Download
1 / 36
360 likes | 581 Vues
Health Insurance Portability and Accountability Act (HIPAA): Breach Notification Rule. April 2019 Alissa Smith. Outline of Presentation. HIPAA Breach Notification Rule Overview Updates on OCR Enforcement Complaints Investigations Settlement Amounts Examples.
E N D
Health Insurance Portability and Accountability Act (HIPAA): Breach Notification Rule April 2019 Alissa Smith
Outline of Presentation • HIPAA Breach Notification Rule Overview • Updates on OCR Enforcement • Complaints • Investigations • Settlement Amounts • Examples
HIPAA Breach Notification Rule Breach: The access, acquisition, use or disclosure of unsecured PHI not permitted under the Privacy Rule that compromises the security or privacy of the PHI Unsecured PHI: PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of technology or methodology specified by HHS (e.g., encrypted, shredded).
HIPAA Breach Notification Rule(cont’d) • A potential breach is presumed to be a “breach” (requiring breach notification) unless an exclusion applies or a 4-part risk assessment demonstrates that there is a low probability that the PHI has been compromised.
HIPAA Breach Notification Rule: Exclusions • Three Exclusions • Good faith internal access • Good faith internal disclosure • External disclosure but good faith belief that person to whom disclosure was made would not reasonably have been able to retain the information
HIPAA Breach Notification Rule: Risk Assessment • In order to determine a breach notification is not required, the covered entity must have addressed all four factors in the risk assessment and determined that the use/disclosure of the PHI poses a low probability that the PHI has been compromised. • OCR expects risk assessments to be thorough, completed in good faith, and for the conclusions reached to be reasonable. • Retain documentation of investigation, risk assessment and all notifications (6 years)
HIPAA Breach Notification Rule:4-Part Risk Assessment • The nature and extent of the PHI involved (including the types of PHI, and the likelihood of re-identification); • The unauthorized person who used the PHI or to whom the disclosure was made; • Whether the PHI was actually acquired or viewed; and • The extent to which the risk to the PHI has been mitigated. After considering these factors, the CE must presume there is a “breach” requiring notification unless the analysis demonstrates that there is a low probability that the PHI has been compromised.
Breach Notifications-the who, when, and how Small (lessthan 500 individuals) Large (500+ individuals) Affected individuals No later than 60 days after breach discovery Delivered by first-class mail Unless an individual agrees to email The Secretary of Health and Human Services No later than 60 calendar days after breach(es) were discovered The Media Breaches involving 500+ residents of a state or jurisdiction all prominent media outlets of the state or jurisdiction No later than 60 days after breach discoveries • Affected individuals • No later than 60 days after breach discovery • Delivered by first-class mail • Unless an individual agrees to email • The Secretary of Health and Human Services • No later than 60 calendar days after the end of the calendar year in which the breach(es) were discovered
Breach Notification: Information • Notification Must be Detailed • a brief description of what happened, including the date of the Breach and the date of discovery of the Breach; • a description of the types of Unsecured PHI involved (without, however, including specific PHI); • any steps Individuals should take to prevent potential harm resulting from the Breach; • a brief description of what Covered Entity is doing (i) to investigate the Breach, (ii) to mitigate harm to Individuals and (iii) to protect against further Breaches; and • contact procedures for Individuals to ask questions or learn additional information, including a toll free telephone number, email address, website, or postal address.
