Cybersecurity and Healthcare: The Key to Limiting Your Risk is Being Informed
February 26, 2015
HIPAA/HITECH: Risks and Liabilities in an Increasing Enforcement Environment
Presented By: Gregory M. Fliszar, J.D., Ph.D.
(215) 665-4737
Agenda
• HIPAA Refresher
• HITECH Final Rule – significant changes
• Top HIPAA Issues
• Healthcare Risks
• Enforcement Environment
What is HIPAA?
• The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
  – Administrative Simplification
    • Standards for health care electronic transactions and code sets
    • Security of electronically stored and transmitted health information
    • Privacy of individually identifiable health information
What is HIPAA?
• Privacy Rule – sets the standards for who may have access to PHI
  – Applies to all forms of PHI, whether electronic, written or oral
• Security Rule – sets the standards for ensuring that only those who should have access to electronic PHI (ePHI) actually have access
  – Applies only to PHI that is in electronic form
HIPAA Applicability
• Covered Entities
  – Health plans, including, for example:
    • Group health plans (medical, dental and LTC plans)
    • Health insurance issuers
    • Issuers of flexible spending accounts
  – Health care providers that transmit electronic information in connection with health claims transactions
  – Health care clearinghouses
HIPAA Applicability
• Business Associates
  – A person or organization, other than a member of a covered entity's workforce, that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of individually identifiable health information
  – Examples include billing companies, attorneys, accountants, consultants, etc.
HIPAA Applicability
• HIPAA applies only to “Protected Health Information” (PHI)
  – Individually identifiable information
  – Received or created by a Covered Entity
  – Relating to a person’s past, present or future health condition, treatment or payment
  – Transmitted or stored by a Covered Entity in any form (including oral)
HIPAA General Rule
• PHI may not be disclosed without patient authorization unless the disclosure is otherwise permitted under HIPAA or required by law.
• Failure to comply = breach
  – Breach notification if unsecured PHI
HIPAA/HITECH Final Omnibus Rule
• Significant changes: Business Associates
  – Definition of business associate broadened to include: (1) subcontractors of business associates and (2) Health Information Organizations or other entities that provide data transmission services to a covered entity that require access to PHI on a routine basis
Business Associates
• Business Associates
  – HIPAA now applies to an enormous number and variety of service providers to the health-care industry
  – Downstream contractors included
  – Not limited to traditional health care
    • Storage companies
    • Cloud providers
HIPAA/HITECH Final Omnibus Rule
  – BAs now directly liable under HIPAA for violations of the Security Rule and for impermissible uses and disclosures of PHI under the Privacy Rule
  – Significant compliance obligations
  – BAs subject to:
    • HIPAA audits
    • Civil monetary penalties
    • Criminal sanctions
Business Associates
• HIPAA audits expected to resume in 2015 – BAs are expected to be prime targets
  – Many reported covered entity breaches involved BAs
• Business Associate Agreements are no longer boilerplate
  – Most include indemnification provisions requiring the BA to indemnify the Covered Entity from all claims and expenses resulting from the acts or omissions of the BA or any of its subcontractors
  – Many also require the BA to pay the costs of a breach caused by the BA or its subcontractor
Business Associates
• Due to the enforcement and liability risks, BAs should take immediate steps to become HIPAA compliant
• Compliance steps should include, at a minimum:
  – Conducting a written security risk analysis
  – Designating a security officer
  – Implementing required security policies and procedures
Business Associates
  – Implementing technical security measures and facility access controls
  – Conducting HIPAA training programs for staff and management
  – Entering into business associate agreements with subcontractors
  – Developing policies and procedures to provide breach notification to the covered entity upon discovering a privacy or security breach
HIPAA/HITECH Final Omnibus Rule
• Revised definition of “Breach”
  – Breach presumed unless:
    • “LoProCo”: the CE or BA can demonstrate that there is a low probability that the PHI has been compromised, based on:
      – The nature and extent of the PHI involved (including the types of identifiers and the likelihood of re-identification);
      – The unauthorized person who used the PHI or to whom the disclosure was made;
      – Whether the PHI was actually acquired or viewed; and
      – The extent to which the risk to the PHI has been mitigated.
  – Focus is on the risk to the data, instead of the risk of harm to the individual
Top HIPAA Issues
• Security Breaches
  – Covered Entity responsible for BA breaches
  – Everyone will eventually experience a breach: be prepared
  – Conduct a risk assessment, implement policies and do training
  – Encryption is a safe harbor
  – Don’t forget state identity theft reporting requirements
  – Paper is still a big risk
Top HIPAA Issues
• Mobile Devices/BYOD
  – Develop a strategy
  – Encryption, Encryption, Encryption!!!
