Security & Privacy Topics to Watch in 2016
Kirk J. Nahra Wiley Rein LLP
Washington, D.C. 202.719.7335 [email protected] @kirkjnahrawork
(April 27, 2016)
My Presentation
• Address some of the key hot topics for privacy and security in 2016
• Start with “inside HIPAA” issues
• Move to issues that are “partially HIPAA,” even if driven by other rules/laws
• And then conclude with what’s “next to” HIPAA
Page 2
Inside HIPAA - Enforcement
• Remember the HHS OCR overall approach
• Many thousands of complaints, limited official enforcement actions on privacy or security
• Hundreds of complaints referred to DOJ for criminal investigation
• “Our first approach to dealing with any complaint is to work for voluntary compliance. So far it's worked out pretty well.” - (former) OCR Head
Page 3
Enforcement – HITECH
• Expectation of new attitude from the new Administration
• Much higher penalties
• New authority for State AGs
• Criminal sanctions available against employees
• But not much new yet
Page 4
Enforcement Issues – Criminal
• The Gibson case
• Hospice employee stole patient info, used it to establish fake credit cards
Page 5
Enforcement Issues – Criminal
• Lots of cases involving insiders mis-using data (not just an issue in health care)
• Celebrities, friends/family, non-friends
• Identity theft and health care fraud
• Selling records to plaintiffs’ personal injury lawyers
Page 6
Enforcement Issues – Civil
• $4.3 million penalty against Cignet Health Care in Maryland
• An enormous penalty, related to access violations AND a failure to cooperate with the investigation
• From published documents, Cignet (a) did not take its HIPAA responsibilities seriously AND (b) completely blew off the government investigation.
• Advice – don’t do that.
Page 7
Inside HIPAA - OCR Enforcement Changes
• Despite press reports every time there is a new case, no meaningful increase to date
• Investigations are more thorough and more burdensome
• Increasing pressure to do more on both audits and investigations
• Still generally very reasonable
Page 8
Enforcement
• Cases involving significant failures of compliance
• Cases involving repeated and/or uncorrected problems
• Particularly “noticeable” problems
• High impact cases (?)
Page 9
Recent Cases
• Feinstein Institute for Medical Research agreed to pay the Office for Civil Rights (OCR) $3.9 million for security problems in a research context
• North Memorial Health Care of Minnesota agreed to pay $1,550,000 to settle charges that it potentially violated HIPAA Privacy and Security Rules by failing to enter into a BAA with a major contractor and failing to institute an organization-wide risk analysis to address the risks and vulnerabilities to its patient information.
• Two big cases, on back to back days (old incidents)
• Security failures are driving these settlements
Page 10
Enforcement
• There is pressure to do more
• Note – Many of the biggest breaches have not resulted in enforcement (yet)
• Remember – A security breach does not mean a HIPAA violation
• How does the FTC fit into any enforcement pressure?
Page 11
Breaches
• Too many breaches dealing with health care data
• Unclear if there are really “more” breaches, but some clearly involve more records
• A “breach” does not mean the law was violated – most reported breaches have not resulted in penalties or enforcement
• Compliance Tip – Make sure employees know where to go fast if there is a problem
Page 12
Enforcement - Business Associates
• Now subject to full HIPAA enforcement regime
• Many BAs are not in reasonable compliance with HIPAA Security Rule, particularly on documentation
• Is it fair to think they would be?
• Little consistency across BA universe – compare your PBM to a local document shredder or small consulting firm
Page 13
Business Associates
• No real enforcement involving business associates yet
• A real challenge for OCR – how to treat companies who deal with much more than health care
• And the enormous range of size/sophistication of these entities
• Enormous variations in actual contact with PHI
Page 14
HIPAA Security Compliance
• Keep in mind how compliance with the HIPAA Security Rule works
• Risk assessment and risk management, along with policies and procedures
• Good security practices as a separate idea
• Appropriate mitigation and risk assessment for potential security breaches
Page 15
HIPAA Compliance/Investigations
• Historically, HHS OCR has been very reasonable
• HOWEVER, primary difficulty with security breaches is that you are defending your practices after something has gone wrong
• Doesn’t mean you can’t do it, just a tougher burden
• This is where a company’s history and mitigation matters a lot
Page 16
HIPAA Compliance/Investigations
• HHS OCR investigations typically will trail substantially behind everything else
• Publicity, notification decisions, lawsuits
• Many of the most prominent security breaches in the healthcare industry have never resulted in an HHS penalty or settlement
• How much of the notice rule is “shame” or pressure to have better practices to avoid notice?
Page 17
HIPAA Compliance/CyberSecurity
• Also keep in mind that the HIPAA Security Rule focuses on PHI – data about patients or insureds
• Cybersecurity focuses on this data PLUS all the other data that you have and how your system works with others in the system
• So, in theory, you should have strong cyber practices if you comply with HIPAA and ensure that the HIPAA approach covers all of your activities.
