
Page 1: Health Data Breaches: Complying with New HIPAA ...media.straffordpub.com/products/health-data... · 9/25/2013  · Health Data Breaches: Complying with New HIPAA Notification Rule

Health Data Breaches: Complying with New HIPAA Notification Rule and Mitigating Damages
Navigating Complex Challenges for Healthcare Data Management, Preservation and Protection

WEDNESDAY, SEPTEMBER 25, 2013
Presenting a live 90-minute webinar with interactive Q&A
1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific

Today’s faculty features: Kimberly J. Gold, Attorney, Mintz Levin Cohn Ferris Glovsky and Popeo, New York

The audio portion of the conference may be accessed via the telephone or by using your computer's speakers. Please refer to the instructions emailed to registrants for additional information. If you have any questions, please contact Customer Service at 1-800-926-7926 ext. 10.

Page 2: Sound Quality / Viewing Quality

Sound Quality
If you are listening via your computer speakers, please note that the quality of your sound will vary depending on the speed and quality of your internet connection.
If the sound quality is not satisfactory and you are listening via your computer speakers, you may listen via the phone: dial 1-888-601-3873 and enter your PIN when prompted. Otherwise, please send us a chat or e-mail [email protected] immediately so we can address the problem.
If you dialed in and have any difficulties during the call, press *0 for assistance.

Viewing Quality
To maximize your screen, press the F11 key on your keyboard. To exit full screen, press the F11 key again.

FOR LIVE EVENT ONLY

Page 3

For CLE purposes, please let us know how many people are listening at your location by completing each of the following steps:
• In the chat box, type (1) your company name and (2) the number of attendees at your location
• Click the word balloon button to send

FOR LIVE EVENT ONLY

Page 4: Health Care Data Breaches: Complying with the New HIPAA Rule

September 25, 2013
Kimberly J. Gold, Esq.
[email protected]

Page 5: Kimberly J. Gold

Attorney, New York
212.692.6706
[email protected]
JD, Fordham University
BA, University of Delaware

• Practice focuses on health care and corporate matters such as regulatory compliance, privacy and security, mergers and acquisitions, financings, licensing, and reimbursement.
• Experience includes advising health care clients on state and federal privacy and security laws.
• Prepares compliance programs and counsels clients on breach notification requirements.
• Focuses on fraud and abuse issues, Medicare and Medicaid reimbursement, food and drug laws, and state licensure laws and regulations.
• While in law school, completed a judicial internship for the Honorable Phyllis Gangel-Jacob of the New York State Supreme Court Appellate Term.
• Served as the associate editor of the Fordham Intellectual Property, Media and Entertainment Law Journal.

Page 6: Agenda

• Managing Healthcare Data
– Protected Health Information
– In Litigation
– In Government Investigations, Administrative Proceedings, etc.
– In Transactional Matters
• Best Practices for Protecting Data
– Privacy and Security Requirements
– Policies and Procedures for Collection and Preservation
• Responding to Data Breaches
– HIPAA Breach Notification Rule
– Policies and Procedures
– Mitigation of Damages
• Q&A

Page 7: Managing Healthcare Data

Page 8: Protected Health Information

• “Health information” is information relating to past, present, or future physical or mental health of an individual
• “Individually identifiable health information” (IIHI) means health information that identifies an individual
• “PHI” is IIHI created or held by a covered entity in any form or medium
• PHI also includes genetic information as a result of amendments made by the Genetic Information Nondiscrimination Act (GINA)

Page 9: What is Not PHI

• Employment records of the covered entity
• Family Educational Rights and Privacy Act (FERPA) records
– Example: School or university with DOE funding that also has a covered on-site clinic

Page 10: Other PHI Exceptions

• “De-identified” health information
– Safe harbor: stripped of 18 “identifiers”
– Non-safe harbor: statistical measures
• Summary health information (SHI)
– Similar to DHI, but 5 digit (rather than 3 digit) zip code allowed
– The uses of SHI are restricted
• “Limited data sets”
– 16 identifiers stripped out
– Limited to research purposes
– Subject to a “data use agreement”

Page 11: De-Identification

• Removes PHI from the restrictions of HIPAA
• …"the requirements of this subpart do not apply to information that has been de-identified in accordance with the applicable requirements of §164.514…"
• Useful for clinical research, policy assessment, QA/QI initiatives, market research and litigation
• Business Associates may de-identify PHI for their own use

Page 12: The Identifiers that Make Health Information PHI

1) Name
2) Address
3) Birth date
4) Fax number
5) Medical records number
6) Health plan beneficiary number
7) Finger or voice prints
8) Account number
9) Photographic images
10) Certificate/license number
11) Vehicle or device serial number
12) Names of relatives
13) Names of employers
14) Telephone numbers
15) Social Security number
16) Electronic mail addresses
17) Internet protocol address number
18) Web universal resource locator
19) Any other unique identifying number, characteristic or code

Page 13: De-Identification

Safe Harbor Method
• 45 CFR §164.514(b)(2)
• Removal of all 18 types of identifiers (plus the catch all)
• No actual knowledge that remaining information could identify the individual

Statistical Method
• 45 CFR §164.514(b)(1)
• Some identifiers may be used
• Applies scientific principles to confirm that the risk of identifying individuals with remaining information is "very small"

Page 14: De-Identification – Safe Harbor Method

• The cleanest way to de-identify if you can do it
• Removal of all 18 identifiers required
• Includes identifiers of the individual or the individual's relatives, employers, or household members
• The covered entity also must have no actual knowledge that the remaining information could be used alone or in combination with other information to identify the individual who is the subject of the information

Page 15: De-Identification – Safe Harbor Method

• Covered entities may de-identify PHI without authorization as a permissible "health care operation"
• Business Associates must have permission from their covered entity collaborators to de-identify PHI

Page 16: Statistical De-Identification

• The covered entity may obtain certification by "a person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable" that there is a "very small" risk that the information could be used by the recipient to identify the individual who is the subject of the information, alone or in combination with other reasonably available information.
• The person certifying statistical de-identification must document the methods used as well as the result of the analysis that justifies the determination.
• A covered entity is required to keep such certification, in written or electronic format, for at least 6 years from the date of its creation or the date when it was last in effect, whichever is later.

Page 17: Statistical De-Identification

• Who is an "expert?"
– The rule is flexible on requisite fields of expertise (statistics, math, or other scientific domain)
– Office for Civil Rights (OCR) will review the de-identifying expert's professional training as well as de-identification experience
• How does the expert assess the risk of identification?
– The rule is flexible on technical approaches
– However, the analysis justifying the conclusion must be available to OCR upon request

Page 18: Principles for Determining the Identifiability of Health Information

• Replicability
– What are the chances that the information will consistently occur in relation to an individual (blood glucose level vs. birth date)
• Data Source Availability
– Are there external sources of patient identifiers? (lab test results vs. birth date, marriage records)

Page 19: Principles for Determining the Identifiability of Health Information

• Distinguishability
– To what extent can the subject's data be distinguished (3 digit zip code, year of birth and gender vs. 5 digit zip code, date of birth and gender)
• The greater the replicability, availability and distinguishability of the information, the greater the risk of identification

Page 20: What if the Risk of Re-Identification is Larger than "Very Small"?

• Risk may be mitigated (or reduced to "very small") by modification of the data set
• Key consideration: balancing reduction of risk against data utility
• If reducing the risk to "very small" destroys the value of the data set, other approaches should be explored (suppression, generalization, perturbation)

Page 21: Coding De-Identified Information

• A de-identified data set may be coded (assigned a code, algorithm or pseudonym to individual records permitting re-identification)
• The code should not be derived from the data set
• The code must not be provided to anyone without authority to view the identified data
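The safe-harbor stripping and generalization from pages 12 through 14 together with the coding rule on this slide, as an added example that is not part of the presenter's materials or of HHS guidance; the record field names, the PseudonymVault class, the residual-pattern regexes and the sample record are assumptions. It goes one step past the slides by also scanning free-text fields for leftover identifiers, which is one input to the "no actual knowledge" determination rather than a substitute for it.

```python
"""Safe-harbor de-identification plus a separately held re-identification code.
Constructed example: field names, PseudonymVault and the sample record are assumed."""
import re
import secrets
from datetime import date

# The identifier categories from the slide's list, mapped onto assumed field
# names. ZIP and birth date are handled separately: safe harbor generalizes
# them (3-digit ZIP, year only) rather than dropping them outright.
DIRECT_IDENTIFIER_FIELDS = frozenset({
    "name", "street_address", "fax", "medical_record_number",
    "health_plan_beneficiary_number", "fingerprint", "voiceprint",
    "account_number", "photo", "certificate_license_number",
    "vehicle_or_device_serial", "relative_names", "employer",
    "phone", "ssn", "email", "ip_address", "url", "other_unique_code",
})

# Assumed, deliberately narrow patterns for identifiers hiding in free text.
RESIDUAL_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
}


def generalize_zip(zip_code: str) -> str:
    """Keep the 3-digit ZIP prefix (safe harbor) instead of the full 5 digits."""
    return zip_code[:3] + "XX"


def generalize_birth_date(birth_date: date) -> int:
    """Reduce date of birth to year of birth."""
    return birth_date.year


def scan_residual_identifiers(text: str) -> list:
    """Names of residual-identifier patterns found in a free-text field."""
    return [name for name, pat in RESIDUAL_PATTERNS.items() if pat.search(text)]


def safe_harbor_deidentify(record: dict) -> dict:
    """Drop listed identifiers, generalize ZIP and birth date, keep the rest."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            continue
        if field == "zip":
            out["zip3"] = generalize_zip(value)
        elif field == "birth_date":
            out["birth_year"] = generalize_birth_date(value)
        else:
            out[field] = value
    # Free text can carry identifiers the schema does not name; surface them.
    out["residual_findings"] = scan_residual_identifiers(str(out.get("notes", "")))
    return out


class PseudonymVault:
    """Holds the code-to-patient map apart from the de-identified data set.

    The code comes from a CSPRNG, not from the record: a hash of the MRN or
    SSN would be 'derived from the data set' and reversible by anyone who
    can guess the input.
    """

    def __init__(self):
        self._by_patient = {}
        self._by_code = {}

    def code_for(self, patient_key: str) -> str:
        if patient_key not in self._by_patient:
            code = secrets.token_hex(8)
            self._by_patient[patient_key] = code
            self._by_code[code] = patient_key
        return self._by_patient[patient_key]

    def reidentify(self, code: str) -> str:
        """Only whoever is authorized to see identified data holds the vault."""
        return self._by_code[code]


def build_coded_record(record: dict, vault: PseudonymVault) -> dict:
    """The coded, de-identified record that would be released to researchers."""
    coded = safe_harbor_deidentify(record)
    coded["code"] = vault.code_for(record["medical_record_number"])
    return coded


# Constructed sample record with fictional values.
SAMPLE = {
    "name": "Jane Example",
    "medical_record_number": "MRN-0001",
    "ssn": "000-00-0000",
    "street_address": "1 Example St",
    "zip": "10001",
    "birth_date": date(1980, 6, 15),
    "gender": "F",
    "diagnosis_code": "E11.9",
    "notes": "Patient prefers contact at jane@example.invalid",
}

if __name__ == "__main__":
    print(build_coded_record(SAMPLE, PseudonymVault()))
```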

Page 22: Helpful Links

• OCR Website: http://www.hhs.gov/ocr/privacy
• OCR's De-identification guidance: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/De-identification/guidance.html

Page 23: Managing Healthcare Information in Government Investigations and Oversight Activities

• A covered entity may disclose protected health information to a health oversight agency for oversight activities authorized by law, including:
– audits;
– civil, administrative, or criminal investigations;
– inspections;
– licensure or disciplinary actions; and
– civil, administrative, or criminal proceedings or actions
• Disclosure for public health activities is permitted
– E.g., the reporting of a disease or injury; reporting vital events, such as births or deaths; and conducting public health surveillance, investigations, or interventions

Page 24: Managing Healthcare Information in Litigation

• Disclosures of PHI in litigation are permitted upon written documentation provided to covered entity of "satisfactory assurances" that:
– The patient was given notice and an opportunity to object (and no objections raised or request is consistent with how objections were resolved); or
– A "Qualified Protective Order" has been agreed to by the parties or submitted to the judge.

Page 25: Managing Healthcare Information in Litigation

• Under HIPAA and most state laws, PHI can be disclosed in response to a court order or search warrant, but:
– PHI must be relevant and material to legitimate law enforcement inquiry;
– Request must be specific and limited in scope; and
– De-identified information could not reasonably be used

Page 26: Managing Healthcare Information in Transactional Matters

• A covered entity may use and disclose PHI without patient authorization in the case of:
– the sale, transfer, merger or consolidation of all or part of a covered entity to or with another covered entity, or an entity that following such activity will become a covered entity; and
– Related due diligence
• Disclosure of PHI permitted for actual physical transfer of patient records

Page 27: Managing Healthcare Information in Transactional Matters

• Subject to "minimum necessary" standards
• Covered entity must enter into business associate agreement with advisors
• Through due diligence, ensure target entity has complied with HIPAA

Page 28: Best Practices for Protecting Data

Page 29: Privacy and Security Requirements – The Privacy Rule

• A “Covered Entity” may not use or disclose PHI except as
– Authorized by the individual who is the subject of the information or as explicitly required, or
– Required or permitted by the rule
• Where disclosure is permitted, a Covered Entity may only disclose the “minimum amount necessary” to accomplish the intended purpose of the disclosure (this does not apply to direct treatment providers)

Page 30: The Security Rule

• Limited to PHI in electronic form (“ePHI”)
• Violations of the security rule can also be violations of the privacy rule
• High statutory bar: ensure confidentiality, integrity, and availability of PHI
• Applies to covered entities, to business associates and now to subcontractors of business associates (no limitations or exceptions)
• Requires compliance with administrative, physical, and technical safeguards

Page 31: Covered Entity Requirements

• Document policies and procedures
• Implement appropriate administrative, technical, and physical safeguards
• Mitigate harmful effects of violations
• Train the workforce
• Designate a privacy official
• Designate a security official
• Establish a complaint process
• Refrain from intimidating/retaliatory acts
• Enter into BA agreements with business associates

Page 32: Omnibus Rule and Business Associate Liability

• Who Are Business Associates?
– Business associates are those outside entities that create, receive, maintain or transmit protected health information in the course of performing functions on behalf of a covered entity, including:
• Contractors, consultants, data storage companies, health information organizations, and
• Subcontractors of business associates

Page 33: Omnibus Rule and Business Associate Liability: The “Conduit” Analysis

• OCR’s longstanding position has been that entities that act as mere conduits for PHI and do not access PHI other than on a random basis are not business associates
• They may have incidental exposure to PHI, but their jobs do not require them to access or review PHI (e.g., United States Postal Service)
• OCR’s commentary to the Omnibus Rule explains that the conduit analysis is narrow and limited to transmission organizations
• An entity that stores PHI, even if it does not access PHI, is a business associate (e.g., vendors of cloud-based solutions)

Page 34: Omnibus Rule and Business Associate Liability

• The Omnibus Rule clarified that subcontractors of business associates are regulated as business associates
• Business associates and downstream entities are subject to audit, investigation and enforcement for noncompliance
• Common law rules of agency apply: covered entity is liable for breaches of its business associate where there is an agency relationship
• Omnibus Rule applies the “minimum necessary” standard directly to business associates and their subcontractors

Page 35: Business Associate Requirements

• Permitted uses and disclosures
• Requirement to use appropriate safeguards
• Requirement to report non-permitted uses and disclosures to covered entity
• Requirement to extend same terms and conditions to subcontractors and agents (e.g., TPA that subcontracts U/R)

Page 36: Policies and Procedures for Collection and Preservation

• Administrative, physical, and technical safeguards
• Flexibility and scalability
– Standards
– Required implementation specifications
– Addressable implementation specifications
• “Risk Assessment”: required starting point

Page 37: Administrative Safeguards

• Security management process
• Assigned security responsibility
• Workforce security
• Information access management
• Security incident procedures
• Security awareness and training
• Contingency plan and evaluation
• Business associate contracts

Page 38: Physical Safeguards

• Facility access controls
• Workstation use
• Workstation security
• Device and media controls

Page 39: Technical Safeguards

• Access controls
• Audit controls
• Integrity
• Person or entity authentication
• Transmission security

Page 40: Best Practices

• Update policies, procedures and forms to reflect Omnibus Rule requirements
• Implement changes
• Covered Entities: Review your list of business associates and subcontractors in light of the expanded definition of "business associate"
– Are any of your "conduits" actually "business associates?"

Page 41: Best Practices

• Update your Notice of Privacy Practices
– Group Health Plans: distribute updates in the next annual mailing
– Model NPPs on OCR's website: www.hhs.gov/privacy/hipaa/modelnotices.html
• Business associates and subcontractors: Develop and implement HIPAA compliance programs

Page 42: Best Practices

• Update and conduct training and circulate awareness communications
– Inform personnel of changes as soon as possible
– Plan a training session ASAP
• Monitor compliance and risks on an ongoing basis
– Covered entities must actively monitor compliance of personnel and business associates
• Review and update security program at least annually
– Failure to update = noncompliance

Page 43: Best Practices

• Review and possibly amend business associate agreements
• Business associate agreements must now include additional provisions
• Sample provisions posted on OCR website: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html
• Make necessary changes by September 22, 2014
• Any existing agreement modified after September 23, 2013 must include any previously omitted provisions

Page 44: What We Expect from the Office for Civil Rights in the Near Future

• More guidance on the Omnibus Rule
• More audits (targeting business associates and group health plans)
– An updated audit protocol
• Fines for those who ignore requirements or identified problems
• Administrative follow-up for those who make a good faith effort to comply and promptly address identified problems
• An expectation that regulated entities know the rules by now
• Continued focus on mobile devices
• Continued focus on the right to access PHI
• New, expanded accounting

Page 45: Responding to Data Breaches

Page 46: Breach Notification Rule

• Notice must be provided in the event of an “unauthorized acquisition, access, use or disclosure” of PHI that is “unsecured” (i.e., a “breach”)
• PHI is “secure” (and the HITECH breach-notice rules are not triggered) if the PHI is encrypted or destroyed in the manner prescribed by HHS

Page 47: Breach Notification Rule

• Prior law
– No obligation to notify individuals or HHS of a breach of the privacy or security rules
– CEs (but not BAs) were obliged to mitigate harm caused by a breach, which may have included notification
• HITECH added two sets of notice rules
– CEs and BAs
– Personal health record (PHR) vendors and related entities (non-CEs)

Page 48: Breach Notification Rule

• HITECH creates breach reporting requirements for covered entities and business associates
• Breaches of “Unsecured PHI” must be reported to affected individuals and to the federal government (the Department of Health and Human Services Office of Civil Rights)
– “Unsecured PHI” is PHI that has not been secured in accordance with federal standards (encrypted or destroyed)
• A loss of Unsecured PHI that does not present a risk of financial, reputational or other harm may not be a reportable breach

Page 49: Encryption/Destruction

• Secured PHI means PHI that has been rendered “unusable, unreadable, or indecipherable to unauthorized individuals”
• HHS issued guidance on April 17, 2009, identifying two acceptable methods for securing PHI: encryption (electronic) and destruction (electronic and paper)
• Clarifications in the Aug. 24, 2009 interim rule
– Redaction of paper-based PHI does not qualify
– Encryption keys must be stored separately
• Intended to be exhaustive, not illustrative
• Use acts as a “safe harbor”
• HHS will likely issue further guidance

Page 50: Breach Notification Rule

• Applies generally to covered entities and business associates, but
– Business associate is required to notify covered entity, not affected individuals (unless the covered entity delegates this responsibility)
– Notice must be provided without unreasonable delay…in no case later than 60 days following discovery of the breach
• "discovery" is when the covered entity knew or "should have known" about the breach
• Per OCR: 60 days is the outer limit for reporting. In most cases, reporting at the latter end of the 60-day time frame will violate the rule

Page 51: Breach Notification Rule

• Business associate and subcontractor knowledge of a breach is imputed to the covered entity and starts the 60-day clock ticking
• Business associate must have breach notice policies and procedures consistent with these requirements.
• As a practical matter, the workforce must PROMPTLY report breaches and even suspected breaches

Page 52: Breach Reporting – Business Associate Obligations

• Business associates must immediately report known or suspected breaches of PHI to covered entities (so that covered entities may report within the 60 day time frame)
• Speed is key
• Be sure to report even SUSPECTED breaches
– Business associate agreements may impose specific reporting time frames. Some may require reporting within 24-48 hours of the breach.
– Covered entities typically require business associates to cover the costs of their breaches (mitigation, such as credit monitoring, notice to affected individuals, fines, attorney fees, settlements, claims, class action lawsuits…)
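The discovery clock described on pages 50 through 52, as an added example that is not from the presenter's materials or from OCR: discovery is the earliest date on which the covered entity, a business associate or a subcontractor knew or should have known, the 60-day outer limit runs from that date, and the business associate agreement's own reporting window is checked separately. The event tuple schema, function names and the assumed 48-hour contract window are not from the slides.

```python
"""Breach-notification timing with imputed business associate knowledge.
Constructed example: event schema, function names and the 48-hour window are assumed."""
from datetime import date, datetime, timedelta

OUTER_LIMIT = timedelta(days=60)

# Knowledge held by any of these parties counts as the covered entity's discovery.
IMPUTED_PARTIES = frozenset({"covered_entity", "business_associate", "subcontractor"})
# "Discovery" is when the entity knew OR should have known about the breach.
KNOWLEDGE_KINDS = frozenset({"knew", "should_have_known"})


def discovery_date(events):
    """Earliest imputed knowledge date, or None if no party has knowledge yet.

    events: iterable of (party, date, kind) tuples (assumed schema).
    """
    dates = [when for party, when, kind in events
             if party in IMPUTED_PARTIES and kind in KNOWLEDGE_KINDS]
    return min(dates) if dates else None


def notification_deadline(events):
    """60 days from discovery is the outer limit the slides describe, not a target."""
    found = discovery_date(events)
    return None if found is None else found + OUTER_LIMIT


def assess_individual_notice(events, notice_sent: date) -> dict:
    """Report whether notice to affected individuals beat the outer limit."""
    found = discovery_date(events)
    if found is None:
        return {"discovery": None, "deadline": None, "days_used": None, "late": False}
    deadline = found + OUTER_LIMIT
    return {
        "discovery": found,
        "deadline": deadline,
        "days_used": (notice_sent - found).days,
        "late": notice_sent > deadline,
    }


def ba_report_overdue(ba_knew: datetime, reported_to_ce: datetime,
                      window_hours: int = 48) -> bool:
    """Business associate agreements may set a much shorter clock (24-48 hours
    in the slides); the 48-hour default here is an assumption."""
    return reported_to_ce - ba_knew > timedelta(hours=window_hours)


# Constructed timeline: a subcontractor learned of the incident first, the
# business associate should have known two days later, the covered entity
# was told last. The clock starts at the subcontractor's date.
TIMELINE = [
    ("subcontractor", date(2013, 10, 1), "knew"),
    ("business_associate", date(2013, 10, 3), "should_have_known"),
    ("covered_entity", date(2013, 10, 20), "knew"),
]

if __name__ == "__main__":
    print(assess_individual_notice(TIMELINE, date(2013, 12, 2)))
```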

Page 53: What Constitutes a Breach?

• The unauthorized acquisition, access, use or disclosure of protected health information in violation of the Privacy Rule is presumed to be a reportable breach unless
– The covered entity or business associate demonstrates there is a low probability that the information has been compromised based on a risk assessment of certain factors, or
– The breach fits within certain exceptions
• Covered entities must ensure that their policies incorporate and apply this new standard

Page 54: What's Not a Breach?

• Exception if unauthorized person could not have reasonably retained the PHI

• Exceptions for unintentional acquisition, access, or use

– By workforce member or authorized person

– Made in good faith/within scope of authority

– Does not result in further use or disclosure

Page 55: New Breach Notification Analysis

• The proposed rule provided a "harm standard" for the identification of reportable breaches

• The Omnibus Rule creates an objective, four-factor test for determining whether or not PHI has been compromised

– Nature and extent of the PHI involved

– Unauthorized person who used the PHI or to whom disclosure was made

– Whether the PHI was actually acquired or viewed

– The extent to which the risk to PHI has been mitigated

• Under the Omnibus Rule, there is a presumption of reportable breach

Page 56: Breach Notification – Policies and Procedures

• Revise breach notification policies and procedures and breach response plans

– Final rule eliminates “harm threshold” provision

– Instead, assess probability that PHI has been compromised

– Make sure that procedures ensure timely notification of regulators and affected individuals

Page 57: Notice to Individuals

• Written notice to the individual (or next of kin if the individual is deceased) at the last known address by first-class mail

• For insufficient or out-of-date contact information, or in the case of 10 or more individuals with insufficient contact information, conspicuous posting (for 90 days) on the CE's home page or conspicuous notice in major print or broadcast media

• Where there is a possibility of imminent misuse of the unsecured PHI, additional notice by telephone or other methods

Page 58: Notice to the Media

• Notice to prominent media outlets within the State or jurisdiction is required if a breach of unsecured PHI affects or is reasonably believed to affect more than 500 residents of that State or jurisdiction

Page 59: Notice to and by HHS

• Notice to HHS by CEs immediately for breaches involving more than 500 individuals and annually for all other breaches

• Posting on HHS Web site of a list that identifies each covered entity involved in a breach in which the unsecured PHI of more than 500 individuals is acquired or disclosed

Page 60: Enforcement

• The Office of Civil Rights and US Attorney enforce the civil and criminal provisions of HIPAA and HITECH

• HITECH gave state attorneys general the authority to enforce HIPAA

• Under HITECH, the Office of Civil Rights will be allowed to retain a portion of the fines that it collects from violators

– This may be why we are seeing 7-figure fines from OCR.

• HITECH enforcement is designed to be a public, embarrassing process. See the OCR “wall of shame”: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

Page 61: Enforcement – Enhanced Audits

• Previously, HHS audited CEs only in response to complaints

• HITECH directs HHS to conduct periodic audits of CEs and BAs, even if no complaint has been filed

• Where a preliminary investigation indicates “willful neglect”

– An audit is required, and

– Penalties must be imposed for willful neglect

Page 62: Enforcement – State AGs

• State Attorneys General are authorized to bring a civil action for HIPAA violations to enjoin violations and seek damages

– Damages calculated by multiplying number of violations by $100, not to exceed $25,000. Court may award costs and reasonable attorneys’ fees to State

– State action may not be brought during pendency of Federal action

Page 63: Enforcement – Individuals

• Individuals may recover a portion of HHS civil penalties or monetary settlements

• HHS is directed to report to Congress regarding complaints filed and their disposition (will be made available to the public)

Page 64: New Penalty-Based System

• Penalties range from $100 to $50,000 per violation, depending on the level of culpability

• $1.5 million cap per calendar year for multiple violations of identical provisions

• Criminal penalties of up to 10 years’ imprisonment

• Willful neglect is at the top of the scale

• Even where there is merely a possibility of a violation due to willful neglect, the Department of Health and Human Services (“HHS”) can impose civil monetary penalties without exhausting informal resolution options

Page 65: Annual Penalties

• Tier 1: $100 per violation, not to exceed $25,000

• Tier 2: If due to “reasonable cause” but not willful neglect, at least $1,000/violation, not to exceed $100,000

• Tier 3: If due to willful neglect and corrected in 30 days, at least $10,000/violation, not to exceed $250,000

• Tier 4: If due to willful neglect and is not corrected in 30 days, at least $50,000/violation, not to exceed $1.5 million

Page 66: Big Breaches of 2012

• A server containing PHI of 780,000 patients was hacked into and PHI was stolen for one month until the breach was discovered and the server was shut down.

• An Atlanta health care company misplaced 10 backup disks for more than 315,000 surgical patients treated between 1990 and 2007. About 228,000 of the files included patient Social Security numbers, names, surgery dates, diagnoses and procedure codes.

• A South Carolina Department of Health and Human Services employee compiled data on more than 228,000 people and sent it to a private email account. About 22,600 people had their Medicaid ID numbers stolen (linked to Social Security numbers). Patient names, addresses and birth dates were also stolen. He was charged with five counts of violating medical confidentiality laws and one count of disclosure of confidential information.

Page 67: Mitigation of Damages

42 USC 1320d-5(d)(2)(c):

Reduction of Damages — In assessing damages under subparagraph (A), the court may consider the factors the Secretary may consider in determining the amount of a civil money penalty under subsection (a) under the HIPAA privacy regulations.

Page 68: Factors Considered in Reducing Damages

• Who impermissibly used/received the PHI?

– Was it another covered entity or federal agency (less risk), or someone without separate privacy obligations?

• Can you take immediate steps to mitigate (e.g., obtain recipient’s assurances that the info will not be further disclosed or will be destroyed)?

• Was information returned without being opened or accessed (forensic analysis would be required on laptops, etc.)?

Page 69: Factors Considered in Reducing Damages

• Greater Risk of Harm:

• Name of individual, along with sensitive service types or provider types:

– Oncology services

– Substance abuse treatment

– AIDS treatment

– Abortion clinic

– Plastic surgery

• Name of individual, along with information that increases risk of identity theft:

– SSN

– Credit card info

– Mother’s maiden name

• Lesser Risk of Harm:

• Name of individual and the fact that he/she received services from a particular hospital, as long as the service type was not disclosed or sensitive and no financial information was included.

Page 70: State Data Security Laws

• 46 states have adopted such laws

• The laws generally protect “personal information,” i.e., a name (or first initial and last name) coupled with a social security, credit card or financial account number or state-issued identification number (including Medicare/Medicaid number)

• The breach or loss of “personal information” triggers state reporting obligations

• These reporting obligations apply in addition to HIPAA reporting obligations

Page 71: State Data Security Laws

The challenge:

• State laws impose separate security and sometimes contracting requirements (apply the more stringent requirement)

• Breach reporting time frames vary widely

• Breach reporting requirements vary widely

• Compliance can be extremely complex for organizations operating in multiple states or serving individuals from multiple states

Page 72: Visit our blogs!

www.healthlawpolicymatters.com

www.privacyandsecuritymatters.com