Current Compliance Issues
Public safety agencies cannot keep pace with the rapid growth of consumer technology. Multi-million dollar contracts and 12-18 month RFP/bid approval processes stand in the way of agencies’ ability to keep pace with current technology. As a result, agency employees rely on consumer apps and use personally owned devices in order to meet real-time communication and information exchange needs. Unfortunately, consumer apps were never created or intended to be used in police work or government.
As a result, many agencies’ risk and exposure through non-compliance with FOIA, CJIS, HIPAA, and state records retention laws is growing – literally daily. We are unaware of any consumer app that is not in violation of CJIS, HIPAA, and state laws relating to public records retention, storage, and release.
Even using a department-owned phone can violate CJIS, simply because messages can be deleted without being logged. Of equal importance, the data exchange itself is not encrypted, and certainly not encrypted to CJIS standards.
The risk associated with a lack of CJIS compliance is eloquently explained in this article: https://authanvil.com/blog/not-complying-with-cjis-here-are-the-risks-and-punishments
Similarly, in our experience, patient data (hospitalized prisoners) is routinely transmitted via consumer apps. Again there is a significant risk to the Agency: https://www.totalhipaa.com/hipaa-sanction-policies/
State Open Records Laws / FOIA
Since 1967, the Freedom of Information Act (FOIA) has provided the public the right to request access to records from any federal agency. It is often described as the law that keeps citizens in the know about their government. FOIA is applied to the federal government. Every state in America has freedom of information laws that govern documents and information release at the state and local level.
Since the 1980s with the rise of 24-hour news stations and cycles, media and reporters have used the phrase “FOIA” to submit public records requests within states, city/county governments, and law enforcement agencies. Within these areas, it is really a “public records request” (under state law) OR State Sunshine Laws. State sunshine laws are the laws in each state that govern public access to governmental records. These laws are sometimes known as open records laws or public records laws and are also collectively referred to as FOIA laws, after the federal Freedom of Information Act.
Is deleting texts “Evidence Tampering”? In many states it may well be:
The cost of FOIA litigation:
Since 2006, FOIA lawsuits have increased 57% and the cost of defending these lawsuits is millions of dollars.
With Evertel, our platform provides an efficient and proven effective way to share FOIA documents with those requesting them. Once your legal experts provide the policy, the executives auditing your agency’s platform can release the approved documents in minutes, avoiding multi-year litigation and expensive legal costs.
Government litigation costs exceeded $40 million in 2017:
It is very expensive to defend bad decisions related to FOIA requests. The Federal Government racked up more than $40 million in litigation fees and expenses defending its decisions.
With Evertel, our platform makes these decisions much easier for all levels of government: city, county, state, and federal. Avoid unnecessary litigation expenses and run a more efficient form of Government.
State Record Retention Laws
Every state has its own rules regarding records retention in addition to federal government rules. Be aware that every state has what is called a “State Archivist” who documents these record retention rules for all levels of government agencies.
As a resource, your state’s records retention rules can be located via the links below.
Relevant articles / litigation
The U.S. Department of Justice, Federal Bureau of Investigation “Criminal Justice Information Services (CJIS) Security Policy” (Version 5.8, 6/01/2019) states in section 188.8.131.52 “Penalties” that:
“Improper access, use or dissemination of CHRI and NCIC Non-Restricted Files information is serious and may result in administrative sanctions including, but not limited to, termination of services and federal criminal penalties”.
The key agency requirements of CJIS compliance are summarized here:
- Policy Area 1: Information Exchange Agreements – If you’re sharing CJIS-protected data with another organization, you must have a written agreement between the organizations that you will both comply with CJIS security standards.
- Policy Area 2: Security Awareness Training – Any employees handling CJIS data must have security training within the first six months of being assigned to their role and additional training every two years thereafter.
- Policy Area 3: Incident Response – You must have safeguards in place to detect and contain any data breaches. You also need data recovery measures in place. Any data breach must be reported to the appropriate authorities.
- Policy Area 4: Auditing and Accountability – You should implement audit controls to monitor who is accessing data, when they are accessing it, and for what purpose they are accessing it. This information should be logged for any future audits.
- Policy Area 5: Access Control – Under CJIS policy area 5, you must have the ability to control who can access your data. This can include controlling who can access, upload, download, transfer, and delete secure data. It also impacts your login management systems, remote access controls, and more.
- Policy Area 6: Identification and Authentication – To access CJIS data, users must align with CJIS login credential standards, meet password requirements, and use advanced authentication methods like one-time passwords and multi-factor authentication.
- Policy Area 7: Configuration Management – Per area 7, only authorized users can make configuration adjustments, like upgrading systems or initiating modifications.
- Policy Area 8: Media Protection – CJIS-related data must be protected in all forms, digital and physical, both in transit and at rest. Equipment that is no longer being used by your organization must be sanitized and disposed of in alignment with CJIS policies.
- Policy Area 9: Physical Protection – The physical location for stored CJIS data must be secured at all times, preventing access from unauthorized persons.
- Policy Area 10: System and Communications Protection and Information Integrity – Not only should your data be protected, but your organization’s systems and communications should also be protected. This policy section outlines the steps you must take to protect your systems, like encryption, network security, data breach detection measures, and more.
- Policy Area 11: Formal Audits – If you use and manage CJIS data, you are subject to audits at a minimum every three years by either the CJIS Audit Unit (CAU) or the CJIS Systems Agency (CSA) for your state.
- Policy Area 12: Personnel Security – Everyone associated with your organization – from employees to contractors and subcontractors – must submit to security screenings and national fingerprint-based record checks.
- Policy Area 13: Mobile Devices – Even your employees’ mobile devices (like smartphones and tablets) are subject to CJIS oversight. You must establish usage restrictions, and authorize, monitor, and control access to your systems via these devices.
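Policy Area 4 (auditing and accountability) and the point made above about messages being deleted without being logged both come down to the same control: every access to a message, including its deletion, must be recorded in a log that cannot be quietly edited afterwards. The following is an added illustration, not Evertel’s code or the CJIS Security Policy’s own text. It sketches an HMAC-chained, append-only audit trail in which a “delete” is a logged event that hides the message from users while the record is retained for audits and public records requests. The key, user names and message content are constructed placeholders.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Constructed placeholder: in a real deployment this key lives in an HSM or
# key-management service, never in source. Keying the chain with an HMAC means
# someone who can rewrite the log file cannot simply recompute the hashes.
DEMO_AUDIT_KEY = b"constructed-demo-key-not-for-production"
GENESIS_HASH = "0" * 64


@dataclass
class AuditEntry:
    seq: int
    timestamp: str       # ISO-8601, UTC: when
    actor: str           # who
    action: str          # "send", "read" or "delete"
    message_id: str
    purpose: str         # why (the "for what purpose" part of Policy Area 4)
    prev_hash: str       # links this entry to the one before it
    entry_hash: str      # HMAC-SHA256 over every field above

    def payload(self) -> bytes:
        fields = asdict(self)
        fields.pop("entry_hash")
        return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


class AuditLog:
    """Append-only, HMAC-chained audit trail plus a retention store."""

    def __init__(self, key: bytes = DEMO_AUDIT_KEY):
        self._key = key
        self.entries: List[AuditEntry] = []
        # message_id -> {"body": str, "deleted": bool}. A delete flips the flag
        # but keeps the body, so the record survives for retention purposes.
        self._messages = {}

    def _mac(self, payload: bytes) -> str:
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def _append(self, actor, action, message_id, purpose, when: Optional[datetime]):
        ts = (when or datetime.now(timezone.utc)).isoformat()
        prev = self.entries[-1].entry_hash if self.entries else GENESIS_HASH
        entry = AuditEntry(len(self.entries), ts, actor, action, message_id, purpose, prev, "")
        entry.entry_hash = self._mac(entry.payload())
        self.entries.append(entry)
        return entry

    def send(self, actor, message_id, body, purpose, when=None):
        self._messages[message_id] = {"body": body, "deleted": False}
        return self._append(actor, "send", message_id, purpose, when)

    def read(self, actor, message_id, purpose, when=None):
        return self._append(actor, "read", message_id, purpose, when)

    def delete(self, actor, message_id, purpose, when=None):
        # Soft delete: the user stops seeing the message, the deletion itself is
        # logged, and the body stays available to records officers and auditors.
        self._messages[message_id]["deleted"] = True
        return self._append(actor, "delete", message_id, purpose, when)

    def verify(self) -> Tuple[bool, int]:
        """Walk the chain; return (True, -1) or (False, index of first bad entry)."""
        prev = GENESIS_HASH
        for i, e in enumerate(self.entries):
            if e.seq != i or e.prev_hash != prev:
                return False, i          # entry removed, reordered or inserted
            if not hmac.compare_digest(e.entry_hash, self._mac(e.payload())):
                return False, i          # entry contents edited after the fact
            prev = e.entry_hash
        return True, -1

    def records_request(self, message_id):
        """What a records officer needs: body, deletion status and full history."""
        rec = self._messages[message_id]
        history = [(e.timestamp, e.actor, e.action, e.purpose)
                   for e in self.entries if e.message_id == message_id]
        return {"body": rec["body"], "deleted": rec["deleted"], "history": history}


def demo():
    """Constructed walk-through: normal use, then an after-the-fact edit."""
    t0 = datetime(2024, 1, 15, 14, 0, tzinfo=timezone.utc)  # constructed timestamp
    log = AuditLog()
    log.send("ofc_smith", "msg-1", "Constructed message body", "dispatch", t0)
    log.read("sgt_jones", "msg-1", "supervisory review", t0)
    log.delete("ofc_smith", "msg-1", "user cleanup", t0)
    intact, _ = log.verify()
    log.entries[1].actor = "unknown"      # someone tries to hide who read it
    still_ok, bad_index = log.verify()
    return intact, still_ok, bad_index    # (True, False, 1)


if __name__ == "__main__":
    print(demo())
```

The two things to notice are that a user-initiated delete leaves both the message and a dated, attributed “delete” event in the record, and that verify() pinpoints the first entry that was edited or removed, which is the evidence an auditor or a court would ask for. A consumer messaging app gives the agency neither.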
Relevant articles / litigation
It is important to note upfront that HIPAA compliance requirements are primarily focused on health providers. Having said that, government agencies, and in particular first responders, are typically transmitting HIPAA data daily and in non-compliant ways. In today’s litigious world, it makes sense to comply with HIPAA requirements and remove or minimize the risk.
First, what’s the risk?
HIPAA violations are expensive. The penalties for noncompliance are based on the level of negligence and can range from $100 to $50,000 per violation (or per record), with a maximum penalty of $1.5 million per year for violations of an identical provision. Violations can also carry criminal charges that can result in jail time.
Fines increase with the number of patients and the amount of neglect. The lowest fines start with a breach where you didn’t know and, by exercising reasonable diligence, would not have known that you violated a provision. At the other end of the spectrum are fines levied where a breach is due to negligence and not corrected in 30 days. In legalese, this is known as mens rea (state of mind). So fines increase in severity from no mens rea (didn’t know) to assumed mens rea (willful neglect).
The fines and charges are broken down into 2 major categories: Reasonable Cause and Willful Neglect. Reasonable Cause ranges from $100 to $50,000 per incident and does not involve any jail time. Willful Neglect ranges from $10,000 to $50,000 for each incident and can result in criminal charges.
While encryption is an addressable (rather than required) specification, that does not mean it is optional. The vast majority of data breaches are due to stolen or lost data that was unencrypted. When in doubt, you should implement the addressable implementation specifications of the Security Rule. Most of them are best practices.
Breaches can occur when employees lose unencrypted portable devices, mistakenly send PHI to vendors who post that information online, or disclose personally identifiable, sensitive information on social networks.
These are all examples from actual cases. Employee training and adherence to security policies and procedures are extremely important.
Data Stored on Devices
Almost half of all data breaches are the result of theft. When laptops, smartphones, etc. are unencrypted, the risk of a breach increases considerably. With Evertel, your data is safely stored off-premise, so a lost or stolen mobile phone or laptop has no data on it and hence no PHI is compromised.