Wednesday, September 9, 2009

California Increases HIPAA Penalties

New California Laws Increase Penalties for Privacy Breaches of Confidential Patient Data

On September 30, 2008, California Governor Arnold Schwarzenegger signed into law two bills that provide new oversight, stricter requirements, and increased penalties for breaches of medical data confidentiality. Sponsored by the California Department of Public Health (CDPH), AB 211 and SB 541 were prompted in part by disclosures that employees at the University of California, Los Angeles Medical Center had been “snooping” into celebrity medical data and by concerns about the unauthorized use of patient data for fundraising and marketing. The laws become effective on January 1, 2009.

These new laws break new ground by making providers, health plans, and individuals accountable for unauthorized access to medical information, not just for unlawful use or disclosure. AB 211 requires providers, health care service plans, and contractors to safeguard confidential medical information reasonably and prevent unauthorized access. It also creates a new state office to oversee the enforcement of state laws on medical information privacy. The companion bill, SB 541, increases fines for immediate jeopardy from the current maximum of $25,000 (in the absence of departmental regulations) to $100,000, and makes such fines applicable to clinics, health facilities, home health agencies, and hospices. It also sets forth specific administrative penalties for privacy breaches.

Both laws define unauthorized access as “the inappropriate review or viewing of patient medical information without a direct need for diagnosis, treatment, or other lawful use as permitted by the Confidentiality of Medical Information Act (CMIA) (Part 2.6 (commencing with Section 56) of Division 1 of the Civil Code) or by other statutes or regulations governing the lawful access, use, or disclosure of medical information.”

AB 211
AB 211 adds Sections 130200 – 130205 to the California Health and Safety Code, which require every provider of health care to implement appropriate administrative, technical, and physical safeguards to protect the privacy of a patient's medical information and safeguard it from unauthorized access or unlawful access, use, or disclosure.

The law establishes the California Office of Health Information Integrity (CalOHII) within the California Health & Human Services Agency to enforce state law that mandates the confidentiality of medical information and to impose administrative fines for the unauthorized access, disclosure, or use of medical information. AB 211 authorizes CalOHII to levy administrative fines against any person and certain providers of health care (whether licensed or unlicensed), issue regulations, and refer violators to the appropriate licensing board for oversight. However, CalOHII may not assess administrative penalties against clinics, health facilities, home health agencies, or hospices licensed under the California Health and Safety Code that are governed by the provisions enacted in the companion bill, SB 541.

CalOHII is authorized to assess administrative penalties in the amounts specified in CMIA, which range from $25,000 to $250,000 for violations. In assessing fines, CalOHII is directed to consider factors such as the defendant's efforts to comply with the law; the nature and seriousness of the conduct; the harm to the patient, enrollee, or subscriber; the number of violations; the willfulness of the misconduct; the persistence of the misconduct; the length of time over which the misconduct occurred; and the defendant's assets, liabilities, and net worth.

SB 541
SB 541 amends Sections 1280.1 and 1280.3 and adds Section 1280.15 to the California Health and Safety Code. The law extends the administrative penalty provisions for immediate jeopardy, which currently apply solely to hospitals, to clinics, health facilities, home health agencies, and hospices. It also increases the amount of the administrative penalties for immediate jeopardy (in the absence of regulations) from $25,000 for an immediate jeopardy deficiency to a graduated scale with a maximum of $50,000 for the first administrative penalty, $75,000 for the second, and $100,000 for the third and every subsequent violation. The CDPH can assess higher penalties if it issues regulations to implement these provisions. SB 541 defines the term “immediate jeopardy” as a situation in which the licensee's noncompliance with one or more requirements of licensure has caused, or is likely to cause, serious injury or death to the patient.

Under this law, clinics, health facilities, home health agencies, and hospices also must safeguard confidential information in accordance with California Health and Safety Code Section 130203. SB 541 gives the CDPH the authority to assess administrative penalties for privacy breaches. CDPH may assess fines of up to $25,000 per patient whose medical information was accessed, used, or disclosed without authorization, and up to $17,500 per subsequent occurrence of unlawful or unauthorized access, use, or disclosure of that patient's medical information.

SB 541 also requires the specified health care providers to report all incidents of unlawful or unauthorized access to, use, or disclosure of a patient's medical information. The reports must be made to CDPH and to the affected patient (or the patient's representative) within five days after detection of the breach. The clinic, health facility, agency, or hospice may be fined $100 per day for failure to report. The total combined penalty assessed under these provisions may not exceed $250,000 per reported event.

Both of these laws make it even more important for a much wider range of health care providers, not just hospitals, to examine privacy, security, and quality of care issues. Many providers probably already have policies in place that address these issues. However, providers will find it much more critical to invest effort in their compliance programs to address these issues, including:

AB 211

  • Ensure that policies prohibit unauthorized access, rather than merely “unlawful” access to medical information
  • Assess security measures, including administrative, technical, and physical safeguards for medical information
  • Educate employees on privacy laws and the provider's policies on privacy of medical information
  • Implement robust security audits of access to medical information that identify unauthorized access
  • Take appropriate, documented action should unauthorized access to medical information occur
  • Include access to medical information within the provider's compliance program and encourage reporting by employees of suspected unauthorized access

SB 541

  • Understand state reporting laws
  • Report when legally required to do so
  • Assess all events that involve noncompliance with licensure that causes, or is likely to cause, serious injury or death to the patient
  • Look for opportunities for improvement and take appropriate action if reportable events occur

PCI Compliance For Dummies

For most people, the world of PCI [Payment Card Industry] is very complicated, frustrating, and extremely boring. So, in an effort to help you keep your sanity, Katana has put together the following information for every online business owner who has been told that they need PCI Scanning or PCI Compliance for their website but never gets a straight answer as to what it is, why they need it, what to do about it, or how to get it. The goal here is to simplify PCI for you so that you can make a clear, educated decision and weigh your options on your terms. You won't find any other resource like this online, so be sure to bookmark it or print it out so you can easily access it again.

