Walking the Health Care High Wire: Vulnerability & Breach Disclosure Requirements
Elizabeth Wharton, ewharton@hbss.net
Hall, Booth, Smith & Slover, P.C.
191 Peachtree Street N.E., Suite 2900, Atlanta, GA 30303
WWW.HBSS.NET
The Game: Data Breach & Vulnerability Disclosure Requirements in Health Care
The Game Plan
The Field: Federal & State
Players & Playbook
The Risks & Reward

The Field
HHS – Health care information
FTC – Non-health care information
States – Data Breach incl. health care

The Stakes:
The Paycheck: Fines
Suspension: Criminal Penalties
Endorsement Deals: Reputation

The Players
Patients
Providers
Business Associates
Researchers
Vendors

Team Roster
BA = Business Associate
PHI = Protected Health Information: individual, identifiable info. relating to the past, present or future health condition
ePHI = electronic protected health information
CE = covered entity
The Rules: Federal Conference
Federal Statutes: HIPAA Security Rule, HITECH Act

The League Rules: First Period
Security Regs. (45 C.F.R. 164.308, 310, 312, and 316)
Ensure confidentiality, integrity, and avail. of all ePHI the BA creates, receives, maintains or transmits;
Protect against any reasonably anticipated threats or hazards to the security or integrity of such info.;
Protect against any reasonably anticipated uses or disclosures of such info.; and
Ensure compliance w/ entire workforce.

The League Rules: Second Period
Two Categories: Required or Addressable
Addressable – assess whether each implementation specification is a reasonable and appropriate safeguard in its environment, when analyzed with reference to the likely contribution to protecting the entity's ePHI
If not implementing – document why not reasonable & appropriate & implement an alternative if avail.
The League Rules: Third Period
Security Rule – 3 Components: Physical, Administrative & Technical
Physical Safeguards
Facility Access Controls
Workstation Use
Workstation security
Device & media controls

The League Rules: Third Period
Technical Safeguards
Access Control
Audit Controls (record and examine activity)
Integrity (protect from improper alteration or destruction)
Person or entity authentication
Transmission security (not improperly modified, encryption)

The League Rules: Third Period
Administrative Safeguards
Security management process
Assigned security responsibility
Workforce security
Information access management
Security awareness and training
Security incident procedures
Contingency plan
Evaluation
BA contracts

The League Rules: Overtime
Security management process
Risk analysis
Risk management
The League Rules: Shootout
HITECH
BA, BA Agreements
DOJ to investigate, if not then HHS/OCR (Office of Civil Rights), then AG
Criminal Penalties – up to a year in prison
Civil Penalties – 4 Tiers
2/17/11 Req'd to investigate "Willful Neglect"
2/17/12 "Whistleblower" (share in $ collected)

The League Rules: Federal Conference
Penalty Box - Four Tiers:
Without knowledge: $100/violation; $25k cap
Reasonable cause: $1k/violation; $100k cap
Willful neglect: $10k/violation; $250k cap
Willful neglect & not corrected: $50k; $1.5m cap

Federal Conference "Elevator" Cheat Sheet
Reasonable
Anticipated
Encrypted or Indecipherable
Limited Access
No modification of data
Policies & Procedures
The Playbook: Breach
Breach: Unauthorized acquisition, access, use or disclosure of protected health information which compromises the security or privacy of such information
"Compromises" – poses a significant risk of financial, reputational, or other harm to the individual
NOT – unintentional, not accessed/read

The Playbook: Notification
Notification w/in 60 days
If more than 500 residents in an area: Must tell prominent media outlet, notify Secretary of HHS, HHS will post on website
Written, delivered by mail or e-mail (if individual prefers)
If no contact information, post notice on website, newspapers or broadcast media

The League Rules: Home Team Advantage
State Statutes: Not just health care – Data Breach
46 States & District of Columbia have enacted data breach notification statutes (National Conference of State Legislators, Oct. 2010)
States without: AL, KY, NM, SD

The League Rules: Home Team Advantage
Reasonable – notification & steps to prevent
Anticipated
Encrypted
Actual harm, disclosure v. breach
Fraud Impact
State Residents
Location of business in state matter?
* CA has 5 day notification requirement
Home Team Advantage
California Civ. Code 1798.80 – (e) "Personal information" means any information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver's license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information.

