Security & Privacy Topics to Watch in 2016
Kirk J. Nahra Wiley Rein LLP
Washington, D.C. 202.719.7335 [email protected] @kirkjnahrawork
(April 27, 2016)
My Presentation
• Address some of the key hot topics for privacy and security in 2016
• Start with “inside HIPAA” issues
• Move to issues that are “partially HIPAA,” even if driven by other rules/laws
• And then conclude with what’s “next to” HIPAA
Page 2
Inside HIPAA - Enforcement
• Remember the HHS OCR overall approach
• Many thousands of complaints, limited official enforcement actions on privacy or security
• Hundreds of complaints referred to DOJ for criminal investigation
• “Our first approach to dealing with any complaint is to work for voluntary compliance. So far it’s worked out pretty well.” – (former) OCR Head
Page 3
Enforcement – HITECH
• Expectation of new attitude from the new Administration
• Much higher penalties
• New authority for State AGs
• Criminal sanctions available against employees
• But not much new yet
Page 4
Enforcement Issues – Criminal
• The Gibson case
• Hospice employee stole patient info, used it to establish fake credit cards
Page 5
Enforcement Issues – Criminal
• Lots of cases involving insiders mis-using data (not just an issue in health care)
• Celebrities, friends/family, non-friends
• Identity theft and health care fraud
• Selling records to plaintiffs’ personal injury lawyers
Page 6
Enforcement Issues – Civil
• $4.3 million penalty against Cignet Health Care in Maryland
• An enormous penalty, related to access violations AND a failure to cooperate with the investigation
• From published documents, Cignet (a) did not take its HIPAA responsibilities seriously AND (b) completely blew off the government investigation.
• Advice – don’t do that.
Page 7
Inside HIPAA - OCR Enforcement Changes
• Despite press reports every time there is a new case, no meaningful increase to date
• Investigations are more thorough and more burdensome
• Increasing pressure to do more on both audits and investigations
• Still generally very reasonable
Page 8
Enforcement
• Cases involving significant failures of compliance
• Cases involving repeated and/or uncorrected problems
• Particularly “noticeable” problems
• High impact cases (?)
Page 9
Recent Cases
• Feinstein Institute for Medical Research agreed to pay Office for Civil Rights (OCR) $3.9 million for security problems in research context
• North Memorial Health Care of Minnesota agreed to pay $1,550,000 to settle charges that it potentially violated HIPAA Privacy and Security Rules by failing to enter into a BAA with a major contractor and failing to institute an organization-wide risk analysis to address the risks and vulnerabilities to its patient information.
• Two big cases, on back-to-back days (old incidents)
• Security failures are driving these settlements
Page 10
Enforcement
• There is pressure to do more
• Note – Many of the biggest breaches have not resulted in enforcement (yet)
• Remember – A security breach does not mean a HIPAA violation
• How does the FTC fit into any enforcement pressure?
Page 11
Breaches
• Too many breaches dealing with health care data
• Unclear if there are really “more” breaches, but some clearly involve more records
• A “breach” does not mean the law was violated – most reported breaches have not resulted in penalties or enforcement
• Compliance Tip – Make sure employees know where to go fast if there is a problem
Page 12
Enforcement - Business Associates
• Now subject to full HIPAA enforcement regime
• Many BAs are not in reasonable compliance with HIPAA Security Rule, particularly on documentation
• Is it fair to think they would be?
• Little consistency across BA universe – compare your PBM to a local document shredder or small consulting firm
Page 13
Business Associates
• No real enforcement involving business associates yet
• A real challenge for OCR – how to treat companies who deal with much more than health care
• And the enormous range of size/sophistication of these entities
• Enormous variations in actual contact with PHI
Page 14
HIPAA Security Compliance
• Keep in mind how compliance with the HIPAA Security Rule works
• Risk assessment and risk management, along with policies and procedures
• Good security practices as a separate idea
• Appropriate mitigation and risk assessment for potential security breaches
Page 15
HIPAA Compliance/Investigations
• Historically, HHS OCR has been very reasonable
• HOWEVER, primary difficulty with security breaches is that you are defending your practices after something has gone wrong
• Doesn’t mean you can’t do it, just a tougher burden
• This is where a company’s history and mitigation matters a lot
Page 16
HIPAA Compliance/Investigations
• HHS OCR investigations typically will trail substantially behind everything else
• Publicity, notification decisions, lawsuits
• Many of the most prominent security breaches in the healthcare industry have never resulted in an HHS penalty or settlement
• How much of the notice rule is “shame” or pressure to have better practices to avoid notice?
Page 17
HIPAA Compliance/CyberSecurity
• Also keep in mind that the HIPAA Security Rule focuses on PHI – data about patients or insureds
• Cybersecurity focuses on this data PLUS all the other data that you have and how your system works with others in the system
• So, in theory, you should have strong cyber practices if you comply with HIPAA and ensure that the HIPAA approach covers all of your activities.
• But lots of new activities and pressures in this area
Page 18
HIPAA Compliance/Investigations
Expect:
• Significant pressure to implement “tougher” security standards
• Real pressure for broader encryption
• Enforcement and adverse notice publicity to put real pressure on better practices
• Both CEs and BAs have exposure in this area
• Pay close attention to problems faced by others – through enforcement, media reports and otherwise
Page 19
Enforcement – Audits
• Will we finally see the Phase 2 audit program in 2016? (Yes)
• What is the goal of this program? (Not clear)
• We can expect that covered entities will do reasonably well on the Privacy Rule and not as well (and maybe badly) on the Security Rule
• BAs – if included – likely will be bad at all of it.
