OVERVIEW
- Why Does This Matter?
- Recent Data Breaches
- Recent Enforcement Actions
- Statistics & Recent Cases
- The Law
  – HITECH Act
  – FTC Act
  – State Data Breach Laws
WHY DOES THIS MATTER?
- Data breaches are costly
- Data breaches erode trust and create negative publicity
- With the passage of the HITECH Act there is increased focus on healthcare data security
- The rush to convert to EHR to get stimulus incentives has come at the expense of data security
- 13.7% of all recent breaches occurred in the healthcare sector – a popular target of hackers
- 41.5% of hospitals have 10 or more breaches a year
WHY DOES THIS MATTER? (2)
- Recent CNN Money article – “Healthcare: A 'goldmine' for fraudsters”
- “We hope the health care industry will take a close look at this agreement and recognize that OCR is serious about HIPAA enforcement. It is a covered entity’s responsibility to protect its patients’ health information.” – Georgina Verdugo, Director of OCR (2/22/11)
WHY DOES THIS MATTER? (3) March day instructor-led HIPAA Enforcement Training to help State Attorneys General and their staff use their new authority to enforce the HIPAA Privacy and Security Rules. The training course will aid State Attorneys General in investigating and seeking damages for HIPAA violations that affect residents of their states.
Recent Data Breaches – Family Planning Council
- 4/8/11 – Announcement that a computer storage device containing the personal and medical records of about 70,000 patients was stolen in December and remains missing.
- Theft blamed on a former worker whose employment ended 12/28/10, the day the theft was discovered and reported to police.
- The former employee has an extensive criminal record and has been in and out of prison for the last two decades on multiple convictions of theft and other offenses.
Recent Data Breaches – Dental Practice
- 4/11/11 – Dentist left non-shredded PHI in a publicly accessible trash can.
- Documents were found by a man looking for scrap metal, who called local news because he was concerned someone could use them to steal the patients’ information.
- Dentist said the documents were likely sitting in a box waiting to be shredded and that a new office assistant might have accidentally thrown them out with the trash.
Recent Breaches – CVS
- 3/7/11 – Philadelphia Federation of Teachers Health and Welfare Fund sued CVS, alleging that its unauthorized disclosure of PHI was an unfair trade practice.
- CVS sent letters to physicians that listed their patients’ names, dates of birth and prescribed medications.
- The letters encouraged the physicians to prescribe drugs made by pharmaceutical manufacturers, who paid CVS to send them.
- This purported disclosure of PHI would violate the HIPAA Privacy Rule’s prohibition against disclosing PHI for marketing purposes without an individual’s authorization.
Recent Enforcement Actions – Cignet Health
- 2/22/11 – HHS issued a notice of final determination finding that Cignet violated the HIPAA Privacy Rule, and imposed a fine of $4.3 million.
- First time HHS had imposed a civil monetary penalty for an entity’s violation of the HIPAA Privacy Rule.
- HHS determined that Cignet violated 41 patients’ rights by denying the patients' requests for access to their medical records between September 2008 and October.
- Cignet refused to respond to demands to produce records, failed to cooperate with the investigation, and failed to produce records in response to a subpoena.
Recent Enforcement Actions – Health Net
- Connecticut (January 2010) – AG sued Health Net for failing to secure private patient medical records and financial information of 446,000 CT residents on 27.7 million scanned pages
  – First state AG action under the HITECH Act
  – State AG criticized Health Net for its “unconscionable” delay of over 6 months to identify victims
  – Data was not encrypted or otherwise protected
  – Failure to supervise and train employees
Recent Enforcement Actions Health Net 7/10 Stipulated Judgment Health Net to pay $250,000 to the Connecticut General Fund with another $500,000 contingent payment to Connecticut if third party determines, before 11/30/11, that any data on the missing disk was accessed and misused or any claims are made on third party’s insurance policy linked to misuse of the lost disk drive.
Recent Enforcement Actions – Health Net Corrective Action Plan
– 2 years of credit monitoring service
– Enhancing existing security and privacy program
– Installation of technology to restrict the transfer of PHI and PI to removable media
– Encryption of all laptop hard drives and all desktop hard drives
– Improved IT oversight, including the creation of an “Information Security Analyst” assigned to each new IT project, with assessment duties reporting directly to Health Net's Manager of Information Security
– Requiring all “Business Associates” to execute HIPAA-compliant Business Associate Agreements
– Enhanced training and awareness, including holding an annual “Compliance Awareness Week” for all employees to “emphasize the importance of protecting the privacy and security of PHI”
– Providing semi-annual updates to its initial status report to the Connecticut Attorney General
Recent Enforcement Actions Health Net 11/8/10 Connecticut Insurance Commissioner announced that Health Net had agreed to pay $375,000 in penalties for failing to safeguard the personal information of its members from misuse by third parties. The penalties were part of a settlement agreement reached with Health Net pursuant to which Health Net agreed to provide credit monitoring protection for two years to all affected members and providers in Connecticut. Health Net also agreed that the costs related to improvements in data and equipment security it made in response to the data breach will not be passed along to Health Net members.
Recent Enforcement Actions – Mass General
- 2/24/11 – HHS announces $1,000,000 Resolution Agreement for HIPAA violations that stemmed from the loss of hard copy patient records for 192 patients left on a subway in March.
- The records originated from Mass General’s Infectious Disease Associates outpatient practice and included sensitive records discussing patients’ treatments for HIV/AIDS.
- OCR determined that Mass General had “failed to implement reasonable, appropriate safeguards to protect the privacy of PHI when removed from Mass General’s premises and impermissibly disclosed PHI potentially violating provisions of the HIPAA Privacy Rule.”
- Corrective Action Plan which requires Mass General to:
  – develop and implement a set of policies and procedures to ensure PHI is protected when it is removed from Mass General;
  – train employees on the policies and procedures; and
  – designate an internal monitor to conduct assessments of Mass General’s compliance with the Corrective Action Plan and provide semi-annual reports to OCR for three years.
Statistics – Cost of a Stolen or Lost Employee Laptop
- Average cost of a lost laptop is $49,246
  – Occurrence of a data breach represents 80% of this cost
- Average data breach cost of a lost laptop varies by industry
  – Services ($112,853), Financial Services ($71,820) and Healthcare ($67,873) suffer the highest data breach costs
- Backup and encryption methods affect the average cost of a lost laptop
  – Average cost is about $30,000 more when there is a full backup system; the backup makes it easier to confirm loss of sensitive or confidential data
  – Encryption can reduce the cost of a lost laptop by more than $20,000
5 Leading Causes of Security Breaches
- Negligent and intentional employee behavior
- Lost or stolen devices, e.g., laptops
- System glitches
- Malicious or criminal attack
- Third party mistake
Recent Cases – Pacosa v. Kaiser Foundation
- Physician assistant (PA) who took intermittent leave under the FMLA to care for his wife’s clinical depression.
- PA signed a number of confidentiality agreements, which prohibited him from accessing his own health records or those of his family or friends on Kaiser Permanente’s proprietary medical records system unless he had specific authorization from the patient and the access was approved.
- An additional confidentiality policy prohibited him, as an employee, from accessing any protected health information records except where related to his job.
- Kaiser’s Compliance Department received a series of phone calls from his wife, who informed it that PA had accessed her medical records without authorization and that he was using the information to obtain a restraining order against her.
- The Compliance Department’s investigation revealed access to his wife’s records without authorization, and further access to and editing of his daughter’s records as if he were the treating medical provider, all while he was on alleged FMLA leave.
- Fired for violating the confidentiality policy.
- PA sued Kaiser, alleging multiple state and federal statutory violations, including that his termination interfered with his leave rights under the FMLA.
- Case dismissed – no issue of material fact that PA violated confidentiality policies, which was the reason for his termination rather than any FMLA violation.
Recent Cases – Indictment
- 3/15/11 – An indictment of twelve defendants charged for their parts in an identity theft and bank fraud scheme has been unsealed.
- Two of the defendants, who worked for HIPAA-covered entities in Florida, have also been charged with HIPAA violations.
- An office assistant with access to patients’ names, dates of birth, Social Security numbers, and medical information provided that information to others in the fraud/ID theft ring.
HITECH Act of 2009 Health Information Technology for Economic and Clinical Health Act (enacted as part of stimulus bill in February 2009)
HITECH Act Regulations
- Codified at 45 CFR pts 160, 164
- Applies to HIPAA covered entities and their business associates
- Effective date 9/23/09
- 2/22/10 – HHS can impose sanctions for non-compliance
HITECH Highlights
- HIPAA covered entities must provide affected individuals with notice of a breach of their unsecured PHI within 60 days
- Covered entity must evaluate the risk of harm of the breach before providing notice
- Notice must include a brief description of the event, the PHI involved and the steps to take to protect from future harm
HITECH Highlights (2)
- If a breach involves more than 500 individuals, the covered entity must notify the media as well as HHS
- If a breach involves less than 500 individuals, it must be reported to HHS annually
- As of 4/13/11, 257 incidents involving more than 500 people had been reported to HHS
Breach Under the HITECH Act
- Unauthorized acquisition, access, use or disclosure of unsecured PHI in a manner not permitted by the Privacy Rule
- Compromises the security or privacy of the PHI
- Poses a significant risk of financial, reputational or other harm
What is Secured PHI?
- HIPAA Security Rule encryption standard
- Hard copy PHI must be shredded so that it is unreadable or cannot be reconstructed
- Encryption under the HHS guidance is a safe harbor, and no notice would be required in the event of unauthorized access
- Redaction is NOT ACCEPTABLE
Not a Breach Under the HITECH Act
- Unintentional good faith acquisition, access or use of PHI (e.g. nurse mistakenly sends a billing employee an with patients’ PHI);
- Inadvertent disclosure of PHI from an authorized person to another authorized person;
- Unauthorized disclosures in which the recipient would not reasonably have been able to retain the PHI;
- Access to secured PHI;
- Use or disclosure of de-identified information.
Risk of Harm Threshold
- Poses a significant risk of financial, reputational or other harm to the individual
- Must conduct a written risk assessment
  – Who used the PHI and to whom was the PHI disclosed
  – Type, amount and sensitivity of the PHI involved
  – Whether the covered entity has taken immediate steps to mitigate
  – Whether the PHI was returned prior to access
HHS Issues Breach Notice Form The on-line form includes all of the elements required by the HITECH Act and the related HHS breach regulations. The form also requires covered entities to include contact information for a business associate (where the breach occurred at or by the business associate), the type of breach, the location of the breach, safeguards in place prior to the breach, and the date(s) individual notifications were provided.
Notice Under the HITECH Act
- The 60-day notice period begins when the breach is discovered or should have been discovered through the exercise of reasonable diligence
- If a breach is discovered by an agent of a CE, it is considered discovered by the CE
Administrative Requirements
- Training
- Policies and procedures to detect, discover and report breaches
- Complaint process
Notice by Business Associates
- BA is responsible for notifying the CE WITHOUT UNREASONABLE DELAY AND WITHIN 60 DAYS OF DISCOVERY
- Agreements with BAs should have a clear requirement for immediate notice
FTC Breach Notification Rule
- Effective date 9/24/09 – Enforcement 2/22/10
- The FTC final rule applies to vendors of personal health records (PHRs), PHR-related entities, third-party service providers and non-profits.
- HIPAA covered entities and business associates are excluded from the definition of PHR vendor and PHR-related entities.
- Requires PHR vendors and PHR-related entities to notify consumers within 60 days following discovery of a breach involving unsecured identifiable health information that is in a personal health record.
- Rule requires notice to the FTC within 10 business days of discovery of a breach involving 500 or more consumers. Notice of smaller breaches can be provided to the agency on an annual basis.
FTC Rule – PHR-Related Entities
- Offer products and services through a PHR vendor’s website
- Offer products and services through the websites of HIPAA covered entities that offer individuals PHRs
- Access information in PHRs or send information to a PHR
- Examples include web-based apps that manage meds and websites offering personalized health checklists
FTC Rule – No Risk of Harm Threshold
- Unlike the HITECH regulations, even if a breach presents a minimal risk of harm the vendor is still required to give notice
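As an added example (not from this presentation), a Python helper that encodes the breach-notification decisions described on the HITECH and FTC slides above: the safe harbor for secured PHI, the HITECH exceptions and risk-of-harm threshold, the 60-day individual notice deadline counted from discovery (BA discovery is imputed to the CE), the 500-person thresholds, and the FTC's 10-business-day agency notice. The Incident fields and the business-day calculation (which ignores holidays) are assumptions for illustration only.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class Incident:
    discovered: str                 # ISO date: discovered, or should have been with reasonable diligence
    affected: int                   # individuals whose health information was involved
    secured: bool = False           # encrypted per HHS guidance, or hard copy shredded
    exception: bool = False         # a HITECH "not a breach" exception applies
    significant_harm: bool = True   # outcome of the written risk assessment (HITECH only)
    regime: str = "HITECH"          # "HITECH" for CEs/BAs, "FTC" for PHR vendors

def add_business_days(start: date, days: int) -> date:
    """Advance start by a number of weekdays (holidays ignored; a simplification)."""
    cur = start
    while days > 0:
        cur += timedelta(days=1)
        if cur.weekday() < 5:
            days -= 1
    return cur

def triage(inc: Incident) -> dict:
    """Map an incident to the notification obligations described on these slides."""
    found = date.fromisoformat(inc.discovered)
    if inc.secured:
        return {"breach": False, "reason": "secured PHI: encryption/shredding safe harbor"}
    if inc.regime == "HITECH":
        if inc.exception:
            return {"breach": False, "reason": "HITECH exception applies"}
        if not inc.significant_harm:
            return {"breach": False, "reason": "risk assessment: no significant risk of harm"}
        result = {"breach": True, "individuals_by": (found + timedelta(days=60)).isoformat()}
        if inc.affected > 500:
            result["media_and_hhs"] = "notify HHS and the media with the individual notices"
        else:
            result["hhs"] = "report to HHS in the annual log"
        return result
    # FTC Health Breach Notification Rule: no risk-of-harm threshold, notice regardless
    result = {"breach": True, "individuals_by": (found + timedelta(days=60)).isoformat()}
    if inc.affected >= 500:
        result["ftc_by"] = add_business_days(found, 10).isoformat()
    else:
        result["ftc"] = "report to the FTC annually"
    return result

if __name__ == "__main__":
    # Constructed sample: a HITECH incident affecting 700 people, discovered 4/13/11
    print(triage(Incident("2011-04-13", 700)))
```

The output for the sample is the 6/12/11 individual-notice deadline plus the HHS and media obligation; swap in regime="FTC" to see the 10-business-day agency deadline instead.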
Client Recommendations under HITECH and FTC Regulations
- Possible modification of business associate contracts to ensure:
  – prompt notice of breaches
  – costs covered by BA for required notices
- Develop Incident Response Plan
- Create Training Module
- Review document retention policies
Breach Notification Laws As of May 17, 2010, forty-six (46) states and the District of Columbia and Puerto Rico have enacted security breach notification laws Only AL, KY, NM and SD without breach laws
State Laws on Health Information & Privacy
Health information addressed in state breach laws:
– 6 states currently require notification for breaches of health information: California, Arkansas, New Hampshire, Missouri, Texas, Virginia
– Biometric information: Wisconsin (Wis. Stat. § (2008)) and Nebraska (R.R.S. Neb. § ) expanded their breach laws to include a narrower category of health-related information: biometric information, including DNA and fingerprints