Breach Notification and Enforcement Update

Transcription

1 Breach Notification and Enforcement Update Presented to the Seattle Western Pension & Benefits Council June 16, 2015 Sarah Brown Investigator U.S. Department of Health and Human Services Office for Civil Rights

2 Formerly a part of the U.S. Department of Health, Education and Welfare (HEW) Health & Human Services created in 1980 HHS includes numerous sub-agencies such as: CMS, FDA, NIH, CDC, and IHS 2

3 Part of the U.S. Department of Health and Human Services Enforces a number of civil rights laws as they relate to recipients of Federal financial assistance from HHS Enforces the HIPAA Privacy, Security, and Breach Notification Rules 3

4 Ten regional offices Headquarters in D.C. 4

5 Complaint Investigations Compliance Reviews Voluntary Resolution Agreements ($) Formal Enforcement Audits Outreach and Public Education Policy Development 5

6 Title VI of the Civil Rights Act of 1964 Section 504 of the Rehabilitation Act of 1973 Title II of the Americans with Disabilities Act of 1990 The Age Discrimination Act of 1975 Section 1557 of the Affordable Care Act HIPAA Privacy, Security, and Breach Notification Rules 6

7 Privacy Rule (2003) - Subpart E Relates to uses and disclosures of PHI, permissive rule with exceptions, consumer rights 45 CFR Security Rule (2005) - Subpart C Applies to e-phi, expansion of Privacy Rule section 530(c) (administrative, physical and technical safeguards) 45 CFR Breach Notification (2009 and 2013) Subpart D Notification in the event of a breach of PHI 45 CFR

8 Created new subpart to HIPAA Effective September interim final rule Expanded in March final rule Covered Entities have an affirmative obligation to notify individuals, HHS, and sometimes the media, in cases of breach of unsecured protected health information (PHI) 8

9 What is a breach? Acquisition, access, use, or disclosure of protected health information in a manner not permitted under [the Privacy Rule] which compromises the security or privacy of the protected health information. Presumption of breach unless a covered entity or business associate can demonstrate a low probability that PHI has been compromised based on at least the following factors: Nature and extent of PHI The person who used or received the PHI Whether PHI was actually viewed or acquired Extent risk has been mitigated 9

10 Exclusions to Breach 1. Unintentional acquisition, access or use of PHI by workforce member or business associate acting within their scope of duty and made in good faith. 2. Inadvertent disclosure by a person authorized to access PHI to another workforce member, business associate or other authorized affiliate within the same covered entity and the information received is not further used or disclosed by the recipient. 3. Covered entity or business associate have a good faith reason to believe the recipient could not reasonably have been able to retain the information. 10

11 1. PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals. 2. Acceptable methods of securing PHI include encryption and destruction. 3. Loss or compromise of PHI which has been encrypted or properly destroyed does not trigger the duty to notify or report. 11

12 A covered entity must notify each affected individual following the discovery of a breach of unsecured PHI. The obligation to notify applies to those breaches that the covered entity knows about or should have known about if exercising reasonable diligence. 12

13 Means that covered entities can be liable for failing to provide notice to individuals in situations where they did not know of a breach but would have known if they exercised reasonable diligence. Employees of a covered entity are considered agents of the organization and any knowledge an employee has will be attributed to the covered entity (except where the employee is the person committing the breach). Because of this standard, covered entities need to have reasonable systems in place to discover breaches including training of staff on prompt reporting of any known breaches. 13

14 Notice must be provided to the individual without unreasonable delay and in no case later than 60 calendar days after discovery of the breach. 60 days is an outer limit, if the covered entity has completed its assessment and confirmed the breach within 20 days, it must notify individuals then rather than waiting an additional 40 days. 14

15 Description of what happened and dates, if known; Description of the types of unsecured PHI involved in the breach; Any steps individuals should take to protect themselves; Description of what the covered entity is doing to investigate and mitigate harm; and Contact information for individuals to learn more, which must include a toll-free telephone number, address, website, or postal address. 15

16 If insufficient contact information for ten or more, the following applies: 1. Conspicuous posting for 90 days on home page of covered entity s website or posting in print or broadcast media where affected individuals may reside; and 2. Include a toll-free number that remains active for at least 90 days where individuals can learn whether they were affected by the breach. This is not the same as media notice and cannot be fulfilled by issuing a press release unless the media actually publishes the story 16

17 For a breach involving 500 or more residents of a state or jurisdiction, the covered entity must notify prominent media outlets serving the state in addition to written notice to individuals. Must be done without unreasonable delay, no later than 60 days after discovery of breach. Content of the notification to media is the same as that which was given to individuals. 17

18 If a breach involves 500 or more individuals, the covered entity must report to OCR at the same time that it notifies individuals. If a breach involves less than 500 individuals, the covered entity can make an annual reporting to OCR of breaches that were discovered throughout the past year. Reporting by covered entities is done via OCR s website. This data is collected for reporting to Congress and notification to OCR regional offices. 18

19 Notification and Reporting Flowchart Impermissible use or disclosure of PHI? Anything to rebut presumption of breach? Number of individuals involved < Annual report to OCR Report to OCR w/in 60 days Notice to individual(s) w/in 60 days Notice to individuals w/in 60 days < 10 Can t find some Individuals? 10 Are all 500+ in the same state or jurisdiction? Attempt to contact by alternate means If deceased, no need Post notice to website or purchase media w/ toll-free number available for 90 days Notify prominent media outlet serving the state or jx. w/in 60 days 19

20 Web portal Over 500 Breaches Compliance Review automatically opened Under 500 Breaches Discretionary 20

21 Lost or stolen devices Hacking Loss of large amount of paper records Security Rule Risk analysis and risk management Device and Media controls Encryption Transmission Security 21

22 Efforts at voluntary corrective action are unsuccessful Findings are egregious Still considered informal settlement Generally includes Resolution Amount Corrective Action Plan Monitoring Period 22

23 Anchorage Community Mental Health ($50K) E-PHI exfiltrated due to phishing. Failure to update IT resources was a contributing factor. A major issue is the failure to conduct risk analysis. Skagit County ($215K) E-PHI inadvertently placed in public area of website. A major issue was the failure to conduct a risk analysis, no breach notification, no policies. Alaska DHSS ($1.7M) Portable storage device stolen from vehicle - symptomatic of widespread compliance failures Failure to conduct risk analysis, inadequate training and controls for portable devices. 23

24 Idaho State University ($400K) Failure to engage firewall after routine maintenance resulting in hacking. Failure to conduct risk analysis. Hospice of North Idaho ($50K) Stolen unencrypted laptop. Failure to conduct risk analysis and insufficient device and media controls for an organization that has a mostly mobile workforce. QCA Health Plan ($250K) Lost laptop, failure to conduct risk analysis. 24

25 The breach itself is not the reason for a violation finding it s usually the underlying lack of compliance. Pay attention to the Security Rule Risk analysis and risk management Maintain IT resources diligently Encrypt when possible or employ equivalent alternative measures Keep track of portable devices 25

26 26