According to the Hunton & Williams blog:

On October 30, as reported by the Bureau of National Affairs (“BNA”), the Massachusetts Office of Consumer Affairs and Business Regulation stated that final amendments to its information security regulations had been filed with the Massachusetts Secretary of State.  The Standards for the Protection of Personal Information of Residents of the Commonwealth have been the subject of much commentary and a series of amendments as regulators seek to address concerns expressed by businesses over the stringent and specific nature of the regulations.  The most recent round of amendments was announced August 17, 2009.
A final version of the latest amendments has not yet been made public, but the BNA has circulated a copy of what is purported to be the final draft, which includes changes to provisions related to service providers.  First, the definition of “service provider” has been modified to (1) clarify that “any person” who “stores” personal information through the provision of services will fall within the definition’s scope (the term “stores” was not included in the prior version’s definition), and (2) remove the express exclusion of the U.S. Postal Service from the term “service provider.”
The “safe harbor” provision with respect to existing service provider contracts also has been revised.  Pursuant to the regulations, businesses that are subject to the regulations generally must require by contract that third-party service providers implement and maintain appropriate security measures for personal information.  While the previous version of the regulation stated that “any contract a person has entered into with a third party service provider prior to March 1, 2012, shall be deemed in compliance . . . notwithstanding the absence in any such contract of [this requirement], so long as the contract was entered into before March 1, 2010,”  the new version provides that “until March 1, 2012, a contract a person has entered into with a third party service provider to perform services . . . satisfies [this provision] even if the contract does not include a requirement that the third party service provider maintain such appropriate safeguards, as long as said person entered into the contract no later than March 1, 2010.”  The revision clarifies that the deadline for updating service provider contracts entered into prior to March 1, 2010 is March 1, 2012, and any contracts entered into after March 1, 2010 must comply with the regulations upon execution.
I will provide an update as soon as the latest changes to the frequently amended regulations are available.

A 6-year-old Virginia law requires insurers, agents and insurance-supported organizations to design and implement a written policy for ensuring the security and confidentiality of policyholder information.

Officials of the Virginia State Corporation Commission Bureau of Insurance confirmed that it brought an action against a licensed life, health, property-casualty agent in Chesapeake, Va., and her property-casualty insurance company, for failing to properly protect policyholder information.  The action was the first of its kind issued by the state. The agent and the company were cited for six other infractions and fined $1,000 in September.

See more here.

Are you an agent or broker?  Have you looked at your insurance regulations to see if there are privacy compliance provisions in them?

The Joint Standing Committee on the Judiciary in the Maine Legislature will be recommending to the leadership of both houses that the legislature repeal the “Act to Prevent Predatory Marketing Practices Against Minors.”

According to the Committee:

“It is very critical to report that the Judiciary Committee believes that this issue raises a number of important and complex questions in a new and emerging area of privacy law that need to be addressed within the framework of various federal and state constitutional provisions, but there is no adequate way to amend the existing text to resolve those questions.  The Committee believes that the best option would be to recommend that the existing statute be repealed, but that new legislation should move forward to address these concerns with some guiding parameters.  The Committee’s report will list those parameters.”

The Health & Human Services Department today published an interim final rule that strengthens its enforcement of the Health Insurance Portability and Accountability Act (HIPAA) by aligning it with tougher privacy terms of the stimulus law.
“The Department’s implementation of these HITECH Act enforcement provisions will strengthen the HIPAA protections and rights related to an individual’s health information,” said Georgina Verdugo, the director of the HHS Office for Civil Rights (OCR).
Under the previous HIPAA rule, HHS could not fine healthcare organizations more than $100 for each violation and imposed a ceiling of $25,000 for all similar violations of the same provision.
The new rule significantly increases the maximum individual penalty for civil violations of HIPAA.
Under the new rule:
  • The minimum civil penalty is $100 per violation if the covered entity was unaware of it and, by exercising reasonable diligence, would not have known about the violation.
  • The minimum civil penalty is $1,000 per violation for those that were the result of “reasonable cause” involving circumstances that would make it unreasonable for the covered entity to comply.
  • The minimum penalty is $10,000 for violations that result from willful neglect and are subsequently corrected.
  • The minimum penalty is $50,000 for violations that result from willful neglect but are not corrected.
  • The maximum penalty for multiple violations is $1.5 million per calendar year.
The new penalty amounts apply to HIPAA violations occurring on or after Feb. 18.
The law also removes a defense under HIPAA that barred HHS from imposing civil penalties on a so-called “covered entity” that could demonstrate “it did not know that it violated the HIPAA rules,” according to an HHS statement. Now, under the new rule, “A covered entity can no longer bar the imposition of a civil money penalty for an unknown violation unless it corrects the violation within 30 days of discovery.”
The new rule goes into effect November 30, 2009. The Office for Civil Rights is accepting comments on the interim final rule until Dec. 29.

In a late-day press release today (October 30, 2009), the FTC announced that, in response to pressure from Congress, it is further extending the deadline for Red Flags compliance to June 1, 2010.

Also, a U.S. District Court Judge today ruled that lawyers are not bound by the Red Flags Rule. See more.

