HIPAA and HITECH: New Rules, Trends and Traps for the Unwary
Elizabeth Tosaris, Partner
October 22, 2015
Locke Lord LLP offices: Atlanta, Austin, Boston, Chicago, Dallas, Hartford, Hong Kong, Houston, Istanbul, London, Los Angeles, Miami, Morristown, New Orleans, New York, Orange County, Providence, Sacramento, San Francisco, Stamford, Tokyo, Washington DC, West Palm Beach
© 2015 Locke Lord LLP

Agenda
- Overview of Law
- Business Associate Agreements
- Preparing for OCR Audits
Definitions
- Covered Entity (CE)
- Business Associate (BA)
- Business Associate Agreement (BAA)

Definitions, Cont'd.
- PHI: Protected Health Information (individualized); includes any:
  - patient name
  - mailing or email address
  - phone number
  - Social Security number
  - any other individually identifiable health information
- PHI is not de-identified health information
- Limited circumstances where PHI can be disclosed
HIPAA
- Privacy Rule
- Security Rule
- Breach Notification Rule
- Business Associate Requirements

HITECH Act
- Focused on exchange of ePHI
- Widens the scope of privacy and security protections available under HIPAA
- Increased penalties
- Requires periodic HHS audits
Exceptions (CFR 164.512)
- Reporting requirements to Dept. of Insurance and other regulators
- Court proceedings
- Other

On Beyond HIPAA and HITECH
- Versions of the privacy model law adopted in the 1980s
- State versions of HIPAA
- Common law causes of action?
Many Ways to Breach Privacy
Definition of Breach
- Federal v. state law definitions
- HIPAA definition at 45 CFR 164.402
- Four-prong test
- When it occurs

Breach Notification Rule
- Who to tell
- When to tell
- What to tell
- Penalties for violation of breach notification rule
The Basics of Being a BA
- Subject to certain federal privacy and security rules
- May have a downstream subcontractor who is also a BA
- Direct liability for breach
- Reporting duties in event of breach
- Subject to HHS audits

Violations By a Business Associate
- A CE is liable for violations by a business associate acting as an agent
- Federal common law of agency applies, and a BA is an agent of a CE if:
  - CE controls BA; or
  - CE delegates its duty to BA
Violations By a Business Associate
- Facts and Circumstances Test will apply:
  - Right to Control
  - Degree of Control
  - Specialized Expertise

OCR Authority
- OCR may initiate investigations following breach or complaint
- OCR may bring enforcement actions
- OCR reports its oversight and enforcement activities to Congress
OCR Investigations: Resolutions
- Public
- Fine & Corrective Action
- Paucity of breach settlements with BAs

Penalties After HITECH

Intent                                     Minimum Per Incident (at least)   Annual Cap for All Violations of Identical Provision
Did not know or could not have known       $100 - $50,000                    $1.5 million
Reasonable Cause and not Willful Neglect   $1,000 - $50,000                  $1.5 million
Willful Neglect, but Promptly Corrected    $10,000 - $50,000                 $1.5 million
Willful Neglect, Not Promptly Corrected    $50,000                           $1.5 million
Discretion and Factors in Setting the Penalty
- Nature and extent of the violation (including the number of individuals affected and the duration of the violation).
- Nature and extent of the harm (including reputational harm).
- History of prior compliance.
- Financial condition of the BA or CE.
- Such other matters as justice may require.
- Factors can be mitigating or aggravating.
- Penalties can be waived so long as the violation does not arise out of willful neglect.

Why Would You Sign a BAA?
- Insured is a covered entity
- Insurer is a BA
- To get the business
Required Provisions in BAAs
- Template on HHS Website
- Mandatory Topics:
  - Security Standards (45 C.F.R. 164.306)
  - Administrative Safeguards (45 C.F.R. 164.308)
  - Physical Safeguards (45 C.F.R. 164.310)
  - Technical Safeguards (45 C.F.R. 164.312)
  - Organizational Requirements (45 C.F.R. 164.314)
  - Policies and Procedures (45 C.F.R. 164.316)
  - Notification to the Secretary (45 C.F.R. 164.410)
  - General Rules; Uses and Disclosures of PHI (45 C.F.R. 164.502)
  - Organizational Requirements; Uses and Disclosures (45 C.F.R. 164.504)

Key Issues
- With Insureds:
  - What information is governed by the BAA?
  - Does the BAA govern traditional insurance functions?
- With your BAs:
  - What will you pay if your BA breaches?
BA Obligations
- Limits on Use of PHI
- Accounting for Disclosures
- BA must comply with the Security Rule in its entirety.
- Duty to disclose breach
- BA must cure violations by a subcontractor BA.

Tips for BAAs
- Limited scope
- Only sign if you have to
- Be sure your systems are compliant
- Who else will you need to check?
BAA Terms to Consider
- Responsibility for Determining Breach
- Responsibility for Breach Notification
- Timing of Notification to CE
- Naming person to contact in event of breach

BAA Terms to Consider, Cont'd.
- Indemnity provisions / cost apportionment
- Termination Provisions
- Insurance requirements
- Other applicable state laws
- CE's right to audit
- Compliance with CE's Policies
Preparing for OCR Audits
- Generally more security than privacy findings
- HHS is authorized to audit BAs
- No OCR Audits of BAs completed yet

What Does OCR Audit For?
- Audit protocols evolve
- Privacy Rule requirements
- Security Rule requirements
- Requirements for the Breach Notification Rule
Ongoing Security Program
- A good idea for any BA
- May be subject of an OCR audit
- May be required under BAA

Before an Incident
- Conduct a Risk Assessment
- Strong IT system security: flexible and fast
  - White hat penetration experts
  - Rules on BYOD
  - Security measures around routine access
  - Diligently monitored / ability to know if there is an attack
Before an Incident, Cont'd.
- Physical Security
- Training of Personnel
- Active monitoring by Board/CEO
- Relationships with vendors
- Purchase Cyberinsurance
- Purchase Access to Credit Monitoring
- Develop Plan in case of attack

During an Incident
- Execute the Plan for a Breach
- Alert necessary individuals
- Understand scope of breach as soon as possible
- Preserve evidence
- Minimize damage
- Document efforts to address
- Send required notifications
- Involve relevant law enforcement and intelligence agencies
A Word About Security Logs
- Reporting party
- Date of incident
- Affected company and business area
- Summary of facts
- Affected individual(s)
- State(s) of residence
- Electronic or paper data
- Exposed personal information
- Description of incident
- Legal analysis
- Risk of harm
- Actions taken
- Breach / no breach
- Additional notes

After a Breach
- Make sure breach is repaired
- Analysis of response to incident
- Repair reputational harm
- Address lawsuits
Conclusion / Q&A
Elizabeth Tosaris, Esq.
San Francisco
415 318 8817
etosaris@lockelord.com

Attorney Advertising. Locke Lord LLP disclaims all liability whatsoever in relation to any materials or information provided. This presentation is provided solely for educational and informational purposes. It is not intended to constitute legal advice or to create an attorney-client relationship. If you wish to secure legal advice specific to your enterprise and circumstances in connection with any of the topics addressed, we encourage you to engage counsel of your choice.