© Clearwater Compliance | All Rights Reserved

A Framework for Breach Response for Covered Entities and Business Associates

June 21, 2018



Legal Disclaimer

Although the information provided by Clearwater Compliance may be helpful in informing customers and others who have an interest in data privacy and security issues, it does not constitute legal advice. This information may be based in part on current federal law and is subject to change based on changes in federal law or subsequent interpretative guidance. Where this information is based on federal law, it must be modified to reflect state law where that state law is more stringent than the federal law or other state law exceptions apply. This information is intended to be a general information resource and should not be relied upon as a substitute for competent legal advice specific to your circumstances. YOU SHOULD EVALUATE ALL INFORMATION, OPINIONS AND RECOMMENDATIONS PROVIDED BY CLEARWATER IN CONSULTATION WITH YOUR LEGAL OR OTHER ADVISOR, AS APPROPRIATE.

Copyright Notice

All materials contained within this document are protected by United States copyright law and may not be reproduced, distributed, transmitted, displayed, published, or broadcast without the prior, express written permission of Clearwater Compliance LLC. You may not alter or remove any copyright or other notice from copies of this content.

*The existence of a link or organizational reference in any of the following materials should not be assumed as an endorsement by Clearwater Compliance LLC.



About Your Presenter

Erin Brisbay McMahon, J.D., Chief Compliance Officer & Senior Director, Legal

• 25+ years legal experience (licensed in Kentucky only)
• 20+ years practicing healthcare law
• Former Data Privacy Counsel for one of the world’s largest providers of diversified business process services
• Former health care service team partner at a large regional law firm – counseled healthcare providers and health plans on HIPAA compliance, including responding to OCR investigations
• Former President, Fayette County (KY) Bar Association
• Woodward/White’s Best Lawyers in America® 2011-17 in the area of health care
• Adjunct faculty, Health Law, University of Kentucky College of Law, Fall 2004
• Speaker and published author on HIPAA compliance and other healthcare topics


We’re excited about what we do because… …we’re helping organizations improve patient safety and the quality of care by safeguarding the very personal and private healthcare information of millions of fellow Americans…

…And, keeping those same organizations off the Wall of Shame!


Clearwater Recognition Highlights

(2017 and 2018 recognition badges: Exclusive Endorsement; Sole Source Provider; Software Used by NSA/CAEs; Industry Collaborator; Industry Resource Provider)


Some Webinar Logistics

1. Slide materials – link in Chat Box. You should also have received them in the reminder email earlier today.
2. Please ask questions in the “Question Area”.
3. In case of technical issues, check the “Chat Area”.
4. All attendees are in “Listen Only Mode”.
5. Please complete the Exit Survey when you leave the session.
6. Recorded version and final slides within 48 hours.


Pause and Quick Poll

What type of organization do you represent?

• Hospital / Health System
• Other CE
• Business Associate
• Hybrid
• Don’t Know


Discussion Progression

1. Case for Action
2. Think Big Picture
3. Learn Explicit Requirements
4. Get Started With Actionable, Practical Next Steps
5. Educational Resources


By the Numbers

• Total dollars collected by OCR: $79.4MM
• Total Resolution Agreements/CAPs: 56
• Total ePHI Cases: 42
• Total Adverse Risk Analysis Findings: 37
• Total Adverse Risk Management Findings: 35

Will the Risk Analysis and Risk Management focus continue?


Pause and Quick Poll

Have you seen / read an OCR Investigation Letter and Initial Data Request?


PnPs Are ALWAYS Requested



Big picture

• Never forget you are on the clock (and sometimes on MANY clocks)
  • State (in motion), Federal, International laws (in motion)
  • Correction/mitigation
  • MSA/BAA
  • Public perception clock
• Contain the incident if possible
• Initial assessment – How many persons affected, is there an exception, etc., do you need to involve law enforcement
• Broker and Cyber Insurer – If the claim might exceed the deductible, then call the broker immediately
• Litigation hold – let employees/agents know not to destroy any notes pertinent to the investigation. Disable auto-delete rules that might affect the investigation


Panels

• Many cyber insurance carriers have panels – entities that can assist through a breach notification and beyond. The carriers have negotiated discounts with these panelists:
  • Attorneys
  • Mailing/copying centers
  • PR
  • Forensics
  • Call Center
  • Credit Monitoring/ID Theft Protection



Covered Entity Requirements

• Has there been an unauthorized use or disclosure or a security incident?
• Evaluate whether there is a Breach of Unsecured PHI
• Was the information encrypted according to HHS standards?
• Does an exception apply?
• Balance:
  • Nature and extent of PHI involved, including types of identifiers and likelihood of re-identification
  • The unauthorized person who used the PHI or to whom the disclosure was made
  • Whether the PHI was actually acquired or viewed
  • The extent to which the risk to the PHI has been mitigated


