Containing the Outbreak: HIPAA Implications of a Data Breach. Jason S. Rimes. Orlando, Florida

Transcription

1 Containing the Outbreak: HIPAA Implications of a Data Breach Orlando, Florida Jason S. Rimes 2013 Lowndes, Drosdick, Doster, Kantor & Reed, P.A. All Rights Reserved

2 Protected Health Information Defined as individually identifiable health information that is transmitted by electronic media, maintained in electronic media or transmitted or maintained in any other form or medium

3 Unsecured Protected Health Information Defined as protected health information that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary of HHS

4 What Constitutes a Breach of Unsecured PHI? Previous Standard (2009 Interim Omnibus Rule): Acquisition, access, use or disclosure of protected health information in a manner not permitted under the privacy rule which compromises the security or privacy of the protected health information Italicized portion defined to mean that the acquisition, access use or disclosure poses a significant risk of financial, reputational or other harm to the individual

5 What Constitutes a Breach of Unsecured PHI? New Standard (2013 Final Omnibus Rule): Any acquisition, access, use or disclosure of protected health information in a manner not permitted under the privacy rule is presumed to be a breach, unless the covered entity can demonstrate that there is a low probability that the protected health information has been compromised based on a four-factor risk assessment

6 Risk Assessment: Factor Number 1 The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification º Sensitive health information º Information of interest to financial/identity thieves º Ability to link identity to information

7 Risk Assessment: Factor Number 2 The unauthorized person who used the protected health information or to whom disclosure was made º Is the recipient subject to HIPAA or confidentiality requirements? º Theft vs. inadvertent disclosure to an innocent party

8 Risk Assessment: Factor Number 3 Whether the protected health information was actually acquired or viewed º Can your IT department determine whether the PHI was accessed?

9 Risk Assessment: Factor Number 4 The extent to which the risk to the protected health information has been mitigated º Collect any retrievable information º Enter into confidentiality agreements with recipients

10 Parties to Notify in the Event of a Breach Each individual whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, used or disclosed as a result of such breach The Secretary of Health and Human Services; and Prominent media outlets of a State or jurisdiction in the event of breach involving more than 500 residents of such State or jurisdiction.

11 Notification Requirements Must be given without unreasonable delay, but in no event later than 60 days after discovery Must be in plain language Notice must include: º Description of the breach, including dates of breach and discovery º Description of the types of information involved º Steps individuals should take to protect themselves from harm º Description of steps being taken to mitigate harm and prevent future breaches º Contact procedures, including a toll-free number, address, web site or postal address

12 Prevention: The Legacy (Data) We Leave Behind Orlando, Florida Courtney M. Dunn Registered Patent Attorney, Senior Associate 2011 Lowndes, Drosdick, Doster, Kantor & Reed, P.A. All Rights Reserved

13 The Problem Disposing of electronic equipment without destroying the data on the equipment.

14 Recent Case Affinity Health Plan Affinity returned a number of photocopiers to its leasing company CBS purchased one of the copiers at a wholesale warehouse CBS found medical records on the copier s hard drive CBS notified Affinity (March 17, 2013) Affinity filed a breach report with the U.S. Dept. of Health and Human Services An estimated 344,579 may have had personal and medical data compromised Affinity sent breach notice to all those potentially affected (April 5, 2103) CBS returned the copier s hard drive to Affinity (April 8, 2013)

15 Recent Case Affinity Health Plan Affinity reaches a resolution with the U.S. Dept. of Health and Human Services (August 7, 2013) º Fine - $1,215,780 º Within 5 days - use best efforts to retrieve all copier hard drives that remain in their leasing company s possession. º Within 30 days - Conduct comprehensive risk analysis of all electronic equipment owned, controlled, or leased; develop plan to address and mitigate risk

16 Data Privacy Laws Duty to protect personal information of an individual

17 Data Privacy Laws Whose information must a company protect? Employees Clients Customers Job Applicants Consultants Independent Contractors Anyone whose personal data is acquires

18 Data Privacy Laws What types of information must a company protect? Medical (HIPAA) Genetic (GINA) Consumer Credit (FACTA) Personally identifiable Information

19 Legal Implications Civil Liability º e.g. HIPAA $100 to $50,000+ per violation annual cap $1.5M º e.g. FACTA Employees identities stolen due to knowing violations statutory minimum - up to $1,000 plus punitive damages and attorney fees plus Actions brought by FTC - up to $2,500 per employee Additional amounts for state actions Criminial Liability º For egregious acts or acts committed knowingly º e.g. HIPAA Knowingly obtain or disclose identifiable health information - $50,000 and up to 1 year imprisonment Involves false pretenses - $100,000 and up to 5 years imprisonment Intent to sell, transfer, or use for commercial advantage, personal gain, or malicious harm - $250,000 and up to 10 years imprisonment

20 What should you do? Remove all data Keep logs of activity done to remove data Set security policy for disposal of electronic equipment and data removal

21 What should you do? (Copiers) FTC Brochure Copier Data Security v/documents/bus43- copier-data-security

22 What should you do? (Copiers) Include copier-specific policies in your organization s security policies Have IT staff manage copiers When you lease or buy, make sure security features are available: º Ability to encrypt or reformat data stored on hard drive Deleting or overwriting is not enough º Ability to password protect hard drive º Ability to retain ownership of all hard drives º Have leasing company agree to overwrite hard drive

23 What should you do? (Copiers) For all in-service copiers º Overwrite entire hard drive at least once per month º Ensure networked copiers are secure from outside attack At end of service/end of life º Have the hard drive removed and returned by the leasing company s technicians º Overwrite the hard drive (or have the leasing company s technicians do so) º For a leased machine, do not attempt to remove a hard drive yourself as it can render the machine inoperable.