hipaa 2015 webinar

Polsinelli PC. In California, Polsinelli LLP Preparing for a Data Breach and the Need for Cyber Liability Insurance Erin Fleming Dunlap Katie Kenney Lisa Weixelman

Upload: polsinelli-pc

Post on 12-Aug-2015


TRANSCRIPT

Polsinelli PC. In California, Polsinelli LLP

Preparing for a Data Breach and the Need for Cyber Liability Insurance

Erin Fleming Dunlap
Katie Kenney
Lisa Weixelman

real challenges. real answers. sm

Agenda

• Defining a Breach and Reporting Obligations
• Preparing for a Breach
• OCR Intake – What to Expect
• The Cost of Non-Compliance
• Need for Cyber Liability Insurance

Definition of a Breach under HIPAA

Breach of PHI: an impermissible acquisition, access, use, or disclosure of PHI that compromises the security or privacy of the PHI.

Three exceptions:
1. Unintentional acquisition, access or use of protected health information (“PHI”) by an individual under Covered Entity (“CE”) or Business Associate (“BA”) authority that is made in good faith and within the scope of the individual’s authority, and does not result in further unauthorized use or disclosure
2. Inadvertent disclosure by an authorized individual to another authorized individual at the same CE or BA that does not result in further unauthorized use or disclosure
3. Disclosure of PHI where the CE or BA has a good faith belief that the unauthorized recipient would not reasonably have been able to retain the PHI

Is PHI Secured?

• CEs and BAs must report a “Breach” of “Unsecured” PHI.
• Threshold issue: is the PHI “secured” in accordance with OCR Guidance for rendering PHI “secure”? (Encryption!)
  – If yes, the safe harbor applies and notification is not required.
  – If no, either (i) report; or (ii) conduct a risk assessment to determine whether there is a low probability that the PHI was compromised (unless an exception applies).

Presumption of Breach / Risk Assessment

• If the impermissible acquisition, access, use, or disclosure does not meet one of the exceptions to the definition of Breach or the safe harbor does not apply, it is presumed to be a reportable Breach.
• The presumption may be overcome by showing a low probability that the PHI was compromised.
• To assess that probability, a CE or BA must perform a written risk assessment of the following factors:
  1. The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
  2. The unauthorized person who used the PHI or to whom the disclosure was made;
  3. Whether the PHI was actually acquired or viewed; and
  4. The extent to which the risk to the PHI has been mitigated.

Breach Notification Requirements

• CE must notify affected individuals and the Office for Civil Rights (“OCR”)
• BA must notify the CE
• Notice must contain:
  – Description of the Breach
  – Types of PHI involved
  – Steps the individual should take to protect him/herself
  – Steps the CE took to investigate, mitigate and protect from future breaches
  – Contact information/procedure
• Timing and method of notification depend on the number of individuals involved

OCR Guidance: when identifying affected individuals, CEs must cast a wide net!

Breach Notification Requirements

Columns: # People / Type of Notice / Timing of Notice

Fewer than 500 individuals
  • Individuals: written notice by first class mail (or, if the individual agreed to e-mail, by e-mail)
    Timing: without unreasonable delay, no more than 60 days after discovery
  • OCR: through the website http://www.hhs.gov/ocr/privacy
    Timing: by March 1st of the calendar year after the year of discovery

500 or more individuals
  • Individuals: same as above
    Timing: same as above
  • OCR: same as above
    Timing: contemporaneously with the individual notice
  • Media: provide notice in prominent media outlets serving the State or jurisdiction [but only if more than 500]
    Timing: without unreasonable delay, no more than 60 days after discovery

NOTE: BA notifies CE without unreasonable delay, no more than 60 days after discovery (unless a shorter time is provided in the BAA)

State Laws

Don’t forget about state data breach notification laws!
• Laws vary; look where the affected patient(s) reside
• May only apply to (i) certain providers; (ii) computerized [unencrypted] data; or (iii) certain personal information, e.g. social security numbers
• Some exclude entities covered by HIPAA and/or provide that compliance with HIPAA is sufficient
• Some require additional notification to the state attorney general

Example:
– California’s Health and Safety Code Section 1280.15:
  • Requires reporting of any unlawful or unauthorized access to, or use or disclosure of, a patient’s medical information no later than 15 business days after detection
  • May be fined up to $25,000 per patient
  *Patients can bring an action under Cal. Civ. Code Section 56.36 and recover $1,000 nominal damages for unauthorized disclosure even if there is no economic loss/personal injury.

