Posted on 23-Jun-2020


Potential Liability for HIPAA Violations: A Primer

Wednesday, March 23, 2016

Presented By the IADC Medical Defense and Health Law Committee and In-House and Law Firm Management Committee

Welcome! The Webinar will begin promptly at 12:00 pm CDT. Please read and follow the instructions below:

• For your information, this Webinar presentation is being recorded.

• If you have not already done so, please join the conference call.

• Mute your phone line. If you do not have a mute button or are on a cell phone, press *1 to mute your phone.

• If you are on a conference phone, please move all cellular or wireless devices away from the conference phone to avoid audio interference.

• If you have questions during the presentation, you may use the Q&A pod on the upper-right-hand side of your screen. Questions typed there are sent to the presenter for response. If your question is not answered during the presentation, our presenter will answer questions at the end of the webinar.

• Visit the “Files” pod in the lower-right-hand corner of the screen if you would like to download a copy of this PowerPoint presentation.

Type your questions for presenters here in the Q&A Pod

Click on the file name to download this Power Point or any referenced documents

IADC Webinars are made possible by a grant from The Foundation of the IADC. The Foundation of the IADC is dedicated to supporting the advancement of the civil justice system through educational opportunities like these Webinars. For more information on The Foundation, visit www.iadcfoundation.org.

Presenters

Robert G. Smith, Jr., Lorance & Thompson, P.C., Houston, TX – rgs@lorancethompson.com

Cathy Bryant, Texas Medical Liability Trust, Austin, TX – cathy-bryant@tmlt.org

Potential Liability for HIPAA Violations: A Primer

This Webinar will be a nuts and bolts presentation regarding HIPAA and potential liability for HIPAA violations. The program will include a discussion of the potential liability of law firms for HIPAA violations.

For the purposes of the webinar, we will limit our discussion to federal law, HIPAA. It is important for attorneys to be aware of state-specific laws where they practice; e.g., in Texas, law firms can be considered Covered Entities under the Texas Medical Privacy Act.

FBI Warns Law Firms

• 2009: the FBI first warned that law firms were the targets of hackers.

• 2013: the FBI repeated the warning: “We have hundreds of law firms that we see increasingly being targeted by hackers.”

• A complete set of medical records is more valuable than financial records and social security numbers.

• Resale value of medical information used for Medical Identity Theft.

“(law firms) are a treasure trove that is extremely attractive to criminals, foreign governments, adversaries and intelligence entities.” (American Bar Association Cybersecurity Legal Task Force)

Law firms rank 7th most vulnerable industry to “malware encounters.” (Cisco Systems – 2015 Annual Security Report)

80% of the Big Law Firms Hacked (Source: Modern Healthcare)

HIPAA Overview

HIPAA Privacy Rule (effective 2003): Rule covers Protected Health Information in all forms:

• Verbal

• Written

• Electronic

HIPAA Security Rule (effective 2005): Rule covers Protected Health Information in electronic format only.

HIPAA Breach Notification Rule (effective 2013): Rule covers all breaches of protected health information by a Covered Entity or a Business Associate.

Omnibus Rule (effective 2013): Sweeping changes to HIPAA; Patient Rights; Business Associates directly responsible for HIPAA.

HIPAA – Who?

• Covered Entity

• Business Associate

• Subcontractor

Definitions: 45 CFR 160.103

HIPAA – What? Protected Health Information

The Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information "protected health information (PHI)."

“Individually identifiable health information” is information, including demographic data, that relates to:

• the individual’s past, present or future physical or mental health or condition,

• the provision of health care to the individual, or

• the past, present, or future payment for the provision of health care to the individual,

• and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual.

Breach

“A breach is, generally, an impermissible use or disclosure under the [HIPAA] Privacy Rule that compromises the security or privacy of the protected health information.

An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate … demonstrates that there is a low probability that the protected health information has been compromised [aka “Lo-Pro-Co”] based on a risk assessment of at least 4 factors”

When is a Breach not a Breach?

PHI that is unusable, unreadable or indecipherable to unauthorized persons through the use of a technology or methodology.

Cost of a Breach

5th Annual Benchmark Study on Patient Privacy and Data Security, The Ponemon Institute

A healthcare breach can cost $363 per record, made up of:

• Public relations / crisis response

• Legal fees

• Forensics

• Cost of notifying patients

• Credit monitoring

• Call center

OCR Process

1. OCR Intake & Review. The matter is resolved at intake (RESOLUTION) if:

• the violation did not occur after 4.14.2003;

• the entity complained about was not covered by the Privacy Rule; or

• the incident described does not violate the Privacy Rule.

2. Possible Privacy or Security Rule Violation: OCR opens an Investigation. RESOLUTION:

• OCR finds no violation

• OCR finds violation with voluntary compliance, corrective action or agreement

• OCR issues formal finding of violation

• Fines

• Penalties (CMP)

3. Possible Criminal Violation: OCR refers the matter to DOJ; Accepted by DOJ.

HIPAA Violations & Enforcement

HIPAA Violation: Individual did not know (and by exercising reasonable diligence would not have known) that he/she violated HIPAA

Minimum Penalty: $100 per violation, with an annual maximum of $25,000 for repeat violations

Maximum Penalty: $50,000 per violation, with an annual maximum of $1.5 million

HIPAA Violation: HIPAA violation due to reasonable cause and not due to willful neglect

Minimum Penalty: $1,000 per violation, with an annual maximum of $100,000 for repeat violations

Maximum Penalty: $50,000 per violation, with an annual maximum of $1.5 million

HIPAA Violation: HIPAA violation due to willful neglect but violation corrected within the required time period

Minimum Penalty: $10,000 per violation, with an annual maximum of $250,000 for repeat violations

Maximum Penalty: $50,000 per violation, with an annual maximum of $1.5 million

HIPAA Violation: HIPAA violation is due to willful neglect and is not corrected

Minimum Penalty: $50,000 per violation, with an annual maximum of $1.5 million for repeat violations

Maximum Penalty: $50,000 per violation, with an annual maximum of $1.5 million

Review of OCR Investigations

34,514 breach report or complaint investigations:

• 23,731 – corrective action required (69%)

• 10,783 – no violation (31%)

1/3rd were found to have no violation; 2/3rds had violations.

ABA Model Rules of Professional Conduct

Lawyers are required “to make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”

Reasonable efforts include:

• taking steps to prevent someone from hacking into a law firm’s computer network

• preventing staff from posting client information on the Internet

• training

Potential Liability Under HIPAA

A lawyer must also consider duties arising under HIPAA, for example, and other laws intended to protect data privacy.

“Ignorance of technology is not a defense.”

Lawyers must “stay abreast of changes in the law and its practice, [and] need to have a basic understanding of the benefits and risks of relevant technology.”

What Privacy and Security issues exist in firms related to PHI?

Paper

45 CFR 164.530 – Administrative Requirements

45 CFR 164.530(c) Standard: Safeguards – Have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information.

Implementation specification:

• must reasonably safeguard PHI from any intentional or unintentional use or disclosure

• must reasonably safeguard protected health information to limit incidental uses or disclosures

Basic Password Protection Protocols

1. Password length

2. Password complexity (Upper, Lower, Number and Special character)

3. Frequently changed

Weak Passwords

In 2012, the most common passwords were:

1. Password

2. 123456

In 2015, the most common passwords were:

1. Password

2. 123456

Password – 45 CFR 164.308 & 164.312 – Technical Safeguard
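The three password controls listed above (length, character-class complexity, rotation) plus a blocklist of the common passwords the slide names can be enforced with a small policy check. The following Go program is an added example written for this page; it is not code from the presenters or from any HIPAA guidance. The numeric thresholds (12 characters, 90 days) are assumptions chosen for the example, since neither HIPAA nor the slide fixes them.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// Policy holds the three controls from the slide (length, complexity,
// rotation) plus a blocklist of known-weak passwords. The values in
// DefaultPolicy are assumptions for this example; HIPAA does not set them.
type Policy struct {
	MinLength      int
	RequireUpper   bool
	RequireLower   bool
	RequireDigit   bool
	RequireSpecial bool
	MaxAgeDays     int      // 0 disables the rotation check
	Blocklist      []string // compared case-insensitively
}

// DefaultPolicy seeds the blocklist with the two passwords the slide names
// as the most common in both 2012 and 2015.
func DefaultPolicy() Policy {
	return Policy{
		MinLength: 12, RequireUpper: true, RequireLower: true,
		RequireDigit: true, RequireSpecial: true, MaxAgeDays: 90,
		Blocklist: []string{"Password", "123456"},
	}
}

// Check returns every policy rule the candidate violates; an empty result
// means the password is acceptable. ageDays is how long ago it was last set.
func Check(p Policy, password string, ageDays int) []string {
	var failures []string
	if len([]rune(password)) < p.MinLength {
		failures = append(failures, fmt.Sprintf("shorter than %d characters", p.MinLength))
	}
	var upper, lower, digit, special bool
	for _, r := range password {
		switch {
		case unicode.IsUpper(r):
			upper = true
		case unicode.IsLower(r):
			lower = true
		case unicode.IsDigit(r):
			digit = true
		case unicode.IsPunct(r) || unicode.IsSymbol(r):
			special = true
		}
	}
	if p.RequireUpper && !upper {
		failures = append(failures, "no upper-case letter")
	}
	if p.RequireLower && !lower {
		failures = append(failures, "no lower-case letter")
	}
	if p.RequireDigit && !digit {
		failures = append(failures, "no digit")
	}
	if p.RequireSpecial && !special {
		failures = append(failures, "no special character")
	}
	for _, bad := range p.Blocklist {
		if strings.EqualFold(password, bad) {
			failures = append(failures, "appears on the common-password blocklist")
			break
		}
	}
	if p.MaxAgeDays > 0 && ageDays > p.MaxAgeDays {
		failures = append(failures, fmt.Sprintf("older than %d days", p.MaxAgeDays))
	}
	return failures
}

func main() {
	// Constructed sample inputs: the two slide passwords and one that passes.
	cases := []struct {
		pw  string
		age int
	}{{"Password", 30}, {"123456", 30}, {"Tr0ub4dor&3x-Lawfirm", 10}, {"Tr0ub4dor&3x-Lawfirm", 120}}
	for _, c := range cases {
		fmt.Printf("%-24q -> %v\n", c.pw, Check(DefaultPolicy(), c.pw, c.age))
	}
}
```

Both slide passwords fail on several rules at once, which is the point of checking against a blocklist rather than complexity alone: "Password" satisfies the upper/lower rules and would pass a naive complexity check. One caveat on rule 3: NIST SP 800-63B now advises against forced periodic rotation unless compromise is suspected, so MaxAgeDays is left switchable (0 disables it) rather than hard-wired.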

Is PHI sent encrypted or through a secure file sharing technology? Transmitting encrypted data can be accomplished efficiently and without appreciably slowing down the system.

Email PHI

Dr. Expert Witness
Somewhere, USA

Dear Dr. Expert Witness,

Here are all the medical reports I need you to review in this bad case.

Thanks,
Unencrypted Attorney

Do you send emails containing PHI or medical record attachments?

45 CFR 164.312 – Technical Safeguard

Encryption

• Encryption is not a password or passcode!

• Encryption is the process of translating words or text into “code” which conceals the text.

Objections to Encryption

• It is not “required” by HIPAA. True; but if you don’t encrypt, you must show what you did to protect PHI that is equal to encryption.

• It slows down my PC/laptop …

• It costs money.

45 CFR 164.312 – Technical Safeguard
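The “When is a Breach not a Breach?” safe harbor and the encryption slides above both turn on the same property: once an attachment is encrypted, the PHI in it is unreadable to anyone without the key, and the cost is negligible. The Go program below is an added example written for this page, not code from the presenters; it encrypts a constructed sample report with AES-256-GCM (an assumed choice of algorithm, not one the slides name), shows that the recipient’s name no longer appears in the output, and shows that a tampered or wrong-key message is rejected rather than decrypted into garbage.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// SamplePHI is a constructed stand-in for a medical report attachment;
// it is not real patient data.
var SamplePHI = []byte("Patient: Jane Doe (constructed sample)\nDOB: 1970-01-01\nDx: example diagnosis\n")

// NewKey returns a fresh 256-bit key for AES-256-GCM. The key must reach the
// recipient over a channel separate from the message it protects.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptAttachment seals plaintext with AES-256-GCM and returns
// nonce || ciphertext || authentication tag. GCM requires a nonce that is
// never reused under the same key, so a random one is drawn per call.
func EncryptAttachment(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends the ciphertext and tag to the nonce buffer.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptAttachment reverses EncryptAttachment. Any modification of the blob,
// or use of the wrong key, makes Open fail instead of returning garbage.
func DecryptAttachment(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob shorter than nonce")
	}
	nonce, sealed := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, sealed, nil)
}

// Exposes reports whether a recognizable fragment of the plaintext still
// appears verbatim in the blob, i.e. whether the data is still "readable".
func Exposes(blob, fragment []byte) bool {
	return bytes.Contains(blob, fragment)
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	blob, err := EncryptAttachment(key, SamplePHI)
	if err != nil {
		panic(err)
	}
	fmt.Printf("ciphertext is %d bytes; patient name visible: %v\n", len(blob), Exposes(blob, []byte("Jane Doe")))

	plain, err := DecryptAttachment(key, blob)
	fmt.Printf("recipient decrypts: err=%v, matches original=%v\n", err, bytes.Equal(plain, SamplePHI))

	blob[len(blob)-1] ^= 0x01 // simulate corruption or tampering in transit
	_, err = DecryptAttachment(key, blob)
	fmt.Printf("tampered blob: err=%v\n", err)
}
```

The part the slides call out as the common mistake is key handling: a password-protected archive whose password rides in the same email, or a key stored next to the laptop’s backup media, leaves the PHI readable to whoever has the message or the device. The safe harbor applies only when the key is not compromised along with the data.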

The Problem with Unencrypted Devices

August 2015 OCR Settlement with Cancer Care Group: a laptop and backup media (unencrypted) were stolen from an employee’s vehicle; 5,500 records. Cancer Care was “in widespread non-compliance with the HIPAA Security Rule”:

• Had not conducted an enterprise-wide risk analysis

• Did not have written P&P specific to removal of hardware and electronic media

• Did not encrypt

Encryption is a basic cyber risk management tool. Cyber liability insurance applications now ask about the use of encryption – and can result in an endorsement excluding unencrypted portable devices.

Do you use your Personal Devices to store or access PHI?

BYOD

• The use, or potentially, the loss or theft of smartphones and other devices.

• With the storage capacity of smartphones increasing, attorneys are storing more and more information on them, including email, email attachments and documents.

• The use of personal devices also makes it more difficult for firms to institute good security practices.

• Attorneys should take “reasonable steps” to safeguard the confidential information accessible on their mobile phones. For example, does the phone permit remote wiping of the information stored in the event that it is lost or stolen? Is it enabled?

45 CFR 164.308 & 164.312 – Administrative & Technical Safeguards

Cloud Storage

According to New York State Bar Association Committee on Professional Ethics Opinion 842, a lawyer in New York may use an online “cloud” computer data backup system to store client files so long as the lawyer takes “reasonable care” to protect the client’s confidential information from unauthorized disclosure, which includes the following three steps:

1. Ensuring that the online data storage provider has an enforceable obligation to preserve confidentiality and security, and the provider will notify the lawyer if served with process regarding the production of client information;

2. Investigating the online data storage provider’s security measures, policies, recoverability methods, and other procedures to determine if they are adequate under the circumstances; and

3. Employing available technology to guard against reasonably foreseeable attempts to infiltrate stored data.

45 CFR 164.310, 164.312 & 164.314

Unsecure Wi-Fi

• Wireless networks that can be freely accessed without a password.

• Attorneys spend a great deal of time away from the office, and attempt to get work done wherever they may find themselves.

• To get work done while on the road, attorneys may access the Internet while at the airport or other hotspot that has open access.

45 CFR 164.312 – Technical Safeguard

Unpatched/Outdated Software

Vulnerabilities arise from running unpatched or outdated software.

End of Life – the vendor will no longer release security patches for the operating system. Any holes hackers find will be left unpatched and the software is now fundamentally unsecure.

• Windows 8 – End of Life January 13, 2016

• Internet Explorer – End of Life January 12, 2016

• Windows Server 2003 – End of Life July 14, 2015

• Windows XP – End of Life April 4, 2014

45 CFR 164.308 & 164.312 – Administrative & Technical Safeguard

Photo Copiers – Hard Drives

CBS News: Digital Photocopiers Loaded With Secrets (April 19, 2010)

Affinity Health Plans – Reported Breach to HHS April 2010; Settlement Agreement August 2013

• Settled potential violations of the HIPAA Privacy and Security Rules for $1,215,780.

• Affinity impermissibly disclosed the protected health information of up to 344,579 individuals.

• Affinity returned multiple photocopiers to a leasing agent without erasing the data contained on the copier hard drives.

• Affinity failed to incorporate the electronic protected health information stored in the copiers’ hard drives in its analysis of risks and vulnerabilities as required by the Security Rule.

• Affinity failed to implement policies and procedures when returning the hard drives to its leasing agents.

45 CFR 164.310 – Physical Safeguard

What is the proper way to dispose of PHI?

Sanitization and Disposal: NIST Publication 800-88 r1

Medical Records

Radiology Regional Center in Florida notified patients of a possible healthcare data breach after some paper records were found on a street on December 19, 2015. 483,063 individuals potentially affected.

“A small quantity of records” fell onto the street while being transported by Lee County Solid Waste Division, which is responsible for the disposal of Radiology patient records.

“As a result of our numerous searches, we believe that virtually all of the records were retrieved. To ensure an incident like this does not happen again, we have taken steps to change how paper records are transported and destroyed,” the statement explained. “Lee County Solid Waste Division will no longer be responsible for transporting our records for disposal.”

Law Firm Compliance Obligations

The Omnibus Rule (2013) clarifies: Business Associates and their subcontractors are directly liable under HIPAA and must comply with some of the Privacy Rule, all of the Security Rule and Breach Notification.

• Limiting use and disclosure of PHI

• Impermissible use and disclosure of PHI

• Failing to provide breach notification

• Failing to provide access to a copy of ePHI to the CE or individual

• Failing to account for disclosure of PHI

• Failing to disclose PHI to the Secretary of HHS related to an investigation about the BA’s HIPAA compliance

• Failing to comply with the requirements of the HIPAA Security Rule

• Failing to enter into a subcontractor BAA

Cyber Risk Management

A Caveat About Cyber Insurance

Cyber insurance is not a substitute for a good cyber risk management program, as all losses may not be covered by an insurance policy.

Increasing cyber risks and regulatory violations require cybersecurity to be integrated into your business risk.

Complacency is not a risk management strategy!

The OCR’s “Roadmap”

Jocelyn Samuels: “It is critical that entities take a comprehensive and thorough approach to assessing and addressing the risk to all of the protected health information they maintain.”

“Have comprehensive policies and procedures for compliance with the HIPAA Rules, but also the P & P must be clearly communicated to and implemented by all workforce members.”

Do You Know Where You Have PHI?

RISK IDENTIFICATION: Where do you create, maintain, transmit or store PHI/ePHI?

HIPAA Risk Assessment

The first Implementation Specification of the Security Rule requires covered entities and business associates to conduct a security risk analysis.

“The one unforgivable in the eyes of the OCR is failure to conduct a risk assessment.”

TRAINING

What employees need to be trained and how?

45 CFR §164.530 Administrative requirements. (b)(1) Standard: Training. A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information required by this subpart and subpart D of this part, as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity.

Educated Workforce

Employee education is paramount: “See Something – Say Something”

• Federal – as soon as possible

• Texas – new employees must be trained within 90 days of employment

What written policies and procedures should a firm have?

Beware of P&P Templates – they should reflect what is actually done.

December 2014 Anchorage Community Mental Health Services OCR Settlement Agreement:

• 2012: ePHI was compromised due to malware compromising the security of its IT services

• $150,000 fine and adopt a plan of correction

• Organization had adopted sample P&P in 2005 but never followed them

• The breach was a direct result of failing to identify and address basic risks

Need Expert Guidance?

As the forms of connected technology used by healthcare providers increase, so will their cybersecurity risks.

Therefore, providers will need assistance in mitigating the proliferation and diversity of their cyber risks, including help with their:

• IT Systems;

• Privacy, Security, & Breach Risk Assessments;

• Staff Privacy Training; and

• Risk Transfer (cyber insurance).

The Road to HIPAA Compliance

Compliance checklist (Yes / No for each item):

1. Appoint a Privacy and Security Officer

2. Conduct a Risk Assessment

3. Develop a Risk Management/Mitigation Plan for Risks Identified

4. Create or Update Policies and Procedures

5. Develop a BAA and Subcontractor BAA

6. Develop a Plan for Handling Breaches

7. Workforce Training

8. Consider Cyber Insurance

Questions for Presenters?

Robert G. Smith, Jr., Lorance & Thompson, P.C., Houston, TX – rgs@lorancethompson.com

Cathy Bryant, Texas Medical Liability Trust, Austin, TX – cathy-bryant@tmlt.org

Potential Liability for HIPAA Violations: A Primer

Wednesday, March 23, 2016

Thank you for Participating!

To access the PowerPoint presentation from this or any other IADC Webinar, visit our website under the Members Only Tab (you must be signed in) and click on “Resources” then “Past Webinar Materials,” or contact Melisa Maisel Vanis at mmaisel@iadclaw.org.
