TRANSCRIPT
Potential Liability for HIPAA Violations: A Primer
Wednesday, March 23, 2016
Presented by the IADC Medical Defense and Health Law Committee and the In-House and Law Firm Management Committee
Welcome! The Webinar will begin promptly at 12:00 pm CDT. Please read and follow the instructions below:
• For your information, this Webinar presentation is being recorded.
• If you have not already done so, please join the conference call.
• Mute your phone line. If you do not have a mute button or are on a cell phone, press *1 to mute your phone.
• If you are on a conference phone, please move all cellular or wireless devices away from the conference phone to avoid audio interference.
• If you have questions during the presentation, you may use the Q&A pod on the upper-right-hand side of your screen. Questions typed there will be sent to the presenter for response. If your question is not answered during the presentation, our presenter will answer questions at the end of the webinar.
• Visit the “Files” pod in the lower-right-hand corner of the screen if you would like to download a copy of this PowerPoint presentation.
IADC Webinars are made possible by a grant from The Foundation of the IADC. The Foundation of the IADC is dedicated to supporting the advancement of the civil justice system through educational opportunities like these Webinars. For more information on The Foundation, visit www.iadcfoundation.org.
Presenters
Robert G. Smith, Jr., Lorance & Thompson, P.C., Houston, TX
Cathy Bryant, Texas Medical Liability Trust, Austin, TX
Potential Liability for HIPAA Violations: A Primer
This Webinar will be a nuts-and-bolts presentation regarding HIPAA and potential liability for HIPAA violations. The program will include a discussion of the potential liability of law firms for HIPAA violations. For the purposes of the webinar, we will limit our discussion to federal law, HIPAA. It is important for attorneys to be aware of state-specific laws where they practice; for example, in Texas, law firms can be considered Covered Entities under the Texas Medical Privacy Act.
FBI Warns Law Firms
• In 2009, the FBI first warned that law firms were the targets of hackers.
• In 2013 the FBI repeated the warning: “We have hundreds of law firms that we see increasingly being targeted by hackers.”
• A complete set of medical records is more valuable than financial records and social security numbers.
• Resale value of medical information used for Medical Identity Theft.
“(Law firms) are a treasure trove that is extremely attractive to criminals, foreign governments, adversaries and intelligence entities.” – American Bar Association Cybersecurity Legal Task Force
Law firms rank 7th most vulnerable industry to “malware encounters” (Cisco Systems – 2015 Annual Security Report).
80% of the Big Law Firms Hacked (Source: Modern Healthcare).
HIPAA Overview
• HIPAA Privacy Rule (effective 2003): the rule covers Protected Health Information in all forms: verbal, written and electronic.
• HIPAA Security Rule (effective 2005): the rule covers Protected Health Information in electronic format only.
• HIPAA Breach Notification Rule (effective 2013): the rule covers all breaches of protected health information by a Covered Entity or a Business Associate.
• Omnibus Rule (effective 2013): sweeping changes to HIPAA; patient rights; Business Associates directly responsible for HIPAA compliance.
HIPAA – Who?
• Covered Entity
• Business Associate
• Subcontractor
Definitions: 45 CFR 160.103
HIPAA – What?
Protected Health Information
The Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information "protected health information (PHI)."
“Individually identifiable health information” is information, including demographic data, that relates to:
• the individual’s past, present or future physical or mental health or condition,
• the provision of health care to the individual, or
• the past, present, or future payment for the provision of health care to the individual,
• and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual.
Breach
“A breach is, generally, an impermissible use or disclosure under the [HIPAA] Privacy Rule that compromises the security or privacy of the protected health information.
An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate … demonstrates that there is a low probability that the protected health information has been compromised [aka “Lo-Pro-Co”] based on a risk assessment of at least 4 factors”
When is a Breach not a Breach?
PHI that is unusable, unreadable or indecipherable to unauthorized persons through the use of a technology or methodology.
Cost of a Breach
5th Annual Benchmark Study on Patient Privacy and Data Security, The Ponemon Institute: a healthcare breach can cost $363 per record.