NOTE: the official PCI documentation can be found at: www.pcisecuritystandards.org.

Question: What is PCI compliance and how does it apply to me?

Answer: PCI stands for Payment Card Industry. The PCI Council is an organization that was founded by the five major credit card companies: American Express, Discover, JCB, MasterCard, and Visa. It was formed in order to create a uniform set of security standards for companies to follow when processing credit card transactions. Until the PCI Council was organized, each of these companies had its own standards, which were similar to each other but not uniform, and that created a lot of problems.

These standards are part of the merchant agreement that you sign when you decide to accept payment cards, and whether you're aware of it or not, you are ultimately financially responsible if someone steals your customers' credit card data and you're found not to be in compliance. One fact you may not be aware of: all of the other parties involved in helping you process credit cards have the ability to pass these exorbitant non-compliance fines and penalties on to you, the merchant.

The PCI Council actually has 12 main security requirements that all merchants are required to be compliant with. [Yes, I ended in a preposition.] However, the extent to which the 12 requirements need to be met depends on the number of transactions a company processes in a year, which is used to separate merchants into 4 levels. They are broken down below for you, but if you need more information, the official documentation can be found at:

https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml


Question: So, what exactly do I need to do to become PCI Compliant?

Answer: As mentioned above, the requirements for PCI Compliance depend on which merchant level you fit into based on the number of transactions you process in a year. Basically, all merchants are required to do two things: quarterly PCI Scanning on all external-facing IP addresses and a yearly Report On Compliance.

PCI Scanning involves having a PCI ASV [Approved Scanning Vendor] scan any and all publicly accessible IP addresses that participate in the transaction process. This typically includes your website's IP address; however, if you transfer your customers to a third-party shopping cart hosted by your shopping cart provider during the checkout process, then you should have their IP address scanned as well.

A Report On Compliance is basically a report that you submit to your acquirer [an acquirer is typically the company you initially signed up with so that you could process credit cards, e.g. a third-party service provider, your actual bank, etc.] to show them that you are compliant. The type of report varies depending on the merchant level you fall into.

Here's a breakdown of the 4 Merchant Levels, and what is required for each level:

Level 1 is any merchant that does over 6,000,000 transactions a year. Basically, you need to bring an on-site assessor called a QSA [Qualified Security Assessor] to evaluate your security and create an in-depth Report On Compliance for you. Quarterly PCI Scans are also required.

Level 2 is any merchant that does between 1,000,000 and 6,000,000 transactions a year. In lieu of a full Report On Compliance, the PCI Council allows Level 2 merchants to complete a Self-Assessment Questionnaire [SAQ] instead. Quarterly PCI Scans are also required. Level 2 merchants also have an extra one-page form that takes about 5 minutes to fill out and basically states that they don't keep certain types of credit card information on file.

Level 3 is any merchant that does between 20,000 and 1,000,000 transactions a year. In lieu of a full Report On Compliance, the PCI Council allows Level 3 merchants to complete a Self-Assessment Questionnaire [SAQ] instead. Quarterly PCI Scans are also required.

Level 4 is any merchant that does between 1 and 20,000 transactions a year. In lieu of a full Report On Compliance, the PCI Council allows Level 4 merchants to complete a Self-Assessment Questionnaire [SAQ] instead. Quarterly PCI Scans are also required.

As you can see, the requirements for Levels 2-4 are all basically the same [except the extra form for Level 2]. For all three levels, you essentially need to get quarterly PCI Scans performed by an ASV and you also need to complete an annual SAQ.

It's worth mentioning that these compliance requirements will be much simpler and stress free if you DON'T STORE CREDIT CARDS ON YOUR SERVER. If you store customers' credit cards with a Payment Gateway Provider like Authorize.net, LinkPoint, PayPal, etc., the SAQ is a breeze. If you store credit cards on your own server, then the SAQ gets MUCH more complicated.

Once you've completed your PCI Scan and SAQ, you submit these documents to your acquirer. If you're a Level 4 merchant, depending on your acquirer and when you signed up, you may be able to have the quarterly scan requirement waived, although with the new PCI 1.2 standards implemented on October 1st, 2008 for all new merchants, more and more acquirers are requiring quarterly scans.


Question: I'm a Level 4 Merchant and I heard that PCI Scanning was optional. Is that right?

Answer: Effective October 1, 2008, PCI Level 4 merchants using third-party software are required to either use PCI-validated payment applications or be PCI compliant in order to board as a new merchant with Bank of America.

http://corp.bankofamerica.com/public/public.portal?_pd_page_label=landing/merchantnews/padss&subct=PA-DSS&ctid=2

According to the new standards, if you are a Level 4 merchant that processes fewer than 20,000 transactions, you don't store payment card information on your server, and your shopping cart provider is PCI validated, then you don't necessarily need to do quarterly scans, but you will still need to fill out the annual SAQ. However, if your shopping cart provider is not PCI validated, then you will need to be PCI Compliant and provide an annual SAQ and quarterly scans of your IP, and possibly scan your shopping cart provider's IP if the shopping cart is hosted on their server and not directly on yours.

What it really boils down to is your acquirer's [your merchant bank's] specific requirements, as each acquirer's requirements are different. Your acquirer has a lot of influence on what you need to provide as far as PCI compliance goes. If you are concerned about your liability or your responsibility as a merchant, contact your acquirer and ask what they require from you in order to be PCI Compliant. It's important to keep in mind, though, that no matter what your acquirer does or does not recommend that you do in order to be PCI compliant, you could still be financially responsible if something happens.