Jackson Lewis

Data Privacy & Security Developments: HIPAA, "Red Flag," Breach Notification, Applicant Protections

The trend toward increasing obligations for maintaining the privacy and security of certain information continues. As the January 1, 2010, deadline for compliance with Massachusetts data security regulations looms, other legislative and regulatory developments continue to drive businesses to take more aggressive and comprehensive steps toward safeguarding the personal information they maintain. Some key developments should be considered.

HIPAA Enforcement Team Expands and Reorganizes

After years of light enforcement, things may be changing:

  • On August 3, 2009, the Department of Health and Human Services (HHS) announced two open Health Information Privacy Specialist positions for its enforcement team.
  • On the same date, the Office of Civil Rights (OCR) announced that the Secretary of HHS delegated to the Director of OCR the authority to administer and enforce the HIPAA Security Rule. Previously, with respect to HIPAA, OCR was charged solely to administer and enforce the HIPAA Privacy Rule, and the Centers for Medicare and Medicaid Services (CMS) enforced the HIPAA Security Rule. The agency’s stated goal for making the change is to improve its ability to protect individuals’ health information.
  • On August 11, 2009, HHS announced two additional open Senior Health Information Privacy Outreach Specialist positions for its enforcement team.

These developments are consistent with changes to HIPAA under the American Recovery and Reinvestment Act of 2009 (ARRA).  The changes were designed to expand and enhance the ability to enforce the privacy and security regulations under HIPAA. (For more information, see Federal Stimulus Means New HIPAA Privacy and Security Mandates.)

“Red Flag” Regulation Deadline Extended

The “Red Flag” regulations, issued simultaneously by a number of federal agencies, including the FTC, the federal bank regulatory agencies, and the National Credit Union Administration, require financial institutions and creditors to develop and implement written identity theft prevention programs to detect, prevent, and mitigate instances of identity theft. In response to continuing confusion about the application of the “Red Flag” regulations and a request from the House Appropriations Committee, the Federal Trade Commission has announced [http://www.ftc.gov/opa/2009/07/redflag.shtm] that it would “redouble its efforts” to provide additional resources and guidance concerning compliance and further delays its enforcement of the Rule from August 1 to November 1, 2009. Accordingly, entities subject to the FTC’s oversight in this regard, such as health care providers and small businesses, should take this opportunity to ensure they are compliant with the new requirements. (For more information, see FTC Grants Three-Month Delay of Enforcement of Identity Theft Prevention Rule.)  

Missouri Enacts a Data Breach Notification Law

Effective August 28, 2009, the State of Missouri becomes the 45th state to require businesses holding certain personal information to provide notification in the event of a breach. Only Alabama, Kentucky, Mississippi, New Mexico, and South Dakota remain without such a law. While all of the state breach notification statutes are similar, they are not the same. Thus, in a multistate breach requiring notification, each state’s law needs to be examined to ensure compliance with the particular requirements.

Like most data breach notification laws, Missouri’s law requires businesses, as well as governmental agencies in Missouri, to notify state residents if their unencrypted or unredacted computerized personal information is breached.  However, while the information triggering a breach in most states is limited to Social Security numbers, drivers’ license or state identification numbers and financial account numbers, Missouri joins a handful of other states, including Arkansas, California, and Texas in requiring a notification where certain types of health data has been breached.

HIPAA-covered entities and certain vendors handling HIPAA-protected health information with breaches in these states also will have to contend with the new HIPAA breach notification requirement to become effective later this year. (For more information, see Federal Stimulus Means New HIPAA Privacy and Security Mandates.)

The Missouri Attorney General enforces the law and may seek “actual damages for a willful and knowing violation” of the law, as well as civil penalties of up to $150,000 per breach or series of related breaches. 

Job Applicants’ Personal Information Protected in Connecticut and Utah

Connecticut. As part of an overall effort to ensure privacy and curb identity theft, Connecticut has promulgated a requirement for employers to safeguard employment applications. Beginning October 1, 2009, Nutmeg State employers will be required to “obtain and retain” employment applications in a secure manner. Additionally, when discarding such applications, employers need to “employ reasonable measures to destroy or make [them] unreadable,” such as by shredding the documents. These requirements will apply whether the company accepts applications in paper or electronic format, creating additional issues for employers with an electronic on-boarding system.

Utah. The Utah Employment Selection Procedures Act, effective May 12, 2009, regulates the employment application process for companies with 15 employees in Utah. Covered employers may need to change when they collect certain information from job applicants, safeguard the information when they collect it, and limit how long they keep it.

In general, the law prohibits covered employers from requesting an applicant’s Social Security number, date of birth, or driver’s license number before making a job offer to the applicant.  Exceptions to the law include the situation where the information is needed to obtain a criminal background check or credit history.

If the employer requests the information under an exemption, it must take the action for which it is seeking the information. For example, if the employer requests the information so it can perform a criminal background check, it must conduct the background check for that particular applicant.

Employers may not use the information obtained for any marketing or profiling purposes, nor may the information be disclosed to any other outside party, unless required by law. In addition, employers must maintain a specific policy regarding document retention, disposition, access and confidentiality of the information, and may not retain the information for more than two years after the applicant provides the information, if the employer does not hire the applicant within that two-year period.

The Utah Antidiscrimination & Labor Division of the Utah Labor Commission is drafting administrative rules for the complaint and investigatory processes to enforce these rules.

* * *

Regulation of the use, disclosure and safeguarding of personal information to protect privacy and security will continue to grow. Businesses should evaluate the kinds of information they maintain for commercial and employment purposes in order to determine the extent to which these laws may apply. Implementation of appropriate policies and procedures, among other steps, can go far toward reducing potential liability. Members of our Employee Benefits, including Complex ERISA Litigation, Workplace Privacy and Executive Compensation practice group are available to assist your business in understanding your obligations and planning accordingly.

Copyright © 1998-2010 Jackson Lewis LLP