Cost components:
• Public relations/crisis response
• Legal fees
• Forensics
• Cost of notifying patients
• Credit monitoring
• Call center
OCR Process
1. OCR Intake & Review.
   Resolution at intake when:
   • the violation did not occur after 4.14.2003;
   • the entity complained about was not covered by the Privacy Rule; or
   • the incident described does not violate the Privacy Rule.
2. Possible criminal violation: refer to DOJ (accepted by DOJ).
3. Possible Privacy or Security Rule violation: OCR investigation.
   Resolution after investigation:
   • OCR finds no violation;
   • OCR finds violation with voluntary compliance, corrective action or agreement;
   • OCR issues formal finding of violation: fines and penalties (CMP).
HIPAA Violations & Enforcement
1. Individual did not know (and by exercising reasonable diligence would not have known) that he/she violated HIPAA
   Minimum penalty: $100 per violation, with an annual maximum of $25,000 for repeat violations
   Maximum penalty: $50,000 per violation, with an annual maximum of $1.5 million
2. HIPAA violation due to reasonable cause and not due to willful neglect
   Minimum penalty: $1,000 per violation, with an annual maximum of $100,000 for repeat violations
   Maximum penalty: $50,000 per violation, with an annual maximum of $1.5 million
3. HIPAA violation due to willful neglect but violation corrected within the required time period
   Minimum penalty: $10,000 per violation, with an annual maximum of $250,000 for repeat violations
   Maximum penalty: $50,000 per violation, with an annual maximum of $1.5 million
4. HIPAA violation is due to willful neglect and is not corrected
   Minimum penalty: $50,000 per violation, with an annual maximum of $1.5 million for repeat violations
   Maximum penalty: $50,000 per violation, with an annual maximum of $1.5 million
Review of OCR Investigations
34,514 breach report or complaint investigations:
• 23,731 (69%) – corrective action required
• 10,783 (31%) – no violation
About 1/3rd were found to have no violation; 2/3rds had violations.
ABA Model Rules of Professional Conduct
Lawyers are required “to make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”
Reasonable efforts include:
• taking steps to prevent someone from hacking into a law firm’s computer network;
• preventing staff from posting client information on the Internet;
• training.
Potential Liability Under HIPAA
A lawyer must also consider duties arising under HIPAA, for example, and other laws intended to protect data privacy.
“Ignorance of technology is not a defense.”
Lawyers must “stay abreast of changes in the law and its practice, [and] need to have a basic understanding of the benefits and risks of relevant technology.”
What Privacy and Security issues exist in firms related to PHI?
Paper
45 CFR 164.530 – Administrative Requirements
45 CFR 164.530(c) Standard: Safeguards – Have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information.
Implementation specification:
• must reasonably safeguard PHI from any intentional or unintentional use or disclosure;
• must reasonably safeguard protected health information to limit incidental uses or disclosures.
Passwords
Basic Password Protection Protocols
1. Password length
2. Password complexity (upper, lower, number and special character)
3. Frequently changed
Weak Passwords
In 2012, the most common passwords were:
1. Password
2. 123456
In 2015, the most common passwords were:
1. Password
2. 123456
45 CFR 164.308 & 164.312 – Technical Safeguard
Is PHI sent encrypted or through a secure file sharing technology?
Transmitting encrypted data can be accomplished efficiently and without appreciably slowing down the system.
Email PHI
To: Dr. Expert Witness, Somewhere, USA
Dear Dr. Expert Witness,
Here are all the medical reports I need you to review in this bad case.
Thanks,
Unencrypted Attorney
Do you send emails containing PHI or medical record attachments?
45 CFR 164.312 – Technical Safeguard
Encryption
• Encryption is not a password or passcode!
• Encryption is the process of translating words or text into “code” which conceals the text.
Objections to Encryption
• It is not “required” by HIPAA. True; but if you don’t encrypt, you must show what you did to protect PHI that is equal to encryption.
