
1 Walking the Health Care High Wire: Vulnerability & Breach Disclosure Requirements
Elizabeth Wharton Hall, Booth, Smith & Slover, P.C. 191 Peachtree Street N.E. Suite 2900 Atlanta, GA 30303

2 The Game: Data Breach & Vulnerability Disclosure Requirements in Health Care

3 The Game Plan
The Field: Federal & State
Players & Playbook
The Risks & Reward

4 The Field
HHS – health care information
FTC – non-health care information
States – data breach, including health care

5 The Stakes
The Paycheck: fines
Suspension: criminal penalties
Endorsement Deals: reputation

6 The Players
Patients, Providers, Business Associates, Researchers, Vendors

7 Team Roster
BA = Business Associate
CE = Covered Entity
PHI = Protected Health Information: individually identifiable information relating to the past, present or future health condition of a person
ePHI = electronic Protected Health Information

8 The Rules: Federal Conference
Federal statutes: HIPAA Security Rule, HITECH Act

9 The League Rules: First Period
Security Regulations (45 C.F.R. , 310, 312, and 316). A BA must:
Ensure the confidentiality, integrity, and availability of all ePHI it creates, receives, maintains or transmits;
Protect against any reasonably anticipated threats or hazards to the security or integrity of such information;
Protect against any reasonably anticipated uses or disclosures of such information; and
Ensure compliance by its entire workforce.

10 The League Rules: Second Period
Two categories of implementation specification: Required or Addressable.
Addressable – assess whether each implementation specification is a reasonable and appropriate safeguard in its environment, when analyzed with reference to the likely contribution to protecting the entity's ePHI.
If not implementing – document why it is not reasonable and appropriate, and implement an alternative if one is available.

11 The League Rules: Third Period
Security Rule – three components: Physical, Administrative & Technical
Physical Safeguards:
Facility access controls
Workstation use
Workstation security
Device & media controls

12 The League Rules: Third Period
Technical Safeguards:
Access control
Audit controls (record and examine activity)
Integrity (protect from improper alteration or destruction)
Person or entity authentication
Transmission security (ensure data is not improperly modified; encryption)

13 The League Rules: Third Period
Administrative Safeguards:
Security management process
Assigned security responsibility
Workforce security
Information access management
Security awareness and training
Security incident procedures
Contingency plan
Evaluation
BA contracts

14 The League Rules: Overtime
Security management process: risk analysis and risk management

15 The League Rules: Shootout
HITECH: BAs and BA Agreements
Enforcement: DOJ investigates; if not, HHS/OCR (Office of Civil Rights); then the state AG
Criminal penalties – up to a year in prison
Civil penalties – 4 tiers
2/17/11 – required to investigate "Willful Neglect"
2/17/12 – "Whistleblower" provision (share in $ collected)

16 The League Rules: Federal Conference
Penalty Box – four tiers:
Without knowledge: $100/violation; $25k cap
Reasonable cause: $1k/violation; $100k cap
Willful neglect: $10k/violation; $250k cap
Willful neglect & not corrected: $50k/violation; $1.5m cap

17 Federal Conference "Elevator" Cheat Sheet
Reasonably anticipated
Encrypted or indecipherable
Limited access
No modification of data
Policies & procedures

18 The Playbook: Breach
Breach: unauthorized acquisition, access, use or disclosure of protected health information which compromises the security or privacy of such information.
"Compromises" – poses a significant risk of financial, reputational, or other harm to the individual.
NOT a breach – unintentional; data not accessed/read.

19 The Playbook: Notification
Notification within 60 days.
If more than 500 residents in an area: must tell a prominent media outlet and notify the Secretary of HHS; HHS will post the breach on its website.
Written notice, delivered by mail or (if the individual prefers) .
If no contact information: post notice on the website, in newspapers or via broadcast media.

20 The League Rules: Home Team Advantage
State statutes: not just health care – data breach generally.
46 states & the District of Columbia have enacted data breach notification statutes (National Conference of State Legislatures, Oct. 2010).
States without: AL, KY, NM, SD

21 The League Rules: Home Team Advantage
Reasonable – notification & steps to prevent
Anticipated
Encrypted
Actual harm; disclosure v. breach
Fraud
Impact on state residents
Does the location of the business in the state matter?
* CA has a 5-day notification requirement

22 California Civil Code § 1798.80 – Home Team Advantage
(e) "Personal information" means any information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to … name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver's license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information.

