Compliance Workshop Privacy & Security: Protecting Personal Information (PDF document)


SLIDE 1

3/27/2015

Compliance Workshop Privacy & Security

Protecting Personal Information & SNAP Program Considerations

August 14, 2014

Presentation by: Jennifer L. Cox, J.D.

Cox & Osowiecki, LLC, Hartford, Connecticut

1

Today’s Privacy & Security Program Topics

  • Overview: Connecticut requirements for the Protection of Personal Information
  • Security Standards
  • Managing Breach Situations
  • Review SNAP Program Structure
  • Social Media
  • Q&A

2


CONNECTICUT DATA PROTECTION RULES

State Contractor and Subcontractor Privacy and Security Obligations “PROTECTION OF PERSONAL INFORMATION”

3

Personal Information, Connecticut Agencies’ Requirement For Safeguarding

  • Personal Information means any name, number or other information that may be used, alone or in conjunction with any other information, to identify a specific individual, including:
    – name, d/o/b, mother's maiden name, motor vehicle operator's license number, Social Security number, employee identification number, employer or taxpayer identification number, alien registration number, government passport number, health insurance identification number, demand deposit account number, savings account number, credit card number, debit card number or unique biometric data such as fingerprint, voice print, retina or iris image, or other unique physical representation.

4


Personal Information Breach Occurs if…

Unencrypted Personal Information is:
    – Misplaced, lost, stolen or in any way compromised
    – Seen or acquired by unauthorized persons
    – Of threatened integrity because it is at risk of compromise
    – Subject to a substantial risk of identity theft or fraud to the client, the Contractor, the Department or the State

  • All state contractors and subcontractors must have a written policy in place to guard against breach of Personal Information, and to ensure reports will be made if there is a breach
  • Note: paper records are always unencrypted

5

Security Policy Required

  • Each contractor and subcontractor doing work for DSS (including SNAP program work) must have a formal, comprehensive security policy to safeguard “Personal Information” (P.I.) as required for state agency contract work.
  • Note: this is in addition to your HIPAA Security plan and policy (but they can overlap)…for example, encryption implementation will overlap

6


Security Policy Controls

  • The security policy must include these features, at a minimum:
    – Rules for storage, access and transportation of P.I. (e.g., locked files, locked file rooms)
    – Reasonable restrictions on employee and other access
    – Annual review of policies and security measures
    – Technically secure access controls
    – ENCRYPTION for laptops, portable devices and media, and during transmission!!!!

7

Data Integrity Is Essential to Maintaining Privacy

  • Protecting clients’ rights includes information integrity
  • Incorrect or corrupted information can:
    – slow processing of benefits
    – cause incorrect determinations
  • Potential exposure of data to unauthorized people
    – a mix-up of individuals’ profiles and information will cause the file to be wrong
    – Clients have access rights, but they will be accessing materials in “their” file

8


Encryption of Electronic Data Practically and Realistically UNAVOIDABLE

9

Computers Must Be Set Up To Encrypt During Transmission

  • Encryption technologies essentially apply a code to the computer and data so that unauthorized users cannot gain access
  • Transmissions of SNAP confidential information must be encrypted (per DSS contract and federal program guidance)
    – Email must stream to DSS in encrypted stream
  • Need for encryption is a primary reason you cannot use your own device for SNAP work without permission

10


Encryption For Remote Access

  • Easy part: remote access needs to be technically secure with VPN, peer-to-peer, or other encryption level method
  • Harder part: administrative access rights: assigning, managing and auditing user access
  • Important to plan for how to manage misuse (or abuse) of access rights

11

Workstations, Portable Devices, Media Storage

  • Devices that carry confidential data should be encrypted so if they are lost or stolen, no data can be retrieved
    – Not the same for devices that do not have data, but act as access viewer
  • Remote and portable devices have greater risk because they are easier to lose or steal
  • Remote media storage of confidential data creates high risk
    – Encryption for data at rest: flash drives, discs, tapes

12


Question: What Security Is As Good As Encryption?