HIPAA Enforcement • HHS OCR interprets and enforces the Privacy Rule, Security Rule and Breach Notification Rule • Civil Penalties Up to $1.5M/violation • Criminal Penalties Up to $250K and 10yrs prison • No Private Right of Action (Note, state privacy laws and data breach notification laws may include private rights of action) • Liability for Actions of Business Associates • Approximately 20% of PHI data breaches have been caused by Business Associates
State Data Privacy and Breach Notification Laws • In addition to HIPAA, almost all states across the country have adopted various laws that require breach notification, privacy and confidentiality standards, and impose additional penalties. • Iowa Personal Information Security Breach Notification (715C) • Iowa Mental Health Information Privacy Law (228) • Iowa HIV/AIDS Test Information Privacy Law (141A) • Iowa and Federal Substance Abuse Treatment Records Privacy Law (125)
Current State of Affairs • External threats at all time high- hacking, ransomware • Internal threats are the largest source of risk for covered entities – snooping, social media, phishing attacks • More individual complaints • OCR enforcement posture more aggressive • OCR widening review of small breaches • Settlement amounts are increasing
Statistics-2019 • Between April 2003-July 2017, the ORC has: • Since the implementation of the Privacy Rule in April 2003: • 184,614 HIPAA complaint cases/potential breaches have been reported • OCR Initiated over 928 compliance reviews on its own • OCR Resolved 199,485 complaint cases (98%) • Investigated/resolved 26,621 cases by requiring changes through corrective action or providing technical assistance • Referred 717 referrals to the DOJ for criminal sanctions • Reached settlements (called Resolution Agreements) with 62 entities since 2009, totaling $96,581,582 • Almost all Settlements are a result of an initial breach notification • Almost all Settlements include a 2 to 3-year corrective action plan
OCR Concluded 2018 with All-Time Record Year for HIPAA Enforcement – • February 7, 2019 press release: OCR has concluded an all-time record year in HIPAA enforcement activity. In 2018, OCR settled 10 cases and secured one judgment, together totaling $28.7 million. This total surpassed the previous record of $23.5 million from 2016 by 22 percent. In addition, OCR also achieved the single largest individual HIPAA settlement in history of $16 million with Anthem, Inc., representing a nearly three-fold increase over the previous record settlement of $5.5 million in 2016.
Statistics-2019 • Since the beginning of 2019, 71 large-scale (500 or more) breaches have been reported to the OCR • Breaches are categorized by following: • Type • (Theft, loss, etc.) • Location • (Desktop, portable device, email, etc.) • Entity • (Health Plan or Health Provider)
Resolution Agreements (RAs) & Corrective Action Plans (CAPs) Example: • University of Texas MD Anderson Cancer Center (Summary Judgement issued July 18, 2018) • Three separate breaches occurred between April 2012 and December 2013 • The first breach involved the theft of an unencrypted laptop that contained the ePHI of 29,021 individuals • The second and third breaches were both losses of unencrypted USB devices that contained ePHI for 5,862 • Resolution Agreement Amount: $4.3 million
Resolution Agreements (RAs) & Corrective Action Plans (CAPs) Example: • Boston Medical Center, Brigham and Women’s Hospital and Massachusetts General Hospital (September 2018) • At the three separate medical centers, PHI was compromised by inviting documentary film crews from ABC into the premises without first obtaining authorization from patients. • Collectively, the medical centers paid around $990,000 • Boston Medical Center: $100,000 • Brigham and Women’s Hospital: $384,000 • Massachusetts General Hospital: $515,000 • Length of CAPs • Boston Medical Center: 2 years • Brigham and Women’s Health: unspecified • Massachusetts General Hospital: 1 year
Resolution Agreements (RAs) & Corrective Action Plans (CAPs) Example: • Anthem, Inc. (October 15, 2018) • In Marcy 2015, Anthem, an independent licensee of the Blue Cross and Blue Shield Association, reported that their IT system had been attacked “via an undetected continuous and targeted cyberattack” • Between December 2, 2014 and January 27, 2015, the ePHI of almost 79 million individuals had been stolen • Making this the largest health data breach in US history • Resolution Agreement Amount: $16,000,000 • Length of CAPs: 2 years
