39 Offices in 19 Countries
What Keeps You Up at Night?
Issues of Fraud and Abuse Compliance Series
My Data’s Been Stolen: Now What? Part II
November 21, 2013
2
Today’s Hosts
Thomas E. Zeno, Of Counsel, Squire Sanders, T +1 513 361 [email protected]
Emily E. Root, Senior Associate, Squire Sanders, T +1 614 365 [email protected]
3
Review of Part I – September 19
• How to know a breach has occurred
• Insider and outsider threats
• Should you notify law enforcement?
• What does HIPAA require about Business Associates?
PowerPoint link: http://www.squiresanders.com/files/Event/14e2e0c3-5769-48e6-b68d-f87ef7d1ccff/Presentation/EventAttachment/2d7a653a-eb4a-4f27-bffd-0147fcdbecc4/My-Data's-Been-Stolen-Now-What-Part-I.pdf
Recording link: https://cc.readytalk.com/cc/playback/Playback.do?id=9466ij
4
Today’s Speakers
Scott A. Edelstein, Partner, Squire Sanders, T +1 202 626 [email protected]
Thomas J. Hibarger, Managing Director, Stroz Friedberg, T +1 202 464 [email protected]
5
Today’s Agenda
• What more does HIPAA require?
• Data breach remediation
• Tips to prevent a breach
• Pre-planning for a breach
6
HIPAA has Teeth
• HHS Office for Civil Rights (OCR)
• U.S. Department of Justice (DOJ)
• State Attorneys General
• Expanded role of FTC
7
HIPAA Penalties and Enforcement
• Civil penalties: $100 per violation, up to a maximum of $1.5 million per year
• Criminal penalties:
  – Up to $50,000 and one year in jail for wrongful disclosure
  – Up to $250,000 and ten years in jail if intent to sell, transfer or use PHI for commercial advantage
• Applies to both Covered Entities and Business Associates
8
State Patient Privacy Lawsuits
• No HIPAA private right of action
  – Patients still can sue under state common law principles, e.g., invasion of privacy
• HIPAA as standard of reasonableness?
9
State Data Breach Notification Laws
10
Other HIPAA Obligations
• Duty to mitigate
• Accounting of disclosures
• Review administrative, technical and physical safeguards
11
Federal Data Breach Notification – General Rule
After discovering a breach of unsecured PHI, a Covered Entity must notify each individual whose information was, or reasonably is believed to have been, accessed, acquired, used, or disclosed as a result.
12
Federal Data Breach Notification – Definitions
• “Unsecured PHI”: not rendered unusable, unreadable or indecipherable
  – Encryption or destruction encouraged but not required
• “Breach”: unauthorized acquisition, access, use or disclosure of PHI
  – Compromises the security or privacy of PHI
  – Elimination of subjective standard (“significant risk of financial, reputational, or other harm”)
  – New objective standard creates presumption of breach unless CE/BA demonstrate low probability that PHI has been compromised
• Exceptions
  – Certain unintentional or inadvertent disclosures
  – Good faith belief recipient reasonably would not retain data
13
Federal Breach Notification – Risk Assessment to Determine Low Probability
• Nature and extent of PHI involved (e.g., types of identifiers and likelihood of re-identification)
• The unauthorized person who used PHI or to whom PHI was disclosed
• Whether PHI was actually acquired or viewed
• Extent to which the risk to PHI has been mitigated
14
Federal Data Breach Notification – Notification Obligations
• Notification required within 60 days of discovery
  – Enforcement rule requires correction in 30 days
  – BA failing to notify CE can be penalized directly
  – State law may have shorter notice periods (e.g., Calif.)
• Notification content:
  – Briefly describe what happened and when
  – Describe types of unsecured PHI involved
  – Describe how individuals can protect themselves
  – Briefly describe investigation, mitigation and protection
  – Provide contact information
15
Federal Data Breach Notification – Form of Notice
• Plain language
• Written
  – Via mail (or electronic if individual agrees)
  – If deceased, next of kin or personal representative
  – Also telephone or other means if urgent
• Substitute notice if contact info insufficient
  – < 10: alternative written, telephone or other means
  – > 10: either 90-day website posting or media notice, PLUS 90-day toll-free number
16
Federal Data Breach Notification – Additional Required Notice
• Media notification
  – > 500 residents of a State: notify prominent media outlets
  – Within 60 days of breach discovery
  – Same content as notice to individuals
• HHS notification
  – > 500: notify HHS at the same time as individuals
  – < 500: maintain a breach log and notify HHS within 60 days after the end of the calendar year
  – Hospice of North Idaho settlement, Dec. 2012
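The notification obligations, form-of-notice thresholds and additional-notice rules on the last three slides combine into one decision procedure. The following is an added example, not part of the deck or of any firm's tooling: it turns a discovery date, a per-State headcount and an unreachable-individual count into the list of notices and due dates those slides describe (the State names, counts and dates are constructed inputs).

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List

# Thresholds and clocks as the slides state them (the underlying rule is the
# HIPAA Breach Notification Rule, 45 CFR 164.404-164.408).
INDIVIDUAL_NOTICE_DAYS = 60   # notice to individuals within 60 days of discovery
LARGE_BREACH = 500            # > 500 affected: media notice (per State) and immediate HHS notice
SUBSTITUTE_SMALL = 10         # fewer than 10 unreachable: alternative written/phone notice
POSTING_DAYS = 90             # otherwise: 90-day web posting or media notice plus 90-day toll-free number
LOG_REPORT_DAYS = 60          # < 500 affected: breach log, reported to HHS within 60 days of year end


@dataclass
class Breach:
    discovered: date
    affected_by_state: Dict[str, int]   # State -> affected residents (constructed input)
    unreachable: int = 0                # individuals whose contact information is insufficient


@dataclass
class Obligation:
    notice: str     # "individual", "substitute", "media", "hhs" or "hhs-log"
    due: date
    detail: str


def plan_notifications(b: Breach) -> List[Obligation]:
    """Return the notices the slides require for this breach, each with its due date."""
    total = sum(b.affected_by_state.values())
    due = b.discovered + timedelta(days=INDIVIDUAL_NOTICE_DAYS)
    plan = [Obligation("individual", due,
                       "plain-language written notice by mail (electronic only if the individual agreed)")]
    # Substitute notice when contact information is insufficient. The deck writes
    # "< 10" / "> 10"; the rule itself treats 10 or more as the posting case.
    if 0 < b.unreachable < SUBSTITUTE_SMALL:
        plan.append(Obligation("substitute", due,
                               f"{b.unreachable} unreachable: alternative written, telephone or other means"))
    elif b.unreachable >= SUBSTITUTE_SMALL:
        plan.append(Obligation("substitute", due,
                               f"{b.unreachable} unreachable: {POSTING_DAYS}-day website posting or media "
                               f"notice, plus a {POSTING_DAYS}-day toll-free number"))
    # Media notice is assessed State by State, not on the total headcount.
    for state, n in sorted(b.affected_by_state.items()):
        if n > LARGE_BREACH:
            plan.append(Obligation("media", due,
                                   f"{state}: {n} residents affected, notify prominent media outlets"))
    # HHS: at the same time as individuals for large breaches, otherwise via the annual log.
    if total > LARGE_BREACH:
        plan.append(Obligation("hhs", due, "notify HHS at the same time as individuals"))
    else:
        year_end = date(b.discovered.year, 12, 31)
        plan.append(Obligation("hhs-log", year_end + timedelta(days=LOG_REPORT_DAYS),
                               "record in the breach log and report to HHS after the end of the year"))
    return plan


if __name__ == "__main__":
    # The deck's hypothetical: 200 misaddressed bills, 80 returned unopened. Assumed here
    # (an assumption, not the deck's analysis): the 120 opened bills are the disclosures
    # to notify; the 80 unopened returns are not. The State is a constructed value.
    for o in plan_notifications(Breach(date(2013, 11, 21), {"OH": 120})):
        print(f"{o.due}  {o.notice:<10} {o.detail}")
```

Whether a given incident is a reportable breach at all still turns on the four-factor risk assessment on the earlier slide; this block only schedules the notices once that determination has been made.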
17
Lessons Learned
• Encryption will prevent a lot of headaches
• OCR will have access to everything
• State AGs may become involved
• Media attention
• Enterprise embarrassment
• Consider cyber insurance
• May prompt litigation
  – Between covered entities and business associates
    – Who will pay costs associated with notification?
    – Security incident versus breach
    – Enforcement of agreements with offshore BAs
  – By affected individuals
18
Key Steps
• Organize your network data
• Update Policies and Procedures
• Develop a Response Plan
• Perform a Risk Assessment
19
Organize Your Network Data
• Map your critical assets
• Record backup schedules and inventories
• Update user lists
• Centralize logging functions
20
Update Policies and Procedures
• Conform them to HIPAA Security and Privacy Audit Protocols
• Account for new technology
  – Text Messaging
  – Social Media
  – BYOD
  – Cloud Computing
21
BYOD – Bring Your Own Device
http://blogs.wsj.com/riskandcompliance/2013/09/26/hospitals-allowing-byod-face-complications-with-new-hipaa-rule/
• Consider the risk implications of BYOD vs. convenience
• Where is the perimeter of your network and who controls it?
• ePHI transmitted via emails, texts, attached documents
• ePHI must be secured in transit and at rest – container
• iOS vs. Android
22
Develop a Response Plan
• Management endorsement
• Contact lists
• Legal analysis and timeline
• Categories of adverse events
• Facilities and equipment list
• Outreach plan
• An effective team
23
The Cloud
• OCR guidance that Cloud providers are Business Associates
24
Develop a Response Plan – Effective Team
25
Communication
• Team Members
  − Outside & in-house counsel
  − Compliance, HR, IT
  − Business managers, public affairs
  − Experts
• Other Key Constituents
  − Board/CEO, Executives
  − Employees
  − Shareholders
  − Unaffected Patients, Providers, or Customers
26
Perform a Risk Assessment
• The HIPAA Security Rule requires it
• HHS auditors report it as one of the most common compliance failures
27
Preservation
• Unhook infected machines
  – Do NOT poke around
  – Insert clean and patched machines
• Call experts to image infected machines
• Save off log files
• Pull needed backup(s) out of rotation
• Save keycard data and surveillance tapes
• Start real-time packet capture
• Force password changes
28
Breach Timeline
29
Mitigating Your Risks
Simple steps to reduce the risk of compromising your data and systems
• Encrypt data – in motion and at rest
• Install software security patches
• Train employees to avoid security threats
• Robust passwords; changed; no default passwords
• Use multi-factor authentication for remote access
  – Employees from outside the office
  – Sensitive on-line accounts such as financial and cloud storage of patient data
• Terminate dormant user accounts
• Use up-to-date virus scanning software
• Periodically audit compliance with data security rules
30
Mitigating Your Risks
Simple steps to reduce the damage if/when a compromise occurs
• Don’t store data you don’t need
• Know where your data is
• Use internal network walls to protect sensitive data
• Train employees to spot and report anomalies
• Monitor logs in your system to detect anomalies
31
Mitigating Your Risks
Steps for reducing insider cybercrime and data breach risk
• Create written employee conduct policies
  – Include social media use policies
• Restrict internet sites able to exfiltrate sensitive data
• Create tiered access to sensitive information
  – Not everyone needs access to everything
• Check background of employees with access to sensitive information
• Restrict use of external storage devices
32
Mitigating Your Risks
Steps for reducing insider cybercrime and data breach risk (cont’d)
• Implement employee exit procedures
  – Acknowledgement of post-employment obligations
  – Termination of account access
• Dual controls for access to certain sensitive data
33
Mitigating Your Risks
Reducing the risk of employee negligence
• Good risk management of malicious conduct
• Encryption
• Don’t store data unnecessarily
• Encryption
• Data security policies and audits
• Encryption
• Employee training
• Audit compliance with data security rules
34
Tips for Avoiding Data Breaches
• Conduct random security audits
• Perform random reviews of access logs
• Have strong physical safeguards for areas where paper records are stored and used
• Don't store PHI on laptop hard drive or desktop
• Address administrative and physical safeguards clearly for storage devices and removable media
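Several of the mitigation slides above come down to the same routine: keep an up-to-date user list, terminate dormant accounts, and review ePHI access logs for anomalies. The following is an added example, not from the deck or from any product: a review script over a constructed access log (the log format, user names, patient IDs, the 90-day dormancy policy and the per-day record threshold are all assumptions) that lists accounts to terminate and flags user-days with an unusual number of distinct patient records viewed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Constructed sample of an EHR access log (not from any real system):
# "<ISO timestamp> <user> <patient id> <action>", one record access per line.
SAMPLE_LOG = """\
2013-11-01T08:02:11 nurse.kim P1001 view
2013-11-01T08:05:40 nurse.kim P1002 view
2013-11-01T09:12:03 dr.patel P1001 view
2013-07-15T14:20:00 dr.smith P1050 view
2013-11-18T22:41:09 clerk.lee P2001 view
2013-11-18T22:41:15 clerk.lee P2002 view
2013-11-18T22:41:22 clerk.lee P2003 view
2013-11-18T22:41:30 clerk.lee P2004 view
2013-11-18T22:41:37 clerk.lee P2005 view
2013-11-18T22:41:44 clerk.lee P2006 view
2013-11-19T07:00:00 dr.patel P1004 view
this line is corrupt and must be skipped
"""

# Constructed list of provisioned accounts (the "user list" the slides say to keep
# current); an account that never appears in the log is still dormant.
PROVISIONED = {"nurse.kim", "dr.patel", "dr.smith", "clerk.lee", "old.contractor"}

LINE_RE = re.compile(r"^(\S+) (\S+) (P\d+) (\w+)$")
DORMANT_DAYS = 90          # assumed policy: no activity in 90 days -> terminate the account
MAX_PATIENTS_PER_DAY = 5   # assumed per-role threshold; tune it to the job function

Event = Tuple[datetime, str, str, str]


def parse_log(text: str) -> List[Event]:
    """Parse well-formed lines; malformed lines are skipped rather than aborting the review."""
    events: List[Event] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, user, patient, action = m.groups()
            events.append((datetime.fromisoformat(ts), user, patient, action))
    return events


def dormant_accounts(provisioned: Set[str], events: List[Event], as_of: datetime) -> Set[str]:
    """Provisioned accounts with no activity in the last DORMANT_DAYS (or no activity at all)."""
    last_seen: Dict[str, datetime] = {}
    for ts, user, _, _ in events:
        last_seen[user] = max(last_seen.get(user, ts), ts)
    cutoff = as_of - timedelta(days=DORMANT_DAYS)
    return {u for u in provisioned if last_seen.get(u, datetime.min) < cutoff}


def high_volume_days(events: List[Event], limit: int = MAX_PATIENTS_PER_DAY) -> Dict[Tuple[str, str], int]:
    """(user, day) pairs where the count of distinct patient records viewed exceeds the limit."""
    per_day: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for ts, user, patient, _ in events:
        per_day[(user, ts.date().isoformat())].add(patient)
    return {k: len(v) for k, v in per_day.items() if len(v) > limit}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("dormant:", sorted(dormant_accounts(PROVISIONED, evs, datetime(2013, 11, 21))))
    print("high volume:", high_volume_days(evs))
```

Run as a periodic job, the dormant-account list feeds the exit procedure on the earlier slide and the flagged user-days give the "random review of access logs" a concrete starting point.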
35
Hypothetical
A Business Associate contracted to send invoices to patients experiences a computer error which mismatches the patient’s name and address, resulting in 200 bills sent to the wrong address. Eighty bills were returned unopened.
36
Stay Alert
37
Thank You for Joining Our Webinar
Questions?
38
Thank You for Joining Our Webinar
Contact us with other topics, questions or issues:
• Scott Edelstein: [email protected]
• Tom Hibarger: [email protected]
• Tom Zeno: [email protected]
• Emily Root: [email protected]