Privacy Initiatives

Susan Blair, MSJ, MBA, CIPP, CCEP, CIA
Chief Privacy Officer, University of Florida
DO
PLAN
WATCH




Privacy Complaint: An allegation by an individual that an organization is not complying with the requirements of the federal privacy and/or security regulations or the organization’s own policies and procedures related to the privacy / security of personal information.

Privacy Incident: A known or suspected action, inconsistent with the organization’s privacy policies and procedures, or an adverse event, related to restricted or sensitive information.
[Chart: yearly counts 2003–2008 by category (Health, Academic, Personal, Research, All Other); scale 0–250]

[Chart: yearly counts 2003–2008, UF Campus vs. Health Ctrs; scale 0–250]







Records affected, by data type:
◦ PHI: 3,440
◦ PHI/PII: 335,353
◦ PII: 825
◦ Student Record: 4,955
◦ PII/Student Record: 13,516
◦ Financial: 2
◦ Human Resources: 32

Number of Violations/Incidents*, by unit:
◦ College of Dentistry: 334,238#/7
◦ College of Medicine: 3,501/91
◦ Academic Technology-CLAS: 11,562/2
◦ College of Engineering: 4,423/3
◦ Reitz Union: 612/1
◦ IFAS: 271/2
◦ College of Education: 145/1

*Number of Violations/Incidents
#334,234 were both PHI and PII violations
Genetic Information Nondiscrimination Act
Red Flag Rules
American Reinvestment and Recovery Act (ARRA)
Health Information Technology for Economic and Clinical Health Act (HITECH)

Genetic Information Nondiscrimination Act:
◦ Results of genetic tests for individuals or family members that provide any data about medical history; includes predictive testing.
◦ Mandates modification of HIPAA’s Privacy Rule so that genetic information is treated as protected health information; became effective May 21, 2009.
◦ Confidentiality safeguards required for collection, maintenance, and storage; also limits disclosure of genetic information.


FTC Red Flag Rules, became effective May 1, 2009 but delayed to August 1, 2009.
Written ID Theft Prevention Program for any ‘covered account’ for individuals or households:
◦ regularly extending, renewing, or continuing credit;
◦ regularly arranging for such credit;
◦ acting as an assignee of an original creditor.








◦ Inventory and Risk Assessment of Accounts
◦ Board of Trustees Review and Approval of Written Policies and Procedures
◦ Red Flags Training
◦ Departmental Procedures & Training
◦ Compliance Audits
◦ Cross-reference to Critical Incident and Breach Notification Plan and SSN Monitoring
◦ Add or revise contract language to require contractors to establish a written identity theft program or to mirror the University’s Red Flags Program
◦ Audit compliance at least annually.


Restrictions on Disclosures: prohibited, with limited exceptions (as required by law)
Enforcement by State Attorney General
◦ Civil case (violation) on interest to state residents
◦ Damages and court fees to be awarded
◦ Federal court venue
◦ Effective for violations that occurred after enactment
Tiered Civil Monetary Penalties Collected
◦ Employees or individuals can be found liable under HIPAA.

Tier                             Minimum Penalties (per Violation)   Maximum Penalties (Annual)
Tier A “Did not know”            $100                                $25,000
Tier B “Reasonable cause”        $1,000                              $100,000
Tier C “Willful neglect”         $10,000                             $250,000
Tier D “Uncorrected violation”   $50,000                             $1,500,000
August 2009: Breach notification provisions and PHI breach notification
February 2010: Business Associates and Marketing
August 2010: Minimum Necessary and Prohibition on sale of electronic health records/PHRs
January 2011: Accounting for Disclosures
February 2011: Enforcement for ‘willful neglect’

Section 13402 requires HIPAA covered entities to notify affected individuals of a breach of “unsecured protected health information”
◦ “Not secured through the use of a technology or methodology specified by the Secretary of HHS through guidance”

April 17th HHS Guidance recommends either encryption or destruction.

