How to mitigate risks, liabilities and costs of data breach of health information by third parties


How to mitigate risks, liabilities and costs of data breach of health information by third parties
ID Experts Webinar, April 17, 2012, www.idexpertscorp.com

Presenters: Rick Kam, President and Co-Founder, richard.kam@idexpertscorp.com; Ellen M. Giblin, Privacy Counsel, egiblin@ashcroftlawfirm.com

Key Takeaways
- Relevance of the PHI Report on valuing PHI
- Top threats and risks to PHI
- Risk mitigation using third-party agreements
- Evolving regulatory environment
- Steps to mitigate risk

The PHI Project
REQUIRED: Enhanced programs for safeguarding Protected Health Information (PHI)
WHY: Increased number and frequency of data breaches
WHO: Guardians of the trust forming the foundation of the health care delivery system
SOLUTION: Information and tools to develop a compelling business case for requesting investments and resources to ensure PHI privacy and security

What's Happening?
- The number of organizations handling PHI is expanding
- The adoption of ePHI has increased the information flow risks
- The rewards of medical ID theft have surged

The Ramifications
For the first time in history, it is possible to:
- Improperly disclose PHI of millions of individuals in a matter of seconds,
- Steal health information from a virtual location, and
- Breach PHI in a manner that makes it impossible to restore.

Why Steal PHI?
- Physician ID numbers are used to fraudulently bill for services
- Patient ID information is lent to friends or relatives in need of services
- Patient ID numbers are sold on the black market
- Medicare fraud estimate: $60B/year
- Majority of clinical fraud: obtaining prescription narcotics for illegitimate use
- ~5% of clinical fraud: free health care
- Patient ID information: $50/record
- Social Security number: $1
- Average payout for defrauding a health care organization: $20,000; regular ID theft: $2,000

Top Elements Threatening PHI Security
Human: malicious insider; non-malicious insider; outsider; state-sponsored cyber crime
Evolving stakeholders: BAs and subcontractors; cloud providers; virtual physician's office
Methods: lost / stolen media; intrusion; dissemination of data; mobile devices; wireless devices

The PHIve Method
1. Conduct a risk assessment
2. Determine the security readiness score
3. Assess the relevance of a cost
4. Determine the impact
5. Calculate the total cost of a breach

Sample Case Study
Scenario: unintentional breach by a business associate, 845,000 records, clinical fraud resulting in 1 death, financial fraud, NYC
Estimated total impact:
- Grand total of breach costs: $26,493,617
- Annual revenue of entity: $241,836,404
- Cost as % of annual revenue: 11%
- Impact score: Severe

How Much to Invest?
- How much would a data breach cost?
- Given current safeguards and controls, how often can an organization expect to experience a data breach?
- What investments can be made to reduce the frequency of a data breach?
- What are the associated annual savings of a delayed data breach?
- Which enhancement program costs less than the annual savings but still delivers on the reduced frequency of a breach?
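The investment questions above come down to comparing the annualized expected cost of a breach with and without a given control. The Python script below is an added example written for this page, not part of the ID Experts webinar: it reproduces the case-study arithmetic (breach cost as a share of revenue and the resulting impact score) and then works through the "How Much to Invest?" questions using annualized loss expectancy. The two dollar figures come from the case-study slide; the impact-band edges, the current breach frequency and the three candidate enhancement programs are constructed assumptions.

```python
"""Breach cost and control-investment model.

Added example (not from the ID Experts webinar). The two case-study
figures come from the slide; every other number here is a constructed
assumption used to show the arithmetic.
"""
from dataclasses import dataclass
from typing import List, Tuple

# From the sample case study slide.
CASE_STUDY_BREACH_COST = 26_493_617       # grand total of breach costs, USD
CASE_STUDY_ANNUAL_REVENUE = 241_836_404   # annual revenue of the entity, USD

# Assumed impact bands: upper bound on cost/revenue for each label.
# The slide only tells us that 11% rates as "Severe"; the edges are ours.
IMPACT_BANDS = [(0.01, "Low"), (0.05, "Moderate"), (0.10, "High")]


def cost_share_of_revenue(breach_cost: float, annual_revenue: float) -> float:
    """Fraction of one year's revenue consumed by a single breach."""
    if annual_revenue <= 0:
        raise ValueError("annual revenue must be positive")
    return breach_cost / annual_revenue


def impact_score(share: float) -> str:
    """Map a cost/revenue share onto an impact label (assumed bands)."""
    for upper, label in IMPACT_BANDS:
        if share < upper:
            return label
    return "Severe"


def annualized_loss(breach_cost: float, breaches_per_year: float) -> float:
    """Expected breach cost per year = cost of one breach x expected frequency.
    A breach 'delayed' from every 4 years to every 8 halves this figure."""
    return breach_cost * breaches_per_year


@dataclass
class EnhancementProgram:
    name: str
    annual_cost: float               # what the program costs per year
    breaches_per_year_after: float   # expected frequency once it is in place


def annual_savings(breach_cost: float, current_frequency: float,
                   program: EnhancementProgram) -> float:
    """Reduction in annualized loss the program buys."""
    return (annualized_loss(breach_cost, current_frequency)
            - annualized_loss(breach_cost, program.breaches_per_year_after))


def select_programs(breach_cost: float, current_frequency: float,
                    programs: List[EnhancementProgram]) -> List[Tuple[str, int, int]]:
    """Keep programs whose annual cost is below the annual savings they deliver,
    returned as (name, savings, net benefit) with the best net benefit first."""
    worthwhile = []
    for p in programs:
        savings = annual_savings(breach_cost, current_frequency, p)
        if p.annual_cost < savings:
            worthwhile.append((p.name, round(savings), round(savings - p.annual_cost)))
    return sorted(worthwhile, key=lambda row: row[2], reverse=True)


# Constructed scenario: today the entity expects one breach every four years.
CURRENT_BREACHES_PER_YEAR = 0.25
CANDIDATE_PROGRAMS = [
    EnhancementProgram("vendor assessment program", 400_000, 0.20),
    EnhancementProgram("encrypt portable media and devices", 1_500_000, 0.125),
    EnhancementProgram("fully outsourced security operations", 5_000_000, 0.10),
]


def case_study_summary() -> Tuple[float, str]:
    """Share of revenue (rounded) and impact label for the slide's case study."""
    share = cost_share_of_revenue(CASE_STUDY_BREACH_COST, CASE_STUDY_ANNUAL_REVENUE)
    return round(share, 2), impact_score(share)


def example_selection() -> List[Tuple[str, int, int]]:
    """Programs worth funding under the constructed scenario."""
    return select_programs(CASE_STUDY_BREACH_COST, CURRENT_BREACHES_PER_YEAR, CANDIDATE_PROGRAMS)


if __name__ == "__main__":
    share, score = case_study_summary()
    print(f"case study: {share:.0%} of revenue, impact {score}")
    today = annualized_loss(CASE_STUDY_BREACH_COST, CURRENT_BREACHES_PER_YEAR)
    print(f"annualized loss today: ${today:,.0f}")
    for name, savings, net in example_selection():
        print(f"{name}: saves ${savings:,}/yr, net benefit ${net:,}/yr")
```

Under these assumptions the most expensive program is rejected even though it cuts breach frequency the most: its annual cost exceeds the annual savings, which is exactly the filter the last question on the slide describes. Swapping in your own breach-cost estimate and frequency figures is the only change needed to reuse the comparison.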

Vendor Risk Ecosystem: Managing and Mitigating Vendors in the Risk Ecosystem

Evolving Regulatory and Enforcement Environment
Healthcare organizations, or covered entities under HIPAA, are legally responsible for the protected health information (PHI) they hold. Because of the HITECH Act, that responsibility now carries downstream to their business associates (claims processing, administration, data analysis, billing, benefits management) and could potentially extend to subcontractors.

Evolving Regulatory and Enforcement Environment (continued)
The Department of Health and Human Services Office for Civil Rights (OCR) has recently deepened its enforcement to include business associates (BAs). And the recent Minnesota Attorney General's action against Accretive Health is evidence that states are also stepping up their scrutiny of business associates using their authority under the HITECH Act.

Business Associates: Integral to the Risk Management Ecosystem
That's not without cause. Business associates are the second top source of data breaches, according to a recent benchmark study on patient privacy and data security by the Ponemon Institute. In fact, Leon Rodriguez, director of the OCR, notes that 63 percent of the people affected by OCR-reported data breaches were affected as the result of security lapses at a business associate.

Key Steps to Minimize Vendor Risk
The OCR's extended scrutiny is putting pressure on covered entities to measure business associates' HITECH compliance more proactively and more frequently. To keep them in check, covered entities would do well to ask some important questions of, or about, their business associates:

Step One: Assess the Criticality of Service
How critical is the business associate to my organization? Is it operationally critical or tied to my brand? Is there a viable alternative? Using a metric of sorts to weigh the importance versus the risks of a business associate can be helpful. For instance, an electronic health records system provider may be a higher risk because of the amount of sensitive data it processes, yet replacing the system may not be feasible.

Step Two: Contractual Safeguards
Do I have an updated agreement in place with each business associate, one that evolves to meet changing privacy and security needs? Reasons to update may include changes in the types of services provided; changes in policies and procedures based on annual review or simulations; or data breaches or environmental changes.

Step Three: Due Diligence
What security standards does the BA comply with? Does the business associate conduct employee training, annual risk assessment and/or risk analysis according to the HIPAA privacy, security and breach notification rules? Can it provide you a copy of its most recent assessment, risk mitigation plan, and progress report? Does it have a privacy and compliance official?

Step Three: Due Diligence (continued)
Has the business associate had privacy or security incidents with other covered entities? Ask to talk to other covered entities the BA serves to find out about the BA's practices regarding the incident and how it was handled. This can be a predictor of future events and of any impact on your organization.

Step Four: Operationalize the BA Contract
Does the business associate have an incident detection and management process? How does the business associate detect incidents, and what will trigger it to notify the covered entity? How soon must the BA notify you in the event of an incident? Is it enough time to conduct an incident assessment and meet the breach response obligations under federal and state laws?

Step Four: Operationalize the BA Contract (continued)
What are the contractual obligations or indemnity provisions if there is an incident? Covered entities are responsible for the breaches caused by their business associates, including notification costs. Given the increased enforcement and expensive notification and remediation procedures, however, business associates should assume some financial liability. More importantly, is the business associate able to bear the indemnity costs, either through its own resources, cyber insurance, or another form of security?

Step Four: Operationalize the BA Contract (continued)
What are the legal and contractual requirements for offshore business associates and subcontractors? These third-party providers are not subject to HIPAA privacy and security regulations. Covered entities or business associates contracting with foreign third parties should include any requirements for safeguarding PHI within the agreements, and not depend on foreign law.

Step Five: Minimize the Risk
What about termination clauses? Do you have a clear set of guidelines under which you will terminate a business associate agreement? Can you monitor for these guidelines, and can the BA provide you the information necessary for making this decision?

Step Six: Manage the Risk Ecosystem
Covered entities bear an enormous burden for safeguarding the PHI in their care. The further that sensitive data goes downstream, the more difficult it can be to protect. But with increasing enforcement at the federal and state levels, covered entities have the right and the obligation to insist on evidence of compliance from their business associates and, as much as possible, their subcontractors.
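Taken together, steps one through six describe a repeatable triage of each business associate: weigh how critical it is against how much risk it carries (step one), check the agreement and due-diligence items (steps two and three), verify that the contractual notification deadline leaves room for your own breach response (step four), and decide whether to retain, remediate or terminate (steps five and six). The Python below is an added example written for this page, not the webinar's or ID Experts' own tooling. The scoring weights, thresholds, recommended actions and the three sample business associates are constructed assumptions. The 60-day constant is the HIPAA Breach Notification Rule's outer limit for notifying affected individuals after discovery (45 CFR 164.404), which the slides do not state; where a state law sets a shorter deadline, that value should replace it.

```python
"""Business associate risk triage.

Added example (not the webinar's or ID Experts' code). Weights, thresholds,
actions and the sample vendors are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Outer federal limit for notifying individuals after discovery of a breach
# (45 CFR 164.404). Substitute a shorter state deadline where one applies.
INDIVIDUAL_NOTICE_DEADLINE_DAYS = 60


@dataclass
class BusinessAssociate:
    name: str
    criticality: int                        # 1 (incidental) to 5 (operations or brand depend on it)
    replaceable: bool                       # is there a viable alternative?
    phi_records: int                        # volume of PHI the BA handles
    baa_current: bool                       # updated business associate agreement in place
    assessment_age_months: Optional[int]    # age of latest risk assessment; None if none provided
    notify_within_days: Optional[int]       # contractual incident notice deadline; None if absent
    prior_incidents: int                    # incidents reported by other covered entities
    offshore: bool
    phi_safeguards_in_contract: bool        # needed when offshore (cannot rely on foreign law)


def exposure_score(ba: BusinessAssociate) -> int:
    """Risk side of the step-one weighing. Constructed weights."""
    score = 3 if ba.phi_records >= 100_000 else 2 if ba.phi_records >= 10_000 else 1
    if not ba.baa_current:
        score += 2
    if ba.assessment_age_months is None or ba.assessment_age_months > 12:
        score += 2
    score += min(ba.prior_incidents, 3)
    if ba.offshore and not ba.phi_safeguards_in_contract:
        score += 2
    return score


def notification_slack_days(ba: BusinessAssociate, own_assessment_days: int = 10) -> Optional[int]:
    """Days left on the notice deadline after the BA's contractual notice period
    and the covered entity's own incident assessment. Negative means the contract
    does not leave enough time; None means the contract sets no deadline."""
    if ba.notify_within_days is None:
        return None
    return INDIVIDUAL_NOTICE_DEADLINE_DAYS - ba.notify_within_days - own_assessment_days


def triage(ba: BusinessAssociate) -> Dict:
    """Findings to raise with the BA plus a recommended action."""
    exposure = exposure_score(ba)
    slack = notification_slack_days(ba)
    findings: List[str] = []
    if not ba.baa_current:
        findings.append("update the business associate agreement")
    if ba.assessment_age_months is None:
        findings.append("obtain current risk assessment, mitigation plan and progress report")
    elif ba.assessment_age_months > 12:
        findings.append("risk assessment is older than 12 months")
    if slack is None:
        findings.append("contract sets no incident notification deadline")
    elif slack < 0:
        findings.append(f"notification deadline leaves {-slack} days too few for breach response")
    if ba.offshore and not ba.phi_safeguards_in_contract:
        findings.append("offshore BA without PHI safeguards written into the contract")

    # Importance versus risk: high exposure is tolerable only when the BA is
    # hard to replace, and then only with monitoring and remediation.
    if exposure >= 7:
        action = ("replace or remediate before renewal" if ba.replaceable
                  else "retain with enhanced monitoring and a remediation plan")
    elif exposure >= 4:
        action = "remediate findings and re-assess annually"
    else:
        action = "acceptable; monitor"
    return {"name": ba.name, "criticality": ba.criticality, "exposure": exposure,
            "notification_slack_days": slack, "findings": findings, "action": action}


# Constructed sample vendors; the EHR case mirrors the slide's example of a
# high-risk provider that is not feasible to replace.
SAMPLE_BUSINESS_ASSOCIATES = [
    BusinessAssociate("EHR platform", 5, False, 845_000, True, 18, 30, 2, False, True),
    BusinessAssociate("offshore billing", 2, True, 50_000, False, None, None, 0, True, False),
    BusinessAssociate("transcription service", 1, True, 2_000, True, 6, 5, 0, False, True),
]


def triage_all(vendors=SAMPLE_BUSINESS_ASSOCIATES) -> List[Dict]:
    """Highest exposure first, so the review queue starts with the worst case."""
    return sorted((triage(v) for v in vendors),
                  key=lambda r: (r["exposure"], r["criticality"]), reverse=True)


if __name__ == "__main__":
    for row in triage_all():
        print(f"{row['name']}: exposure {row['exposure']}, action: {row['action']}")
        for finding in row["findings"]:
            print("  -", finding)
```

The notification check is the part most often missed in practice: a contract that gives the BA most of the federal window to report leaves the covered entity no time to assess the incident and notify on its own schedule, and the slack calculation surfaces that before an incident does.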

Questions & Answers
Rick Kam, ID Experts, President & Co-Founder, richard.kam@idexpertscorp.com, 800-298-7558
Ellen M. Giblin, Ashcroft Law Firm, Privacy Counsel, egiblin@ashcroftlawfirm.com, 617-573-9400