Julia Huddleston, CIPP | US, CIPM, CCSFP
What happens now that US organizations that thought they were off the GDPR hook are very much on it.
At first glance, the GDPR seemed straightforward. Are you in the EU? Do you employ or do business with anyone in the EU? No? Then you're all good on personal data privacy. Except that a one-time, at-a-glance, high-level assessment won't hold up. Blame the GDPR's broad definition of personal data, and realize that Europeans guard their personal data privacy far more closely than Americans do, at a very granular level. Where US rules focus on health or financial information, or minors' personal information, the GDPR goes far deeper.
Examples of GDPR-defined personal data
- Work email address
- Political party
- Religious beliefs
- Racial or ethnic information
GDPR defines “personal data” as:
Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
There are also two important functional roles defined under the GDPR: the Data Controller and the Data Processor. The data controller is the entity that determines why and how personal data is processed and typically collects it, such as a health plan collecting member data or a bank collecting customer data. A data processor is any party that processes data on behalf of the controller, such as a company providing third-party software or a platform that stores the data. In HIPAA terms the controller roughly maps to the covered entity and the processor to the business associate, but the obligations the GDPR attaches to each role are different.
So how does a US organization, particularly one that already adheres to strict compliance standards, deal with the GDPR? A company that has attained HITRUST certification or a SOC 2 report likely feels fairly confident about meeting the GDPR's requirements. Unfortunately, one does not equal the other: those frameworks assess security controls, while the GDPR also imposes lawful-basis, individual-rights and cross-border transfer obligations that no security certification covers.
6 Actions You Can Take to Support GDPR Compliance
- Be sure that your Security Risk Analysis encompasses all "personal data" as defined under the GDPR, not just PHI and PII. Remember that location data and online identifiers count, too. If you're a data controller, you'll also need to conduct Data Protection Impact Assessments for processing that is likely to pose a high risk to individuals, such as large-scale processing of health data.
- If you're a processor, check that the data controller has approved what you do with its data, including any sub-processors you use. Under the GDPR, personal data may only be processed on documented instructions from the controller. That means a use that is permitted for a Business Associate under HIPAA, such as using PHI for the associate's own management and administration, is not automatically permitted once the data is "personal data" under the GDPR.
- Appoint your EU-based representative (required for most organizations outside the EU that are subject to the GDPR) and determine whether you must designate a Data Protection Officer. A DPO is mandatory when your core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories such as health data, which covers many healthcare organizations. The DPO's contact details must be published and communicated to the relevant EU supervisory authority (data protection authority).
- Be sure you're authorized to transfer personal data of EU "natural persons" out of the EU. Every transfer needs a recognized transfer mechanism (such as standard contractual clauses), and your contract with the controller should document that the transfer is necessary and authorized.
- Modify your security incident response plan to include the GDPR breach notification rules. Under the GDPR, data controllers must notify the competent EU Data Protection Authority without undue delay and, where feasible, within 72 hours of becoming aware of a breach (unless the breach is unlikely to result in a risk to individuals), and processors must notify their controller without undue delay. Be sure to test your ability to meet that clock, for example with a tabletop exercise that times breach triage, decision and notification.
- Prominently display your privacy practices and the privacy rights of individuals to conform with the GDPR. Individual rights include access to the data collected, the ability to correct it, the ability to restrict or object to its processing, the right to receive a portable copy, and the right to require that you erase the personal data.
Under the GDPR, US companies that discover from their data inventory that they offer goods or services to, or monitor the behavior of, people located in the EU (regardless of citizenship) must comply with its requirements. The cost of non-compliance is huge: administrative fines of up to 20,000,000 EUR or 4% of worldwide annual turnover, whichever is higher. For US healthcare organizations that still struggle to meet HIPAA requirements more than two decades after its enactment, the GDPR may well mean that they simply choose not to do business with EU residents.
Are you contemplating how to comply with the GDPR? Contact Apgar & Associates for a data inventory and risk assessment: 503-384-2538.