Covered Entity Requirements

• DOCUMENT, DOCUMENT, DOCUMENT!
• What if the conclusion is a Breach?
  • Notification letter – engage competent counsel and consider statutory and regulatory requirements beyond HIPAA
  • Timing and contents of letter
  • Who gets the letter – plan members, minors, estates
  • What if the letter comes back?
  • Press release
  • Notice to OCR – when?
  • Consider informal notice to OCR and state regulators
  • Mitigate – corrective action within 30 days of discovery; other mitigation to assist affected individuals


Business Associate Requirements

• Three requirements to report to Covered Entity
  • Unauthorized Use or Disclosure
  • Security Incident
  • Breach of Unsecured PHI
• What does this mean?
  • You will be asked to share information about your breach analysis with the Covered Entity
• Look at your Contract/BAA requirements with your Covered Entity
  • Can you find your contracts/BAAs?
  • The HIPAA DBN Rule requires no unreasonable delay and no greater than 60 days from date of discovery; what does the contract require? More often than not, anywhere from immediately to 5 business days
  • Who is your contact at the Covered Entity?
  • What are your obligations with respect to notification and indemnity/reimbursement? You need to know and your cyber insurer needs to know.



Thinking Proactively

• Incident Response Team – Tabletop Exercises
• BAA spreadsheet and binder
• Cyber carrier review – what is in your policy?
  • First-party
    • Attorneys’ fees
    • Forensics
    • Mailings
    • Credit monitoring/ID Theft Protection
    • Crisis Management
    • Regulatory settlements/fines
  • Third-party claims
  • Cyberextortion
  • Media liability
  • Business Interruption


Educational Resources

• OCR Breach Notification Rule - https://www.ecfr.gov/cgi-bin/text-idx?SID=3ef2a528fd403fa7cd1a2f69d3b08b3f&mc=true&node=sp45.1.164.d&rgn=div6
• OCR Sample BAA Spreadsheet - https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/batemplate/index.html
• State Data Breach Notification laws - http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx
• General Data Protection Regulation (Europe) - https://ec.europa.eu/info/law/law-topic/data-protection_en
• Colorado’s new law (effective 9/1/18) - https://leg.colorado.gov/sites/default/files/documents/2018A/bills/2018a_1128_signed.pdf


At Clearwater Compliance, we have a passion for education. This is why we offer so many complimentary HIPAA compliance and cyber risk management resources.

Upcoming Educational Live Web Events

For more information & a complete list of upcoming web events please visit: http://bit.ly/clearwaterlivewebevents

• June 27 – Complimentary Webinar sponsored by Texas Hospital Association: First, Do No Harm! The Impact of Cyber Risks on Patient Safety
• June 28 – Complimentary Webinar sponsored by the Maine Hospital Association: Managing Cyber Risk Right
• July 9 – Complimentary Webinar: HIPAA 101


Present: CHIME CIO 2018 Virtual Cybersecurity Symposium™

This event is complimentary and open only to CHIME members. Not a CHIME member yet? Join CHIME at: http://bit.ly/joinCHIME

6 Hours Of Live, Educational Content + 30 Days of Mentoring & Support from Subject Matter Experts

JULY 19, JULY 26 & AUGUST 2 | 12-2pm ET

Reserve your seat @ https://go.clearwatercompliance.com/2018_chime_cio_symposium_register

Designed for CHIME CIOs, the curriculum focuses on the most pressing issues facing healthcare providers and their business partners today as defined by the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) and responds to the intensifying focus on information / cyber risk management.


Present: AEHIS CISO 2018 Virtual Cybersecurity Symposium™

This event is complimentary and open only to AEHIS members. Not an AEHIS member yet? Join at: https://aehis.org/join-aehis/

10 Hours Of Live, Educational Content + 30 Days of Mentoring & Support from Subject Matter Experts

Aug 9, 16, 23, 30 & Sept 6 | 12-2pm ET

Reserve your seat @ https://go.clearwatercompliance.com/2018_aehis_ciso_symposium_register

Designed for AEHIS CISOs, the curriculum focuses on:
• Practical application of the NIST Cybersecurity Framework
• The NIST process for managing information security risk (based on NIST SP 800-39) and
• Adopting a maturity model to address today’s continuously evolving healthcare providers and their business partners.


Questions? | We are here to help.

Please fill out the short survey when you exit the session. We appreciate your feedback!

[email protected]


www.ClearwaterCompliance.com

LINKEDIN | http://www.linkedin.com/in/bobchaput/
TWITTER | @clearwaterhipaa
YOUTUBE | Search: ClearwaterCompliance

800-704-3394

Thank You.