Page 20
Partially HIPAA
• Potential new legislation – 21st Century Cures
• Major legislation, with small number of privacy provisions (receiving almost no attention)
• Current provisions could dramatically change research rules
• Also could allow pharma to buy PHI for “research” or “public health” without payment limits
• Will this open up HIPAA again?
Page 21
Next to HIPAA
• What is “outside” of HIPAA is growing
• Web sites gather and distribute healthcare information – ranging from commercial web sites (e.g., WebMD) to patient support groups
• Significant expansion of mobile applications directed to healthcare data or offered in connection with health information
• “Wearables”
Page 23
More “next generation” issues
• An emerging (and related) issue - bringing “outside” HIPAA information “inside” HIPAA
• CEs are gathering all kinds of data about their patients/customers/insureds from outside the health care system and using it for “health care purposes”
Page 24
Recent Headlines
• Bloomberg - “You may soon get a call from your doctor if you’ve let your gym membership lapse, made a habit of picking up candy bars at the check-out counter or begin shopping at plus-sized stores.”
• New York Times - Health plan prediction models using consumer data from data brokers (e.g., income, marital status, number of cars), to predict emergency room use and urgent care.
• Fortune - Employers Are Quietly Using Big Data to Track Employee Pregnancies.
Page 25
What’s Next?
• The debate about “non-HIPAA” healthcare data is not going away
• Lots of pressure from many fronts to “do something” about this non-HIPAA health care data
• There is too much data being used by too many people in too many risky contexts
• Therefore . . .
Page 26
Tentative Predictions
3 Main Options
• Something specific for this non-HIPAA health care data
• Something that covers all health care data (a “general” HIPAA)
• A broader overall privacy law (with or without a HIPAA carve-out)
Page 27
De-Identification Issues
• Lots of discussion and debate about the de-identification standards
• Some guidance has been issued, with more likely to come
• Lots of publicity about “re-identification” concerns, but no situation where HIPAA de-identified data has been re-identified
Page 28
De-Identification Issues
• HIPAA standard remains the “gold standard” in terms of detail and effectiveness
• Growth in “non-HIPAA” health care data presents significant complications for de-identification standards
• Growing ability to gather and analyze data from broader variety of sources
• Ongoing challenges to ensure appropriate de-identification with differing data standards
Page 29
De-Identification Issues
• Should the de-identification rules change?
• Have the principles kept pace with technology? (A key but somewhat disingenuous issue for “privacy advocates”)
• Is it “too easy” to re-identify individuals?
• How does “big data” affect de-identification or re-identification?
• Compliance Challenge – How is this issue relevant to your company?
Page 30
Breach Litigation
• More and more cases being brought after breaches
• Plaintiffs’ class action bar is not letting this issue go
• But they are facing ongoing challenges in making these cases stick
• “Standing” and actual injury are real sticking points
Page 31
Smith v. Chase Manhattan Bank
• Facts of the case
• What do you think of the result?
• Why are we talking about this case?
• “The ‘harm’ at the heart of this purported class action is that class members were merely offered products and services which they were free to decline. This does not qualify as actual harm.”
Page 32
Maglio v. Advocate Health and Hospitals Corporation
• Facts of the case
• For the healthcare industry, what are the key issues here?
• Relevance of allegation that “hospital failed to meet its obligation to abide by the best practices and industry standards concerning the security of personal information and the computers associated therewith.”
Page 33
Maglio v. Advocate Health and Hospitals Corporation
• “Plaintiffs did not allege that their personal information was used in any unauthorized manner as a result of the burglary, but they claimed that they face an increased risk of identity theft and/or identity fraud.”
• Implications of this decision for health care companies (and others)
• Relevance of HIPAA to this case?
Page 34
Maglio v. Advocate Health and Hospitals Corporation
• “plaintiffs’ allegations of injury are clearly speculative, and therefore plaintiffs lack standing to bring suit. Their claims that they face an increased risk of, for example, identity theft are purely speculative and conclusory, as no such identity theft has occurred to any of the plaintiffs. Thus, their allegations fail to show a distinct and palpable injury.”
Page 35
Maglio v. Advocate Health and Hospitals Corporation
• Plaintiffs further argue that the medical information at issue here warrants a finding that the harm is implicit. They urge that an actual injury occurs when a medical professional fails to keep a patient’s medical information private. Such information is, they assert, inherently personal and particularized to the individual. We reject plaintiffs’ argument.
Page 36
Northwestern Memorial Hospital v. John Ashcroft
• Facts of the case
• Discussion of the HIPAA standard for subpoenas
• What do you think of the result?
Page 37
Northwestern Memorial Hospital v. John Ashcroft
• “even if there were no possibility that a patient’s identity might be learned from a redacted medical record, there would be an invasion of privacy.”
Page 38
Questions?
For further information, contact:
• Kirk J. Nahra, Wiley Rein LLP, 202.719.7335, [email protected], @kirkjnahrawork
• Subscribe (for free) to Privacy in Focus - http://www.wileyrein.com/publications.cfm?sp=newsletters
Page 39