PACT Cybersecurity Series Event, speaker Gregory M. Fliszar, Esq. of Cozen O'Connor, February 26,...

Presented By:

Cybersecurity and Healthcare: The Key to Limiting Your Risk is Being Informed

February 26, 2015

HIPAA/HITECH:  Risks and Liabilities in an Increasing Enforcement Environment

Gregory M. Fliszar, J.D., Ph.D.

(215) 665-4737

[email protected]

Agenda

• HIPAA Refresher
• HITECH Final Rule
  – significant changes
• Top HIPAA Issues
• Healthcare Risks
• Enforcement Environment

What is HIPAA?

• The Health Insurance Portability And Accountability Act of 1996 (HIPAA)
  – Administrative Simplification
    • Standards for health care electronic transactions and code sets
    • Security of electronically stored and transmitted health information
    • Privacy of individually identifiable health information

What is HIPAA?

• Privacy Rule – sets the standards for who may have access to PHI
  – applies to all forms of PHI, whether electronic, written or oral
• Security Rule – sets the standards for ensuring that only those who should have access to electronic PHI (ePHI) will actually have access
  – Only applies to PHI that is in electronic form

HIPAA Applicability

• Covered Entities
  – Health plans - including, for example:
    • Group Health Plans (medical, dental and LTC plans)
    • Health insurance issuers
    • Issuers of Flexible spending accounts
  – Health care providers that transmit electronic information in connection with health claims transactions
  – Health care clearinghouses

HIPAA Applicability

• Business Associates
  – a person or organization, other than a member of a covered entity's workforce, that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of individually identifiable health information
  – Examples include billing companies, attorneys, accountants, consultants, etc.

HIPAA Applicability

• HIPAA applies only to “Protected Health Information” (PHI)
  – Individually identifiable information
  – Received or created by a Covered Entity
  – Relating to a person’s past, present or future health condition, treatment or payment
  – Transmitted or stored by a Covered Entity in any form (including oral)

HIPAA General Rule

• PHI may not be disclosed without patient authorization unless the disclosure is otherwise permitted under HIPAA or required by law.
• Failure to comply = breach
  – Breach notification if unsecured PHI

HIPAA/HITECH Final Omnibus Rule

• Significant changes: Business Associates
  – Definition of business associate broadened to include: (1) subcontractors of business associates and (2) Health Information Organizations or other entities that provide data transmission services to a covered entity that require access to PHI on a routine basis

Business Associates

• Business Associates
  – HIPAA now applies to an enormous number and variety of service providers to the health-care industry
  – Downstream contractors included
  – Not limited to traditional health care
    • Storage companies
    • Cloud providers

HIPAA/HITECH Final Omnibus Rule

  – BAs now directly liable under HIPAA for violations of the Security Rule and for impermissible uses and disclosures of PHI under the Privacy Rule
  – Significant compliance obligations
  – BAs subject to:
    • HIPAA audits
    • Civil monetary penalties
    • Criminal sanctions

Business Associates

• HIPAA audits expected to resume in 2015 - BAs are expected to be prime targets
  – Many reported covered entity breaches involved BAs
• Business Associate Agreements are no longer boilerplate
  – Most include indemnification provisions requiring the BA to indemnify the Covered Entity from all claims and expenses resulting from the acts or omissions of the BA or any of its subcontractors
  – Many also require the BA to pay the costs of a breach caused by the BA/subcontractor

Business Associates

• Due to the enforcement and liability risks, BAs should take immediate steps to become HIPAA compliant
• Compliance steps should include, at a minimum:
  – Conducting a written security risk analysis
  – Designating a security officer
  – Implementing required security policies and procedures
  – Implementing technical security measures and facility access controls
  – Conducting HIPAA training programs for staff and management
  – Entering into business associate agreements with subcontractors
  – Developing policies and procedures to provide breach notification to the covered entity upon discovering a privacy or security breach

HIPAA/HITECH Final Omnibus Rule

• Revised Definition of “Breach:”
  – Breach presumed unless:
    • “LoProCo:” The CE or BA can demonstrate that there is a low probability that the PHI has been compromised based on:
      – Nature and extent of the PHI involved (including the types of identifiers and the likelihood of re-identification);
      – The unauthorized person who used the PHI or to whom the disclosure was made;
      – Whether the PHI was actually acquired or viewed; and
      – The extent to which the risk to the PHI has been mitigated.
  – Focus on the risk to the data, instead of risk of harm to the individual

Top HIPAA Issues

• Security Breaches
  – Covered Entity responsible for BA breaches
  – Everyone will eventually experience a breach: be prepared
  – Conduct a risk assessment, implement policies and do training
  – Encryption is a safe harbor
  – Don’t forget state identity theft reporting requirements
  – Paper is still a big risk

Top HIPAA Issues

• Mobile Devices/BYOD
  – Develop a strategy
  – Encryption, Encryption, Encryption !!!
  – FTC may jump in with regulations