Hint: Empty Box

13

If There Is A Breach of Personal Information…

  • The contractor (or subcontractor) has strict notification requirements to the patient/client, and the state
  • Credit monitoring and protection must be offered to the affected individuals
  • Costs are the responsibility of the contractor/subcontractor
  • This is in addition to any HIPAA notification obligations

14


Steps If You Detect A Possible Breach

  • Have a formal structure in place for processing any potential breach (if that is a privacy officer, be sure to have a back up for vacation schedules, or other non-availability)
  • Be sure staff knows the process for breach reporting (who to go to, generally what information will be expected)

15

Handling Breach, DSS Contract

  • Internal investigation is essential
    – Documentation of your internal review is required regardless of whether you find an actual breach occurred
    – If e-record, include your IT/IS team from the start
  • First step: verify whether a breach actually occurred

16


Breach Reporting

  • If there was a BREACH, your reporting requirement is QUICKLY approaching:
    – 24 hours after breach occurs or is suspected
    – 3 days to present credit monitoring and protection plan
  • …To inform DSS and the Office of the Attorney General
  • If you are a subcontractor, you must also inform your contractor ASAP, and coordinate response!!

17

Reporting Breach to DSS or the Office of the Attorney General

  • Cooperate as much as possible with the regulators
  • Recognize that the regulator may not be an expert in handling breach (and may be familiar ONLY with HIPAA breach, may not be familiar with technical security)
  • Politely ask for the regulator to review any steps with you that you do not agree with, or that seem contraindicated

18


Breach Remediation

  • Think through any steps that could be taken immediately to
    – Avoid a repeat occurrence
    – Reduce harm of the current breach
  • Longer term issues:
    – Retraining
    – New policies or processes

19

Privacy and Security For SNAP

SNAP Program Drill Down

20


S.N.A.P.

  • SNAP = Supplemental Nutrition Assistance Program, formerly “FSP”…the Food Stamps Program
  • The implementing federal legislation is the “Food Stamp Act” (FSA); that terminology still appears throughout program materials
  • “SNAP benefits” can be processed through various media and methods (e.g., electronic benefits transfer cards)
  • “Food stamps” lingo outdated, but frequently still referenced by community and consumers

21

SNAP Purpose

SNAP is “designed to promote the general welfare and to safeguard the health and well being of the Nation's population by raising the levels of nutrition among low‐income households."

22


SNAP Design Flow: Top Down

Federal SNAP Program Law, Regulations, Guidance -> State SNAP Programs -> Contractors and Subcontractors

23

Federal Regulations

Primary set of regulations for SNAP:

  • 7 CFR parts 271 through 283
  • You can read these at www.ecfr.gov
  • States’ role and operational requirements outlined with highly granular detail in the federal regulations, very little flexibility
  • In turn, States must require contractors to follow the same strict rules

24


Different Programs’ Privacy Rules: Not Always Logical And Not Interchangeable

  • SNAP has its own rules, carefully designed to allow the program to function while protecting client and household information
  • Avoid extrapolating from other rules you know and use (e.g., DO NOT just apply HIPAA!!)
  • Key operational differences v. HIPAA Privacy include ENTIRELY DIFFERENT:
    – legal protections
    – consents and forms
    – sharing and access rules
  • SNAP designed for government administration of the program, HIPAA designed for flow of access across an open continuum of care and payment (private and government)

25

Federal Guidance to States On SNAP Outreach Activities

Definition of Outreach:

  • Outreach activities are defined as discretionary educational and informational efforts promoting the nutrition and other benefits of participating in the program which are directed to nonparticipating but potentially eligible persons.

26


Access Activities

Definition of Access:

  • Access activities are considered to be those discretionary activities that help current participants maintain and continue their participation, and include pre-certification efforts, but fall short of activities that are essentially certification.
  • Access activities might include projects intended to: increase retention rates of participants; support a client friendly environment; simplify applications or the application process; educate persons who are losing TANF benefits about their possible continued eligibility …. or deal with other issues of access improvement for clients.

27

Certification is Specifically Not An Outreach/Access Activity

  • Certification is an essential and thus a nondiscretionary activity that generally is performed as a routine administrative function of the …local [SNAP] agency, with certain conditions and with certain waivers, under contract with other entities.