The OCR announcement of a $4.3 million penalty against MD Anderson Cancer Center for noncompliance highlights the cost of unmitigated risk. A 2006 security risk analysis showing that a lack of encryption posed a threat to PHI prompted the Center to develop policies for portable device encryption. Smart. But then an OCR breach investigation uncovered that the policy wasn't actually implemented for years. Not smart.
Loss of USB devices and a stolen laptop exposed the disconnect between the stated policy and its actual application. What could they have done differently? Followed through on their stated policies. Would a demonstrable attempt at PHI protection by alternate means, even though encryption wasn't implemented, have helped? Perhaps. It's hard to know.
What likely didn't help the Center was its 2011 internal Information Security Program report, which stated that the risk of ePHI on mobile devices and other portable storage devices was not yet mitigated: a written acknowledgement of failure to enforce its own policies. The USB device loss and the laptop theft happened in 2012 and 2013. In light of that, it's fortunate for MD Anderson that OCR sought penalties under Tier 2 (reasonable cause) rather than Tier 3 (willful neglect), if only from the point of view of (somewhat) preserving its reputation.
In light of the cost of "over-promising and under-delivering," now is the ideal time to schedule a compliance assessment of your policies and procedures. Are you carrying an unmitigated risk? Are your policies realistic? Are they being practiced? Can you prove it?
4 Tips for Policy Follow-Through
- Tie your policies and procedures back to your actual business workflow and processes. Implementing a technical enforcement mechanism such as encryption gives policies "teeth": a lost unencrypted drive is a reportable breach, while a lost drive encrypted per HHS guidance generally is not.
- Make sure you’re following the rules. Policies and practices need to align with the regulations you’re required to follow.
- Be realistic when drafting policies and procedures. "Audits will occur at weekly intervals" may not be achievable if you're already overstretched, and a policy you don't meet is worse than a modest one you actually follow. (See #1)
- Maintain proof of policy enactment. Document, and be able to demonstrate, that you act on all of your policies. For example, that proof could include the date a policy took effect, the evidence produced each time it was applied, any internal finding that required correction, and documentation of how it was corrected.
Your policies and procedures are essentially marching orders for your staff. Be sure they are clear and accurate so you can not only enforce them but also document that you've done so. Then, when a breach happens and OCR comes in, you're better positioned.
Apgar & Associates helps you discover privacy and security vulnerabilities so you can manage risks before a breach occurs. Contact us to schedule your assessment today: 503-384-2583.
From digital startups to financial firms, the need to demonstrate information security, not only to investors but also to board members and potential business partners, is now widespread. As privacy and security consultants who also prep companies for certification, we're seeing how the demand for privacy and security compliance, long a fact of life for healthcare, now stretches across industries.
Take this example. An online company selling a product that's gained rapid popularity attracts the attention of a multinational. It's a dream scenario for a startup: a great, proven concept that attracts the best possible outcome, a well-heeled investor. Then a painful reality sets in during due diligence.
The straightforward request of "Let's start with a review of your policies and procedures" has everyone scrambling. Why? Because they don't exist, at least not in the format and detail that a true commitment to privacy and information security calls for.
A high-dollar investment from an established global entity comes with requirements that a digital startup likely didn't include in its gotta-get-launched-yesterday operational plan, especially when the investor expects alignment with the standard its own organization adheres to, such as ISO 27001.
Digital startups are one thing, but what about established businesses? Maybe there are industry-related policies and procedures in place, but the type of business never called for compliance with a particular set of security standards. Now there's an opportunity to expand into government work. To play in the big sandbox, you need not only an information security program, but one that adheres to the NIST Cybersecurity Framework, updated to version 1.1 in April 2018. That's a big leap.
There are common denominators for most certifications and regulatory needs. You may be asked to achieve ISO 27001 certification or HITRUST. Or you may need to choose the best assessor for your SOC 2 report. Almost certainly, no matter your business, you'll need a security risk analysis.
Start with the fundamentals. Nearly every state has a breach notification law, and many states also require reasonable security measures for personal information. If not a specific program, then at minimum you need to be able to demonstrate administrative, technical and physical safeguards for sensitive data, whether that's PHI or client financial information. Once you take care of the basics, your business will be ready for the next great opportunity and able to meet investor demands.
