Privacy can mean different things to different people. Some people will post a picture on Facebook of every meal they eat. Others live completely off the internet grid, afraid that an Orwellian big brother is spying on them.
Privacy means different things in different laws, as well. The well-known Federal Health Insurance Portability and Accountability Act (HIPAA) medical privacy law describes personally identifiable health information, broadly, as: information used to identify an individual, and created or used in providing health care by a covered entity. Almost every word HIPAA uses to describe private information is itself further defined.
HIPAA’s definition of private information differs from the Federal Trade Commission definition of personally identifiable information used in the regulation of commerce: data is personally identifiable when it can be reasonably linked to a particular person, computer, or device. Examples include device identifiers, media access control addresses, static IP addresses, and retail loyalty card numbers, information types not found in other laws.
The U.S. Department of Labor uses yet another definition when regulating its employees’ personally identifiable information: information that permits the identity of an individual to be reasonably inferred either directly (name, address, social security number) or, indirectly by combining separate data elements (such as combining a state identifier with a birthdate.)
Clearly, there is no one legal definition of private personal information. To add to the confusion, almost every state has a data privacy law. They are all different and they are all rapidly changing as technology changes.
Lousiana Has a New Data Privacy Law
Effective August 1, 2018, Louisiana has a new and expanded definition of personal private information. Updating the law that has been in effect since 2005, La. R.S. 51:3073(2) and (4)(a) and La. R.S. 51:3074 apply to anyone that does business in the state, including healthcare businesses otherwise also regulated by HIPAA. In fact, the data protected by the new law in some ways is broader than the data protected by HIPAA.
This new law defines personal information that in some ways may be obvious. A first name, or a first initial and a last name, and (for example) a passport and driver’s license number is personal information. Importantly, for the first time, state law specifically defines biometric data as personal information.
La. R.S. 51:3073(4)(v) defines biometric data as a unique biologic characteristic, like a fingerprint, a retina or iris scan, or any biological data that is used to authenticate an individual’s identity to access a system or account.
Biometric data requires state protection for a very good reason. A hacker stealing biometric data is far more dangerous than one who steals a password. A hacked password, however complex, can be changed as many times as needed. Fingerprints or retinal scan identifiers are for life.
The new Louisiana law also imposes new and different time limits for data breach notification to the Attorney General and to the media, together with several other new regulations. This law, in contrast to HIPAA, includes a right by the individual to sue the business responsible under the unfair trade practice rules (La. R.S. 51:1405).
Steps you could take to comply with the new state law include things you might already be doing to address other privacy laws:
1. Have a plan. A written information security action plan should describe a step-by-step quick and efficient way to identify and stop a breach of private data. Include contact phone numbers as well as email addresses, communication notification trees and applicable cybersecurity insurance policies.
2. Test the plan. Practice following the plan. Test the response, note the weak points and practice again. Update the plan based on the practice results.
3. Have a team. The first line response team is like a hospital code team. Everyone on the team should already know they are on the team, and already know the tools and protocols.
Because privacy has no one legal definition, it is important to find out which definition(s) applies to your unique circumstance. For further guidance on the new data privacy law, contact the LAMMICO Risk Management and Patient Safety Department at 504.841.5211.