Data Privacy Law: Who, What, Why . . .

Who does it apply to: Any entity that conducts business in Texas and owns or licenses computerized data that includes sensitive personal information, and any entity that maintains sensitive personal information it does not own, whether or not the entity conducts business in Texas. Additional duties may apply, depending upon the nature of the business.

What is the rule: Your business should implement and maintain reasonable procedures, including appropriate corrective action, to protect against a security breach. Additionally, your business should destroy or arrange for the destruction of customer records containing sensitive personal information that is no longer needed.

Why does this matter to me: Local, state, and federal laws often require businesses to take in an enormous amount of personal information about employees, and security breaches are becoming increasingly common. Damages for security breaches may be assessed on a per person, per breach basis. By combining a compliant data privacy policy and strong data security, you can safeguard sensitive employee data and avoid an expensive breach.

What information is protected: Lots of the information employers obtain from employees is considered Sensitive Personal Information (SPI). SPI includes an individual's first name/initial and last name in combination with any of the following: (1) social security number; (2) driver's license number or government-issued identification number; or (3) account number or credit/debit card number in combination with any required security code, access code, or password permitting access to an individual's financial account. Both the name and the items must be unencrypted to qualify as SPI.

SPI also includes information that identifies an individual and relates to: (1) an individual's physical or mental health or condition; (2) the provision of health care to the individual; or (3) payment for the provision of health care to the individual.

What is a security breach: Any unauthorized acquisition of data that compromises the security, confidentiality, or integrity of SPI, including data that is encrypted if the person accessing the data has the key required to decrypt the data.

What do I do if I become aware of a security breach: You must disclose any breach of system security to all people whose SPI was or is reasonably believed to have been acquired by an unauthorized person. Depending on how many people were affected and their place of residency, you may also have to provide notice to the state attorney general and credit reporting agencies.

What about HIPAA: The Health Insurance Portability and Accountability Act (HIPAA) protects the exchange of health information between patients and certain covered entities. In most cases, the privacy protections of HIPAA do not extend to employers or the health information contained in employment records. For example, you may ask an employee to provide a doctor's note or information related to sick leave without violating HIPAA. However, if you ask an employee's health care provider directly for the same information, the employee must authorize the provider, likely a covered entity, to make the disclosure.

Note that even if HIPAA is not applicable, employers may still have an obligation to protect employee health data. While a security breach may not be a violation of HIPAA, it may constitute a violation of Texas data privacy law. Additionally, the Americans with Disabilities Act (ADA) requires employers to maintain employee disability-related medical information in a confidential file, separate from personnel files. This information may only be disclosed in limited situations to specific individuals. The Genetic Information Nondiscrimination Act (GINA) has similar requirements related to the collection, storage, maintenance, and disclosure of employee genetic information. (See the sections on ADA and GINA for more information.)