
Privacy Issues for Employers and Health Plans


Presentation Transcript


  1. This UBA Employer Webinar Series is brought to you by United Benefit Advisors in conjunction with Jackson Lewis. For a copy of the following presentation, please visit our website at www.UBAbenefits.com. Go to the Wisdom tab and then to the HR webinar series page.

  2. United Benefit Advisors: Privacy Issues for Employers and Health Plans
     Presented by: Lilly Moon (moonl@jacksonlewis.com)
     April 14, 2015

  3. About the Firm
     • Represents management exclusively in every aspect of employment, benefits, labor, and immigration law and related litigation
     • Over 780 attorneys in 54 locations nationwide
     • Current caseload of over 6,500 litigations and approximately 550 class actions
     • Founding member of L&E Global

  4. HIPAA – A Brief Refresher
     • What is HIPAA?
     • Are you a covered entity?
     • What plans are covered?
     • Basic principles under HIPAA:
       • Covered Entities that possess . . .
       • individually identifiable information related to an individual’s health care, or provision or payment for health care . . .
       • cannot be used or disclosed except under specified circumstances, and must be safeguarded.

  5. HIPAA – A Brief Refresher
     • What is protected health information?
       • Information created or received by a covered entity or employer
       • Relating to an individual’s past, present or future
         • Physical or mental health or condition, or
         • Provision of health care, or
         • Payment for health care
       • That does or reasonably could identify the individual
     • Genetic information under GINA

  6. HIPAA – A Brief Refresher
     • What is NOT protected health information?
       • Medical information collected or maintained in connection with employer obligations under law (wearing your “employer hat”)
         • FMLA, ADA, sick leave requests
         • Occupational injury
         • Disability insurance eligibility
         • Drug screening results
         • Workplace medical surveillance
         • Fitness-for-duty tests
     • Focus on WHY the employer acquired the information

  7. HIPAA – Fully Insured v. Self-Funded
     • What do plans (plan sponsors) need to consider when addressing compliance with HIPAA privacy and security?
       • Fully insured plan exception v. self-funded plans
       • Privacy rules
       • Security rules

  8. HIPAA Privacy Rule Compliance
     • What are the key requirements under the HIPAA privacy rule?
       • Appoint a Privacy Officer
       • Amend the health plan for plan sponsor access, and obtain plan sponsor certification
       • Adopt written policies including:
         • Safeguards to protect PHI
         • Accommodating individuals’ rights including access, amendments, accounting for disclosures, restrictions, etc.
         • Record retention and documentation
         • Complaints and sanctions

  9. HIPAA Privacy Rule Compliance
     • What are the key requirements under the HIPAA privacy rule? (ctd.)
       • Identify and contract with business associates (and their sub-contractors—discussion ahead!)
       • Distribute notice of privacy practices
       • Train employees as reasonably necessary to ensure compliance
       • Maintain a plan for responding to breaches of unsecured PHI
       • Periodically review and document compliance efforts

  10. HIPAA Security Rule Compliance
     • What are the key requirements under the HIPAA security rule?
       • The security rule applies to electronic PHI only
         • PHI that is computer based, e.g., created, received, stored or maintained, processed and/or transmitted in electronic media
         • Electronic media includes computers, laptops, disks, memory sticks, PDAs, servers, networks, dial-up modems, e-mail, websites, etc.
       • Security means ensuring the confidentiality, integrity, and availability of PHI that the covered entity creates, receives, maintains, or transmits, through applicable administrative, physical and technical standards.

  11. HIPAA Security Rule Compliance
     • What are the key requirements under the HIPAA security rule? (ctd.)
     Administrative Safeguards (R = required implementation specification; A = addressable)
       • Security Management Process
         • Risk analysis (R)
         • Risk management (R)
         • Sanction policy (R)
         • Information system activity review (R)
       • Assign Security Responsibility

  12. HIPAA Security Rule Compliance
     • What are the key requirements under the HIPAA security rule? (ctd.)
       • Workforce Security
         • Authorization or supervision of workforce (A)
         • Workforce clearance procedure (A)
         • Termination procedures (A)
       • Information Access Management
         • Access authorization (A)
         • Access establishment and modification (A)

  13. HIPAA Security Rule Compliance
     • What are the key requirements under the HIPAA security rule? (ctd.)
       • Security Awareness and Training
         • Security reminders (A)
         • Protection from malicious software (A)
         • Log-in management (A)
         • Password protection (A)
       • Security Incident Procedures
         • Response and reporting (R)