Work with a team that knows how to map your path to certifications and regulatory standards regardless of industry. Apgar & Associates’ certification readiness preps you for HITRUST, ISO and more. Call us today to get started: 503-384-2538.
Well, the royal family's security could be compromised, for one. If you missed it, Heathrow Airport, one of the busiest airports in the world and Britain's largest, is scrambling to understand how a memory stick (aka thumb drive) with extremely sensitive information ended up on a busy west London street. The documents on the unencrypted drive detailed airport security measures and plans, including the routes typically used by the Queen to and from the airport.
The documents were all marked "confidential" or "restricted." Yet the thumb drive had no encryption and was just lying on the street, available for anyone to pick up and read. The scariest part? This could happen to anyone, to any business, at any time.
How do you prevent this type of blatant risk to sensitive information? Ask yourself the following about your security and privacy policies and procedures:
- What have we done, or can we do, to ensure our sensitive data isn't compromised like this?
- How well does our own senior leadership follow the same strict security measures as line staff?
- Do we allow sensitive data to be stored, or even temporarily used for transport, on unencrypted drives? Is that enforced by a technical control, or only by a policy?
- Who is allowed to access sensitive data and in what way can they interact with it? Should they even be able to?
Frightening as this event is, it's also far from surprising. Before you decide that portable media is fine for transporting or storing your sensitive data, think twice, then think again. Convenience should not override the need for data protection.
Apgar and Associates' HIPAA privacy, information security, HITECH and regulatory compliance consulting services support the health care industry and the vendors that work with it. The firm also works across industry sectors to help businesses prepare for ISO, SOC 2 and HITRUST certifications.
As CFO and COO of our privacy and security compliance consulting firm, every year I’m on the receiving end of email promotions and pop-up ads for tax preparation software. DIY, guaranteed, “We’ll take the hit for the audit if it happens” software. I have to admit, if privacy and security compliance software were as comprehensive, interactive and penalty-proof, we’d do a lot of thumb twiddling. Thankfully (for us) the apps aren’t there yet.
What makes tax preparation software so workable is that it’s highly interactive and intuitive. You’re told if you made a mistake, or if a deduction is in the wrong place, even if you should itemize vs taking the standard deduction. You’re guided by the hand start-to-finish, with triggers and excellent logic branches throughout.
On the compliance software side, there remains a challenge. That said, Chris and I are very much in favor of automation both to support your compliance program activities, and to provide transparency between you and your business partners. We work with several vendors whose digital apps are solid, supportive and easy to use, from privacy and security task management to documentation management.
The caveat is this: Technology cannot be your compliance program. For example:
- You can document that you're on task, but you also need to be able to demonstrate that you've completed the actions you checked off.
- You can establish a password protocol, but how do you know it's a good password protocol? A checkbox that says the policy exists says nothing about whether the policy is sound.
- You can assure an auditor that you know who has access to what, but where is the audit trail to back it up and ensure that access is appropriate?
- And most importantly, you can firmly believe that you've completed a security risk analysis for Meaningful Use, but your online risk assessment is not the HIPAA Security Risk Analysis the auditors want to see.
If you still aren't convinced, answer this question honestly: "Are you ready for Phase 2 HIPAA Audits?" Because until privacy and security technology can make the leap to intuitive hand-holding through the myriad compliance requirements, the best path to compliance remains a combination of supportive automation and old-fashioned, subjective, ongoing people work. Who knows, maybe the ideal technology will arrive just in time for my retirement. A consultant can dream.
Julia Huddleston, CIPP/CIPM, is CFO/COO of Apgar & Associates and a Certified Information Privacy Manager as well as a Certified Information Privacy Professional. She works with clients on compliance assessments, security risk analysis and policy and procedure review and implementation. Apgar and Associates can help you with questions and concerns about your privacy and security compliance program at 877-376-1981.
With the HHS / OCR announcing the launch of Phase 2 of the HIPAA Audits, it’s a good time to re-evaluate your audit risk. Now, I realize that many practices and healthcare vendors are operating with tight resources, so it may seem worth it to play the odds.
After all, when you take into account the sheer number of covered entities and business associates, aren't you at a relatively low risk for an OCR HIPAA audit? Yes. But unfortunately, there are several far-too-common instances where those odds can unexpectedly turn against you:
After a breach report.
