Potential Liability for HIPAA Violations: A Primer

Transcription

1 Potential Liability for HIPAA Violations: A Primer Wednesday, March 23, 2016 Presented By the IADC Medical Defense and Health Law Committee and In-House and Law Firm Management Committee Welcome! The Webinar will begin promptly at 12:00 pm CDT. Please read and follow the below instructions: For you information, this Webinar presentation is being recorded. If you have not already done so, please join the conference call. Mute your phone line. If you do not have a mute button or are on a cell phone, press *1 to mute your phone. If you are on a conference phone, please move all cellular or wireless devices away from the conference phone to avoid audio interference. If you have questions during the presentation, you may utilize the Q&A pod on the upper-right-hand side of your screen. You may type questions here and it will be sent to the presenter for response. If your question is not answered during the presentation, our presenter will answer questions at the end of the webinar. Visit the Files pod in the lower-right-hand corner of the screen if you would like to download a copy of this PowerPoint presentation.

2 Type your questions for presenters here in the Q&A Pod Click on the file name to download this Power Point or any referenced documents

3 IADC Webinars are made possible by a grant from The Foundation of the IADC. The Foundation of the IADC is dedicated to supporting the advancement of the civil justice system through educational opportunities like these Webinars. For more information on The Foundation, visit

4 Presenters Robert G. Smith, Jr. Lorance & Thompson, P.C. Houston, TX Cathy Bryant Texas Medical Liability Trust Austin, TX

5 Potential Liability for HIPAA Violations: A Primer This Webinar will be a nuts and bolts presentation regarding HIPAA and potential liability for HIPAA violations. The program will include a discussion of potential liability of law firms for HIPAA violations. For the purposes of the webinar, we will limit our discussion to federal law, HIPAA. It is important for attorneys to be aware of state specific laws where they practice; i.e. in Texas, law firms can be considered Covered Entities under the Texas Medical Privacy Act.

6

7 FBI Warns Law Firms 2009, the FBI first warned that law firms were the targets of hackers 2013 FBI repeated the warning We have hundreds of law firms that we see increasingly being targeted by hackers A complete set of medical records is more valuable than financial records and social security numbers Resale value of medical information used for Medical Identity Theft

8 80% of the Big Law Firms Hacked (law firms) are a treasure trove that is extremely attractive to criminals, foreign governments, adversaries and intelligence entities. American Bar Association Cybersecurity Legal Task For Law firms rank 7 th most vulnerable industry to malware encounters Cisco Systems 2015 Annual Security Report

9 Source: Modern Healthcare

10 HIPAA Overview HIPAA PRIVACY RULE HIPAA SECURITY RULE HIPAA BREACH NOTIFICATION RULE OMNIBUS RULE EFFECTIVE 2003 EFFECTIVE 2005 EFFECTIVE 2013 EFFECTIVE 2013 Rule Covers Protectd Helath Information in all forms: Verbal Written Electronic Rule Covers Protected Health Information in Electronic format only Rule Covers all breaches of protected heatlth information by a Covered Entity or a Business Assoicate Sweeping changes to HIPAA Patient Rights Business Associates directly responsible for HIPAA

11 HIPAA Who? Covered Entity Business Associate Definitions: 45 CFR Subcontractor

12 HIPAA What? Protected Health Information The Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information "protected health information (PHI)." Individually identifiable health information is information, including demographic data, that relates to: the individual s past, present or future physical or mental health or condition, the provision of health care to the individual, or the past, present, or future payment for the provision of health care to the individual, and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual.

