The Emerging Law of Data Security

PENNSYLVANIA HOMECARE ASSOCIATION

HEALTHCARE OVERVIEW

Matthew Meade, Data Security & Privacy Group

© Copyright 2010 Buchanan Ingersoll & Rooney

Page 2

OVERVIEW

Why Does This Matter?
Recent Data Breaches
Recent Enforcement Actions
Statistics & Recent Cases
The Law
– HITECH Act
– FTC Act
– State Data Breach Laws

Page 3

WHY DOES THIS MATTER?

Data breaches are costly
Data breaches erode trust and create negative publicity
With the passage of the HITECH Act there is increased focus on healthcare data security
Rush to convert to EHR to get stimulus incentives has come at the expense of data security
13.7% of all recent breaches occurred in the healthcare sector – popular target of hackers
41.5% of hospitals have 10 or more breaches a year

Page 4

WHY DOES THIS MATTER? (2)

Recent CNN Money Article – “Healthcare: A 'goldmine' for fraudsters”

“We hope the health care industry will take a close look at this agreement and recognize that OCR is serious about HIPAA enforcement.  It is a covered entity’s responsibility to protect its patients’ health information.” Georgina Verdugo, the Director of OCR (2/22/11)

Page 5

WHY DOES THIS MATTER? (3)

March 2011 – 2-day instructor-led HIPAA Enforcement Training to help State Attorneys General and their staff use their new authority to enforce the HIPAA Privacy and Security Rules. The training course will aid State Attorneys General in investigating and seeking damages for HIPAA violations that affect residents of their states.

Page 6

Recent Data Breaches – Family Planning Council

4/8/11 - Announcement that a computer storage device containing the personal and medical records of about 70,000 patients was stolen in December and remains missing.

Theft blamed on a former worker whose employment ended 12/28/10, the day the theft was discovered and reported to police.

The former employee has an extensive criminal record, and has been in and out of prison for the last two decades on multiple convictions of theft and other offenses.

Page 7

Recent Data Breaches – Dental Practice

4/11/11 – dentist left non-shredded PHI in a publicly accessible trash can.

Documents found by a man looking for scrap metal who called local news because he was concerned someone could use them to steal the patients’ information.

Dentist said the documents were likely sitting in a box waiting to be shredded and that a new office assistant might have accidentally thrown them out with the trash.

Page 8

Recent Breaches – CVS

3/7/11 – Philadelphia Federation of Teachers Health and Welfare Fund sued CVS alleging that its unauthorized disclosure of PHI was an unfair trade practice.

CVS sent letters to physicians that listed their patients’ names, dates of birth and prescribed medications. The letters encouraged the physicians to prescribe drugs made by pharmaceutical manufacturers, who paid CVS to send them.

This purported disclosure of PHI would violate the HIPAA Privacy Rule’s prohibitions against disclosing PHI for marketing purposes without an individual’s authorization.

Page 9

Recent Enforcement Actions – Cignet Health

2/22/11 – HHS issued a notice of final determination finding that Cignet violated the HIPAA Privacy Rule, and imposed a fine of $4.3 million. First time HHS had imposed a civil monetary penalty for an entity’s violation of the HIPAA Privacy Rule.

HHS determined that Cignet violated 41 patients’ rights by denying the patients' requests for access to their medical records between September 2008 and October 2009.

Cignet refused to respond to demands to produce records; failed to cooperate with the investigation; and failed to produce records in response to a subpoena.

Page 10

Recent Enforcement Actions – Health Net

Connecticut (January 2010) – AG sued Health Net for failing to secure private patient medical records and financial information of 446,000 CT residents on 27.7 million scanned pages
– First state AG action under HITECH Act
– State AG criticized Health Net for its “unconscionable” delay of over 6 months to identify victims
– Data was not encrypted or otherwise protected
– Failure to supervise and train employees

Page 11

Recent Enforcement Actions – Health Net

7/10 Stipulated Judgment – Health Net to pay $250,000 to the Connecticut General Fund with another $500,000 contingent payment to Connecticut if a third party determines, before 11/30/11, that any data on the missing disk was accessed and misused, or any claims are made on the third party’s insurance policy linked to misuse of the lost disk drive.