  14. HIPAA Security Rule Compliance
     • What are the key requirements under the HIPAA security rule? (ctd.)
       • Contingency Plan
         • Data backup plan (R)
         • Disaster recovery plan (R)
         • Emergency mode operation plan (R)
         • Testing and revision procedures (A)
         • Applications and data criticality analysis (A)
       • Evaluation
       • Business Associates
         • Written agreement (R)

  15. HIPAA Security Rule Compliance
     • What are the key requirements under the HIPAA security rule? (ctd.)
     Physical Safeguards
       • Facility Access Controls
         • Contingency operations (A)
         • Facility security plan (A)
         • Access control and validation procedures (A)
         • Maintenance records (A)
       • Workstation Use
       • Workstation Security

  16. HIPAA Security Rule Compliance
     • What are the key requirements under the HIPAA security rule? (ctd.)
       • Device and Media Controls
         • Disposal (R)
         • Media re-use (R)
         • Accountability (A)
         • Data back-up and storage (A)

  17. HIPAA Security Rule Compliance
     • What are the key requirements under the HIPAA security rule? (ctd.)
     Technical Safeguards
       • Access Control
         • Unique user identification (R)
         • Emergency access procedure (R)
         • Automatic log-off (A)
         • Encryption and decryption (A)
       • Audit Controls
       • Integrity
         • Authenticate ePHI (A)

  18. HIPAA Security Rule Compliance
     • What are the key requirements under the HIPAA security rule? (ctd.)
       • Person or Entity Authentication
       • Transmission Security
         • Integrity controls (A)
         • Encryption (A)

  19. HIPAA Breach Notification
     • What are the key features of the breach notification rule under HIPAA?
       • Applies to covered entities and business associates
       • Final regulations confirm covered entities still have the obligation to provide notification
         • Covered entities may delegate that responsibility to business associates by contract
       • Triggered for unsecured PHI

  20. HIPAA Breach Notification
     • What are the key features of the breach notification rule under HIPAA?
       • No risk-of-harm standard; CEs and BAs must consider the following factors to determine if there is a breach:
         • the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
         • the unauthorized person who used the PHI or to whom the disclosure was made;
         • whether the PHI was actually acquired or viewed; and
         • the extent to which the risk to the PHI has been mitigated.

  21. HIPAA Breach Notification
     • What are the key features of the breach notification rule under HIPAA?
       • Generally follows the format of 46 state laws with some key distinctions:
         • Absent a law enforcement delay, must provide notice without unreasonable delay but not later than 60 days following discovery
         • Notify the Secretary of HHS via website:
           • Immediately for breaches affecting 500 or more individuals
           • Within 60 days of the end of the calendar year in which the breach occurred for breaches affecting fewer than 500 individuals
         • Conspicuously post notice on the CE’s website or place notice in major print or broadcast media for breaches involving 10 or more individuals for whom there is insufficient contact information

  22. HIPAA Business Associates
     • The BA Relationship
       • BAs are subject to most of the privacy rules, and virtually all of the security rules, directly
       • Subcontractors of BAs are considered BAs
       • An entity is a BA if it meets the regulatory definition, regardless of whether a BAA is in place
       • Final regulations make clear that entities that maintain PHI for CEs (even if they do not access it) are likely BAs – e.g., cloud service providers, records storage companies.

  23. HIPAA Business Associates
     • When are BAs directly liable under HIPAA?
       • Final regulations make clear that BAs are directly liable for:
         • uses and disclosures of PHI not permitted under HIPAA;
         • a failure to provide breach notification to the CE;
         • a failure to provide access to a copy of electronic PHI to the CE, the individual, or the individual’s designee;
         • a failure to disclose PHI to the Secretary of Health and Human Services to investigate or determine the BA’s compliance with the HIPAA privacy and security rules;
         • a failure to provide an accounting of disclosures; and
         • a failure to comply with the HIPAA security rules.
       • But not other portions of the privacy rule, such as the notice requirement

  24. Business Associate Agreements
     • What key issues need to be addressed in our BAAs?
       • OCR provides sample provisions: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html
       • Caution:
         • Address the agency issue to minimize liability for acts/omissions of the BA
         • Give attention to state law protections for personal information, as BAs often also have access to this kind of information. See, e.g., CA, TX, MD, MA, and others
         • Outline the process for investigating/handling security incidents/breaches
         • Consider indemnification provisions

  25. Electronic Monitoring
     • Communications, Location and Actions of Employees and Others:
       • E-mail, text messages, keylogging, telephone, GPS;
       • Call recording/monitoring;
       • Video monitoring;
     • Duty to monitor?
     • Notice requirements – e.g., CT and DE;
     • Expectation of privacy generally.

