HIPAA Compliance in the Event of a Data Breach

Transcription

1 HIPAA Compliance in the Event of a Data Breach November 5, 2015 Lucie Huger Officer, Greensfelder, Hemker & Gale, P.C.

2 Information is the New Oil! Hospitals are collecting and storing mass amounts of data on a regular basis. This data may include information about patients, employees and business operations. This data has value to the hospitals producing/collecting it, to their competitors and to unknown third parties.

3 Everywhere With the popularity of social media; conducting business on personal devices; and outsourcing certain business functions to third parties, data breaches are becoming more prevalent.

4 Possible Outcomes Affecting Operations Resulting From A Breach Loss of customers Damage to reputation Compliance obligations Government investigations (federal and state) Civil litigation

5 Common Causes of Data Breaches Negligence Malicious or criminal attacks (hacking or theft of electronic devices) Corporate espionage/malfeasance

6 Data Breach Trends Involving Health Care Providers With the Omnibus Rule standard of Low-Pro-Co, there are more reportable breaches and more breaches affecting 500 or more individuals. An increase in malicious hacker activity. Hackers are not interested in health information as much as financial information. This includes patient billing information and employee payroll information. Whistleblower activity. Employees are aware of violations and are contacting OCR. State Attorneys General involvement in enforcement activities. Civil litigation with HIPAA as the standard of care in negligence and breach of fiduciary duty cases. Breaches attributed to third party vendors or their subcontractors.

7 HIPAA Compliance in the Event of a Data Breach 1. Notify those within your organization of the incident who need to know: Not every incident constitutes a breach that would lawfully require notification. Internal communications could be discoverable, so be careful what you say and how you say it. Note the date and time of the discovery of the incident.

8 HIPAA Compliance in the Event of a Data Breach 2. Assemble a response team, both internal and external: The team should consist of: Key stakeholders Legal counsel: since civil litigation is possible, an attorney knowledgeable in breach issues can help to keep the process of working through a breach protected by privilege Forensic IT firm Communications expert

9 HIPAA Compliance in the Event of a Data Breach 3. Investigate the incident: What type of data is involved, what are the circumstances involved, how may persons are affected. Carefully plan/strategize the investigation before you begin. Keep language of the investigation easy to understand. Interviews may be appropriate. Document the steps and findings. Involve law enforcement, as appropriate. Involve insurers, as appropriate.

10 HIPAA Compliance in the Event of a Data Breach 4. Determine whether the incident constitutes a reportable breach: Perform a risk assessment and determine whether an exception may apply.

11 HIPAA Compliance in the Event of a Data Breach 5. Contain the breach and mitigate harm, to the extent possible. Is it possible to retrieve the lost/stolen device? Is it possible to wipe the data from the lost/stolen device? Is it possible to arrange for the return of the data erroneously disclosed? Is it possible to enter into a nondisclosure agreement/attestation for return of data?

12 6. Notify HIPAA Compliance in the Event Affected persons of a Data Breach It takes time to find up to date addresses Government Department of Health and Human Services Media As required under federal or state law State law requirements

13 HIPAA Compliance in the Event 7. Respond to inquiries. of a Data Breach Do you need to establish a toll free number for inquiries? Do you need to establish a call center? Have you established a triage team to address unique customer concerns? Have you established a system for addressing press inquiries?

14 HIPAA Compliance in the Event of a Data Breach 8. Improve processes and update your policies in order to avoid future data breaches. Have you considered a third party audit to review your hospital s policies/compliance efforts as well as its technical infrastructure?

15 OCR Lessons Learned as reported by OCR to Congress on May 20, Risk Analysis and Risk Management. Ensure the organization s security risk analysis and risk management plan are thorough, having identified and addressed the potential risks and vulnerabilities to all ephi in the environment, regardless of location or media. This includes, for example, ephi on computer hard drives, digital copiers and other equipment with hard drives, USB drives, laptop computers, mobile phones, and other portable devices, and ephi transmitted across networks. 15

16 OCR Lessons Learned as reported by OCR to Congress on May 20, Security Evaluation. Conduct a security evaluation when there are operational changes, such as facility or office moves or renovations, that could affect the security of PHI, and ensure that appropriate physical and technical safeguards remain in place during the changes to protect the information when stored or when in transit from one location to another. In addition, conduct appropriate technical evaluations where there are technical upgrades for software, hardware, and websites or other changes to information systems to ensure PHI will not be at risk when the changes are implemented. 16

17 OCR Lessons Learned as reported by OCR to Congress on May 20, Security and Control of Portable Electronic Devices. Ensure PHI that is stored and transported on portable electronic devices is properly safeguarded, including through encryption where appropriate. Have clear policies and procedures that govern the receipt and removal of portable electronic devices and media containing PHI from a facility, as well as that provide how such devices and the information on them should be secured when off-site. 17

18 OCR Lessons Learned as reported by OCR to Congress on May 20, Proper Disposal. Implement clear policies and procedures for the proper disposal of PHI in all forms. For electronic devices and equipment that store PHI, ensure the device or equipment is purged or wiped thoroughly before it is recycled, discarded, or transferred to a third party, such as a leasing agent. 18

19 OCR Lessons Learned as reported by OCR to Congress on May 20, Physical Access Controls. Ensure physical safeguards are in place to limit access to facilities and workstations that maintain PHI. 19

20 OCR Lessons Learned as reported by OCR to Congress on May 20, Training. Ensure employees are trained on the organization s privacy and security policies and procedures, including the appropriate uses and disclosures of PHI, and the safeguards that should be implemented to protect the information from improper uses and disclosures; and ensure employees are aware of the sanctions and other consequences for failure to follow the organization s policies and procedures. 20

21 Which Data Breaches are being Litigated? Probability of a lawsuit is positively correlated with the number of records lost. Probability of a lawsuit is positively correlated with the presence of actual harm (financial loss, emotional distress) and negatively correlated with credit monitoring being offered. Lawsuits are more likely to occur from breaches caused by improper disclosure of information, as opposed to a computer hack, for example. Probability of a lawsuit is positively correlated with the compromise of personal information requiring a heightened level of protection by individuals affected. Romanosky, S., Hoffman, D., Acquisti, A. (2013). Empirical Analysis of Data Breach Litigation. iconference 2013 Proceedings

22 OCR Actions CMPs: Generally, settlement amounts with OCR have ranged between $35,000 to $2.5 million. In 2011, the OCR issued a $4.3 million CMP to Cignet Health. The largest portion of the CMP ($3 million) was due to Cignet Health s refusal to cooperate in OCR s investigation. In 2014, the OCR issued a $4.8 million CMP to New York-Presbyterian Hospital and Columbia University. New York-Presbyterian Hospital will pay $3.3 million and Columbia University will pay $1.5 million.

23 Cyber Liability Insurance Elements to Consider: First party costs: (1) notifications; (2) forensic costs; (3) legal advice; (4) call center; (5) credit monitoring; (6) PR; (7) administrative costs. Generally, this is on a reimbursement basis- the insurer will pay the client back. It is important to have enough money in the plan to cover this. HIPAA fines/ penalties. Often these are capped at $250,000. Sometimes this is excluded, so watch out. Civil litigation: look at the definition of the word claim. In this definition, administrative costs for OCR investigations should be included. This should include legal defense and settlements.

24 Lucie F. Huger 314/