28


Role Delegated to Each State for SNAP

  • Certification of applicant households
  • Issuance, control, and accountability of coupons
  • Developing and maintaining complaint procedures
  • Developing, conducting, and evaluating training
  • Conducting performance reporting reviews
  • Keeping records necessary to determine whether the program is being conducted in compliance with these regulations
  • Submitting accurate and timely financial and program reports

29

SNAP In Connecticut

  • DSS is the SNAP agency in Connecticut
  • DSS contracts with a variety of entities to ensure there is a sufficient team in place for the smooth operation of the SNAP program
  • CHCACT (as contractor) and various health centers (as subcontractors) are part of that team
  • The DSS SNAP contract for SNAP Outreach covers outreach and access functions
  • CHCACT has other subcontractors (including for processing data submissions)

30


SNAP Outreach Contract Scope of Work

CHCACT & Participating Centers

  • Work one-on-one with potentially eligible clients, assisting them in the SNAP application process
  • Application assistance includes:
    – assistance completing the application, including delivery of the application electronically and/or on paper to the DSS Regional local Offices.
  • Outreach services include providing information to address the individual’s and family’s immediate basic needs
  • Education and information sharing also part of the contract services
  • Various reporting and quality measures are part of the contract

31

But HIPAA Still Applies to…

  • A health center’s medical chart, and any information about a person gained because of the relationship with the center as a patient, including communications with/between health center staff about treatment or payment for services including Medicare, Medicaid, and/or private insurance eligibility or coverage
  • Challenge:
    – individuals are more familiar with HIPAA for core health center activities
    – we want to ensure that individuals understand their respective rights (otherwise there is risk that a person could waive rights based on a misperception)

32


Sharing Information About SNAP Applicants or Recipients Is Highly Restricted!!

  • SNAP information from an individual or household can only be shared as specifically directed by the federal rules!!
  • Most of the rules apply to DSS
  • But it affects outreach

33

Permitted Disclosure of SNAP Applicant or Participant Household Information

Use or disclosure of information obtained from food stamp applicant or recipient households shall be restricted to:

  • (i) Persons directly connected with the administration or enforcement of the provisions of the Food Stamp Act or regulations, other Federal assistance programs, federally-assisted State programs providing assistance on a means-tested basis to low income individuals, or general assistance programs which are subject to the joint processing requirements in § 273.2(j)(2).
  • Note: this extends to “administration or enforcement” of virtually ALL federal or state assistance programs, not just SNAP

34


Permitted Administration and Enforcement Related Sharing Is Very Broad

  • Application: information gathering, face-to-face discussions, explanation of eligibility thresholds
  • Verification of status and identity, interviews
  • Quality Control reviews
  • Program Evaluation reporting
  • Fulfilling client-based outcome measures

35

Joint Application for Assistance Programs

  • Connecticut (as permitted by federal rules) has a combined application form that includes SNAP and other assistance applications to be jointly processed (e.g., Medicaid eligibility)
  • Joint form makes excellent sense because:
    – Many programs have thresholds that would indicate categorical eligibility for SNAP
    – Far easier for clients to fill out a joint form
  • But: it also complicates the privacy picture for outreach work…more sharing and access are always in tension with privacy protection

36


Require Use of Approved Forms, Including Notices and Consents

  • The program structure and rules are complicated
    – We need to simplify messaging to clients but not miss key points
  • At a consumer level, we want to reduce confusion about:
    – Why certain information is being requested
    – Who sees the information and why
    – What privacy rights the client has, and how to exercise them
  • Consent forms allow us to communicate that to a client and obtain permission for information sharing
  • Forms vary from agency-to-agency, and between states, because there is design flexibility in how to inform applicants/clients about the program
  • Mandated notifications are not flexible, and those are incorporated into program materials

37

Other Permitted Disclosures

  • Very specific list

38


Scope of Permitted Disclosures

  • The following slides contain the balance of the SNAP privacy protection rule; it affects DSS and contractors who are determining eligibility (or detecting fraud or non-eligibility) based on the program rules more directly than it affects outreach work
  • It is important to see how strict the rules are
  • Keep in mind, this is the entire list of when SNAP information can be shared

39

Permitted Disclosure of SNAP Applicant or Participant Household Information

Use or disclosure of information obtained from food stamp applicant or recipient households shall be restricted to:

