HIPAA Breach & Investigations: Managing State Attorneys General and HHS while Minimizing your Risk

FairWarning® Ready Executive Webinar Series, April 30, 2013

View the Replay on YouTube
Page 2

Agenda

• Overview of the HHS Final “Omnibus” HIPAA Rules and How They Impact Enforcement

• How to approach an Attorney General’s Office regarding data breaches and strategies for addressing enforcement by those Offices

• Risk-prevention Efforts and Resources

• Insights regarding the concept of a “breach rehearsal”, including testing an organization's ability to conduct a forensics search of audit logs for the "root cause of a major breach"

Page 3

Today’s Panel

Colin Zick Partner, Foley Hoag LLP [email protected]

Kurt J. Long FairWarning® Founder and CEO [email protected]

Kevin Conroy Counsel, Foley Hoag LLP [email protected]

Page 4

© 2013 Foley Hoag LLP. All Rights Reserved. Managing Enforcement Risk | 4

Managing State Attorneys General and HHS OCR While Minimizing Your Risk

Colin J. Zick

Foley Hoag LLP

(617) 832-1275

[email protected]

PART I: Overview of the HHS Final “Omnibus” HIPAA Rules and How They Impact Enforcement

Page 5

Overview of the New “Omnibus” HIPAA Privacy and Security Regulations

In the 563 pages of the regulations and related regulatory comments, there are many substantive and technical changes. However, we distilled two major themes in these revisions:

Extension of HIPAA generally, and in particular the direct extension of HIPAA to business associates and their subcontractors, so that now the entire food chain that deals with PHI falls under HIPAA’s privacy and security regulations; and

Ramping up the regulations on data breach, including shifting of the burden on breach notification, so that it squarely now sits on the covered entity/business associate to prove a “low probability” that PHI will be compromised.

Both these changes impact how OCR will enforce the rules.

Page 6

HHS OCR Review and Investigations

Investigation is required if the possible violation stems from willful neglect; discretionary otherwise

Every complaint will be investigated preliminarily

HHS OCR may disclose PHI to other agencies on request

FTC, HHS OCR and DoJ are working together and can assist state AGs

Levels of penalties remain the same from prior interim final rule:

– $100-$50,000 – did not know

– $1000-$50,000 – reasonable cause

– $10,000-$50,000 – willful neglect, corrected

– $50,000 – willful neglect NOT corrected

“Reasonable cause” – knew it was a violation but committed without willful neglect:

– Is this the “stupid mistake”?

“Willful neglect” standard remains the same: “conscious, intentional failure or reckless indifference”

Page 7

Breach Notification – New Rule Penalties

The factors that are taken into account for imposing civil penalties have been revised to include:

– “The number of individuals affected”;

– “The time period during which the violation occurred”;

– “Financial harm” to the affected individuals;

– “Harm to an [affected] individual’s reputation”;

– “Hinder[ing] an [affected] individual’s ability to obtain health care”.

In other words, breaches that impact more people over a longer time with resulting harm will be punished more severely.

A history of previous “indications of non-compliance” also will be factored into this HIPAA civil penalty analysis. 45 C.F.R. § 160.408

Also notable is what these regulations did not do: they did not raise the cap on HIPAA civil monetary penalties. It remains at $1.5 million, which is somewhat surprising in light of the increasing frequency and scope of breaches involving PHI, and the increasingly large penalties the Office of Civil Rights has imposed for HIPAA privacy and security violations.

Page 8

Breach Notification – New Rule Penalties

Business associates (and subcontractors) may also be liable for the increased penalties for noncompliance based on the level of culpability, up to a maximum penalty of $1.5 million, as HHS OCR can:

– Receive and investigate complaints

– Submit reports to HHS OCR, cooperate with investigations

– Perform compliance reviews on them

– They must abide by whistleblower protections

Liability of a covered entity for CMPs arising from the conduct of business associates and subcontractors is based on the federal common law of agency:

– Did the covered entity control or have the right to control or direct the agent’s conduct in performing the contracted service?

– If there is a business associate agreement, isn’t the answer always “yes”?

Page 9

Managing State Attorneys General and HHS OCR While Minimizing Your Risk

Part II: How to approach an Attorney General’s Office regarding data breaches and strategies for addressing enforcement by those Offices

Kevin C. Conroy

Foley Hoag LLP

(617) 832-1145

[email protected]

Page 10

State Enforcement of Data Breaches

Nearly every State has a data breach law, which requires notice of a data breach to the state’s Attorney General and sometimes other state officials

Notice required when:

– a breach of security; or

– personal information of resident compromised.

Notice generally must include:

– nature of the breach of security or the unauthorized access or use of personal information;

– number of affected residents; and

– steps the notifying entity is taking or plans to take, relating to the incident.

Some notices require:

– consumer’s right to obtain a police report;

– how a consumer requests a security freeze;

– information a consumer will need to provide to request a security freeze; and

– disclosure of fees associated with placing, lifting, or removing a security freeze.

Some state laws provide that an entity that has properly given notice under federal law has complied with the notification provisions of state law

Page 11

Attorneys General and Data Breaches

In early 2007, State AGs came together regarding investigation of the massive TJX data breach:

– Resolved in 2009 with 41 other states

– Included 45 million credit card numbers

– Breach leads to Mass. Data Breach Notification Law and many other state laws

– Although State AGs were given authority to enforce data breaches, very few states were given increased resources to enforce

Recent increased attention by AGs on Data Breaches

– Under the federal HITECH Act of 2009, Attorneys General can obtain damages against a health care provider on behalf of state residents

– This month the National Association of Attorneys General Presidential Initiative focused on privacy and data breach issues (led by MD AG Gansler)

– Many state AGs resolving high profile cases and gaining media attention

– California AG indicates she will focus on health care data breaches

– Some AGs (California, Connecticut, Indiana, Maryland) are creating units/divisions to focus on data breach issues

Page 12

Massachusetts Attorney General Experience Provides Lessons Nationally

Massachusetts AG’s Office averages approximately 700 data breach notifications a year, or about two a day

– 82% of reported data breaches affected fewer than 100 people

– 4% of reported data breaches affected between 1,000 and 10,000 people

– 14% of reported data breaches affected more than 10,000 people

Although the AG’s Office receives 700 data breach notifications a year, the Office has only six resolved data breach matters (two in health care)

– An overwhelming majority of notices lead to no investigation by Office

– Office only has resources to investigate significant data breaches

AG’s Office would rather that you adequately address the breach than it having to address the breach

Generally, consumer protection staff handle data breaches

Page 13

Themes of AG Enforcement

Large number of consumers affected

Media attention prior to enforcement or notice

Entity that was the subject of the data breach had no data policy at all

Failure to encrypt data

Actions involving contractors/third-party agreements where there was no control in any way over contractors

With authority under federal law, more state AGs are focusing on enforcement in the health care area

Usually does not matter if there are no reports of unauthorized use of information

Page 14

Dealing with Attorney General’s Office

The Notice Letter to the AG’s Office is crucial

Goal: Show the AG’s Office you are adequately addressing data breach

Tips:

– Quickly and effectively learn the information about the breach

– If the breach involves a possible crime (e.g. theft of a laptop), contact law enforcement

– Address how and why the breach occurred

– Address that a comprehensive WISP exists that has all of the elements needed to satisfy state law

– Address whether WISP was followed

– If a contractor is involved, address the agreements with the contractor that are in place and why the contractor needed access to the information (Do not assume that the AG’s Office understands why you need to share information with a contractor)

– Address efforts to provide notification to affected residents and discuss prompt and thorough notice

– Provide credit monitoring for affected residents

– Note in the letter that you have provided notice to both AG and other agencies responsible

– Media reports may force you to accelerate reporting of data breach

Page 15

Dealing with Attorney General’s Office

If substantial breach, make decision about substitute notice early

Be prepared for the AG’s Office to alert the press through a press release in case of a substantial breach

Be cautious regarding what you tell the AG’s Office

– In most circumstances, there should be no need to call the AG’s Office

– Rely on the notice letter

If the AG’s Office decides to investigate, it will likely not resolve a matter unless it conducts an investigation and reviews the WISP and other documents

AG enforcement action is likely to begin with a Civil Investigative Demand/Subpoena

AG enforcement will take longer than you think to resolve

AG’s Office will issue press release once case resolved

Page 16

Managing State Attorneys General and HHS OCR While Minimizing Your Risk

Colin J. Zick

Foley Hoag LLP

(617) 832-1275

[email protected]

PART III: Risk-Prevention Efforts and Resources

Page 17

HHS OCR HIPAA Audit Program Protocol: What is it?

The OCR HIPAA Audit program analyzes processes, controls, and policies of selected covered entities pursuant to the HITECH Act audit mandate. OCR established a comprehensive audit protocol that contains the requirements to be assessed through these performance audits.

The entire audit protocol is organized around modules, representing separate elements of privacy, security, and breach notification. The combination of these multiple requirements may vary based on the type of covered entity selected for review.

Page 18

HHS OCR HIPAA Audit Program Protocol: What does it cover?

The audit protocol covers Privacy Rule requirements for:

– (1) notice of privacy practices for PHI

– (2) rights to request privacy protection for PHI

– (3) access of individuals to PHI

– (4) administrative requirements

– (5) uses and disclosures of PHI

– (6) amendment of PHI, and

– (7) accounting of disclosures.

The protocol covers Security Rule requirements for administrative, physical, and technical safeguards

The protocol covers requirements for the Breach Notification Rule

Page 19

HHS OCR HIPAA Audit Program Protocol: What’s happening?

KPMG is conducting the audits on behalf of HHS OCR

115 HIPAA audits completed

OCR is reviewing the results of its pilot HIPAA compliance audit program:

– a more streamlined audit process is promised;

– but also an expanded pool of organizations to be audited in an ongoing, permanent program

Page 20

Key Issues Identified in Audits

Privacy:

– Records of deceased

– Personal representatives

– Business associate agreements

– Disclosures to courts and government entities

– Verification of identity

Security:

– Monitoring authorized users

– Contingency planning

– Authentication and integrity

– Media reuse and destruction

– Risk assessments

– Granting or modifying user access

Page 21

How to Manage the Risk of Audit or Violation?

Develop and maintain an effective compliance program

Education and training

Discipline for violations

Self-audit

Page 22

RESOURCES

OCR: http://www.hhs.gov/ocr/privacy

Audit protocol: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html

My blog: http://www.securityprivacyandthelaw.com

Page 23

HIPAA Breach & Investigations: Managing State Attorneys General and HHS while Minimizing your Risk

FairWarning® Ready Executive Webinar Series April 30, 2013

Page 24

Defining Moment

• According to “The Risk of Insider Fraud, Second Annual Study”, released by the Ponemon Institute in February 2013:

– It takes an organization an average of 87 days to determine that insider fraud has occurred and 105 days to determine root cause

– With only one-third of the cases being closed with actionable evidence, the data implies that organizations, as well as patients and providers, are vulnerable to repeat offenses

Page 25

Identity Theft Scenario: Mid-size health system that has 4 hospitals & 10 clinics in the South Eastern US

• ePHI was stolen over a period of time by an employee with authorized access on the EHR System

• The employee collaborated with a regional crime ring where the identities were further sold for use in medical identity theft, creation of false tax returns, and to generate credit cards for fraudulent use

• The incident is ultimately reported by the media as details of a crime ring come to light

• Initial reports from the media indicate that a large number of innocent victims may have been impacted

• Within moments of the media release, the health system is flooded with calls from potential victims, other media outlets, and regulators. Enforcement officials are not far behind.

Page 26

Importance of Forensics

• Pressure to determine root cause and scope quickly

• Encourage and use both internal and external tip sources

• Review of audit logs across systems for suspicious behavior by unauthorized and authorized users

• Volume of log data may cause delays

• A manual approach is susceptible to interpretation errors and contributes greatly to inaccurate communications

• Confidence killer that sets the stage for future doubt

Page 27

How to prepare now

• Create a crisis management team & seek management buy-in

• Identify specific processes for how the crisis management team will work together at the time of a breach

• Identify & align a PR point of contact & develop a media plan

• Evaluate what IT resources are needed to conduct a forensics investigation of a breach

• Make sure access is readily available to the audit logs of all major systems that contain ePHI

• Rehearse all of the above & test the process to respond to root cause analysis

Fully rehearse your breach response processes including forensics
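The "Importance of Forensics" slide and the rehearsal steps above both come down to one capability: searching EHR access audit logs for the root cause and scope of a breach like the insider scenario on page 25, without relying on manual reading of the logs. The script below is an added example written for this page; it is not code from the webinar, from Foley Hoag, or from FairWarning's product. It runs over a constructed sample access log (hypothetical users, units and patient ids) and shows two checks a team could rehearse: a per-user volume outlier against same-role peers, and a user whose accesses fall mostly outside the user's own unit. It also pulls the scope facts (first and last access, distinct patients, units touched) that a notice letter to an AG's Office or HHS OCR needs.

```python
"""Scripted review of EHR access audit logs for insider misuse (added example)."""
from collections import defaultdict
from datetime import datetime
from statistics import median


def build_sample_log():
    """Constructed sample log, not real data. One CSV line per record view:
    timestamp,user,role,user_unit,patient_id,patient_unit"""
    lines = []
    # Ordinary staff: a few patients per day, all within their own unit.
    for day in range(1, 6):
        for n in range(1, 4):
            ts = f"2013-03-0{day}T08:{n:02d}:00"
            lines.append(f"{ts},nurse01,nurse,cardiology,P10{n:02d},cardiology")
            lines.append(f"{ts},nurse02,nurse,oncology,P20{n:02d},oncology")
            lines.append(f"{ts},clerk05,clerk,billing,P30{n:02d},billing")
    # Hypothetical insider with valid credentials: sweeps 40 records a day
    # across units it has no business reason to touch.
    units = ["cardiology", "oncology", "pediatrics", "orthopedics"]
    for day in range(1, 6):
        for n in range(40):
            ts = f"2013-03-0{day}T1{n // 10}:{n % 10:02d}:00"
            lines.append(f"{ts},clerk07,clerk,billing,P9{day}{n:02d},{units[n % 4]}")
    return lines


def parse_line(line):
    """Parse one audit line into a dict; timestamps become datetime objects."""
    ts, user, role, user_unit, patient, patient_unit = line.strip().split(",")
    return {"ts": datetime.fromisoformat(ts), "user": user, "role": role,
            "user_unit": user_unit, "patient": patient, "patient_unit": patient_unit}


def daily_distinct_patients(events):
    """Return (user -> date -> set of patient ids, user -> role)."""
    per = defaultdict(lambda: defaultdict(set))
    roles = {}
    for e in events:
        per[e["user"]][e["ts"].date()].add(e["patient"])
        roles[e["user"]] = e["role"]
    return per, roles


def flag_volume_outliers(events, ratio=3.0, floor=10):
    """Flag users whose peak daily distinct-patient count is above `floor`
    and more than `ratio` times the median peak of their same-role peers."""
    per, roles = daily_distinct_patients(events)
    peaks = {u: max(len(s) for s in days.values()) for u, days in per.items()}
    flagged = {}
    for user, peak in peaks.items():
        # Baseline excludes the user under review; fall back to all other
        # users when nobody else holds the same role.
        peers = [p for u, p in peaks.items() if u != user and roles[u] == roles[user]]
        if not peers:
            peers = [p for u, p in peaks.items() if u != user]
        if peers and peak >= floor and peak > ratio * median(peers):
            flagged[user] = peak
    return flagged


def flag_cross_unit_access(events, min_fraction=0.5):
    """Flag users for whom at least `min_fraction` of viewed records belong
    to patients of a unit other than the user's own."""
    total, foreign = defaultdict(int), defaultdict(int)
    for e in events:
        total[e["user"]] += 1
        if e["patient_unit"] != e["user_unit"]:
            foreign[e["user"]] += 1
    return {u: foreign[u] / total[u] for u in total
            if foreign[u] / total[u] >= min_fraction}


def access_scope(events, user):
    """Scope facts for a notification: first/last access, distinct patients,
    and the units whose patients were touched. None if the user never appears."""
    mine = [e for e in events if e["user"] == user]
    if not mine:
        return None
    return {"first": min(e["ts"] for e in mine),
            "last": max(e["ts"] for e in mine),
            "patients": len({e["patient"] for e in mine}),
            "units": sorted({e["patient_unit"] for e in mine})}


if __name__ == "__main__":
    evts = [parse_line(l) for l in build_sample_log()]
    for user in set(flag_volume_outliers(evts)) | set(flag_cross_unit_access(evts)):
        print(user, access_scope(evts, user))
```

Both checks are deliberately simple so that the rehearsal exercises the log access itself: if a system's audit trail cannot be pulled into this shape within hours, that is the finding. On real data the peer baseline should be computed over a longer window than the few days shown here, and the thresholds tuned against known-good roles before the exercise.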