© Copyright 2014 Saul Ewing LLP The Coalition for Academic Scientific Computation HIPAA Legal Framework and Breach Analysis Presented by: Bruce D. Armon,

Presentation transcript:

The Coalition for Academic Scientific Computation
HIPAA Legal Framework and Breach Analysis
Presented by: Bruce D. Armon, Esq. and Karilynn Bayus, Esq., Saul Ewing LLP
March 31, 2015

Why are we here today?
• HIPAA Privacy and Security Rule Overview
• Understand the HIPAA Breach Rule
• Learn lessons from HIPAA Breaches in the News

HIPAA: What Is This About?

Breaches in the News
• This is not a movie
• This is a real issue
• 1 billion data records compromised in

2014 Year in Review
• 1,023,108,267 records breached in ,541 breach incidents
• 78% increase in breached records from 2013
Source: 2014 Breach Level Index

Breaches in the News: Affects every sector of the economy

Breaches in the News: Education

Breaches in the News: Healthcare

HIPAA Overview
• The Health Insurance Portability and Accountability Act of 1996 (P.L ) (HIPAA).
• In 2009 Congress enacted the Health Information Technology for Economic and Clinical Health (HITECH) Act as part of the American Recovery and Reinvestment Act of 2009, which made changes to HIPAA, including a new breach notification requirement.
• The HITECH final rule has been in effect since September 23,

Administrative “Simplification”
• Privacy Standards
• Electronic Transactions and Code Sets Standards
• Security Standards
• Breach Notification
• Enforcement Provisions

What is the Privacy Rule?
The Privacy Rule sets national standards to protect the privacy of individuals’ “protected health information” and applies to “covered entities”.

Individually Identifiable Health Information
Individually Identifiable Health Information (IIHI) is health information that identifies an individual, or for which there is a reasonable basis to believe it could be used to identify an individual.
“Health Information” is any information (including genetic information), whether oral or recorded in any form or medium, that:

Individually Identifiable Health Information (cont’d)
• Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and
• Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.

Protected Health Information
• The focus of the Privacy Rule is Protected Health Information (PHI).
• PHI is IIHI that is transmitted or maintained in electronic or any other form or medium, with limited exceptions.

Applicability
The Privacy Rule applies to covered entities:
• Health Care Providers that transmit health information in electronic form in connection with a covered transaction
• Health Plans
• Health Care Clearinghouses

Uses and Disclosures of PHI
• General Rule: Covered entities may not use or disclose PHI except as permitted by the Privacy Rule.
• An individual’s consent is not required when PHI is to be disclosed for purposes of:
  ● Treatment
  ● Payment
  ● Health Care Operations

PHI and Research
• PHI may be used or disclosed for research without a patient’s authorization if a waiver of authorization has been approved by an IRB or privacy board.
• Otherwise, a patient’s authorization is required for use or disclosure of PHI for a research study.

My University and HIPAA
• How does my university fit in?
• Are we a covered entity?
• Are we a business associate?
• What documentation do we have in place?

HIPAA Security Rule Standards
• 9 Administrative Safeguard Standards
  ● 12 Required Implementation Specifications
  ● 11 Addressable Implementation Specifications
• 4 Physical Safeguard Standards
  ● 4 Required Implementation Specifications
  ● 6 Addressable Implementation Specifications
• 5 Technical Safeguard Standards
  ● 4 Required Implementation Specifications
  ● 5 Addressable Implementation Specifications

9 Administrative Safeguard Standards
• Security Management Process
• Assigned Security Responsibility
• Workforce Security
• Information Access Management
• Security Awareness and Training
• Security Incident Procedures
• Contingency Plan
• Evaluation
• Business Associate Contracts and Other Arrangements

4 Physical Safeguard Standards
• Facility Access Controls
• Workstation Use
• Workstation Security
• Device and Media Controls

5 Technical Safeguard Standards
• Access Control
• Audit Controls
• Integrity
• Person or Entity Authentication
• Transmission Security

We think there was a breach… What do we need to do?

Breach Notification: General Rule
Covered entities are required to report breaches of unsecured PHI to the individuals involved, to the Secretary of HHS and possibly to the media.

Breach Definition
• A “breach” is an acquisition, access, use or disclosure of PHI in a manner not permitted under the Privacy Rule which compromises the security or privacy of the PHI.
• Three exclusions:
  ● Good faith, unintentional acquisition, access or use by a workforce member that does not result in further use or disclosure;
  ● Inadvertent disclosure by an authorized person to another authorized person, where the information is not further used or disclosed;
  ● Disclosure where the information could not reasonably have been retained.

Risk Assessments
Risk assessments must include at least the following factors:
(1) Nature and extent of the PHI involved, including the types of identifiers and likelihood of re-identification;
(2) Unauthorized person who used the PHI or to whom the disclosure was made;
(3) Whether PHI was actually acquired or viewed; and
(4) The extent to which the risk to the PHI has been mitigated.

Notification Requirements
• Always to the individual(s) affected: without unreasonable delay and no later than 60 days
• Always to the Secretary: timing depends on whether more than 500 individuals are affected
  ● If fewer than 500 individuals, must keep a log of breaches and report to HHS within 60 days of the end of the calendar year
• To the media if more than 500 residents of a State or jurisdiction are affected: without unreasonable delay and no later than 60 days
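The notification thresholds and clocks on this slide can be turned into a small deadline calculator. The following is an added example, not part of the presentation; `notification_plan` and its inputs are assumed names, the sample breaches are constructed, and the handling of 500 or more individuals (HHS on the same 60-day clock as individuals) is an assumption the slide does not state.

```python
from datetime import date, timedelta

# Thresholds and clocks as summarised on the slide.
NOTICE_WINDOW_DAYS = 60        # "without unreasonable delay and no later than 60 days"
LARGE_BREACH_THRESHOLD = 500   # HHS timing and media notice both hinge on this count


def notification_plan(discovered_iso: str, affected_by_state: dict) -> dict:
    """Who must be notified about a breach of unsecured PHI, and by what date.

    discovered_iso:    date the breach was discovered, e.g. "2015-03-31"
    affected_by_state: State or jurisdiction -> number of its residents affected
    Deadlines are returned as ISO date strings so the plan can be logged as-is.
    """
    discovered = date.fromisoformat(discovered_iso)
    total = sum(affected_by_state.values())
    notice_deadline = (discovered + timedelta(days=NOTICE_WINDOW_DAYS)).isoformat()
    plan = {"total_affected": total}

    # Individuals: always, no later than 60 days after discovery.
    plan["individuals"] = notice_deadline

    # Secretary of HHS: always, but the clock depends on the head count.
    if total < LARGE_BREACH_THRESHOLD:
        # Fewer than 500: keep the breach on the annual log and report it to HHS
        # within 60 days of the end of the calendar year in which it was discovered.
        year_end = date(discovered.year, 12, 31)
        plan["hhs"] = (year_end + timedelta(days=NOTICE_WINDOW_DAYS)).isoformat()
        plan["hhs_annual_log"] = True
    else:
        # Assumption (not stated on the slide): 500 or more individuals puts HHS
        # on the same 60-day clock as the individual notices.
        plan["hhs"] = notice_deadline
        plan["hhs_annual_log"] = False

    # Media: only in each State or jurisdiction where more than 500 residents are affected.
    media = {state: notice_deadline
             for state, count in affected_by_state.items()
             if count > LARGE_BREACH_THRESHOLD}
    if media:
        plan["media"] = media
    return plan


if __name__ == "__main__":
    # Constructed sample inputs: two breaches discovered on the presentation date.
    print(notification_plan("2015-03-31", {"PA": 120, "NJ": 30}))    # small: annual HHS log
    print(notification_plan("2015-03-31", {"PA": 700, "NJ": 200}))   # large: media notice in PA
```

Note that the slide says "less than 500" for the annual log and "more than 500" for the media, so exactly 500 in one state triggers neither branch's special handling here; check the regulation text before relying on that edge.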

Recent HIPAA Resolution Agreements: University Related
• New York and Presbyterian Hospital and Columbia University paid HHS $4.8 million for failing to secure electronic PHI on their network (May 2014)
• Idaho State University paid HHS $400,000 for unsecured PHI caused by the disabling of firewall protections at servers maintained by the University (May 2013)

How To Respond If There Is A Breach
• Hit the ground running
• Gather evidence
• Disclose and inform
• Customer/patient relations
• Media strategy
Source: IT Governance USA Blog

Hypothetical Scenarios

Takeaways
• Make sure e-PHI is secured and risk assessments are regularly performed
• Know your institution’s policies and procedures for reporting breaches
• Err on the side of caution
• Do not make system changes without confirming their effect on the security of e-PHI

Thank you!