RISK TRACK. Privacy and Data Protection

Transcription

1 RISK TRACK Privacy and Data Protection Presenters Marti Arvin Chief Compliance Officer UCLA Health Sciences Phone: Marti Arvin is the Chief Compliance Officer for UCLA Health Sciences. Previously, Marti served as the privacy officer for the University of Louisville for five years with oversight of privacy at the university level. She is an attorney with extensive experience in compliance and privacy. Prior to her position with the University of Louisville, Ms. Arvin was the Privacy and Compliance Officer for the University of Pittsburgh Physicians. Before that she held the same position at Indiana University School of Medicine. Ms. Arvin is an attorney. Before establishing herself in compliance and privacy, she practiced law with the Indiana Attorney General s Office handling federal civil rights and employment law cases. She has written and lectured extensively on compliance and privacy issues. She is on the Board of Directors for the Health Care Compliance Association, a member of the Compliance Certification Board, and chair of the Health Care Compliance Association s Compliance Focus Group on Privacy. She is a faculty member of the HCCA Basic, Advanced and Research Compliance Academies. She is on the faculty of the Society for Corporate Compliance and Ethics Compliance Academy. She is the recipient of the 2007 Health Care Compliance Association s Third Annual Compliance Professional s Compliance and Ethics Award. 2 1

2 Presenters George B. Breen Shareholder EpsteinBeckerGreen th Street, NW Washington, DC Phone: George B. Breen is a Shareholder of Epstein Becker & Green, P.C. and a member of its Health Care and Life Sciences and Litigation practices. A litigator for over 20 years, Mr. Breen is co-chair of the firm s Litigation and Government Investigations practice group. Mr. Breen routinely represents clients in connection with matters brought by the U.S. Department of Justice, the Department of Health and Human Services Office of the Inspector General, State Attorneys General and other state and federal agencies. He also counsels clients on, and litigates, privacy, security and data breach matters. Mr. Breen speaks and writes frequently on issues related to trial practice and privacy and security issues. He is Peer Review Rated "AV" by the Martindale-Hubbell Law Directory and earlier this year, he was named an "Outstanding Healthcare Litigator" by Nightingale's Healthcare News in its January 2010 Special Report. 3 AGENDA Overview, background and what the future might hold Best practices in risk program development Managing privacy and data risks 4 2

3 Overview and Background Evolution over the past 10 years National Landscape Global Landscape Pending federal legislation Recent case law 5 STATE REPORTING REQUIREMENTS 6 3

4 Since 2003 California 1 st state to create data breach law in 2003 ChoicePoint breach draws country s attention In less than 5 years, 44 additional states adopt breach laws. Currently only Alabama, Kentucky, Mississippi, New Mexico, and South Dakota do not have statutes specifically addressing data security incidents. 7 State Law Basics Notification requirement based on residence of affected consumers/patients, not the company. States differ on requiring notice if based solely on acquisition of data or if harm from acquisition is reasonably likely. A limited number of states specifically protect medical Information; expected to grow. Many states require pre-breach preventative procedures. 8 4

5 Available at Red Acquisition Based Black Risk Based Green -- None State Security Breach Notification Regulations 9 State Law Differences Many states have similar laws, however key differences can significantly impact response strategies. Reporting to AG, civil penalties, private rights of action. Personal Information - the definition of personal information protected by statute can vary significantly. How and when must you report 10 5