You have a privacy breach when someone accidentally contacts the wrong patient and leaves a voicemail about another patient's test results. You must report the breach. Now you're on OCR's radar.
After a complaint call.
A patient (or anonymous consumer) complains to OCR about your privacy practices because when sitting next to you on the commuter train they could clearly see patient information on your laptop screen.
After a whistleblower report.
A former (disgruntled) employee complains to OCR about your information security: no workstation lockdown, people sharing passwords, information left openly on desks.
Putting together a tight privacy and security compliance program takes time and resources, it's true. But when you're weighing the odds, remember the simple, longstanding fact that privacy and security compliance is the law. Why take the risk?
Apgar and Associates can help you prepare for OCR HIPAA Audits. Contact us for more information, or with questions and concerns about your program at 877-376-1981. Apgar and Associates is also the home of the compliance consulting subscription program for qualifying organizations.
When State law requirements are tougher than HIPAA, it's likely that the State law is the one you need to follow.
When does it not? When the State law is "contrary" to HIPAA (it is impossible to comply with both, or the State law stands as an obstacle to HIPAA's purposes) and is not more stringent. In that case HIPAA preempts the State law, unless HHS grants an exception determination. A State may request such an exception, but it's rare for one to be granted. Generally, the federal law preempts the States when it comes to HIPAA privacy and security requirements.
As a general rule, if your State's law around privacy and security requirements is more stringent than the federal regulations, you need to toe the line accordingly. So if the State law gives even greater individual rights and calls for greater protections around PHI than the federal codes do? You're better off erring on the side of the State than protesting, "But the federal law says..."
The toughest part of the whole does-it-or-doesn't-it question may actually be interpreting the lingo of what's "contrary" and what's "more stringent"!
Julia Huddleston, CIPP/CIPM, works with Apgar & Associates clients on compliance assessments, security risk analysis and policy and procedure review and implementation. She also oversees and directs Apgar & Associates’ day-to-day business functions, including finance, operations and marketing.
Everyone has an opinion about whether or not Tim Cook, CEO of Apple, Inc., should cave to the federal government's demand that Apple build software to bypass the passcode protections on the iPhone used by the San Bernardino shooter. No one likes the idea of terrorists living next door. We would all like to know what deep secrets and clues are on that personal mobile device. But...
The bigger picture, beyond the fact that it would ultimately undermine everything we love about our Apple products, is where the responsibility lies for the mobile device and its use. The iPhone in question belongs to the county. It's an employer-owned phone.
If I were to break out my crystal ball on this matter, I'd say: employers, be prepared for more scrutiny from your regulators, particularly if the matter goes to Congressional hearings, as it looks like it will. Think about how, for instance, our financial infrastructure is designated by Homeland Security as a vitally critical part of US infrastructure, much like utilities.
Should mobile devices, particularly employer-owned mobile devices, be swept into such an expanded definition, guess what? Employers will be looking at one more regulation directing what must be done if you allow mobile device use in the workplace. Even without a new regulation, an employer that issues phones should enroll them in mobile device management before handing them out, so it can set passcode policy and retain the ability to unlock or wipe a device it owns without having to ask the manufacturer.
Personally, I love my iPhone and iPad. I was an early adopter. As a privacy and security wonk, I derive great satisfaction from the stonewall that Apple provides as a matter of course in all their products. So I’m not interested in having the integrity of that system compromised. I don’t like the idea of “GovtOS” that can crack my phone. You probably don’t either. And I knew people who never came home on September 11th, so yes, I do think combatting terrorism is serious work.
Big companies' IT infrastructure, with every bell and whistle, encryption and firewall imaginable, comes under attack every day. Part of what we try to do is make attackers really work at it by putting barriers in place and by being careful with our information. A deliberately weakened operating system build is a barrier removed for everyone, not just for one investigation. Let this genie out of the bottle and who knows what might follow.
Julia Huddleston is a Certified Information Privacy Manager as well as a Certified Information Privacy Professional, and works with Apgar & Associates clients on compliance assessments, security risk analysis and policy and procedure review and implementation. She also oversees and directs Apgar & Associates’ day-to-day business functions, including finance, operations and marketing.
