Mid-Atlantic Health Law TOPICS
You Know About HIPAA, But What About PIPA?
The Maryland Personal Information Protection Act (PIPA) became effective on January 1, 2008. PIPA imposes information security and data breach requirements on all businesses, including hospitals, doctors and insurers, regardless of size, that have personal information about Maryland residents. Violation of PIPA is an unfair or deceptive trade practice, and may be enforced by private lawsuits. Penalties are also authorized.
Since information disseminated or listed in accordance with the requirements of the Health Insurance Portability and Accountability Act (HIPAA) is not covered by PIPA, many health care organizations have assumed incorrectly that PIPA does not apply to them. While this is generally true for patient information, PIPA also applies to personal information about employees of health care organizations, and, therefore, health care organizations need to comply.
A. Covered Information
PIPA protects "personal information" of Maryland residents. Personal information means an individual's first name or initial and last name in combination with one or more of the following data elements: Social Security number, driver's license number, individual taxpayer identification number, or a financial account number, including a credit or debit card number, that in combination with any required security code, access code or password, would permit unauthorized access to an individual's financial account. Encrypted information is not covered.
B. Effect on Health Care Organizations
During the 2007 legislative process, there was an effort to exempt health care organizations from PIPA completely. That effort failed, and the resulting exemption is narrower: personal information protected by PIPA does not include any information that is "disseminated or listed in accordance with [HIPAA]."
This means that PIPA does not apply to protected health information (PHI), as defined by HIPAA, that is protected as HIPAA requires. PHI is information that (i) is individually identifiable, (ii) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse, and (iii) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.
PIPA, however, applies to any personal information of patients that is not PHI. This means, for example, that, in the event of a breach involving an electronic database that contains only patient names and credit card numbers (which database might not be PHI), a health care organization should follow PIPA's data breach notice requirements.
In addition to the exemption for PHI, PIPA also provides that any business that complies with the data breach notice procedures, information security rules or information destruction rules established by its primary state or federal regulator is "deemed" to be in compliance with PIPA. Therefore, compliance with Maryland's Confidentiality of Medical Records Act would likely be deemed compliance with PIPA with respect to information covered by the Medical Records Act.
Notwithstanding these exemptions, all health care organizations have "personal information" pertaining to their employees, and, therefore, health care organizations must comply with PIPA with respect to information about their employees who are Maryland residents.
C. PIPA Requirements
PIPA's requirements for information security and disposal of personal information apply to all forms of records, electronic and paper, while the data breach notice requirements only apply to computerized data.
To protect against unauthorized access, PIPA requires organizations to implement and to maintain reasonable security procedures to protect personal information. Practically, this requires creation, adoption and maintenance of a written information security policy.
If the organization shares personal information with third party vendors, vendor contracts must incorporate PIPA's requirements beginning in 2009.
When destroying personal information, PIPA requires an organization to take reasonable steps to make sure that the information does not fall into the hands of fraudsters.
If someone gains unauthorized access to personal information, an organization must conduct a prompt, good faith investigation to determine the likelihood that the personal information has been or will be misused. The organization must determine the risk of harm to those persons whose personal information has been accessed. If misuse has occurred or is likely, the affected Maryland residents must be notified as soon as possible.
In addition to other things, PIPA requires the notice to inform affected individuals how to contact each of the three national credit reporting agencies, as well as how to obtain information about protecting against identity theft from the Federal Trade Commission and the Office of the Maryland Attorney General. Before the notices can be sent, the affected organization must first notify the Maryland Attorney General.
D. PIPA Violations
Any violation of PIPA is deemed an unfair or deceptive trade practice under the Maryland Consumer Protection Act, which is a criminal statute. Aggrieved persons can file a complaint with the Maryland Attorney General, who may issue a cease and desist order, and assess civil money penalties of up to $1,000 for the first violation, with subsequent violations resulting in penalties of up to $5,000.
Also, individuals may bring private lawsuits as a result of a violation of PIPA to recover their injuries or losses, and they may also recover their attorneys' fees.
Although the question is not yet settled, failing to have an appropriate policy, or failing to follow one's policy in the event of a breach, would in all likelihood each constitute a PIPA violation, while the breach of privacy itself might not.
The reputational harm that could result from a violation of PIPA is perhaps just as critical as any monetary penalty. A health care organization's reputation may be harmed if it is perceived as not being committed to personal information security and confidentiality.
E. Conclusion
Experience shows that data breaches and other information security incidents do occur. One recent survey found that as many as 85% of businesses nationwide had suffered a security breach within the past year, and the Federal Trade Commission reported in February that identity theft was the most common consumer complaint received.
Accordingly, Maryland health care organizations should have a current and comprehensive information security policy that meets the requirements of PIPA. They should also act quickly in the event of an information security incident, and follow their up-to-date information security policy in that situation.