• It slows down my PC/laptop …
• It costs money.
45 CFR 164.312 – Technical Safeguard
The Problem with Unencrypted Devices
August 2015 OCR Settlement with Cancer Care Group
• A laptop and backup media (unencrypted) were stolen from an employee’s vehicle; 5,500 records.
• Cancer Care was “in widespread non-compliance with the HIPAA Security Rule.”
• Had not conducted an enterprise-wide risk analysis.
• Did not have written P&P specific to removal of hardware and electronic media.
• Did not encrypt.
Encryption is a basic cyber risk management tool.
Cyber liability insurance applications now ask about the use of encryption – and can result in an endorsement excluding unencrypted portable devices.
Do you use your Personal Devices to store or access PHI?
BYOD
• The use, or potentially, the loss or theft of smartphones and other devices.
• With the storage capacity of smartphones increasing, attorneys are storing more and more information on them, including email, email attachments and documents.
• The use of personal devices also makes it more difficult for firms to institute good security practices.
• Attorneys should take “reasonable steps” to safeguard the confidential information accessible on their mobile phones. For example, does the phone permit remote wiping of the information stored in the event that it is lost or stolen? Is it enabled?
45 CFR 164.308 & 164.312 – Administrative & Technical Safeguards
Cloud Storage
According to New York State Bar Association Committee on Professional Ethics Opinion 842, a lawyer in New York may use an online “cloud” computer data backup system to store client files so long as the lawyer takes “reasonable care” to protect the client’s confidential information from unauthorized disclosure, which includes the following three steps:
1. Ensuring that the online data storage provider has an enforceable obligation to preserve confidentiality and security, and the provider will notify the lawyer if served with process regarding the production of client information;
2. Investigating the online data storage provider’s security measures, policies, recoverability methods, and other procedures to determine if they are adequate under the circumstances; and
3. Employing available technology to guard against reasonably foreseeable attempts to infiltrate stored data.
45 CFR 164.310, 164.312 & 164.314
Unsecure Wi-Fi
• Wireless networks that can be freely accessed without a password.
• Attorneys spend a great deal of time away from the office, and attempt to get work done wherever they may find themselves.
• To get work done while on the road, attorneys may access the Internet while at the airport or other hotspot that has open access.
45 CFR 164.312 – Technical Safeguard
Unpatched/Outdated Software
Vulnerabilities arise from running unpatched or outdated software.
End of Life – the vendor will no longer release security patches for the operating system. Any holes hackers find will be left unpatched and the software is now fundamentally unsecure.
• Windows 8 – End of Life January 13, 2016
• Internet Explorer – End of Life January 12, 2016
• Windows Server 2003 – End of Life July 14, 2015
• Windows XP – End of Life April 4, 2014
45 CFR 164.308 & 164.312 – Administrative & Technical Safeguard
Photocopiers – Hard Drives
CBS News: Digital Photocopiers Loaded With Secrets (April 19, 2010)
Affinity Health Plans
Reported Breach to HHS: April 2010. Settlement Agreement: August 2013.
• Settled potential violations of the HIPAA Privacy and Security Rules for $1,215,780.
• Affinity impermissibly disclosed the protected health information of up to 344,579 individuals.
• Affinity returned multiple photocopiers to a leasing agent without erasing the data contained on the copier hard drives.
• Affinity failed to incorporate the electronic protected health information stored in copiers’ hard drives in its analysis of risks and vulnerabilities as required by the Security Rule.
• Affinity failed to implement policies and procedures when returning the hard drives to its leasing agents.
45 CFR 164.310 – Physical Safeguard
What is the proper way to dispose of PHI?
Sanitization and Disposal
NIST Publication 800-88 r1
Medical Records
Radiology Regional Center in Florida notified patients of a possible healthcare data breach after some paper records were found on a street on December 19, 2015. 483,063 individuals were potentially affected.
“A small quantity of records” fell onto the street while being transported by Lee County Solid Waste Division, which is responsible for the disposal of Radiology patient records.
