best practices for hipaa compliance and data protection for senior living operators


DESCRIPTION

Senior living communities face many challenges when serving older adults, particularly with regard to protecting the privacy and security of seniors themselves and their personal information. This session will discuss key aspects to achieving those goals. First, it will provide practical tips for creating an effective, efficient and documented training program to create staff awareness and ensure compliance. The session also will cover critical legal risks and practical issues concerning various approaches to monitoring, including video, smarthome, geofencing, and related technologies that communities should consider when implementing and maintaining a monitoring program. Finally, the session will provide communities with strategies for data breach preparedness and response. Joseph Lazzarotti, Esq., CIPP Shareholder, Jackson Lewis P.C.

TRANSCRIPT

Key HIPAA and Related Challenges: Training Staff, Monitoring and Data Breaches

Joseph Lazzarotti, Esq., CIPP Shareholder, Jackson Lewis

Agenda

▶  Considerations for an effective, efficient and documented training program
▶  Legal and practical issues with monitoring
▶  Data breach response program, preparedness and response

Training

▶  Why is training needed?
▶  Who should be trained?
▶  Who should conduct the training?
▶  About what?
▶  When and how often?
▶  How should training be conducted?
▶  Do we have to document?

Training

▶  Why is training needed?
  –  HIPAA Privacy Rule § 164.530(b)
  –  HIPAA Security Rule § 164.308(a)(5)
  –  Specific State Requirements – e.g., Texas § 181.101
  –  General State Laws – e.g., Florida § 501.171(2)?
  –  Accreditation and Industry Guidelines, and “best practices”
  –  Risk management
  –  Strengthening defensible position

Training

▶  Who should be trained?
  –  Workforce members who have access to PHI, but possibly not everyone
  –  Volunteers
  –  Staffing employees
  –  Committees (peer review, risk, audit, compliance)
  –  HR personnel responsible for discipline, performance reviews
  –  Consider needs beyond HIPAA – state law requirements and company confidential information

Training

▶  Who should conduct the training?
  –  In-house v. outsourcing
  –  Privacy/Security Officer?
  –  Department head?
  –  Person from same location?
  –  Technical expert v. people person… both?

Training

▶  About what?
  –  Topics depend on trainees and their responsibilities
  –  Real situations (de-identified, of course!)
  –  Focus on key issues
    •  Know the basics – e.g., what is protected health information
    •  Device management
    •  Spotting, preventing, reporting and mitigating a data breach
    •  Communicating with family members
    •  Responding to requests for information from third parties
    •  Incorporate more stringent state laws
    •  Your policies and approved practices, not bad habits

Training

▶  When and how often?
  –  Reasonable time after hire date – but watch state law (e.g., Texas – 90 days)
  –  Reasonable time after change in policies
  –  Sensitivity of information, volume
  –  Change in technology, software, devices
  –  Acquire a new business
  –  Following a security incident
    •  Even if not incurred by your company
    •  Even if no breach happened

Training

▶  How should training be conducted?
  –  Notices, newsletters, dashboard
  –  In-person
  –  Online courses, videos
  –  Testing
  –  Tabletops
  –  ERG – Employee Resource Group
  –  Combination

Training

▶  Do we have to document?
  –  Yes, required under HIPAA and state laws
  –  Document program itself and who participates
  –  Standard request in agency audits and breach investigations
  –  Helps to support wrongful termination claims
  –  Helps to defend negligence and similar claims in litigation

Monitoring

▶  Why monitor?
  –  Facility security
  –  Safeguard residents
  –  Monitoring employee performance
  –  Avoid identity theft/data breach
  –  Detect and dissuade improper behavior – abuse, harassment, discrimination, bullying
  –  At the request of families

Monitoring

▶  How are you monitoring?
  –  Video
  –  Audio, including telephone
  –  Smart home devices that can collect physiological, location, and movement data
  –  GPS
  –  Information systems – employee email, website activity, etc.

Monitoring

▶  Practical concerns
  –  Technology can promote isolation
  –  Are systems user friendly?
  –  Ability to individualize
  –  Costs of installation, operation, updates, etc.
  –  Reluctance to use because of fears about privacy and technology
  –  Storage, record retention and destruction

Monitoring

▶  Legal Concerns – General
  –  Varied concerns relating to residents, employees, visitors
  –  Balance: privacy v. safety v. security
  –  Constitutional principles: reasonableness
    •  O’Connor v. Ortega
    •  City of Ontario v. Quon
  –  Duty to monitor created?
  –  Data captured can become evidence
  –  How to handle the information obtained?

Monitoring

▶  Legal Concerns – Residents
  –  HIPAA compliance
    •  Is the information captured PHI?
    •  Are recordings maintained securely?
    •  Are employees trained?
    •  Business associate agreements with vendors
  –  State law requirements
    •  Industry regulations
    •  Common law protections
    •  Voyeurism

Monitoring

▶  Legal Concerns – Residents
  –  Granny Cams
    •  Few states have enacted laws requiring that residents have the right to install. See, e.g., Texas and Oklahoma. Some recent effort in other states. See, e.g., New Jersey and Massachusetts.
    •  Do you have a process for handling requests, addressing cameras that have been installed without your knowledge?