6 Federal Computer Security Laws Health Information Technology for Economic and Clinical Health (HITECH) Act passed as part of American Recovery and Reinvestment Act of 2009 on February 17. Breach Reporting (HIPAA and PHRs); Standards for protection of PHI; Modifications to HIPAA Gramm- Leach-Bliley Act (P.L , 15 USC Chpt. 94, 6801 et seq.) Counterfeit Access Device and Computer Fraud and Abuse Act of 1984 (P.L , Title II, 2102(a), 18 USC 1030, as amended) Health Insurance Portability and Accountability Act of 1996, (P.L , Title II, Subtitle F, Sec. 262, 42 USC 1320d et seq.) Sarbanes- Oxley Act of 2002 (P.L , 404) 11 HITECH Act Extends the reach of the HIPAA Privacy and Security Rules to business associates (BAs) Responds to concerns that a wide variety of organizations maintain and transmit PHI, but are not regulated by HIPAA Limits certain uses and disclosures of PHI Increases individuals' rights with respect to PHI maintained in EHRs Increases enforcement of, and penalties for, HIPAA violations Imposes breach notification requirements on covered entities (CEs) and BAs 12 6

7 Examples of Early Enforcement Efforts: Providence Health & Services On July 16, 2008, Providence entered into a resolution agreement with OCR whereby it agreed to pay $100,000 and implement a detailed Corrective Action Plan (CAP) to settle complaint stemming from its loss of unencrypted backup media and laptops in 2005 and 2006 The CAP requires: Revising policies and procedures regarding physical and technical safeguards (e.g., encryption) governing off-site transport and storage of electronic media containing patient information, subject to HHS approval; Training workforce members on the safeguards; Conducting audits and site visits of facilities; and Submitting compliance reports to HHS for a period of three years. * Pre-ARRA penalty caps kept settlement low, starting place for OCR negotiations will be higher in future 13 Examples of Early Enforcement Efforts: CVS Pharmacy January 16, 2009, CVS accepted $2,250,000 penalty and Corrective Action Plan (CAP) to settle complaint stemming from its practice of disposing of old prescriptions and prescription bottles The CAP requires: Revising and distributing its policies and procedures regarding disposal of protected health information; Sanctioning workers that do not follow the policies and procedures; Training workforce members on these new requirements; Conducting internal monitoring; Engaging a qualified, independent third-party assessor to conduct assessments of CVS compliance with the requirements of the CAP and render reports to HHS; New internal reporting procedures requiring workers to report all violations of these new privacy policies and procedures; and Submitting compliance reports to HHS for a period of three years. Subsequently, OCR issued PHI Disposal FAQs 14 7

8 Current Enforcement Efforts: Rite-Aid Pharmacy July 27, 2010, Rite-Aid agreed to pay $1,000,000 to HHS and enter into a Corrective Action Plan (CAP) to settle a complaint stemming from its practice of disposing of prescriptions and labeled pill bottles. In a coordinated action, Rite Aid also signed a consent order with the Federal Trade Commission (FTC) to settle potential violations of the FTC Act The CAP requires: Revising and distributing its policies and procedures regarding disposal of protected health information and sanctioning workers who do not follow them; Training workforce members on these new requirements; Conducting internal monitoring; Engaging a qualified, independent third-party assessor to conduct assessments of Rite- Aid s compliance with the requirements of the CAP and render reports to HHS; Rite Aid has also agreed to external, independent assessments of its pharmacy stores compliance with the FTC consent order. The HHS corrective action plan will be in place for three years; the FTC order will be in place for 20 years. 15 New Enforcement Authority under HITECH State Attorneys General Under new section to HIPAA - 42 USC 1320d-5(d)): State Attorneys General can bring civil actions in federal court on behalf of state residents threatened or adversely affected by a violation of the HIPAA Privacy or Security Rules. Available remedies and sanctions: injunctive relief; statutory damages of $100 per violation, not to exceed $25,000; and attorneys fees and costs. State Attorneys General are required to serve prior written notice on the Secretary of HHS, where feasible, in which case HHS can intervene in the action. If HHS brings prior action, it preempts an identical state action to enforce HIPAA. However, State Attorneys General remain able to bring actions under their own state laws that are not in conflict with HIPAA. 16 8