“As a result of our numerous searches, we believe that virtually all of the records were retrieved. To ensure an incident like this does not happen again, we have taken steps to change how paper records are transported and destroyed,” the statement explained. “Lee County Solid Waste Division will no longer be responsible for transporting our records for disposal.”
Law Firm Compliance Obligations
The Omnibus Rule (2013) clarifies: Business Associates and their subcontractors are directly liable under HIPAA and must comply with some of the Privacy Rule, all of the Security Rule and Breach Notification.
• Limiting use and disclosure of PHI
• Impermissible use and disclosure of PHI
• Failing to provide breach notification
• Failing to provide access to a copy of ePHI to the CE or individual
• Failing to account for disclosure of PHI
• Failing to disclose PHI to the Secretary of HHS related to an investigation about the BA’s HIPAA compliance
• Failing to comply with the requirements of the HIPAA Security Rule
• Failing to enter into a subcontractor BAA
Cyber Risk Management
A Caveat About Cyber Insurance
Cyber insurance is not a substitute for a good cyber risk management program, as not all losses may be covered by an insurance policy.
Increasing cyber risks and regulatory violations require cybersecurity to be integrated into your business risk management.
Complacency is not a risk management strategy!
The OCR’s “Roadmap”
Jocelyn Samuels: “It is critical that entities take a comprehensive and thorough approach to assessing and addressing the risk to all of the protected health information they maintain.”
“Have comprehensive policies and procedures for compliance with the HIPAA Rules, but also the P&P must be clearly communicated to and implemented by all workforce members.”
Do You Know Where You Have PHI?
Risk Identification: Where do you create, maintain, transmit or store PHI/ePHI?
HIPAA Risk Assessment
The first Implementation Specification of the Security Rule requires covered entities and business associates to conduct a security risk analysis.
“The one unforgivable in the eyes of the OCR is failure to conduct a risk assessment.”
TRAINING
What employees need to be trained and how?
45 CFR §164.530 Administrative requirements. (b)(1) Standard: Training. A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information required by this subpart and subpart D of this part, as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity.
Educated Workforce
Employee education is paramount: “See Something – Say Something.”
When must training occur?
• Federal – as soon as possible
• Texas – new employees must be trained within 90 days of employment
What written policies and procedures should a firm have?
Beware of P&P Templates – they should reflect what is actually done.
December 2014 Anchorage Community Mental Health Services OCR Settlement Agreement
• In 2012, ePHI was compromised due to malware compromising the security of its IT services.
• $150,000 fine and a plan of correction to be adopted.
• The organization had adopted sample P&P in 2005 but never followed them.
• The breach was a direct result of failing to identify and address basic risks.
Need Expert Guidance?
As the forms of connected technology used by healthcare providers increase, so will their cybersecurity risks. Therefore, providers will need assistance in mitigating the proliferation and diversity of their cyber risks, including help with their:
• IT Systems;
• Privacy, Security, & Breach Risk Assessments;
• Staff Privacy Training; and
• Risk Transfer (cyber insurance).
The Road to HIPAA Compliance (checklist: compliance yes/no)
1. Appoint a Privacy and Security Officer
2. Conduct a Risk Assessment
3. Develop a Risk Management/Mitigation Plan for Risks Identified
4. Create or Update Policies and Procedures
5. Develop a BAA and Subcontractor BAA
6. Develop a Plan for Handling Breaches
7. Workforce Training
8. Consider Cyber Insurance
Questions for Presenters?
Robert G. Smith, Jr., Lorance & Thompson, P.C., Houston, TX
Cathy Bryant, Texas Medical Liability Trust, Austin, TX
Potential Liability for HIPAA Violations: A Primer
Wednesday, March 23, 2016
Thank you for Participating!
To access the PowerPoint presentation from this or any other IADC Webinar, visit our website under the Members Only Tab (you must be signed in) and click on “Resources” then “Past Webinar Materials,” or contact Melisa Maisel Vanis at [email protected].