©Shipman&GoodwinLLP2016.Allrightsreserved.

WilliamJ.Roberts,Esq.

June15,2016

ManagingHIPAADataBreaches

Agenda•  WhataretheRisksofaBreach?

•  IdenPfyingInternalThreats•  IdenPfyingExternalThreats•  RespondingtoaDataBreach

2

DataBreachesbytheNumbers$6.5million–averagecostofadatabreach

11%-increaseincostbetween2014and2015

$217–averagecostperlostorstolenrecord

112million–numberofindividuals(U.S.only)affectedbyahealthcaredatabreachin2015

432million–numberofhackedaccounts(U.S.only)in2014

Sources:(1)2015CostofDataBreachStudy:UnitedStates,PonemonInsPtuteResearch;(2)DataBreachesInHealthcareTotaledOver112MillionRecordsIn2015,Forbes,12/31/2015

3

DataBreaches

•  BreachesareincreasinginsophisPcaPon,frequencyandseverity

•  HealthcareisaprimarytargetofbreachacPvityandissubjecttoheightenedgovernmentscruPnyandenforcement

•  Threatscanbecategorizedintwoways:u  External

u  Internal

4

IdenPfyingInternalThreats

•  Insiderthreatsaretwofold:u  “MaliciousInsider”–Wishtodoharmtocompany

Ø  Canbeemployeethegforpersonalorbusinessgain

Ø  Terminatedemployeestakingdata

Ø  Accessingdataoutsidescopeofemployment

Ø  Employeespurposelymisusingdata

5

IdenPfyingInternalThreats•  Insiderthreatsaretwofold:

u  “Careless”or“Negligent”InsiderØ  Noillwill,butthroughcarelessness,negligenceorlackoftraining,createsopeningsfordataloss

Ø  Study:“TheHumanFactorinDataProtecPon”(hhp://www.ponemon.org/local/upload/file/The_Human_Factor_in_data_ProtecPon_WP_FINAL.pdf)

Ø  EmployeesarelikelygreatestthreattoPHI

Ø  Includeslostfiles,laptops,mobiledevices

6

IdenPfyingExternalThreats

•  Externalthreatstaketwoforms–u  AnahackonyourinformaPonsystemsorthegofphysicalfiles,or

u  AnahempttotrickanemployeetodivulgesensiPveinformaPon

7

Cybersecurity–TheStats

Averageannualnumberofcybersecurityincidents:80to90million

Increaseincybersecurityincidentsfrom2014–2015:38%

Projectedglobalcostofcyberahacksin2019:2.1trillionUSdollars

hhp://expandedramblings.com/index.php/cybersecurity-staPsPcs/Source:

8

It’sPhishingSeason!•  “Phishing”isanahempttouseemailtotrickarecipientintodisclosingpersonalinformaPon,suchasfinancialaccountinformaPon

•  WeareseeingincreasedsophisPcaPonandvolumeofahempts

hhps://blog.cyveillance.com/cyveillance-phishing-report-top-targets-june-22-2015/

9

Masquerading•  “Masquerading”isascaminwhichtheperpetratorassumestheidenPtyofaknown,trustedcolleaguetotrickthecolleagueintotakingsomeacPon,ogensendingemployeeorfinancialdataorwiringfunds

10

ARansomforYourData•  AransomwareahackisoneinwhichaperpetratorassumescontrolofyourdataandwillnotreleaseitunPlpaymentismade(orthreatenstofurtherdiscloseitunlesspaymentismade)

•  Paymentisogenrequestedinbitcoin

11

You’veBeenHacked•  Hackingahemptsare

increasinglycommoninallindustrysectors

•  Healthcare,educaPon,government,retailandfinancearethemostpopulartargets

•  SmallenPPesarejustaslikely(ifnotmorelikely)tobetargetsaslarge,well-knowncorporaPons

Source:IndianapolisStar,12/15/14

12

RespondingtoaDataBreachDiscovery

InvesPgaPon

NoPficaPon(s)MiPgaPon

DamageControl

13

Discovery•  ReporPngStructure:

u  IncidentnoPficaPonpolicyu  Employee/stafftrainingu  Cultureoftransparency,notfearu  Considermockbreaches

•  Needtohaveabreachresponseplaninplacetoguideresponse.Consider:u  TheRightTeam:IT,compliance,HR,paPent/publicrelaPons,legalcounsel

u  Back-upsforeachkey,responsibleindividual(e.g.leave,vacaPon)