Home Team Advantage
California – per article 1/10/11, by Doug Pollack on idExperts
In mid-2010, CDPH announced that it imposed $675,000 in fines to six hospitals
Only 244 patients involved
Later in 2010, CDPH fined an additional eight facilities for a "failure to prevent unauthorized access to confidential patient medical information." Fines totaled $792,500.
The majority had breached the privacy of only one to ten patients in each incident.
Home Team Advantage
Connecticut – Sec. 36a-701b. "breach of security" means unauthorized access to or acquisition of electronic files, media, databases or computerized data containing personal information when access to the personal information has not been secured by encryption or by any other method or technology that renders the personal information unreadable or unusable;

Home Team Advantage
Connecticut – Sec. 36a-701b. (b) Any person who conducts business in this state, and who, in the ordinary course of such person's business, owns, licenses or maintains computerized data that includes personal information, shall disclose any breach of security following the discovery of the breach to any resident of this state whose personal information was, or is reasonably believed to have been, accessed by an unauthorized person through such breach of security.

Home Team Advantage
Connecticut – Sec. 36a-701b. (c) Any person that maintains computerized data that includes personal information that the person does not own shall notify the owner or licensee of the information of any breach of the security of the data immediately following its discovery, if the personal information was, or is reasonably believed to have been, accessed by an unauthorized person.
Home Team Advantage
Massachusetts Data Privacy Law 201 CMR 17 (Effective March 1, 2010)
Misuse of personal data by both individuals and companies and third party providers that store, collect or use personal information, including name, social security, driver's license number or financial information on Massachusetts residents - regardless of whether those organizations are based in or have offices in the state.

Home Team Advantage
Mississippi – Effective July 1, 2011
a) "Breach of security" means unauthorized acquisition of electronic files, media, databases or computerized data containing personal information of any resident of this state when access to the personal information has not been secured by encryption or by any other method or technology that renders the personal information unreadable or unusable;

Home Team Advantage
Mississippi – Notification
The disclosure shall be made without unreasonable delay after investigation.
Not required if the person reasonably determines that the breach will not likely result in harm to the affected individuals.

Home Team Advantage
Mississippi – Notification
Maintains data which includes personal … notify the owner or licensee … of any breach of the security of the data as soon as practicable following its discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person for fraudulent purposes.
Method of Notice: capped if over $5k cost, then e-mail ok
Home Team Advantage
Vermont – 9 V.S.A. § 2435. Notice of security breaches
The notice shall be clear and conspicuous. The notice shall include:
(A) The incident in general terms.
(B) The type of personal information.
(C) The general acts of the business to protect from further unauthorized access or acquisition.
(D) A toll-free telephone number to call for further information.
(E) Advice that directs the consumer to remain vigilant by reviewing account statements and monitoring free credit reports.
2 Minute Drill:
Formal Policies & Procedures
Assessment & Audit
Reasonably Anticipate
Breach or Disclosure?
Maintaining the data?
Actual v. Anticipated disclosure?

Highlight Reel
Connecticut – SOCT v. Health Net
Feb. 2010, CT Attorney General first to file
Health Net charged after a computer disk drive, containing personal information of 500k CT individuals (1.5m nationwide), stolen and the company failed to take appropriate actions
Data wasn't encrypted, failed to promptly notify
Case Settled: $250k, action plan & monitoring

Highlight Reel
Indiana – WellPoint, Inc.
32,000 Indiana residents
State Law – required to notify within reasonable time
First learned data possibly accessible via its website on Feb. 22, 2010 and again on March 8, 2010
Began notifying customers on June 18th

Highlight Reel
Vermont – Health Net
Similar issues with CT case
Impacted 552 Vermont residents
Brought under both federal (HIPAA/HITECH) & state (Data Breach & Consumer Fraud)
$55k fine
Season Preview:
iPad Apps – FDA approves applications
Assessment – Vulnerability Disclosure Programs
Reasonable – Higher Level
Who to report to?
CYA

The Field: Federal & State
HIPAA, HITECH, State Data Breach
Players & Playbook
CE, BA, State Resident
The Risks & Reward
Reasonable Assessment, Penalties