HIPAA: One Year After the Final Rule
September 11, 2014, 11:00 a.m. – 12:00 p.m. (EST)
This webinar is sponsored by the American Health Lawyers Association Enterprise Risk Management Task Force
Faculty: Lynn Sessions, Partner, BakerHostetler, Houston, TX
OCR Resolution Agreements
• Providence Health & Services ($100K)
• CVS Pharmacy ($2.25M)
• Rite-Aid ($1M)
• Management Services Organization of Washington ($35K)
• Cignet ($4.3M)
• Massachusetts General Hospital ($1M)
• UCLA Health Services ($865K)
• Blue Cross Blue Shield of Tennessee ($1.5M)
• Alaska Medicaid ($1.7M)
• Phoenix Cardiac Surgery, P.C. ($100K)
• Massachusetts Eye and Ear Infirmary ($1.5M)
• Hospice of North Idaho ($50K)
• Idaho State University ($400K)
• Shasta Regional Medical Center ($275K)
• WellPoint ($1.7M)
• Affinity Health Plan ($1.2M)
• Adult & Pediatric Dermatology, P.C. of Massachusetts ($150K)
• Skagit County, Washington ($215K)
• QCA Health Plan, Inc. ($250K)
• Concentra Health Services ($1.725M)
• New York and Presbyterian Hospital ($3.3M)
• Columbia University ($1.5M)
• Parkview Health System ($800K)
“This final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented. These changes not only greatly enhance a patient’s privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates.”
Leon Rodriguez, Director, OCR
What has OCR said about enforcement?
• Breach is presumed
• Breach analysis modified
• Business Associates are directly liable
• Business Associate negotiations
• Increased regulatory scrutiny
• Focus on Security Rule
• Other clarifications
Changes that followed the Final Rule
Where are the threats?
• Inside threats
  – Employee negligence
    · Security failures
    · Lost mobile devices
  – Employee ignorance
    · Improper disposal of personal information (dumpsters)
    · Lack of education and awareness
  – Malicious employees
• Outside threats
  – Hackers
    · Malware
    · Phishing and spear phishing
  – Thieves (including social engineering tools)
  – Vendors
What kinds of information are at risk?
Patient Information
• Protected Health Information (PHI), including medical records, test results, appointment history, and insurance information
• Credit cards, debit cards, and other payment information
• Social Security Numbers
• Financial information, like account balances, loan history, and credit reports
• Non-PII, like email addresses, phone lists, and home addresses, that may not be independently sensitive but may become more sensitive when combined with one or more of the above
Employee Information
• Employers have at least some of the above information on all of their employees
Business Partners
• Vendors and business associates may provide some of the above information
What is a breach?
Baseline definition of a breach remains unchanged.
• § 164.402: Breach means the acquisition, access, use, or disclosure of protected health information in a manner not permitted under Subpart E of this part which compromises the security or privacy of the protected health information.
• An acquisition, access, use, or disclosure of protected health information in a manner not permitted . . . is presumed to be a breach
• Unless the CE or BA can demonstrate that there is a low probability that the PHI has been compromised, based on a risk assessment
• “Compromise” is not defined
Breach Analysis
Risk Assessment
• Risk Assessment
  – Documented
  – Based on at least 4 factors
    · The nature and extent of the PHI
    · The unauthorized person involved
    · Whether the PHI was actually acquired or viewed
    · Extent to which any risk has been mitigated
• State law may be more restrictive
A Simplified Response Methodology
[Flowchart: four stages, from Discovery of a Data Breach, through Evaluation of the Data Breach, to Managing the Short-Term Crisis and Handling the Long-Term Consequences.]
Discovery of a Data Breach: theft, loss, or unauthorized disclosure of Personally Identifiable Non-Public Information or Third Party Corporate Information that is in the care, custody or control of the Insured Organization, or a third party for whom the Insured Organization is legally liable.