In January 2015, a federal breach notification law was proposed!

Preparing for a Breach

• Develop and publicize clear policies and procedures for workforce members to follow after discovery of a Breach (or suspected Breach)
• Train the workforce on the policies: who to contact after a Breach is discovered and the method of contact
• Identify a committee of stakeholders to convene after a Breach (should be high-level personnel to preserve attorney-client privilege and to command attention/action)

Preparing for a Breach

• Know your obligations/coverage under any applicable insurance policy
• Consider proactively identifying and contracting with vendors to assist with the following:
  – Call center support
  – Patient notification letter mailings
  – Outside counsel (to maintain attorney-client privilege)
  – Forensic evidence services

Preparing for a Breach

• If you are a Covered Entity…
  – Closely evaluate your BA relationships:
    • Ensure BAAs provide adequate protection (e.g., cost of notification / indemnification)
    • The BAA should clearly identify the BA’s obligations in the event of a Breach (including who specifically the BA must notify and the timing and method of notice)
    • Consider requiring breach insurance

Preparing for a Breach

• If you are a Business Associate…
  – Closely evaluate your BAAs to ensure:
    • You have appropriate coverage if you agreed to obtain breach insurance
    • You are aware of your obligations should a Breach occur on your watch
    • You know who to notify at the CE (and internally) if a Breach occurs

Office for Civil Rights Breach Intake

• 500+ Breach Report Intake:
  – 500+ reports are reviewed by OCR on a daily basis
  – Each day, reports are disseminated to the pertinent region based on the location of the CE; investigators then verify the information with the CE and report back to headquarters
  – All 500+ breach reports are investigated by OCR and displayed publicly on the website

Office for Civil Rights Breach Intake

• Under-500 Breach Report Intake:
  – OCR reviews the under-500 breach reports and makes them available to regional investigators on a monthly basis
  – Unlike 500+ reports, under-500 reports are opened at the region’s discretion on a case-by-case basis
  – Regions may analyze under-500 reports for egregious incidents and/or trends when determining if a case will be investigated

The Cost of Non-Compliance

• OCR can levy civil money penalties of up to $1.5 million per year against providers for violations of an identical requirement
• OCR can also refer possible criminal violations of HIPAA to the DOJ
• State Attorneys General have authority to bring civil actions on behalf of state residents for HIPAA violations

Civil Monetary Penalties

Columns: Violation Category / Penalty Range for Each Violation / Maximum Penalty for all Violations of an Identical Provision in a Calendar Year

• Entity did not know (and, by exercising reasonable diligence, would not have known) that it violated the applicable provision.
  Penalty range: $100 to $50,000 per violation; maximum per calendar year: $1,500,000
• Violation is due to reasonable cause and not to willful neglect.
  Penalty range: $1,000 to $50,000 per violation; maximum per calendar year: $1,500,000
• Violation is due to willful neglect and was corrected during the 30-day period beginning on the first date the entity knew, or, by exercising reasonable diligence, would have known that the violation occurred.
  Penalty range: $10,000 to $50,000 per violation; maximum per calendar year: $1,500,000
• Violation is due to willful neglect and was not corrected during the 30-day period beginning on the first date the entity knew, or, by exercising reasonable diligence, would have known that the violation occurred.
  Penalty range: at least $50,000 per violation; maximum per calendar year: $1,500,000

The Cost of Non-Compliance

• As of May 2015, OCR had received over 115,929 complaints, initiated 1,216 compliance reviews and resolved 94% (108,370) of these cases [over 23,5680 required corrective action]
• Enforcement is on the rise!!
  – 2004 to 2013:
    • The number of complaints received by OCR has doubled
    • The number of OCR total resolutions has almost tripled
• OCR may initiate a compliance review after:
  – individual complaints
  – self-reported breaches
  – audits

