HIPAA: One Year After the Final Rule

Page 1: HIPAA: One Year After the Final Rule

September 11, 2014, 11:00 a.m. – 12:00 p.m. (EST)

This webinar is sponsored by the American Health Lawyers Association Enterprise Risk Management Task Force.

Faculty: Lynn Sessions, Partner, BakerHostetler, Houston, TX

Page 2: OCR Resolution Agreements

• Providence Health & Services ($100K)

• CVS Pharmacy ($2.25M)

• Rite-Aid ($1M)

• Management Services Organization of Washington ($35K)

• Cignet ($4.3M)

• Massachusetts General Hospital ($1M)

• UCLA Health Services ($865K)

• Blue Cross Blue Shield of Tennessee ($1.5M)

• Alaska Medicaid ($1.7M)

• Phoenix Cardiac Surgery, P.C. ($100K)

• Massachusetts Eye and Ear Infirmary ($1.5M)

• Hospice of North Idaho ($50K)

• Idaho State University ($400K)

• Shasta Regional Medical Center ($275K)

• WellPoint ($1.7M)

• Affinity Health Plan ($1.2M)

• Adult & Pediatric Dermatology, P.C. of Massachusetts ($150K)

• Skagit County, Washington ($215K)

• QCA Health Plan, Inc. ($250K)

• Concentra Health Services ($1.725M)

• New York and Presbyterian Hospital ($3.3M)

• Columbia University ($1.5M)

• Parkview Health System ($800K)

Page 3: What has OCR said about enforcement?

“This final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented. These changes not only greatly enhance a patient’s privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates.”

Leon Rodriguez, Director, OCR

Page 4: Changes that followed the Final Rule

• Breach is presumed

• Breach analysis modified

• Business Associates are directly liable

• Business Associate negotiations

• Increased regulatory scrutiny

• Focus on Security Rule

• Other clarifications

Page 5: Where are the threats?

• Inside threats

– Employee negligence
    – Security failures
    – Lost mobile devices

– Employee ignorance
    – Improper disposal of personal information (dumpsters)
    – Lack of education and awareness

– Malicious employees

• Outside threats

– Hackers
    – Malware
    – Phishing and spear phishing

– Thieves (including social engineering tools)

– Vendors

Page 6: What kinds of information are at risk?

Patient Information

• Patient information

• Protected Health Information (PHI), including medical records, test results, appointment history, and insurance information

• Credit cards, debit cards, and other payment information

• Social Security Numbers

• Financial information, such as account balances, loan history, and credit reports

• Non-PII, such as email addresses, phone lists, and home addresses, which may not be sensitive on their own but become more sensitive when combined with one or more of the above

Employee Information

• Employers hold at least some of the above information on all of their employees

Business Partners

• Vendors and business associates may provide some of the above information

Page 7: What is a breach?

Baseline definition of a breach remains unchanged.

• § 164.402: Breach means the acquisition, access, use, or disclosure of protected health information in a manner not permitted under Subpart E of this part which compromises the security or privacy of the protected health information.

Page 8: Breach Analysis

• An acquisition, access, use, or disclosure of protected health information in a manner not permitted . . . is presumed to be a breach

• Unless the CE or BA can demonstrate, based on a risk assessment, that there is a low probability that the PHI has been compromised

• “Compromise” is not defined

Page 9: Risk Assessment

• Risk Assessment

– Documented

– Based on at least 4 factors
    – The nature and extent of the PHI
    – The unauthorized person involved
    – Whether the PHI was actually acquired or viewed
    – Extent to which any risk has been mitigated

State law may be more restrictive.

Page 10: A Simplified Response Methodology

The slide diagrams the response as four stages, in order:

• Discovery of a Data Breach

• Evaluation of the Data Breach

• Managing the Short-Term Crisis

• Handling the Long-Term Consequences

Discovery is triggered by theft, loss, or unauthorized disclosure of Personally Identifiable Non-Public Information or Third Party Corporate Information that is in the care, custody or control of the Insured Organization, or of a third party for whom the Insured Organization is legally liable.

Elements shown along the stages:

• Forensic Investigation and Legal Review

• Notification and Credit Monitoring

• Class-Action Lawsuits

• Regulatory Fines, Penalties, and Consumer Redress

• Public Relations

• Reputational Damage

• Income Loss

Page 11: Business Associate Liability

• Directly liable for regulatory compliance

• Limited by contract with Covered Entity

• CE not absolved from reporting responsibility

• Both parties may be investigated by OCR/AGs

• Both parties may be sued

Business Associate Agreements are critical.

