TRANSCRIPT
Health Data Breaches: Complying with New HIPAA
Notification Rule and Mitigating Damages Navigating Complex Challenges for Healthcare Data Management, Preservation and Protection
WEDNESDAY, SEPTEMBER 25, 2013
1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific
Presenting a live 90-minute webinar with interactive Q&A
Today’s faculty features:
Kimberly J. Gold, Attorney, Mintz Levin Cohn Ferris Glovsky and Popeo, New York
The audio portion of the conference may be accessed via the telephone or by using your computer's
speakers. Please refer to the instructions emailed to registrants for additional information. If you
have any questions, please contact Customer Service at 1-800-926-7926 ext. 10.
Health Care Data Breaches:
Complying with the New HIPAA Rule
September 25, 2013
Kimberly J. Gold, Esq.
Attorney
New York
212.692.6706
JD, Fordham University
BA, University of Delaware
• Practice focuses on health care and corporate matters such as
regulatory compliance, privacy and security, mergers and acquisitions,
financings, licensing, and reimbursement.
• Experience includes advising health care clients on state and federal
privacy and security laws.
• Prepares compliance programs and counsels clients on breach notification requirements.
• Focuses on fraud and abuse issues, Medicare and Medicaid
reimbursement, food and drug laws, and state licensure laws and
regulations.
• While in law school, completed a judicial internship for the Honorable
Phyllis Gangel-Jacob of the New York State Supreme Court Appellate
Term.
• Served as the associate editor of the Fordham Intellectual Property,
Media and Entertainment Law Journal.
Agenda
• Managing Healthcare Data
– Protected Health Information
– In Litigation
– In Government Investigations, Administrative Proceedings, etc.
– In Transactional Matters
• Best Practices for Protecting Data
– Privacy and Security Requirements
– Policies and Procedures for Collection and Preservation
• Responding to Data Breaches
– HIPAA Breach Notification Rule
– Policies and Procedures
– Mitigation of Damages
• Q&A
Managing Healthcare Data
Protected Health Information
• “Health information” is information relating to past, present, or future physical or mental health of an individual
• “Individually identifiable health information” (IIHI) means health information that identifies an individual
• “PHI” is IIHI created or held by a covered entity in any form or medium
• PHI also includes genetic information as a result of amendments made by the Genetic Information Nondiscrimination Act (GINA)
What is Not PHI
• Employment records of the covered entity
• Family Educational Rights and Privacy Act (FERPA) records
– Example: School or university with DOE funding that also has a covered
on-site clinic
Other PHI Exceptions
• “De-identified” health information
– Safe harbor: stripped of 18 “identifiers”
– Non-safe harbor: statistical measures
• Summary health information (SHI)
– De-identified in the same way as de-identified health information, except that a 5 digit (rather than 3 digit) zip code may remain
– The uses of SHI are restricted (a group health plan sponsor may receive it only to obtain premium bids or to modify, amend, or terminate the plan)
• "Limited data sets"
– 16 direct identifiers stripped out
– Limited to research, public health, or health care operations purposes
– Subject to a "data use agreement"
De-Identification
• Removes PHI from the restrictions of HIPAA
• …"the requirements of this subpart do not apply to information that has been de-identified in accordance with the applicable requirements of §164.514…" (45 CFR §164.502(d)(2))
• Useful for clinical research, policy assessment, QA/QI initiatives, market research and litigation
• Business Associates may de-identify PHI for their own use only where their business associate agreement permits it
The Identifiers that Make Health Information PHI
1) Name
2) Address
3) Birth date
4) Fax number
5) Medical records number
6) Health plan beneficiary number
7) Finger or voice prints
8) Account number
9) Photographic images
10) Certificate/license number
11) Vehicle or device serial number
12) Names of relatives
13) Names of employers
14) Telephone numbers
15) Social Security number
16) Electronic mail addresses
17) Internet protocol address number
18) Web universal resource locator
19) Any other unique identifying number, characteristic or code
Note: 45 CFR §164.514(b)(2)(i) groups these into 18 categories, the last being the "any other unique identifying number, characteristic, or code" catch-all, and applies every category to identifiers of the individual's relatives, employers, and household members as well (so items 12 and 13 above are not separate categories in the rule). The rule's geographic category covers all subdivisions smaller than a state; only the first three digits of a ZIP code may remain, and only where that three-digit area contains more than 20,000 people. Its date category covers all elements of dates other than year, and all ages over 89, which may be aggregated into a single "90 or older" category.
De-Identification
• Safe Harbor Method (45 CFR §164.514(b)(2))
– Removal of all 18 types of identifiers, the last of which is the catch-all for any other unique identifying number, characteristic or code
– No actual knowledge that remaining information could identify the individual
• Statistical (Expert Determination) Method (45 CFR §164.514(b)(1))
– Some identifiers may be used
– Applies scientific principles to confirm that the risk of identifying individuals with remaining information is "very small"
De-Identification – Safe Harbor Method
• The cleanest way to de-identify if you can do it
• Removal of all 18 identifiers required
• Includes identifiers of the individual or the individual's relatives, employers, or household members
• The covered entity also must have no actual knowledge that the remaining information could be used alone or in combination with other information to identify the individual who is the subject of the information
De-Identification – Safe Harbor Method
• Covered entities may de-identify PHI without authorization as a permissible "health care operation"
• Business Associates must have permission from their covered entity collaborators to de-identify PHI
Statistical De-Identification
• The covered entity may obtain certification by "a person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable" that there is a "very small" risk that the information could be used by the recipient to identify the individual who is the subject of the information, alone or in combination with other reasonably available information.
• The person certifying statistical de-identification must document the methods used as well as the result of the analysis that justifies the determination.
• A covered entity is required to keep such certification, in written or electronic format, for at least 6 years from the date of its creation or the date when it was last in effect, whichever is later.
Statistical De-Identification
• Who is an "expert?"
– The rule is flexible on requisite fields of expertise (statistics, math, or other scientific domain)
– Office for Civil Rights (OCR) will review the de-identifying expert's professional training as well as de-identification experience
• How does the expert assess the risk of identification?
– The rule is flexible on technical approaches
– However, the analysis justifying the conclusion must be available to OCR upon request
Principles for Determining the Identifiability of Health Information
• Replicability
– What are the chances that the information will consistently occur in relation to an individual? (a blood glucose level varies from visit to visit; a birth date does not)
• Data Source Availability
– Are there external sources of patient identifiers? (lab test results are rarely available outside the record; birth dates appear in marriage records and other public sources)
Principles for Determining the Identifiability of Health Information
• Distinguishability
– To what extent can the subject's data be distinguished? (3 digit zip code, year of birth and gender describe many people; 5 digit zip code, date of birth and gender often describe only one)
• The greater the replicability, availability and distinguishability of the information, the greater the risk of identification
What if the Risk of Re-Identification is Larger than "Very Small"?
• Risk may be mitigated (or reduced to "very small") by modification of the data set
• Key consideration: balancing reduction of risk against data utility
• If reducing the risk to "very small" destroys the value of the data set, other approaches should be explored (suppression, generalization, perturbation)
Coding De-Identified Information
• A de-identified data set may be coded (a code, algorithm or pseudonym assigned to individual records permitting re-identification by the covered entity) (45 CFR §164.514(c))
• The code must not be derived from or related to information about the individual (a code computed from the medical record number or Social Security number, hashed or not, is derived from the data)
• The code, and the mechanism for re-identification, must not be disclosed to anyone without authority to view the identified data
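The Safe Harbor removal and the re-identification coding rule above, as an added example (not code from the webinar or its presenter): a small Python de-identifier over constructed records. It drops the identifier columns, keeps only the first three ZIP digits (or "000" for a low-population area), keeps only the year of dates, aggregates ages over 89, and attaches a random re-identification code held in a separate codebook; a hash of the medical record number is shown as the pattern that fails the "not derived from the data" condition. The column names, the sample records and the low-population ZIP set are assumptions of the example; the real low-population prefixes come from the OCR guidance.

```python
# Added example: Safe Harbor de-identification (45 CFR 164.514(b)(2)) of a
# constructed record set, plus a re-identification code that is not derived
# from the data (45 CFR 164.514(c)). Column names, the sample records and the
# low-population ZIP set are assumptions of this example.
import hashlib
import secrets

# Columns that fall under the Safe Harbor identifier categories and are
# removed outright (names of the individual, relatives and employers; contact
# details; identifying numbers; biometrics; images; the catch-all).
DIRECT_IDENTIFIERS = frozenset({
    "name", "relative_name", "employer", "street_address", "phone", "fax",
    "email", "ssn", "mrn", "health_plan_id", "account_number",
    "license_number", "vehicle_id", "device_serial", "url", "ip_address",
    "fingerprint", "photo", "other_unique_id",
})
# Dates directly related to the individual: only the year may remain.
DATE_COLUMNS = frozenset({"birth_date", "admission_date", "discharge_date", "death_date"})


def generalize_zip(zip5, low_population_zip3):
    """Keep the first three ZIP digits, or '000' when the three-digit area
    contains 20,000 or fewer people. The caller supplies that set from the
    current OCR guidance (the sample below uses an assumed set)."""
    zip3 = zip5.strip()[:3]
    return "000" if zip3 in low_population_zip3 else zip3


def safe_harbor(record, low_population_zip3):
    """Return a de-identified copy of one record (a dict of strings)."""
    over_89 = int(record.get("age", "0")) > 89
    out = {}
    for column, value in record.items():
        if column in DIRECT_IDENTIFIERS:
            continue                                    # dropped entirely
        if column == "zip":
            out[column] = generalize_zip(value, low_population_zip3)
        elif column in DATE_COLUMNS:
            # year only; for ages over 89 even the birth year reveals the age
            out[column] = "" if (over_89 and column == "birth_date") else value[:4]
        elif column == "age":
            out[column] = "90+" if over_89 else str(int(value))   # single 90-or-older category
        else:
            out[column] = value                         # clinical content stays
    return out


class ReidentificationCodebook:
    """Link from a de-identified row back to the source record, held by the
    covered entity and never shipped with the de-identified data. The code is
    random, so it is not derived from the record."""

    def __init__(self):
        self._by_code = {}

    def assign(self, source_key):
        code = secrets.token_hex(16)
        while code in self._by_code:            # vanishingly unlikely, but cheap to guard
            code = secrets.token_hex(16)
        self._by_code[code] = source_key
        return code

    def lookup(self, code):
        return self._by_code[code]


def derived_code(mrn):
    """The pattern to avoid: a hash of the MRN is derived from the record, so
    it does not meet the 164.514(c) 'not derived' condition, and anyone who can
    enumerate MRNs can recompute it and re-link the rows."""
    return hashlib.sha256(mrn.encode()).hexdigest()


def deidentify_dataset(records, low_population_zip3, codebook):
    rows = []
    for record in records:
        row = safe_harbor(record, low_population_zip3)
        row["code"] = codebook.assign(record["mrn"])
        rows.append(row)
    return rows


# Constructed sample, not real patients. "036" is assumed here to be a
# low-population three-digit ZIP area; use the list from the OCR guidance.
LOW_POPULATION_ZIP3 = {"036"}
SAMPLE_RECORDS = [
    {"name": "Ada Example", "mrn": "MRN-0001", "ssn": "000-00-0000",
     "street_address": "1 Main St", "zip": "02134", "birth_date": "1975-03-04",
     "age": "38", "admission_date": "2013-09-01", "email": "ada@example.invalid",
     "diagnosis_code": "E11.9"},
    {"name": "Bob Example", "mrn": "MRN-0002", "ssn": "000-00-0001",
     "street_address": "2 Elm St", "zip": "03601", "birth_date": "1921-07-19",
     "age": "92", "admission_date": "2013-08-15", "email": "bob@example.invalid",
     "diagnosis_code": "I10"},
]

if __name__ == "__main__":
    book = ReidentificationCodebook()
    for row in deidentify_dataset(SAMPLE_RECORDS, LOW_POPULATION_ZIP3, book):
        print(row, "->", book.lookup(row["code"]))
```

The codebook is the only thing that links a row back to a patient, so it belongs with the identified data under the same access controls, not with the de-identified extract. The "no actual knowledge" condition of the Safe Harbor method cannot be coded; it is a judgement the covered entity still has to make about what else is left in the clinical columns.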
Helpful Links
• OCR Website: http://www.hhs.gov/ocr/privacy
• OCR's De-identification guidance: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/De-identification/guidance.html
Managing Healthcare Information in Government Investigations and Oversight Activities
• A covered entity may disclose protected health information to a health oversight agency for oversight activities authorized by law, including:
– audits;
– civil, administrative, or criminal investigations;
– inspections;
– licensure or disciplinary actions; and
– civil, administrative, or criminal proceedings or actions
• Disclosure for public health activities is permitted
– E.g., the reporting of a disease or injury; reporting vital events, such as births or deaths; and conducting public health surveillance, investigations, or interventions
Managing Healthcare Information in Litigation
• Disclosures of PHI in response to a subpoena, discovery request, or other lawful process that is not accompanied by a court order are permitted upon written documentation provided to the covered entity of "satisfactory assurances" that:
– The patient was given notice and an opportunity to object (and no objections were raised, or the request is consistent with how objections were resolved); or
– A "Qualified Protective Order" has been agreed to by the parties or submitted to the judge.
• Where a court order exists, the covered entity may disclose only the PHI expressly authorized by the order.
Managing Healthcare Information in Litigation
• Under HIPAA and most state laws, PHI can be disclosed to law enforcement in response to a court order, court-ordered warrant, or a subpoena or summons issued by a judicial officer; for an administrative request (such as an administrative subpoena or civil investigative demand), all of the following must hold:
– PHI must be relevant and material to a legitimate law enforcement inquiry;
– Request must be specific and limited in scope; and
– De-identified information could not reasonably be used
Managing Healthcare Information in Transactional Matters
• A covered entity may use and disclose PHI without patient authorization in the case of:
– the sale, transfer, merger or consolidation of all or part of a covered entity to or with another covered entity, or an entity that following such activity will become a covered entity; and
– Related due diligence
• Disclosure of PHI permitted for actual physical transfer of patient records
Managing Healthcare Information in Transactional Matters
• Subject to "minimum necessary" standards
• Covered entity must enter into business associate agreements with advisors who will receive PHI
• Through due diligence, ensure the target entity has complied with HIPAA
Best Practices for Protecting Data
Privacy and Security Requirements
The Privacy Rule
• A “Covered Entity” may not use or disclose PHI except as
– Authorized in writing by the individual who is the subject of the information, or
– Required or permitted by the rule
• Where disclosure is permitted, a Covered Entity may only use, disclose or request the “minimum necessary” PHI to accomplish the intended purpose (this does not apply to disclosures to, or requests by, a health care provider for treatment)
The Security Rule
• Limited to PHI in electronic form (“ePHI”)
• Violations of the security rule can also be violations of the privacy rule
• High statutory bar: ensure confidentiality, integrity, and availability of ePHI
• Applies to covered entities, to business associates and now to subcontractors of business associates (no limitations or exceptions)
• Requires compliance with administrative, physical, and technical safeguards
Covered Entity Requirements
• Document policies and procedures
• Implement appropriate administrative, technical, and physical safeguards
• Mitigate harmful effects of violations
• Train the workforce
• Designate a privacy official
• Designate a security official
• Establish a complaint process
• Refrain from intimidating/retaliatory acts
• Enter into BA agreements with business associates
Omnibus Rule and Business Associate Liability
• Who Are Business Associates?
– Business associates are those outside entities that create, receive, maintain or transmit protected health information in the course of performing functions on behalf of a covered entity, including:
• Contractors, consultants, data storage companies, health information organizations, and
• Subcontractors of business associates
Omnibus Rule and Business Associate Liability: The “Conduit” Analysis
• OCR’s longstanding position has been that entities that act as mere conduits for PHI and do not access PHI other than on a random or infrequent basis are not business associates
• They may have incidental exposure to PHI, but their jobs do not require them to access or review PHI (e.g., United States Postal Service)
• OCR’s commentary to the Omnibus Rule explains that the conduit analysis is narrow and limited to transmission services (including those that store PHI only temporarily and incident to the transmission)
• An entity that maintains PHI, even if it does not actually view it, is a business associate (e.g., vendors of cloud-based storage solutions)
Omnibus Rule and Business Associate Liability
• The Omnibus Rule clarified that subcontractors of business associates are regulated as business associates
• Business associates and downstream entities are directly subject to audit, investigation and enforcement for noncompliance
• The federal common law of agency applies: a covered entity is liable for the acts of its business associate where there is an agency relationship (and a business associate likewise for its subcontractor agents)
• Omnibus Rule applies the “minimum necessary” standard directly to business associates and their subcontractors
Business Associate Requirements
• Permitted uses and disclosures
• Requirement to use appropriate safeguards
• Requirement to report non-permitted uses and disclosures to the covered entity
• Requirement to extend the same terms and conditions to subcontractors and agents (e.g., a third-party administrator (TPA) that subcontracts utilization review (U/R))
Policies and Procedures for Collection and Preservation
• Administrative, physical, and technical safeguards
• Flexibility and scalability
– Standards
– Required implementation specifications
– Addressable implementation specifications (must be implemented if reasonable and appropriate; otherwise the reason must be documented and an equivalent alternative adopted where reasonable)
• “Risk Assessment” (the risk analysis required by 45 CFR §164.308(a)(1)(ii)(A)) is the required starting point
Administrative Safeguards
• Security management process
• Assigned security responsibility
• Workforce security
• Information access management
• Security incident procedures
• Security awareness and training
• Contingency plan and evaluation
• Business associate contracts
Physical Safeguards
• Facility access controls
• Workstation use
• Workstation security
• Device and media controls
Technical Safeguards
• Access controls
• Audit controls
• Integrity
• Person or entity authentication
• Transmission security
Best Practices
• Update policies, procedures and forms to reflect Omnibus Rule requirements
• Implement changes
• Covered Entities: Review your list of business associates and subcontractors in light of the expanded definition of "business associate"
– Are any of your "conduits" actually "business associates?"
Best Practices
• Update your Notice of Privacy Practices
– Group Health Plans: distribute updates in the next annual mailing
– Model NPPs on OCR's website: www.hhs.gov/privacy/hipaa/modelnotices.html
• Business associates and subcontractors: Develop and implement HIPAA compliance programs
Best Practices
• Update and conduct training and circulate awareness communications
– Inform personnel of changes as soon as possible
– Plan a training session ASAP
• Monitor compliance and risks on an ongoing basis
– Covered entities must actively monitor compliance of personnel and business associates
• Review and update security program at least annually
– Failure to update = non compliance
Best Practices
• Review and possibly amend business associate agreements
• Business associate agreements must now include additional provisions
• Sample provisions posted on OCR website: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html
• Make necessary changes by September 22, 2014 (the end of the transition period for agreements that were already in place before the Omnibus Rule)
• Any existing agreement modified after September 23, 2013 must include any previously omitted provisions
What We Expect from the Office for Civil Rights in the Near Future
• More guidance on the Omnibus Rule
• More audits (targeting business associates and group health plans)
– An updated audit protocol
• Fines for those who ignore requirements or identified problems
• Administrative follow-up for those who make a good faith effort to comply and promptly address identified problems
• An expectation that regulated entities know the rules by now
• Continued focus on mobile devices
• Continued focus on the right to access PHI
• New, expanded accounting of disclosures requirements
Responding to Data Breaches
Breach Notification Rule
• Notice must be provided in the event of an “unauthorized acquisition, access, use or disclosure” of PHI that is “unsecured” (i.e., a “breach”)
• PHI is “secured” (and the HITECH breach-notice rules are not triggered) if the PHI is encrypted or destroyed in the manner prescribed by HHS
Breach Notification Rule
• Prior law
– No obligation to notify individuals or HHS of a breach of the privacy or security rules
– CEs (but not BAs) were obliged to mitigate harm caused by a breach, which may have included notification
• HITECH added two sets of notice rules
– CEs and BAs (enforced by HHS)
– Personal health record (PHR) vendors and related entities (non-CEs) (enforced by the FTC)
Breach Notification Rule
• HITECH creates breach reporting requirements for covered entities and business associates
• Breaches of “Unsecured PHI” must be reported to affected individuals and to the federal government (the Department of Health and Human Services Office for Civil Rights)
– “Unsecured PHI” is PHI that has not been secured in accordance with federal standards (encrypted or destroyed)
• Under the 2009 interim final rule, a loss of Unsecured PHI that did not present a significant risk of financial, reputational or other harm was not a reportable breach; the Omnibus Rule replaced that harm standard with a presumption of breach that can be rebutted only by a documented risk assessment showing a low probability that the PHI has been compromised (see "New Breach Notification Analysis" below)
Encryption/Destruction
• Secured PHI means PHI that has been rendered “unusable, unreadable, or indecipherable to unauthorized individuals”
• HHS issued guidance on April 17, 2009, identifying two acceptable methods for securing PHI: encryption (electronic data, consistent with the NIST publications the guidance references, e.g., NIST SP 800-111 for data at rest) and destruction (electronic and paper)
• Clarifications in the Aug. 24, 2009 interim rule
– Redaction of paper-based PHI does not qualify
– Encryption keys must be stored on a device or at a location separate from the encrypted data (a laptop lost with its decryption key on it is not "secured")
• The list of methods is intended to be exhaustive, not illustrative
• Use of a listed method acts as a “safe harbor” from the notification requirements
• HHS will likely issue further guidance
Breach Notification Rule
• Applies generally to covered entities and business associates, but
– A business associate is required to notify the covered entity, not affected individuals (unless the covered entity delegates this responsibility)
– Notice must be provided without unreasonable delay, and in no case later than 60 calendar days following discovery of the breach
• "Discovery" is the first day on which the breach is known to the covered entity, or by exercising reasonable diligence would have been known ("should have known")
• Per OCR: 60 days is the outer limit for reporting. In most cases, reporting at the latter end of the 60-day time frame will violate the rule
Breach Notification Rule
• A business associate's (or subcontractor's) knowledge of a breach is imputed to the covered entity, and starts the covered entity's 60-day clock, where the business associate is acting as the covered entity's agent under the federal common law of agency; where it is an independent contractor, the covered entity's clock starts when the business associate notifies it (the business associate has its own 60-day outer limit to do so)
• Business associate must have breach notice policies and procedures consistent with these requirements.
• As a practical matter, the workforce must PROMPTLY report breaches and even suspected breaches
Breach Reporting – Business Associate Obligations
• Business associates must immediately report known or suspected breaches of PHI to covered entities (so that covered entities may report within the 60 day time frame)
• Speed is key
• Be sure to report even SUSPECTED breaches
– Business associate agreements may impose specific reporting time frames. Some may require reporting within 24-48 hours of the breach.
– Covered entities typically require business associates to cover the costs of their breaches (mitigation, such as credit monitoring, notice to affected individuals, fines, attorney fees, settlements, claims, class action lawsuits…)
What Constitutes a Breach?
• The unauthorized acquisition, access, use or disclosure of protected health information in violation of the Privacy Rule is presumed to be a reportable breach unless
– The covered entity or business associate demonstrates there is a low probability that the information has been compromised based on a risk assessment of certain factors, or
– The breach fits within certain exceptions
• Covered entities must ensure that their policies incorporate and apply this new standard
What's Not a Breach?
• Exception if the covered entity or business associate has a good faith belief that the unauthorized person to whom the disclosure was made would not reasonably have been able to retain the PHI
• Exception for unintentional acquisition, access, or use
– By a workforce member or person acting under the authority of the covered entity or business associate
– Made in good faith and within the scope of authority
– Does not result in further use or disclosure not permitted by the Privacy Rule
• Exception for inadvertent disclosure by a person authorized to access PHI to another person authorized to access PHI at the same covered entity, business associate, or organized health care arrangement, where the PHI is not further used or disclosed in a manner not permitted by the Privacy Rule
New Breach Notification Analysis
• The 2009 interim final rule provided a "harm standard" for the identification of reportable breaches
• The Omnibus Rule creates a more objective, four-factor test for determining whether or not PHI has been compromised
– Nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification
– The unauthorized person who used the PHI or to whom disclosure was made
– Whether the PHI was actually acquired or viewed
– The extent to which the risk to the PHI has been mitigated
• Under the Omnibus Rule, there is a presumption of reportable breach unless the risk assessment shows a low probability of compromise
Breach Notification – Policies and Procedures
• Revise breach notification policies and procedures and breach response plans
– Final rule eliminates the “harm threshold” provision
– Instead, assess the probability that PHI has been compromised, and document the assessment
– Make sure that procedures ensure timely notification of regulators and affected individuals
Notice to Individuals
• Written notice to the individual (or next of kin or personal representative if the individual is deceased) at the last known address by first-class mail (or by e-mail if the individual has agreed to electronic notice)
• Substitute notice where contact information is insufficient or out-of-date: for fewer than 10 individuals, an alternative form of written notice, telephone, or other means; for 10 or more individuals, conspicuous posting (for 90 days) on the CE's home page or conspicuous notice in major print or broadcast media, in either case with a toll-free number active for at least 90 days
• Where there is a possibility of imminent misuse of the unsecured PHI, additional notice by telephone or other methods
Notice to the Media
• Notice to prominent media outlets serving the State or jurisdiction is required if a breach of unsecured PHI affects or is reasonably believed to affect more than 500 residents of that State or jurisdiction
Notice to and by HHS
• Notice to HHS by CEs contemporaneously with the notice to individuals (no later than 60 days after discovery) for breaches involving more than 500 individuals, and annually (within 60 days after the end of the calendar year in which the breach was discovered) for all other breaches
• Posting on the HHS Web site of a list that identifies each covered entity involved in a breach in which the unsecured PHI of more than 500 individuals is acquired or disclosed
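The notice rules on these last slides, as an added example that is not part of the deck: a Python helper that computes the outer-limit dates and the required notice channels for one breach from its discovery date, the number of affected residents per state, and the number of individuals with unusable contact information. It also applies the agency distinction for when a business associate's knowledge starts the covered entity's clock. The input structure and the field names are assumptions of the example; the day counts are the regulatory outer limits, which OCR treats as limits rather than targets.

```python
# Added example: breach notification routing under the HITECH/Omnibus
# thresholds. The periods and thresholds come from 45 CFR 164.404, 164.406,
# 164.408 and 164.410; the input structure is an assumption of this example,
# and every date it returns is the outer limit, not a target.
from datetime import date, timedelta

INDIVIDUAL_NOTICE_MAX_DAYS = 60   # 164.404(b): no later than 60 calendar days after discovery
SUBSTITUTE_POSTING_DAYS = 90      # 164.404(d)(2)(ii): web posting or media notice for 90 days
LARGE_BREACH_THRESHOLD = 500      # 164.406 / 164.408(b): "more than 500"
SUBSTITUTE_WEB_THRESHOLD = 10     # 164.404(d)(2)(ii): "10 or more" with insufficient contact info
ANNUAL_LOG_GRACE_DAYS = 60        # 164.408(c): within 60 days after the end of the calendar year


def discovery_date(ce_knew, ba_knew=None, ba_is_agent=False, ba_notified_ce=None):
    """Day the covered entity is treated as having discovered the breach.
    ce_knew: the day the covered entity itself knew, or with reasonable
    diligence should have known. A business associate's knowledge counts as
    the covered entity's only when the business associate acts as its agent;
    otherwise the clock starts when the business associate notifies the
    covered entity (164.404(a)(2), 164.410(a)(2))."""
    candidates = [ce_knew]
    if ba_knew is not None:
        candidates.append(ba_knew if ba_is_agent else (ba_notified_ce or ce_knew))
    return min(candidates)


def notification_plan(discovered, affected_by_state, insufficient_contact):
    """Return the notice channels and outer-limit dates for one breach.
    affected_by_state maps a state code to its number of affected residents;
    insufficient_contact is how many individuals have no usable address."""
    total = sum(affected_by_state.values())
    deadline = discovered + timedelta(days=INDIVIDUAL_NOTICE_MAX_DAYS)
    plan = {
        "discovered": discovered,
        "individual_notice_by": deadline,   # first-class mail, or e-mail if the individual agreed
        "media_notice_states": sorted(
            state for state, n in affected_by_state.items() if n > LARGE_BREACH_THRESHOLD),
    }
    if insufficient_contact >= SUBSTITUTE_WEB_THRESHOLD:
        plan["substitute_notice"] = "web_or_media_posting_with_toll_free_number"
        # the 90 days run from when the posting goes up; computed here from the outer limit
        plan["substitute_posting_until"] = deadline + timedelta(days=SUBSTITUTE_POSTING_DAYS)
    elif insufficient_contact > 0:
        plan["substitute_notice"] = "alternative_written_telephone_or_other"
    else:
        plan["substitute_notice"] = None
    if total > LARGE_BREACH_THRESHOLD:
        plan["hhs_notice"] = "contemporaneous_with_individual_notice"
        plan["hhs_notice_by"] = deadline
    else:
        plan["hhs_notice"] = "annual_log"
        plan["hhs_notice_by"] = date(discovered.year, 12, 31) + timedelta(days=ANNUAL_LOG_GRACE_DAYS)
    return plan


if __name__ == "__main__":
    # constructed scenario: an independent-contractor BA found the breach on
    # Sept 1 and told the CE on Sept 18; 640 people affected, 12 unreachable
    found = discovery_date(date(2013, 9, 20), ba_knew=date(2013, 9, 1),
                           ba_is_agent=False, ba_notified_ce=date(2013, 9, 18))
    for key, value in notification_plan(found, {"NY": 600, "NJ": 40}, 12).items():
        print(f"{key}: {value}")
```

State breach laws run on their own clocks and definitions of personal information, so a real incident runbook layers the state deadlines on top of what this computes; the HIPAA dates are a floor, not the whole answer.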
Enforcement
• The Office for Civil Rights enforces the civil provisions of HIPAA and HITECH; the Department of Justice (through the US Attorneys) enforces the criminal provisions
• HITECH gave state attorneys general the authority to enforce HIPAA
• Under HITECH, the Office for Civil Rights will be allowed to retain a portion of the fines that it collects from violators
– This may be why we are seeing 7-figure fines from OCR.
• HITECH enforcement is designed to be a public, embarrassing, process. See the OCR “wall of shame”: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html
Enforcement – Enhanced Audits
• Previously, HHS audited CEs only in response to complaints
• HITECH directs HHS to conduct periodic audits of CEs and BAs, even if no complaint has been filed
• Where a preliminary investigation indicates “willful neglect”
– A formal investigation is required, and
– Penalties must be imposed if willful neglect is found
Enforcement – State AGs
• State Attorneys General are authorized to bring a civil action for HIPAA violations to enjoin violations and seek damages
– Damages calculated by multiplying the number of violations by $100, not to exceed $25,000 per calendar year for violations of an identical requirement. Court may award costs and reasonable attorneys’ fees to the State
– State action may not be brought during pendency of a Federal action
Enforcement – Individuals
• Individuals harmed by a violation are to receive a portion of HHS civil penalties or monetary settlements, under a methodology HITECH directs HHS to establish by regulation (not yet issued)
• HHS is directed to report to Congress regarding complaints filed and their disposition (will be made available to the public)
New Penalty-Based System
• Penalties range from $100 to $50,000 per violation, depending on the level of culpability
• $1.5 million cap per calendar year for multiple violations of identical provisions
• Criminal penalties of up to 10 years’ imprisonment
• Willful neglect is at the top of the scale
• Even where there is merely a possibility of a violation due to willful neglect, the Department of Health and Human Services (“HHS”) can impose civil monetary penalties without exhausting informal resolution options
Annual Penalties
• Tier 1: Did not know (and by exercising reasonable diligence would not have known) of the violation, $100 per violation, not to exceed $25,000
• Tier 2: If due to “reasonable cause” but not willful neglect, at least $1,000/violation, not to exceed $100,000
• Tier 3: If due to willful neglect and corrected within 30 days, at least $10,000/violation, not to exceed $250,000
• Tier 4: If due to willful neglect and not corrected within 30 days, at least $50,000/violation, not to exceed $1.5 million
• These are the HITECH statutory figures; HHS's enforcement regulation (45 CFR §160.404) permits up to $50,000 per violation in every tier and applies the $1.5 million annual cap for identical violations to every tier
Big Breaches of 2012
• A server containing PHI of 780,000 patients was hacked into and PHI was stolen for one month until the breach was discovered and the server was shut down.
• An Atlanta health care company misplaced 10 backup disks for more than 315,000 surgical patients treated between 1990 and 2007. About 228,000 of the files included patient Social Security numbers, names, surgery dates, diagnoses and procedure codes.
• A South Carolina Department of Health and Human Services employee compiled data on more than 228,000 people and sent it to a private email account. About 22,600 people had their Medicaid ID numbers stolen (linked to Social Security numbers). Patient names, addresses and birth dates were also stolen. He was charged with five counts of violating medical confidentiality laws and one count of disclosure of confidential information.
Mitigation of Damages
42 U.S.C. § 1320d-5(d)(2)(C):
Reduction of Damages — In assessing damages under subparagraph (A), the court may consider the factors the Secretary may consider in determining the amount of a civil money penalty under subsection (a) under the HIPAA privacy regulations.
Factors Considered in Reducing Damages
• Who impermissibly used/received the PHI?
– Was it another covered entity or federal agency (less risk), or someone without separate privacy obligations?
• Can you take immediate steps to mitigate (e.g., obtain the recipient’s assurances that the information will not be further disclosed or will be destroyed)?
• Was the information returned without being opened or accessed? (for laptops and other devices, forensic analysis would be required to establish this)
Factors Considered in Reducing Damages
• Greater Risk of Harm:
– Name of individual, along with sensitive service types or provider types:
• Oncology services
• Substance abuse treatment
• AIDS treatment
• Abortion clinic
• Plastic surgery
– Name of individual, along with information that increases risk of identity theft:
• SSN
• Credit card info
• Mother’s maiden name
• Lesser Risk of Harm:
– Name of individual and fact that he/she received services from a particular hospital, as long as the service type was not disclosed or sensitive and no financial information was included
State Data Security Laws
• 46 states have adopted them
• The laws generally protect “personal information”: first name or first initial and last name, coupled with a Social Security, credit card or financial account number, or a state issued identification number (Medicare/Medicaid numbers are covered in some states)
• The breach or loss of “personal information” triggers state reporting obligations
• These reporting obligations apply in addition to HIPAA reporting obligations
State Data Security Laws
The challenge:
• State laws impose separate security and sometimes contracting requirements (where state and federal requirements differ, the more stringent applies)
• Breach reporting time frames vary widely
• Breach reporting requirements vary widely
• Compliance can be extremely complex for organizations operating in multiple states or serving individuals from multiple states
Visit our blogs!
www.healthlawpolicymatters.com
www.privacyandsecuritymatters.com