow policies and procedures
A MeriTalk study[5] found:
66% of federal network users believe security is time-consuming and restrictive.
69% say their work takes longer because of additional cyber security measures.
One in five users report an inability to complete work because of security measures.
31% of users work around security measures at least once a week.
A Forrester study[6] found:
36% of breaches stem from inadvertent misuse of data by employees.
42% received training on how to remain secure at work, which means 58% haven't had training at all.
57% say they’re not even aware of their organization’s current security policies.
25% say a breach occurred because of abuse by a malicious insider.
[5] http://www.federaltimes.com/article/20131015/IT01/310150006/Report-Many-employees-bypass-cybersecurity-measures
[6] http://www.forrester.com/Understand+The+State+Of+Data+Security+And+Privacy+2013+To+2014/fulltext/-/E-RES82021
The HIPAA Security Rule concentrates on safeguarding PHI by focusing on the
confidentiality, integrity, and availability of PHI. Confidentiality means that data or
information is not made available or disclosed to unauthorized persons or processes.
Integrity means that data or information has not been altered or destroyed in an
unauthorized manner. Availability means that data or information is accessible and
usable upon demand only by an authorized person.
For more details about the HIPAA Security Rule, refer to the Code of Federal Regulation[7].
The HIPAA Security Rule requires administrative, technical and physical safeguards to
protect the privacy of PHI. These three types of safeguards must:
protect PHI from any unauthorized use or disclosure in computer systems and
work areas.
limit accidental disclosures (such as discussions in waiting areas or hallways).
include specific practices and procedures such as encryption, document
shredding, locked offices and storage areas, use of secure passwords and use of
access codes.
The administrative, technical and physical safeguards required by the HIPAA Security
Rule require local CASA programs to put in place certain policies and technical solutions
described below.
By implementing these safeguards and following the related policies and procedures,
programs will be able to greatly reduce the risk that confidential information will be lost,
stolen or misused.
Malicious Software
Malicious software, or “malware”, comes in many forms: viruses, worms, spyware and spam. All of these various types of malware are dangerous for different reasons.
Implementing specific technical safeguards will help to protect programs, volunteers
and the children we serve.
[7] http://www.ecfr.gov/cgi-bin/text-idx?SID=7df19c2fbf329170fee0772e5dd82331&mc=true&node=pt45.1.164&rgn=div5#sp45.1.164.c
Viruses, Worms and Spyware
Computer viruses can modify how your computer operates and can even destroy data.
Worms are malicious software programs that, once installed (by a virus, for example),
can run without any action or knowledge of the user. Spyware is software that is
secretly installed on a computer which can monitor user activity and share information
without the user’s knowledge.
Malicious websites can infect your computer with any or all of these various types of
malware. This is ONE reason why personal browsing on a work computer is not
recommended.
Spam and Phishing
Spam is any form of unsolicited or junk email. It usually comes in the form of bulk advertising and may contain viruses, spyware or scams (remember the “Nigerian prince” scam?).
Phishing attacks are especially dangerous because they are often clever attempts to
convince the user to reveal sensitive information, such as a password or bank account
number.
As a general rule, you should NEVER disclose passwords, social security numbers, or any other confidential information via email. And if you’re even the least bit suspicious of the source of an email, do not open it or click on any links. When in doubt, don’t click!
According to a 2012 study[8] by the Canadian government, phishing attacks affect an average of 80,000 people worldwide EVERY SINGLE DAY.
According to a 2015 Verizon study[9], “23 percent of recipients open phishing messages, and 11 percent open attachments. Is that not crazy? One in 10 people opens an attachment when they have no idea what they’re opening.”
[8] http://cacm.acm.org/magazines/2012/1/144811-the-state-of-phishing-attacks/fulltext
[9] http://news.verizonenterprise.com/2015/04/2015-data-breach-report-info/
Safe Web Browsing Habits
Safe browsing habits on the Internet can help reduce the possibility of infection by
malware.
Local programs, as well as all individual staff members and volunteers, should use
antivirus and anti-spyware software and make sure it is regularly updated (with patches
and/or upgrades).
Do not open email or click embedded links from an unknown or untrusted site.
If the computer or mobile device you are using stores any work-related confidential
information, personal use of the Web is not recommended.
Safeguard confidential information – Look for signs of security when providing confidential information (e.g., the web address starts with “https” or a padlock icon is displayed in the status bar).
Keep your Web browser updated and use security settings – Stay current with browser
updates and application updates such as Adobe Flash and Acrobat. Enable browser
security settings to alert you to threats to your computer like popups, spyware, and
malicious cookies.
Use security software – There are a number of free and easily available software
products to protect your computer from malware, spyware, and virus threats. Talk to
your IT support personnel to find out which software best fits your needs.
Safe downloading and streaming – When in doubt just don’t do it! If a download looks too good to be true, it might be malware. Downloaded files like software or other media
can contain hidden malware. Streaming media websites might seem harmless, but
watching or listening to streaming media may require downloading a special media
player that may contain malware.
Encryption
One of the most reliable ways to protect confidential information is to make it impossible to read for those who are not authorized to do so. This is what encryption does. Once a message or document is encrypted, only those with the ‘key’ are able to decrypt it and read it. Without that key, it’s a jumbled mess of symbols and characters.
Any time that confidential information is stored on any end-user electronic device
(laptop, USB, tablet, smartphone, external hard drive, desktop computer, etc.), that
device MUST use encryption software (FIPS 140-2 encryption or better).
Also, any time that confidential information is transmitted via email, that email MUST
be encrypted.
Mobile Devices
Over the course of the last few years, mobile devices such as tablets, laptops and
smartphones have become ever more common and necessary in our day-to-day lives,
both at work and at home. However, because they go with us everywhere we go, these
devices can pose as much if not more of a risk to confidential information than other
types of devices do.
As much as possible, confidential information should not be viewed, stored or
transmitted on mobile devices such as laptops, tablets or smartphones. If such devices
are used, volunteers and staff members must do the following to protect confidential
information:
Use strong power-on passwords
Enable automatic log-off
Lock the display screen after a set period of inactivity
Encrypt the device
Never leave devices unattended
Immediately report loss or theft
Remember, for mobile devices, encryption is the best defense!
Passwords
Often, security breaches can come from within an organization and many of these
breaches are caused by bad password habits.
Use Strong Passwords – passwords must be at least 8 characters long and contain upper-case letters, lower-case letters, numbers and special characters.
Change Passwords Frequently – passwords must be changed at least every 90 days;
among other things, this is to make it harder for hackers using automated tools to guess
your password.
Never Share Your Password -- In your personal life, there might be plenty of good
reasons to share passwords with people. HBO even recommends it! But in your role as a
CASA volunteer or staff member, you should never divulge your password to anyone.
Don’t Write Down Your Password – Use secure, encrypted password management
software such as LastPass or Dashlane.
With the growing trend for websites and services to require visitors to create new user
IDs and passwords to access the site, people are finding it difficult to safely manage a
large number of accounts. One solution is to use a “password vault,” which provides an easy method to store all of one’s passwords in an encrypted format.
More information about password managers: http://lifehacker.com/5529133/five-best-password-managers
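The composition rule (at least 8 characters, upper- and lower-case letters, numbers and special characters) and the 90-day rotation rule above can be turned into an automatic check that an account review or a self-service password form can run. The Python below is an added example, not code from the Texas CASA companion or from any CASA system: the thresholds are the ones stated above, the function names are our own, and the three constructed sample passwords are not real credentials.

```python
import string
from datetime import date
from typing import List, Tuple

MIN_LENGTH = 8      # "at least 8 characters"
MAX_AGE_DAYS = 90   # "changed at least every 90 days"


def password_policy_violations(password: str) -> List[str]:
    """Return the composition rules the password fails; an empty list means it passes.

    Only the list of failed rules should ever be logged or shown, never the password.
    """
    problems: List[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    return problems


def password_change_due(last_changed: date, today: date,
                        max_age_days: int = MAX_AGE_DAYS) -> bool:
    """True once a password has been in use for max_age_days or longer."""
    return (today - last_changed).days >= max_age_days


def account_status(password: str, last_changed: date, today: date) -> str:
    """Combine both rules into one verdict for an account review."""
    problems = password_policy_violations(password)
    if problems:
        return "weak: " + ", ".join(problems)
    if password_change_due(last_changed, today):
        return "expired: change required"
    return "ok"


def run_review() -> List[Tuple[str, str]]:
    """Review three constructed (fictional) accounts as of 31 March 2016."""
    review_day = date(2016, 3, 31)
    accounts = [
        ("password", date(2016, 1, 1)),     # fails three composition rules
        ("Password1!", date(2016, 1, 1)),   # passes composition, but 90 days old
        ("Password1!", date(2016, 2, 1)),   # passes composition, 59 days old
    ]
    return [(pw, account_status(pw, changed, review_day)) for pw, changed in accounts]


if __name__ == "__main__":
    for pw, status in run_review():
        print(f"{pw!r:14s} {status}")
```

Note that "Password1!" satisfies every composition rule and is still a guessable pattern that appears in common password lists; the rules set a floor, not a ceiling. That is the reason the companion also points to a password manager, which generates long random passwords that need no memorising.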
Other Technical Safeguards
Copiers: erase all data from hard drives.
Faxes: confirm authorization instructions; verify telephone numbers before faxing;
when possible, use pre-programmed numbers.
Devices: encrypt; enable and use password protection.
Printers: Printers (and copiers) used for printing of confidential information should be in
secure, non-public locations. If the equipment is in a public location, the information
being printed or copied is required to be strictly monitored. Printed versions of
confidential information must not be left unattended and open to compromise.
Confidential information printed to a shared printer should be promptly removed.
Never, EVER, disclose confidential information through social media (Facebook, Twitter, etc.).
Remote Access
All computers and mobile devices used to connect to a local program’s networks or electronic systems from home or other off-site locations should meet the same
minimum security standards that apply to work computers.
At a minimum, you should:
Make use of a Virtual Private Network (VPN) at home or off-site, AND transmit
confidential information only to locations within the network. Otherwise,
sensitive, confidential data must be encrypted.
Run Windows Update or the update feature of the particular operating system
that you are using. Don’t forget to also update your applications (e.g., QuickTime, RealPlayer, and your preferred Web browser).
Keep virus definitions current by using the antivirus software recommended and
supported by your program.
A University of Rochester Medical Center physician misplaced an unencrypted
USB drive containing PHI of 537 patients, including demographic identifiers as
well as diagnostic information. Because of this negligence, the Medical Center
must notify all of the individuals affected by this breach, the attorney general,
and HHS, triggering the possibility of further investigation and large fines.
Whenever possible, avoid using external storage devices to store confidential information. If
you must use such devices, including “thumb” or “flash” drives, use encryption, and adhere to the following:
Use portable storage media only for transporting information, and not to
permanently store information.
Once you’ve used the information, erase it from the device. Consider attaching your memory stick to your key ring -- you are less likely to lose
your keys.
Volunteer and Staff Responsibilities
Avoid storing confidential information on mobile devices and portable media; if you must, use encryption.
Always keep portable devices physically secure to prevent theft and unauthorized
access.
Access information only as necessary for your authorized job responsibilities.
Keep your passwords confidential.
Comply with the Security and Privacy policies of your local program, Texas CASA, HHSC,
HIPAA, etc. (for details, refer to the list of laws and regulations in Appendix A).
Report promptly to your supervisor and your program’s Privacy or Security Official the loss or misuse of devices storing confidential information.
Disposal of Data
Confidential information should NEVER be placed in the regular trash.
Volunteers and staff members must observe the following procedures for the disposal
of confidential information:
Hard copy materials such as paper must be shredded, burned, pulverized or
otherwise made completely unreadable and indecipherable.
Magnetic media such as diskettes or hard drives must be physically destroyed or “wiped” using approved software and procedures.
CD-ROM discs must be rendered unreadable by shredding, breaking or defacing the recording surface.
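To make concrete what “wiping” a file means in the magnetic-media item above, here is an added Python example; it is not an approved Texas CASA or HHSC tool, and the function names and the fictional case-notes file are constructed for the illustration. It overwrites a file in place with random bytes, forces each pass to the disk, confirms the content actually changed, and only then deletes the file. Overwriting in place is meaningful mainly on conventional magnetic disks: on SSDs, on copy-on-write or journaling file systems, and on cloud or synced storage the old blocks can survive, which is why the companion points to approved software and procedures, and to physical destruction, rather than to a script.

```python
import hashlib
import os
import tempfile


def _digest(path: str) -> str:
    """SHA-256 of the file's current contents, used to prove the overwrite happened."""
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def overwrite_and_delete(path: str, passes: int = 3) -> bool:
    """Overwrite the file with random bytes `passes` times, fsync each pass, then unlink it.

    Returns True only if the content changed before deletion and the file is gone.
    """
    size = os.path.getsize(path)
    before = _digest(path)
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            fh.write(os.urandom(size))   # same length: the file neither shrinks nor grows
            fh.flush()
            os.fsync(fh.fileno())        # push this pass out of the OS cache to the device
    # An empty file has nothing to overwrite; treat it as trivially wiped.
    changed = size == 0 or _digest(path) != before
    os.remove(path)
    return changed and not os.path.exists(path)


def demo() -> bool:
    """Create a constructed file of fictional case notes in a temp dir, then wipe it."""
    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "wb") as fh:
        fh.write(b"Fictional case notes: family name Doe, SSN 123-45-6789, DOB 03/14/2010\n")
    return overwrite_and_delete(path)


if __name__ == "__main__":
    print("wiped:", demo())
```

Because `os.remove` alone only unlinks the directory entry and leaves the data blocks intact until they are reused, the overwrite step is what separates “wiped” from merely “deleted”; full-disk encryption from day one, as the companion requires for end-user devices, is what makes disposal safe when overwriting cannot be trusted.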
At a large, state university…
On several occasions sensitive materials were left in file cabinets or office
desks that were turned in to the university surplus department. The surplus
staff found the sensitive materials and returned them to the Compliance Office
before anyone picked up the furniture. If any of that furniture had been sold to
the public before the sensitive materials were found, it would’ve been difficult and costly for the university to retrieve the materials and manage the breach.
Physical Security
In addition to the technical safeguards described above, certain procedures must be
followed to protect the physical security of confidential information and any electronic
systems where it is stored.
Equipment such as PCs, servers, mainframes, fax machines, and copiers must be
physically protected. Ideally, they should be kept behind locked doors with access
limited to only those with a pre-determined, work-related purpose for using them.
Computer screens, copiers, and fax machines must be placed so that they cannot
be accessed or viewed by unauthorized individuals.
Computers must use password-protected screen savers.
PCs that are used in open areas must be protected against theft or unauthorized
access.
Servers must be in a secure area where physical access is controlled.
Disciplinary Actions
Volunteers and staff members who violate privacy or information security policies will
be subject to appropriate disciplinary action as outlined in each local program’s personnel policies, as well as subject to possible criminal or civil penalties under state
and federal law.
General Penalties for Failure to Comply
According to section 1177 of the Social Security Act, failure to comply with the requirements and standards found in HIPAA can carry a broad range of civil penalties depending on the nature of the violation.
Additionally, civil penalties for willful neglect are increased under the HIPAA HITECH Act. These penalties can extend up to $250,000, with repeat/uncorrected violations extending up to $1.5 million.
Security Review
Change your password(s) frequently and keep them confidential.
Keep notes, files and mobile devices in a secure place and be careful not to leave them unattended, anywhere.
If storing or transmitting confidential information on a mobile device, use encryption.
Follow appropriate disposal procedures, such as document shredding.
Do not include confidential information in emails.
Do not open emails or attachments from unknown or untrusted sources.
Keep anti-malware and other software up to date.
Breaches of Information
Breaches of information privacy and security may result in both civil and criminal penalties, as well as employee or volunteer sanctions.
A breach occurs when information that, by law, must be protected is:
lost, stolen or improperly disposed of (i.e., the paper or device upon which the information is recorded cannot be accounted for);
“hacked” into by people or mechanized programs that are not authorized to have access (e.g., the system in which the information is located is compromised through a “worm”); or
communicated or sent to others who have no official need to receive it (e.g., gossip about information learned from a case file).
For more details about the HIPAA Breach Notification Rules, refer to the Code of Federal Regulations (footnote 10).
Reporting Breaches
Volunteers or staff members who witness or suspect a privacy or security breach should report it to their supervisor and to their program’s Privacy and Security Official.
Volunteers, staff and board members, or contractors may not threaten or take any retaliatory action against any individual for exercising his or her rights under HIPAA or for filing a HIPAA report or complaint, including notifying of a privacy or security breach.
Penalties for Breaches
Breaches of the HIPAA Privacy and Security Rules have serious ramifications for all involved and may include both civil and criminal penalties. Statutory and regulatory penalties for breaches may include:
Civil Penalties: $50,000 per incident, up to $1.5 million per incident for violations that are not corrected, per calendar year
Criminal Penalties: $50,000 to $250,000 in fines and up to 10 years in prison
10 http://www.ecfr.gov/cgi-bin/text-idx?SID=7df19c2fbf329170fee0772e5dd82331&mc=true&node=pt45.1.164&rgn=div5#sp45.1.164.d
Texas law requires that CASA programs notify potentially affected individuals of information breaches involving their Social Security numbers and other personal identifying information. HIPAA requires that programs notify individuals of any breaches involving their unsecured PHI.
According to Subchapter D of the Texas Identity Theft Enforcement and Protection Act (footnote 11), “a person who fails to take reasonable action to comply with section 521.053” can be fined by the state up to $250,000.
Breach Notification Requirements
Any impermissible use or disclosure that compromises PHI or other sensitive, confidential information (such as a lost or stolen laptop) may trigger breach notification requirements. Depending upon the results of a risk analysis of the impermissible use or disclosure, breach notification may have to be made to:
Texas CASA
the Department of Health and Human Services
all individuals whose information was breached or disclosed
the media
Letters of explanation describing the circumstances, including responsible parties, may have to be sent. A breach can significantly impact both the economic and human resources of the affected program. The estimated average cost per compromised record in a data breach can exceed $200. Needless to say, a breach has great potential to harm the reputation of the program, as well.
Each local CASA program in Texas is required to maintain its own policies and procedures regarding breach notifications and how to handle them. It is recommended that these policies and procedures be included in the program’s crisis communication plan.
If you have questions, contact your program’s Privacy and Security Official.
11 http://www.statutes.legis.state.tx.us/Docs/BC/htm/BC.521.htm
Glossary
Authorized User means a person:
(1) Who is authorized (by a local CASA program) to create, receive, maintain, have access to, process, view, handle, examine, interpret, or analyze confidential information;
(2) For whom a local CASA program warrants and represents has a demonstrable need to create, receive, maintain, use, disclose or have access to the confidential information; and
(3) Who has agreed in writing to be bound by the disclosure and use limitations pertaining to the confidential information as required by the local CASA program, Texas CASA and HHSC.
Business associate
Texas CASA and all local CASA programs in Texas are considered “business associates” of HHSC and the U.S. Dept. of HHS.
Under the HIPAA Omnibus Rule, a Business Associate is directly liable for compliance with HIPAA Privacy and Security requirements and must:
enter into a Business Associate Agreement (called a BAA) with the covered entity (HHSC)
use appropriate safeguards to prevent the unpermitted access, use or disclosure of PHI
obtain assurances from subcontractors that appropriate safeguards are in place to prevent the access, use or disclosure of PHI
notify the covered entity of any breach of unsecured PHI for which the Business Associate was responsible upon discovery
ensure its employees and/or those of its subcontractors receive HIPAA training
protect PHI to the same degree as a covered entity
Confidential Information means:
any communication or record (whether oral, written, electronically stored or transmitted, or in any other form) that consists of or includes any or all of the following:
(1) Client Information;
(2) Protected Health Information in any form including, without limitation, Electronic Protected Health Information or Unsecured Protected Health Information;
(3) Sensitive Personal Information defined by Texas Business and Commerce Code Ch. 521;
(4) Federal Tax Information;
(5) Personally Identifiable Information;
(6) Social Security Administration Data, including, without limitation, Medicaid information;
(7) All privileged work product;
(8) All information designated as confidential under the constitution and laws of the State of Texas and of the United States, including the Texas
Health information means:
any information, including genetic information, whether oral or recorded in any form or
medium, that: (1) Is created or received by a health care provider, health plan, public
health authority, employer, life insurer, school or university, or health care
clearinghouse; and (2) Relates to the past, present, or future physical or mental health
or condition of an individual; the provision of health care to an individual; or the past,
present, or future payment for the provision of health care to an individual.
Individually identifiable health information is:
information that is a subset of health information, including demographic information
collected from an individual, and: (1) Is created or received by a health care provider,
health plan, employer, or health care clearinghouse; and (2) Relates to the past,
present, or future physical or mental health or condition of an individual; the provision
of health care to an individual; or the past, present, or future payment for the provision
of health care to an individual; and (i) That identifies the individual; or (ii) With respect
to which there is a reasonable basis to believe the information can be used to identify
the individual.
Protected health information means:
individually identifiable health information: (1) Except as provided in paragraph (2) of
this definition, that is: (i) Transmitted by electronic media; (ii) Maintained in electronic
media; or (iii) Transmitted or maintained in any other form or medium. (2) Protected
health information excludes individually identifiable health information: (i) In education
records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C.
1232g; (ii) In records described at 20 U.S.C. 1232g(a)(4)(B)(iv); (iii) In employment
records held by a covered entity in its role as employer; and (iv) Regarding a person who
has been deceased for more than 50 years.
Workforce means:
employees, volunteers, trainees, and other persons whose conduct, in the performance
of work for a covered entity or business associate, is under the direct control of such
covered entity or business associate, whether or not they are paid by the covered entity
or business associate.
Appendix A: Relevant State and Federal Laws
1. Health Insurance Portability and Accountability Act of 1996 (45 CFR Parts 160 – 164)
More information about HIPAA is available on the U.S. Dept. of Health and Human
Services website.
The HIPAA Privacy Rule provides federal protections for individually identifiable
health information held by covered entities and their business associates and gives
patients an array of rights with respect to that information.
The Security Rule specifies a series of administrative, physical, and technical
safeguards for covered entities and their business associates to use to assure the
confidentiality, integrity, and availability of electronic protected health information.
2. HIPAA HITECH Act
The Health Information Technology for Economic and Clinical Health (HITECH) Act,
enacted as part of the American Recovery and Reinvestment Act of 2009 promotes
the adoption and meaningful use of health information technology. Subtitle D of the
HITECH Act addresses the privacy and security concerns associated with the
electronic transmission of health information, in part, through several provisions
that strengthen the civil and criminal enforcement of the HIPAA rules.
3. HIPAA Omnibus Rule
HHS’ Office for Civil Rights announced this final rule that implements a number of provisions of the HITECH Act, enacted as part of the American Recovery and Reinvestment Act of 2009, to strengthen the privacy and security protections for health information established under HIPAA.
4. The Social Security Act
Among other things, this act establishes the minimum and maximum fines which can
be levied by the federal government related to breaches of confidential information.
5. The Privacy Act of 1974
The Privacy Act protects records that can be retrieved from a system of records by
personal identifiers such as a name, social security number, or other identifying
number or symbol.
6. Internal Revenue Code, Title 26 of the United States Code, and Publication 1075
This publication provides safeguards for protecting federal tax returns and return
information.
7. OMB Memorandum 07-18
8. Texas Health and Safety Code
9. Texas Medical Records Privacy Act
This act is broader in scope than HIPAA because it applies not only to health care
providers, health plans and other entities that process health insurance claims but
also to any individual, business, or organization that obtains, stores, or possesses PHI
as well as their agents, employees and contractors if they create, receive, obtain,
use or transmit PHI.
10. Texas Public Information Act
Formerly known as the Open Records Act, this Act provides a mechanism for citizens
to inspect or copy government records. It also provides for instances in which
governmental bodies wish to, or are required by law to, withhold government
records from the public.
11. Texas Government Code, Ch. 552 and section 2054.1125
12. Texas Business and Commerce Code Ch. 521 - The Identity Theft Enforcement and
Protection Act
13. Title 1, Part 10, Chapter 202, Subchapter B, Texas Administrative Code
14. Federal Information Security Management Act of 2002 (FISMA)
15. National Institute of Standards and Technology (NIST) Special Publication 800-66,
800-53, 800-53A, 800-47, 800-88, 800-111
NIST is a federal agency that sets computer security standards for the federal
government and publishes reports on topics related to IT security.