  • (ii) Persons directly connected with the administration or enforcement of the programs which are required to participate in the State income and eligibility verification system (IEVS) as specified in § 272.8(a)(2), to the extent the food stamp information is useful in establishing or verifying eligibility or benefit amounts under those programs;

40


Permitted Disclosure of SNAP Applicant or Participant Household Information

Use or disclosure of information obtained from food stamp applicant or recipient households shall be restricted to:

  • (iii) Persons directly connected with the verification of immigration status of aliens applying for food stamp benefits, through the Systematic Alien Verification for Entitlements (SAVE) Program, to the extent the information is necessary to identify the individual for verification purposes;
  • (iv) Persons directly connected with the administration of the Child Support Program under part D, title IV of the Social Security Act in order to assist in the administration of that program, and employees of the Secretary of Health and Human Services as necessary to assist in establishing or verifying eligibility or benefits under titles II and XVI of the Social Security Act;

41

Permitted Disclosure of SNAP Applicant or Participant Household Information

Use or disclosure of information obtained from food stamp applicant or recipient households shall be restricted to:

  • (v) Employees of the Comptroller General's Office of the United States for audit examination authorized by any other provision of law; and
  • (vi) Local, State, or Federal law enforcement officials, upon their written request, for the purpose of investigating an alleged violation of the Food Stamp Act or regulation. The written request shall include the identity of the individual requesting the information and his authority to do so, violation being investigated, and the identity of the person on whom the information is requested.

42


Permitted Disclosure of SNAP Information – Law Enforcement Access

  • (vii) Local, State or Federal law enforcement officers, upon written request, for the purpose of obtaining the address, social security number, and, if available, photograph of any household member, if the member is fleeing to avoid prosecution or custody for a crime, or an attempt to commit a crime, that would be classified as a felony (or in the State of New Jersey, a high misdemeanor), or is violating a condition of probation or parole imposed under a Federal or State law. The State agency shall not require a household to present photographic identification as a condition of eligibility and must accept any document that reasonably establishes the applicant's identity. The State agency shall also provide information regarding a household member, upon the written request of a law enforcement officer acting in his or her official capacity, where such member has information necessary for the apprehension or investigation of another member who is fleeing to avoid prosecution or custody for a felony, or has violated a condition of probation or parole. If a law enforcement officer provides documentation indicating that a household member is fleeing to avoid prosecution or custody for a felony, or has violated a condition of probation or parole, the State agency shall terminate the participation of the member. A request for information absent documentation would not be sufficient to terminate the member's participation. The State agency shall disclose only such information as is necessary to comply with a specific written request of a law enforcement agency authorized by this paragraph.

43

Newest Permitted Disclosure: Intersection With School Lunch Program

SNAP sharing allowed for…

  • (viii) Local educational agencies administering the National School Lunch Program established under the Richard B. Russell National School Lunch Act or the School Breakfast Program established under the Child Nutrition Act of 1966, for the purpose of directly certifying the eligibility of school-aged children for receipt of free meals under the School Lunch and School Breakfast programs based on their receipt of Supplemental Nutrition Assistance Program benefits.

44


Social Media and Social Marketing

  • Part of the SNAP Outreach work involves social marketing, such as Facebook and Twitter
  • Social media can be a great tool for connecting with clients and community
  • But it is critical to avoid mixing PERSONAL use of social media with work-based social media and marketing
    – Much easier line to cross than people realize!!

45

Social Media and Social Marketing

  • Common error: posting something to your PERSONAL Facebook page that seems de-identified, but in fact some people can figure out who and what you are describing
    – That can create a privacy failure!!
  • Ensure workers are careful with:
    – Pictures of clients (including on phone)
    – Dates, times, locations
    – Initials instead of name DOES NOT de-identify a person
  • Social media is like a spider’s web, and it spreads quickly

46


Social Media and Social Marketing

There should be a plan for:

  • How often the social media is observed and reviewed
  • Who will contact people who used social media where direct and individual contact or follow up is needed
  • What steps a workforce member is supposed to take if a client crosses into the workforce member’s PERSONAL social media
  • How to remove offensive or inappropriate materials from the public social media postings

47

Q&A

Questions

48