Anatomy of a Health Care Data Breach (a.k.a. Breaches, Breaches, and More Breaches) Presented by: Allyson Jones Labban, Esq. 300 N. Greene Street, Ste. 1400 Greensboro, NC 27401 T: 336.378.5200 E: allyson.labban@smithmoorelaw.com
HEALTH CARE DATA BREACHES EQUALED 44% OF ALL BREACHES IN 2013 Source: Identity Theft Resource Center, courtesy of ClearData.com
This is the 1st time the health care sector topped this list. Source: Identity Theft Resource Center, courtesy of ClearData.com
Personal health information (PHI) is worth roughly 50x more than credit card or Social Security numbers. Source: Identity Theft Resource Center, courtesy of ClearData.com
Annual Cost of Health Data Breaches is estimated at $5.6 Billion Source: Identity Theft Resource Center, courtesy of ClearData.com
To date, approximately 945 data-breach incidents have been reported where PHI was compromised. Source: ClearData.com
Overview
Definitions
To Be or Not to Be a Breach
HITECH Exceptions
Reality Check: Different Breaches Get Different Treatment
Q&A
DEFINITIONS
Definitions
Unsecured PHI: PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of encryption technologies or methods of physical destruction approved by HHS.
Approved technologies/destruction methods: 74 Fed. Reg. 42742
Definitions
Breach: The acquisition, access, use, or disclosure of unsecured PHI in a manner not permitted under the HIPAA privacy rule (45 C.F.R. 164.500, et seq.) that compromises the security or privacy of the PHI.
TO BE OR NOT TO BE A BREACH
Breach or Not?
Don't assume every use/disclosure is a breach. A use/disclosure is not a breach if:
PHI is properly encrypted/destroyed;
The use/disclosure is permitted by HIPAA;
A HITECH exception applies; or
The privacy/security of the data is not compromised.
BREACH = HIPAA VIOLATION, BUT HIPAA VIOLATION ≠ BREACH
HITECH EXCEPTIONS
HITECH Exceptions
Three narrowly construed exceptions. If an acquisition, access, use, or disclosure fits within an exception, it is not a breach, even if the information was unsecured PHI and the disclosure is not permitted under HIPAA.
NOTE: This is a departure from the order set forth in the regulation.
Mark Strozier (Creative Commons license), www.flickr.com/photos/r80o/1583552/
HITECH Exceptions
Exception 1: Unintentional access to, or acquisition or use of, PHI:
By a workforce member for the covered entity or BA;
Acting in good faith;
Within the course and scope of duties;
If the access, acquisition, or use does not result in any further impermissible use or disclosure.
HITECH Exceptions
Exception 2: Inadvertent disclosure of PHI:
From one workforce member at the covered entity or BA to another at the same covered entity or BA;
Where both workforce members are authorized to access the information;
If the access, acquisition, or use does not result in any further use or disclosure in a manner not permitted by HIPAA.
HITECH Exceptions
Exception 3: Unauthorized disclosure to an unauthorized person of PHI:
Where there is a reasonable good faith belief
That the unauthorized recipient would not reasonably have been able to retain the information.
REALITY CHECK: DIFFERENT BREACHES GET DIFFERENT TREATMENT
Responses to Breaches
Private Lawsuit
Government Investigation
Even Worse
Private Lawsuit
No private cause of action under HIPAA
HIPAA as standard of care
In the alternative, negligent infliction of emotional distress, violation of state medical confidentiality, etc.
OCR Investigation
Must be able to answer (and provide documentation in support) these eight questions:
1) Do you have appropriate safeguards in place? Provide internal HIPAA policies.
2) Any prior complaints re: failure to safeguard PHI? Provide dates of complaints and how resolved.
3) Was your staff trained properly? Provide documentation/evidence of training.
4) Did you make an effort to mitigate? Provide evidence of mitigation.
5) What is your detailed response to the complaint?
6) List evidence, including contact information for witnesses, to support the response to #5.
7) Additional points or suggestions to resolve the matter.
8) Number of patients served this year and, if applicable, number of inpatient beds at the facility.
It Could Be Worse
Much Worse
Much, Much Worse
Dear Patient,

We are writing to inform you of a recent incident involving disclosure of your personal information from XXXXXXXXXXXXXXXX. This letter is to advise you of the incident and the steps we have taken in response to the discovery. At this time, we are not aware of any misuse or further disclosure of your information.

Description of the Incident and Information Involved

On March 26, 2013, an email was sent to a magazine publisher, who was a business partner, relating to referral sources for XXXXXXXX. The email contained an attached spreadsheet that inadvertently contained additional worksheets with limited patient information. At the time, the sender requested, and was given what we believed to be, a reasonable assurance that the information was deleted and never accessed or used by the recipient. On December 13, 2013, we learned of the disclosure via a news article discussing a pending lawsuit with the same business partner. The article mentioned that this publisher had patient information. It appeared that the information was not deleted, despite what the publisher told us in March.

The information did not include social security number, date of birth, credit card information, address or phone number. It did, however, include the date you first visited XXXXXXXXXX, your first and last name, and a column for HIV status that noted P or N for some patients and was left blank for others. We are obligated to tell you about this unfortunate incident, but we would like you to know that we are doing everything possible to make sure that your information is not made available to any other parties.

Our Investigation and How We Are Responding to the Incident

We take privacy and security of your personal health information very seriously. Upon discovery of this incident, we initiated an internal investigation. We have concluded from our internal investigation that although the information was inadvertently disclosed, we do not believe it was further used or disclosed for inappropriate purposes. The lawsuit is still pending, but destruction and non-disclosure of the patient names involved will be an essential requirement in any resolution of the civil action. We are also taking every action allowed through the courts to prevent any use or disclosure of the information during the negotiations of the settlement.

In response to the original incident, we had already taken the following actions based on the belief that the data was destroyed:
Reviewed and updated all email policies to specifically address the actions that should be taken to obtain reasonable assurances in the event of an inadvertent disclosure of protected health information (PHI).
Implemented a new practice management system that tracks the referral information directly in the application, thereby removing the need to keep any data on referrals in a spreadsheet application.

In response to the discovery, we have taken the following actions:
Provided additional training to our staff on acceptable uses and disclosure of patient information.
Added a policy specifically defining very limited situations that would be considered reasonable assurances of destruction in any future inadvertent disclosures of PHI, even from trusted business partners.
Added processes and training for staff members to check spreadsheets for hidden data and additional worksheets within a file before sharing with anyone.
Terminated our relationship with the publisher involved.
Notified the appropriate federal agencies about the situation.

What Steps You Can Take to Protect Yourself

Due to the limited nature of the data involved, we do not believe you are at risk for identity theft. As soon as we have more information about the destruction of the data, we will let you know. We deeply regret that this incident has occurred and apologize for the concern that this incident may have caused you. If you have any questions, please contact our privacy official, YYYYYYYYYYY, at ZZZZZZZZ.

Sincerely,
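One of the remediation steps in the letter, checking a spreadsheet for hidden data and additional worksheets before it leaves the organization, is a control that can be automated rather than left to a staff member's eyesight. The following Python script is an added example for this deck and is not code from the presenter or from the notifying provider. It opens an .xlsx file as the zip archive of XML parts that it is (standard library only, no spreadsheet library), lists every worksheet, flags sheets marked hidden or veryHidden, flags hidden rows and columns, and clears a file for sharing only when it is a single visible sheet with nothing hidden. The sample workbook it inspects is constructed inline for the demonstration; its sheet names and contents are assumptions, not data from the incident.

```python
"""Pre-send audit of an .xlsx file for hidden worksheets, hidden rows/columns,
and extra worksheet parts. Added example; standard library only."""
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML namespaces used by the workbook, worksheet and relationship parts.
NS_MAIN = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
NS_PKG = "http://schemas.openxmlformats.org/package/2006/relationships"


def audit_xlsx(data: bytes) -> dict:
    """Inspect an .xlsx (as bytes) and report every worksheet plus hidden content.

    xl/workbook.xml lists the sheets and their visibility state,
    xl/_rels/workbook.xml.rels maps each sheet to its part, and a worksheet
    part may carry <row hidden="1"> or <col hidden="1"> elements.
    """
    report = {"sheets": [], "hidden_sheets": [], "hidden_rows_or_cols": [],
              "worksheet_parts": 0}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        # Count worksheet parts from the archive itself: a part that is present
        # but not listed in workbook.xml still ships with the file.
        report["worksheet_parts"] = sum(
            1 for n in names if n.startswith("xl/worksheets/") and n.endswith(".xml"))

        rel_to_part = {}
        if "xl/_rels/workbook.xml.rels" in names:
            for rel in ET.fromstring(zf.read("xl/_rels/workbook.xml.rels")):
                target = rel.get("Target", "")
                # Targets are relative to xl/ unless written as an absolute part name.
                rel_to_part[rel.get("Id")] = (
                    target.lstrip("/") if target.startswith("/") else "xl/" + target)

        workbook = ET.fromstring(zf.read("xl/workbook.xml"))
        hidden_tags = {f"{{{NS_MAIN}}}row", f"{{{NS_MAIN}}}col"}
        for sheet in workbook.iter(f"{{{NS_MAIN}}}sheet"):
            name = sheet.get("name")
            state = sheet.get("state", "visible")  # visible | hidden | veryHidden
            report["sheets"].append(name)
            if state != "visible":
                report["hidden_sheets"].append((name, state))
            part = rel_to_part.get(sheet.get(f"{{{NS_REL}}}id"))
            if part in names:
                ws = ET.fromstring(zf.read(part))
                if any(el.tag in hidden_tags and el.get("hidden") in ("1", "true")
                       for el in ws.iter()):
                    report["hidden_rows_or_cols"].append(name)
    return report


def is_safe_to_share(report: dict) -> bool:
    """Clear a file only if it is exactly one visible sheet with nothing hidden."""
    return (len(report["sheets"]) == 1
            and report["worksheet_parts"] == 1
            and not report["hidden_sheets"]
            and not report["hidden_rows_or_cols"])


def build_constructed_sample(with_hidden_sheet: bool = True) -> bytes:
    """Constructed test data, not a real file: a referral workbook with a visible
    'Referrals' sheet and, when requested, a veryHidden 'Patients' sheet that
    also hides one column. Sheet names and cell text are assumptions."""
    sheets = ['<sheet name="Referrals" sheetId="1" r:id="rId1"/>']
    rels = [f'<Relationship Id="rId1" Type="{NS_REL}/worksheet" Target="worksheets/sheet1.xml"/>']
    parts = {
        "xl/worksheets/sheet1.xml":
            f'<worksheet xmlns="{NS_MAIN}"><sheetData><row r="1">'
            '<c r="A1" t="inlineStr"><is><t>Referral source</t></is></c></row></sheetData></worksheet>',
    }
    if with_hidden_sheet:
        sheets.append('<sheet name="Patients" sheetId="2" state="veryHidden" r:id="rId2"/>')
        rels.append(f'<Relationship Id="rId2" Type="{NS_REL}/worksheet" Target="worksheets/sheet2.xml"/>')
        parts["xl/worksheets/sheet2.xml"] = (
            f'<worksheet xmlns="{NS_MAIN}"><cols><col min="3" max="3" width="9" hidden="1"/></cols>'
            '<sheetData><row r="1"><c r="A1" t="inlineStr"><is><t>Last name</t></is></c></row>'
            '</sheetData></worksheet>')
    parts["xl/workbook.xml"] = (
        f'<workbook xmlns="{NS_MAIN}" xmlns:r="{NS_REL}"><sheets>{"".join(sheets)}</sheets></workbook>')
    parts["xl/_rels/workbook.xml.rels"] = (
        f'<Relationships xmlns="{NS_PKG}">{"".join(rels)}</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, xml in parts.items():
            zf.writestr(path, xml)
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("clean", build_constructed_sample(False)),
                        ("with hidden sheet", build_constructed_sample(True))):
        rep = audit_xlsx(blob)
        print(label, rep, "safe to share:", is_safe_to_share(rep))
```

Run directly, the script reports on both constructed workbooks. In practice the same audit_xlsx check belongs in the outbound path (a mail gateway or file-share hook) so that a referral spreadsheet carrying an unnoticed patient worksheet is stopped before it is sent, which is the failure the letter describes; the report also gives the incident record the list of exactly which sheets and hidden ranges the file contained.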
Q&A