Compliance Workshop Privacy & Security Protecting Personal - PDF document

3/27/2015 Compliance Workshop Privacy & Security Protecting Personal Information & SNAP Program Considerations August 14, 2014 Presentation by: Jennifer L. Cox, J.D. Cox & Osowiecki, LLC Hartford, Connecticut 1 Today’s Privacy & Security Program Topics • Overview: Connecticut requirements for the Protection of Personal Information • Security Standards • Managing Breach Situations • Review SNAP Program Structure • Social Media • Q&A 2 1

3/27/2015 CONNECTICUT DATA PROTECTION RULES State Contractor and Subcontractor Privacy and Security Obligations “PROTECTION OF PERSONAL INFORMATION” 3 Personal Information, Connecticut Agencies’ Requirement For Safeguarding • Personal Information means any name, number or other information that may be used, alone or in conjunction with any other information , to identify a specific individual, including: • name, d/o/b, mother's maiden name, motor vehicle operator's license number, Social Security number, employee identification number, employer or taxpayer identification number, alien registration number, government passport number, health insurance identification number, demand deposit account number, savings account number, credit card number, debit card number or unique biometric data such as fingerprint, voice print, retina or iris image, or other unique physical representation. 4 2

3/27/2015 Personal Information Breach Occurs if… Unencrypted Personal Information is: – Misplaced, lost, stolen or in any way compromised – Is seen or acquired by unauthorized persons – Has threatened integrity because it is at risk of compromise – There is a substantial risk of identity theft or fraud to the client, the Contractor, the Department or the State – All state contractors and subcontractors must have a written policy in place to guard against breach of Personal Information – and to ensure reports will be made if there is a breach • Note: paper records are always unencrypted 5 Security Policy Required • Each contractor and subcontractor doing work for DSS (including SNAP program work) must have a formal, comprehensive security policy to safeguard “Personal Information” (P.I.) as required for state agency contract work. • Note: this is in addition to your HIPAA Security plan and policy (but they can overlap)…for example, encryption implementation will overlap 6 3

3/27/2015 Security Policy Controls • The security policy must include these features, at a minimum: – Rules for storage, access and transportation of P.I. ( e.g. , locked files, locked file rooms) – Reasonable restrictions on employee and other access – Annual review of policies and security measures – Technically secure access controls security – ENCRYPTION for laptops, portable devices and media, and during transmission!!!! 7 Data Integrity Is Essential to Maintaining Privacy • Protecting clients’ rights includes information integrity • Incorrect or corrupted information can: – slow processing of benefits – cause incorrect determinations • Potential exposure of data to unauthorized people – a mix ‐ up of individual’s profiles and information will cause the file to be wrong – Client’s have access rights – but they will be accessing materials in “their” file 8 4

3/27/2015 Encryption of Electronic Data Practically and Realistically UNAVOIDABLE 9 Computers Must Be Set Up To Encrypt During Transmission • Encryption technologies essentially apply a code to the computer and data so that unauthorized users cannot gain access • Transmissions of SNAP confidential information must be encrypted (per DSS contract and federal program guidance) – Email must stream to DSS in encrypted stream Need for encryption is a primary reason you cannot use your own device for SNAP work without permission 10 5

3/27/2015 Encryption For Remote Access • Easy part ‐‐ Remote access needs to be technically secure with VPN, peer ‐ to ‐ peer, or other encryption level method • Harder part ‐‐ administrative access rights: assigning, managing and auditing user access • Important to plan for how to manage misuse (or abuse) of access rights 11 Workstations, Portable Devices, Media Storage • Devices that carry confidential data should be encrypted so if they are lost or stolen, no data can be retrieved – Not the same for devices that do not have data, but act as access viewer • Remote and portable devices have greater risk because they are easier to lose or steal • Remote media storage of confidential data creates high risk – Encryption for data at rest: flash drives, discs, tapes 12 6

3/27/2015 Question: What Security Is As Good As Encryption? Hint: Empty Box 13 If There Is A Breach of Personal Information… • The contractor (or subcontractor) has strict notification requirements to the patient/client, and the state • Credit monitoring and protection must be offered to the affected individuals • Costs are the responsibility of the contractor/subcontractor • This is in addition to any HIPAA notification obligations 14 7

3/27/2015 Steps If You Detect A Possible Breach • Have a formal structure in place for processing any potential breach (if that is a privacy officer, be sure to have a back up for vacation schedules, or other non ‐ availability) • Be sure staff knows process for breach reporting (who to go to, generally what information will be expected) 15 Handling Breach, DSS Contract • Internal investigation is essential – Documentation of your internal review is required regardless of whether you find an actual breach occurred – If e ‐ record, include your IT/IS team from the start • First step: verify whether a breach actually occurred 16 8

3/27/2015 Breach Reporting • If there was a BREACH, your reporting requirement is QUICKLY approaching: – 24 hours after breach occurs or is suspected – 3 days to present credit monitoring and protection plan • …To inform DSS and the Office of the Attorney General • If you are a subcontractor, you must also inform your contractor ASAP, and coordinate response!! 17 Reporting Breach to DSS or the Office of the Attorney General • Cooperate as much as possible with the regulators • Recognize that the regulator may not be an expert in handling breach (and may be familiar ONLY with HIPAA breach, may not be familiar with technical security) • Politely ask for regulator to review any steps with you that you do not agree with, or that seem contraindicated 18 9

3/27/2015 Breach Remediation • Think through any steps that could be taken immediately to – Avoid a repeat occurrence – Reduce harm of the current breach • Longer term issues: – Retraining – New policies or processes 19 Privacy and Security For SNAP SNAP Program Drill Down 20 10

3/27/2015 S.N.A.P. • SNAP = Supplemental Nutrition Assistance Program, formerly “FSP”…the Food Stamps Program • The implementing federal legislation is the “Food Stamp Act” (FSA); that terminology still appears throughout program materials • “SNAP benefits” can be processed through various media and methods (e.g., electronic benefits transfer cards) • “Food stamps” lingo outdated, but frequently still referenced by community and consumers 21 SNAP Purpose SNAP is “designed to promote the general welfare and to safeguard the health and well being of the Nation's population by raising the levels of nutrition among low ‐ income households." 22 11

3/27/2015 SNAP Design Flow: Top Down Federal SNAP Program Law, Regulations, Guidance State Snap Programs Contractors and Subcontractors 23 Federal Regulations Primary set of regulations for SNAP: • 7 CFR parts 271 through 283 • You can read these at www.ecfr.gov • States’ role and operational requirements outlined with highly granular detail in the federal regulations, very little flexibility • In turn, States must require contractors to follow the same strict rules 24 12

3/27/2015 Different Programs’ Privacy Rules: Not Always Logical And Not Interchangeable • SNAP has its own rules , carefully designed to allow the program to function while protecting client and household information • Avoid extrapolating from other rules you know and use (e.g., DO NOT just apply HIPAA!!) • Key operational differences v. HIPAA Privacy include ENTIRELY DIFFERENT: – legal protections – consents and forms – sharing and access rules • SNAP designed for government administration of the program, HIPAA designed for flow of access across an open continuum of care and payment (private and government) 25 Federal Guidance to States On SNAP Outreach Activities Definition of Outreach: • Outreach activities are defined as discretionary educational and informational efforts promoting the nutrition and other benefits of participating in the program which are directed to nonparticipating but potentially eligible persons. 26 13