IAPP Privacy Academy, September 30 to October 2, 2013
HEALTHCARE BREACH TRIAGE
Theodore P. Augustinos, EDWARDS WILDMAN PALMER LLP
Kenneth P. Mortensen, CVS/CAREMARK
2013 Edwards Wildman Palmer LLP & Edwards Wildman Palmer UK LLP
Agenda
1. Emerging legal and regulatory requirements in responding to a Healthcare Data Breach
2. Forensic Challenges specific to Breaches involving PHI
3. Other Issues of Interest to Healthcare Providers and BAs
4. Triage Tips for Healthcare Breaches
1. Emerging legal and regulatory requirements in responding to a Healthcare Data Breach
Sources of Healthcare Data Breach Obligations
- Health Insurance Portability and Accountability Act of 1996 (HIPAA)
  - Regulatory authority and enforcement by the Department of Health and Human Services (HHS)
  - Privacy, Security and Breach Notification requirements: the Privacy Rule and the Security Rule
  - Applies to Protected Health Information (PHI) and Covered Entities (CEs)
1. Emerging legal and regulatory requirements in responding to a Healthcare Data Breach (cont.)
- Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH)
  - Amended HIPAA and extends the Privacy and Security Rules to Business Associates (BAs). Before HITECH, BAs were contractually liable to CEs but had no primary statutory liability to the federal government.
  - Imposes breach notification requirements on CEs and BAs
  - Increases enforcement of, and penalties for, violations of privacy and security of PHI
  - Granted enforcement power over HIPAA violations to state Attorneys General
  - Tiered approach to civil monetary penalties for violations
1. Emerging legal and regulatory requirements in responding to a Healthcare Data Breach (cont.)
Final Omnibus Rule
- Final regulations implementing HITECH, effective March 26, 2013, with a compliance date of September 23, 2013.
- Changed the harm threshold for breach notification:
  - Under the Interim Rule there was a simple harm threshold: a reportable breach involved a compromise of the privacy or security of PHI that presented a significant risk of financial, reputational, or other harm. Under this subjective rule, there was no reportable breach unless there was a determination of significant risk.
  - The Final Omnibus Rule turns this threshold around...
1. Emerging legal and regulatory requirements in responding to a Healthcare Data Breach (cont.)
Final Omnibus Rule (cont.)
- The Final Omnibus Rule presumes a breach is reportable unless there is an affirmative determination of a low probability that the PHI was compromised, made after considering (and documenting) four specific factors:
  1. the nature and extent of the PHI involved;
  2. the person who obtained the unauthorized access, and whether that person is under an independent obligation to protect confidentiality;
  3. after forensic analysis, whether the PHI was actually acquired or accessed; and
  4. the extent to which the risk has been mitigated, such as a confidentiality agreement signed by the recipient.
1. Emerging legal and regulatory requirements in responding to a Healthcare Data Breach (cont.)
Final Omnibus Rule (cont.)
- Increases potential penalties to a maximum of $1.5 million per violation
- Other provisions increase patients' privacy rights
- Confirms CEs' ability to delegate notification to BAs
- But also makes CEs liable for BAs acting as the CEs' agents
1. Emerging legal and regulatory requirements in responding to a Healthcare Data Breach (cont.)
State Law
- Requires state-by-state analysis
- Some states (e.g., CA) include medical or health information in their breach notification requirements
- Additional requirements for licensees
- Even bigger challenges arise when both PHI and PI are part of the same incident: multiple versions of notification letters, including versions presenting different offers of remediation, may be required to meet differing state and HIPAA breach notice requirements
1. Emerging legal and regulatory requirements in responding to a Healthcare Data Breach (cont.)
US Enforcement Trends -- 2012
- June 2012: $1.7M settlement with Alaska Department of Health and Social Services
  - Loss of unencrypted hard drive
  - Lack of policies and procedures
- September 2012: $1.5M settlement with healthcare provider
  - Theft of unencrypted laptop
- January 2013: First HIPAA breach settlement where an unencrypted laptop stolen from a hospice lacking policies and procedures impacted fewer than 500 patients
1. Emerging legal and regulatory requirements in responding to a Healthcare Data Breach (cont.)
US Enforcement Trends -- 2013
- May 2013: $400,000 settlement with Idaho State University for a 2011 breach of ePHI of 17,500 individuals treated at an ISU clinic. Alleged lack of security assessment and measures due to a disabled firewall.
