HIPAA Breach Notification: Case Studies on What to Do and When to Report

AHLA Physicians and Physician Organizations and Hospitals and Health Systems Law Institute
February 9 and 10, 2012

Colleen M. McClorey, Associate General Counsel, University of Michigan, Health System Legal Office
Elizabeth Callahan-Morris, Shareholder, Hall Render

HIPAA Breach Notification Rule

- OCR Interim Final Rule published Aug 24, 2009, effective Sept 23, 2009
- Covered Entities (CEs) are required to notify individuals and HHS of breaches of unsecured protected health information (PHI).
- Business Associates (BAs) causing such breaches are required to notify the CE of such breaches.
- Sanctions for failure to notify began Feb 22, 2010
- Final Rule pending
Recent Breach Enforcement Actions

- Health system: $865,500 settlement for employees snooping into celebrity patients' EMRs (July 2011)
- Hospital and affiliated physician organization: $1M settlement for failure to safeguard when an employee left PHI containing SSNs and HIV/AIDS information on a subway train (Feb 2011)
- Pharmacy chain: $1M OCR settlement for improper disposal of PHI (July 2010)
- Health plan: $250,000 State of CT settlement for a lost/stolen hard drive and notification delay; 1st state AG enforcement case (July 2010)
- Multiple criminal prosecutions against individuals for HIPAA violations
Required Breach Notifications

Breach notification is required when there is an acquisition, access, use, or disclosure of PHI not permitted by the HIPAA Privacy Rule, the PHI is unsecured, no exception applies, and it poses a significant risk of financial, reputational, or other harm.

Step 1: Violation?

Determine if the acquisition, access, use, or disclosure of PHI was in violation of the HIPAA Privacy Rule.
Step 2: Unsecured PHI?

Determine if the PHI was "unsecured." Unsecured PHI is PHI not secured through use of a technology or methodology that renders PHI unusable, unreadable, or indecipherable to unauthorized individuals, per HHS guidance.

HHS guidance: PHI encrypted or destroyed per NIST standards is considered secured and is not subject to the breach notification rule.

Step 3: Exception?

Determine if an exception applies:
- Unintentional acquisition, access, or use of PHI by a workforce member or other person under the authority of a CE or BA, if in good faith, within the scope of authority, and the PHI is not further used or disclosed.
- Inadvertent disclosure of PHI by a person authorized to access PHI to another such person at the same CE, BA, or OHCA, and the PHI is not further used or disclosed.
- Disclosure of PHI to a person not reasonably able to retain such information.
Step 4: Compromises the Security or Privacy?

Determine if the breach "compromises the security or privacy" of PHI, i.e., whether it "poses a significant risk of financial, reputational, or other harm to the individual," per a risk assessment.

Note: If the PHI contained no identifiers (none of the 16 direct identifiers per the limited data set rule, plus no dates of birth or zip codes), then it automatically does not "compromise the security or privacy" of PHI.

Risk Assessment Factors

The risk assessment should consider:
- Who impermissibly used the PHI, or to whom was the PHI impermissibly disclosed?
- What immediate steps were taken to mitigate the impermissible use or disclosure?
- Whether the PHI was returned before it was accessed for improper use.
- Type and amount of PHI
- Sensitivity of the information contained in the PHI
Breach Notification Rule Preamble on Risk Assessments

For example, if a CE improperly discloses PHI that merely included the name of an individual and the fact that he received services from a hospital, then this would constitute a violation of the Privacy Rule, but it may not constitute a significant risk of financial or reputational harm to the individual. In contrast, if the information indicates the type of services that the individual received (such as oncology services), that the individual received services from a specialized facility (such as a substance abuse treatment program), or if the PHI includes information that increases the risk of identity theft (such as a social security number, account number, or mother's maiden name), then there is a higher likelihood that the impermissible use or disclosure compromised the security and privacy of the information.

OMB Memorandum M-07-16

Substantial harm, embarrassment, inconvenience, or unfairness to any individual on whom information is maintained. The effect of a breach of confidentiality or fiduciary responsibility, the potential for blackmail, the disclosure of private facts, mental pain and emotional distress, the disclosure of address information for victims of abuse, the potential for secondary uses of the information which could result in fear or uncertainty, or the unwarranted exposure leading to humiliation or loss of self-esteem.
Next Steps

- Devise a plan
- Appoint a project manager
- Determine applicable state and federal law requirements
- Submit notice of claim to insurance company
- Engage outside resources as needed for call center, breach notification mailings, and credit monitoring services
- Prepare breach notification letters in English and other languages as needed
- Prepare press release
- Update website
- Submit breach report to state and federal agencies
- Create or review call center scripts
- Train internal staff and external call center staff as needed
Case Studies

- Social media postings
- Lost thumb drives
- Patient criminal background checks
- Newborn adoption solicitations
- Misdirected faxes and letters
- Business associate breaches

OCR Breach Report

OCR breach report summaries: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html
Comments and Questions

Colleen M. McClorey, University of Michigan, cmcclore@med.umich.edu
Elizabeth Callahan-Morris, Hall Render, ecallahan@hallrender.com, 248.457.7854