
“24” HIPAA Edition: A Day in the Life of a Breach (Session 811)

Jenny Corotis Barnes, Associate General Counsel, Ohio State University Wexner Medical Center (Columbus, Ohio)

Chanley Howell, Foley & Lardner (Jacksonville, Florida)

Jason D. Stevens, Assistant General Counsel, Novant Health (Charlotte, North Carolina)

• History of HIPAA

– HIPAA (1996)

– Security Rule and Privacy Rule (2003)

– HITECH Act and Stimulus Package (2009): new breach reporting; increased enforcement and audits

– Omnibus Regulations, “The New Rule” (January 2013)

Type of Breach (chart; source: http://profitable-practice.softwareadvice.com/internet-isnt-to-blame-for-hipaa-breaches-0913/)

Medium of Breach (chart; same source)

How are Breaches Discovered?

• Compliance Reporting System

• Communications direct to Privacy Officer

• To Employee’s Manager

• Self-report

• Customer Service

• Security

• Office of Civil Rights

• Patient letters to CEO, etc.

--all investigated by Privacy Officer--

No more “reputational harm” analysis

Disclosure is presumed to be a breach unless we demonstrate that there is a low probability that the PHI has been compromised.

• 4 factors to consider to determine “compromised”

– Nature and extent of the identifiers involved

– The unauthorized person who used the PHI or to whom the disclosure was made

– Whether the PHI was actually acquired or viewed

– The extent to which the risk to the PHI has been mitigated

• Other factors may be considered when necessary

Step 1: Investigate

Facts to Present to Potential Breach Committee:

• Consult

• Audit

• Interview

Step 2: Analyze the Potential Breach

Participants: Privacy Officer; IT Security Officer; Legal; Privacy Officer of other areas; Medical Information Administrative Director

• Step-by-step analysis

• Trends

• Consistency

• Resolution Agreements

• Corrective Action

Outcome: Recommendation

Step 3: Mitigation

• Attestation

• Process Review

• Policies & Procedures Review

• Re-Education

• Credit Protection

Step 4: Sanctions of Staff

• Privacy Office makes a recommendation to HR or Medical Staff Administration

• Individual

• Manager

Step 5: Report Breach

Internal Summary Analysis (example):

– Breaches involving > 500 patients: none

– Breaches involving < 500 patients:

  – 100 investigations involved over 10,000 patients

  – 10 reportable breaches involving 200 patients

  – Of the 10 reportable breaches, 6 involved corrective action

  – Of those 6: 12 terminations / resignations

It all adds up!

Know your Clients (and their unique perspectives)

• Chief Executive Officer

• Chief Information Officer

• Chief Information Security Officer

• Chief Privacy Officer

• Chief Marketing Officer

• Chief Compliance Officer

Tame HIPAA Hypotheticals

* Small Scale

* Medium Scale

* Large Scale

• “Small Scale” Data Breach Scenarios

1. E-mails sent to wrong person internally

2. After Visit Summary is given to wrong patient

3. Clinic Schedule can’t be found

4. Box of PHI is left on the shipping dock

5. Snooping

- staff member about to have surgery/just had surgery

- people of interest

- high profile traumas

- patient and staff various relationships

- “hallway” discussions of patients

6. Social Media

• ER nurse posts a picture to Facebook about a 25 year old woman admitted to ER with stab wounds and broken leg.

• Nursing student posts a photo showing her posing, smiling over a placenta in a tray, while holding up the umbilical cord in her gloved hand.

• ER nurse posts a comment that she can’t stand taking care of the same “frequent flyer” drunk one more time that the police brought in off the street this evening.

• Nurse posts picture of a patient’s tattoo.

Complicating factors:

- de-identification

- patient posts first, or gives permission

- NLRB - “is it concerted activity”

• “Medium Scale” Data Breach Scenarios

• As Assistant GC for University Hospital, you have been receiving information about patient complaints (during stay and after discharge). According to the callers, patients have been receiving calls from hospital representatives offering transportation to outpatient therapy, attorney services to accident victims, and follow-up medical treatment.

• The patients then found out that the people calling were not in fact hospital representatives, but claiming to be with a different company or part of an apparent scam.

• How would you go about investigating what happened?

• Who within the hospital would you include on the team?

• Would you bring in outside consultants or possibly even law enforcement?

• University Hospital has been struggling financially over the past several years.

• The financial difficulties have resulted in salary freezes, salary cuts and layoffs.

• Your IT security department advises it has had no evidence of hacking or outside intrusion into the hospital’s network.

• Current ER registrar and recently terminated ER registrar involved

• Accessed over 250 different patient records

• Social Security number, date of birth, address, telephone number, injuries and treatment received in ER

• Solicitations for follow-up medical treatment

• Solicitations from attorneys attempting to represent the patient

• Offers to provide transportation to outpatient therapy

• Billings by “medical mills”

• What would you consider and evaluate in determining:

– Hospital’s notification obligations

– Hospital’s potential liability to patients

– Ways to mitigate the potential risks of claims against the hospital

– Lessons learned to avoid and mitigate similar occurrences in the future?

• “Large Scale” Data Breach Scenario

• Integrated Healthcare System

– AmeriHealth is an integrated healthcare system with hospitals and ambulatory physician clinics; the system has recently acquired a chain of skilled nursing facilities (SNF).

– Prior to being acquired by AmeriHealth, the SNF operator outsourced its billing services to Health Billing, which provides third party direct bill services to its clients’ payors.

– AmeriHealth plans to move the SNF billing to its revenue cycle center, but on an interim basis, AmeriHealth is still using Health Billing.

• Hypothetical (continued)

– AmeriHealth has a Business Associate Agreement in place with Health Billing; the BAA complies with the 2013 HITECH amendments.

– When AmeriHealth acquired the SNFs, it integrated many of the administrative functions, and as a result, 250 SNF employees were terminated (most with severance).

• Recently, dozens of family members of SNF patients have started calling AmeriHealth, questioning AmeriHealth’s data sharing practices. In each instance, the caller relays that he/she has been repeatedly contacted by DME companies – which press for approval to send out new CPAP equipment to the SNF patients. As an added convenience, the companies even indicate they already have credit card information on file.

• The CEO of AmeriHealth calls you to his office. What do you do?

• What else would you want to know?

• Also, consider:

– (What is the CIO thinking?)

– (What is the Chief Marketing Officer thinking?)

– (What is the Compliance Officer thinking?)

• Considerations at this juncture:

– Cyberliability insurance – and reporting responsibilities.

– Preparing for possible media attention.

– Consistent messaging to patients/callers.

– Investigation – consider Attorney/Client Privilege as your IT teams try to determine if there is a problem.

• Additional facts:

– Dan Adkins was the Chief Information Security Officer (CISO) at SNF. His position was eliminated.

– Out of pure retaliation, Dan (whose system access to the SNF system was not terminated) shared his password information with Lora Anderson, a friend of his who works at Health Billing.

– Armed with the password information, Lora remotely logged into the SNF system and captured patient demographic data which she merged with billing data (from her employer).

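The control failure in these facts is an account that survived its owner's termination. As an added example (not from the presentation or any of the organizations named), the Python below correlates a constructed HR termination feed with constructed remote-access log lines and flags every event by an account whose owner had already been terminated, including any bulk export it performed; the account names, dates, addresses and log format are all assumptions.

```python
from datetime import datetime
# Constructed HR offboarding feed: account -> termination date (hypothetical).
TERMINATIONS = {
    "dadkins": "2020-06-30",   # hypothetical CISO whose position was eliminated
    "jsmith": "2020-07-15",
}

# Constructed remote-access log of the SNF system: timestamp then key=value pairs.
AUTH_LOG = """\
2020-07-02T21:14:05 user=dadkins src=203.0.113.7 result=success method=vpn
2020-07-02T21:16:40 user=dadkins src=203.0.113.7 action=export table=patient_demographics rows=1830
2020-07-03T08:01:12 user=nurse01 src=10.20.3.44 result=success method=vpn
2020-07-06T19:45:09 user=dadkins src=203.0.113.7 result=success method=vpn
2020-07-14T09:00:00 user=jsmith src=10.20.5.9 result=success method=vpn
"""

def parse_line(line):
    """Turn 'ts key=value ...' into a dict; the timestamp is stored under 'ts'."""
    ts, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, value = field.split("=", 1)
        rec[key] = value
    return rec

def find_orphaned_access(log_text, terminations):
    """Return (timestamp, user, days_after_termination, record) for every event
    by an account whose owner's termination date had already passed."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        term = terminations.get(rec["user"])
        if term is None:
            continue
        term_dt = datetime.fromisoformat(term)  # date-only string -> midnight
        if rec["ts"] > term_dt:
            hits.append((rec["ts"], rec["user"], (rec["ts"] - term_dt).days, rec))
    return hits

def summarize(hits):
    """Per orphaned account: event count, how long access lingered, rows exported."""
    summary = {}
    for ts, user, days, rec in hits:
        s = summary.setdefault(user, {"events": 0, "max_days": 0, "exports": 0})
        s["events"] += 1
        s["max_days"] = max(s["max_days"], days)
        if rec.get("action") == "export":  # bulk pull of demographics is the red flag
            s["exports"] += int(rec.get("rows", 0))
    return summary
```

Feeding the real offboarding feed and gateway logs into the same join turns the "was access terminated?" question from the hypothetical into a routine daily check.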

• Armed with this additional information, what do you do?

• What else would you want to know?

• Also, consider:

– (What is the CIO thinking?)

– (What is the Chief Marketing Officer thinking?)

– (What is the Compliance Officer thinking?)

• Considerations at this Juncture:

– Update Cyberliability carrier.

– Engage outside counsel (along with cyber carrier).

– Familiarize yourself with additional coverage under insurance policies (data breach response coverage).

– Media relations – transparency is best, AmeriHealth is the victim.

• Considerations at this Juncture (continued):

– Understand the data breach reporting requirements.

• HIPAA

• State reporting requirements

– Consider FTC Section 5 enforcement possibility.

– Consider litigation hold obligations.

– Review potential criminal charges against Dan and Lora.

• Recommendations and Best Practices

• Questions?

– Jenny Corotis Barnes - jenny.barnes@osumc.edu

– Chanley Howell - chowell@foley.com

– Jason D. Stevens – jdstevens@novanthealth.org