Data Breaches in Healthcare: Responding to the Growing Threat of Cyber Attacks
Managing Risk, Responding to Breaches and OCR Investigations, Minimizing HIPAA Liability
Presenting a live 90-minute webinar with interactive Q&A
WEDNESDAY, APRIL 1, 2015
1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific
Today’s faculty features:
James B. Wieland, Principal, Ober Kaler, Baltimore
Edward G. Zacharias, Partner, McDermott Will & Emery, Boston
www.ober.com
James B. Wieland Ober|Kaler
410-230-7397
jbwieland@ober.com
Data Breaches in Health Care: Responding to the Growing Threat of Cyber-Attacks
Strafford Publications Webinar April 1, 2015
Data Breach Risk Management Strategies: Risk Allocation in Business Associate Agreements
No one size fits all Business Associate Agreement
Simple form available on the OCR website may fit for simple relationships http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html
Post-HITECH environment makes most relationships complex
Breach detection and responsibilities upon discovery
Possible vicarious liability of Covered Entity for Civil Monetary Penalties imposed on Business Associate if Business Associate is an agent under federal common law
– Test is power to give “interim instructions”
OCR can declare a service provider a Business Associate even if there is no Business Associate Agreement in place
Risk Allocation in Business Associate Agreements
Current Due Diligence Issues
Does the Business Associate use a third party Data Center or the Cloud?
On-shore vs. off-shore presence of PHI
Contractual Risk Controls
Initial and ongoing monitoring and right to audit
Questionnaire tied to representations and warranties
Indemnification
Third party certifications
AICPA Service Organization Control (SOC) Audit
Health Information Trust Alliance (HITRUST) Certification
Information Practices (Cyber liability) Insurance
Risk Allocation in Business Associate Agreements
Current Breach issues:
Who provides Breach Notice
Who determines if an exemption applies
Who pays the direct costs of response
Providing notice
Credit monitoring insurance
“Security Incidents” as distinct from Breaches
Attempted or actual interference with information system
Pings, port scans, and other common events
Risk Allocation in Business Associate Agreements
The battle of the forms – Business Associate Agreement terms now highly negotiable except for HIPAA mandated provisions
Are state breach laws included in the Business Associate responsibilities?
How are HIPAA mandated amendments handled?
How is responsibility for Sub-Contractor Business Associates handled?
– Permission to sub-contract
– Responsibility for sub-contractor’s actions
Reviewing Business Associate’s risk assessment and other security documentation
– Need to know vs. confidentiality
– Can too much oversight help create an agency relationship?
HIPAA Compliance
Breach analysis was changed significantly by HITECH
Potential harm is irrelevant
Breaches are presumed absent exemption
Narrow statutory exemptions
Four factor test
Breaches affecting over 500 individuals are automatically investigated
Enforcement is increasing, with funding from penalties
Despite HITECH Act amendments to penalty provisions, OCR emphasis is still on voluntary resolution
State Law Compliance
All states, except three, plus Washington D.C., Puerto Rico and the U.S. Virgin Islands, have breach notification laws
Generally applies to unencrypted personal information; several states include paper records
Initial scope was name plus social security number, driver’s license number or banking information
Notice to state agencies, typically Attorney General, is a common requirement
Trend is to broaden definition of personal information
Initially, to include medical information
Currently, leading edge adds on-line account access information and health insurance information
State Law Compliance
Some states exempt entities covered by HIPAA or other regulatory schemes for data security
Florida leads the way, at least at present, in stringent requirements
30 day notification requirement for individuals and the state
Notice includes any services offered to individuals without charge, e.g. credit monitoring insurance
Along with a number of other states, statute requires reasonable security measures to avoid breaches
State of residence of the affected individual governs
Note FTC actions as unfair or deceptive business practices after breaches, when a health care provider or other entity promises more security than it delivers on its on-line Privacy Practices.
Federal personal information protection statute has been proposed
Insurance Coverage
Breach liabilities generally not covered by general liability or errors and omissions
Information practices insurance, commonly referred to as cyber liability insurance, is the trend
First party liability risk coverage
Data breach
Data restoration
Network extortion
Business interruption
Insurance Coverage
Third party risk coverage
Privacy liability
Media liability
Network security
www.mwe.com
Boston Brussels Chicago Dallas Düsseldorf Frankfurt Houston London Los Angeles Miami Milan Munich New York Orange County Paris Rome Seoul Silicon Valley Washington, D.C.
Strategic alliance with MWE China Law Offices (Shanghai)
© 2015 McDermott Will & Emery. The following legal entities are collectively referred to as "McDermott Will & Emery," "McDermott" or "the Firm": McDermott Will & Emery LLP, McDermott Will & Emery AARPI, McDermott Will & Emery Belgium LLP, McDermott Will & Emery Rechtsanwälte Steuerberater LLP, McDermott Will & Emery Studio Legale Associato and McDermott Will & Emery UK LLP. These entities coordinate their activities through service agreements. This communication may be considered attorney advertising. Previous results are not a guarantee of future outcome.
Edward G. Zacharias
(617) 535-4018
ezacharias@mwe.com
April 1, 2015 – Strafford Live CLE Webinar
Data Breach Response & Responding to an OCR Investigation
Data Breach Response
Definition of Breach
Interim final breach notification rule (IFR) adopted under the HITECH Act became effective 9/23/09
Final Omnibus Rule effective for breaches on or after 9/23/13
The IFR and Final Rule generally define “Breach” to mean the acquisition, access, use or disclosure of PHI in a manner not permitted by the HIPAA Privacy Standards which compromises the security or privacy of PHI
The IFR defines “compromises the security or privacy of PHI” to mean “poses a significant risk of financial, reputational or other harm to the individual”
OCR concluded that the risk of harm standard was applied inconsistently by CEs and BAs and led to under-reporting of unauthorized disclosures to individuals
Definition of Breach (cont’d)
Final Rule eliminated the risk of harm standard
A Breach is presumed unless CE or BA demonstrates that there is a “low probability” that the privacy of PHI has been compromised based on a risk assessment considering at least the following factors:
– The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification
– The unauthorized person who used the PHI or to whom the disclosure was made
– Whether the PHI was actually acquired or viewed
– The extent to which the risk to the PHI has been mitigated
The CE or BA has the burden to prove that an unauthorized disclosure is not a Breach
Definition of Breach (cont’d)
Risk assessment requires an analysis of whether there is more than a “low probability” that PHI has been compromised
OCR intends that the Breach determination no longer turn on a subjective assessment of the potential harm to an individual, but OCR’s preamble discussion of the four required factors invites an assessment of:
– Sensitivity of data
– Probability that the PHI could be used by an unauthorized recipient in a manner adverse to the individual
– Number of direct identifiers and risk of re-identification
Breach Exceptions
Final Rule preserves the following statutory exceptions:
– Unintentional use by a workforce member in good faith, within scope of authority and without further impermissible disclosures
– Inadvertent disclosures by a person authorized to access PHI to another person authorized to access PHI at the same CE or BA and without further impermissible disclosures
– Unauthorized recipient would not reasonably be able to retain PHI
Determine whether an exception applies before conducting the risk assessment
Factor # 1: PHI Involved
Factor # 1: The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification
Under this factor, CE/BA should consider:
– Amount and detail of clinical information
– Access to information about mental health conditions/services, substance abuse, HIV/AIDS or other sexually transmitted diseases, genetic test results or other sensitive information
– Access to SSNs or other data creating a financial identity theft risk
– Access to health plan ID numbers or other information creating a medical identity theft risk
Factor # 2: Unauthorized Recipient of PHI
Factor # 2: The unauthorized person who used the PHI or to whom the disclosure was made
Under this factor, CE/BA should consider:
– Whether the recipient is a workforce member of a CE or BA
– Whether the recipient has taken actions that demonstrate integrity
– Did the recipient access the PHI with criminal or other bad intent?
Factor # 3: Actual Access
Factor # 3: Whether the PHI was actually acquired or viewed
Under this factor, CE/BA should consider:
– Evidence of access in software audit logs
– Forensic analysis
– Was the envelope/package containing paper PHI opened?
Factor # 4: Risk Mitigation
Factor # 4: The extent to which the risk to the PHI has been mitigated
Under this factor, CE/BA should consider:
– Whether equipment containing EPHI was recovered
– Whether paper PHI was recovered
– Whether a security flaw was promptly discovered and corrected
– Whether security controls mitigated the risk of unauthorized access
• Note that passwords and screen saver locks after a period of inactivity are important, but provide weak security as compared to encryption
• Remote wipe capabilities
Factors Other Than Mandatory Factors
The four factors are not the exclusive list of factors that may be considered
CE or BA may consider:
– Risk of financial identity theft
– Risk of medical identity theft
– Risk of embarrassment or reputational harm
– Whether PHI is already public
Who must be notified?
CE must notify
– Individuals to whom PHI relates (always)
– OCR (always)
– Prominent media outlets (depends)
BA must notify
– Covered Entity
Final Rule Preamble: “Covered entities and business associates should consider which entity is in the best position to provide notice to the individual”
– CE and BA may agree for BA to handle CE’s notification obligations
Notice periods
CEs must notify every individual affected by a breach of unsecured PHI without unreasonable delay and in no case later than 60 days after discovery of the breach
BA must notify CE of a Breach without unreasonable delay and in no case later than 60 days after discovery of the breach
60 days is an outer limit (be aware of shorter state law timeframes)
“If a BA is acting as an agent of a CE, then . . . the BA’s discovery of the breach will be imputed to the CE.”
– i.e., CE required to notify within 60 days of when breach discovered by BA
When is breach discovered?
Breaches treated as “discovered” as of the first day the breach is known to the CE or BA, or by exercising reasonable diligence would have been known to the CE or BA
Not when management and/or Privacy/Security Officer knows:
– HITECH Act provides that breach treated as discovered by CE or BA when ‘‘any person, other than the individual committing the breach, that is an employee, officer, or other agent of such entity or associate’’ knows or should reasonably have known of the breach.
Notice by BA to CE
Notice by BA to CE must include, to the extent possible:
– Identification of each affected individual
– Any other available information that CE is required to include in notice to individuals (discussed below)
• If information becomes available after initial notice to CE, BA must provide such additional information to CE
Notice to affected individuals
Content of notice to affected individuals (to the extent possible):
– A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known;
– A description of the types of unsecured PHI that were involved in the breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
– Any steps individuals should take to protect themselves from potential harm resulting from the breach;
– A brief description of what CE is doing to investigate the breach, to mitigate harm to individuals, and to protect against any further breaches (free credit monitoring; reviewing P&P; retraining etc.); and
– Contact procedures for individuals to ask questions or learn additional information, which shall include a toll free telephone number, an e-mail address, web site, or postal address.
Notice to affected individuals
Plain language requirement
Form of notice
– First-class mail at the last known address
– Email (if the individual has previously agreed to electronic notice)
– If individual deceased, written notification by first-class mail to either the next of kin or personal representative
– Substitute notice
Notice to affected individuals
Substitute notice when insufficient or out-of-date contact information
– If fewer than 10 individuals, alternative form of written notice, telephone, or other means.
– Ten or more individuals:
• Either: (1) conspicuous posting for 90 days on the home page of the CE web site; or (2) conspicuous notice in major print or broadcast media in geographic areas where the individuals affected by the breach likely reside; and
• Must include a toll-free phone number that remains active for at least 90 days where an individual can learn whether the individual’s unsecured protected health information may be included in the breach.
Notice in Urgent Circumstances
– Possible imminent misuse of unsecured PHI
– CE may provide information to individuals by telephone or other means, as appropriate, to be followed up by written notice
Notice to OCR
CE must notify OCR in the event of a breach
Fewer than 500 individuals affected
– Within 60 days following the end of the calendar year in which the breach is discovered
500 or more individuals affected
– Contemporaneously with notice to individuals
Form of notice:
– Complete and submit OCR online notice form
– http://ocrnotifications.hhs.gov/
Media Notice
In the event that the Breach involves PHI from more than 500 individuals of a state or jurisdiction, the CE must also notify prominent media outlets in the jurisdiction
– Citywide? Statewide?
– “Outlets” (at least two)
– Print and/or broadcast media
Must include same information as individual notices
Breach at BA, affecting more than 500 from multiple CEs
– 500 per CE, not in the aggregate
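To make the notification rules in the preceding slides concrete, here is an added Python example (not from the presentation or its authors) that computes, per covered entity, the individual-notice deadline, the OCR notice timing, the states requiring media notice, and the substitute-notice mode from a constructed breach record; the threshold and deadline constants follow the slides, the CE names and headcounts are made up, and shorter state-law timeframes are deliberately not modelled.

```python
"""Added example (not from the presentation): breach notification obligations under the
HIPAA rules above. Sample data is constructed; state-law timeframes are not modelled."""
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from datetime import date, timedelta

OUTER_LIMIT_DAYS = 60      # "in no case later than 60 days after discovery"
LARGE_BREACH = 500         # OCR is notified contemporaneously at 500 or more
MEDIA_THRESHOLD = 500      # media notice when MORE than 500 in one state/jurisdiction
SUBSTITUTE_SMALL = 10      # fewer than 10 unreachable: alternative written/telephone notice

@dataclass
class AffectedIndividual:
    covered_entity: str        # CE whose PHI was involved (counts run per CE, not aggregate)
    state: str
    has_current_contact: bool = True

@dataclass
class Obligations:
    covered_entity: str
    individuals: int
    individual_notice_deadline: date
    ocr_notice: str
    ocr_deadline: date
    media_notice_states: list = field(default_factory=list)
    substitute_notice: str = "none required"

def effective_discovery(ba_discovery, ba_is_agent, ce_informed=None):
    """If the BA is the CE's agent, the BA's discovery is imputed to the CE;
    otherwise the CE's clock starts when the BA's notice reaches it."""
    if ba_is_agent or ce_informed is None:
        return ba_discovery
    return ce_informed

def ocr_notice_timing(count, discovery, individual_deadline):
    if count >= LARGE_BREACH:
        return "contemporaneously with notice to individuals", individual_deadline
    # fewer than 500: within 60 days following the end of the calendar year of discovery
    year_end = date(discovery.year, 12, 31)
    return "annual log, within 60 days after calendar year end", year_end + timedelta(days=60)

def substitute_notice_mode(unreachable):
    if unreachable == 0:
        return "none required"
    if unreachable < SUBSTITUTE_SMALL:
        return "alternative written notice, telephone, or other means"
    return ("conspicuous web posting or major media notice for 90 days, "
            "plus a toll-free number active for at least 90 days")

def compute_obligations(individuals, ba_discovery, ba_is_agent=False, ce_informed=None):
    """Return one Obligations record per covered entity whose PHI was involved."""
    discovery = effective_discovery(ba_discovery, ba_is_agent, ce_informed)
    deadline = discovery + timedelta(days=OUTER_LIMIT_DAYS)
    by_ce = defaultdict(list)
    for person in individuals:
        by_ce[person.covered_entity].append(person)
    results = {}
    for ce, people in by_ce.items():
        per_state = Counter(p.state for p in people)
        ocr_text, ocr_due = ocr_notice_timing(len(people), discovery, deadline)
        results[ce] = Obligations(
            covered_entity=ce, individuals=len(people),
            individual_notice_deadline=deadline, ocr_notice=ocr_text, ocr_deadline=ocr_due,
            media_notice_states=sorted(s for s, n in per_state.items() if n > MEDIA_THRESHOLD),
            substitute_notice=substitute_notice_mode(
                sum(1 for p in people if not p.has_current_contact)))
    return results

def sample_breach():
    """Constructed sample: a BA acting as the CEs' agent loses records of two CEs."""
    people = [AffectedIndividual("Hospital A", "MD", has_current_contact=i >= 5) for i in range(600)]
    people += [AffectedIndividual("Hospital A", "PA") for _ in range(200)]
    people += [AffectedIndividual("Clinic B", "MD", has_current_contact=i >= 12) for i in range(450)]
    return compute_obligations(people, ba_discovery=date(2015, 1, 15), ba_is_agent=True)

if __name__ == "__main__":
    for ce, o in sample_breach().items():
        print(ce, o)
```

Note that the two CEs share a state but are counted separately, so only Hospital A (600 in MD) crosses the media-notice threshold, while Clinic B (450) falls into the annual OCR log.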
Mitigation / Remediation
Act quickly following discovery of breach
Promptly take steps to mitigate potential harm and to prevent similar incident from happening in the future
– Technical (e.g., turning off application; add additional security)
– Non-Technical (e.g., law enforcement, private investigator, get data back)
– Employee disciplinary action
• Sanctions are a required Implementation Standard
– Post-incident review and modification of policies and procedures
– Additional training
Mitigation / Remediation, cont.
Goals of prompt mitigation
– Prevent or lessen harm to potentially affected individuals
– Prevent similar incidents from occurring in the future
• Proactive vs. reactive
– Quickly come into compliance with HIPAA Privacy, Security and/or Breach Notification Standards
– Preparedness for potential OCR investigation (demonstrated compliance)
Breach Preparedness / Be Proactive
Implement security breach response policies and procedures
– Expressly require that RA address at least the four enumerated factors
Thoroughly document risk assessment, particularly one finding a “low probability” that PHI was compromised
Train workforce on breach policies and procedures
CEs and BAs must have written sanctions policy and apply appropriate sanctions against workforce members who fail to comply with policies and procedures
Ensure vendors have appropriate safeguards to prevent, detect and respond to breaches
Be nimble (“60 days is an outer limit” for HIPAA reporting) – State law!
Expect future OCR guidance on risk assessments
Responding to an OCR Investigation
Complaint/Compliance Review Process (flowchart)
Source: OCR website: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/process/index.html
OCR Stated Approach to Enforcement
OCR first attempts to resolve non-compliance by obtaining:
– Voluntary compliance;
– Corrective action; and/or
– Resolution agreement.
Resolution Agreements: “These agreements are reserved to settle investigations with more serious outcomes” (23 to date)
Formal CMP enforcement process (only 1 to date)
– HHS administrative law judge hearing, in which OCR has burden of proof on liability issues and CE or BA has burden of proof on CMP quantum issues
– Appeal to HHS Departmental Appeals Board
– Appeal to U.S. Court of Appeals
OCR’s HIPAA Enforcement History
Between April 2003 and January 2015, of ~42,000 cases of potential HIPAA violations over which OCR found it had jurisdiction:
– In ~8,000 cases (19%), OCR intervened early with technical assistance on compliance in place of an investigation
– In ~11,000 cases (26%), OCR found no violation had occurred
– OCR resolved the remaining ~23,000 cases (55%) through a combination of demonstrated compliance, technical assistance, and corrective action plans – without any monetary payments
– OCR has required monetary settlements in just 23 cases (0.06%)
– Only 1 formal Civil Monetary Penalty Action to date
OCR Monetary Settlement History
OCR Enforcement Perspectives
Recent comments from OCR senior leadership and local representatives indicate OCR is now substantially toughening its enforcement positions
– “[C]ontinued enforcement is a critical component of OCR’s arsenal of tools” – Jocelyn Samuels, OCR Director.
Final Privacy Rule is 12 yrs old / Final Security Rule is 10 yrs old
Political Pressure
“[T]he overall record of [HIPAA] enforcement is simply not satisfactory” – Senator Al Franken, December 2011 Hearing before Senate Judiciary Subcommittee on Privacy, Technology, and Law.
“OCR did not meet [certain] Federal requirements critical to the oversight and enforcement of the Security Rule” (OIG Report, Nov. 2013)
Budgetary Considerations
– OCR level funded for 2015
– “[A]ny civil monetary penalty or monetary settlement collected with respect to an offense punishable under [HIPAA] . . . shall be transferred to the Office for Civil Rights of the Department of Health and Human Services to be used for purposes of enforcing [HIPAA]”. HITECH Act.
CMP Penalty Range
For each violation category: minimum per-violation penalty, and maximum penalty for all violations of an identical provision in a year
Tier 1: The entity did not know (and, by exercising reasonable diligence, would not have known) that it violated the applicable provision
– Minimum per violation: $100 (42 U.S.C. § 1320d-5(a)(3)(A); 45 C.F.R. § 160.404(b)(2)(i)(A))
– Annual maximum: $25,000 under HITECH Act (42 U.S.C. § 1320d-5(a)(3)(A)); $1,500,000 under HHS regulations (45 C.F.R. § 160.404(b)(2)(i)(B))
Tier 2: Violation is due to reasonable cause and not to willful neglect
– Minimum per violation: $1,000 (42 U.S.C. § 1320d-5(a)(3)(B); 45 C.F.R. § 160.404(b)(2)(ii)(A))
– Annual maximum: $100,000 under HITECH Act (42 U.S.C. § 1320d-5(a)(3)(B)); $1,500,000 under HHS regulations (45 C.F.R. § 160.404(b)(2)(ii)(B))
Tier 3: Violation is due to willful neglect and is corrected within 30 days of when the entity knew or by exercising reasonable diligence would have known that the violation occurred
– Minimum per violation: $10,000 (42 U.S.C. § 1320d-5(a)(3)(C); 45 C.F.R. § 160.404(b)(2)(iii)(A))
– Annual maximum: $250,000 under HITECH Act (42 U.S.C. § 1320d-5(a)(3)(C)); $1,500,000 under HHS regulations (45 C.F.R. § 160.404(b)(2)(iii)(B))
Tier 4: Violation is due to willful neglect and is not corrected within 30 days of when the entity knew or by exercising reasonable diligence would have known that the violation occurred
– Minimum per violation: $50,000 (42 U.S.C. § 1320d-5(a)(3)(D); 45 C.F.R. § 160.404(b)(2)(iv)(A))
– Annual maximum: $1,500,000 under HITECH Act (42 U.S.C. § 1320d-5(a)(3)(D)); $1,500,000 under HHS regulations (45 C.F.R. § 160.404(b)(2)(iv)(B))
Steps to Maximize Chance of Good Outcome
1. Be proactive
– Conduct/update comprehensive risk analysis
– Implement risk management plan based on risk analysis findings
– Develop, maintain, and periodically assess strong privacy, security, and breach response policies and procedures
– Adequately train employees and document training
– Follow and enforce the P&Ps once in place
– Encourage employees to promptly and accurately report potential breaches to appropriate internal officers
Steps to Maximize Chance of Good Outcome, ctd.
2. Investigate breach reports promptly
– Quickly determine basic facts, even if more time will be required to nail down all details
– Promptly take steps to mitigate potential harm and to prevent similar incident from happening in the future
– Regulators want to be notified sooner rather than later (60 days is an outer limit)
– Regulators often do not understand intra- or inter-organizational communications challenges
Steps to Maximize Chance of Good Outcome, ctd.
3. Communicate early and often
– Make sure regulators hear about a potential breach first from you, not from the media, a whistle-blower, or an impacted patient
– Consider informally giving the regulator basic facts, with the caveat that the investigation is ongoing, facts may ultimately prove to be different, etc.
– Allows entity to establish rapport with regulator
• Want regulator to view entity as a responsible and cooperative actor with patients’ best interests in mind
– Gives entity more control over message
Steps to Maximize Chance of Good Outcome, ctd.
4. Communicate effectively
– Choose a single spokesperson, whether that be an in-house lawyer, outside counsel, or someone else
– Stick with that spokesperson unless there is a good reason to change
– Be prepared to show concrete steps taken to improve safeguards (“lessons learned”) before being required to do so through a negotiated settlement
Steps to Maximize Chance of Good Outcome, ctd.
5. Be cooperative wherever possible with your regulators, but analyze critically
– Regulators’ interpretation of law is not always supported
– Regulators do not want to bring an enforcement action and lose
– Regulators are repeat players who will be impacted by negative court or ALJ decisions interpreting ambiguous laws and regulations
– Do not be afraid to politely, but firmly, push back on regulators’ theories
• Best done through outside counsel
So What Do I Do When I Get a Post-Breach Inquiry from OCR?
Acknowledge receipt and tell OCR that an appropriate person will respond promptly
Quickly report it to the appropriate officer in the organization
Involve in-house or outside counsel experienced in dealing with OCR investigations
– Work with counsel to come up with response and communications plan (internal and external)
Start collecting requested information quickly; don’t wait for the stated deadline
– Document all steps taken to do so
– Note privilege context of collected documents
So What Do I Do When I Get a Post-Breach Inquiry from OCR, ctd.?
Keep original file of all documents collected, including privileged documents
– Offer privilege log before preparing; regulator may not want one
Other than legitimate privilege assertions, be forthcoming
– Avoid splitting hairs wherever possible
– Perceived “cover up” usually leads to worse outcome than underlying incident would have
Respond within deadline or, alternatively, proactively seek extension
Recommended