• But lots of new activities and pressures in this area
Page 18
HIPAA Compliance/Investigations
Expect:
• Significant pressure to implement “tougher” security standards
• Real pressure for broader encryption
• Enforcement and adverse notice publicity to put real pressure on better practices
• Both CEs and BAs have exposure in this area
• Pay close attention to problems faced by others – through enforcement, media reports and otherwise
Page 19
Enforcement – Audits
• Will we finally see the Phase 2 audit program in 2016? (Yes)
• What is the goal of this program? (Not clear)
• We can expect that covered entities will do reasonably well on the Privacy Rule and not as well (and maybe badly) on the Security Rule
• BAs – if included – likely will be bad at all of it
Page 20
Partially HIPAA
• Potential new legislation – 21st Century Cures
• Major legislation, with small number of privacy provisions (receiving almost no attention)
• Current provisions could dramatically change research rules
• Also could allow pharma to buy PHI for “research” or “public health” without payment limits
• Will this open up HIPAA again?
Page 21
Next to HIPAA
• What is “outside” of HIPAA is growing
• Web sites gather and distribute healthcare information - ranging from commercial web sites (e.g., Web MD) to patient support groups
• Significant expansion of mobile applications directed to healthcare data or offered in connection with health information
• “Wearables”
Page 23
More “next generation” issues
• An emerging (and related) issue - bringing “outside” HIPAA information “inside” HIPAA
• CEs are gathering all kinds of data about their patients/customers/insureds from outside the health care system and using it for “health care purposes”
Page 24
Recent Headlines
• Bloomberg - “You may soon get a call from your doctor if you’ve let your gym membership lapse, made a habit of picking up candy bars at the check-out counter or begin shopping at plus-sized stores.”
• New York Times - Health plan prediction models using consumer data from data brokers (e.g., income, marital status, number of cars), to predict emergency room use and urgent care.
• Fortune - Employers Are Quietly Using Big Data to Track Employee Pregnancies.
Page 25
What’s Next?
• The debate about “non-HIPAA” healthcare data is not going away
• Lots of pressure from many fronts to “do something” about this non-HIPAA health care data
• There is too much data being used by too many people in too many risky contexts
• Therefore . . .
Page 26
Tentative Predictions
3 Main Options
• Something specific for this non-HIPAA health care data
• Something that covers all health care data (a “general” HIPAA)
• A broader overall privacy law (with or without a HIPAA carve-out)
Page 27
De-Identification Issues
• Lots of discussion and debate about the de-identification standards
• Some guidance has been issued, with more likely to come
• Lots of publicity about “re-identification” concerns, but no situation where HIPAA de-identified data has been re-identified
Page 28
De-Identification Issues
• HIPAA standard remains the “gold standard” in terms of detail and effectiveness
• Growth in “non-HIPAA” health care data presents significant complications for de-identification standards
• Growing ability to gather and analyze data from broader variety of sources
• Ongoing challenges to ensure appropriate de-identification with differing data standards
Page 29
De-Identification Issues
• Should the de-identification rules change?
• Have the principles kept pace with technology? (A key but somewhat disingenuous issue for “privacy advocates”)
• Is it “too easy” to re-identify individuals?
• How does “big data” affect de-identification or re-identification?
• Compliance Challenge – How is this issue relevant to your company?
Page 30
Breach Litigation
• More and more cases being brought after breaches
• Plaintiffs’ class action bar is not letting this issue go
• But they are facing ongoing challenges in making these cases stick
• “Standing” and actual injury are real sticking points
Page 31
Smith v. Chase Manhattan Bank
• Facts of the case
• What do you think of the result?
• Why are we talking about this case?
• “The ‘harm’ at the heart of this purported class action is that class members were merely offered products and services which they were free to decline. This does not qualify as actual harm.”
Page 32
Maglio v. Advocate Health and Hospitals Corporation
• Facts of the case
• For the healthcare industry, what are the key issues here?
• Relevance of allegation that “hospital failed to meet its obligation to abide by the best practices and industry standards concerning the security of personal information and the computers associated therewith.”
Page 33
Maglio v. Advocate Health and Hospitals Corporation
• “Plaintiffs did not allege that their personal information was used in any unauthorized manner as a result of the burglary, but they claimed that they face an increased risk of identity theft and/or identity fraud.”
• Implications of this decision for health care companies (and others)
• Relevance of HIPAA to this case?
Page 34
Maglio v. Advocate Health and Hospitals Corporation
• “plaintiffs’ allegations of injury are clearly speculative, and therefore plaintiffs lack standing to bring suit. Their claims that they face an increased risk of, for example, identity theft are purely speculative and conclusory, as no such identity theft has occurred to any of the plaintiffs. Thus, their allegations fail to show a distinct and palpable injury.”
Page 35
Maglio v. Advocate Health and Hospitals Corporation
• Plaintiffs further argue that the medical information at issue here warrants a finding that the harm is implicit. They urge that an actual injury occurs when a medical professional fails to keep a patient’s medical information private. Such information is, they assert, inherently personal and particularized to the individual. We reject plaintiffs’ argument.
Page 36
Northwestern Memorial Hospital v. John Ashcroft
• Facts of the case
• Discussion of the HIPAA standard for subpoenas
• What do you think of the result?
Page 37
Northwestern Memorial Hospital v. John Ashcroft
• “even if there were no possibility that a patient’s identity might be learned from a redacted medical record, there would be an invasion of privacy.”
Page 38
Questions?
For further information, contact:
• Kirk J. Nahra, Wiley Rein LLP, 202.719.7335, [email protected], @kirkjnahrawork
• Subscribe (for free) to Privacy in Focus - http://www.wileyrein.com/publications.cfm?sp=newsletters
Page 39