When the much-threatened 9.0 quake hits the Pacific Northwest, your first reaction should be, "OMG, we've just had a mega-quake. I want to make sure that my family and friends are safe." That's fine. BUT, if cables and power lines get cut, you want to make sure that your next reaction is not "Yay! Unscheduled days off" but rather "I don't have electricity or phones to run my business. How can I get electricity and phones, somewhere, to run my business?"
In other words, a Business Continuity Plan (BCP) is about planning for the impact of an event on your business and how you can continue to function, or how fast you can recover. Focus on the potential impacts of the disaster and think about reasonable steps to mitigate them. Remember, they could be as minor as phones down for a couple of days or as large as losing your entire building.
There's also a big difference between having a Disaster Recovery Plan (DRP) and having a Business Continuity Plan. Disaster recovery is one component of business continuity. For example, your DRP keeps your data safe at an off-site secondary location several states away. Getting your people, systems and processes back to the point where they can use that data to run your business is the BCP portion of the equation. Rather than data-centered (disaster recovery), a BCP is business-centered. You want to:
- Ensure you can continue to provide services to your customers.
- Have a way to assure your customers that you are still in business, and stable.
- Be able to reassure your vendors and business partners that you’re stable and can deliver services or products, despite delays.
Start with a Business Impact Analysis (BIA) to identify your core, mission-critical functions, to determine the level of impact the loss of those functions could have on your business, and to establish how long each can be down before that impact becomes unacceptable (its recovery time objective). For instance, you'll consider:
- Loss or delay of income.
- Labor costs to re-start, stabilize. Increased expenses.
- Potential fines or penalties due to regulations or service level agreements.
- Loss of customers, or customer satisfaction suffers.
- New business development can’t happen.
To create a BIA, involve managers and other key personnel who have detailed knowledge of your business processes. Ask them what they think the potential impacts to the business would be within their particular areas of responsibility. Your BIA should identify not only the critical resources and business processes needed for business continuity, but also which of those processes take top priority, i.e., which are most critical to resume first.
Call on Apgar & Associates to conduct a BIA for your business. We’ll also help you develop a BCP (with a DRP!): 877-376-1981.
Here in the Northwest, the legislatures of both Oregon and Washington hold their regular sessions during the winter and spring. In their 2015 regular sessions, both amended state laws related to data breach notification, which means your Incident Response Plan (IRP) likely needs updating.
Washington state data breach notification law changes are effective July 24, 2015. Changes include:
- A covered entity that complies with HIPAA Breach Notification Rule requirements is deemed to have also complied with Washington State law.
- New requirements for what must be included in the consumer notice.
- A new requirement that if a single breach affects more than 500 Washington state residents, the attorney general must also be sent an electronic copy of the breach notice by the time consumers receive notice, along with the number of Washington residents affected. This requirement also applies to covered entities that are deemed compliant through HIPAA.
- Notice must be provided to consumers no more than 45 days after discovery of the breach, unless law enforcement requests a delay.
Oregon state data breach notification law changes are effective January 1, 2016.
- The definition of personal information has been expanded to include:
- Biometric information that is used to authenticate identity (like your thumbprint, iPhone users)
- Health insurance policy or subscriber number
- Information about medical history, mental or physical condition or diagnosis or treatment
- There is a new requirement that if a single breach impacts more than 250 Oregon state residents, the attorney general must also be notified.
- If consumer reporting agencies must be notified because the breach impacts more than 1,000 Oregon residents, then any police report number assigned to the breach by law enforcement must be included in the notice.
- A covered entity that complies with HIPAA Breach Notification Rule requirements is deemed to have also complied with Oregon State law as long as the CE sends a copy of the breach notice to the AG.
Business associates: the deemed-compliance provisions above apply to covered entities that comply with the HIPAA Breach Notification Rule. They do not apply to you as a business associate, so you must meet each state's notification requirements directly.
State laws are tricky, and always changing. If you would like help updating your Incident Response Plan (IRP) and data breach notification templates, give Apgar and Associates a call at 877-376-1981.