Guest Blog by David Krebs, Miller Thomson LLP, for Legal Works and Privacy Works Sweden.
Data breaches, in particular those involving personal information and sensitive personal information, are becoming increasingly high-profile reputational issues for healthcare organizations. Breaches may occur through lapses in technology and security or through individual error and errors in judgment. It is estimated that in the United States over 50% of the population has had their information exposed, increasingly through hacking rather than data loss, and manufacturers are struggling to keep pace with the risks posed by hackers.
E-health, as a concept and as an integral part of the future of healthcare delivery, requires public trust that data will be safe. It follows that data breaches are subject to increasing regulatory scrutiny (and fines), and in many jurisdictions breach notification is now mandatory. These laws place a variety of different obligations on organizations, and while there are similarities, organizations need to be cognizant of the fact that they are not uniform. Below is a brief summary contrasting some of the relevant requirements under the European General Data Protection Regulation (GDPR) with those applicable in the US under HIPAA/HITECH and in Canada under various federal and provincial laws. These are by no means the only jurisdictions with such requirements, but they serve as a good example of the similarities and differences that can exist.
Canada: PIPEDA
On November 1, 2018, the Breach of Security Safeguards Regulations came into force in Canada and apply to all organizations to which the Personal Information Protection and Electronic Documents Act (“PIPEDA”) applies (the private sector federal privacy legislation in Canada). The final version of the guidelines on mandatory reporting of breaches of security safeguards outlines the obligations of an organization if a breach is discovered.
Beginning on November 1, 2018, organizations are required to: (i) report to the Privacy Commissioner breaches of security safeguards involving personal information, (ii) notify individuals affected by relevant breaches, and (iii) maintain records of breaches. Notification must be given “as soon as feasible,” without a set maximum time period.
A separate article provides a more detailed analysis of these changes. Note that a number of Canadian provinces have their own private sector and health information-specific legislation requiring breach notification. Ontario, for instance, has breach notification guidelines applicable to “custodians” of personal health information under the Personal Health Information Protection Act. The Ontario Commissioner strongly recommends that a privacy breach protocol be in place to respond to such instances.
United States: HIPAA/HITECH
In the US, data breaches are subject to a number of state laws (e.g. California) as well as federal requirements applicable to the healthcare industry. The HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, requires HIPAA “covered entities” and their business associates to provide notification of breaches of unsecured protected health information (PHI). This includes hospitals and other healthcare providers as well as their suppliers that handle PHI. Similar provisions, implemented and enforced by the Federal Trade Commission (FTC), apply to vendors of personal health records and their third-party service providers under the HITECH Act. “Unsecured” means that breaches of information that has been rendered unusable, unreadable, or indecipherable through the use of a specified technology or methodology are not subject to the mandatory breach notification rules. The acceptable technologies are described in guidance issued by the Secretary of Health and Human Services.
The notice provisions under HIPAA/HITECH are quite different from what we would expect under the GDPR (and Canadian PIPEDA). Relevant breaches must be reported “without unreasonable delay,” and no later than 60 days after discovery. Depending on the number of affected people, notification must be given to individuals, the authorities, and possibly the media. “Business associates” (similar to processors) also have a duty to report breaches to the covered entity (similar to the “controller” in this case) without unreasonable delay and within a maximum of 60 days of discovery. Breaches where there are 500 or more affected individuals must adhere to a specific breach reporting process and form: all notifications to the Secretary must be submitted via a specific web portal.
European Union: GDPR
Under the GDPR, the obligation is somewhat different, in particular as it relates to the exception and the timing of reports. All personal data breaches must be reported to the organization’s Data Protection Officer, or to another individual in the organization if it has not appointed a DPO. A breach must be reported by the “controller,” the organization that determines the means of processing that data, to the competent Data Protection Authority within 72 hours of discovering the breach. The exception is that breaches need to be reported “unless the breach is unlikely to cause risks to individuals,” for example when the information was already publicly available. But as the Article 29 Working Party cautioned: “…even where data is encrypted, a loss or alteration can have negative consequences for data subjects where the controller has no adequate backups. In that instance communication to data subjects would be required, even if the data itself was subject to adequate encryption measures.”
In cases of “high risk to the rights and freedoms” of individuals, the controller must notify the relevant individuals in a “prompt” manner. A controller must keep records of all breaches, whether reported or not. Should there be a delay in reporting, the organization must supply the reasons for the delay in its report to the authorities.
Guest Blogger Bio: David Krebs