Healthcare Risks

• Healthcare information is now a HIGH priority target for cybercriminals
• A complete health record is worth at least 10x more than credit card information on the black market
• Health care records include a treasure trove of personal information
  – Identity theft
  – Filing false insurance claims
  – Obtaining prescription medications

Healthcare Risks

• Security protections currently in place in the healthcare industry tend to lag behind those in the banking and financial sector
• Health information seen as “low hanging fruit”
• FBI warned in August 2014 that hackers were possibly seeking PHI

Anthem

• On February 4, 2015 Anthem disclosed that it was the victim of a “very sophisticated” cyberattack
• Exposed the birthdates, social security numbers, medical ID numbers, street and email addresses and employee data of 80 million customers and employees
• Data was not encrypted in its database

Anthem

• Hack believed to have begun with phishing e-mails sent to a handful of its employees
• The e-mails were used to trick the individuals into visiting malicious websites or executing malware

Anthem

• FBI investigating the breach
• HHS Office of Inspector General working with law enforcement
• State Attorneys General looking into the breach
• Numerous class action and individual lawsuits filed in several states
• Reputational Harm: Anthem = Breach

HIPAA Enforcement

• HIPAA enforcement has changed dramatically since 2011, as evidenced by some recent high-profile and high-penalty enforcement actions taken by OCR
  – HITECH increased the monetary penalties available for HIPAA violations
• CEs and BAs must also be on the alert for actions by state Attorneys General, potential class action lawsuits, OCR’s HIPAA audit program, and even FTC investigations

OCR Enforcement

• Skagit County, WA (March 2014)
  – First settlement with a county government
  – For 2 weeks Skagit County disclosed the ePHI of 1,581 individuals by providing access to the ePHI on its public server
  – Failed to provide notification to all of the individuals whose ePHI had been compromised
  – Failed to have sufficient policies and procedures in place
  – Paid $215,000 and entered into a three-year corrective action plan (“CAP”)

OCR Enforcement

• Concentra Health Services
• QCA Health Plan, Inc. of Arkansas (April 2014)
  – Stolen, unencrypted laptops
  – Concentra paid $1,725,220 plus CAP
  – QCA paid $250,000 plus CAP

OCR Enforcement

• Anchorage Community Mental Health Services (December 2014)
  – Breach of unsecured ePHI that affected 2,743 individuals.
  – Breach resulted from malware compromising the security of ACMHS’ information technology resources.
  – Failed to conduct a thorough risk assessment and implement reasonable and appropriate security policies and procedures.
  – $150,000 and entered into a 2-year CAP

Lessons Learned

• Appropriate Safeguards can prevent breaches:
  – Evaluate the risk to ePHI when at rest on removable media, mobile devices and computer hard drives
  – Conduct a RISK ANALYSIS
  – Take reasonable and appropriate measures to safeguard ePHI – policies and procedures
  – Encrypt data stored on portable/moveable devices & media
  – Consider appropriate data backup
  – Train workforce members on how to effectively safeguard data and report security incidents

HHS HIPAA Audits – Phase 2

• Primarily internally staffed
• Selected entities will receive notification and data requests
• Entities will be asked to identify their BAs and provide their current contact information
• Will select BA audit subjects
• Significant noncompliance can lead to a formal investigation by OCR
  – Backdoor enforcement tool

FTC Enforcement

• LabMD
  – FTC used general security enforcement approach
  – Wanted monitoring for 20 years
• Mobile applications
  • FTC reviewing potential rules for mobile devices and applications
  • Health care is part of this review

State Attorney General Enforcement

• State Attorneys General have started to exercise the authority granted by HITECH to bring civil actions on behalf of state residents for violations of HIPAA
• Connecticut, Vermont, Massachusetts and Minnesota AGs have brought actions under HIPAA
• Minnesota went against a BA
• Many looking into Anthem breach

Data Breach Class Actions

• Examples:
  – Tenet Health – settled a 17-year-old breach case for $32.5 million in October 2014.
  – AvMed settled a class action for $3 million last October where 2 unencrypted laptops contained AvMed health plan member PHI
  – Community Health System – faces a class action brought over the data breach that it reported on August 18 (4.5 million customers affected)
  – Anthem

Employer Liability

• Walgreens
  – Indiana jury awarded $1.44 million to a Walgreen’s customer due to allegations that a Walgreen’s pharmacist improperly used and disclosed the customer’s prescription information
  – Rogue employee in a love triangle
  – HIPAA used as standard of care
  – Walgreens found 80% liable
  – Upheld on appeal

Recommendations

• CEs and BAs must:
  • conduct thorough risk assessments and appropriately update the same
  • develop and update robust HIPAA policies and procedures – including use of encryption
  • conduct ongoing HIPAA training and awareness programs with all staff
  • make sure agreements are in place with all BAs and subcontractors having access to PHI
  • emphasis should be on the risks, use and safeguards of portable electronic devices, which are frequently at the center of a data breach

Questions

Presented By:

Gregory M. Fliszar, J.D., Ph.D.

[email protected]