ARKANSAS STATE LAW WHICH GOVERNS SENSITIVE INFORMATION…… PART 3B ARKANSAS PERSONAL INFORMATION PROTECTION ACT (PIPA)


Module 16 - DHS Privacy Training - Part 3B

Arkansas State Law Which Governs Sensitive Information
Part 3B
Arkansas Personal Information Protection Act (PIPA)

What is Sensitive Information?
Sensitive information exists in several forms:
- Printed
- Spoken
- Electronic

2014 DHS IT Security & Privacy Training

Even if HIPAA doesn't apply, you still have to comply with PIPA!!!

Just as HIPAA protects PHI, PIPA protects Personal Identifying Information (PII).

Sensitive Information Is PII

What is PII? A client's first initial or first name and last name in combination with one or more of the following, when either the name or the information is not encrypted:
- Name + medical information
- Name + Social Security Number (SSN)
- Name + driver's license number or AR identification card number
- Name + an account number, credit card number, or debit card number in combination with any required security code, access code or password that would permit access to an individual's financial account


Mental Health and the Law/Janis Chalmers

PIPA Breach Notice Requirements
PIPA requires breach notification letters where a reasonable probability of harm exists.

As with HITECH, the PIPA letter should contain information which does the following:
- Describes what happened, including the date of the breach and the discovery date of the breach, if known.
- Describes the types of unsecured personal information that were involved in the breach.


Breach Notification Requirements Continued
- Any steps the individual should take to protect himself/herself from potential harm resulting from the breach.
- A brief description of what DHS is doing to investigate the breach, to mitigate harm to the individuals, and to protect against further breaches.
- Contact procedures for individuals to ask questions or learn additional information, which includes a toll-free telephone number, an e-mail address, website, or postal address.


PIPA Use Scenario
An employee loses files which include diet plans and SSNs.

What would you do?
Must you notify anyone?
Is a breach notification letter to the client required?

Steps
- Step One: Report this immediately to your supervisor and your designated Privacy Officer.
- Step Two: The Privacy Officer must determine which laws apply and which standard of harm applies. If PIPA applies: whether there is a reasonable probability of harm. If HIPAA applies: whether there is a probability of reputational or financial harm.
- Step Three: A letter must be written if it is determined, as required by the applicable law, that there is a probability of harm. In some instances, a phone call or contacting the media will be necessary.


Wrapping Up
The next few slides contain some helpful links.


Helpful Links
- HIPAA Privacy Rule protections and requirements: http://www.hhs.gov/ocr/privacy/hipaa/understanding/index.html
- If you want to know more about PIPA, find it here: http://www.dis.arkansas.gov/security/Documents/Act1526.pdf
- Want more information? http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/index.html
- If you need to file a privacy complaint with DHS, please refer to DHS Form 4005; if you need to file one with OCR, find the link here: http://www.hhs.gov/ocr/office/about/rgn-hqaddresses.html


Reminders: Employees must report a security or privacy incident. Remember the Incident Reporting site: https://dhs.arkansas.gov/reporting

If you fail to report an incident, you are in direct violation of DHS Policy 5007.

Find Security & Privacy Policies here: http://dhsshare/DHS%20Policies/Forms/Security%20and%20Privacy%20Policies.aspx