Delay clock from Studio Bloomm

It is an axiom of organizational compliance – awareness of compulsory policies is the first step (or hurdle) to compliance.  The new Massachusetts data privacy regulations, currently scheduled to have a required compliance date of March 1, 2010 (originally May 1, 2009, then January 1, 2010), are comprehensive, forward-thinking and proactive in nature, but little known by rank-and-file businesses (even here in Massachusetts).

The best-drafted compliance program within an organization isn’t worth the paper it’s written on if no one knows about it.  The same is true for mandatory, prescriptive regulations.  If more outreach isn’t done, the best that could come of these regulations is enforcement once a breach has occurred.  The rules, as written and as intended, are meant to protect Massachusetts residents from exposure — to be proactive.

Lots of chatter – It’s true there is lots of chatter about the new regulations, but by whom?  Me, for one. The folks that are paying attention are either consultants to businesses in areas of compliance and data security, or organizations large enough to have an independent compliance function (or larger organizations still that have dedicated data privacy offices). Most small and mid-sized businesses that have had no prior experience with data privacy issues are not informed.

Most small and mid-sized businesses clueless – When I speak to executive and mid-level managers who need to be informed about the regulations, and about the risks in their business processes which inherently give rise to the need for the regulations, they are clueless: clueless in regard to the magnitude of the risk, their potential exposure, and the fact that the State has promulgated these new rules. Moreover, most are incredulous in the face of the prospect that yes, indeed, this means you.

No effort to educate – Outside of the industries and consultants that already have data privacy infrastructure, there is little evidence that the State has given much thought to awareness. Remember the first axiom of organizational compliance I mentioned. In fact, it is even difficult to navigate the website of the Massachusetts Office of Consumer Affairs and Business Regulation so that you can find the helpful goodies that are posted (deep within). Go ahead and try, and report back to me.

The regulators in Massachusetts need to fix this problem if there is any hope that a prevention model of data privacy regulation can lead to a positive change for the citizens. It does much less good to have a mechanism to punish poor practices than to prescribe and enforce good practices before a data breach occurs.  As they say, it’s much better to close the barn door before the horse is out.

Warning, this post is slightly off-topic (but not entirely).

I was amused (and annoyed – for more reasons than one) when I read a post on the law.com Corporate Counsel Blog entitled ‘Draconian’ Measures: Top Lawyers Give Tips on Watching the Wallet.

WAIT! I wouldn’t use that link, however, because a pop-over advertisement for the AMLAW 100 issue of the American Lawyer publication (not linked on purpose) prevents you from seeing the post.  That is the first reason I was annoyed.  I had to copy and paste the post into my word processor just to read it.  For your convenience, I reproduced it here (without permission, I might add).

The post is about how in-house counsel are using draconian measures to control costs related to outside counsel.  It is draconian, the authors and interviewees suggest, to require alternative billing (away from the billable hour).

First, welcome to this decade.  Those of us who actually have reasonable hourly fees have been offering flexible compensation models for, well, almost -ever.  We have been doing this partly because it makes sense, and partly because we need to differentiate ourselves in order to compete with antiquated notions that big bloated law firms are better equipped to handle corporate outside-counsel work (I admit this may be true for some matters).

Second, and here comes the “awfully stupid” part.  If in-house counsel were truly honest about the work that they farm out, it would be apparent that it’s just plain stupid to hire AMLAW 100 (or 200 or 500 or even 1000) firms to do much of the work.  Much of the outsourced legal work assigned to $500 to $1,000 per hour partners is actually performed by proportionally overpriced, inexperienced associates.

Why not find independent (solo or small firm) practitioners with experience equal to or greater than that of the partners, who will actually do the work themselves, give you great customer service and keep the budget reasonable?  Stop whining and acting elitist (stupid) and move into the next generation of provisioning professional services.

How does this relate to privacy?  Data privacy offices (especially those within general counsel departments) have to hire outside counsel too.

From the Security, Privacy and the Law blog at Foley Hoag:

In Mercier v. Courtyard Nursing Care Center, 2009 WL 1873746 (Mass. Super. Ct. Jun. 11, 2009), a resident of a nursing home sued the home in Massachusetts Superior Court for negligence after being assaulted by another resident.  The injured resident moved to obtain medical records maintained by the home regarding the resident who had allegedly committed the assault.  The home contended that disclosure of the records would violate both HIPAA’s prohibition on disclosure of medical records without a patient’s authorization and Mass. Gen. L. ch. 93A, the Massachusetts unfair and deceptive practices statute.

The court, however, held HIPAA permitted disclosure of medical records “in the course of a judicial proceeding,” including in response to a court order, subpoena or discovery request. The court further observed that, although a Massachusetts regulation states that unauthorized release of a patient’s personal or medical record violates ch. 93A, the regulation contains a specific exception for disclosures “required by law.”

The Czech Republic State Institute for Drug Control has been requiring that pharmacies forward information from 200,000 drug prescriptions a day for the last six months showing who uses what kind of medicine.

A database of tens of millions of prescriptions filled across the country by more than 1,500 pharmacies was even accessible on the internet with a code. It was promptly erased when the personal data protection office revealed the full extent of the problem, and the State Institute for Drug Control has said the information was not compromised.

The collection was a violation of Czech law.  See more here.