
Health Insurance Portability and Accountability Act (HIPAA): Breach Notification Rule

Health Insurance Portability and Accountability Act (HIPAA): Breach Notification Rule. April 2019 Alissa Smith. Outline of Presentation. HIPAA Breach Notification Rule Overview Updates on OCR Enforcement Complaints Investigations Settlement Amounts Examples.


Presentation Transcript


  1. Health Insurance Portability and Accountability Act (HIPAA): Breach Notification Rule April 2019 Alissa Smith

  2. Outline of Presentation • HIPAA Breach Notification Rule Overview • Updates on OCR Enforcement • Complaints • Investigations • Settlement Amounts • Examples

  3. HIPAA Breach Notification Rule • Breach: the access, acquisition, use or disclosure of unsecured PHI not permitted under the Privacy Rule that compromises the security or privacy of the PHI • Unsecured PHI: PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by HHS (e.g., encrypted, shredded).

  4. HIPAA Breach Notification Rule(cont’d) • A potential breach is presumed to be a “breach” (requiring breach notification) unless an exclusion applies or a 4-part risk assessment demonstrates that there is a low probability that the PHI has been compromised.

  5. HIPAA Breach Notification Rule: Exclusions • Three Exclusions • Good faith internal access • Good faith internal disclosure • External disclosure but good faith belief that person to whom disclosure was made would not reasonably have been able to retain the information

  6. HIPAA Breach Notification Rule: Risk Assessment • In order to conclude that breach notification is not required, the covered entity must have addressed all four factors in the risk assessment and determined that the use/disclosure poses a low probability that the PHI has been compromised. • OCR expects risk assessments to be thorough, completed in good faith, and to reach reasonable conclusions. • Retain documentation of the investigation, the risk assessment and all notifications (6 years)

  7. HIPAA Breach Notification Rule:4-Part Risk Assessment • The nature and extent of the PHI involved (including the types of PHI, and the likelihood of re-identification); • The unauthorized person who used the PHI or to whom the disclosure was made; • Whether the PHI was actually acquired or viewed; and • The extent to which the risk to the PHI has been mitigated. After considering these factors, the CE must presume there is a “breach” requiring notification unless the analysis demonstrates that there is a low probability that the PHI has been compromised.

  8. Breach Notifications - the who, when, and how
  Large breaches (500 or more individuals):
  • Affected individuals: no later than 60 days after breach discovery; delivered by first-class mail unless an individual agrees to email
  • The Secretary of Health and Human Services: no later than 60 calendar days after the breach was discovered
  • The media: for breaches involving 500 or more residents of a state or jurisdiction, notify all prominent media outlets of that state or jurisdiction no later than 60 days after breach discovery
  Small breaches (fewer than 500 individuals):
  • Affected individuals: no later than 60 days after breach discovery; delivered by first-class mail unless an individual agrees to email
  • The Secretary of Health and Human Services: no later than 60 calendar days after the end of the calendar year in which the breach(es) were discovered (annual log)

  9. Breach Notification: Information • Notification Must be Detailed • a brief description of what happened, including the date of the Breach and the date of discovery of the Breach; • a description of the types of Unsecured PHI involved (without, however, including specific PHI); • any steps Individuals should take to prevent potential harm resulting from the Breach; • a brief description of what Covered Entity is doing (i) to investigate the Breach, (ii) to mitigate harm to Individuals and (iii) to protect against further Breaches; and • contact procedures for Individuals to ask questions or learn additional information, including a toll free telephone number, email address, website, or postal address.

  10. HIPAA Enforcement • HHS OCR interprets and enforces the Privacy Rule, Security Rule and Breach Notification Rule • Civil Penalties: up to $1.5M per calendar year for all violations of an identical provision • Criminal Penalties: up to $250K and 10 years in prison • No Private Right of Action (note that state privacy laws and data breach notification laws may include private rights of action) • Liability for Actions of Business Associates • Approximately 20% of PHI data breaches have been caused by Business Associates

  11. State Data Privacy and Breach Notification Laws • In addition to HIPAA, almost all states across the country have adopted various laws that require breach notification, privacy and confidentiality standards, and impose additional penalties. • Iowa Personal Information Security Breach Notification (715C) • Iowa Mental Health Information Privacy Law (228) • Iowa HIV/AIDS Test Information Privacy Law (141A) • Iowa and Federal Substance Abuse Treatment Records Privacy Law (125)

  12. Current State of Affairs • External threats at all time high- hacking, ransomware • Internal threats are the largest source of risk for covered entities – snooping, social media, phishing attacks • More individual complaints • OCR enforcement posture more aggressive • OCR widening review of small breaches • Settlement amounts are increasing

  13. Statistics-2019 • Since the implementation of the Privacy Rule in April 2003 (figures as of July 2017), OCR has: • Received 184,614 HIPAA complaint cases/potential breaches • Initiated over 928 compliance reviews on its own • Resolved 199,485 complaint cases (98%) • Investigated/resolved 26,621 cases by requiring changes through corrective action or providing technical assistance • Made 717 referrals to the DOJ for criminal sanctions • Reached settlements (called Resolution Agreements) with 62 entities since 2009, totaling $96,581,582 • Almost all settlements are a result of an initial breach notification • Almost all settlements include a 2 to 3-year corrective action plan

  14. OCR Concluded 2018 with All-Time Record Year for HIPAA Enforcement • February 7, 2019 press release: OCR has concluded an all-time record year in HIPAA enforcement activity. In 2018, OCR settled 10 cases and secured one judgment, together totaling $28.7 million. This total surpassed the previous record of $23.5 million from 2016 by 22 percent. In addition, OCR also achieved the single largest individual HIPAA settlement in history, $16 million with Anthem, Inc., representing a nearly three-fold increase over the previous record settlement of $5.5 million in 2016.

  15. Statistics-2019 • Since the beginning of 2019, 71 large-scale (500 or more) breaches have been reported to the OCR • Breaches are categorized by following: • Type • (Theft, loss, etc.) • Location • (Desktop, portable device, email, etc.) • Entity • (Health Plan or Health Provider)

  16.-18. Statistics (chart slides; no text in the transcript)

  19. Resolution Agreements (RAs) & Corrective Action Plans (CAPs) Example: • University of Texas MD Anderson Cancer Center (summary judgment issued July 18, 2018) • Three separate breaches occurred between April 2012 and December 2013 • The first breach involved the theft of an unencrypted laptop that contained the ePHI of 29,021 individuals • The second and third breaches were both losses of unencrypted USB devices that contained the ePHI of 5,862 individuals • Penalty amount: $4.3 million (a civil money penalty upheld on summary judgment, the one judgment referenced on slide 14, rather than a negotiated settlement)

  20. Resolution Agreements (RAs) & Corrective Action Plans (CAPs) Example: • Boston Medical Center, Brigham and Women’s Hospital and Massachusetts General Hospital (September 2018) • At the three separate medical centers, PHI was compromised by inviting documentary film crews from ABC onto the premises without first obtaining authorization from patients. • Collectively, the medical centers paid around $999,000 • Boston Medical Center: $100,000 • Brigham and Women’s Hospital: $384,000 • Massachusetts General Hospital: $515,000 • Length of CAPs • Boston Medical Center: 2 years • Brigham and Women’s Hospital: unspecified • Massachusetts General Hospital: 1 year

  21. Resolution Agreements (RAs) & Corrective Action Plans (CAPs) Example: • Anthem, Inc. (October 15, 2018) • In March 2015, Anthem, an independent licensee of the Blue Cross and Blue Shield Association, reported that its IT system had been attacked “via an undetected continuous and targeted cyberattack” • Between December 2, 2014 and January 27, 2015, the ePHI of almost 79 million individuals had been stolen, making this the largest health data breach in US history • Resolution Agreement Amount: $16,000,000 • Length of CAP: 2 years

  22. Resolution Agreements (RAs) & Corrective Action Plans (CAPs) Example: • Allergy Associates of Hartford, PC (AAH) (November 26, 2018) • In February 2015, a doctor working for AAH spoke with a local television reporter about a dispute with a patient • The patient had alleged that AAH had turned her away because of her use of a service animal • During the conversation, the doctor “impermissibly disclosed the PHI” of the patient • Resolution Agreement Amount: $125,000 • Length of CAP: 2 years

  23. Resolution Agreements (RAs) & Corrective Action Plans (CAPs) Example: • Advanced Care Hospitalists PL (ACH) (December 4, 2018) • Between November 2011 and June 2012, ACH engaged the services of a representative of a Florida-based company called “Doctor’s First Choice Billings, Inc.” (First Choice) • In February 2014, a local hospital alerted ACH that patient PHI, including dates of birth and SSNs, was viewable on First Choice’s website • ACH self-reported, believing only 400 individuals were affected; OCR’s investigation found that an additional 8,855 patients’ PHI had been disclosed and that ACH had never entered into a BAA with First Choice • Finally, the representative working with ACH was not affiliated with First Choice, but was using First Choice’s name and website without the owner’s knowledge. • Resolution Agreement Amount: $500,000 • Length of CAP: 2 years

  24. Resolution Agreements (RAs) & Corrective Action Plans (CAPs) Example: • Pagosa Springs Medical Center (PSMC) (December 11, 2018) • A former employee of PSMC retained access to PSMC’s web-based scheduling calendar after leaving, giving the former employee access to the ePHI of 557 individuals • Resolution Agreement Amount: $114,500 • Length of CAP: 2 years
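The Pagosa Springs case is an access-deprovisioning failure: an account outlived the employment it was tied to. The check below is an added example (not part of the presentation, and not PSMC's or any vendor's code) of the reconciliation a covered entity can run between an application's user export and the HR roster to find such accounts before an outsider does. The CSV column names and the constructed sample rows are assumptions standing in for real exports.

```python
# Added example: reconcile an application's account list against the HR roster
# to catch accounts that survived an employee's departure (the Pagosa Springs
# failure mode). All data below is constructed; the column names are assumptions
# about what an HR export and an application user export would contain.
import csv
import io
from datetime import date, timedelta

# Constructed HR export: who works here, and when leavers left.
HR_ROSTER_CSV = """employee_id,name,status,termination_date
1001,Ada Reyes,active,
1002,Ben Okafor,terminated,2018-03-15
1003,Cleo Tran,terminated,2018-05-30
1004,Dev Patel,active,
"""

# Constructed export from the (hypothetical) scheduling application's user table.
APP_ACCOUNTS_CSV = """username,employee_id,enabled,last_login
areyes,1001,true,2018-07-02
bokafor,1002,true,2018-06-30
ctran,1003,false,2018-05-28
dpatel,1004,true,2018-07-01
svc_calendar,,true,2018-07-02
"""


def parse_csv(text):
    """Parse a CSV export into a list of dict rows keyed by header."""
    return list(csv.DictReader(io.StringIO(text)))


def find_orphaned_accounts(roster_rows, account_rows, as_of, grace_days=1):
    """Return findings for enabled accounts that should not be live.

    Flags three conditions:
      - terminated_owner: the owner left more than grace_days before as_of
      - unknown_employee: the employee_id is not on the HR roster at all
      - no_owner: the account has no employee_id (shared or service account)
    Disabled accounts are skipped; the check is about access that still works.
    """
    terminated = {}
    for r in roster_rows:
        if r["status"] == "terminated" and r["termination_date"]:
            terminated[r["employee_id"]] = date.fromisoformat(r["termination_date"])
    known_ids = {r["employee_id"] for r in roster_rows}

    findings = []
    for acct in account_rows:
        if acct["enabled"].strip().lower() != "true":
            continue
        eid = acct["employee_id"].strip()
        if not eid:
            findings.append({"username": acct["username"], "reason": "no_owner"})
        elif eid not in known_ids:
            findings.append({"username": acct["username"], "reason": "unknown_employee"})
        elif eid in terminated:
            left = terminated[eid]
            if as_of > left + timedelta(days=grace_days):
                last_login = date.fromisoformat(acct["last_login"]) if acct["last_login"] else None
                findings.append({
                    "username": acct["username"],
                    "reason": "terminated_owner",
                    "days_since_termination": (as_of - left).days,
                    # A login after the termination date is what turns an
                    # access-control gap into a potential breach to risk-assess.
                    "used_after_termination": last_login is not None and last_login > left,
                })
    return findings


def run_sample(as_of=date(2018, 7, 3)):
    """Run the check over the constructed exports as of a fixed date."""
    return find_orphaned_accounts(parse_csv(HR_ROSTER_CSV), parse_csv(APP_ACCOUNTS_CSV), as_of)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

On the constructed data the check flags `bokafor` (owner terminated 110 days earlier and still logging in, which is exactly the Pagosa Springs fact pattern and a candidate for the 4-part risk assessment) and `svc_calendar` (no accountable owner), and ignores `ctran`, whose account was disabled. Running it on a schedule for every system that holds ePHI, not just the identity provider, is the point: a web-based calendar that is not tied to single sign-on is the kind of system that gets missed at offboarding.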

  25. Resolution Agreements (RAs) & Corrective Action Plans (CAPs) Example: • Cottage Health (December 2018) • Two separate breaches affecting over 62,500 individuals • The first breach occurred in December 2013 • The configuration of Cottage Health’s server allowed access to patient ePHI without requiring a username or password, so anyone who could reach the server could read patient PHI • The second breach occurred in December 2015 • Cottage Health’s server was “misconfigured following an IT response to a troubleshooting ticket, exposing unsecured ePHI over the internet” • Resolution Agreement Amount: $3,000,000 • Length of CAP: 3 years

  26. Personal Lawsuits • HIPAA does not provide a private right of action for plaintiffs. • Violations are subject only to enforcement actions by OCR or state attorneys general (SAG). • BUT • Courts in some states have allowed plaintiffs to use HIPAA as the standard of care/legal duty in state law negligence actions against healthcare providers for privacy violations • Claims have included losses/injuries from slander/defamation, financial and reputational harm, and negligent infliction of emotional distress • E.g.: Connecticut, New York, Massachusetts, Missouri, West Virginia, Tennessee, Minnesota, and North Carolina.

  27. Data Breach Litigation Trends • The most common causes of data breaches in the healthcare setting are: • (1) Hacking and IT incidents; and • (2) Unauthorized access and disclosure incidents. • Why? • On the black market, a social security number or credit card number is worth only pennies. A full medical record is worth between $500 and $1,000. • A medical record can be used for submitting fraudulent insurance claims, obtaining prescription drugs, and blackmail.

  28. Data Breach Litigation Trends, Cont. • No comprehensive national rules or legislation in place for data breach litigation. • Federal Level • Claims brought under section 5(a) of the Federal Trade Commission Act for engaging in “unfair” or “deceptive” trade practices. • E.g., FTC v. Wyndham Worldwide Corp., 10 F. Supp. 3d 602 (D.N.J. 2014); Fed. Trade Comm’n v. D-Link Sys., No. 3:17-cv-00039-JD (N.D. Cal. Sept. 19, 2017). • State Level • Attorneys General bring suits for violations of state-specific data breach laws, or as extensions of unfair consumer practices or unfair trade practices statutes. • Note: Iowa Code 715C (“Personal Information Security Breach Protection”) specifically exempts HIPAA-compliant entities.

  29. Class Action Lawsuits: • On November 25, 2018, a plaintiff going by the name Jane Doe filed a class action lawsuit against UnityPoint Health (UPH) • The complaint cites 2 UPH data breaches related to patient records • 1 in 2017 involving 16,429 individuals • 1 in 2018 involving 1.4 million individuals • These breaches divulged the following PHI: • Contact information such as names, phone numbers, email addresses, etc. • Billing information such as insurance information, Medicare numbers, billing numbers, etc. • Health information such as diagnoses, lab results, medications, etc. • Claims include: • Invasion of Privacy • Negligent Training and Supervision • Negligence • Breach of Contract • This is the first class action lawsuit of its kind to be filed in the state of Iowa • Amount sought: $5,000,000

  30. Class Action Lawsuits: • In February 2019, Community Health Systems (CHS) settled a class action lawsuit over a breach that affected 4.5 million individuals • In August 2014, CHS reported that a “group originating from China used highly sophisticated malware and technology to attack” its systems • Under the terms of the settlement, affected individuals are eligible to receive $250 • Individuals who had out-of-pocket losses “attributable to actual identity fraud and/or identity theft that allegedly occurred as a result” of the breach are eligible to claim up to $5,000 • Settlement Amount: $3.1 million

  31. Lessons to be Learned: Preventing Breaches • The exposure of PHI can be technical (unencrypted devices) and non-technical (loss of papers/property containing PHI); resources should be applied to prevent both • There is no substitute for customized, implemented HIPAA policies and procedures, with frequent training of staff to mitigate risk from the inside • Business-grade IT security is critical to mitigate risk from outside threats • Ongoing risk assessments are critical to update responses as business and technology evolve • Screen and monitor BAs (there are more than 7M BAs in the US)

  32. Lessons to be Learned: Responding to Breaches • Analyze potential breaches in good faith. 45 CFR 164.400 et seq. • Hire counsel and consultants if needed to evaluate the issues • Use a breach response team to ensure multiple perspectives; follow breach response policies and protocol (e.g., forms, 2-person interviews, when to hire outside experts, attorney-client privilege considerations) • Review applicable contracts (e.g., BAAs) to determine other terms which may govern breach response/notice/indemnification • Ensure a process is provided for individuals to make complaints regarding HIPAA. 45 CFR 164.530(d) • Ensure appropriate sanctions are applied to workforce members who fail to comply. 45 CFR 164.530(e) • Do not intimidate or retaliate against any person who files a complaint, testifies or assists in an OCR investigation or proceeding, or who opposes any act or practice that is unlawful under HIPAA. 45 CFR 160.316 • Mitigate any harmful effects (to the extent practicable) (e.g., credit monitoring). 45 CFR 164.530(f) • Report all breaches timely in accordance with HIPAA’s Breach Notification Rule. 45 CFR 164.400 et seq. • Report breaches as required under applicable state law

  33. Lessons to be Learned: Responding to Breaches (cont’d) • Review and update policies if needed to ensure non-compliance will not happen in the future (and to be prepared in the event of an investigation) • Retrain staff if needed to prevent non-compliance; prepare key staff about what to expect in the event of an investigation • Where are policies; what do policies say; who are internal privacy and security officers • Have policies, procedures, breach risk assessments, security risk analysis, investigation materials, copies of breach notifications, and other compliance documentation organized and ready in case of an investigation

  34. HIPAA Breaches: What Are My Resources? • Office for Civil Rights Website with Breach Notification Toolkit: https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html • Office for Civil Rights Database of all Large Breaches: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf • OCR Ransomware Fact Sheet: https://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf • OCR Publishes Quarterly Cybersecurity Newsletters: https://www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity-newsletter-spring-2019/index.html • HIPAA Privacy and Security Policies and Procedures and Officers

  35. Real World Example • Mat-Su Borough, Alaska: • Zero-day, advanced persistent threat ransomware attack • Malware delivered through a link an employee clicked on May 3, 2018 • Dormant until July 24, 2018, when a “crypto locker” was launched to lock/encrypt data files • Infected all IT systems connected to the network (computers, phones, faxes, printers, copiers) • Staff resorted to using typewriters and handwritten forms • Reported to the FBI and shipped all computers, etc. off to be cleaned • Decided not to pay the ransom because of a strong backup system • IT analysts could not determine whether the attackers accessed PHI • Is it a breach?

  36. Questions? Alissa Smith Partner Dorsey & Whitney, LLP smith.alissa@dorsey.com (515) 699-3267
