HIPAA Breach & Investigations: Managing State Attorneys General and HHS while Minimizing your Risk
FairWarning® Ready Executive Webinar Series April 30, 2013
View the Replay on YouTube
Agenda
• Overview of the HHS Final “Omnibus” HIPAA Rules and How They Impact Enforcement
• How to approach an Attorney General’s Office regarding data breaches and strategies for addressing enforcement by those Offices
• Risk-prevention Efforts and Resources
• Insights regarding the concept of a “breach rehearsal”, including testing an organization's ability to conduct a forensics search of audit logs for the “root cause of a major breach”
Today’s Panel
Colin Zick Partner, Foley Hoag LLP [email protected]
Kurt J. Long FairWarning® Founder and CEO [email protected]
Kevin Conroy Counsel, Foley Hoag LLP [email protected]
© 2013 Foley Hoag LLP. All Rights Reserved. Managing Enforcement Risk | 4
Managing State Attorneys General and HHS OCR While Minimizing Your Risk
Colin J. Zick, Foley Hoag LLP, (617) 832-1275
PART I: Overview of the HHS Final “Omnibus” HIPAA Rules and How They Impact Enforcement
Overview of the New “Omnibus” HIPAA Privacy and Security Regulations
In the 563 pages of the regulations and related regulatory comments, there are many substantive and technical changes. However, we distilled two major themes in these revisions:
Extension of HIPAA generally, and in particular the direct extension of HIPAA to business associates and their subcontractors, so that now the entire food chain that deals with PHI falls under HIPAA’s privacy and security regulations; and
Ramping up the regulations on data breach, including shifting the burden on breach notification: an impermissible use or disclosure is now presumed to be a breach, and it is squarely on the covered entity/business associate to demonstrate a “low probability” that the PHI has been compromised.
Both these changes impact how OCR will enforce the rules.
HHS OCR Review and Investigations
Investigation is required when a preliminary review indicates a possible violation due to willful neglect; it is discretionary otherwise
Every complaint will receive a preliminary review
HHS OCR may disclose PHI to other agencies on request
FTC, HHS OCR and DoJ are working together and can assist state AGs
Levels of penalties (per violation) remain the same as in the prior interim final rule:
– $100-$50,000 – did not know (and, exercising reasonable diligence, would not have known)
– $1,000-$50,000 – reasonable cause
– $10,000-$50,000 – willful neglect, corrected within 30 days
– $50,000 – willful neglect, NOT corrected within 30 days
“Reasonable cause” – knew, or by exercising reasonable diligence would have known, that the act or omission was a violation, but did not act with willful neglect:
– Is this the “stupid mistake”?
“Willful neglect” standard remains the same: “conscious, intentional failure or reckless indifference” to the obligation to comply
Breach Notification – New Rule Penalties
The factors taken into account in imposing civil penalties have been revised to include:
– “The number of individuals affected”;
– “The time period during which the violation occurred”;
– “Financial harm” to the affected individuals;
– “Harm to an [affected] individual’s reputation”;
– “Hinder[ing] an [affected] individual’s ability to obtain health care”.
In other words, breaches that impact more people over a longer time with resulting harm will be punished more severely.
A history of previous “indications of non-compliance” also will be factored into this HIPAA civil penalty analysis. 45 C.F.R. § 160.408
Also notable is what these regulations did not do: they did not raise the cap on HIPAA civil monetary penalties. It remains at $1.5 million per calendar year for all violations of an identical provision, which is somewhat surprising in light of the increasing frequency and scope of breaches involving PHI, and the increasingly large penalties the Office for Civil Rights has imposed for HIPAA privacy and security violations.
Breach Notification – New Rule Penalties
Business associates (and subcontractors) are now directly liable for the increased penalties for noncompliance, tiered by level of culpability up to a maximum of $1.5 million, because HHS OCR now deals with them directly:
– OCR can receive and investigate complaints against them
– OCR can perform compliance reviews on them
– They must submit records and reports to HHS OCR and cooperate with investigations
– They must abide by the whistleblower protections
A covered entity’s liability for CMPs for the acts of its business associates (and a business associate’s liability for its subcontractors) is based on the federal common law of agency:
– Did the covered entity control, or have the right to control or direct, the agent’s conduct in performing the contracted service?
– If there is a business associate agreement, isn’t the answer always “yes”?
Managing State Attorneys General and HHS OCR While Minimizing Your Risk
Part II: How to approach an Attorney General’s Office regarding data breaches and strategies for addressing enforcement by those Offices
Kevin C. Conroy, Foley Hoag LLP, (617) 832-1145
State Enforcement of Data Breaches
Nearly every State has a data breach law, which requires notice of a data breach to the state’s Attorney General and sometimes to other state officials
Notice is required when:
– there has been a breach of security; or
– personal information of a resident has been compromised.
Notice generally must include:
– the nature of the breach of security or of the unauthorized access or use of personal information;
– the number of affected residents; and
– the steps the notifying entity is taking or plans to take relating to the incident.
Some states also require that the notice include:
– the consumer’s right to obtain a police report;
– how a consumer requests a security freeze;
– the information a consumer will need to provide to request a security freeze; and
– disclosure of fees associated with placing, lifting, or removing a security freeze.
Some state laws provide that if notice is properly provided under federal law, the entity has complied with the notification provisions of state law
Attorneys General and Data Breaches
In early 2007, State AGs came together to investigate the massive TJX data breach:
– Resolved in 2009 with 41 states
– Involved roughly 45 million credit card numbers
– The breach led to the Massachusetts Data Breach Notification Law and many other state laws
– Although State AGs were given authority to enforce data breach laws, very few states were given increased resources to enforce them
Recent increased attention by AGs to data breaches:
– Under the federal HITECH Act of 2009, Attorneys General can bring civil actions for HIPAA violations and obtain damages against a health care provider on behalf of state residents
– This month the National Association of Attorneys General Presidential Initiative focused on privacy and data breach issues (led by MD AG Gansler)
– Many state AGs are resolving high-profile cases and gaining media attention
– The California AG indicates she will focus on health care data breaches
– Some AGs (California, Connecticut, Indiana, Maryland) are creating units/divisions to focus on data breach issues
Massachusetts Attorney General Experience Provides Lessons Nationally
The Massachusetts AG’s Office averages approximately 700 data breach notifications a year, about two a day
– 82% of reported data breaches affected fewer than 100 people
– 4% of reported data breaches affected between 1,000 and 10,000 people
– 14% of reported data breaches affected more than 10,000 people
Although the AG’s Office receives 700 data breach notifications a year, the Office has resolved only six data breach matters (two in health care)
– The overwhelming majority of notices lead to no investigation by the Office
– The Office only has the resources to investigate significant data breaches
The AG’s Office would rather that you adequately address the breach than have to address it itself
Generally, consumer protection staff handle data breach matters
Themes of AG Enforcement
Large number of consumers affected
Media attention prior to enforcement or notice
The entity that suffered the data breach had no data security policy at all
Failure to encrypt data
Actions involving contractors/third-party agreements where the entity exercised no control whatsoever over the contractor
With authority under federal law, more state AGs are focusing on enforcement in the health care area
It usually does not matter that there are no reports of unauthorized use of the information
Dealing with Attorney General’s Office
The Notice Letter to the AG’s Office is crucial
Goal: Show the AG’s Office you are adequately addressing data breach
Tips:
– Quickly and effectively learn the facts of the breach
– If the breach involves a possible crime (e.g., theft of a laptop), contact law enforcement
– Address how and why the breach occurred
– Show that a comprehensive WISP (written information security program) exists that has all of the elements needed to satisfy state law
– Address whether the WISP was followed
– If a contractor is involved, address the agreements with the contractor that are in place and why the contractor needed access to the information (do not assume that the AG’s Office understands why you need to share information with a contractor)
– Address the efforts made to notify affected residents, and show that the notice was prompt and thorough
– Provide credit monitoring for affected residents
– Note in the letter that you have provided notice to both the AG and the other agencies responsible
– Media reports may force you to accelerate reporting of the data breach
Dealing with Attorney General’s Office
If the breach is substantial, decide early whether to use substitute notice
Be prepared for the AG’s Office to alert the press through a press release in the case of a substantial breach
Be cautious regarding what you tell the AG’s Office
– In most circumstances, there should be no need to call the AG’s Office
– Rely on the notice letter
If the AG’s Office decides to investigate, it will likely not resolve a matter unless it conducts an investigation and reviews the WISP and other documents
An AG enforcement action is likely to begin with a Civil Investigative Demand/subpoena
AG enforcement will take longer than you think to resolve
The AG’s Office will issue a press release once the case is resolved
Managing State Attorneys General and HHS OCR While Minimizing Your Risk
Colin J. Zick, Foley Hoag LLP, (617) 832-1275
PART III: Risk-Prevention Efforts and Resources
HHS OCR HIPAA Audit Program Protocol: What is it?
The OCR HIPAA Audit program analyzes the processes, controls, and policies of selected covered entities pursuant to the HITECH Act audit mandate. OCR established a comprehensive audit protocol that contains the requirements to be assessed through these performance audits.
The entire audit protocol is organized around modules representing separate elements of privacy, security, and breach notification. The combination of these multiple requirements may vary based on the type of covered entity selected for review.
HHS OCR HIPAA Audit Program Protocol: What does it cover?
The audit protocol covers Privacy Rule requirements for:
– (1) notice of privacy practices for PHI
– (2) rights to request privacy protection for PHI
– (3) access of individuals to PHI
– (4) administrative requirements
– (5) uses and disclosures of PHI
– (6) amendment of PHI, and
– (7) accounting of disclosures.
The protocol covers Security Rule requirements for administrative, physical, and technical safeguards
The protocol covers requirements for the Breach Notification Rule
HHS OCR HIPAA Audit Program Protocol: What’s happening?
KPMG is conducting the audits on behalf of HHS OCR
115 HIPAA audits completed
OCR is reviewing the results of its pilot HIPAA compliance audit program:
– a more streamlined audit process is promised;
– but also an expanded pool of organizations to be audited in an ongoing, permanent program
Key Issues Identified in Audits
Privacy:
– Records of deceased individuals
– Personal representatives
– Business associate agreements
– Disclosures to courts and government entities
– Verification of identity
Security:
– Monitoring authorized users
– Contingency planning
– Authentication and integrity
– Media reuse and destruction
– Risk assessments
– Granting or modifying user access
How to Manage the Risk of Audit or Violation?
Develop and maintain an effective compliance program
Education and training
Discipline for violations
Self-audit
RESOURCES
OCR: http://www.hhs.gov/ocr/privacy
Audit protocol: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html
My blog: http://www.securityprivacyandthelaw.com
Defining Moment
• According to “The Risk of Insider Fraud, Second Annual Study”, released by the Ponemon Institute in February 2013:
– It takes an organization an average of 87 days to determine that insider fraud has occurred and 105 days to determine the root cause
– With only one-third of cases being closed with actionable evidence, the data implies that organizations, as well as patients and providers, are vulnerable to repeat offenses
Identity Theft Scenario: Mid-size health system with 4 hospitals and 10 clinics in the South Eastern US
• ePHI was stolen over a period of time by an employee with authorized access to the EHR system
• The employee collaborated with a regional crime ring, where the identities were further sold for use in medical identity theft, creation of false tax returns, and generation of credit cards for fraudulent use
• The incident is ultimately reported by the media as details of the crime ring come to light
• Initial media reports indicate that a large number of innocent victims may have been impacted
• Within moments of the media release, the health system is flooded with calls from potential victims, other media outlets, and regulators. Enforcement officials are not far behind.
Importance of Forensics
• Pressure to determine root cause and scope quickly
• Encourage and use both internal and external tip sources
• Review audit logs across systems for suspicious behavior by unauthorized and authorized users
• The volume of log data may cause delays
• A manual approach is susceptible to interpretation errors and contributes greatly to inaccurate communications
• A confidence killer that sets the stage for future doubt
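The audit-log review described above, as an added example that is not part of the webinar and is not FairWarning's product code: a small triage pass over an EHR access log that baselines how many distinct patients each user normally touches, flags users whose chart volume or after-hours share is out of line (the authorized-insider pattern from the scenario), and then reports the scope for a flagged user: first and last access, number of days, and which patient records were touched. The log format (ISO timestamp, user, unit, patient MRN, action), the sample lines, the 07:00-19:00 business-hours window and the thresholds are all assumptions chosen for illustration.

```python
"""Audit-log triage for the authorized-insider scenario.

Added example, not code from the webinar or from FairWarning. The log
format, the sample lines, the business-hours window and the thresholds
are assumptions for illustration only.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median
from typing import NamedTuple


class Event(NamedTuple):
    ts: datetime
    user: str
    unit: str
    patient: str
    action: str


# Constructed sample log: three ordinary users and one billing user who
# pulls many unrelated charts after hours across several nights. One line
# is deliberately truncated to exercise the parser's error path.
SAMPLE_LOG = """\
2013-03-04T08:05:11 nurse_a nursing/ICU MRN1001 VIEW
2013-03-04T08:07:30 nurse_a nursing/ICU MRN1002 VIEW
2013-03-04T14:20:02 nurse_a nursing/ICU MRN1001 UPDATE
2013-03-05T09:15:45 nurse_a nursing/ICU MRN1003 VIEW
2013-03-04T10:01:00 nurse_b nursing/ICU MRN1002 VIEW
2013-03-04T10:03:12 nurse_b nursing/ICU MRN1004 VIEW
2013-03-05T11:40:09 nurse_b nursing/ICU MRN1004 UPDATE
2013-03-04T09:00:00 clerk_x registration MRN1005 VIEW
2013-03-05T09:30:00 clerk_x registration MRN1006 VIEW
2013-03-05T09:45:00 clerk_x registration MRN1007 VIEW
2013-03-05T09:50:00 clerk_x registration MRN1007
2013-03-04T21:10:05 insider billing MRN1001 VIEW
2013-03-04T21:11:40 insider billing MRN1002 VIEW
2013-03-04T21:13:02 insider billing MRN1003 VIEW
2013-03-04T21:14:55 insider billing MRN1004 VIEW
2013-03-04T21:16:20 insider billing MRN1005 VIEW
2013-03-05T22:02:10 insider billing MRN1006 VIEW
2013-03-05T22:03:33 insider billing MRN1007 VIEW
2013-03-05T22:05:01 insider billing MRN1008 VIEW
2013-03-05T22:06:48 insider billing MRN1009 VIEW
2013-03-05T22:08:15 insider billing MRN1010 VIEW
2013-03-06T13:00:00 insider billing MRN1011 VIEW
"""


def parse_log(text):
    """Parse 'timestamp user unit patient action' lines.

    Lines that cannot be parsed are returned separately instead of being
    dropped, so the analyst knows exactly what the automated pass skipped.
    """
    events, rejected = [], []
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if len(parts) != 5:
            rejected.append(raw)
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
        except ValueError:
            rejected.append(raw)
            continue
        events.append(Event(ts, parts[1], parts[2], parts[3], parts[4]))
    return events, rejected


def is_after_hours(ts, start_hour=7, end_hour=19):
    """Assumed business-hours window; anything outside it is after hours."""
    return ts.hour < start_hour or ts.hour >= end_hour


def flag_users(events, volume_factor=3.0, after_hours_share=0.5, min_events=5):
    """Return {user: [reasons]} for users whose access pattern is anomalous.

    Volume rule: distinct patients touched exceeds volume_factor times the
    median over all users. After-hours rule: more than after_hours_share of
    the user's accesses fall outside business hours (with at least
    min_events accesses, so one late chart does not trip it).
    """
    patients = defaultdict(set)
    total = defaultdict(int)
    after = defaultdict(int)
    for e in events:
        patients[e.user].add(e.patient)
        total[e.user] += 1
        if is_after_hours(e.ts):
            after[e.user] += 1
    if not patients:
        return {}
    baseline = median([len(p) for p in patients.values()])
    flags = {}
    for user, seen in patients.items():
        reasons = []
        if len(seen) > volume_factor * baseline:
            reasons.append(f"{len(seen)} distinct patients vs. median {baseline:g}")
        if total[user] >= min_events and after[user] / total[user] > after_hours_share:
            reasons.append(f"{after[user]}/{total[user]} accesses after hours")
        if reasons:
            flags[user] = reasons
    return flags


def scope(events, user):
    """Root cause and scope for one user: when, for how long, which records."""
    mine = sorted((e for e in events if e.user == user), key=lambda e: e.ts)
    if not mine:
        return None
    return {
        "user": user,
        "first": mine[0].ts.isoformat(),
        "last": mine[-1].ts.isoformat(),
        "days": len({e.ts.date() for e in mine}),
        "patients": sorted({e.patient for e in mine}),
    }


if __name__ == "__main__":
    evs, bad = parse_log(SAMPLE_LOG)
    print(f"parsed {len(evs)} events, {len(bad)} unparseable line(s)")
    for who, reasons in flag_users(evs).items():
        print(who, "->", "; ".join(reasons))
        print("  scope:", scope(evs, who))
```

The three outputs are the ones the notice letter has to state: who, over what period, and which individuals' records. The parser surfaces unparseable lines rather than silently dropping them, because an undercount discovered later is exactly the "confidence killer" the slide warns about; in a rehearsal, run the same pass against an export from each system that holds ePHI and time how long it takes to get from the raw log to these answers.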
How to prepare now
• Create a crisis management team and seek management buy-in
• Identify specific processes for how the crisis management team will work together at the time of a breach
• Identify and align a PR point of contact and develop a media plan
• Evaluate what IT resources are needed to conduct a forensics investigation of a breach
• Make sure access is readily available to the audit logs of all major systems that contain ePHI
• Rehearse all of the above and test the process for responding to a root cause analysis
Fully rehearse your breach response processes, including forensics
Contact Information
Colin Zick Partner, Foley Hoag LLP [email protected]
Kurt J. Long FairWarning® Founder and CEO [email protected]
Kevin Conroy Counsel, Foley Hoag LLP [email protected]