14

InvesPgaPon

•  ThecoveredenPtymustinvesPgatethereportofthebreachwithoutdelayu  Ahorney-clientprivilegeisvitaltoprotectyourinterests

u  Haveexternalresourceslined-upaheadofPme:PR,forensicIT,lawenforcementcontacts,externalcounsel

u  OnlyinvolvethenecessaryparPes–confidenPalityisimportant

15

NoPficaPontoIndividuals•  Rule:CoveredenPPesmustnoPfyaffectedindividualsfollowingthe

discoveryofabreachofunsecuredprotectedhealthinformaPonu  NoPcemustbewrihenandsentbyfirst-classmail,oralternaPvely,by

e-mailiftheaffectedindividualhasagreedtoreceivesuchnoPceselectronically

u  NoPcemustbeprovidedwithoutunreasonabledelayandinnocaselaterthan60daysfollowingdiscovery

u  NoPcemustinclude,totheextentpossible,abriefdescripPonofthebreach,adescripPonofthetypesofinformaPonthatwereinvolvedinthebreach,thestepsaffectedindividualsshouldtaketoprotectthemselvesfrompotenPalharm,abriefdescripPonofwhatthecoveredenPtyisdoingtoinvesPgatethebreach,miPgatetheharm,andpreventfurtherbreaches,aswellascontactinformaPon

16

NoPficaPontoIndividuals•  Consider:

u  DevelopcommunicaPonlines–tollfreenumber,email,postaladdress

u  Whowillrespondtoinquiries?Internalresourcessufficientorcallcenterneeded?

u  FAQsu  Languageanddisabilityconcerns?u  Minors?u  Decedents?u  CanyouhandlethecommunicaPonsin-house?

17

SubsPtuteNoPce•  Rule:Insufficientorout-of-datecontactinformaPonfor:u  10ormoreindividuals-thecoveredenPtymustprovidesubsPtutenoPcebyeitherposPngthenoPceonthehomepageofitswebsiteforatleast90daysorbyprovidingthenoPceinmajorprintorbroadcastmediawheretheaffectedindividualslikelyreside

Ø  mustincludeatoll-freephonenumberthatremainsacPveforatleast90dayswhereindividualscanlearniftheirinformaPonwasinvolvedinthebreach

u  Fewerthan10individuals-thecoveredenPtymayprovidesubsPtutenoPcebyanalternaPveformofwrihennoPce,bytelephone,orothermeans

18

NoPficaPontotheMedia•  Rule:CoveredenPPesthatexperienceabreachaffecPngmorethan500

residentsofastateorjurisdicPonare,inaddiPontonoPfyingtheaffectedindividuals,requiredtoprovidenoPcetoprominentmediaoutlets

u  Ogenintheformofapressrelease

u  Withoutunreasonabledelayandinnocaselaterthan60daysfollowingdiscovery

u  MustincludethesameinformaPonrequiredfortheindividualnoPce

•  Consider:u  PRprofessionalassistance

u  Mediatalkingpoints

u  Mediapointperson–whospeaksforyourorganizaPon(andwhodoesnot)

u  Controllingthemessage/coordinaPngwithemployees

u  Becognizantofmedialeaks/stealthinquiries

19

NoPficaPontoHHS•  Rule:CoveredenPPesmustnoPfyHHSbysubmisngabreachreportformonlineu  500ormoreindividuals,coveredenPPesmustnoPfyHHSwithoutunreasonabledelayandinnocaselaterthan60daysfollowingabreach

u  Fewerthan500individuals,thecoveredenPtymaynoPfyHHSofsuchbreachesonanannualbasis,duetoHHSnolaterthan60daysagertheendofthecalendaryearinwhichthebreachesarediscovered

•  Consider:u  Accuracyisvitalu  Summarystatementmayhavesignificantconsequences

20

OtherNoPficaPonObligaPons?•  Dependinguponyoursector,contractualarrangementsorlocaPon,considerthefollowingaddiPonalnoPficaPonsthatmaybenecessary:u  StateAhorneyGeneral(s)u  Stateregulatoryagencies(e.g.DepartmentsofHealth,InsuranceorConsumerProtecPon)

u  Businesspartners(e.g.HIEs,affiliates)u  DepartmentsofEducaPon(stateandfederal)u  PoliPcalstakeholders(esp.ifgovernmentalenPty)u  Funders(looktogrants,donors)u  Employees(e.g.email,IntranetposPng)

