Nebraska LB 757: Are Nebraska Hospitals Prepared to Extend HIPAA Protections to Employment Data?
On February 28, 2018, Governor Pete Ricketts signed LB 757, which amends sections of the Credit Report Protection Act and the Financial Data Protection and Consumer Notification of Data Security Breach Act of 2006, into law. Although Senator Morfeld introduced the bill in response to the Equifax breach and his belief that Equifax’s response was insufficient to protect consumers, the bill’s provisions go significantly beyond post-breach notification actions and now require entities to establish reasonable security measures designed to prevent breaches.
Effective July 19, 2018, any individual or commercial entity conducting business in Nebraska that “owns, licenses, or maintains computerized data that includes personal information about a resident of Nebraska” is required to:
implement and maintain reasonable security procedures and practices that are appropriate to the nature and sensitivity of the personal information owned, licensed, or maintained and the nature and size of, and the resources available to, the business and its operations, including safeguards that protect the personal information when the individual or commercial entity disposes of the personal information.
Neb. Rev. Stat. § 87-808 (2018), as revised by LB 757. This standard is almost identical to that of the HIPAA Security Rule, which requires covered entities and business associates to “[i]mplement reasonable and appropriate policies and procedures” to protect protected health information (“PHI”) and electronic PHI (ePHI). 45 C.F.R. § 164.316. Similar to HIPAA’s business associate agreement requirement, if an individual or commercial entity “discloses computerized data that includes personal information about a Nebraska resident to a nonaffiliated, third-party service provider,” such service provider must contractually agree to implement and maintain security practices and procedures that: (1) “Are appropriate to the nature of the personal information disclosed to the service provider”; and (2) “Are reasonably designed to help protect the personal information from unauthorized access, acquisition, destruction, use, modification, or disclosure.” Neb. Rev. Stat. § 87-808 (2).
Legislative Bill 757 contains an alternative compliance provision that treats individuals and commercial entities as complying with LB 757 if they: (1) comply with a federal or state law that provides greater protection to personal information than that imposed by LB 757, or (2) are subject to HIPAA and/or the Gramm-Leach-Bliley Act and comply with the regulations promulgated thereunder. This is good for health care providers with respect to their current policies and procedures to protect PHI/ePHI. However, the scope of LB 757 is much broader than HIPAA because it governs all “computerized data that includes personal information about a resident of Nebraska,” not just PHI. For Nebraska health care providers, LB 757’s data protection requirements apply to their employee, volunteer, contractor, board of directors or trustee data, and any other “computerized data” containing Nebraska residents’ personal information.
Health care providers will need to begin examining how to extend their HIPAA policies and procedures to the other computerized records containing personally identifiable information of Nebraska residents. For example, if a hospital uses a third-party vendor for key aspects of its payroll system where an employee’s individual information is maintained (e.g., bank account information for automatic deposit), it must ensure that its contract with the vendor providing the payroll services contains the LB 757 data protection requirements. While Nebraska health care providers are in a better position than many organizations to comply with LB 757 given their current HIPAA compliance obligations, expanding policies and protections to this additional data and reviewing independent contractor agreements by the effective date of July 19th raises significant administrative, economic, and technical challenges.