
Page 1: Data Breaches in Healthcare: Responding to the Growing ... (source: media.straffordpub.com/products/data-breaches-in-healthcare...)

Data Breaches in Healthcare: Responding to the Growing Threat of Cyber Attacks
Managing Risk, Responding to Breaches and OCR Investigations, Minimizing HIPAA Liability

Presenting a live 90-minute webinar with interactive Q&A
WEDNESDAY, APRIL 1, 2015
1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific

Today’s faculty features:

James B. Wieland, Principal, Ober Kaler, Baltimore

Edward G. Zacharias, Partner, McDermott Will & Emery, Boston

The audio portion of the conference may be accessed via the telephone or by using your computer's speakers. Please refer to the instructions emailed to registrants for additional information. If you have any questions, please contact Customer Service at 1-800-926-7926 ext. 10.


Tips for Optimal Quality

Sound Quality

If you are listening via your computer speakers, please note that the quality of your sound will vary depending on the speed and quality of your internet connection.

If the sound quality is not satisfactory, you may listen via the phone: dial 1-866-570-7602 and enter your PIN when prompted. Otherwise, please send us a chat or e-mail [email protected] immediately so we can address the problem.

If you dialed in and have any difficulties during the call, press *0 for assistance.

Viewing Quality

To maximize your screen, press the F11 key on your keyboard. To exit full screen, press the F11 key again.

FOR LIVE EVENT ONLY


Continuing Education Credits

For CLE purposes, please let us know how many people are listening at your location by completing each of the following steps:

• In the chat box, type (1) your company name and (2) the number of attendees at your location

• Click the SEND button beside the box

If you have purchased Strafford CLE processing services, you must confirm your participation by completing and submitting an Official Record of Attendance (CLE Form).

You may obtain your CLE form by going to the program page and selecting the appropriate form in the PROGRAM MATERIALS box at the top right corner.

If you'd like to purchase CLE credit processing, it is available for a fee. For additional information about CLE credit processing, go to our website or call us at 1-800-926-7926 ext. 35.

FOR LIVE EVENT ONLY


Program Materials

If you have not printed the conference materials for this program, please complete the following steps:

• Click on the ^ symbol next to “Conference Materials” in the middle of the left-hand column on your screen.

• Click on the tab labeled “Handouts” that appears, and there you will see a PDF of the slides for today's program.

• Double click on the PDF and a separate page will open.

• Print the slides by clicking on the printer icon.

FOR LIVE EVENT ONLY


www.ober.com

James B. Wieland Ober|Kaler

410-230-7397

[email protected]

Data Breaches in Health Care: Responding to the Growing Threat of Cyber-Attacks

Strafford Publications Webinar April 1, 2015


Data Breach Risk Management Strategies: Risk Allocation in Business Associate Agreements

No one-size-fits-all Business Associate Agreement

Simple form available on the OCR website may fit for simple relationships http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html

Post-HITECH environment makes most relationships complex

Breach detection and responsibilities upon discovery

Possible vicarious liability of Covered Entity for Civil Monetary Penalties imposed on Business Associate if Business Associate is an agent under federal common law

– Test is power to give “interim instructions”

OCR can declare a service provider a Business Associate even if there is no Business Associate Agreement in place


Risk Allocation in Business Associate Agreements

Current Due Diligence Issues

Does the Business Associate use a third party Data Center or the Cloud?

On-shore vs. off-shore presence of PHI

Contractual Risk Controls

Initial and ongoing monitoring and right to audit

Questionnaire tied to representations and warranties

Indemnification

Third party certifications

AICPA Service Organization Control (SOC) Audit

Health Information Trust Alliance (HITRUST) Certification

Information Practices (Cyber liability) Insurance


Risk Allocation in Business Associate Agreements

Current Breach issues:

Who provides Breach Notice

Who determines if an exemption applies

Who pays the direct costs of response

Providing notice

Credit monitoring insurance

“Security Incidents” as distinct from Breaches

Attempted or actual interference with information system

Pings, port scans, and other common events


Risk Allocation in Business Associate Agreements

The battle of the forms – Business Associate Agreement terms now highly negotiable except for HIPAA mandated provisions

Are state breach laws included in the Business Associate responsibilities?

How are HIPAA mandated amendments handled?

How is responsibility for Sub-Contractor Business Associates handled?

– Permission to sub-contract

– Responsibility for sub-contractor’s actions

Reviewing Business Associate’s risk assessment and other security documentation

– Need to know vs. confidentiality

– Can too much oversight help create an agency relationship?


HIPAA Compliance

Breach analysis was changed significantly by HITECH

Potential harm is irrelevant

Breaches are presumed absent exemption

Narrow statutory exemptions

Four factor test

Breaches affecting 500 or more individuals are automatically investigated

Enforcement is increasing, with funding from penalties

Despite HITECH Act amendments to penalty provisions, OCR emphasis is still on voluntary resolution


State Law Compliance

All states, except three, plus Washington D.C., Puerto Rico and the U.S. Virgin Islands, have breach notification laws

Generally applies to unencrypted personal information; several states include paper records

Initial scope was name plus social security number, drivers license number or banking information

Notice to state agencies, typically Attorney General, is a common requirement

Trend is to broaden definition of personal information

Initially, to include medical information

Currently, leading edge adds on-line account access information and health insurance information


State Law Compliance

Some states exempt entities covered by HIPAA or other regulatory schemes for data security

Florida leads the way, at least at present, in stringent requirements

30 day notification requirement for individuals and the state

Notice includes any services offered to individuals without charge, e.g. credit monitoring insurance

Along with a number of other states, statute requires reasonable security measures to avoid breaches

State of residence of the affected individual governs

Note FTC actions as unfair or deceptive business practices after breaches, when a health care provider or other entity promises more security than it delivers on its on-line Privacy Practices.

Federal personal information protection statute has been proposed


Insurance Coverage

Breach liabilities generally not covered by general liability or errors and omissions

Information practices insurance, commonly referred to as cyber liability insurance, is the trend

First party liability risk coverage

Data breach

Data restoration

Network extortion

Business interruption


Insurance Coverage

Third party risk coverage

Privacy liability

Media liability

Network security


www.mwe.com

Boston Brussels Chicago Dallas Düsseldorf Frankfurt Houston London Los Angeles Miami Milan Munich New York Orange County Paris Rome Seoul Silicon Valley Washington, D.C.

Strategic alliance with MWE China Law Offices (Shanghai)

© 2015 McDermott Will & Emery. The following legal entities are collectively referred to as "McDermott Will & Emery," "McDermott" or "the Firm": McDermott Will & Emery LLP, McDermott Will & Emery AARPI, McDermott Will & Emery Belgium LLP, McDermott Will & Emery Rechtsanwälte Steuerberater LLP, McDermott Will & Emery Studio Legale Associato and McDermott Will & Emery UK LLP. These entities coordinate their activities through service agreements. This communication may be considered attorney advertising. Previous results are not a guarantee of future outcome.

Edward G. Zacharias

(617) 535-4018

[email protected]

April 1, 2015 – Strafford Live CLE Webinar

Data Breach Response & Responding to an OCR Investigation


Data Breach Response


Definition of Breach

Interim final breach notification rule (IFR) adopted under the HITECH Act became effective 9/23/09

Final Omnibus Rule effective for breaches on or after 9/23/13

The IFR and Final Rule generally define “Breach” to mean the acquisition, access, use or disclosure of PHI in a manner not permitted by the HIPAA Privacy Standards which compromises the security or privacy of PHI

The IFR defines “compromises the security or privacy of PHI” to mean “poses a significant risk of financial, reputational or other harm to the individual”

OCR concluded that the risk of harm standard was applied inconsistently by CEs and BAs and led to under-reporting of unauthorized disclosures to individuals


Definition of Breach (cont’d)

Final Rule eliminated the risk of harm standard

A Breach is presumed unless CE or BA demonstrates that there is a “low probability” that the privacy of PHI has been compromised based on a risk assessment considering at least the following factors:

– The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification

– The unauthorized person who used the PHI or to whom the disclosure was made

– Whether the PHI was actually acquired or viewed

– The extent to which the risk to the PHI has been mitigated

The CE or BA has the burden to prove that an unauthorized disclosure is not a Breach


Definition of Breach (cont’d)

Risk assessment requires an analysis of whether there is more than a “low probability” that PHI was compromised

OCR intends that the Breach determination no longer turn on a subjective assessment of the potential harm to an individual, but OCR’s preamble discussion of the four required factors invites an assessment of:

– Sensitivity of data

– Probability that the PHI could be used by an unauthorized recipient in a manner adverse to the individual

– Number of Direct Identifiers and risk of re-identification


Breach Exceptions

Final Rule preserves the following statutory exceptions:

– Unintentional use by a workforce member in good faith, within scope of authority and without further impermissible disclosures

– Inadvertent disclosures by a person authorized to access PHI to another person authorized to access PHI at the same CE or BA, and without further impermissible disclosures

– Unauthorized recipient would not reasonably be able to retain PHI

Determine whether an exception applies before conducting the risk assessment


Factor # 1: PHI Involved

Factor # 1: The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification

Under this factor, CE/BA should consider:

– Amount and detail of clinical information

– Access to information about mental health conditions/services, substance abuse, HIV/AIDS or other sexually transmitted diseases, genetic test results or other sensitive information

– Access to SSNs or other data creating a financial identity theft risk

– Access to health plan ID numbers or other information creating a medical identity theft risk


Factor # 2: Unauthorized Recipient of PHI

Factor # 2: The unauthorized person who used the PHI or to whom the disclosure was made

Under this factor, CE/BA should consider:

– Whether the recipient is a workforce member of a CE or BA

– Whether the recipient has taken actions that demonstrate integrity

– Did the recipient access the PHI with criminal or other bad intent?


Factor # 3: Actual Access

Factor # 3: Whether the PHI was actually acquired or viewed

Under this factor, CE/BA should consider:

– Evidence of access in software audit logs

– Forensic analysis

– Was the envelope/package containing paper PHI opened?
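Factor 3 turns on evidence, and for electronic PHI that evidence is usually the application's audit trail. The Python below is an added example written for this page, not code from the slides or the presenters: it parses a constructed key=value audit log (the log format, account name, MRNs, source addresses and compromise window are all invented for illustration; a real EHR's audit export will differ and the regex would need adapting) and sorts the set of exposed records into those the logs show were exported, those merely viewed, and those with no access evidence inside the compromise window.

```python
"""Factor 3 ("was the PHI actually acquired or viewed?") worked against audit logs.

Added example with constructed data: the log format, account, MRNs, addresses and
compromise window are invented.  Real EHR audit exports differ; adapt LINE_RE."""
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed audit-log lines, one key=value record per line.  jdoe is the account
# whose credentials were stolen; asmith is an unrelated user.
SAMPLE_LOG = """\
2015-03-01T08:02:11Z user=jdoe action=LOGIN patient=- src=10.0.5.23
2015-03-01T08:05:40Z user=jdoe action=VIEW patient=MRN1001 src=10.0.5.23
2015-03-02T23:14:02Z user=jdoe action=LOGIN patient=- src=203.0.113.77
2015-03-02T23:15:19Z user=jdoe action=VIEW patient=MRN1002 src=203.0.113.77
2015-03-02T23:15:44Z user=jdoe action=EXPORT patient=MRN1002 src=203.0.113.77
2015-03-02T23:16:03Z user=jdoe action=VIEW patient=MRN1003 src=203.0.113.77
2015-03-05T09:00:00Z user=jdoe action=VIEW patient=MRN1004 src=10.0.5.23
2015-03-03T10:30:00Z user=asmith action=VIEW patient=MRN1005 src=10.0.5.40
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"patient=(?P<patient>\S+) src=(?P<src>\S+)$"
)
# Actions that display PHI vs. actions that copy it out ("acquired" is the stronger finding).
VIEW_ACTIONS = {"VIEW", "PRINT"}
ACQUIRE_ACTIONS = {"EXPORT", "DOWNLOAD"}


@dataclass(frozen=True)
class AuditEvent:
    ts: datetime
    user: str
    action: str
    patient: str
    src: str


def parse_log(text: str) -> list:
    """Parse the constructed format; unparseable lines are skipped (count them in real use)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(AuditEvent(ts, m["user"], m["action"], m["patient"], m["src"]))
    return events


def factor3_evidence(events, account, window_start, window_end, exposed_mrns) -> dict:
    """Split exposed records by what the logs show during the compromise window."""
    in_window = [e for e in events if e.user == account and window_start <= e.ts <= window_end]
    acquired = {e.patient for e in in_window if e.action in ACQUIRE_ACTIONS}
    viewed = {e.patient for e in in_window if e.action in VIEW_ACTIONS} - acquired
    exposed = set(exposed_mrns)
    return {
        "acquired": sorted(exposed & acquired),
        "viewed_only": sorted(exposed & viewed),
        # Absence of a log entry is not proof of non-access.  The CE/BA carries the burden,
        # so this bucket only supports "low probability" if logging for the window is shown
        # to be complete and tamper-evident.
        "no_access_evidence": sorted(exposed - acquired - viewed),
        # Source addresses help separate the legitimate user's sessions from the attacker's.
        "sources": sorted({e.src for e in in_window}),
    }


def example() -> dict:
    """Constructed scenario: jdoe's credentials abused between 2 Mar and 4 Mar 2015 (UTC)."""
    window_start = datetime(2015, 3, 2, tzinfo=timezone.utc)
    window_end = datetime(2015, 3, 4, tzinfo=timezone.utc)
    exposed = ["MRN1001", "MRN1002", "MRN1003", "MRN1004", "MRN1005"]  # records jdoe could reach
    return factor3_evidence(parse_log(SAMPLE_LOG), "jdoe", window_start, window_end, exposed)
```

In the constructed scenario, `example()` reports MRN1002 as acquired (exported), MRN1003 as viewed only, and MRN1001, MRN1004 and MRN1005 as lacking access evidence: the first was viewed before the window by the legitimate user, the second after it, and the third by a different account. Those three are the records a documented risk assessment would have to justify separately.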


Factor # 4: Risk Mitigation

Factor # 4: The extent to which the risk to the PHI has been mitigated

Under this factor, CE/BA should consider:

– Whether equipment containing EPHI was recovered

– Whether paper PHI was recovered

– Whether a security flaw was promptly discovered and corrected

– Whether security controls mitigated the risk of unauthorized access

• Note that passwords and screen saver locks after a period of inactivity are important, but provide weak security as compared to encryption

• Remote wipe capabilities


Factors Other Than Mandatory Factors

The four factors are not the exclusive list of factors that may be considered

CE or BA may consider:

– Risk of financial identity theft

– Risk of medical identity theft

– Risk of embarrassment or reputational harm

– Whether PHI is already public


Who must be notified?

CE must notify

– Individuals to whom PHI relates (always)

– OCR (always)

– Prominent media outlets (depends)

BA must notify

– Covered Entity

Final Rule Preamble: “Covered entities and business associates should consider which entity is in the best position to provide notice to the individual”

– CE and BA may agree for BA to handle CE’s notification obligations


Notice periods

CEs must notify every individual affected by a breach of unsecured PHI without unreasonable delay and in no case later than 60 days after discovery of the breach

BA must notify CE of a Breach without unreasonable delay and in no case later than 60 days after discovery of the breach

60 days is an outer limit (be aware of shorter state law timeframes)

“If a BA is acting as an agent of a CE, then . . . the BA’s discovery of the breach will be imputed to the CE.”

– i.e., CE required to notify within 60 days of when breach discovered by BA


When is breach discovered?

Breaches treated as “discovered” as of the first day the breach is known to the CE or BA, or by exercising reasonable diligence would have been known to the CE or BA

Not when management and/or Privacy/Security Officer knows:

– HITECH Act provides that breach treated as discovered by CE or BA when ‘‘any person, other than the individual committing the breach, that is an employee, officer, or other agent of such entity or associate’’ knows or should reasonably have known of the breach.


Notice by BA to CE

Notice by BA to CE must include, to the extent possible:

– Identification of each affected individual

– Any other available information that CE is required to include in notice to individuals (discussed below)

• If information becomes available after initial notice to CE, BA must provide such additional information to CE


Notice to affected individuals

Content of notice to affected individuals (to the extent possible):

– A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known;

– A description of the types of unsecured PHI that were involved in the breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);

– Any steps individuals should take to protect themselves from potential harm resulting from the breach;

– A brief description of what CE is doing to investigate the breach, to mitigate harm to individuals, and to protect against any further breaches (free credit monitoring; reviewing P&P; retraining etc.); and

– Contact procedures for individuals to ask questions or learn additional information, which shall include a toll free telephone number, an e-mail address, web site, or postal address.


Notice to affected individuals

Plain language requirement

Form of notice

– First-class mail at the last known address

– Email (if the individual has previously agreed to electronic notice)

– If individual deceased, written notification by first-class mail to either the next of kin or personal representative

– Substitute notice


Notice to affected individuals

Substitute notice when insufficient or out-of-date contact information

– If fewer than 10 individuals, alternative form of written notice, telephone, or other means.

– Ten or more individuals:

• Either: (1) conspicuous posting for 90 days on the home page of the CE web site; or (2) conspicuous notice in major print or broadcast media in geographic areas where the individuals affected by the breach likely reside; and

• Must include a toll-free phone number that remains active for at least 90 days where an individual can learn whether the individual’s unsecured protected health information may be included in the breach.

Notice in Urgent Circumstances

– Possible imminent misuse of unsecured PHI

– CE may provide information to individuals by telephone or other means, as appropriate, to be followed up by written notice


Notice to OCR

CE must notify OCR in the event of a breach

Fewer than 500 individuals affected

– Within 60 days following the end of the calendar year in which the breach is discovered

500 or more individuals affected

– Contemporaneously with notice to individuals

Form of notice:

– Complete and submit OCR online notice form

– http://ocrnotifications.hhs.gov/


Media Notice

In the event that the Breach involves PHI of more than 500 residents of a state or jurisdiction, the CE must also notify prominent media outlets in the jurisdiction

– Citywide? Statewide?

– “Outlets” (at least two)

– Print and/or broadcast media

Must include same information as individual notices

Breach at BA, affecting more than 500 from multiple CEs

– 500 per CE, not in the aggregate
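The timing rules on the preceding slides (the discovery date, the 60-day outer limit, imputation of an agent BA's discovery to the CE, OCR timing by breach size, the per-state and per-CE media threshold, the substitute-notice tiers, and a shorter state deadline such as Florida's 30 days) interact, and the earliest one is easy to miss. The following Python is an added example written for this page, not code from the presenters or from Strafford. The incident, the covered-entity names, the record of who knew what and when, and the state-deadline table are all constructed; the calculator is a planning aid for an incident-response team, not legal advice.

```python
"""HIPAA breach-notification deadline calculator: added example with constructed data.

Rules taken from the slides: discovery is the first day a non-perpetrator workforce member
knew or should have known; 60-day outer limit for individual and BA-to-CE notice; an agent
BA's discovery is imputed to the CE; OCR notice is contemporaneous for 500+ individuals,
otherwise due 60 days after the calendar year ends; media notice where more than 500
residents of one state are affected, counted per CE; substitute-notice tiers split at 10."""
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass, field
from datetime import date, timedelta

OUTER_LIMIT_DAYS = 60
OCR_CONTEMPORANEOUS_THRESHOLD = 500  # "500 or more"
MEDIA_THRESHOLD_PER_STATE = 500      # "more than 500" residents of one state or jurisdiction
SUBSTITUTE_NOTICE_SMALL = 10         # fewer than 10 unreachable individuals
# Shorter state deadlines in days from discovery.  Only Florida's 30 days is from the slides;
# assumption: keyed by postal code, extend for other states.
STATE_INDIVIDUAL_NOTICE_DAYS = {"FL": 30}

@dataclass
class Knowledge:
    person: str
    knew_on: date
    is_perpetrator: bool = False  # the person who committed the breach does not count

@dataclass
class Affected:
    individual_id: str
    state: str
    covered_entity: str
    bad_contact_info: bool = False  # drives the substitute-notice tier

@dataclass
class Incident:
    ce_knowledge: list[Knowledge]  # CE workforce knowledge, incl. receipt of the BA's notice
    ba_knowledge: list[Knowledge] = field(default_factory=list)
    ba_is_agent_of_ce: bool = False
    affected: list[Affected] = field(default_factory=list)

def discovery_date(knowledge: list[Knowledge]) -> date:
    """First day any non-perpetrator employee, officer or agent knew or should have known."""
    dates = [k.knew_on for k in knowledge if not k.is_perpetrator]
    if not dates:
        raise ValueError("no qualifying workforce knowledge: breach not yet 'discovered'")
    return min(dates)

def deadlines(incident: Incident) -> dict:
    out: dict = {}
    ba_disc = None
    if incident.ba_knowledge:
        ba_disc = discovery_date(incident.ba_knowledge)
        out["ba_notice_to_ce_due"] = ba_disc + timedelta(days=OUTER_LIMIT_DAYS)
    # Agent rule: BA's discovery is imputed to the CE; otherwise the CE's own clock runs
    # from its first knowledge (typically receipt of the BA's notice).
    agent = ba_disc is not None and incident.ba_is_agent_of_ce
    ce_disc = ba_disc if agent else discovery_date(incident.ce_knowledge)
    out["ce_discovery"] = ce_disc
    hipaa_due = ce_disc + timedelta(days=OUTER_LIMIT_DAYS)
    out["individual_notice_due_hipaa"] = hipaa_due
    # State law can be shorter than HIPAA's outer limit; the earliest deadline controls.
    state_due = {st: ce_disc + timedelta(days=STATE_INDIVIDUAL_NOTICE_DAYS[st])
                 for st in {a.state for a in incident.affected} if st in STATE_INDIVIDUAL_NOTICE_DAYS}
    out["state_individual_notice_due"] = state_due
    out["effective_individual_notice_due"] = min([hipaa_due, *state_due.values()])
    if len({a.individual_id for a in incident.affected}) >= OCR_CONTEMPORANEOUS_THRESHOLD:
        out["ocr_notice_due"] = hipaa_due  # contemporaneously with notice to individuals
    else:  # within 60 days after the end of the calendar year in which the breach was discovered
        out["ocr_notice_due"] = date(ce_disc.year, 12, 31) + timedelta(days=OUTER_LIMIT_DAYS)
    unreachable = sum(1 for a in incident.affected if a.bad_contact_info)
    if unreachable == 0:
        tier = "none"
    elif unreachable < SUBSTITUTE_NOTICE_SMALL:
        tier = "alternative written notice, telephone or other means"
    else:
        tier = "90-day web posting or major media notice plus toll-free number active 90 days"
    out["substitute_notice"] = (unreachable, tier)
    return out

def media_notice_jurisdictions(affected: list[Affected]) -> list[tuple[str, str]]:
    """(CE, state) pairs needing media notice: more than 500 residents per CE, never aggregated."""
    counts = Counter((a.covered_entity, a.state) for a in affected)
    return sorted(k for k, c in counts.items() if c > MEDIA_THRESHOLD_PER_STATE)

def make_affected(ce: str, state: str, n: int, bad_contact: int = 0) -> list[Affected]:
    """Constructed affected-individual records for the scenario below."""
    return [Affected(f"{ce}-{state}-{i}", state, ce, i < bad_contact) for i in range(n)]

def example_scenario() -> dict:
    """Constructed breach at a BA serving two covered entities (not a real case)."""
    ba_knowledge = [
        Knowledge("insider who exfiltrated the data", date(2015, 1, 5), is_perpetrator=True),
        Knowledge("BA SOC analyst who triaged the alert", date(2015, 1, 15)),
        Knowledge("BA privacy officer", date(2015, 2, 2)),
    ]
    ce_received_notice = [Knowledge("CE privacy officer, received BA's notice", date(2015, 2, 10))]
    # Hospital A: the BA is its agent, so the BA's 15 Jan discovery is imputed to it.
    hospital_a = Incident(ce_received_notice, ba_knowledge, ba_is_agent_of_ce=True,
                          affected=make_affected("Hospital A", "FL", 700, bad_contact=12)
                          + make_affected("Hospital A", "NY", 40))
    # Hospital B: the BA is an independent contractor, so its clock starts on 10 Feb.
    hospital_b = Incident(ce_received_notice, ba_knowledge, ba_is_agent_of_ce=False,
                          affected=make_affected("Hospital B", "FL", 300, bad_contact=3))
    return {"hospital_a": deadlines(hospital_a), "hospital_b": deadlines(hospital_b),
            "media_notice": media_notice_jurisdictions(hospital_a.affected + hospital_b.affected)}
```

Calling `example_scenario()` shows the points the slides make: Hospital A's HIPAA clock runs from the BA analyst's 15 January knowledge (the insider's earlier knowledge is excluded), so its individual notice is due by 16 March, but Florida's 30 days pulls the effective deadline forward to 14 February; Hospital B's clock runs only from 10 February. Hospital A's 740 individuals put OCR notice alongside the individual notices, while Hospital B's 300 defer it to 60 days after year end. Media notice is owed only for Hospital A's 700 Florida residents, even though the BA's aggregate Florida count is 1,000.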


Mitigation / Remediation

Act quickly following discovery of breach

Promptly take steps to mitigate potential harm and to prevent a similar incident from happening in the future

– Technical (e.g., turning off application; add additional security)

– Non-Technical (e.g., law enforcement, private investigator, get data back)

– Employee disciplinary action

• Sanctions are a required Implementation Standard

– Post-incident review and modification of policies and procedures

– Additional training


Mitigation / Remediation, cont.

Goals of prompt mitigation

– Prevent or lessen harm to potentially affected individuals

– Prevent similar incidents from occurring in the future

• Proactive vs. reactive

– Quickly come into compliance with HIPAA Privacy, Security and/or Breach Notification Standards

– Preparedness for potential OCR investigation (demonstrated compliance)


Breach Preparedness / Be Proactive

Implement security breach response policies and procedures

– Expressly require that the risk assessment address at least the four enumerated factors

Thoroughly document the risk assessment, particularly one finding a “low probability” that PHI was compromised

Train workforce on breach policies and procedures

CEs and BAs must have a written sanctions policy and apply appropriate sanctions against workforce members who fail to comply with policies and procedures

Ensure vendors have appropriate safeguards to prevent, detect and respond to breaches

Be nimble (“60 days is an outer limit” for HIPAA reporting) – State law!

Expect future OCR guidance on risk assessments


Responding to an OCR Investigation


Complaint/Compliance Review Process


Source: OCR website: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/process/index.html


OCR Stated Approach to Enforcement

OCR first attempts to resolve non-compliance by obtaining:

– Voluntary compliance;

– Corrective action; and/or

– Resolution agreement.

Resolution Agreements: “These agreements are reserved to settle investigations with more serious outcomes” (23 to date)

Formal CMP enforcement process (only 1 to date)

– HHS administrative law judge hearing, in which OCR has burden of proof on liability issues and CE or BA has burden of proof on CMP quantum issues

– Appeal to HHS Departmental Appeals Board

– Appeal to U.S. Court of Appeals


OCR’s HIPAA Enforcement History

Between April 2003 and January 2015, of ~42,000 cases of potential HIPAA violations over which OCR found it had jurisdiction:

– In ~8,000 cases (19%), OCR intervened early with technical assistance on compliance in place of an investigation

– In ~11,000 cases (26%), OCR found no violation had occurred

– OCR resolved the remaining ~23,000 cases (55%) through a combination of demonstrated compliance, technical assistance, and corrective action plans – without any monetary payments

– OCR has required monetary settlements in just 23 cases (0.06%)

– Only 1 formal Civil Monetary Penalty Action to Date


OCR Monetary Settlement History


OCR Enforcement Perspectives

Recent comments from OCR senior leadership and local representatives indicate OCR is now substantially toughening its enforcement positions

– “[C]ontinued enforcement is a critical component of OCR’s arsenal of tools” – Jocelyn Samuels, OCR Director.

Final Privacy Rule is 12 yrs old / Final Security Rule is 10 yrs old

Political Pressure

“[T]he overall record of [HIPAA] enforcement is simply not satisfactory” – Senator Al Franken, December 2011 Hearing before Senate Judiciary Subcommittee on Privacy, Technology, and Law.

“OCR did not meet [certain] Federal requirements critical to the oversight and enforcement of the Security Rule” (OIG Report, Nov. 2013)

Budgetary Considerations

– OCR level funded for 2015

– “[A]ny civil monetary penalty or monetary settlement collected with respect to an offense punishable under [HIPAA] . . . shall be transferred to the Office for Civil Rights of the Department of Health and Human Services to be used for purposes of enforcing [HIPAA]” (HITECH Act).



CMP Penalty Range

Columns: Violation Category | Min. Per-Violation Penalty | Max. Penalty for All Violations of an Identical Provision in a Year

Tier 1: The entity did not know (and, by exercising reasonable diligence, would not have known) that it violated the applicable provision
  Min. per-violation penalty: $100 (42 U.S.C. § 1320d-5(a)(3)(A); 45 C.F.R. § 160.404(b)(2)(i)(A))
  Max. per year for identical provision: $25,000 under HITECH Act (42 U.S.C. § 1320d-5(a)(3)(A)); $1,500,000 under HHS Regulations (45 C.F.R. § 160.404(b)(2)(i)(B))

Tier 2: Violation is due to reasonable cause and not to willful neglect
  Min. per-violation penalty: $1,000 (42 U.S.C. § 1320d-5(a)(3)(B); 45 C.F.R. § 160.404(b)(2)(ii)(A))
  Max. per year for identical provision: $100,000 under HITECH Act (42 U.S.C. § 1320d-5(a)(3)(B)); $1,500,000 under HHS Regulations (45 C.F.R. § 160.404(b)(2)(ii)(B))

Tier 3: Violation is due to willful neglect and is corrected within 30 days of when the entity knew or by exercising reasonable diligence would have known that the violation occurred
  Min. per-violation penalty: $10,000 (42 U.S.C. § 1320d-5(a)(3)(C); 45 C.F.R. § 160.404(b)(2)(iii)(A))
  Max. per year for identical provision: $250,000 under HITECH Act (42 U.S.C. § 1320d-5(a)(3)(C)); $1,500,000 under HHS Regulations (45 C.F.R. § 160.404(b)(2)(iii)(B))

Tier 4: Violation is due to willful neglect and is not corrected within 30 days of when the entity knew or by exercising reasonable diligence would have known that the violation occurred
  Min. per-violation penalty: $50,000 (42 U.S.C. § 1320d-5(a)(3)(D); 45 C.F.R. § 160.404(b)(2)(iv)(A))
  Max. per year for identical provision: $1,500,000 under HITECH Act (42 U.S.C. § 1320d-5(a)(3)(D)); $1,500,000 under HHS Regulations (45 C.F.R. § 160.404(b)(2)(iv)(B))


Steps to Maximize Chance of Good Outcome

1. Be proactive

– Conduct/update comprehensive risk analysis

– Implement risk management plan based on risk analysis findings

– Develop, maintain, and periodically assess strong privacy, security, and breach response policies and procedures

– Adequately train employees and document training

– Follow and enforce the policies and procedures (P&Ps) once in place

– Encourage employees to promptly and accurately report potential breaches to appropriate internal officers



Steps to Maximize Chance of Good Outcome, ctd.

2. Investigate breach reports promptly

– Quickly determine basic facts, even if more time will be required to nail down all details

– Promptly take steps to mitigate potential harm and to prevent a similar incident from happening in the future

– Regulators want to be notified sooner rather than later (60 days is an outer limit)

– Regulators often do not understand intra- or inter-organizational communications challenges



Steps to Maximize Chance of Good Outcome, ctd.

3. Communicate early and often

– Make sure regulators hear about a potential breach first from you—not from the media, a whistle-blower, or an impacted patient

– Consider informally giving the regulator the basic facts, with the caveat that the investigation is ongoing, facts may ultimately prove to be different, etc.

– Allows entity to establish rapport with regulator

• Want regulator to view you as a responsible and cooperative actor with patients’ best interests in mind

– Gives entity more control over message



Steps to Maximize Chance of Good Outcome, ctd.

4. Communicate effectively

– Choose a single spokesperson, whether that be an in-house lawyer, outside counsel, or someone else

– Stick with that spokesperson unless there is a good reason to change

– Be prepared to show concrete steps taken to improve safeguards (“lessons learned”) before being required to do so through a negotiated settlement



Steps to Maximize Chance of Good Outcome, ctd.

5. Be cooperative wherever possible with your regulators, but analyze critically

– Regulators’ interpretation of law is not always supported

– Regulators do not want to bring an enforcement action and lose

– Regulators are repeat players who will be impacted by negative court or ALJ decisions interpreting ambiguous laws and regulations

– Do not be afraid to politely, but firmly, push back on regulators’ theories

• Best done through outside counsel



So What Do I Do When I Get a Post-Breach Inquiry from OCR?

Acknowledge receipt and tell OCR that an appropriate person will respond promptly

Quickly report it to the appropriate officer in the organization

Involve in-house or outside counsel experienced in dealing with OCR investigations

– Work with counsel to come up with a response and communications plan (internal and external)

Start collecting requested information quickly—don’t wait for the stated deadline

– Document all steps taken to do so

– Note privilege context of collected documents



So What Do I Do When I Get a Post-Breach Inquiry from OCR, ctd.?

Keep original file of all documents collected, including privileged documents

– Offer privilege log before preparing—regulator may not want one

Other than legitimate privilege assertions, be forthcoming

– Avoid splitting hairs wherever possible

– Perceived “cover up” usually leads to a worse outcome than the underlying incident would have

Respond within deadline or, alternatively, proactively seek an extension