13 Breach A breach is, generally, an impermissible use or disclosure under the [HIPAA] Privacy Rule that compromises the security or privacy of the protected health information. An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate demonstrates that there is a low probability that the protected health information has been compromised [aka Lo-Pro-Co ] based on a risk assessment of at least 4 factors

14 When is a Breach not a Breach? PHI that is unusable, unreadable or indecipherable to unauthorized persons through the use of a technology or methodology

15 Cost of a Breach COST OF NOTIFYING PATIENTS CREDIT MONITORING FORENSICS HEALTHCARE BREACH CAN COST $363 PER RECORD CALL CENTER LEGAL FEES PUBLIC RELATIONS/ CRISIS RESPONSE 5 th Annual Benchmark Study on Patient Privacy and Data Security The Ponemon Institute

16 OCR Process OCR OCR Intake & Review Possible Criminal Violation OCR Possible Privacy or Security Rule Violation RESOLUTION Violation did not occur after Entity complained about was not covered by the Privacy Rule Incident described does not violate the Privacy Rule Refer to DOJ Investigation Accepted by DOJ RESOLUTION OCR finds no violation OCR finds violation with voluntary compliance, corrective action or agreement OCR issues formal finding of violation Fines Penalties (CMP)

17 HIPAA Violations & Enforcement xxx HIPAA Violation Minimum Penalty Maximum Penalty Individual did not know (and by exercising reasonable diligence would not have known) that he/she violated HIPAA HIPAA violation due reasonable cause and not due willful neglect HIPAA violation due to willful neglect but violation corrected within the required time period HIPAA violation is due to willful neglect and is not corrected $100 per violation, with an annual maximum of $25,000 for repeat violations $1,000 per violation, with an annual maximum of $100, 000 for repeat violations $10,000 per violation, with an annual maximum of $250, 000 for repeat violations $50,000 per violation, with an annual maximum of $ 1.5 for repeat violations $50,00 per violation, with an annual maximum of $1.5 $50,000 per violation, with an annual maximum of $1.5 million $50,000 per violation, with an annual maximum of $1.5 million $50,000 per violation, with an annual maximum of $1.5 million

18 Review of OCR Investigations 10,783 23,731 34,514 BREACH REPORT OR COMPLAINT INVESTIGATIONS 1/3 rd WERE FOUND TO HAVE NO VIOLATION 2/3 rds HAD VIOLATIONS CORRECTIVE ACTION REQUIRED (69%) NO VIOLATION (31%)

19 Potential Liability Under HIPAA ABA Model Rules of Professional Conduct Lawyers are required to make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client. Reasonable efforts taking steps to prevent someone from hacking into a law firm s computer network staff posting client information on the Internet training

20 Potential Liability Under HIPAA A lawyer must also consider duties arising under HIPAA, for example, and other laws intended to protect data privacy. ignorance of technology is not a defense Lawyers must stay abreast of changes in the law and its practice, [and] need to have a basic understanding of the benefits and risks of relevant technology.

21 POTENTIAL LIABILTY FOR HIPAA VIOLATIONS: A PRIMER What Privacy and Security issues exist in firms related to PHI? 21

22 Paper 45 CFR (c) Standard: Safeguards -- Have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information Implementation specification: must reasonably safeguard PHI any intentional or unintentional use or disclosure must reasonably safeguard protected health information to limit incidental uses or disclosures 45 CFR Administrative Requirements

23 Password Basic Password Protection Protocols 1. Password length 2. Password complexity (Upper, Lower, Number and Special character) 3. Frequently changed Weak Passwords 2012, the must common passwords 1. Password , the most common passwords were: 1. Password 45 CFR & Technical Safeguard

24 PHI Dear Dr. Expert Witness Here are all the medical reports I need you to review in this bad case. Do you send s Dr. containing Expert Witness PHI Somewhere, USA or medical record attachments? Thanks, Unencrypted Attorney Is PHI sent encrypted or through a secure file sharing technology? Transmitting encrypted data can be accomplished efficiently and without appreciably slowing down the system. 45 CFR Technical Safeguard

25 Encryption Objections to Encryption It is not required by HIPAA. True; but if you don t encrypt you must show what you did to protect PHI equal to encryption It slows down my PC/laptop It is costs money Encryption is not a password or passcode! Encryption is the process of translating words or text into code which conceals the text. 45 CFR Technical Safeguard