  26. Social Media Considerations
     • Employee participation in blogs, social networks.
     • Employer-sponsored social media.
     • Clear policies, procedures, and monitoring needed (internal and external).
     • At least 16 states (including New Jersey) regulate requesting passwords or access to social media accounts.

  27. Federal Trade Commission
     • January 15, 2015: Chairman of the FTC, Edith Ramirez, announces consumer privacy is a “top priority”:
       • Protection of personal information;
       • Must take “reasonable” security measures to protect consumer data.
     • Federal Trade Commission Act:
       • Prohibits unfair and deceptive trade practices;
       • Marketing and advertising (website privacy statements/policies);
       • Safeguard consumer data.
     • POTUS: Prosperity and job creation dependent on the “digital economy”:
       • Sharing information to ensure cybersecurity;
       • Legislation for a single, strong national data breach standard;
       • Consumer Privacy Bill of Rights: privacy balanced with innovation;
       • Child and student privacy.

  28. Avoiding and Managing Data Breaches
     Data Privacy in the U.S.:
     • Generally not prescriptive
     • Not one-size-fits-all
     • Important to understand the business
     • Law changes regularly

  29. Data Privacy Law
     • No one federal law in the U.S.
     • Law governed by sector/industry
     • States generally have one or more of the following:
       • Affirmative obligations to safeguard individual private data based on its risk to an individual were it released (e.g., CA, CT, IL (biometric information), MA, MI, TX)
       • Various Social Security number protections
       • Data destruction requirements
       • Data breach notification (47 states plus some cities; KY newest state to adopt)

  30. Key Driver of Laws Continues
     • Law is fluid
     • Identity theft tops 2013 FTC consumer complaint list
       • 14th year in a row
       • Consumers lost $1.6 billion to electronic fraud in 2013
     • Breach not necessarily ID theft
     • Can be a “bet the company” issue
       • Average cost of a data breach to a company is $3 million or more
     • This is bank robbery without the horses and trains
     • One of few laws where the victim becomes the defendant in a lawsuit.

  31. Risk Assessment
     • Risk Assessment – Basic Concepts:
       • Employee versus customer data;
       • Personal data versus business data;
       • Focus is on preventing identity theft, but protections against monitoring and general principles of personal privacy remain and are growing – see “Big Data” and “IoT”;
       • Be mindful that because no generally applicable and comprehensive federal scheme exists, managing state laws can be critical.

  32. Risk Assessment
     • Risk Assessment – What should we be doing?
       • The “how” and “what” of information/data.
       • Strong IT group/support.
       • Assess:
         • Standards for handling credit card or payment data;
         • Safeguards for other customer personal information;
         • Safeguards for employee/relative personal information.
       • Review vendor agreements – what data/information/protections.
       • Assess with a WISP in mind: (i) documented risk assessment, (ii) administrative, physical and technical safeguards/policies, (iii) data breach response plan, (iv) employee training.

  33. What Is a Data Breach?
     • Unauthorized use of, or access to, records or data containing personal information
     • Personal Information (PI) typically includes:
       • First name (or first initial) and last name in combination with:
         • Social Security number
         • Driver’s license or state identification number
         • Account number or credit or debit card number in combination with access or security code
         • Biometric information (e.g., NC, NE, IA, WI)
         • Medical information (e.g., AR, CA, DE, MO, TX, VA)
     • What type of PI do you have?
       • Employees
       • Customers
       • Vendors

  34. How Does a Data Breach Occur?
     • The lost laptop/bag.
     • Inadvertent access.
     • Data inadvertently put in the “garbage.”
     • Theft/intentional acts, hacking, phishing attacks, other intrusions.
     • Inadvertent email attachment(s).
     • Stressed software applications.
     • Rogue employees.
     • Remote access.
     • Wireless networks.
     • Peer-to-peer networks.
     • Vendors.

  35. What is the cost?
     • Notice to consumers
       • Some states require notice only to state residents
       • Balancing test – risk of harm
       • Some states require notice to all
       • Some states have no balancing test, but there are sometimes ways to backdoor one.
     • Regulatory action
     • Remediation
     • Reputational harm

  36. Other Key Costs
     • Private cause of action
       • Some states permit – AK, CA, LA, MD, MN, NH, NC, SC, TN, VA, WA
       • Always regular tort law (intrusion into seclusion, public disclosure of private facts, false light, appropriation of name/likeness).
       • All of the causes of action depend on the ability to show harm.
     • Fines, penalties, settlements:
       • State Attorneys General
       • Vary by state
         • Multipliers: Michigan permits civil fines of not more than $250 per failure (each person), with a maximum of $750,000.
         • Length of notification delay: Florida imposes fines when notification is not provided within the statute’s mandated time frame (45 days). Calculate the fine as $1,000 per day for the first 30 days, and $50,000 for each 30-day period thereafter, with a maximum fine of $500,000.
       • Health and Human Services (HIPAA)
         • Penalties and settlements in the millions of dollars

  37. Risk Assessments
     • Regulators require them of financial, health and other “critical infrastructure” businesses
     • Can create a defense in the event of a breach – think “Ellerth/Farragher”
     • New regulatory actions say the Board of Directors can be liable if it does not intentionally accept or reject residual risk
     • Risk assessments are not pleasant for clients. We often find 100+ failures to meet ISO standards. But, as with a colonoscopy, better to detect the problem when it is treatable than find it when it is too late.
     • Have taught clients how to monetize their risk assessment.

