1 / 34

Data Breaches - Overview of HIPAA, HITECH and State Law Issues

Data Breaches - Overview of HIPAA, HITECH and State Law Issues. Milada R. Goturi Tonya M. Oliver Thompson Coburn LLP. Today’s Focus:. Overview of Data Breaches HIPAA/HITECH Considerations State Data Security Laws Case Studies & Prevention Strategies. What is a Data Breach ?.

onella
Download Presentation

Data Breaches - Overview of HIPAA, HITECH and State Law Issues

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Data Breaches - Overview of HIPAA, HITECH and State Law Issues Milada R. Goturi Tonya M. Oliver Thompson Coburn LLP

  2. Today’s Focus: • Overview of Data Breaches • HIPAA/HITECH Considerations • State Data Security Laws • Case Studies & Prevention Strategies

  3. What is a Data Breach? • Generally, a data breach is: • unauthorized • acquisition, access, use, or disclosure • of confidential information • Protected Health Information • Other confidential information

  4. Common Data Breaches • Hacking/IT incident • Improper PHI Disposal • Loss of Electronic Device • Theft – Laptop, Hard Disks, Portable Electronic Devices, • Unauthorized Access (e.g., employee improperly accesses data)

  5. Data Breaches • Health Net - Lost data servers (2011) • Massachusetts General – Documents containing PHI of 192 patients left on train (2011) • Mills-Peninsula Medical Center, California– Mailroom employee stole medical records of approximately 1,500 patients (2011) • Beth Israel Deaconess Medical Center, Boston– Computer with virus transmitted data files of over 2,000 patients to an unknown location after computer service vendor failed to restore security setting on a computer (2011)

  6. Statistics: Healthcare Providers • 2010 OCR Data: • 207 reports to OCR of data breaches impacting 500 or more individuals • 5.4 million individuals affected by these large breaches • Over 25,000 reports to OCR of smaller data breaches (that occurred during 2010) • More than 50,000 individuals impacted by these smaller breaches • No provider is too big or too small to experience a data breach

  7. Cost of Data Breach • The average cost of data breach in the healthcare sector = estimated at over $300 per record • In 2010, the average cost was $345 per compromised record, up from an average cost of $301 in 2009 • (Ponemon Institute, “U.S. Cost of a Data Breach,” (2010))

  8. Consequences of a Data Breach • Statutory violations and related fines and penalties (HIPAA/HITECH, state laws, FTCrules) • Reputational harm • Substantial costs in response and defense • Contractual obligations • Government investigation • Private lawsuits

  9. Background: HIPAA • HIPAA requires covered entities (and now their business associates) to comply with privacy and security standards to protect PHI • “Covered entities” = health care providers, health plans and clearinghouses • “PHI” is individually identifiable health information (e.g., medical information, demographic information, billing information) • Privacy standards– Designed to protect individuals’ PHI by mandating covered entities comply with certain requirements related to the use and disclosure of PHI • Security standards– Designed to protect electronic PHI by mandating certain physical, technical and administrative safeguards

  10. Background: HIPAA & HITECH • HIPAA requires covered entities (and business associates) to comply with privacy and security standards to protect PHI • HITECH Act (Health Information Technology for Economic and Clinical Health Act of 2009): • Strengthened and expanded HIPAA • Rationale = Concerns for patient privacy and identity theft • Among other things, established mandatory notification requirements for breaches of unsecured PHI

  11. HITECH Breach Notification: Basic Rules Covered entities must provide notice if: There is a “Breach,” and The Breach involves “Unsecured PHI” Notice must be provided to: Affected patients DHHS Media (in some cases) Business associates must notify covered entities if a “Breach” occurs

  12. Has there been a Breach of Unsecured PHI? • 4 Prong Analysis: • Step 1: Has there been an acquisition, access, use or disclosure of PHI in a manner not permitted under the HIPAA Privacy Regulations • Step 2: Did the incident involve Unsecured PHI • “Unsecured PHI” is: • PHI that has not been secured using an HHS approved method to make PHI unusable, unreadable or indecipherable to unauthorized individuals • Only 2 HHS approved methods to date: • Destruction • Encryption

  13. Has there been a Breach of Unsecured PHI? • Step 3: Did the incident compromise the security or privacy of PHI in a way that creates significant risk of financial, reputational, or other harm to the affected individual? • Nature and type of PHI? • Who used or obtained PHI? • Mitigation? • Other relevant factors? • Step 4: Does the incident falls within an exclusion • Unintentional use of PHI by employee in good faith within the scope of authority • Inadvertent disclosure of PHI among persons authorized to access PHI at covered entity/business associate • Good faith belief that unauthorized person who received PHI would not reasonably have been able to retain PHI

  14. Notification to Affected Individuals • Required for all Breaches of Unsecured PHI • Without unreasonable delay • In no event more than 60 days after discovery of Breach • In writing, by mail or if individual has agreed, by e-mail

  15. Notification to Affected Individuals Must Include: • Description of the Breach • Description of the types of PHI involved in the Breach • Steps affected individuals should take to protect themselves from potential harm • Brief description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches • Contact information for the covered entity • If substitute notice provided via web posting or major print or broadcast media, toll-free number for individuals to contact the covered entity to determine if their PHI was involved

  16. What if there is insufficient or out-of-date contact information for affected individuals? • For 10 or more individuals, substitute individual notice by either posting the notice on the home page of its web site or by providing the notice in major print or broadcast media where the affected individuals likely reside. • For fewer than 10 individuals, covered entity may provide substitute individual notice by an alternative form via written, telephone, or other means.