Page 12

Recent Enforcement Actions – Health Net

Corrective Action Plan
– 2 years of credit monitoring service
– Enhancing existing security privacy program
– Installation of technology to restrict the transfer of PHI and PI to removable media
– Encryption of all laptop hard drives and all desktop hard drives
– Improved IT oversight, including the creation of an “Information Security Analyst” assigned to each new IT project with assessment duties reporting directly to Health Net's Manager of Information Security
– Requiring all “Business Associates” to execute HIPAA compliant Business Associate Agreements
– Enhanced training and awareness including holding an annual “Compliance Awareness Week” for all employees to “emphasize the importance of protecting the privacy and security of PHI.”
– Providing semi-annual updates to its initial status report to the Connecticut Attorney General

Page 13

Recent Enforcement Actions – Health Net

11/8/10 Connecticut Insurance Commissioner announced that Health Net had agreed to pay $375,000 in penalties for failing to safeguard the personal information of its members from misuse by third parties. 

The penalties were part of a settlement agreement reached with Health Net pursuant to which Health Net agreed to provide credit monitoring protection for two years to all affected members and providers in Connecticut. 

Health Net also agreed that the costs related to improvements in data and equipment security it made in response to the data breach will not be passed along to Health Net members.

Page 14

Recent Enforcement Actions – Mass General

2/24/11 HHS announces $1,000,000 Resolution Agreement for HIPAA violations that stemmed from the loss of hard copy patient records for 192 patients left on a subway in March 2009.  The records originated from Mass General’s Infectious Disease Associates outpatient practice and included sensitive records discussing patients’ treatments for HIV/AIDS. 

OCR determined that Mass General had “failed to implement reasonable, appropriate safeguards to protect the privacy of PHI when removed from Mass General’s premises and impermissibly disclosed PHI potentially violating provisions of the HIPAA Privacy Rule.”

Corrective Action Plan which requires Mass General to:
– develop and implement a set of policies and procedures to ensure PHI is protected when it is removed from Mass General;
– train employees on the policies and procedures; and
– designate an internal monitor to conduct assessments of Mass General’s compliance with the Corrective Action Plan and provide semi-annual reports to OCR for three years.

Page 15

Statistics – Cost of a Stolen or Lost Employee Laptop

Average cost of a lost laptop is $49,246
– Occurrence of data breach represents 80% of this cost
Average data breach cost of a lost laptop varies by industry
– Services ($112,853); Financial Services ($71,820) and Healthcare ($67,873) suffer from the highest data breach costs
Backup and encryption methods affect the average cost of a lost laptop
– Average cost is about $30,000 more when there is a full backup system: the backup makes it easier to confirm loss of sensitive or confidential data
– Encryption can reduce the cost of a lost laptop by more than $20,000

Page 16

5 Leading Causes of Security Breaches

Negligent and intentional employee behavior
Lost or stolen devices, e.g., laptops
System glitches
Malicious or criminal attack
Third party mistake

Page 17

Recent Cases – Pacosa v. Kaiser Foundation

Physician assistant who took intermittent leave under the FMLA to care for his wife’s clinical depression. PA signed a number of confidentiality agreements, which prohibited him from accessing his own health records or those health records of his family or friends on Kaiser Permanente’s proprietary medical records system unless he had specific authorization from the patient and the access was approved. An additional confidentiality policy prohibited him, as an employee, from accessing any protected health information records except where related to his job.

Kaiser’s Compliance Department received a series of phone calls from wife, who informed it that PA had accessed her medical records without authorization and that he was using the information to obtain a restraining order against her.

Compliance Department’s investigation revealed access to wife’s records without authorization, and further access and editing of his daughter’s records as if he was the treating medical provider, all while he was on alleged FMLA leave. Fired for violating confidentiality policy.

PA sued Kaiser, alleging multiple state and federal statutory violations, including that his termination interfered with his leave rights under the FMLA. Case dismissed – no issue of material fact that PA violated confidentiality policies, which was the reason for his termination rather than any FMLA violation.

Page 18

Recent Cases – Indictment

3/15/11 – indictment of twelve defendants charged for their parts in an identity theft and bank fraud scheme has been unsealed. Two of the defendants, who worked for HIPAA-covered entities in Florida, have also been charged with HIPAA violations.

An office assistant with access to patients’ names, dates of birth, Social Security numbers, and medical information provided that information to others in the fraud/ID theft ring.