  38. Data Breach Preparedness: “What should we do?”
     • Involve key stakeholders.
     • Understand your organizational risks, including vendors.
     • Educate all employees as appropriate.
     • Identify outside support – forensic investigators, legal counsel, media relations, fulfillment and call center services.
     • Develop a high-level plan, have sample communications ready, conduct “breach drills.”

  39. Handling Data Breaches
     • 3 critical phases:
       • Discovery;
       • Notification and response process (if needed);
       • Review and evaluate to avoid future incidents.
     • *TIME MATTERS.*

  40. Handling Data Breaches
     • Discovery: stop the bleeding…first steps:
       • Dust off your breach response plan — hopefully you have one;
       • Immediately alert data breach response team, counsel, and insurance carrier, if applicable;
       • Take steps to secure information systems;
       • What happened? (is this a breach?);
       • Coordinate with law enforcement, as needed;
       • Identify a key person to monitor and drive team progress;
       • Involve top management, public relations;
       • Make preliminary assessments and consider preliminary actions, notices;
       • Consider implementing a litigation hold.

  41. Handling Data Breaches
     • Notification and response:
       • Who must be notified?
       • What should the notice say / who approves?
         • Some states have content requirements.
       • When and how to deliver notice?
       • Is a credit monitoring service required?
       • Call center/script.
       • Returned mail & substitute notice provisions.
       • Responding to inquiries.
       • Document, document, document.

  42. Handling Data Breaches
     • Review and assess:
       • Why did the breach occur?
       • Amend and implement updated policies and procedures as appropriate, such as training;
       • Document post-breach considerations and remedial steps taken, if any;
       • Document why the breach was not reported (see, e.g., FL, HIPAA).
     • Other Key Features:
       • Private cause of action:
         • Some states permit — AK, CA, LA, MD, MN, NH, NC, SC, TN, VA, WA.
       • Fines, penalties, settlements.
       • Published notices.

  43. Vendor Management
     • Think about:
       • The industry(ies):
         • Healthcare, professional (accounting, law), finance, insurance, retail, government . . .
       • The information the vendor handles:
         • SSN, DL #s, credit card, medical . . .
       • Where services are performed – what laws apply.
       • How critical data security is to reputation.
       • Technology at play.

  44. Vendor Contracts
     • Confidentiality
       • The Vendor shall maintain any Protected Information in confidence to be used solely for purposes of performing the [services] under this Agreement.
     • Compliance with Applicable Law
       • The Vendor shall comply in all respects with all international, federal, state and local privacy and data security laws, regulations and ordinances (“Government Regulations”) relating to the access, creation, maintenance, use, processing, disclosure, retention or destruction of all Protected Information to which such Government Regulations apply.

  45. Vendor Contracts
     • Safeguards
       • The Vendor shall use appropriate safeguards to prevent any access, use or disclosure of Protected Information other than as permitted under this Agreement, which shall include but not be limited to administrative, physical and technical safeguards as necessary and appropriate to protect the confidentiality, integrity and availability of Protected Information.
     • Breach
       • Vendor agrees to immediately report to the Company any “Breach of Protected Information” which refers to any and all incidents of unauthorized access, acquisition, use, modification, disclosure or destruction of Protected Information by Vendor, its employees, agents, subcontractors, or affiliates, that is known to Vendor and whether or not harm is likely to result.

  46. Cyber Insurance
     • It’s the greatest, happiest, best invention of the last 10 years
     • Indemnification and cyber insurance
     • The market
     • What it covers and what it doesn’t cover

  47. Questions?
     Workplace law. In four time zones and 47 major locations coast to coast.

  48. Thank you for your participation in the UBA Employer Webinar Series
     If your question was not answered during the webinar or if you have a follow-up question, you can email the presenters today or tomorrow at: UBAwebinars@jacksonlewis.com
     www.UBAbenefits.com
     www.jacksonlewis.com
     To obtain a recording of this presentation, or to register for future presentations, contact your local UBA Partner Firm.
