TRANSCRIPT
“24” HIPAA Edition: A Day in the Life of a Breach (Session 811)
Jenny Corotis Barnes
Associate General Counsel
Ohio State University Wexner Medical Center (Columbus, Ohio)
Chanley Howell
Foley & Lardner (Jacksonville, Florida)
Jason D. Stevens
Assistant General Counsel
Novant Health (Charlotte, North Carolina)
• History of HIPAA
– 1996: HIPAA
– 2003: Privacy Rule and Security Rule
– 2009: HITECH Act and Stimulus Package: new breach reporting, increased enforcement and audits
– January 2013: Omnibus Regulations (“The New Rule”)
Type of Breach (two chart slides; source: http://profitable-practice.softwareadvice.com/internet-isnt-to-blame-for-hipaa-breaches-0913/)
Medium of Breach (chart)
How are Breaches Discovered?
• Compliance Reporting System
• Communications direct to Privacy Officer
• To Employee’s Manager
• Self-report
• Customer Service
• Security
• Office for Civil Rights
• Patient letters to CEO, etc.
All are investigated by the Privacy Officer.
No more “reputational harm” analysis
An impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity (or business associate) demonstrates, through a risk assessment, that there is a low probability that the PHI has been compromised.
• At least four factors to consider in determining whether PHI has been “compromised”:
– Nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification
– The unauthorized person who used the PHI or to whom the disclosure was made
– Whether the PHI was actually acquired or viewed
– The extent to which the risk to the PHI has been mitigated
• Other factors may be considered when necessary
Step 1: Investigate
Facts to present to the Potential Breach Committee:
• Consult
• Audit
• Interview
Step 2: Analyze the Potential Breach
Committee: Privacy Officer; IT Security Officer; Legal; Privacy Officers of other areas; Medical Information Administrative Director
• Step-by-step analysis
• Trends
• Consistency
• Resolution Agreements
• Corrective Action Recommendation
Step 3: Mitigation
• Attestation
• Process Review
• Policies & Procedures Review
• Re-Education
• Credit Protection
Step 4: Sanctions of Staff
• Privacy Office makes a recommendation to HR or Medical Staff Administration
• Individual
• Manager
Step 5: Report Breach
Internal Summary Analysis
Example:
• > 500 individuals: None
• < 500 individuals:
– 100 investigations involved over 10,000 patients
– 10 reportable breaches involving 200 patients
– Of the 10 reportable breaches, 6 involved corrective action
– Of those 6: 12 terminations / resignations
It all adds up!
Know your Clients (and their unique perspectives)
• Chief Executive Officer
• Chief Information Officer
• Chief Information Security Officer
• Chief Privacy Officer
• Chief Marketing Officer
• Chief Compliance Officer
Tame HIPAA Hypotheticals
• Small Scale
• Medium Scale
• Large Scale
• “Small Scale” Data Breach Scenarios
1. E-mails sent to wrong person internally
2. After Visit Summary is given to wrong patient
3. Clinic Schedule can’t be found
4. Box of PHI is left on the shipping dock
5. Snooping
- staff member about to have surgery / just had surgery
- people of interest
- high profile traumas
- patient and staff various relationships
- “hallway” discussions of patients
6. Social Media
• ER nurse posts a picture to Facebook about a 25 year old woman admitted to ER with stab wounds and broken leg.
• Nursing student posts a photo showing her posing, smiling over a placenta in a tray, while holding up the umbilical cord in her gloved hand.
• ER nurse posts a comment that she can’t stand taking care of the same “frequent flyer” drunk one more time that the police brought in off the street this evening.
• Nurse posts picture of a patient’s tattoo.
Complicating factors:
- de-identification
- patient posts first, or gives permission
- NLRB - “is it concerted activity?”
• “Medium Scale” Data Breach Scenarios
• As Assistant GC for University Hospital, you
have been receiving information about patient
complaints (during stay and after discharge).
According to the callers, patients have been
receiving calls from hospital representatives
offering transportation to outpatient therapy,
attorney services to accident victims, and
follow-up medical treatment.
• The patients then found out that the people
calling were not in fact hospital
representatives, but claiming to be with a
different company or part of an apparent
scam.
• How would you go about investigating what
happened?
• Who within the hospital would you include on
the team?
• Would you bring in outside consultants or
possibly even law enforcement?
• University Hospital has been struggling
financially over the past several years.
• The financial difficulties have resulted in salary
freezes, salary cuts and layoffs.
• Your IT security department advises it has had
no evidence of hacking or outside intrusion
into the hospital’s network.
• Current ER registrar and recently terminated
ER registrar involved
• Accessed over 250 different patient records
• Social Security number, date of birth, address,
telephone number, injuries and treatment
received in ER
• Solicitations for follow up medical treatment
• Solicitations from attorneys attempting to
represent the patient
• Offers to provide transportation to outpatient
therapy
• Billings by “medical mills”
• What would you consider and evaluate in
determining:
– Hospital’s notification obligations
– Hospital’s potential liability to patients
– Ways to mitigate the potential risks of claims
against the hospital
– Lessons learned to avoid and mitigate similar
occurrences in the future?
• “Large Scale” Data Breach Scenario
• Integrated Healthcare System
– AmeriHealth is an integrated healthcare system with
hospitals and ambulatory physician clinics; the system has recently acquired a chain of skilled nursing facilities (SNF).
– Prior to being acquired by AmeriHealth, the SNF operator outsourced its billing services to Health Billing, which provides third party direct bill services to its clients’ payors.
– AmeriHealth plans to move the SNF billing to its revenue cycle center, but on an interim basis, AmeriHealth is still using Health Billing.
• Hypothetical (continued)
– AmeriHealth has a Business Associate Agreement
in place with Health Billing; the BAA complies with
the 2013 HITECH amendments.
– When AmeriHealth acquired the SNFs, it
integrated many of the administrative functions,
and as a result, 250 SNF employees were
terminated (most with severance).
• Recently, dozens of family members of SNF patients have started calling AmeriHealth, questioning AmeriHealth’s data sharing practices. In each instance, the caller relays that he/she has been repeatedly contacted by DME companies – which press for approval to send out new CPAP equipment to the SNF patients. As an added convenience, the companies even indicate they already have credit card information on file.
• The CEO of AmeriHealth calls you to his office.
What do you do?
• What else would you want to know?
• Also, consider:
– (What is the CIO thinking?)
– (What is the Chief Marketing Officer thinking?)
– (What is the Compliance Officer thinking?)
• Considerations at this juncture:
– Cyberliability insurance – and reporting
responsibilities.
– Preparing for possible media attention.
– Consistent messaging to patients/callers.
– Investigation – consider Attorney/Client Privilege
as your IT teams try to determine if there is a
problem.
• Additional facts:
– Dan Adkins was the Chief Information Security Officer (CISO) at SNF. His position was eliminated.
– Out of pure retaliation, Dan (whose system access to the SNF system was not terminated) shared his password information with Lora Anderson, a friend of his who works at Health Billing.
– Armed with the password information, Lora remotely logged into the SNF system and captured patient demographic data which she merged with billing data (from her employer).
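Both the medium-scale scenario (a current and a recently terminated ER registrar pulling more than 250 patient records) and the additional facts above (a CISO's account left active after his position was eliminated, then used remotely by a business associate's employee) turn on facts that a routine review of EHR access logs against HR's roster is meant to surface. The following is an added example, not material from the presenters: it runs four such checks over a constructed access log (accounts used on or after their owner's termination date, accounts HR does not know about, users opening an unusual number of distinct charts in a day, and access from outside the hospital's own address ranges). The pipe-delimited log format, the usernames, the roster dates and the network ranges are all assumptions made for the example.

```python
"""Audit-log triage for the insider scenarios in the deck.

Added example (not the presenters' material). Everything here is constructed:
the HR roster, the network ranges and the EHR access-log lines are made up to
exercise the four checks; the log format (timestamp|user|patient_id|source_ip)
is an assumption, not any vendor's real format.
"""
import ipaddress
from collections import defaultdict
from datetime import date, datetime

# Constructed HR roster: username -> termination date (None = still employed).
HR_ROSTER = {
    "dadkins": date(2013, 3, 1),   # former SNF CISO; position eliminated
    "jsmith": date(2013, 2, 15),   # former ER registrar
    "mjones": None,                # current ER registrar
    "rlee": None,                  # clinician
}

# Constructed: address ranges treated as the hospital's own network.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]


def build_sample_log():
    """Constructed EHR access log, one access per line."""
    lines = []
    # Ordinary clinical use: a handful of patients per shift.
    lines += [f"2013-03-04T09:{i:02d}:00|rlee|P10{i:02d}|10.1.4.22" for i in range(5)]
    # Current registrar opening 60 distinct charts in one evening shift.
    lines += [f"2013-03-04T19:{i:02d}:00|mjones|P20{i:02d}|10.1.4.23" for i in range(60)]
    # Terminated CISO's still-active account used from outside the network after his exit.
    lines += [f"2013-03-05T22:{i:02d}:00|dadkins|P30{i:02d}|203.0.113.7" for i in range(3)]
    return lines


def parse_log(lines):
    """Parse timestamp|user|patient_id|source_ip lines into dicts."""
    records = []
    for line in lines:
        ts, user, patient, ip = line.strip().split("|")
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "patient": patient, "ip": ipaddress.ip_address(ip)})
    return records


def post_termination_access(records, roster):
    """Accesses by an account whose owner was terminated on or before the access date."""
    return [r for r in records
            if roster.get(r["user"]) is not None and r["ts"].date() >= roster[r["user"]]]


def unknown_accounts(records, roster):
    """Accounts in the log that HR's roster does not know about (shared or orphaned logins)."""
    return sorted({r["user"] for r in records if r["user"] not in roster})


def high_volume_users(records, threshold=25):
    """Users who opened at least `threshold` distinct patient records on one calendar day."""
    seen = defaultdict(set)                      # (user, day) -> distinct patients
    for r in records:
        seen[(r["user"], r["ts"].date())].add(r["patient"])
    worst = {}
    for (user, _day), patients in seen.items():
        if len(patients) >= threshold:
            worst[user] = max(worst.get(user, 0), len(patients))
    return worst


def external_logins(records, nets=INTERNAL_NETS):
    """Accesses whose source address lies outside every internal range."""
    return [r for r in records if not any(r["ip"] in net for net in nets)]


def triage(lines, roster=HR_ROSTER):
    """Run all four checks and summarise which accounts each one flags."""
    records = parse_log(lines)
    return {
        "post_termination": sorted({r["user"] for r in post_termination_access(records, roster)}),
        "unknown_accounts": unknown_accounts(records, roster),
        "high_volume": high_volume_users(records),
        "external_users": sorted({r["user"] for r in external_logins(records)}),
    }


if __name__ == "__main__":
    for check, result in triage(build_sample_log()).items():
        print(f"{check}: {result}")
```

On the constructed log the first check flags the former CISO's account, the volume check flags the current registrar, and the network check shows the post-termination logins came from outside the hospital. The point of keeping the roster join separate from the volume and network checks is that each one catches a different failure in the scenarios: deprovisioning that never happened, legitimate accounts being abused, and credentials being used from somewhere they should not be.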
• Armed with this additional information, what
do you do?
• What else would you want to know?
• Also, consider:
– (What is the CIO thinking?)
– (What is the Chief Marketing Officer thinking?)
– (What is the Compliance Officer thinking?)
• Considerations at this Juncture:
– Update Cyberliability carrier.
– Engage outside counsel (along with cyber carrier).
– Familiarize yourself with additional coverage
under insurance policies (data breach response
coverage).
– Media relations – transparency is best,
AmeriHealth is the victim.
• Considerations at this Juncture (continued):
– Understand the data breach reporting
requirements.
• HIPAA
• State reporting requirements
– Consider FTC Section 5 enforcement possibility.
– Consider litigation hold obligations.
– Review potential criminal charges against Dan and
Lora.
• Recommendations and Best Practices
• Questions?
– Jenny Corotis Barnes
– Chanley Howell
– Jason D. Stevens