While Fox Rothschild LLP’s new Data Breach 411 iOS application shouldn’t be the sole resource healthcare organizations and their business associates (BAs) use when responding to data breaches, the app may be useful for compliance or privacy officers who need to quickly look up state or federal breach law.
Scott L. Vernick, partner at the national law firm of Fox Rothschild LLP and head of its Privacy and Data Security Practice, was at the forefront of the application’s creation, which was meant to help organizations affected by a breach find the different federal and state rules and regulations that apply. Vernick detailed the items included in the app in a conversation with HealthITSecurity.com:
State Security Breach Statutes – An alphabetical listing of the 46 states that have data breach laws in place and links to all the relevant notification statutes.
HIPAA/HITECH Statutes – Breach notification rules and other pertinent information related to the loss or theft of personal health information.
Resources – Links to credit agencies, credit monitoring services, the FTC website, Children’s Online Privacy Protection Act (COPPA) and links to Fox’s data security blogs.
“When you help a client respond to a data breach, whether you’re talking about PHI or consumer data such as credit card or Social Security information, it’s obviously stressful because it never happens at a convenient time,” Vernick said. “You’re trying to get your arms around what happened and what information was compromised, as well as feeling the pressure to notify the public of the breach quickly and transparently.”
To make things easier for these organizations, Vernick said Fox wanted to put this information at their fingertips. Because there are breach notification statutes across 46 different states, it can be complicated for organizations that have cross-state customers to respond to a data breach. “There are timing, notification and threshold differences as well as various nuances for each state,” Vernick said. “Of course, if you’re reporting under the HITECH amendment and HIPAA, there are other nuances that come into play.”
Vernick explained that the information isn’t hard to find, but Fox wanted to make it less cumbersome and more accessible. In-house lawyers and privacy and security professionals who need the information immediately can refer to the application, which has all of it aggregated in one place.
Over the past 12 months, Vernick said he’s seen just about every type of breach. From low-tech, human-error breaches such as a notebook going missing to some very sophisticated attacks originating overseas, Fox has seen a broad scope of incidents. He also believes new HIPAA regulations have had an impact on how clients handle breaches. “[The HIPAA Omnibus Rule] has some very real-world implications for [breach] reporting, as the regulations are very specific about when and how organizations need to report a breach to the Office for Civil Rights (OCR),” he said.
Vernick also added that it’s going to be interesting to see the [potential] jurisdiction fight between the Federal Trade Commission (FTC) and OCR over the LabMD case. “It’s more about health information than about consumer information, but the FTC has taken a lead role in that case,” he said.