Page 19

HITECH Act of 2009

Health Information Technology for Economic and Clinical Health Act (enacted as part of stimulus bill in February 2009)

Page 20

HITECH Act Regulations

Codified at 45 CFR pts 160, 164
Applies to HIPAA covered entities and their business associates
Effective date 9/23/09
2/22/10 – HHS can impose sanctions for non-compliance

Page 21

HITECH Highlights

HIPAA covered entities must provide affected individuals with notice of a breach of their unsecured PHI within 60 days

Covered entity must evaluate the risk of harm of the breach before providing notice

Notice must include a brief description of the event, the PHI involved and the steps to take to protect from future harm

Page 22

HITECH Highlights (2)

If breach involves more than 500 individuals, covered entity must notify the media as well as HHS

If breach involves fewer than 500 individuals, it must be reported to HHS annually

As of 4/13/11, 257 incidents involving more than 500 people had been reported to HHS

Page 23

Breach Under the HITECH Act

Unauthorized acquisition, access, use or disclosure of unsecured PHI in a manner not permitted by the Privacy Rule

Compromises the security or privacy of the PHI

Poses a significant risk of financial, reputational or other harm

Page 24

What is Secured PHI

HIPAA security rule encryption standard
Hard copy PHI must be shredded so that it is unreadable or cannot be reconstructed
Encryption under the HHS guidance is a safe harbor and no notice would be required in the event of unauthorized access
Redaction NOT ACCEPTABLE

Page 25

Not a breach under HITECH Act

Unintentional good faith acquisition, access or use of PHI (e.g. nurse mistakenly sends a billing employee an email with patients’ PHI);

Inadvertent disclosure of PHI from authorized person to another authorized person;

Unauthorized disclosures in which recipient would not have reasonably been able to retain PHI;

Access to secured PHI;

Use or disclosure of deidentified information.

Page 26

Risk of Harm Threshold

Poses a significant risk of financial, reputational or other harm to the individual

Must conduct a written risk assessment
– Who used PHI and to whom was PHI disclosed
– Type, amount and sensitivity of the PHI involved
– Whether the covered entity has taken immediate steps to mitigate
– Whether PHI was returned prior to access

Page 27

HHS Issues Breach Notice Form

http://transparency.cit.nih.gov/breach/index.cfm

The on-line form includes all of the elements required by the HITECH Act and the related HHS breach regulations. The form also requires covered entities to include contact information for a business associate (where the breach occurred at or by the business associate), the type of breach, the location of the breach, safeguards in place prior to the breach, and the date(s) individual notifications were provided.

Page 28

Notice under the HITECH Act

The 60-day notice period begins when the breach is discovered or should have been discovered through the exercise of reasonable diligence

If breach is discovered by an agent of a CE it is considered discovered by CE

Page 29

Administrative Requirements

Training
Policies and procedures to detect, discover and report breaches
Complaint process

Page 30

Notice by Business Associates

BA is responsible for notifying CE WITHOUT UNREASONABLE DELAY AND W/I 60 DAYS OF DISCOVERY
Agreements with BA’s should have a clear requirement for immediate notice

Page 31

FTC Breach Notification Rule

Effective date 9/24/09 – Enforcement 2/22/10

The FTC final rule applies to vendors of personal health records, PHR-related entities, third-party service providers and non-profits. HIPAA covered entities and business associates are excluded from the definition of PHR vendor and PHR-related entities.

Requires PHR vendors and PHR-related entities to notify consumers w/i 60 days following discovery of a breach involving unsecured identifiable health information that is in a personal health record.

Rule requires notice to the FTC within 10 business days of discovery of a breach involving 500 or more consumers. Notice of smaller breaches can be provided to the agency on an annual basis.

Page 32

FTC Rule – PHR-Related Entities

Offer products and services through a PHR vendor’s website

Offer products and services through the websites of HIPAA covered entities that offer individuals’ PHRs

Access information in PHRs or send information to PHRs

Examples include web-based apps that manage meds and websites offering personalized health checklists

Page 33

FTC Rule

No risk of harm threshold
Unlike HITECH regs – even if breach presents a minimal risk of harm the vendor is still required to give notice

Page 34

Client Recommendations under HITECH and FTC Regulations

Possible modification of business associate contracts to ensure:
– prompt notice of breaches
– costs covered by BA for required notices

Develop Incident Response Plan
Create Training Module
Review document retention policies

Page 35

Breach Notification Laws

As of May 17, 2010, forty-six (46) states and the District of Columbia and Puerto Rico have enacted security breach notification laws

Only AL, KY, NM and SD without breach laws

Page 36

State Laws on Health Information & Privacy

Health information addressed in state breach laws:
– 6 states currently require notification for breaches of health information: California, Arkansas, New Hampshire, Missouri, Texas, Virginia
– Biometric information: Wisconsin (Wis. Stat. § 134.98 (2008)) and Nebraska (R.R.S. Neb. § 87-802) expanded their breach laws to include a narrower category of health-related information: biometric information including DNA and fingerprints

Page 37

QUESTIONS???

Matthew H. Meade 412 562 5271 [email protected]