Page 12: Office for Civil Rights (“OCR”) Requests

• Risk Analysis – A copy of the most recent risk analysis performed for or by the Covered Entity/Business Associate. (45 CFR § 164.308(a)(1)(ii)(A))

• Risk Management – A copy of the most recent risk management measures to address identified risks through the implementation of policies/procedures or controls. (45 CFR § 164.308(a)(1)(ii)(B))

• Response and Reporting – Evidence of the policies/procedures implemented to authorize access to ePHI. (45 CFR § 164.308(a)(4)(i))

• Response and Reporting – A copy of the incident report prepared regarding the theft of the computer, including any corrective actions taken by the Covered Entity/Business Associate. (45 CFR § 164.308(a)(6)(ii))

• Contingency Plan – Evidence that physical and technical safeguards for ePHI are built into contingency plans; that processes are in place to incorporate system modifications into contingency plans; and that all information systems and peripherals are identified and incorporated into emergency planning and testing. (45 CFR § 164.308(a)(7)(ii))

• Data Backup Plan – Evidence of implementation of a backup recovery system and of safeguards for ePHI stored on backup media. (45 CFR § 164.308(a)(7)(ii)(A))

• Business Associate Agreements – A copy of the Business Associate agreement in place at the time of the incident. (45 CFR § 164.308(b))

Page 13: OCR Requests – cont’d

• Facility Security Plan – A copy of the Covered Entity/Business Associate’s facility security plan, showing it is comprehensive and up to date. (45 CFR § 164.310(a)(2)(ii))

• Encryption and Decryption – Evidence of the implementation of an encryption/decryption plan to safeguard ePHI; that mechanisms are available to the workforce to encrypt/decrypt ePHI; and that there is a policy in place regarding workforce use of encryption/decryption technologies. (45 CFR § 164.312(a)(2)(iv))

• Notification to Individuals – Documentation that all affected individuals were notified of the breach in a timely way. (45 CFR § 164.404(a) and (b))

• Notification of Media – Documentation that prominent media outlets were notified on a timely basis. (45 CFR § 164.406(a) and (b))

• Burden of Proof – A copy of the most recent risk assessment performed for or by the Covered Entity/Business Associate, showing that objective standards were applied. (45 CFR § 164.414(b))

• Uses/Disclosures – The Covered Entity/Business Associate’s policies and procedures for complying with the HIPAA Privacy Rule prohibition against impermissible disclosure. (45 CFR § 164.502(a))

• Safeguards – The Covered Entity/Business Associate’s policy/procedure for safeguarding ePHI. (45 CFR § 164.530(c))

Page 14: Regulatory Hot Buttons

• Risk Assessments and Risk Management Plans

• Vendor Management

• Incident Report and Process

• Encryption of Devices – Focus has been on mobile devices; recent shift towards biomedical devices and desktop computers

• Third Party Access to PHI

• Inventory of PHI and ePHI

• Staff Education and Sanctions

• Business Associate Agreements

• Minimum Necessary

• Accounting of Disclosures

• Old Data

• Security Rule compliance

Page 15: Litigation

• Class Action and Personal Litigation

• Statutory Liability

• Invasion of Privacy

• Breach of Contract

• Negligence

Page 16: HIPAA as Standard of Care

Hinchey v. Walgreens, Indiana Superior Court (2013)

• Jury verdict of $1.44M

• HIPAA does not create private cause of action

• HIPAA establishes the standard of care for provider

• Walgreens found vicariously liable for pharmacist

Page 17: What does it mean?

• Expect to have more breaches reported

• Greater scrutiny and enforcement

• Increased CMP amounts

• CE and BA relationship tension

• More litigation

– Class action

– Personal litigation

Page 18: Membership of the Incident Response Team

• IRT Leader/Coordinator

• Privacy Officer

• Legal

• Risk Management

• Others as appropriate

– Information Security

– HR, Employee Relations, Patient Relations

– Public Relations

– Security

Page 19: Enterprise Impact

• Costs of breach notification

• Forensics

• Public relations/crisis management

• Patients’ trust

• Regulatory investigation & CMPs

• Corrective action & sanctions

• Litigation

Page 20: Q & A

Page 21

HIPAA: One Year After the Final Rule © 2014 is published by the American Health Lawyers Association. All rights reserved. No part of this publication may be reproduced in any form except by prior written permission from the publisher. Printed in the United States of America.

Any views or advice offered in this publication are those of its authors and should not be construed as the position of the American Health Lawyers Association.

“This publication is designed to provide accurate and authoritative information in regard to the subject matter covered. It is provided with the understanding that the publisher is not engaged in rendering legal or other professional services. If legal advice or other expert assistance is required, the services of a competent professional person should be sought”—from a declaration of the American Bar Association