- July 2013: WellPoint pays $1.7M settlement for exposing ePHI on the Internet. OCR cited deficiencies in a web-based application that resulted in the exposure of over 600,000 individuals. The OCR press release referenced future liability of BAs as well.
- August 2013: Affinity Health Plan pays $1.2M for exposing PHI of approximately 344,000 individuals when returning leased copiers without erasing their hard drives.
1. Emerging legal and regulatory requirements in responding to a Healthcare Data Breach (cont.)
State-Level Enforcement Trends
- New York: on May 28, 2013, NY DFS sent 308 letters to over 30 of the largest insurers in NY, including numerous health insurers. Requires production of:
  - Information on any cyber attacks the company has been subject to in the past three years
  - The cyber security safeguards the company has put in place
  - The company's information technology management policies
  - The amount of funds and other resources dedicated to cyber security at the company
  - The company's governance and internal control policies related to cyber security
2. Forensic Challenges specific to Breaches involving PHI
Control over Location of Data -- in addition to issues related to authorized Cloud and Outsourcing...
- Challenges in developing and enforcing policies
- Cultural issues
- Restricting and securing: equipment, cloud usage, access to data
- Access logging: especially important for shared access facilities
2. Forensic Challenges specific to Breaches involving PHI (cont.)
- Photographic and videographic media
- Determining the scope of compromised PHI in any form or medium
- Limitations on search tools and capabilities for PHI
- Cloud and other outsourcing considerations: security verification, location control, investigations
3. Other Issues of Interest to Healthcare Providers and BAs
What happens when there's a breach involving Health Insurance Exchanges (HIX)?
- Proposed Rule published June 19
- Breach would be defined broadly
- Per applicable agreements, Federally-Facilitated Exchanges (FFEs) (including associated non-exchange entities) and State Exchanges would have to report breaches to HHS within one hour
- The proposed rule states that an "incident" would mean the act of violating an explicit or implied security policy, which includes attempts [either failed or successful] to gain unauthorized access to a system or its data, unwanted disruption or denial of service, the unauthorized use of a system for the processing or storage of data, and changes to system hardware, firmware, or software characteristics without the owner's knowledge, instruction, or consent.
3. Other Issues of Interest to Healthcare Providers and BAs (cont.)
More about Business Associates
- Perform functions or activities on behalf of Covered Entities
- Includes claims processors, legal, accounting, actuarial, etc., if they receive PHI
- BA Agreements are required of CEs to contractually extend privacy and security standards to BAs
- Standard provisions of BA Agreements:
  - Obligations and activities of the BA: uses and disclosures of PHI, reporting, access, etc.
  - Permitted uses and disclosures
  - Return or destruction of PHI upon termination
- Before HITECH, BAs were contractually liable to CEs but had no primary statutory liability to the federal government. The penalty for violation of contractual obligations was damages resulting from contractual breach.
3. Other Issues of Interest to Healthcare Providers and BAs (cont.)
Sub-BAs
- HITECH extended security obligations to sub-BAs as well as to direct BAs
- Increased pressure on contractual provisions related to sub-BAs, including required reps, warranties, indemnifications, inspection and audit rights, and notice requirements.
4. Triage Tips for Healthcare Breaches
Preparedness -- Keep a Full Cart
- In the ER and surgical theaters, all the potentially necessary drugs are kept in the cart at all times. Equipment is assembled, maintained and ready. Staff is organized, trained and on call. Approach your potential future breach the same way.
Do No Harm
- Get the full team up to speed, stat!
- Don't over-react or react too quickly
- Make decisions with all necessary information
- Follow procedures and protocol
4. Triage Tips for Healthcare Breaches (cont.)
Next Steps for Advance Preparation
- Assess your data: What is it? Where is it? Who has access? Do you have more than you need?
- Assess your policies, procedures and safeguards: you can't "set it and forget it"
- Review your vendor management process and vendors: due diligence, BA Agreements, sub-BAs
- Freshen your incident response plan and preparedness: consider a table-top exercise
- Do more training