Resolution Agreements (RAs) & Corrective Action Plans (CAPs) Example: • Allergy Associates of Hartford, PC (AAH) (November 26, 2018) • In February 2015, a doctor working for AAH spoke with a local television reporter about a dispute with a patient • The patient had alleged that AAH had turned away the patient because the use of her service animal • During the conversation, the doctor “impermissibly disclosed the PHI” of the patient • Resolution Agreement Amount: $125,000 • Length of CAPs: 2 years
Resolution Agreements (RAs) & Corrective Action Plans (CAPs) Example: • Advanced Care Hospitalists PL (ACH) (December 4, 2018) • Between November 2011 and June 2012, ACH engaged the services of a representative of a Florida-based company called “Doctor’s First Choice Billings, Inc.” (First Choice) • In February of 2014, a local hospital alerted ACH that patient PHI, including DOB and SSNs were able to be seen on First Choice’s website • After ACH self-reported, believing only 400 individuals were affected, the OIG discovered that not only were there an additional 8,855 more patients’ PHI disclosed, but ACH had never entered into a BAA with First Choice • Finally, the representative working with ACH had not belonged to First Choice, but was using First Choice’s name and website without the owner’s knowledge. • Resolution Agreement Amount: $500,000 • Length of CAPs: 2 years
Resolution Agreements (RAs) & Corrective Action Plans (CAPs) Example: • Pagosa Springs Medical Center (PSMC) (December 11, 2018) • A former employee of PSMC had continued access to PSMC’s web-based scheduling calendar, allowing the former employee access to the ePHI of 557 individuals • Resolution Agreement Amount: $114,500 • Length of CAPs: 2 years
Resolution Agreements (RAs) & Corrective Action Plans (CAPs) Example: • Cottage Health (December 2018) • Two separate breaches affecting over 62,500 individuals • The first breach occurred in December 2013 • The configuration of Cottage Health’s server allow access to patient ePHI without requiring a username or password, allowing anyone with access to Cottage Health’s server had access to patient PHI • The second breach occurred in December 2015 • Cottage Health’s server was “misconfigured following an IT response to a troubleshooting ticket, exposing unsecured ePHI over the internet” • Resolution Agreement Amount: $3,000,000 • Length of CAPs: 3 years
Personal Lawsuits • HIPAA does not provide for a private right of action for plaintiffs. • Violations are subject only to enforcement actions by OCR or SAG on behalf of plaintiffs. • BUT • Courts in some states have allowed plaintiffs to use HIPAA as a standard of care/legal duty in state law tort negligence actions against healthcare providers for privacy violations • Claims have included losses/injuries from slander/defamation, financial, reputational, negligent infliction of emotional distress • E.g.: Connecticut, New York, Massachusetts, Missouri, West Virginia, Tennessee, Minnesota, and North Carolina.
Data Breach Litigation Trends • The most common cause of data breaches in the healthcare setting are: • (1) Hacking and IT incidents; and • (2) Unauthorized access and disclosure incidents. • Why? • On the black market, the value of a social security number or credit card is only worth pennies. The value of a full medical record is between $500-$1,000. • Medical Record can be used for submitting fraudulent insurance claims, obtaining prescription drugs, and blackmail.
Data Breach Litigation Trends, Cont. • No comprehensive national rules or legislation in place for litigation for breaches. • Federal Level • Claims brought under section 5(a) of the Federal Trade Commission Act for engaging in “unfair” or “deceptive” trade practices. • E.g., FTC v. Wyndham Worldwide Corp., 10 F. Supp. 3d 602 (D.N.J. 2014); Fed. Trade Comm’n v. D-Link Sys., No. 3:17-cv-00039-JD (N.D. Cal. Sept. 19, 2017). • State Level • Attorneys General bring suites for violations of state-specific data breach laws; extensions of unfair consumer practices or unfair trade practices statutes. • Note: Iowa Code 715C (“Personal Information Security Breach Protection”) specifically exempts from HIPAA compliant entities.
