January 10, 2018

Anne Kimbol, Director of Compliance Services, Texas Health Services Authority

If you have not already, you will soon see contracts coming your way with enhanced privacy and security compliance requirements, particularly from the larger insurance companies. The problem is not you or anything you have done; the new provisions come from regulations adopted in New York and the European Union.

Effective March 1, 2017, companies regulated by the New York State Department of Financial Services (NYDFS), which include insurance companies, must meet the Cybersecurity Requirements for Financial Services Companies and ensure that third parties with which they contract do the same.

The Requirements direct companies and particularly their boards of directors to get more involved in cybersecurity planning and implementation. The board must provide active oversight and review the cybersecurity policy at least annually. There needs to be a qualified person designated as the Chief Information Security Officer,[1] and the company must do a risk-based assessment and base its policies and training around risk areas. While companies should already conduct this sort of assessment under the Health Information Portability and Accountability Act (HIPAA), New York is going to look very closely at the cyber aspects of that assessment and response. The board chair or a senior officer of the company must certify annually that the company is in compliance with the Requirements. Failure to comply can come with both civil and criminal penalties, so expect companies to take these rules very seriously. If you are not already, you likely will need to get your board more involved in your cybersecurity planning and in implementing corrective action plans based on your risk assessment.

If that was not enough, the European Union has passed the General Data Protection Regulation (GDPR), which is set to take effect on May 25, 2018. What we have seen traditionally, and what is definitely reflected in these regulations, is that Europeans take their privacy more seriously than Americans. This is reflected largely in the definition of personal data and consent requirements in the new regulations. Generally, anyone who gets or processes information from the European Union – and be aware that the United Kingdom has stated its intention to pass something similar post-Brexit – will be required to comply with the GDPR; again, this includes insurance companies and will lead to flow-down contract provisions.

Personal data is defined very broadly to include any information that can be used to identify a person directly or indirectly. This includes not only the areas HIPAA requires to be removed for de-identification, but it can also include a person’s IP address or website cookies if they could potentially lead back to a particular person or location.

Those whose information is covered by the GDPR also have “the right to be forgotten,” and so far, no one seems to know how to comply with that in the digital world. The right to be forgotten is basically the right to have all your information removed from wherever it is. This could include information shared with third parties and information on the internet, where we know information can never truly be deleted. In order to allow this and more privacy information to be provided to those impacted, the GDPR requires specific, detailed accounting and audit logs. You need to be able to provide all information about who has looked at the information, when, and why. No exceptions. There are also retention period requirements.

For anyone doing big data or analytic work, be forewarned – individuals have the right to object to any decisions based on automated decision-making, which includes credit scores and predictive analytics on likely health conditions.

Additionally, the GDPR has its own breach notification requirements – notice must be provided to regulatory entities within 72 hours. Failure to comply comes with a fine of the greater of 10 million euros (just under $12 million) or 2 percent of the global revenues of the companies. Recent guidance from the EU has clarified that the global revenue includes the parent company and all subsidiaries. That means that if the Texas-based subsidiary of a large insurance company violates the GDPR, it will be the worldwide company’s revenue that the 2 percent amount is based upon.

So far this sounds awful, but we have not covered the hardest part for entities doing work with EU data in the US; that is the consent requirements. The GDPR requires a strict opt-in consent policy. Consent must be provided for each use of the data – you cannot have an overall consent to all uses under applicable law or even treatment, payment, or healthcare operations – and the consent document may not be included in other documents and may not be bundled; for example, you cannot have one consent form covering a specific treatment use and use of data in a research project.

While the temptation is to basically do what you can and acknowledge that full compliance is next to impossible, that would be a very costly mistake. For any violations of consent issues or misuse of data, the fine is the greater of 20 million euros ($23.8 million) or 4 percent of the global revenues of the entity. Paraphrasing a bit, the guidance specifically says the fines should hurt and hurt a lot in order to both encourage compliance and ensure that no company is going to risk being non-compliant following an initial violation.

Entities impacted by these provisions will have two options, both expensive and potentially difficult to implement. You either segregate EU data and continue using your US data as you have to date, or you apply these standards to all of your data.

In an increasingly national and global digital world, very few companies in the US will be able to completely avoid the New York regulations or the GDPR. Given the EU’s seriousness on this issue and the size of the potential fines, be sure to consult an attorney, a compliance professional, and your cyber liability insurance carrier if either of these regulations appears in your contract provisions. And beware, New York is now and the EU will soon be “applicable law” if that phrase is in your contracts. Ouch.


[1] And recent studies show the healthcare industry is falling behind in this area: http://www.healthcareitnews.com/news/black-book-84-hospitals-lack-dedicated-security-leader

How the New York and European Privacy Rules Could Impact You