9 Post-HITECH: First Reported State Enforcement - CT v. Health Net Complaint Allegations: May Health Net learns of lost portable disc drive with financial and PHI information of approx. 446,000 current and former CT enrollees. November 2009 Health Net notifies CT enrollees. January CT AG files suit: 3 Causes of Action Pled: 1. Failure to comply with HIPAA. 2. Violation of CT Unfair Trade Practices Act. 3. Civil Penalties for Willful Violation of CT Unfair Trade Practices Act. Relief Sought: Injunctive relief under HIPAA and CT State law; Statutory damages for HIPAA violations, including costs and attorneys fees under HITECH; State CMPs (up to $5,000 per willful violation) and attorneys fees and costs under CT State law. 17 CT v. Health Net Stipulated Judgment Parties agree to entry of Stipulated Judgment on July 7, 2010 Judgment provides for: Guaranteed Payment of $250, to the State of Connecticut, with a contingent obligation to pay $500, if certain events occur Institution of a Corrective Action Plan which requires HealthNet to: encrypt all laptops and desktops train employees on encryption, storage and removable media annual employee training provide 2 years of Identity Theft Protection for affected members at HealthNet's expense If any member experiences identity theft, to provide services to restore the member's identity at no cost to member Stipulated Judgment reflects that HealthNet had incurred $7 million in costs in connection with the data breach 18 9

10 Other Enforcers Efforts Kaiser Permanente Northern California - January 2010 Medical records for about 15,500 N. California patients were compromised An external hard drive was stolen from an employee's car Employee was authorized to use medical records data, but should not have used an external drive AG has begun an investigation and will likely fine Kaiser for the breach Potential costs and fines are estimated at around $2 million Blue Cross/Blue Shield Tennessee - October hard drives were stolen from a training facility The hard drives contained audio and video files with identifying information for nearly 1M members The plan is notifying members about the data theft and is offering no-cost credit monitoring to individuals The plan has hired 700+ contractors and employees to help determine what data was contained on the hard drives Costs already more than $7M, and the plan will incur more as identity protection services are offered The plan notified AGs in 32 states about the breach 19 Proposed Modifications to HIPAA under the HITECH Act New regulations proposed by DHHS on 7/8/10. Highlights: Business Associates Have Direct Liability The standards, requirements, and implementation specifications of some of the HIPAA Rules now directly apply to business associates. Business associates can be held civilly and criminally liable for penalties for violations of those requirements. Subcontractors are Deemed Business Associates Subcontractors of a covered entity s business associates are also considered business associates to the extent that they require access to PHI. Existing Business Associate Agreements Must be Updated - New Provisions Business Associate must report breaches of unsecured PHI to the covered entity Business Associate will be compliant with the applicable provisions of the Security Rule Business Associate will enter into business associate agreements with its subcontractors Note: Covered Entity still directly liable for certain violations of HIPAA even if the violation is the fault of the business associate. Additions to Notice of Privacy Practices and Ability to Request Restriction of Use of PHI Effective Date - January 7,

11 What Does the Future Hold: Previous Legislative Efforts July 2009: "The Personal Data Privacy and Security Act" Would set notification requirements and tighter criminal penalties for identity theft and willful concealment of a breach Would require businesses to implement preventive security standards to guard against threats to their databases January 2009: "The Data Breach Notification Act" Would authorize the attorney general to bring civil actions against firms that failed to notify people whose personal information had been compromised Would extend notification requirements to government agencies 21 What Does the Future Hold: Pending Legislation: On July 14, 2010 the "2010 Data Security Act" was introduced in Congress. The bill would apply to: 1. all businesses regulated by Gramm-Leach-Bliley 2. businesses covered by the Fair Credit Reporting Act 3. businesses that maintain or communicate sensitive account or personal information in providing services to covered financial entities The bill would pre-empt the 46 different state laws on data security The bill would only require notification to consumers of breaches of security when harm was reasonably likely -- not automatically after any breach 22 11