  17. Notification to HHS: • Submit report electronically via HHS web site • If a breach affects 500 or more individuals = notify the Secretary without unreasonable delay and no later than 60 days following a breach • If breach affects fewer than 500 individuals = notify HHS no later than 60 days after the end of the calendar year in which the breach occurred • Expect an investigation

  18. Notification to Media: • Required only for Breaches affecting more than 500 residents of a state or jurisdiction, covered entity is required to provide notice to prominent media outlets serving that State or jurisdiction (e.g., press release) • Media notification must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach • Must include the same information required for the individual notice

  19. Notification by Business Associates: • Business associates must notify the Covered Entity if a Breach occurs. • Without unreasonable delay and in no event more than 60 days after discovery of Breach • Notification should include: • the identification of each individual affected by the Breach • any information required to be provided by the covered entity in its notification to affected individuals

  20. State Data Security Laws • Personal Information • Electronic (few states cover paper records) • In unencrypted form • Accessed by or improperly disclosed to • An unauthorized person • Data breach = state data security law must be considered

  21. What is Personal Information? • “Personal Information”: • Individual’s name and one of the following: • Social security number • Account Number • State identification/driver’s license number • Credit card number • Definitions vary by state • Includes PHI, employee data, consumer data

  22. Obligations Triggered by Breach • State Data Security Laws Require: • Notice to affected state residents • Notice to Attorney General • Notice to consumer agencies • Requirements vary by state • Challenge = multi-state breach

  23. Which States Have Enacted Data Security Laws? • Enacted by 46 states, including Missouri and Illinois • Only Kentucky, New Mexico, Alabama and South Dakota don’t have these laws • Requirements vary by state

  24. Missouri Data Security Law • R.S.Mo. § 407.1500 • "Breach of security" = unauthorized access to or acquisition of unencrypted computerized personal information that compromises the security, confidentiality or integrity of such information • “Personal information“ = first name and last name in combination with any one of the following: • Social Security number • Driver's license number or other unique identification number • Financial account number, credit card or debit card number in combination with security code or password • Unique electronic identifier or routing code, in combination with security code or password • Medical or health insurance information

  25. Missouri Data Security Law • Requires notice to Missouri residents of a breach of security of personal information • Notice must be made without unreasonable delay • Content of notice is statutorily prescribed • If over 1000 residents involved = must notify Missouri Attorney General and consumer reporting agencies

  26. Missouri Data Security Law • Risk of Harm Test • Notification not required if, after investigation or consultation with law enforcement, it is determined that a risk of identity theft or other fraud to any consumer is not reasonably likely due to the breach • Determination not to notify must be documented and maintained for five years • Willful and knowing violation of law = AG action for damages, up to $150,000 per security breach

  27. Case Studies • Stolen laptop • Unauthorized access by employees • Data files sent to incorrect recipient • Facebook • Faxes sent without permission • Medical records in trash • Garage sale

  28. Prevention Strategies • Maintain solid HIPAA privacy and security compliance program • Establish strong contracts with Business Associates • Minimize unsecured PHI • Follow proper data destruction practices • Educate your staff

  29. HIPAA Privacy and Security Compliance Program • Effective HIPAA privacy and security policies, procedures and training = key to protecting against data breaches • Winter 2011 - OCR to begin HIPAA privacy and security audits (administered by KPMG) of covered entities • Audits will focus on HIPAA privacy and security compliance • Corrective actions/fines may result if noncompliance found

  30. Strong Contracts With Business Associates • Issues to consider: • Time frame for notifying covered entity of breach • Requirements related to investigating breach • Financial responsibility related to breach notification • Cost of notice letters, technical expert and legal costs • Indemnification

  31. Minimize Unsecured PHI/Follow Proper Data Destruction Practices Minimize PHI and other personal information collected and retained Encryption To avoid being “Unsecured PHI,” PHI must be encrypted using process tested by the National Institute of Standards and Technology Destruction Paper, film or other hard copy media Must be shredded so PHI can’t be read or reconstructed Redaction is not enough!

  32. Educate Your Staff • Educate staff about data security and data breach obligations • Periodic refresher training • Establish and monitor access control • Penalties for improper access to PHI/other confidential data • Assign responsibility in the event of a breach

  33. Practical Lessons • If an incident happens, take prompt action • Determine if a breach occurred • Technical expert analysis may be required • Take prompt mitigation steps • Provide required notices • Timing of notices is essential • Cooperate with any governmental investigation • Cignet Health $4.3M penalty - $3M due to failure to cooperate with authorities

  34. Questions/Comments • If you have any questions, please contact: • Milada R. Goturi • mgoturi@thompsoncoburn.com • P: 314.552.6057F: 314.552.7057 • M: 314.602.6057 • Tonya M. Oliver • toliver@thompsoncoburn.com • P: 314.552.6119F: 314.552.7119 • M: 314.602.6119

More Related