Medical Data Security Beyond HIPAA: Practical Solutions for Red Flags and Security Breaches. April 3, 2009


Medical Data Security Beyond HIPAA: Practical Solutions for Red Flags and Security Breaches
April 3, 2009
Jon A. Neiditz, Cynthia B. Hutto, Ross E. Sallade, Eli A. Poliakoff
Nelson Mullins Healthcare Information Management Initiative

Why are We Here? Big Changes in Healthcare Information Security
Healthcare providers are encountering:
- "Red Flags" requirements
- Security breach notification laws (all around the country), now in the Carolinas
- New and difficult breach notification provisions specific to healthcare in the National Stimulus Package (ARRA); for example, Business Associates are now covered by the HIPAA Security Rule rather than just contractual provisions
- PCI DSS and other private standards

Red Flags Rule Background
- FACTA (2003) modified the Fair Credit Reporting Act
- FCRA primarily addresses background checks, patient credit checks and financial underwriting
- Many provisions designed to address identity theft
- Red Flags Regulations: Proposed Rule (2006) by FTC, FDIC, Treasury, Federal Reserve, NCUA; Final Rule (2007)

Red Flags Rule Background (Cont'd)
- Compliance deadline (November 2008)
- FTC compliance deadline for the "Red Flags" component delayed to May 1, 2009
- FTC: healthcare providers, including institutions, practices, non-profits and governmental entities, are not exempt ("Hospital" sign in FTC's Red Flags Guide)
- Address Discrepancy Rules: compliance deadline not delayed

Red Flags and Medical Identity Theft
Unique concerns and threats:
- Patient safety
- Patient financial considerations
- Patient insurance ramifications
- Provider liability considerations
- HIPAA's limitations

Red Flags Rule Components
- Identity Theft ("Red Flags Rule")
- Card Issuer Duties (N/A for most of this audience)
- Address Discrepancy Rule

Identity Theft "Red Flags Rule"
- A "Red Flag" is a pattern, practice or specific activity that indicates the possible existence of identity theft
- Applies to a creditor that offers or maintains covered accounts
- Creditor: regularly extends, renews, or continues credit, or regularly arranges for extension of credit
- Credit = right granted to defer payment

Identity Theft "Red Flags Rule": "Covered Accounts"
- Account offered or maintained primarily for personal, family or household purposes that involves or is designed to permit multiple payments or transactions, OR
- Account offered or maintained for which there is a reasonably foreseeable risk of identity theft to customers, or to the safety and soundness of your entity
- Account = continuing relationship to obtain a product or service for personal, family, household or business purposes
- Evaluate risk to you and your customer

Red Flags Rule Requirements
Written Identity Theft Prevention Program
Substantive requirements: "reasonable policies and procedures" to:
- Identify relevant Red Flags and incorporate them into the Program
- Detect Red Flags that have been incorporated into the Program
- Respond to detected Red Flags to prevent and mitigate identity theft
- Ensure the Program is periodically updated
- Program tailored to the risks faced by the organization

Red Flags Rule Requirements (cont'd)
Administrative requirements:
- Board approval
- Involve the Board or senior management in development and implementation
- Train staff to implement the Program
- Appropriate oversight
- Consider and incorporate, as appropriate, the Guidelines provided in Appendix A and Supplement A to the FTC Rules

Red Flags Rule Penalties for Noncompliance
- Patient objections
- FTC enforcement actions/civil penalties
- Possible state tort claims

Practical Tips and Lessons Learned
- Incorporate into existing HIPAA/IT Security Program
- Identify Red Flags "areas" in the healthcare environment: generally areas of significant authentication risk, such as patient intake, identification confirmation, medical and billing records, and collections
- Verify identity of persons opening accounts consistent with EMTALA

Practical Tips and Lessons Learned (cont'd)
- Isolated accounts or relationships
- Oversee service provider arrangements
- Appropriate risk management
- Identify appropriate responses to Red Flags: from records correction to police notification
- Educate staff and administration

Red Flags Program in Practice
1. Have your HIPAA Security and Privacy officials identify relevant patterns, practices, and specific forms of activity that should be treated as Identity Theft Red Flags in your operation.
2. Develop and adopt policies and procedures to detect Red Flags in areas such as patient intake, medical records and collections, as well as general policies concerning patient identification, verifying the validity of address change requests, etc.
3. Develop and adopt policies and procedures for incident response, such as monitoring patient medical and financial records for evidence of identity theft, contacting the patient, calling law enforcement, changing passwords, etc.

Red Flags Program in Practice (cont'd)
4. Have the Board or a committee of the Board adopt the program.
5. Make sure identity theft risks involving your vendors are addressed (including by assuring that they have their own Red Flags initiatives).
6. Update the program periodically based on lessons learned.
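Steps 1 through 3 above (identify the patterns, detect them at intake, and route each detection to a response) are the part of the program that can be mechanised. The following is an added example, not code from the presentation, the FTC rule or any Nelson Mullins client system. It runs three constructed detection rules over a constructed patient intake log: one SSN presented under different identities (an identification-confirmation flag), an intake address that disagrees with the address on file (the address-discrepancy idea from the slides), and an address change followed within a short window by a records request (the "validity of address change requests" point). The field names, the event vocabulary, the response table and the fictitious people with never-issued 000-xx-xxxx SSNs are all assumptions made for the example.

```python
"""Red-flag detection over patient intake events.

Constructed illustration: the three rules, the field names, the response
table and the sample events are assumptions made for this example; none of
them comes from the presentation, from the FTC Red Flags Rule text or from
any real intake system.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional
import re


@dataclass(frozen=True)
class IntakeEvent:
    patient_id: str
    name: str
    dob: date
    ssn: str                  # sample data uses never-issued 000-xx-xxxx values
    address: str              # address the patient gives at this event
    event: str                # "register", "address_change" or "records_request" (assumed vocabulary)
    when: date
    address_on_file: Optional[str] = None  # address held by billing / consumer report, if any


@dataclass(frozen=True)
class Finding:
    patient_id: str
    flag: str
    detail: str
    response: str


# Assumed response playbook: the mild end of the slides' range "from records
# correction to police notification" (verify, hold, review by a human).
RESPONSES = {
    "shared_ssn": "hold the account, confirm identity in person, review both charts for merged records",
    "address_discrepancy": "confirm the address with the patient before releasing records or statements",
    "rapid_change_then_request": "confirm the address change via prior contact details before fulfilling the request",
}


def normalize(address: str) -> str:
    """Case-fold, drop punctuation and collapse whitespace so that trivial
    formatting differences ("9 Oak Ave." vs "9 oak ave") are not flagged."""
    return re.sub(r"\s+", " ", re.sub(r"[^\w\s]", "", address)).strip().lower()


def detect_red_flags(events, window_days: int = 14) -> list:
    findings = []

    # Rule 1 (identification confirmation): one SSN presented under more than
    # one name / date of birth across patients.
    identities = defaultdict(set)
    for e in events:
        identities[e.ssn].add((e.patient_id, e.name, e.dob))
    for ssn, ids in identities.items():
        if len({(n, d) for _, n, d in ids}) > 1:
            for pid in sorted({p for p, _, _ in ids}):
                findings.append(Finding(pid, "shared_ssn",
                    f"SSN ending {ssn[-4:]} presented under {len(ids)} identities",
                    RESPONSES["shared_ssn"]))

    # Rule 2 (address discrepancy): the address given at intake disagrees with
    # the address already on file.
    for e in events:
        if e.address_on_file and normalize(e.address) != normalize(e.address_on_file):
            findings.append(Finding(e.patient_id, "address_discrepancy",
                f"intake address {e.address!r} vs on file {e.address_on_file!r}",
                RESPONSES["address_discrepancy"]))

    # Rule 3 (validity of address changes): an address change followed within
    # the window by a request for records, a pattern worth confirming by hand.
    by_patient = defaultdict(list)
    for e in events:
        by_patient[e.patient_id].append(e)
    for pid, evs in by_patient.items():
        for change in (x for x in evs if x.event == "address_change"):
            for req in (x for x in evs if x.event == "records_request"):
                gap = (req.when - change.when).days
                if 0 <= gap <= window_days:
                    findings.append(Finding(pid, "rapid_change_then_request",
                        f"records requested {gap} day(s) after address change",
                        RESPONSES["rapid_change_then_request"]))
    return findings


def triage(findings) -> dict:
    """Group the required responses per patient for the incident-response step."""
    plan = defaultdict(set)
    for f in findings:
        plan[f.patient_id].add(f.response)
    return {pid: sorted(r) for pid, r in sorted(plan.items())}


# Constructed sample intake log (fictitious people, never-issued SSNs).
SAMPLE_EVENTS = [
    IntakeEvent("P-1", "Alice Example", date(1970, 1, 1), "000-00-0001", "1 Main St", "register", date(2009, 3, 1)),
    IntakeEvent("P-2", "Bob Sample", date(1982, 5, 5), "000-00-0001", "3 Lake Rd", "register", date(2009, 3, 10)),
    IntakeEvent("P-3", "Carol Test", date(1965, 7, 7), "000-00-0003", "9 Oak Ave.", "register", date(2009, 3, 2), "9 oak ave"),
    IntakeEvent("P-4", "Dan Demo", date(1990, 9, 9), "000-00-0004", "5 Elm St", "register", date(2009, 3, 3), "77 Pine Rd"),
    IntakeEvent("P-5", "Eve Mock", date(1955, 2, 2), "000-00-0005", "2 Birch Ln", "register", date(2009, 2, 1)),
    IntakeEvent("P-5", "Eve Mock", date(1955, 2, 2), "000-00-0005", "400 Other Way", "address_change", date(2009, 3, 5)),
    IntakeEvent("P-5", "Eve Mock", date(1955, 2, 2), "000-00-0005", "400 Other Way", "records_request", date(2009, 3, 9)),
]

if __name__ == "__main__":
    found = detect_red_flags(SAMPLE_EVENTS)
    for f in found:
        print(f.patient_id, f.flag, "-", f.detail)
    print(triage(found))
```

On the sample log the detector raises four findings (P-1 and P-2 for the shared SSN, P-4 for the address mismatch, P-5 for the change-then-request pattern) and leaves P-3 alone because the normalised addresses agree. The window and the response table are the parts an organisation would tune to its own risk assessment, which is the "program tailored to risks faced by the organization" point from the requirements slide.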

Address Discrepancy Rule
- Applies to users of "consumer reports"
- Notice of Address Discrepancy
- Reasonable policies and procedures:
  - Reasonable belief that the report relates to the consumer for whom the report is requested
  - Furnishing a confirmed address for a consumer subject to a Notice of Address Discrepancy

Security Breach Notification Requirements
[U.S. state map, not reproduced: each state shaded as "Security Breach Notification Bill(s) Introduced", "Security Breach Notification Legislation Enacted", or "No Security Breach Notification Bills Introduced"]

Some Important First State Law Questions in Dealing with Breaches
- Acquisition (or access) vs. harm
- All businesses vs. exclusions for privacy-regulated entities or only information brokers
- Non-electronic data included?
- Personal information: the original California list vs. adding additional elements
- How soon notification must take place
- Report to authorities required?
- Law enforcement coordination exception?
- Pre-breach measures required?
- Civil/criminal penalties and/or private right of action

Law-Driven Business Crisis, Not Regulation, Drives Security
B2C organizations like yours may lose 20% to 30% of the customers that receive breach notices from them:
- Only 8% of consumers who received a security breach notification did not blame the organization that sent the notice (usually the owner or licensee)
- Over 40% said they might discontinue their relationship
- Another 19% said that they had already done so
- Source: Ponemon Institute Surveys, 2005 and 2008 (30% is the 2008 number)
A much higher percentage of employee breaches are notice-triggering: more SSNs, more financial information

Be Savvy About the Security Breach Industry
- Many forensics firms, PR firms and credit bureaus offer products that bundle breach-related services
- Be very careful about listening to any vendor that has a financial interest in notification or other services
- Make sure you get a quick, independent, expert read on legal requirements and on whether and how notice should be given
- The great majority of breaches are not notice-triggering and may be addressed very quickly and inexpensively
- When breaches are notice-triggering, the quality of the communication matters
- Do not be misled about the value of notification or of credit monitoring to your customers and employees
- Do not assume insurance coverage addresses your risks

South Carolina's Breach Law (Effective 7/1/09)
- Notice is triggered only when illegal use has occurred or is reasonably likely to occur, or use of the information creates a material risk of harm
- In addition to the usual elements of notice-triggering information (name + SSN, driver's license #, account number + PIN), includes: other numbers or information which may be used to access a person's financial accounts, or numbers or information issued by a governmental or regulatory entity that will uniquely identify an individual
- Exception for primary/functional regulator notification MAY exempt notification for patient but not employee breaches under ARRA
- Pre-breach measures include rules on disclosure of SSNs and a secure destruction requirement
- Notice must take place in the most expedient time and manner possible and without unreasonable delay
- Private right of action
- Must inform the Consumer Protection Division of the Dept. of Consumer Affairs and all national Consumer Reporting Agencies if notifying 1,000+ persons

North Carolina's Breach Law
- Illegal use/harm threshold the same as SC
- Breach of paper documents clearly included
- In addition to the usual elements of notice-triggering information, includes: checking or savings account #, credit or debit card #, PIN, digital signature, biometric data, fingerprint or passwords
- Notice-triggering information also includes electronic ID #, email names or addresses, parent's maiden name, or any other #s if they permit access to financial resources
- Pre-breach measure requirement excludes entities covered by GLBA, FCRA and HIPAA
- Private right of action if injured
- Report to the Consumer Protection Division of the Attorney General's Office and Consumer Reporting Agencies if notifying 1,000+ persons

ARRA 2009
- Breach notification obligations turning on "unsecured PHI"
- Paper and even oral breaches (apparently) included
- Exceptions
- 60-day outside limit for notifications, but should be more prompt in the absence of justification
- DHHS must be notified for breaches involving more than 500 people
- Expansion of HIPAA Security to all business associates
- Secretary of DHHS to issue annual guidance on technical safeguards
- Enforcement by state AGs, more stringent remedies and a shift in the burden of proof

Other Trends and Requirements
- State social security number protection, use and disclosure laws have also spread like wildfire (including to GA, NC and SC), and impact your employee side where HIPAA did not
- Secure destruction laws, including the FACTA Disposal Rule and state laws (including in GA, NC and SC), govern the destruction of both paper documents and electronic data containing personal information
- Watch for more specific and possibly non-technology-neutral refinements of "secured" or "encryption" under ARRA

Questions?
Nelson Mullins Riley & Scarborough LLP
Jon A. Neiditz, 404.322.6139, jon.neiditz@nelsonmullins.com
Cynthia B. Hutto, 843.720.4307, cindy.hutto@nelsonmullins.com
Ross E. Sallade, 919.329.3875, ross.sallade@nelsonmullins.com
Eli A. Poliakoff, 843.534.4122, eli.poliakoff@nelsonmullins.com