26 The Problem with Unencrypted Devices August 2015 OCR Settlement with Cancer Care Group Laptop and backup media (unencrypted) was stolen from employee s vehicle 5500 records Cancer Care was in widespread noncompliance with the HIPAA Security Rule. Had not conducted an enterprise wide risk analysis Did not have written P&P specific to removal of hardware and electronic media Did not encrypt Encryption is a basic cyber risk management tool. Cyber liability insurance applications now ask about the use of encryption and can result in an endorsement excluding unencrypted portable devices.

27 BYOD Do you use your Personal Devices to store or access PHI? The use, or potentially, the loss or theft of smartphones and other devices. With the storage capacity of smartphones increasing, attorneys are storing more and more information on them, including , attachments and documents. The use of personal devices also makes it more difficult for firms to institute good security practices. Attorneys should take reasonable steps to safeguard the confidential information accessible on their mobile phones. 45 CFR & Administrative & Technical Safeguards For example, does the phone permit remote wiping of the information stored in the event that it is lost or stolen? Is it enabled?

28 Cloud Storage According to New York State Bar Association Committee on Professional Ethics Opinion 842, a lawyer in New York may use an online cloud computer data backup system to store client files so long as the lawyer takes reasonable care to protect the client s confidential information form unauthorized disclosure, which included the following three steps: 1. Ensuring that the online data storage provider has an enforceable obligation to preserve confidentiality and security, and the provider will notify the lawyer if served with process regarding the production of client information; 2. Investigating the online data storage provider s security measures, policies, recoverability methods, and other procedures to determine if they are adequate under the circumstances; and 3. Employing available technology to guard against reasonably foreseeable attempts to infiltrate stored data. 45 CFR , &

29 Unsecure Wi-Fi Unsecure Wi-Fi Wireless networks that can be freely accessed without a password. Attorneys spend a great deal of time away from the office, and attempt to get work done wherever they may find themselves. To get work done while on the road, attorneys may access the Internet while at the airport or other hotspot that has open access. 45 CFR Technical Safeguard

30 Unpatched/Outdated Software Vulnerabilities arise from running unpatched or outdated software. End of Life the vendor will no longer release security patches for the operating system. Any holes hackers find will be left unpatched and the software is now fundamentally unsecure. Windows 8 -- End of Life January 13, 2016 Internet Explorer End of Life January 12, 2016 Windows Server 2003 End of Life July 14, 2015 Windows XP End of Life April 4, CFR & Administrative & Technical Safeguard

31 Photo Copiers Hard Drives CBS News: Digital Photocopiers Loaded With Secrets April 19, 2010 Affinity Health Plans Reported Breach to HHS April, 2010 Settlement Agreement August, 2013 Settle potential violations of the HIPAA Privacy and Security Rules for $1,215,780. Affinity impermissibly disclosed the protected health information of up to 344,579 individuals. Affinity returned multiple photocopiers to a leasing agent without erasing the data contained on the copier hard drives. Affinity failed to incorporate the electronic protected health information stored in copier s hard drives in its analysis of risks and vulnerabilities as required by the Security Rule. Affinity failed to implement policies and procedures when returning the hard drives to its leasing agents. 45 CFR Physical Safeguard

32 POTENTIAL LIABILTY FOR HIPAA VIOLATIONS: A PRIMER What is the proper way to dispose of PHI? 32

33 NIST Publication r1 Sanitization and Disposal

34 Medical Records Radiology Regional Center in Florida notified patients of a possible healthcare data breach after some paper records were found on a street on December 19, ,063 individuals potentially affected. a small quantity of records fell onto the street while being transported by Lee County Solid Waste Division, which is responsible for the disposal of Radiology patient records. As a result of our numerous searches, we believe that virtually all of the records were retrieved. To ensure an incident like this does not happen again, we have taken steps to change how paper records are transported and destroyed, the statement explained. Lee County Solid Waste Division will no longer be responsible for transporting our records for disposal.