23 Home Team Advantage: California – per article of 1/10/11 by Doug Pollack on idExperts
In mid-2010, CDPH announced that it had imposed $675,000 in fines on six hospitals; only 244 patients were involved.
Later in 2010, CDPH fined an additional eight facilities for a "failure to prevent unauthorized access to confidential patient medical information." Fines totaled $792,500. The majority had breached the privacy of only one to ten patients in each incident.

24 Connecticut – Sec. 36a-701b. Home Team Advantage
"breach of security" means unauthorized access to or acquisition of electronic files, media, databases or computerized data containing personal information when access to the personal information has not been secured by encryption or by any other method or technology that renders the personal information unreadable or unusable;

25 Connecticut – Sec. 36a-701b. Home Team Advantage
(b) Any person who conducts business in this state, and who, in the ordinary course of such person's business, owns, licenses or maintains computerized data that includes personal information, shall disclose any breach of security following the discovery of the breach to any resident of this state whose personal information was, or is reasonably believed to have been, accessed by an unauthorized person through such breach of security.

26 Connecticut – Sec. 36a-701b. Home Team Advantage
(c) Any person that maintains computerized data that includes personal information that the person does not own shall notify the owner or licensee of the information of any breach of the security of the data immediately following its discovery, if the personal information was, or is reasonably believed to have been, accessed by an unauthorized person.

27 Home Team Advantage: Massachusetts Data Privacy Law 201 CMR 17 (effective March 1, 2010)
Covers misuse of personal data by individuals, companies and third-party providers that store, collect or use personal information (including name, social security number, driver's license number or financial information) on Massachusetts residents – regardless of whether those organizations are based in or have offices in the state.

28 Home Team Advantage: Mississippi – Effective July 1, 2011
(a) "Breach of security" means unauthorized acquisition of electronic files, media, databases or computerized data containing personal information of any resident of this state when access to the personal information has not been secured by encryption or by any other method or technology that renders the personal information unreadable or unusable;

29 Home Team Advantage: Mississippi – Notification
The disclosure shall be made without unreasonable delay after investigation.
Not required if the person reasonably determines that the breach will not likely result in harm to the affected individuals.

30 Home Team Advantage: Mississippi – Notification
A person that maintains data which includes personal information … must notify the owner or licensee … of any breach of the security of the data as soon as practicable following its discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person for fraudulent purposes.
Method of notice: cost cap of $5k – if notice would cost more than that, an alternative method of notice is ok.

31 Home Team Advantage: Vermont – 9 V.S.A. § Notice of security breaches
The notice shall be clear and conspicuous. The notice shall include:
(A) The incident in general terms.
(B) The type of personal information.
(C) The general acts of the business to from further unauthorized access or acquisition.
(D) A toll-free telephone number to call for further information.
(E) Advice that directs the consumer to remain vigilant by reviewing account statements and monitoring free credit reports.

32 2 Minute Drill
Formal policies & procedures
Assessment & audit
Reasonably anticipate breach or disclosure?
Maintaining the data?
Actual v. anticipated disclosure?

33 Highlight Reel: Connecticut – SOCT v. Health Net
Feb. 2010: the CT Attorney General was the first to file.
Health Net was charged after a computer disk drive containing personal information of 500k CT individuals (1.5m nationwide) was stolen and the company failed to take appropriate action.
Data wasn't encrypted; the company failed to promptly notify.
Case settled: $250k, action plan & monitoring.

34 Highlight Reel: Indiana – WellPoint, Inc.
32,000 Indiana residents affected.
State law – required to notify within a reasonable time.
First learned data was possibly accessible via its website on Feb. 22, 2010, and again on March 8, 2010.
Began notifying customers on June 18th.

35 Highlight Reel: Vermont – Health Net
Similar issues to the CT case.
Impacted 552 Vermont residents.
Brought under both federal (HIPAA/HITECH) & state (data breach & consumer fraud) law.
$55k fine.

36 Season Preview
iPad apps – FDA approves applications
Assessment – vulnerability disclosure programs
Reasonable – higher level
Who to report to?
CYA

37 The Game Plan
The Field: Federal & State – HIPAA, HITECH, state data breach statutes
Players & Playbook – CE, BA, state resident
The Risks & Reward – reasonable assessment, penalties

38 Hall, Booth, Smith & Slover, P.C.
191 Peachtree Street N.E. Suite 2900 Atlanta, GA 30303
