Module 16 - DHS Privacy Training - Part 3B
Arkansas State Law Which Governs Sensitive Information
Part 3B: Arkansas Personal Information Protection Act (PIPA)
What is Sensitive Information?
Sensitive information exists in several forms: printed, spoken, and electronic.
2014 DHS IT Security & Privacy Training
Even if HIPAA doesn't apply, you still have to comply with PIPA!!!
Just as HIPAA protects PHI, PIPA protects Personal Identifying Information (PII).
Sensitive Information Is PII
What is PII? A client's first initial or first name and last name in combination with one or more of the following, when either the name or the information is not encrypted:
- Name + medical information
- Name + Social Security Number (SSN)
- Name + driver's license number or AR identification card number
- Name + an account number, credit card number, or debit card number in combination with any required security code, access code, or password that would permit access to an individual's financial account
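The definition above is a rule a data-loss-prevention sweep can apply mechanically. The following is an added example, not part of the DHS training, that classifies a record under the PIPA definition; the field names, the `Record` type and the sample values are constructed assumptions, and a record whose name and every data element are both encrypted is the one case the definition excludes.

```python
from dataclasses import dataclass, field

# Data elements that, paired with a name, make a record PII under PIPA.
PIPA_ELEMENTS = ("medical_info", "ssn", "drivers_license", "ar_id_card")


@dataclass
class Record:
    fields: dict = field(default_factory=dict)   # values by constructed field name
    encrypted: set = field(default_factory=set)  # "name" or an element key stored encrypted


def has_name(rec):
    """First name or first initial plus last name, as the PIPA definition requires."""
    f = rec.fields
    return bool(f.get("last_name")) and bool(f.get("first_name") or f.get("first_initial"))


def pipa_elements(rec):
    """Return the set of PIPA data elements found in the record.

    An account, credit or debit card number counts only when a security code,
    access code or password that would permit access accompanies it.
    """
    f = rec.fields
    present = {e for e in PIPA_ELEMENTS if f.get(e)}
    if f.get("account_number") and (f.get("security_code") or f.get("access_code") or f.get("password")):
        present.add("account_number")
    return present


def is_pipa_pii(rec):
    """True when a name and at least one element are present and either side is unencrypted."""
    elems = pipa_elements(rec)
    if not has_name(rec) or not elems:
        return False
    name_unencrypted = "name" not in rec.encrypted
    element_unencrypted = any(e not in rec.encrypted for e in elems)
    return name_unencrypted or element_unencrypted


def find_pii(records):
    """Indexes of records that need PIPA handling, e.g. the hits of a file-share sweep."""
    return [i for i, r in enumerate(records) if is_pipa_pii(r)]


if __name__ == "__main__":
    # Constructed sample mirroring the lost-file scenario (diet plan + SSN).
    lost = Record({"first_name": "Jane", "last_name": "Doe", "medical_info": "diet plan", "ssn": "000-00-0000"})
    print(sorted(pipa_elements(lost)), is_pipa_pii(lost))  # ['medical_info', 'ssn'] True
```

Whether a hit then requires a notification letter is still the Privacy Officer's harm determination described later in this module; the classifier only tells you the record is in scope.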
Mental Health and the Law / Janis Chalmers
PIPA Breach Notice Requirements
PIPA requires breach notification letters where a reasonable probability of harm exists.
As with HITECH, the PIPA letter should contain information which does the following:
- Describes what happened, including the date of the breach and the date the breach was discovered, if known.
- Describes the types of unsecured personal information that were involved in the breach.
- Describes any steps the individual should take to protect himself/herself from potential harm resulting from the breach.
- Gives a brief description of what DHS is doing to investigate the breach, to mitigate harm to the individuals, and to protect against further breaches.
- Gives contact procedures for individuals to ask questions or learn additional information, which includes a toll-free telephone number, an e-mail address, website, or postal address.
PIPA Use Scenario
An employee loses files which include diet plans and SSNs.
What would you do? Must you notify anyone? Is a breach notification letter to the client required?
Steps
Step One: Report this immediately to your supervisor and your designated Privacy Officer.
Step Two: The Privacy Officer must determine which laws apply and which standard of harm applies: if PIPA applies, whether there is a reasonable probability of harm; if HIPAA applies, whether there is a probability of reputational or financial harm.
Step Three: A letter must be written if it is determined, as required by the applicable law, that there is a probability of harm. In some instances, a phone call or contacting the media will be necessary.
Wrapping Up
The next few slides contain some helpful links.
Helpful Links
HIPAA Privacy Rule protections and requirements: http://www.hhs.gov/ocr/privacy/hipaa/understanding/index.html
If you want to know more about PIPA, find it here: http://www.dis.arkansas.gov/security/Documents/Act1526.pdf
Want more information? http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/index.html
If you need to file a privacy complaint with DHS, please refer to DHS Form 4005; if you need to file one with OCR, find the link here: http://www.hhs.gov/ocr/office/about/rgn-hqaddresses.html
Reminders: Employees must report a security or privacy incident. Remember the Incident Reporting site: https://dhs.arkansas.gov/reporting
If you fail to report an incident, you are in direct violation of DHS Policy 5007.
Find Security & Privacy Policies here: http://dhsshare/DHS%20Policies/Forms/Security%20and%20Privacy%20Policies.aspx