Elements shown on the chart:
• Forensic Investigation and Legal Review
• Notification and Credit Monitoring
• Class-Action Lawsuits
• Regulatory Fines, Penalties, and Consumer Redress
• Public Relations
• Reputational Damage
• Income Loss
Business Associate Liability
• Directly liable for regulatory compliance
• Limited by contract with Covered Entity
• CE not absolved from reporting responsibility
• Both parties may be investigated by OCR/AGs
• Both parties may be sued
Business Associate Agreements are Critical
Office for Civil Rights (“OCR”) Requests
• Risk Analysis – A copy of the most recent risk analysis performed for or by the Covered Entity/Business Associate. (45 CFR § 164.308(a)(1)(ii)(A))
• Risk Management – A copy of the most recent risk management measures to address identified risks through the implementation of policies/procedures or controls. (45 CFR § 164.308(a)(1)(ii)(B))
• Response and Reporting – Evidence of the policies/procedures implemented to authorize access to ePHI. (45 CFR § 164.308(a)(4)(i))
• Response and Reporting – A copy of the incident report prepared regarding the theft of the computer, including any corrective actions taken by the Covered Entity/Business Associate. (45 CFR § 164.308(a)(6)(ii))
• Contingency Plan – Evidence that physical and technical safeguards for ePHI are built into contingency plans; processes are in place to incorporate system modifications into contingency plans; all information systems and peripherals are identified and incorporated into emergency planning and testing. (45 CFR § 164.308(a)(7)(ii))
• Data Backup Plan – Evidence of implementation of a backup recovery system and of safeguards for ePHI stored on backup media. (45 CFR § 164.308(a)(7)(ii)(A))
• Business Associate Agreements – A copy of the Business Associate Agreement in place at the time of the incident. (45 CFR § 164.308(b))
OCR Requests – cont’d
• Facility Security Plan – A copy of the Covered Entity/Business Associate’s facility security plan, showing it is comprehensive and up-to-date. (45 CFR § 164.310(a)(2)(ii))
• Encryption and Decryption – Evidence of the implementation of an encryption/decryption plan to safeguard ePHI; that mechanisms are available to the workforce to encrypt/decrypt ePHI; and that there is a policy in place regarding workforce use of encryption/decryption technologies. (45 CFR § 164.312(a)(2)(iv))
• Notification to Individuals – Documentation that all affected individuals were notified of the breach in a timely way. (45 CFR § 164.404(a) and (b))
• Notification of Media – Documentation that prominent media outlets were notified on a timely basis. (45 CFR § 164.406(a) and (b))
• Burden of Proof – A copy of the most recent risk assessment performed for or by the Covered Entity/Business Associate, showing that objective standards were applied. (45 CFR § 164.414(b))
• Uses/Disclosures – The Covered Entity/Business Associate’s policies and procedures for complying with the HIPAA Privacy Rule prohibition against impermissible disclosure. (45 CFR § 164.502(a))
• Safeguards – The Covered Entity/Business Associate’s policy/procedure for safeguarding ePHI. (45 CFR § 164.530(c))
Regulatory Hot Buttons
• Risk Assessments and Risk Management Plans
• Vendor Management
• Incident Report and Process
• Encryption of Devices – Focus has been on mobile devices, with a recent shift toward biomedical devices and desktop computers
• Third Party Access to PHI
• Inventory of PHI and ePHI
• Staff Education and Sanctions
• Business Associate Agreements
• Minimum Necessary
• Accounting of Disclosures
• Old Data
• Security Rule compliance
Litigation
• Class Action and Personal Litigation
• Statutory Liability
• Invasion of Privacy
• Breach of Contract
• Negligence
HIPAA as Standard of Care
Hinchey v. Walgreens, Indiana Superior Court (2013)
• Jury verdict of $1.44M
• HIPAA does not create private cause of action
• HIPAA establishes the standard of care for provider
• Walgreens found vicariously liable for pharmacist
What does it mean?
• Expect to have more breaches reported
• Greater scrutiny and enforcement
• Increased CMP amounts
• CE and BA relationship tension
• More litigation
  – Class action
  – Personal litigation
Membership of the Incident Response Team
• IRT Leader/Coordinator
• Privacy Officer
• Legal
• Risk Management
• Others as appropriate
  – Information Security
  – HR, Employee Relations, Patient Relations
  – Public Relations
  – Security
Enterprise Impact
• Costs of breach notification
• Forensics
• Public relations/crisis management
• Patients’ trust
• Regulatory investigation & CMPs
• Corrective action & sanctions
• Litigation
Q & A
HIPAA: One Year After the Final Rule © 2014 is published by the American Health Lawyers Association. All rights reserved. No part of this publication may be reproduced in any form except by prior written permission from the publisher. Printed in the United States of America.
Any views or advice offered in this publication are those of its authors and should not be construed as the position of the American Health Lawyers Association.
“This publication is designed to provide accurate and authoritative information in regard to the subject matter covered. It is provided with the understanding that the publisher is not engaged in rendering legal or other professional services. If legal advice or other expert assistance is required, the services of a competent professional person should be sought”—from a declaration of the American Bar Association