  – FTC may jump in with regulations
Healthcare Risks
• Healthcare information is now a HIGH priority target for cybercriminals
• A complete health record is worth at least 10x more than credit card information on the black market
• Health care records include a treasure trove of personal information, enabling:
  – Identity theft
  – Filing false insurance claims
  – Obtaining prescription medications
Healthcare Risks
• Security protections currently in place in the healthcare industry tend to lag behind those in the banking and financial sector
• Health information seen as “low hanging fruit”
• FBI warned in August 2014 that hackers were possibly seeking PHI
Anthem
• On February 4, 2015 Anthem disclosed that it was the victim of a “very sophisticated” cyberattack
• Exposed the birthdates, social security numbers, medical ID numbers, street and email addresses and employee data of 80 million customers and employees
• Data was not encrypted in its database
Anthem
• Hack believed to have begun with phishing e-mails sent to a handful of its employees
• The e-mails were used to trick the individuals into visiting malicious websites or executing malware
Anthem
• FBI investigating the breach
• HHS Office of Inspector General working with law enforcement
• State Attorneys General looking into the breach
• Numerous class action and individual lawsuits filed in several states
• Reputational harm: Anthem = Breach
HIPAA Enforcement
• HIPAA enforcement has changed dramatically since 2011, as evidenced by some recent high-profile and high-penalty enforcement actions taken by OCR
  – HITECH increased the monetary penalties available for HIPAA violations
• CEs and BAs must also be on the alert for actions by state Attorneys General, potential class action lawsuits, OCR’s HIPAA audit program, and even FTC investigations
OCR Enforcement
• Skagit County, WA (March 2014)
  – First settlement with a county government
  – For 2 weeks Skagit County disclosed the ePHI of 1,581 individuals by providing access to the ePHI on its public server
  – Failed to provide notification to all of the individuals whose ePHI had been compromised
  – Failed to have sufficient policies and procedures in place
  – Paid $215,000 and entered into a three-year corrective action plan (“CAP”)
OCR Enforcement
• Concentra Health Services
• QCA Health Plan, Inc. of Arkansas (April 2014)
  – Stolen, unencrypted laptops
  – Concentra paid $1,725,220 plus CAP
  – QCA paid $250,000 plus CAP
OCR Enforcement
• Anchorage Community Mental Health Services (December 2014)
  – Breach of unsecured ePHI that affected 2,743 individuals
  – Breach resulted from malware compromising the security of ACMHS’ information technology resources
  – Failed to conduct a thorough risk assessment and implement reasonable and appropriate security policies and procedures
  – Paid $150,000 and entered into a 2-year CAP
Lessons Learned
• Appropriate safeguards can prevent breaches:
  – Evaluate the risk to ePHI when at rest on removable media, mobile devices and computer hard drives
  – Conduct a RISK ANALYSIS
  – Take reasonable and appropriate measures to safeguard ePHI – policies and procedures
  – Encrypt data stored on portable/moveable devices & media
  – Consider appropriate data backup
  – Train workforce members on how to effectively safeguard data and report security incidents
HHS HIPAA Audits – Phase 2
• Primarily internally staffed
• Selected entities will receive notification and data requests
• Entities will be asked to identify their BAs and provide their current contact information
• Will select BA audit subjects
• Significant noncompliance can lead to a formal investigation by OCR
  – Backdoor enforcement tool
FTC Enforcement
• LabMD
  – FTC used general security enforcement approach
  – Wanted monitoring for 20 years
• Mobile applications
  – FTC reviewing potential rules for mobile devices and applications
  – Health care is part of this review
State Attorney General Enforcement
• State Attorneys General have started to exercise the authority granted by HITECH to bring civil actions on behalf of state residents for violations of HIPAA
• Connecticut, Vermont, Massachusetts and Minnesota AGs have brought actions under HIPAA
  – Minnesota went against a BA
• Many are looking into the Anthem breach
Data Breach Class Actions
• Examples:
  – Tenet Health – settled a 17-year-old breach case for $32.5 million in October 2014
  – AvMed – settled a class action for $3 million last October, where 2 unencrypted laptops contained AvMed health plan member PHI
  – Community Health Systems – faces a class action brought over the data breach that it reported on August 18 (4.5 million customers affected)
  – Anthem
Employer Liability
• Walgreens
  – Indiana jury awarded $1.44 million to a Walgreens customer due to allegations that a Walgreens pharmacist improperly used and disclosed the customer’s prescription information
  – Rogue employee in a love triangle
  – HIPAA used as the standard of care
  – Walgreens found 80% liable
  – Upheld on appeal
Recommendations
• CEs and BAs must:
  – Conduct thorough risk assessments and appropriately update the same
  – Develop and update robust HIPAA policies and procedures, including use of encryption
  – Conduct ongoing HIPAA training and awareness programs with all staff
  – Make sure agreements are in place with all BAs and subcontractors having access to PHI
  – Place emphasis on the risks, use and safeguards of portable electronic devices, which are frequently at the center of a data breach