Revisiting Your Breach Response Plan: Nebraska Amends Data Breach Act
Earlier this year, Nebraska’s Financial Data Protection and Consumer Notification of Data Security Breach Act of 2006 (the “Nebraska Act”) was amended. Specifically, the amendments require entities to notify the Nebraska Attorney General in the event of a data breach; expand the definition of “personal information;” and state that data is not encrypted if the encryption process or key was acquired as a result of the breach. The amendments are effective as of July 21, 2016. Health care organizations should become familiar with the new requirements and review breach response plans, as data breaches affecting health care organizations may require an analysis under both the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the various state data breach notification laws. The analysis includes an examination of the data involved; whether or not the data was compromised or breached; and the notification obligations to affected individuals.
Types of Data Involved
Entities must determine what data is involved in the incident. The information could be protected under HIPAA, state law, or both. Under HIPAA, “protected health information” (“PHI”) includes individually identifiable health information that relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care; and that identifies the individual or for which there is a reasonable basis to believe the information can be used to identify the individual. PHI includes, but is not limited to, medical records, demographic information, medical record and account numbers, social security numbers, and e-mail addresses.
Under the Nebraska Act, “personal information” means a Nebraska resident’s first name or first initial and last name in combination with: (i) social security number; (ii) motor vehicle operator’s license number or state identification card number; (iii) account number or credit/debit card number, in combination with any required security code, access code, or password that would permit access to the individual’s account; or (iv) unique biometric data, such as a fingerprint, voice print, or retina/iris image, or other unique physical representation. Pursuant to the recent amendments, “personal information” also includes a user name or e-mail address, in combination with a password or security question and answer, that would permit access to an online account.
Some data breaches might only involve PHI protected by HIPAA. For example, if the breach does not include names, the Nebraska Act might not apply. Other breaches might include both PHI and personal information – for example, if a document containing patient names, e-mail addresses, and patient portal passwords was stolen.
Analysis of Breach/Compromise
The next step is to determine whether a data breach occurred that gives rise to notification obligations under HIPAA and/or state law. This analysis requires careful review of the regulatory framework set forth in HIPAA and state laws. Under HIPAA, an acquisition, use, or disclosure of PHI not permitted under the HIPAA Privacy Rule is presumed to be a “breach,” unless the covered entity can demonstrate that there is a low probability that the PHI has been compromised. The compromise analysis involves a four-part risk assessment looking at the nature and extent of PHI involved; the unauthorized recipient of the PHI; whether the PHI was actually viewed or acquired; and the extent to which the risk to the PHI has been mitigated. Risk assessments must be thorough and will be fact-specific to each incident.
Under the Nebraska Act, a “breach” means “the unauthorized acquisition of unencrypted computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the entity.” Following a breach, the Nebraska Act (like the statutes of many other states) requires that entities conduct an investigation to determine the likelihood that personal information has been or will be used for an unauthorized purpose. This includes, for example, the likelihood that an unauthorized recipient could commit identity theft or other financial fraud. The investigation will likely include an analysis of potential harm (including, but not limited to, financial, reputational, or other harm).
Depending on the facts, an incident might be a HIPAA breach but not rise to a breach under the Nebraska Act (for example, if there is no reasonable likelihood that the recipient will use the personal information for an unauthorized purpose). Again, entities must be thorough in their investigation and analysis, and retain supporting documentation for their conclusion(s).
Once an entity determines that a breach has occurred, notification obligations under HIPAA and/or state law(s) must be followed. This includes drafting notification letters in accordance with the various laws and regulations. In addition, there are various timelines that must be followed. Under HIPAA, a covered entity must notify the affected individual(s) no later than 60 days after discovery of a breach. Depending on the number of affected individuals, the covered entity may also have to provide media notification. HIPAA breaches must also be reported to the Federal Office for Civil Rights. Breaches involving 500 or more individuals must be reported contemporaneously with the individual notifications. Breaches involving fewer than 500 individuals must be reported to the Office for Civil Rights no later than 60 days after the end of each calendar year.
State breach notification statutes also contain various timelines for notification. For example, the Nebraska Act states that an entity must notify affected individuals as soon as possible and without unreasonable delay. Under the amended Nebraska Act, an entity must also notify the Nebraska Attorney General’s office (through the Attorney General’s website or paper form) at the time when individual notices are provided. Some states set a threshold (for example, 500 or more affected individuals) that triggers Attorney General notification. The Nebraska Act has no such threshold and requires Attorney General notification any time an individual is notified of a breach under the Nebraska Act.
Finally, if breach notification must be provided pursuant to both HIPAA and state law, many states, including Nebraska, allow entities to meet state law notification obligations by complying with the HIPAA notification requirements. This means that two (2) separate notification letters would not need to be sent. In Nebraska, however, an entity that follows the HIPAA notification rules must still notify the Nebraska Attorney General’s office when the notification letters are sent to affected individuals.
An effective response to a potential data breach incident is critical. As part of the overall incident response plan and process, entities should regularly review and update policies and procedures to reflect HIPAA and the various state data breach notification laws.
Sean T. Nakamoto, Summer Associate