
Page 1: Privacy & Security Training - Texas CASA (texascasa.org/.../Privacy-and-Security-Course-Companion.pdf)

Privacy & Security Training Course Companion
First Edition

Texas CASA
1501 West Anderson Lane, Suite B-2
Austin, Texas 78757
(512) 473-2627


Privacy & Security

1

Table of Contents

Introduction .......... 2
Background .......... 3
Confidentiality .......... 4
Privacy .......... 7
Security .......... 12
Breaches of Information .......... 21
Glossary .......... 23
Appendix A: Relevant State and Federal Laws .......... 25


Introduction

Not long ago, hackers were able to access the computer network of a local CASA program. The hackers then contacted the program’s executive director and told the ED that their system was being held hostage and would only be released for a substantial fee. When the ED contacted law enforcement, the recommendation was, “You better pay up. There’s nothing we can do.”

In a different part of the state, an employee inadvertently threw into the trash documents containing sensitive, personal information about some of the children in the program’s care. Luckily, the information was retrieved and disposed of properly, but not before causing some bad PR for the program.

This Course Companion will introduce you to the specific things you can do to protect the privacy and security of information and to the various laws, regulations, policies and procedures intended to help you do just that.


Background

Relating To The Transfer To The Health And Human Services Commission Of Contracting Authority For Children’s Advocacy Centers And Volunteer Advocate Programs

Senate Bill 354 [1] went into effect Sept. 1, 2015. This legislation moved Texas CASA’s state-level funding from the Office of the Attorney General to the Health and Human Services Commission (HHSC).

As a result of this change, CASA programs in Texas must now comply with several additional state and federal regulations. The most important of these is the Health Insurance Portability and Accountability Act (HIPAA), originally enacted by Congress in 1996.

As of Sept. 1, 2015, HIPAA regulations apply to all CASA volunteers and staff (including management), not just health care providers.

Among other things, HIPAA requires “covered entities”, such as HHSC, and their “business associates”, such as Texas CASA and all local CASA programs in Texas, to take specific actions to protect what the law refers to as protected health information (PHI).

Additionally, HIPAA and other related laws and regulations set specific rules and guidelines for confidentiality, privacy, physical and information security, breach notifications, and staff training.

As a result of these rules and guidelines, HHSC requires its “subcontractors” (e.g., Texas CASA and local programs) to adhere to additional regulations to protect all “confidential information”.

For details regarding the laws and regulations CASA programs in Texas must adhere to, refer to Appendix A of this Course Companion.

If you have any questions, contact your program’s Privacy and Security Official. The Privacy and Security Official is the person you contact if you have questions or concerns about HIPAA and other related laws and regulations pertaining to the use and protection of confidential information. This is also the person you contact to report an actual or suspected breach of confidential information.

[1] http://www.capitol.state.tx.us/BillLookup/History.aspx?LegSess=84R&Bill=SB354


Confidentiality

CASA volunteers, and often CASA staff members, have access to confidential information about children and the people involved in those children’s lives. In addition, CASA programs often maintain lists or databases of sensitive, confidential information relating to donors, board members, etc.

As you already know, all volunteers and staff members are required to receive a minimum level of training regarding the importance of confidentiality and must sign a confidentiality agreement.

Much, if not all, of the material in this section should not be new to you. However, it is provided as a reminder, not only to reiterate the importance of protecting sensitive and confidential information, but also because we are now subject to more stringent laws and regulations than in the past, and it is important that EVERY member of the CASA community know and understand how to protect information.

According to the National CASA training curriculum:

“CASA volunteers may not release [confidential information] except to the child, CASA program staff, the attorney(s) on the case, the caseworker, the court, and others as instructed by law or local court rule. There are strict guidelines about who can have access to confidential information.”

By law, CASA volunteers must keep all information regarding the case confidential and make no disclosure, except by court order or unless provided by law. Mistakes in handling confidential information can be detrimental to the children involved and can bring criminal action against the people who misuse the information.

In addition to protecting the information contained in a child’s case file, CASA programs also have a responsibility to protect the privacy and confidentiality of other forms of sensitive information such as personnel records, donor records, financial data, and so on.


Protecting Confidential Information Is Not Just the Volunteer’s Job.

Protecting the confidentiality and integrity of protected health information (PHI) and other sensitive, confidential information is a responsibility shared by staff, volunteers, board members, and anyone else in the CASA network who might have a role in accessing or protecting that information. Shared responsibility has always been a part of CASA culture. Not only is it required by law and by professional ethics, but it is also the responsible thing to do.

HIPAA and related state and federal laws seek to protect confidential information by ensuring that CASA program staff, volunteers, management and board members have a clear understanding of how to protect confidential information, as well as periodic reminders and regular training opportunities to reinforce that understanding.

What Is Confidential Information?

As a volunteer or staff member on a case, your appointment order gives you the authority to obtain a great deal of information that is, in fact, confidential. Child Protective Services records are confidential and are not available for public inspection. It is especially important that the name of any person who has made a report of suspected child abuse and/or neglect not be revealed. School records are also confidential.

There are legal privileges that protect attorney/client, doctor/patient, priest/parishioner, psychologist/patient, and caseworker/client communications. Such communication, whether oral, written or electronic, is all confidential and must remain so unless a court order specifically states otherwise.

You must regard as confidential any information that the source deems confidential. For more information regarding confidentiality as defined by HIPAA and other laws and regulations, refer to Appendix A of this Course Companion.

For a more in-depth discussion of confidentiality, refer to Chapter 7 of the National CASA Volunteer Training Curriculum [2].

[2] http://www.casaforchildren.org/site/c.mtJSJ7MPIsE/b.5466395/k.42E4/Volunteer_Training_Curriculum.htm (requires login)


Confidentiality Dilemmas

Questions of confidentiality in your role as a CASA volunteer or staff member are often not clear-cut or easily recognized.

SCENARIO 1

Volunteer Shirley Colston was at her neighborhood swimming pool. A neighbor, Stephanie Moore, asked Shirley what she did as a CASA volunteer. Shirley thought Stephanie would be a great CASA volunteer and decided to give her an example of what activities she had done on a recent case. Shirley gave no case names and slightly changed the facts in the case to preserve confidentiality. However, as Stephanie heard the altered details of the case, she still recognized the similarities to an open CPS case involving her cousin.

What confidentiality breach do you see?
What problems could this cause for the child or the case?
Do you think this violates HIPAA?

Whenever you discuss sensitive, confidential information, remember two things:

1. Confidential information may only be used or disclosed for specific, WORK-RELATED PURPOSES.
2. You must limit use or disclosure of confidential information to the MINIMUM NECESSARY to do your job.

What are the Consequences of Breaches of Confidentiality?

The potential harm this could cause to the child should be obvious. But, in addition to harming, endangering or simply embarrassing the child, breaches of confidentiality can carry with them both civil and criminal penalties, which will be discussed in subsequent sections.


Privacy

Under HIPAA, “covered entities” (such as HHSC) and their “business associates” (such as CASA programs in Texas) have an obligation to protect individually identifiable health information, also known as “protected health information” or PHI.

In addition to HIPAA, other federal and state laws and agency regulations require “contractors” like Texas CASA and “subcontractors” like all local programs in the CASA network in Texas to protect all “confidential information”.

CASA volunteers and program staff who have access to or disclose PHI must adhere to HIPAA requirements. And as a result of Texas CASA’s new funding relationship with HHSC, all CASA programs in Texas are required to implement and follow certain policies and procedures to help safeguard confidential information (oral, written or electronic).

According to HIPAA, PHI is generally defined as any information that can be used to identify an individual – living or deceased – that relates to the individual’s past, present or future physical or mental health or condition, including healthcare services and payments for those services.

When used to identify an individual and when combined with health information, HIPAA identifiers create PHI.

Any of the following are considered PHI identifiers under HIPAA:

- Patient names
- Geographic subdivisions (smaller than a state)
- Telephone and fax numbers
- Social Security numbers
- Vehicle identifiers
- E-mail addresses
- Web URLs and IP addresses
- Dates (except year)
- Names of relatives
- Full face photographs or images
- Healthcare record numbers
- Account numbers
- Biometric identifiers (fingerprints or voiceprints)
- Device identifiers
- Health plan beneficiary numbers
- Certificate/license numbers
- Any other unique number, code, or characteristic that can be linked to an individual

For more details about the HIPAA Privacy Rule, refer to the Code of Federal Regulations [3].

Protected health information does not include individually identifiable health information in education records covered by the Family Educational Rights and Privacy Act (FERPA), or employment records held by a program in its role as an employer, such as HR records showing an employee’s ADA status. However, this type of data would still be considered “confidential information”.

In addition to protecting PHI, CASA staff and volunteers are responsible for protecting all confidential information relating to the children we serve, not just their medical records. Additionally, staff members are responsible for protecting sensitive, confidential information relating to employees, donors, etc.

So, what else constitutes sensitive or confidential information?

Simply put, ANYTHING that could be used to identify an individual and is not “publicly available”.

According to the Identity Theft Enforcement and Protection Act [4], it is “information that alone or in conjunction with other information identifies an individual”; but it does not include “publicly available information that is lawfully made available to the public from the federal government or a state or local government.”

According to HHSC, “confidential information” includes:

1. Client information
2. Protected health information (including electronic and unsecured PHI)
3. Sensitive personal information
4. Federal tax information
5. Personally identifiable information
6. Social Security Administration data (including Medicaid information)
7. All information designated as confidential under the constitution and laws of the State of Texas and of the United States

[3] http://www.ecfr.gov/cgi-bin/text-idx?SID=7df19c2fbf329170fee0772e5dd82331&mc=true&node=pt45.1.164&rgn=div5#sp45.1.164.e
[4] http://www.statutes.legis.state.tx.us/Docs/BC/htm/BC.521.htm


For details regarding the laws and regulations CASA programs in Texas must adhere to, refer to Appendix A of this Course Companion.

Prior Authorization Required

CASA volunteers and staff may access confidential information, but only when necessary to perform their job-related duties and only after they are authorized to do so.

Except in very limited circumstances, such as by court order, if a volunteer or staff member discloses confidential information without prior authorization or without a specific, job-related reason for doing so, they are violating federal and state laws and agency regulations, and may be subject to civil and criminal penalties.

Unauthorized Access

It is never acceptable for a volunteer or staff member to look at confidential information “just out of curiosity”, even if no harm is intended (e.g., retrieving an address to send a ‘get well’ card).

It is never acceptable for a volunteer or staff member to look at confidential information about a child on another person’s behalf unless the volunteer or staff person is directly involved in the child’s case and must do so for job-related reasons.

SCENARIO 2

CASA volunteer Tonya Mills was at home working on her court report. She had all of her case notes on her kitchen table when her friend Caitlyn stopped by for coffee. While Tonya was preparing the coffee, Caitlyn read the top page of Tonya’s case notes and learned the name of the family and several facts about the case. Later that day, Caitlyn was talking to her friend Amy and mentioned the case to her. Amy is the juvenile court clerk in the county where the case is open.

What confidentiality breach do you see?
What problems could this cause for the child or the case?
Do you think this is a violation?


Minimum Necessary

Even when volunteers and staff members are authorized to access or disclose sensitive, confidential information, HIPAA requires that only that information that is the MINIMUM NECESSARY to accomplish the intended purpose be used or disclosed.

Communicating in Public Areas

Be aware of your surroundings when discussing confidential information. Do not discuss confidential information in public areas such as in restaurants, in school, while riding the bus, etc.

Use caution when conducting conversations in:

- semi-private rooms
- waiting rooms
- corridors
- elevators and stairwells

SCENARIO 3

CASA volunteer Janie Bell was in the program office after a court hearing. She overheard another volunteer talking to program staff about a case in which a 4-year-old girl was going to be placed for adoption as soon as her parents’ rights were terminated. Janie mentioned this adoption possibility to a friend who wanted very much to adopt a child. This friend then called CPS to inquire about adopting the 4-year-old girl.

What confidentiality breach do you see?
What problems could this cause for the child or the case?
Do you think this violates HIPAA?


Privacy Review

- Confidential information exists in many forms: oral, written, and electronic.
- There are a number of state and federal laws that impose privacy and security requirements (and penalties), including the Texas Medical Records Privacy Act and HIPAA.
- Confidential information includes Social Security numbers, credit card numbers, driver’s license numbers, personnel information, computer passwords, and PHI. When used to identify an individual and when combined with health information, HIPAA identifiers create PHI.
- Two primary HIPAA regulations are the Privacy Rule and the Security Rule.
- All staff and volunteers must have written authorization or a job-related reason for accessing or disclosing confidential information.
- Limit access to confidential information to the minimum necessary to do your job.
- Be especially careful when discussing confidential information in public or semi-private areas.


Security

“Eight years of research on data breach costs has shown employee behavior to be one of the most pressing issues facing organizations today.”

Top examples of “employee behavior” (a.k.a. human error):

- failure to follow policies and procedures
- general carelessness
- failure to get up to speed on new threats
- lack of expertise with websites and software
- IT staff failure to follow policies and procedures

A MeriTalk study [5] found:

- 66% of federal network users believe security is time-consuming and restrictive.
- 69% say their work takes longer because of additional cyber security measures.
- One in five users report an inability to complete work because of security measures.
- 31% of users work around security measures at least once a week.

A Forrester study [6] found:

- 36% of breaches stem from inadvertent misuse of data by employees.
- 42% received training on how to remain secure at work, which means 58% haven’t had training at all.
- 57% say they’re not even aware of their organization’s current security policies.
- 25% say a breach occurred because of abuse by a malicious insider.

[5] http://www.federaltimes.com/article/20131015/IT01/310150006/Report-Many-employees-bypass-cybersecurity-measures
[6] http://www.forrester.com/Understand+The+State+Of+Data+Security+And+Privacy+2013+To+2014/fulltext/-/E-RES82021


The HIPAA Security Rule concentrates on safeguarding PHI by focusing on the confidentiality, integrity, and availability of PHI. Confidentiality means that data or information is not made available or disclosed to unauthorized persons or processes. Integrity means that data or information has not been altered or destroyed in an unauthorized manner. Availability means that data or information is accessible and usable upon demand only by an authorized person.

For more details about the HIPAA Security Rule, refer to the Code of Federal Regulations [7].

The HIPAA Security Rule requires administrative, technical and physical safeguards to protect the privacy of PHI. These three types of safeguards must:

- protect PHI from any unauthorized use or disclosure in computer systems and work areas;
- limit accidental disclosures (such as discussions in waiting areas or hallways);
- include specific practices and procedures such as encryption, document shredding, locked offices and storage areas, use of secure passwords and use of access codes.

The administrative, technical and physical safeguards required by the HIPAA Security Rule require local CASA programs to put in place certain policies and technical solutions, described below.

By implementing these safeguards and following the related policies and procedures, programs will be able to greatly reduce the risk that confidential information will be lost, stolen or misused.

Malicious Software

Malicious software, or “malware”, comes in many forms: viruses, worms, spyware and spam. All of these various types of malware are dangerous for different reasons. Implementing specific technical safeguards will help to protect programs, volunteers and the children we serve.

[7] http://www.ecfr.gov/cgi-bin/text-idx?SID=7df19c2fbf329170fee0772e5dd82331&mc=true&node=pt45.1.164&rgn=div5#sp45.1.164.c


Viruses, Worms and Spyware

Computer viruses can modify how your computer operates and can even destroy data. Worms are malicious software programs that, once installed (by a virus, for example), can run without any action or knowledge of the user. Spyware is software that is secretly installed on a computer and can monitor user activity and share information without the user’s knowledge.

Malicious websites can infect your computer with any or all of these various types of malware. This is ONE reason why personal browsing on a work computer is not recommended.

Spam and Phishing

Spam is any form of unsolicited or junk email. It usually comes in the form of bulk advertising and may contain viruses, spyware or scams (remember the “Nigerian prince” scam?).

Phishing attacks are especially dangerous because they are often clever attempts to convince the user to reveal sensitive information, such as a password or bank account number.

As a general rule, you should NEVER disclose passwords, social security numbers, or any other confidential information via email. And if you’re even the least bit suspicious of the source of an email, do not open it or click on any links. When in doubt, don’t click!

According to a 2012 study [8] by the Canadian government, phishing attacks affect an average of 80,000 people worldwide EVERY SINGLE DAY.

According to a 2015 Verizon study [9], “23 percent of recipients open phishing messages, and 11 percent open attachments. Is that not crazy? One in 10 people opens an attachment when they have no idea what they’re opening.”

[8] http://cacm.acm.org/magazines/2012/1/144811-the-state-of-phishing-attacks/fulltext
[9] http://news.verizonenterprise.com/2015/04/2015-data-breach-report-info/


Safe Web Browsing Habits

Safe browsing habits on the Internet can help reduce the possibility of infection by malware.

Local programs, as well as all individual staff members and volunteers, should use antivirus and anti-spyware software and make sure it is regularly updated (with patches and/or upgrades).

Do not open email or click embedded links from an unknown or untrusted site.

If the computer or mobile device you are using stores any work-related confidential information, personal use of the Web is not recommended.

Safeguard confidential information – Look for signs of security when providing confidential information (e.g., the web address starts with “https” or a padlock icon is displayed in the status bar).

Keep your Web browser updated and use security settings – Stay current with browser updates and application updates such as Adobe Flash and Acrobat. Enable browser security settings to alert you to threats to your computer like popups, spyware, and malicious cookies.

Use security software – There are a number of free and easily available software products to protect your computer from malware, spyware, and virus threats. Talk to your IT support personnel to find out which software best fits your needs.

Safe downloading and streaming – When in doubt, just don’t do it! If a download looks too good to be true, it might be malware. Downloaded files like software or other media can contain hidden malware. Streaming media websites might seem harmless, but watching or listening to streaming media may require downloading a special media player that may contain malware.

Encryption

One of the most reliable ways to protect confidential information is to make it impossible to read for those who are not authorized to do so. This is what encryption does. Once a message or document is encrypted, only those with the ‘key’ are able to decrypt it and read it. Without that key, it’s a jumbled mess of symbols and characters.


Any time that confidential information is stored on any end-user electronic device (laptop, USB, tablet, smartphone, external hard drive, desktop computer, etc.), that device MUST use encryption software (FIPS 140-2 encryption or better).

Also, any time that confidential information is transmitted via email, that email MUST be encrypted.

Mobile Devices

Over the course of the last few years, mobile devices such as tablets, laptops and smartphones have become ever more common and necessary in our day-to-day lives, both at work and at home. However, because they go with us everywhere we go, these devices can pose as much if not more of a risk to confidential information than other types of devices do.

As much as possible, confidential information should not be viewed, stored or transmitted on mobile devices such as laptops, tablets or smartphones. If such devices are used, volunteers and staff members must do the following to protect confidential information:

- Use strong power-on passwords
- Automatic log-off
- Display screen lock after a certain period of inactivity
- Encryption
- Never leave devices unattended
- Immediately report loss or theft

Remember, for mobile devices, encryption is the best defense!

Passwords

Often, security breaches can come from within an organization, and many of these breaches are caused by bad password habits.

Use Strong Passwords – passwords must contain at least 8 characters and must contain upper- and lower-case letters, numbers and special characters.

Change Passwords Frequently – passwords must be changed at least every 90 days; among other things, this is to make it harder for hackers using automated tools to guess your password.

Never Share Your Password – In your personal life, there might be plenty of good reasons to share passwords with people. HBO even recommends it! But in your role as a CASA volunteer or staff member, you should never divulge your password to anyone.

Don’t Write Down Your Password – Use secure, encrypted password management software such as LastPass or Dashlane.

With the growing trend for websites and services to require visitors to create new user IDs and passwords to access the site, people are finding it difficult to safely manage a large number of accounts. One solution is to use a “password vault,” which provides an easy method to store all of one’s passwords in an encrypted format.

More information about password managers: http://lifehacker.com/5529133/five-best-password-managers
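The password rules above (at least 8 characters; upper- and lower-case letters, numbers and special characters; a change at least every 90 days) can be checked mechanically. The following is an added example, not code from this Course Companion or from Texas CASA; the function names and the sample passwords and dates are constructed for illustration.

```python
"""Checks for the password rules stated in the Passwords section:
at least 8 characters, containing upper- and lower-case letters, numbers
and special characters, and changed at least every 90 days.
Added example; the function names are assumptions, not Texas CASA code.
"""
from datetime import date, timedelta
import string

MIN_LENGTH = 8          # "at least 8 characters"
MAX_AGE_DAYS = 90       # "changed at least every 90 days"
SPECIAL = set(string.punctuation)


def password_violations(password: str) -> list:
    """Return the rules the password breaks, in policy order (empty = compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no number")
    if not any(c in SPECIAL for c in password):
        problems.append("no special character")
    return problems


def rotation_overdue(last_changed_iso: str, today_iso: str) -> bool:
    """True when the password is older than MAX_AGE_DAYS (dates as YYYY-MM-DD)."""
    last_changed = date.fromisoformat(last_changed_iso)
    today = date.fromisoformat(today_iso)
    return today - last_changed > timedelta(days=MAX_AGE_DAYS)


def review_account(password: str, last_changed_iso: str, today_iso: str) -> dict:
    """Combine both checks into one report a program's IT support could act on."""
    problems = password_violations(password)
    if rotation_overdue(last_changed_iso, today_iso):
        age = (date.fromisoformat(today_iso) - date.fromisoformat(last_changed_iso)).days
        problems.append(f"not changed for {age} days (limit {MAX_AGE_DAYS})")
    return {"compliant": not problems, "problems": problems}


if __name__ == "__main__":
    # Constructed sample values, not real credentials or real dates of change.
    today = "2016-01-15"
    samples = [
        ("casa2015", "2015-12-01"),      # no upper-case, no special character
        ("Casa!2015", "2015-09-01"),     # strong, but 136 days old
        ("Advocate#27x", "2015-12-01"),  # meets every rule
    ]
    for pw, changed in samples:
        print(pw, review_account(pw, changed, today))
```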

Other Technical Safeguards

- Copiers: erase all data from hard drives.
- Faxes: confirm authorization instructions; verify telephone numbers before faxing; when possible, use pre-programmed numbers.
- Devices: encrypt; enable and use password protection.
- Printers: Printers (and copiers) used for printing of confidential information should be in secure, non-public locations. If the equipment is in a public location, the information being printed or copied is required to be strictly monitored. Printed versions of confidential information must not be left unattended and open to compromise. Confidential information printed to a shared printer should be promptly removed.

Never, EVER, disclose confidential information through social media (Facebook, Twitter, etc.).


Remote Access

All computers and mobile devices used to connect to a local program’s networks or electronic systems from home or other off-site locations should meet the same minimum security standards that apply to work computers.

At a minimum, you should:

Use a Virtual Private Network (VPN) when working at home or off-site, and transmit confidential information only to locations within the program’s network. Where a VPN is not available, sensitive, confidential data must be encrypted before it is sent.

Run Windows Update or the update feature of the operating system you are using. Don’t forget to also update your applications (e.g., QuickTime, RealPlayer, and your preferred Web browser), and remove applications you no longer use; unpatched software is an easy target.

Keep virus definitions current by using the antivirus software recommended and supported by your program.

A University of Rochester Medical Center physician misplaced an unencrypted USB drive containing the PHI of 537 patients, including demographic identifiers as well as diagnostic information. Because the drive was unencrypted, the Medical Center had to notify every affected individual, the state attorney general, and HHS, opening the door to further investigation and large fines. Had the drive been encrypted, the loss would not have counted as a breach of unsecured PHI.

Whenever possible, avoid using external storage devices to store confidential information. If you must use such devices, including “thumb” or “flash” drives, use encryption and adhere to the following:

Use portable storage media only for transporting information, not for permanently storing it.

Once you have used the information, erase it from the device. Consider attaching your memory stick to your key ring; you are less likely to lose your keys.

Volunteer and staff responsibilities

Avoid storing confidential information on mobile devices and portable media; if you must, you must use encryption.


Always keep portable devices physically secure to prevent theft and unauthorized access.

Access information only as necessary for your authorized job responsibilities.

Keep your passwords confidential.

Comply with the Security and Privacy policies of your local program, Texas CASA, HHSC, HIPAA, etc. (for details, refer to the list of laws and regulations in Appendix A).

Report promptly to your supervisor and your program’s Privacy or Security Official the loss or misuse of devices storing confidential information.

Disposal of Data

Confidential information should NEVER be placed in the regular trash.

Volunteers and staff members must observe the following procedures for the disposal of confidential information:

Hard copy materials such as paper must be shredded, burned, pulverized or otherwise made completely unreadable and indecipherable.

Magnetic media such as diskettes or hard drives must be physically destroyed or “wiped” using approved software and procedures. Note that overwriting is not reliable on flash-based media (SSDs, USB drives, memory cards): wear levelling can leave copies of the data in blocks that wiping software cannot reach, so use the drive’s built-in sanitize or cryptographic-erase function, or physically destroy the device, as described in NIST SP 800-88 (see Appendix A).

CD-ROM discs must be rendered unreadable by shredding, breaking or defacing the recording surface.
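As an added illustration of the “wiped using approved software” step (not part of the original course materials, and not a substitute for the program’s approved tool), the hypothetical helper below overwrites a file in place with random bytes, forces the write to disk, and only then unlinks it. The sample file contents are constructed for the example. It shows the two details a plain “delete” skips, opening the file for in-place writing and calling fsync, and its docstring records the cases where overwriting is not enough.

```python
import os
import secrets
import tempfile
from typing import Optional

# Constructed sample content standing in for a case file; not real data.
SAMPLE_CONTENT = b"CONFIDENTIAL case notes for child #0001\n" * 50


def make_sample_file(directory: Optional[str] = None) -> str:
    """Write SAMPLE_CONTENT to a fresh temp file and return its path."""
    fd, path = tempfile.mkstemp(prefix="case-notes-", suffix=".txt", dir=directory)
    with os.fdopen(fd, "wb") as fh:
        fh.write(SAMPLE_CONTENT)
    return path


def overwrite_and_delete(path: str, passes: int = 1) -> Optional[int]:
    """Overwrite a file's blocks with random bytes, flush them to disk, then unlink it.

    Returns the number of bytes overwritten per pass, or None if `path` is not a
    regular file. This covers the ordinary case of a file on a magnetic disk.
    Copy-on-write filesystems, journaling, snapshots, backups and SSD wear
    levelling can all keep older copies that this routine never touches, which is
    why NIST SP 800-88 prefers the drive's own sanitize / cryptographic-erase
    commands or physical destruction for such media.
    """
    if not os.path.isfile(path):
        return None
    size = os.path.getsize(path)
    # "r+b" rewrites the existing blocks; "wb" would truncate and could allocate
    # new blocks, leaving the old ones (and their data) untouched on disk.
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                chunk = min(remaining, 1 << 16)
                fh.write(secrets.token_bytes(chunk))
                remaining -= chunk
            fh.flush()
            os.fsync(fh.fileno())  # push the overwrite past the OS page cache
    os.remove(path)
    return size


if __name__ == "__main__":
    sample = make_sample_file()
    print("overwrote", overwrite_and_delete(sample, passes=2), "bytes and removed", sample)
```

Run on a real program workstation this would be wrapped in the approved disposal procedure and logged; the point here is only to show what “wiping” does beneath the surface and where it stops working.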

At a large state university…

On several occasions sensitive materials were left in file cabinets or office desks that were turned in to the university surplus department. The surplus staff found the sensitive materials and returned them to the Compliance Office before anyone picked up the furniture. If any of that furniture had been sold to the public before the sensitive materials were found, it would have been difficult and costly for the university to retrieve the materials and manage the breach.

Physical Security

In addition to the technical safeguards described above, certain procedures must be followed to protect the physical security of confidential information and any electronic systems where it is stored.


Equipment such as PCs, servers, mainframes, fax machines, and copiers must be physically protected. Ideally, they should be kept behind locked doors with access limited to only those with a pre-determined, work-related purpose for using them.

Computer screens, copiers, and fax machines must be placed so that they cannot be accessed or viewed by unauthorized individuals.

Computers must use password-protected screen savers.

PCs that are used in open areas must be protected against theft or unauthorized access.

Servers must be in a secure area where physical access is controlled.

Disciplinary Actions

Volunteers and staff members who violate privacy or information security policies will be subject to appropriate disciplinary action as outlined in each local program’s personnel policies, as well as to possible criminal or civil penalties under state and federal law.

General Penalties for Failure to Comply

Sections 1176 and 1177 of the Social Security Act (the HIPAA enforcement provisions) provide for civil money penalties and criminal penalties, respectively, for failure to comply with the HIPAA requirements and standards. The civil penalty varies with the nature of the violation and the degree of culpability.

The HITECH Act increased the civil penalties, with the highest tier reserved for willful neglect: up to $50,000 per violation, and up to $1.5 million per calendar year for repeated or uncorrected violations of the same provision (these are the statutory figures; HHS adjusts them for inflation).

Security Review

Keep your password(s) confidential; change them as your program’s policy requires, and immediately if you suspect one has been exposed.

Keep notes, files and mobile devices in a secure place and be careful not to leave them unattended, anywhere.

If storing or transmitting confidential information on a mobile device, use encryption.

Follow appropriate disposal procedures such as document shredding.

Do not include confidential information in emails.

Do not open emails or attachments from unknown or untrusted sources.

Keep anti-malware and other software up to date.


Breaches of Information

Breaches of information privacy and security may result in both civil and criminal penalties, as well as employee or volunteer sanctions.

A breach occurs when information that, by law, must be protected is:

lost, stolen or improperly disposed of (i.e., the paper or device on which the information is recorded cannot be accounted for);

“hacked” into by people or automated programs that are not authorized to have access (e.g., the system in which the information is located is compromised by a “worm”); or

communicated or sent to others who have no official need to receive it (e.g., gossip about information learned from a case file).

For more details about the HIPAA Breach Notification Rule, refer to 45 CFR Part 164, Subpart D, in the Code of Federal Regulations (footnote 10).

Reporting Breaches

Volunteers or staff members who witness or suspect a privacy or security breach should report it to their supervisor and to their program’s Privacy and Security Official.

Volunteers, staff and board members, or contractors may not threaten or take any retaliatory action against any individual for exercising his or her rights under HIPAA or for filing a HIPAA report or complaint, including reporting a privacy or security breach.

Penalties for Breaches

Breaches of the HIPAA Privacy and Security Rules have serious ramifications for all involved and may include both civil and criminal penalties. Statutory and regulatory penalties for breaches may include:

Civil penalties: up to $50,000 per violation, and up to $1.5 million per calendar year for uncorrected violations of the same provision (statutory figures, adjusted for inflation).

Criminal penalties: fines of $50,000 to $250,000 and imprisonment of up to 10 years, depending on intent.

10 http://www.ecfr.gov/cgi-bin/text-idx?SID=7df19c2fbf329170fee0772e5dd82331&mc=true&node=pt45.1.164&rgn=div5#sp45.1.164.d


Texas law requires that CASA programs notify potentially affected individuals of information breaches involving their Social Security numbers and other personal identifying information. HIPAA requires that programs notify individuals of any breaches involving their unsecured PHI.

According to Subchapter D of the Texas Identity Theft Enforcement and Protection Act (footnote 11), “a person who fails to take reasonable action to comply with section 521.053” can be fined by the state up to $250,000.

Breach Notification Requirements

Any impermissible use or disclosure that compromises PHI or other sensitive, confidential information (such as a lost or stolen laptop) may trigger breach notification requirements. Under HIPAA, an impermissible use or disclosure of PHI is presumed to be a breach unless a risk assessment shows a low probability that the PHI was compromised. Depending upon the results of that risk assessment, breach notification may have to be made to:

Texas CASA

the Department of Health and Human Services

all individuals whose information was breached or disclosed

the media

Letters of explanation describing the circumstances, including responsible parties, may have to be sent. A breach can significantly impact both the economic and human resources of the affected program. The estimated average cost per compromised record in a data breach can exceed $200. Needless to say, a breach has great potential to harm the reputation of the program as well.

Each local CASA program in Texas is required to maintain its own policies and procedures regarding breach notifications and how to handle them. It is recommended that these policies and procedures be included in the program’s crisis communication plan.

If you have questions, contact your program’s Privacy and Security Official.

11 http://www.statutes.legis.state.tx.us/Docs/BC/htm/BC.521.htm


Glossary

Authorized User means a person:

(1) Who is authorized (by a local CASA program) to create, receive, maintain, have access to, process, view, handle, examine, interpret, or analyze confidential information;

(2) For whom a local CASA program warrants and represents has a demonstrable need to create, receive, maintain, use, disclose or have access to the confidential information; and

(3) Who has agreed in writing to be bound by the disclosure and use limitations pertaining to the confidential information as required by the local CASA program, Texas CASA and HHSC.

Business associate

Texas CASA and all local CASA programs in Texas are considered “business associates” of HHSC and the U.S. Dept. of HHS.

Under the HIPAA Omnibus Rule, a Business Associate is directly liable for compliance with HIPAA Privacy and Security requirements and must:

enter into a Business Associate Agreement (called a BAA) with the covered entity (HHSC)

use appropriate safeguards to prevent the unpermitted access, use or disclosure of PHI

obtain assurances from subcontractors that appropriate safeguards are in place to prevent the unpermitted access, use or disclosure of PHI

notify the covered entity, upon discovery, of any breach of unsecured PHI for which the Business Associate was responsible

ensure its employees and/or those of its subcontractors receive HIPAA training

protect PHI to the same degree as a covered entity

Confidential Information means:

any communication or record (whether oral, written, electronically stored or transmitted, or in any other form) that consists of or includes any or all of the following:

(1) Client Information;

(2) Protected Health Information in any form including, without limitation, Electronic Protected Health Information or Unsecured Protected Health Information;

(3) Sensitive Personal Information as defined by Texas Business and Commerce Code Ch. 521;

(4) Federal Tax Information;


(5) Personally Identifiable Information;

(6) Social Security Administration Data, including, without limitation, Medicaid information;

(7) All privileged work product;

(8) All information designated as confidential under the constitution and laws of the State of Texas and of the United States, including the Texas

Health information means:

any information, including genetic information, whether oral or recorded in any form or medium, that: (1) Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and (2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.

Individually identifiable health information is:

information that is a subset of health information, including demographic information collected from an individual, and: (1) Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and (2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and (i) That identifies the individual; or (ii) With respect to which there is a reasonable basis to believe the information can be used to identify the individual.

Protected health information means:

individually identifiable health information: (1) Except as provided in paragraph (2) of this definition, that is: (i) Transmitted by electronic media; (ii) Maintained in electronic media; or (iii) Transmitted or maintained in any other form or medium. (2) Protected health information excludes individually identifiable health information: (i) In education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g; (ii) In records described at 20 U.S.C. 1232g(a)(4)(B)(iv); (iii) In employment records held by a covered entity in its role as employer; and (iv) Regarding a person who has been deceased for more than 50 years.

Workforce means:

employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity or business associate, is under the direct control of such covered entity or business associate, whether or not they are paid by the covered entity or business associate.


Appendix A: Relevant State and Federal Laws

1. Health Insurance Portability and Accountability Act of 1996 (45 CFR Parts 160 – 164)

More information about HIPAA is available on the U.S. Dept. of Health and Human Services website.

The HIPAA Privacy Rule provides federal protections for individually identifiable health information held by covered entities and their business associates and gives patients an array of rights with respect to that information.

The Security Rule specifies a series of administrative, physical, and technical safeguards for covered entities and their business associates to use to assure the confidentiality, integrity, and availability of electronic protected health information.

2. HIPAA HITECH Act

The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, promotes the adoption and meaningful use of health information technology. Subtitle D of the HITECH Act addresses the privacy and security concerns associated with the electronic transmission of health information, in part through several provisions that strengthen the civil and criminal enforcement of the HIPAA rules.

3. HIPAA Omnibus Rule

HHS’ Office for Civil Rights announced this final rule, which implements a number of provisions of the HITECH Act, enacted as part of the American Recovery and Reinvestment Act of 2009, to strengthen the privacy and security protections for health information established under HIPAA.

4. The Social Security Act

Among other things, this act establishes the minimum and maximum fines which can be levied by the federal government related to breaches of confidential information.

5. The Privacy Act of 1974

The Privacy Act protects records that can be retrieved from a system of records by personal identifiers such as a name, social security number, or other identifying number or symbol.


6. Internal Revenue Code, Title 26 of the United States Code, and Publication 1075

This publication provides safeguards for protecting federal tax returns and return information.

7. OMB Memorandum 07-18

8. Texas Health and Safety Code

9. Texas Medical Records Privacy Act

This act is broader in scope than HIPAA because it applies not only to health care providers, health plans and other entities that process health insurance claims but also to any individual, business, or organization that obtains, stores, or possesses PHI, as well as their agents, employees and contractors if they create, receive, obtain, use or transmit PHI.

10. Texas Public Information Act

Formerly known as the Open Records Act, this Act provides a mechanism for citizens to inspect or copy government records. It also provides for instances in which governmental bodies wish to, or are required by law to, withhold government records from the public.

11. Texas Government Code, Ch. 552 and section 2054.1125

12. Texas Business and Commerce Code Ch. 521 - The Identity Theft Enforcement and Protection Act

13. Title 1, Part 10, Chapter 202, Subchapter B, Texas Administrative Code

14. Federal Information Security Management Act of 2002 (FISMA)

15. National Institute of Standards and Technology (NIST) Special Publications 800-66, 800-53, 800-53A, 800-47, 800-88, 800-111

NIST is a federal agency that sets computer security standards for the federal government and publishes reports on topics related to IT security.