35 Law Firm Compliance Obligations The Omnibus Rule (2013) clarifies: Business Associates and their subcontractors are directly liable under HIPAA and must comply with some of the Privacy Rule, all of the Security Rule and Breach Notification. Limiting use and disclosure of PHI Impermissible use and disclosure of PHI Failing to provide breach notification Failing to provide access to a copy of ephi to the CE or individual Failing to account for disclosure of PHI Failing to disclose PHI to the Secretary of HHS related to an investigation about the BA HIPAA compliance Failing to comply with the requirements of the HIPAA Security Rule Failing to enter into a subcontractor BAA 35

36 Cyber Risk Management 36

37 A Caveat About Cyber Insurance Cyber insurance is not a substitute for a good cyber risk management program, as all losses may not be covered by an insurance policy. Increasing cyber risks and regulatory violations require cybersecurity to be integrated into your business risk. Complacency is not a risk management strategy! 37

38 The OCR s Roadmap Jocelyn Samuels: It is critical that entities take a comprehensive and thorough approach to assessing and addressing the risk to all of the protected health information they maintain. Have comprehensive policies and procedures for compliance with the HIPAA Rules, but also the P & P must be clearly communicated to and implemented by all workforce members.

39 Do You Know Where You PHI? Have RISK IDENTIFICATION Where do you create, maintain, transmit or store PHI/ePHI?

40 HIPAA Risk Assessment The first Implementation Specification of the Security Rule requires covered entities and business associates to conduct a security risk analysis The one unforgiveable in the eyes of the OCR is failure to conduct a risk assessment 40

41 POTENTIAL LIABILTY FOR HIPAA VIOLATIONS: A PRIMER TRAINING 45 CFR Administrative requirements. (b)(1) Standard: Training. must train all members of its workforce on the policies and procedures with respect to protected health information required by this subpart and subpart D of this part, as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity. What employees need to be trained and how? 41

42 Educated Workforce Employee education is paramount See Something Say Something Federal as soon as possible Texas new employees must be trained within 90 days of employment 42

43 POTENTIAL LIABILTY FOR HIPAA VIOLATIONS: A PRIMER What written policies and procedures should a firm have? 43

44 Beware of P&P Templates should reflect what is actually done December 2014 Anchorage Community Mental Health Services OCR Settlement Agreement 2012 ephi was compromised due to malware compromising the security of its IT services $150,000 fine and adopt a plan of correction Organization had adopted sample P&P in 2005 but never followed them The breach was a direct result of failing to identity and address basic risks 44

45 Need Expert Guidance? As the forms of connected technology used by healthcare providers increases so will their cybersecurity risks. Therefore, providers will need assistance in mitigating the proliferation and diversity of their cyber risks, including help with their: IT Systems; Privacy, Security, & Breach Risk Assessments; Staff Privacy Training; and Risk Transfer (cyber insurance). 45

46 The Road to HIPAA Compliance 1. Appoint a Privacy and Security Officer 2. Conduct a Risk Assessment 3. Develop a Risk Management/Mitigation Plan for Risks Identified 4. Create or Update Policies and Procedures 5. Develop a BAA and Subcontractor BAA 6. Develop a Plan for Handling Breaches 7. Workforce Training 8. Consider Cyber Insurance YES COMPLIANCE NO

47 Questions for Presenters? Robert G. Smith, Jr. Lorance & Thompson, P.C. Houston, TX Cathy Bryant Texas Medical Liability Trust Austin, TX

48 Potential Liability for HIPAA Violations: A Primer Wednesday, March 23, 2016 Thank you for Participating! To access the PowerPoint presentation from this or any other IADC Webinar, visit our website under the Members Only Tab (you must be signed in) and click on Resources Past Webinar Materials, or contact Melisa Maisel Vanis at mmaisel@iadclaw.org.