Recent Settlements/Enforcement Actions

• St. Elizabeth’s Medical Center
  – Complaint to OCR alleging workforce members were using an internet-based document sharing application to store documents
  – At least 498 individuals affected
  – Agreed to pay $218,400 and adopt a corrective action plan (CAP)
• Cornell Prescription Pharmacy
  – Media notified OCR regarding disposal of unsecured documents containing PHI in an unlocked, open container
  – 1,610 individuals affected
  – Agreed to pay $125,000 and adopt a CAP
• Anchorage Community Mental Health Services
  – Self-report to OCR when malware compromised the security of its IT system
  – 2,743 individuals affected
  – Agreed to pay $150,000 and adopt a CAP
  *Underscores the vulnerability of unpatched and unsupported software

Recent Settlements/Enforcement Actions

• Parkview Health System
  – Complaint to OCR (by a retiring physician) that employees left 71 boxes of medical records on his driveway
  – 5,000-8,000 individuals affected
  – Agreed to pay $800,000 and adopt a CAP
• New York and Presbyterian Hospital & Columbia University
  *Largest HIPAA settlement to date!
  – Joint self-report to OCR when a shared server was deactivated and PHI was accessible via internet search engines
  – 6,800 individuals affected
  – Agreed to pay $4.8 million (NYP = $3.3 million / CU = $1.5 million) and adopt a CAP

Recent Settlements/Enforcement Actions

STOLEN LAPTOP CASES:
• Concentra Health Services [agreed to pay $1,725,220]
• QCA Health Plan, Inc. [agreed to pay $250,000]

**For details on enforcement actions (press releases and resolution agreements), see http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/index.html

State Actions On the Rise

• No private right of action under HIPAA (NOTE: under HITECH, individuals will share in monetary assessments at some point; an ANPRM is to be issued in 2015)
• HOWEVER, individuals are finding more success through state common law claims
  – 2014 examples:
    • Byrne v. Avery Ctr. for Obstetrics & Gynecology, P.C., 314 Conn. 433 (2014)
    • Walgreen Co. v. Hinchy, 21 N.E.3d 99 (Ind. Ct. App. 2014)

Byrne v. Avery Center for Obstetrics & Gynecology

• Facts:
  – Released the plaintiff’s medical records to her child’s father pursuant to a subpoena
  – Failed to notify the plaintiff of the subpoena
  – The plaintiff had previously told the provider not to release the records
• Allegations:
  1. Breach of contract by violation of the privacy policy
  2. Negligence in failing to use proper and reasonable care in protecting her medical records
  3. Negligent misrepresentation that the plaintiff’s health information would be protected in accordance with the law
  4. Negligent infliction of emotional distress

Byrne v. Avery Center for Obstetrics & Gynecology

• Connecticut Supreme Court:
  – Issue: whether HIPAA preempted the plaintiff’s state law negligence claims
  – Holding:
    • No preemption
    • HIPAA may be used to inform the standard of care applicable in negligence claims

The availability of private rights of action in state court “do not preclude, conflict with, or complicate health care providers’ compliance with HIPAA” and instead are beneficial as they “establish[] another disincentive to wrongfully disclose a patient’s health care record.”

Walgreen Co. v. Hinchy

• Facts: a pharmacist viewed the plaintiff’s prescription records and divulged information contained therein to the plaintiff’s ex-boyfriend
• Allegations against the pharmacist:
  1. Negligence and professional malpractice
  2. Invasion of privacy based on intrusion
  3. Invasion of privacy based on public disclosure of private facts
• Allegations against Walgreens:
  1. Liability for claims filed against the pharmacist under the theory of respondeat superior
  2. Negligent training
  3. Negligent supervision
  4. Negligent retention
  5. Negligence based on professional malpractice

Walgreen Co. v. Hinchy

• Trial Court:
  – Claims of negligent training and privacy by intrusion did not survive summary judgment
  – Jury verdict = $1.8 million
• Appellate Court:
  – Question: whether respondeat superior applied
  – Holding: Walgreens was vicariously liable for the pharmacist’s actions
    • The pharmacist violated the duty of confidentiality owed to the plaintiff
    • The pharmacist’s actions were within the scope of employment

Cyber Insurance

The costs associated with a data breach are significant!
– According to the Ponemon Institute (2015):
  • $398 = per capita health care data breach cost (overall mean of $154)
  • $2 million = average cost of a healthcare data breach over two years
  • $5.6 billion = annual potential cost of data breaches industry wide
  • Over 100% = increase in criminal attacks on healthcare systems since 2010 (*Prime target!)

