BCLP Banking Blog

Many Banks Will Become Subject to HIPAA's Privacy, Security and Breach Provisions Effective February 17, 2010

On February 17, 2010, many banks and financial institutions will, for the first time, become directly subject to the privacy and security provisions of the Health Insurance Portability and Accountability Act (“HIPAA”), and to the enforcement powers of the United States Department of Health and Human Services (“HHS”).  The Health Information Technology for Economic and Clinical Health Act (“HITECH Act”), passed as part of last year’s stimulus bill, extended HIPAA’s privacy and security provisions to business associates of covered entities.  Many banks and financial institutions will fall into this category by virtue of their provision of so-called medical lockboxes or medical banking services to healthcare providers or other covered entities under HIPAA that require them to handle personal health information (“PHI”).

The HITECH Act also established strict reporting requirements, allowed for increased enforcement by HHS and state attorneys general, and provided for enhanced civil and criminal penalties and statutory damages for breaches and disclosures of unprotected PHI.  A separate provision of the HITECH Act addresses entities that offer services to store individuals’ health information online, and places these “vendors” under the regulatory authority of the FTC.  Among other things, the new law’s provisions affecting business associates and covered entities:

  1. Make clear that all privacy and security provisions of HIPAA and its implementing regulations apply to business associates to the same extent as to covered entities;
  2. Require that all Business Associate Agreements (“BAAs”) be amended to incorporate HIPAA’s privacy and security rules;
  3. Impose specific notification requirements in the event of a breach;
  4. Require covered entities to provide notice to affected individuals within 60 days of discovery of a breach. In any case in which 500 or more persons are affected by a breach, the covered entity must provide notices to HHS and to major local media outlets;
  5. Require business associates to notify the covered entity of any breach of confidentiality of PHI acquired from that covered entity;
  6. Subject both covered entities and business associates to enhanced civil penalties, and in some cases criminal penalties, for violation of the security regulations.  Civil penalties range from $100 to $50,000 per violation with maximum yearly penalties of up to $1.5 million.  Yearly maximums apply, however, only for violations of “identical requirement[s] or prohibition[s],” and in theory could be stacked where there are violations of multiple requirements or prohibitions;
  7. Eliminate certain affirmative defenses to civil monetary penalties;
  8. Give state attorneys general new civil enforcement authority to seek injunctions and statutory damages for violations of HIPAA on behalf of citizens of that state. (The first such suit by a state attorney general has reportedly already been filed. According to a report from AHA News Now, on January 20, 2010, the Connecticut Attorney General filed suit against Health Net of Connecticut for failing to secure the PHI of approximately 446,000 plan members.) Significantly, the HITECH Act leaves in effect state laws allowing for enforcement by private attorneys general, opening the door to greater HIPAA scrutiny and enforcement; and
  9. Impose stronger controls on the sale of PHI.

Under regulations announced by HHS on August 24, 2009, and effective February 22, 2010, there is a “risk of harm” threshold that triggers the breach notification provisions.  HHS guidance also indicates that where PHI is properly encrypted as specified by HHS, notification to affected individuals may not be required because such information would not be “unsecured.”

Red Flags Rule Compliance is Delayed to June 1, 2010 in a Last Minute Decision

The FTC announced over the weekend that, at the request of members of Congress, the compliance date for the Red Flags Rule is now delayed to June 1, 2010. This gives companies additional time to prepare their required Red Flags Rule Plans. The FTC has said it will continue to provide guidance on the development and implementation of these Plans, especially for companies that want to voluntarily adopt identity theft protection measures for the benefit of their customers and business reputation. This delay does not affect any other agency oversight or other federal regulations relating to data security and identity theft.

On a related note, a federal court (District of Columbia) issued the first ruling regarding the application of the Red Flags Rule on October 30, 2009. That decision held that the FTC may not apply the Red Flags Rule to attorneys. This case (and any appeals) is independent of the June 1, 2010 delay, but companies should keep an ear out for other decisions that may directly affect their industry.

REMINDER – Red Flags Rule Takes Effect Nov. 1

Barring some last minute legislative/regulatory activity, the FTC will expect companies to be Red Flags Rule compliant as of November 1, 2009. Companies should recognize that there is no “one size fits all” approach to addressing identity theft risks when making a Red Flags Rule Plan. Instead, the FTC expects each company’s plan to be tailored to its own needs and circumstances.

Missouri Joins The Ranks of Notification-Requiring States for Data Breaches

Missouri recently enacted a law that made it the 45th state to adopt data breach notification regulations. The law goes into effect August 28, 2009. Similar to other states’ laws, Missouri’s law applies to any persons and companies that have personal information of a Missouri resident, regardless of size, nature of business or other factors.

What Type of Information is Covered? Missouri’s law defines “personal information” expansively to include:

  • social security numbers;
  • driver’s license numbers or similar unique identification numbers created by a government body;
  • financial account numbers (with a required security code, access code or password which would permit access to the account);
  • credit card or debit card numbers (with a required security code, access code or password which would permit access to the account);
  • unique electronic identifiers or routing codes (with a required security code, access code or password which would permit access to the account);
  • medical information; and
  • health insurance information.

What You Must Do After a Breach. If a breach occurs, you must provide notice to the Missouri resident that a breach has occurred without any unreasonable delay. That notice must include, at minimum:

  1. a description of the incident in general terms;
  2. the type of information that was obtained in the breach;
  3. a contact number for the person or company for further assistance; and
  4. contact information for consumer reporting agencies.