12 International Laws Canada Canada s Personal Information Protection and Electronic Documents Act Europe European Union Data Protection Directive (Directive 95/46/EC, enacted in 1995) Charter of Fundamental Rights of the European Union ( respect for private and family life and right to protection of personal data ) Asia Pacific Region Japanese Act on the Protection of Personal Information APEC Privacy Framework 23 US versus International The United States approaches privacy on a sectored basis, while other countries address it more comprehensively European Union adopted a Data Protection Directive in 1995 (Directive 95/46/EC of 24 October 1995) that provides broad powers to individuals to protect personally identifiable information EU s Charter of Fundamental Rights recognizes respect for private and family life and a right to protection of personal data as fundamental Discord between the United States sectored approach and that of other countries leads to business challenges 24 12

13 Canada Canada s Personal Information Protection and Electronic Documents Act includes privacy principles; provincial laws in Canada supplement that federal statute 25 Europe EU s Directive 95/46/EC on data protection requires legitimacy, data quality, proportionality, notice to persons whose data are collected, rights of information, access and rectification 26 13

14 Asia Pacific Region Japan s Personal Information Protection Act requires measures necessary and appropriate for preventing the unauthorized disclosure, loss or destruction of handled Personal Data Asia-Pacific Economic Cooperation countries developed APEC Privacy Framework 27 APEC Privacy Principles Preventing harm protection designed to prevent misuse of personal information Notice privacy statements Collection limitation collect only what s relevant to purpose of collection Use of information only for purposes of collection and related purposes as a rule Choice individuals should have clear choice regarding collection, use and disclosure of their information Integrity of information accurate, complete Security safeguards protect against risks Access and correction empower individuals Accountability personal information controller 28 14

15 Some global considerations Outsourcing Even of you don t have global operations do you outsource to another country? Sharing information You might not be able to share the same information globally that you can share nationally 29 Best Practices for Risk Program Development Be prepared Establish a process Know the right questions to ask for your organization and industry 30 15

16 Generic risk assessment questions for your consideration What data do you collect and maintain on? Customers Employees Others What format is the data in? Electronic Paper 31 Generic risk assessment questions for your consideration What laws and regulations apply to the collection and storage of data? State Federal International What laws and regulations govern the compromise of the data? State Federal International 32 16

17 Generic risk assessment questions for your consideration How is data electronic data stored? Behind a firewall encrypted Where is the data stored? Physically Electronically Geographically 33 Generic risk assessment questions for your consideration Do you require unique user names and passwords for systems containing restricted information? What are the means by which restricted information is accessed? Within your secure system Via the web Via VPN 34 17

18 Generic risk assessment questions for your consideration Who in your organization has access to the data? How is the level of access controlled? Physically electronically Who external to your organization has access to the data? Clients Vendors 35 Generic risk assessment questions for your consideration What policies and procedures exist regarding privacy and information security? What training and education is in place for workforce members? What background checks are done on personnel with key position related to privacy and information security? 36 18

19 Generic risk assessment questions for your consideration What areas have the external regulatory bodies been focusing on for your industry segment? Recent cases Recent regulatory actions 37 Risk Management Specifically Breach Handling Be prepared Do your legal research Establish a process Identify potential external resources early 38 19

20 Be Prepared Establish a process to identify who should be notified when a potential breach occurs Work with you internal bulk mailing to understand the process if they need to become involved. Know your legal obligations 39 Legal Obligations What laws apply? Are they based on industry or type of organization? What data elements must be involved? What timeframe are you dealing with? Does more than on law potentially apply? State Federal International 40 20

21 Pre-planning You might considered establishing a database that allows you to track the types of potential breaches you had and whether you were required to notify Particularly helpful if you are required to report breaches to regulators at set intervals 41 Pre-planning You should also consider whether you want have a retainer contract with a company that helps handle breaches. Many of them will allow a contract without payment unless services are used or nominal payment in retainer for possible future use 42 21