Monitoring

▶  Insider Threat
  –  “A growing number of companies are under pressure to protect sensitive data — and not just from hackers lurking outside the digital walls. They're also looking to protect it from insiders — employees who may want to swipe information such as customer bank account numbers or electronic medical records.”

Software That Sees Employees, Not Outsiders, As The Real Threat, Shahani, NPR, All Tech Considered, July 23, 2014

Monitoring

▶  Legal Concerns – Employees
  –  Expectation of privacy
  –  Notice requirements – CT, DE for electronic monitoring
  –  Common law intrusion upon seclusion
  –  Restrictions on requesting or requiring employees or applicants to disclose social media/online account usernames and passwords – does monitoring/spyware provide a backdoor?
  –  Wage and hour issues
  –  Handling “theft” of resident records

Monitoring

▶  Legal Concerns – Employees
  –  Stored Communications Act
    •  Service provider and consent exceptions
    •  ER can access employee’s “stored” electronic communications on its systems. Fraser v. Nationwide Mutual Insurance Co., 352 F.3d 107 (3d Cir. 2003)
    •  Policies are important: no implied consent to search employee’s web-based personal emails when policy limited to “Company equipment.” Pure Power Boot Camp v. Warrior Fitness Boot Camp, 587 F. Supp. 2d 548 (S.D.N.Y. 2008)
  –  Electronic Communications Privacy Act
    •  Service provider and consent exceptions
    •  Spyware – contemporaneously transmitted "screen shots" of computer activity to a remote location violates the Wiretap Act. Shefts v. Petrakis, 2012 U.S. Dist. LEXIS 130542

Monitoring

▶  Legal Concerns – Employees
  –  National Labor Relations Act – protected concerted activity
    •  ER’s monitoring of email system is lawful so long as the ER does nothing “out of the ordinary,” such as increasing its monitoring during an organizational campaign or focusing its monitoring efforts on protected conduct or union activists. In re Purple Communications

Monitoring

▶  “Life is like a box of chocolates”
  –  Resident abuse
  –  Resident/visitor communications
  –  Employee medical information – ADA, GINA, FMLA, HIPAA
  –  Attorney–client communications
  –  Personal communications
  –  Section 7 communications
  –  Highly sensitive company information
  –  Child pornography

Monitoring

▶  Planning a Monitoring Program
  –  Who and what gets monitored, and when?
  –  Who decides?
  –  Who performs the monitoring?
  –  Who can access what is monitored?
  –  Who monitors the monitors?
  –  We find something, now what?
  –  Plan for further investigation? Data incident?
  –  Do we act on what we find, and how?

Data Breach

▶  What is a Breach?
  –  Unauthorized use of, or access to, records or data containing personal information
    •  First name (or first initial) and last name in combination with:
    •  Social Security Number
    •  Driver’s license or state identification number
    •  Account number or credit or debit card number in combination with access or security code
    •  Biometric information (e.g., NC, NE, IA, WI)
    •  Medical information (e.g., HIPAA, AR, CA, DE, MO, TX, VA)
    •  Broader view taken by FTC – email address, phone numbers, etc.
  –  Can affect: residents, employees, family members

Data Breach

▶  How can it happen?
  –  The lost laptop/bag
  –  Inadvertent access
  –  Data inadvertently put in the “garbage”
  –  Theft/intentional acts, hacking, phishing attacks, other intrusions
  –  Inadvertent email attachment(s)
  –  Stressed software applications
  –  Rogue employees
  –  Remote access
  –  Wireless networks
  –  Peer-to-peer networks
  –  Vendors

Data Breach

▶  First Steps
  –  Get your breach response plan – hopefully you have one
  –  Immediately alert data breach response team, counsel, and insurance carrier, if applicable
  –  Take steps to secure information systems, including any and all files containing customer, employee and other individuals' personal information that may be at risk
  –  Coordinate with law enforcement, as needed
  –  Identify key person to monitor and drive team progress
  –  Involve top management, public relations
  –  Make preliminary assessments and consider preliminary actions, notices
  –  Consider implementing litigation hold

Data Breach

▶  Did a breach occur?
  –  Review applicable federal, state and local laws
    •  FTC/HIPAA/SEC considerations
    •  Risk of harm trigger… e.g., in Michigan – no notification if “the security breach has not or is not likely to cause substantial loss or injury to, or result in identity theft with respect to, 1 or more residents of this state”
    •  Police investigation/consultation
    •  Consider whether immediate federal and/or state notification required/recommended
  –  Conservative vs. aggressive approach
    •  Breach involves “risk of harm” states and “non-risk of harm” states
    •  Notify individuals, but not state agencies

Data Breach

▶  Issues that have to be considered
  –  Who should be notified?
  –  What should the notice say?
  –  How should it be delivered, and when?
  –  Should we offer credit monitoring?
  –  Do we need a call center?
  –  Does insurance cover this?
  –  Do we have to notify the media?
  –  What if notices are undeliverable?
  –  Who should respond to questions from affected individuals, federal and state agencies?

Data Breach

▶  Basic breach preparedness
  –  Take reasonable steps to prevent breaches – develop and implement a written information security program
  –  Have a data breach response plan
  –  Educate employees about the plan, practice the plan, follow the plan
  –  Be transparent, credible, responsive

Questions?

Thank you!!

Joseph Lazzarotti, Jackson Lewis P.C.
973-451-6363
www.workplaceprivacyreport.com