Class Action Lawsuits: • On November 25, 2018, a plaintiff going by the name Jane Doe filed a class action lawsuit against UnityPoint Health (UPH) • The complaint cites 2 UPH data breaches related to patient records • 1 in 2017 involving 16,429 individuals • 1 in 2018 involving 1.4 million individuals • These breaches divulged the following PHI: • Contact information such as: names, phone numbers, email address, etc. • Billing information such as: insurance information, Medicare numbers, billing numbers, etc. • Health information such as: diagnoses, lab results, medications, etc. • Complaints include: • Invasion of Privacy • Negligent Training and Supervision • Negligence • Breach of Contract • This is the first class action lawsuit of its kind to be filed in the state of Iowa • Amount being sought: $5,000,000
Class Action Lawsuits: • In February 2019, Community Health Systems (CHS) settled a class action lawsuit that affected 4.5 million individuals • In August 2014, that a “group originating from China used highly sophisticated malware and technology to attack” in a cyberattack against CHS • Under the terms of the settlement, individuals are eligible to receive $250 • With individuals who had to pay for out-of-pocket losses attributable to actual identity fraud and/or identity theft that allegedly occurred as a result” of the breach are eligible to claim up to $5,000 • Settlement Amount: $3.1 million
Lessons to be Learned: Preventing Breaches • The exposure of PHI can be technical (unencrypted devices) and non-technical (loss of papers/property containing PHI)- resources should be applied to prevent both • There is no substitute for customized, implemented HIPAA policies and procedures, with frequent training of staff to mitigate risk from the inside • Business grade IT security is critical to mitigate risk from outside threats • Ongoing implementation of risk assessments is critical to update responses as business and technology evolves • Screen and monitor BAs (there are more than 7M BAs in the US)
Lessons to be Learned: Responding to Breaches • Analyze potential breaches in good faith. 45 CFR 400 • Hire counsel and consultants if needed to evaluate the issues • Use breach response team to ensure multiple perspectives; follow breach response policies and protocol (e.g., forms, 2-person interviews, when to hired outside experts, attorney-client privilege considerations) • Review applicable contracts (e.g., BAAs) to determine other terms which may govern breach response/notice/indemnification • Ensure a process is provided for individuals to make complaints regarding HIPAA. 45 CFR 164.530(d) • Ensure appropriate sanctions are applied to workforce members who fail to comply. 45 CFR 164.530 (e) • Do not intimidate or retaliate against any person who files a complaint, testifies or assists in an OCR investigation or proceeding, or who opposes any act or practice that is unlawful under HIPAA. 45 CFR 160.316 • Mitigate any harmful effects (to the extent practicable) (e.g., credit monitoring) 45 CFR 164.530 (e) • Report all breaches timely in accordance with HIPAA’s Breach Notification Rule. 45 CFR 400 • Report breaches as required under applicable state law
Lessons to be Learned: Responding to Breaches (cont’d) • Review and update policies if needed to ensure non-compliance will not happen in the future (and to be prepared in the event of an investigation) • Retrain staff if needed to prevent non-compliance; prepare key staff about what to expect in the event of an investigation • Where are policies; what do policies say; who are internal privacy and security officers • Have policies, procedures, breach risk assessments, security risk analysis, investigation materials, copies of breach notifications, and other compliance documentation organized and ready in case of an investigation
HIPAA Breaches: What Are My Resources? • Office for Civil Rights Website with Breach Notification Toolkit: https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html • Office for Civil Rights Database of all Large Breaches: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf • OCR Ransomware Fact Sheet: https://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf • OCR Publishes Quarterly Cybersecurity Newsletters: https://www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity-newsletter-spring-2019/index.html • HIPAA Privacy and Security Policies and Procedures and Officers
Real World Example • Mat-Su Borough, Alaska: • Zero Day, Advanced Persistent Threat Ransomware Attack • Malware in a link clicked on by an employee May 3, 2018 • Dormant until July 24, 2018, and then a “crypto locker” was launched to lock/encrypt data files • Infected all IT systems connected to the network (computers, phones, faxes, printers, copiers) • Resorted to using typewriters, handwritten forms • Reported to the FBI and shipped all computers, etc. to be cleaned • Decided Not to Pay the Ransom due to strong back up system • IT analysts could not determine whether attackers accessed PHI • Is it a breach?
Questions? Alissa Smith Partner Dorsey & Whitney, LLP smith.alissa@dorsey.com (515) 699-3267