• Financial exposure: forensic examination, notification of third parties, call centers, credit or identity monitoring, public relations, legal defense, regulatory proceedings, fines and penalties, business interruption, computer data loss and restoration.

Cyber Insurance

• What is cyber insurance?
  – Provides coverage to companies when they experience a data breach.
  – Three fundamental coverage types:
    • Liability for loss or data breach
    • Remediation costs to respond to the breach
    • Coverage for fines and penalties
  – First party liability policies versus third party liability policies
  – Liability policies may cover various costs incurred with a breach related to:
    • Notification & call centers
    • Credit monitoring
    • Public relations
    • Legal defense
    • Regulatory proceedings, fines, and penalties


Selecting the Right Cyber Policy

• In selecting policies:
  1. Determine how much insurance is needed and how much risk the company can afford to purchase
     • A health care entity with $25 million in revenue can generally obtain a $1 million policy with a premium of $12,900
  2. Review the types of coverage provided
  3. Know what triggers the policy (e.g., will coverage be triggered in the event of a stolen or lost unencrypted laptop?)
  4. Know what types of data are covered (e.g., how is sensitive data defined?)
  5. Know what the policy excludes (e.g., it may exclude claims related to failure to maintain or update security)
  6. Find out if you can select vendors and/or counsel

Selecting the Right Cyber Policy

• When applying for coverage:
  – Carefully review and complete the application, which may include risk control self-assessments and representations regarding due diligence on third-party vendors
  – Try to negotiate the scope of the coverage and exclusions
  – Understand your entity’s compliance obligations: what are the minimum required practices for information security?

Selecting the Right Cyber Policy

IN THE NEWS… Columbia Casualty v. Cottage Health System
• The insurance company seeks a declaratory judgment that it owes no coverage, and reimbursement of monies already paid (under reservation of rights) in defense and the $4.13 million settlement of a class action
• The insurance company alleges that the health system failed to implement procedures and risk controls identified in the insurance application; thus, the exclusion applies and coverage is precluded.

See also Travelers Property Casualty Company of America, et al. v. Federal Recovery Services, Inc.
• Court held no duty to defend
• Travelers agreed to pay “sums that [insured] must pay as ‘damages’ because of loss … caused by an ‘errors and omissions wrongful act’….”
• “To trigger Travelers’ duty to defend, there must be allegations in the [underlying] action that sound in negligence.”

Questions?

• Feel free to contact us for more information:
  – Erin Fleming Dunlap: [email protected]
  – Katie Kenney: [email protected]
  – Lisa Weixelman: [email protected]

Follow us on:
Twitter: @polsinelli
LinkedIn: https://www.linkedin.com/company/polsinelli?trk=company_logo
SlideShare: http://www.slideshare.net/Polsinelli_PC

Polsinelli provides this material for informational purposes only. The material provided herein is general and is not intended to be legal advice. Nothing herein should be relied upon or used without consulting a lawyer to consider your specific circumstances, possible changes to applicable laws, rules and regulations and other legal issues. Receipt of this material does not establish an attorney-client relationship.

Polsinelli is very proud of the results we obtain for our clients, but you should know that past results do not guarantee future results; that every case is different and must be judged on its own merits; and that the choice of a lawyer is an important decision and should not be based solely upon advertisements. © 2015 Polsinelli PC. In California, Polsinelli LLP.

Polsinelli is a registered mark of Polsinelli PC

Polsinelli is an Am Law 100 firm with more than 750 attorneys in 18 offices, serving corporations, institutions, entrepreneurs and individuals nationally. Ranked in the top five percent of law firms for client service and top five percent of firms for innovating new and valuable services*, the firm has risen more than 100 spots in Am Law’s annual firm ranking over the past six years. Polsinelli attorneys provide practical legal counsel infused with business insight, and focus on healthcare, financial services, real estate, life sciences and technology, and business litigation. Polsinelli attorneys have depth of experience in 100 service areas and 70 industries. The firm can be found online at www.polsinelli.com. Polsinelli PC. In California, Polsinelli LLP.

*BTI Client Service A-Team 2015 and BTI Brand Elite 2015