Encryption according to National Institute of Standards and Technology (“NIST”) or Federal Information Processing Standards (“FIPS”):
◦ “Data at rest” – NIST 800-111, Guide to Storage Encryption Technologies for End User Devices
◦ “Data in motion” – FIPS 140-2, including
  ◦ NIST 800-52, Guidelines for the Selection and Use of Transport Layer Security Implementations
  ◦ NIST 800-77, Guide to IPsec VPNs
  ◦ NIST 800-113, Guide to SSL VPNs

Destruction:
◦ Paper, film, or other hard copy media must be shredded or destroyed to the extent that the PHI cannot be read or reconstructed.
◦ Electronic media must be cleared, purged or destroyed such that the PHI cannot be retrieved, and such destruction must be consistent with NIST 800-88, Guidelines for Media Sanitization.

Notification: Sets thresholds for triggering breach notification requirements as well as parameters for the method, content, and timing of the notification. For example,
◦ Must provide notice to consumers and FTC within 60 days of discovery;
◦ Notice must include mitigation details; and
◦ If 10 or more individuals cannot be reached, must post conspicuously for six months on homepage of website; or, provide to print and broadcast media outlets in areas affected by breach.

Applies to breaches discovered on or after September 18, 2009.


Over 50 colleges and universities have experienced multiple reported privacy incidents since 2001. At a state level, California is home to seven twice-breached universities, while Ohio follows at four schools.
At least four universities have experienced five or more publicized privacy incidents:
◦ Purdue University (7)
◦ Ohio University (5)
◦ University of Florida (5)
◦ University of Iowa (5)











Records affected per incident:
◦ Stanford University: 72,000
◦ University of Georgia: 4,250
◦ University of Akron: 800
◦ University of Florida: 101
◦ Ohio University: 492
◦ Tennessee Tech: 990
◦ University of Texas: 2,500
◦ University of Maryland: 23,000
◦ Penn State: 677
◦ Georgetown University: 38,000
◦ University of Florida: 1,900
◦ University of Minnesota: 3,100
◦ Long Island University: 30,000
◦ Middle Tenn. State: 1,500
◦ Texas A&M: 3,000
◦ Harvard University: 6,600
◦ Binghamton University: 300
◦ University of Miami: 2,100,000
◦ University of Florida: 11,300
◦ University of Utah: 2,200,000
◦ University of Florida: 344,448
◦ Oklahoma St. University: 70,000
◦ UC San Francisco: 3,569







◦ Data-rich information systems creating a natural target.
◦ Outdated and non-enforced data security safeguards.
◦ Sophisticated intruders with potential criminal intent.
◦ Careless or inattentive data systems management.
◦ Negligent hiring practices or employee misuse of data.
◦ Demonstrated opportunities for repeat access.
◦ Business partners or research sponsors who fail to protect information.


Seminal means “Highly original and influencing the development of future events”.
When does a Privacy Breach cause harm?
◦ Identity theft and financial fraud
◦ Offensive publication of illicitly acquired PII
◦ Limited economic opportunities, e.g. for a job applicant

Canada, Australia, and New Zealand are codifying that privacy-security breaches can cause harm.



Federal Precedent: Ninth Circuit Court (Stollenwerk) opined that ‘harm’ was not necessary for class action lawsuits resulting from data breach.
Partnering of Federal Agencies: FTC joined OCR to pursue claims against CVS with settlement costs of $2.25 million. Also, FTC can levy penalties where identity theft results.
States’ Action: ARRA permits states’ AG to sue for damages on behalf of residents.




◦ Increased Governmental Regulations, especially for identity theft and healthcare operations
◦ Emerging Technology Risks and Expanding Data Security Obligations
◦ Probable Civil Case Law Developments as well as Enhanced Enforcement, especially from state AGs
◦ Continuing infrastructure and resource challenges
UF Privacy Office
◦ http://privacy.ufl.edu
◦ 352-273-5094
◦ Toll-free Hotline: 866-876-4472