21

ThoughtsonBABreaches

•  AtPmes,abreachiscausedbyoroccursatyourbusinessassociate.Whenplanningforandrespondingtosuchabreach,consider:u  BAAreporPng,cooperaPon,miPgaPonandliabilityissues–istheBAAyourfriendorfoe?

u  WhoshouldnoPfy?

u  Controlofmessaging

22

MiPgaPon•  Rule:AcoveredenPtymusttakereasonablestepstomiPgateharmtoindividualscausedbythebreachu  HIPAAislightonspecificsbutstatelawsarenowmandaPngcertainmeasures

•  Consider:u  WhatinformaPoncanyouprovidetoaffectedparPes?

u  Creditmonitoring–when?Requiredbylaw?

u  Creditcounseling,idenPtythegrecoveryservices

u  IdenPtytheginsurance

23

DamageControl

•  Adatabreachmayinflictsignificantfinancial,operaPonalandreputaPonalcostsonacompany.Employeemoraleandconfidencemayalsosuffer.Developaplanfor:u  RespondingtoquesPonsandconcernsfromcurrentandformeremployees,paPentsorcustomers

u  Handlinginquiriesfromrelevantbusinesspartners

u  Managingthecompany’sreputaPoninthebusinessandconsumercommuniPes

24

LegalRisks

•  LawsuitsCanandWillComefromSixSources:u  Consumers

u  Insurers

u  FinancialInsPtuPons

u  Shareholders

u  Employees

u  Government

25

GovernmentEnforcement

•  AHIPAAbreachmayresultinenforcementacPonsfromstateahorneygeneralsandtheHHSOfficeforCivilRights(OCR)

•  Insomeinstances,otherenforcementagencies,includingconsumerprotecPon,health,educaPonorinsurancedepartments,mayhavejurisdicPonu  Key–aHIPAAbreachogenviolatesotherstateandfederallaws,meaningmoreopportuniPesforenforcement

26

LegalRisksandGovernmentEnforcement

•  Needtoprepareforthefollowingfrom“DayOne”:u  OCRinvesPgaPonandenforcementacPonu  AhorneyGeneralinvesPgaPonandenforcementacPon

u  LawsuitsfrompaPents,customers,businesspartners

•  Everythingyoudofrompreparingforthebreachtoyourresponsetoitisinprepara7onfortheseenforcementac7onsandlawsuits

27

PenalPes•  Recentchangestothelawhavesignificantlyincreasedthe

penalPesforviolaPngHIPAA:

u  FourPersofcivilmonetarypenalPesrangingfrom$100/perviolaPonto$1.5million/perviolaPon

u  CriminalpenalPes:upto$250,000infinesandupto10yearsinprison

•  BoththecoveredenPtyandindividualemployeescanbepenalizedforviolaPngHIPAA

•  BreachesmayalsoresultincostlyconsentordersorcorrecPveacPonplans,lawsuitsandaddiPonalpenalPesstateenforcementacPons

28

LearnfromOthers

•  In2014,NewYork-PresbyterianHospitalandColumbiaUniversityenteredintosehlementfor$4.8MforfailingtosecurepaPentinfo

•  Gov’tconcludedcompanies:Ø  Lackedtechnicalsafeguards

Ø  Failedtoconductaccurateriskanalyses

Ø  FailedtodevelopadequateriskmanagementplanstoaddresspotenPalsecuritythreats

29

Ques8ons+ContactInforma8on

WilliamJ.Roberts,ChairPrivacy+DataProtecPon

Tel:860-251-5051wroberts@goodwin.com Source:TheNewYorker,Sept.8,2015

“Bad news, captain. The ship’s computer has been sharing all our personal data with the Romulans.”

30

© 2007-2016 31

855-85-HIPAA www.compliancygroup.com

Need Help With HIPAA Compliance?

§  The Guard •  Total Compliance Solution •  Simple •  Cost-effective •  Compliance with Confidence

§  Support - We work with you •  Compliance Coaching •  HIPAA Hotline •  Education •  Culture of Compliance

§  Contact Us •  855 85 HIPAA (855-854-4722) •  www.CompliancyGroup.com

Incident Management

Audits SRA (Security Risk

Assessment), Administrative, Privacy

Remediation Plans

Policies, Procedures & Training

Business Associate

Management

Document Version

Employee Attestation &

Tracking