22 Pre-planning Think about the use of legal counsel Do you have internal expertise Do you want to do some due diligence before a breach occurs 43 Some Thoughts on Litigation Planning and Compliance Considerations 1. Be proactive; have a plan in place before a breach occurs. 2. Preparation for a data breach ought to be part of your compliance program. 3. Have an incident response team in place -- integrate legal and IT expertise -- what should your internal investigation should capture 4. Establish guidelines for communicating with outside parties; draft an incident response notice in advance. 5. Assume at the outset that there will be a lawsuit, or some form of government investigation, and act accordingly. 6. Create documents with the expectation that they will become exhibits in a lawsuit or enforcement action against you. 7. Do not assume that notification within the time period set out in the statute or regulation is sufficient. 8. Remember, you are preparing your defense as you respond to the breach

23 QUESTIONS 45 Contact Information GEORGE B. BREEN MARTI ARVIN

24 APPENDIX The following slides are for your information only and will not be discussed in the presentation. 47 HITECH: Breach In the event of a breach of unsecured PHI, a Covered Entity must notify each individual whose unsecured PHI has been, or is reasonably believed to have been, breached. A breach is defined as the acquisition, access, use, or disclosure of PHI in a manner that violates the Privacy Rule or Security Rule and which compromises the security or privacy of the [PHI]. Unsecured PHI is PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary

25 HITECH: Reporting Standard Statute: unauthorized acquisition, use or disclosure which compromises the security, privacy or integrity (of PHI) Exceptions where inadvertent disclosure to or by workforce, BA or organized health care arrangement participant Regulation: does the breach compromise the security or privacy of the PHI and pose a significant risk of financial, reputational, or other harm to the individual 49 HITECH: Risk of Harm Standard The risk of harm standard requires that a Covered Entity undertake some form of risk assessment in the event of a breach, and based upon the assessment, determine in good faith whether it is necessary to notify the individual of the breach. The preamble to the Breach Notification Rules specifically references a 2007 Memorandum (M-07-16) issued by the Office of Management and Budget for examples of the types of factors that may need to be taken into account in determining whether an impermissible use or disclosure presents a significant risk of harm to the individual

26 HITECH: Notice Requirements Notice must be made to the affected individuals without unreasonable delay and in no case later than 60 calendar days after discovery of a breach. A breach is considered to be discovered by the entity as of the first day on which the breach is known to the entity, or should have been known to the entity if it had exercised reasonable due diligence. 51 Notice Requirements (cont ) The notice must: If the breach of unsecured PHI involves more than 500 residents of a state, the Covered Entity must notify media outlets within that state. The Covered Entity must also notify the Secretary of any breach involving 500 or more people. If the breach occurs at or through a Business Associate, the Business Associate must notify the Covered Entity of the breach within 60 days of discovering the breach so that the Covered Entity is able to comply with its breach reporting obligations

27 HITECTH: Civil Penalties Penalties for violations are tiered (1) Did Not Know...$100 $50,000 per violation Calendar year total for violation of identical provision $1,500,000 (2) Reasonable Cause...$1,000 $50,000 per violation Calendar year total for violation of identical provision $1,500,000 (3) Willful Neglect Corrected...$10,000 $50,000 per violation Calendar year total for violation of identical provision $1,500,000 (4) Willful Neglect Not Corrected $50,000 $1,500,000 (same calendar year total as above) 53 HITECH: Criminal Penalties HIPAA criminal penalties extended beyond CEs to: BAs BA (and CE) employees and agents Unauthorized individuals who obtain or disclose PHI maintained by CE (or BA) 54 27

28 HITECH: Criminal Penalties $50,000 and/or 1 year imprisonment For knowing violation $100,000 and/or 5 years imprisonment For violation committed under false pretenses $250,000 and/or 10 years imprisonment For violation committed with intent to sell, transfer or use PHI for commercial advantage, personal gain, or malicious harm 55 28