Health Insurance Portability and Accountability Act (HIPAA): Breach - - PowerPoint PPT Presentation

SLIDE 1

Health Insurance Portability and Accountability Act (HIPAA): Breach Notification Rule

April 2019 Alissa Smith

SLIDE 2

Outline of Presentation

  • HIPAA Breach Notification Rule Overview
  • Updates on OCR Enforcement
    – Complaints
    – Investigations
    – Settlement Amounts
  • Examples

SLIDE 3

HIPAA Breach Notification Rule

Breach: The access, acquisition, use or disclosure of unsecured PHI not permitted under the Privacy Rule that compromises the security or privacy of the PHI.

Unsecured PHI: PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by HHS (e.g., encrypted, shredded).

SLIDE 4

HIPAA Breach Notification Rule (cont’d)

  • A potential breach is presumed to be a “breach” (requiring breach notification) unless an exclusion applies or a 4-part risk assessment demonstrates that there is a low probability that the PHI has been compromised.

SLIDE 5

HIPAA Breach Notification Rule: Exclusions

  • Three Exclusions
    – Good faith internal access
    – Good faith internal disclosure
    – External disclosure, but with a good faith belief that the person to whom the disclosure was made would not reasonably have been able to retain the information

SLIDE 6

HIPAA Breach Notification Rule: Risk Assessment

  • In order to determine that a breach notification is not required, the covered entity must have addressed all four factors in the risk assessment and determined that the use/disclosure of the PHI poses a low probability that the PHI has been compromised.
  • OCR expects risk assessments to be thorough, completed in good faith, and for the conclusions reached to be reasonable.
  • Retain documentation of the investigation, risk assessment and all notifications (6 years).

SLIDE 7

HIPAA Breach Notification Rule: 4-Part Risk Assessment

1. The nature and extent of the PHI involved (including the types of PHI and the likelihood of re-identification);
2. The unauthorized person who used the PHI or to whom the disclosure was made;
3. Whether the PHI was actually acquired or viewed; and
4. The extent to which the risk to the PHI has been mitigated.

After considering these factors, the CE must presume there is a “breach” requiring notification unless the analysis demonstrates that there is a low probability that the PHI has been compromised.

SLIDE 8

Breach Notifications: the who, when, and how

Small (less than 500 individuals)

  • Affected individuals
    – No later than 60 days after breach discovery
    – Delivered by first-class mail (unless an individual agrees to email)
  • The Secretary of Health and Human Services
    – No later than 60 calendar days after the end of the calendar year in which the breach(es) were discovered

Large (500+ individuals)

  • Affected individuals
    – No later than 60 days after breach discovery
    – Delivered by first-class mail (unless an individual agrees to email)
  • The Secretary of Health and Human Services
    – No later than 60 calendar days after the breach(es) were discovered
  • The Media
    – Breaches involving 500+ residents of a state or jurisdiction: all prominent media outlets of the state or jurisdiction
    – No later than 60 days after breach discovery
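The decision logic from the preceding slides (presumed breach, the three exclusions, the 4-factor assessment that must be fully documented, and the small/large notification timing) written out as a checker. This is an added example, not part of the presentation or any OCR tool; the field names, the per-state resident counts used for the media threshold, and the sample dates are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, Optional


@dataclass
class RiskAssessment:
    """The 4-part risk assessment. All four factors must be documented before a
    low-probability conclusion can displace the breach presumption."""
    nature_and_extent: str = ""    # 1: types of PHI, likelihood of re-identification
    unauthorized_person: str = ""  # 2: who used or received the PHI
    acquired_or_viewed: str = ""   # 3: whether the PHI was actually acquired/viewed
    mitigation: str = ""           # 4: extent to which the risk has been mitigated
    low_probability: bool = False  # the conclusion the covered entity reached

    def complete(self) -> bool:
        return all([self.nature_and_extent, self.unauthorized_person,
                    self.acquired_or_viewed, self.mitigation])


@dataclass
class Incident:
    discovered: date
    affected: int                  # individuals whose PHI was involved
    unsecured: bool = True         # False if encrypted/destroyed per HHS guidance
    exclusion: bool = False        # one of the three good-faith exclusions applies
    assessment: Optional[RiskAssessment] = None
    residents_by_state: Dict[str, int] = field(default_factory=dict)  # assumed input


def make_incident(discovered_iso: str, affected: int, **kw) -> Incident:
    return Incident(date.fromisoformat(discovered_iso), affected, **kw)


def is_reportable_breach(inc: Incident) -> bool:
    """Presume a breach unless the PHI was secured, an exclusion applies, or a
    complete 4-factor assessment concluded a low probability of compromise."""
    if not inc.unsecured or inc.exclusion:
        return False
    a = inc.assessment
    return not (a is not None and a.complete() and a.low_probability)


def notification_deadlines(inc: Incident) -> dict:
    """Who must be notified by when (ISO dates), per the small/large split."""
    if not is_reportable_breach(inc):
        return {}
    sixty_days = inc.discovered + timedelta(days=60)
    out = {"individuals": sixty_days.isoformat()}
    if inc.affected >= 500:                       # large: HHS within 60 days of discovery
        out["hhs"] = sixty_days.isoformat()
    else:                                         # small: 60 days after the calendar year ends
        year_end = date(inc.discovered.year, 12, 31)
        out["hhs"] = (year_end + timedelta(days=60)).isoformat()
    # Media notice only for states/jurisdictions with 500+ affected residents.
    media = sorted(s for s, n in inc.residents_by_state.items() if n >= 500)
    if media:
        out["media"] = {"states": media, "by": sixty_days.isoformat()}
    return out
```

An incomplete assessment never clears the presumption, matching the slide's requirement that all four factors be addressed.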

SLIDE 9

Breach Notification: Information

  • Notification Must be Detailed
    – a brief description of what happened, including the date of the Breach and the date of discovery of the Breach;
    – a description of the types of Unsecured PHI involved (without, however, including specific PHI);
    – any steps Individuals should take to prevent potential harm resulting from the Breach;
    – a brief description of what the Covered Entity is doing (i) to investigate the Breach, (ii) to mitigate harm to Individuals and (iii) to protect against further Breaches; and
    – contact procedures for Individuals to ask questions or learn additional information, including a toll free telephone number, email address, website, or postal address.

SLIDE 10

HIPAA Enforcement

  • HHS OCR interprets and enforces the Privacy Rule, Security Rule and Breach Notification Rule
  • Civil Penalties: Up to $1.5M/violation
  • Criminal Penalties: Up to $250K and 10 years in prison
  • No Private Right of Action (Note: state privacy laws and data breach notification laws may include private rights of action)
  • Liability for Actions of Business Associates
    – Approximately 20% of PHI data breaches have been caused by Business Associates

SLIDE 11

State Data Privacy and Breach Notification Laws

  • In addition to HIPAA, almost all states across the country have adopted various laws that require breach notification, privacy and confidentiality standards, and impose additional penalties.
    – Iowa Personal Information Security Breach Notification (715C)
    – Iowa Mental Health Information Privacy Law (228)
    – Iowa HIV/AIDS Test Information Privacy Law (141A)
    – Iowa and Federal Substance Abuse Treatment Records Privacy Law (125)

SLIDE 12

Current State of Affairs

  • External threats at an all-time high: hacking, ransomware
  • Internal threats are the largest source of risk for covered entities: snooping, social media, phishing attacks

  • More individual complaints
  • OCR enforcement posture more aggressive
  • OCR widening review of small breaches
  • Settlement amounts are increasing

SLIDE 13

Statistics: 2019

  • Between April 2003 and July 2017, the OCR has:
  • Since the implementation of the Privacy Rule in April 2003:
    – 184,614 HIPAA complaint cases/potential breaches have been reported
  • OCR initiated over 928 compliance reviews on its own
    – OCR resolved 199,485 complaint cases (98%)
  • Investigated/resolved 26,621 cases by requiring changes through corrective action or providing technical assistance
  • Made 717 referrals to the DOJ for criminal sanctions
  • Reached settlements (called Resolution Agreements) with 62 entities since 2009, totaling $96,581,582
    – Almost all Settlements are a result of an initial breach notification
    – Almost all Settlements include a 2 to 3-year corrective action plan

SLIDE 14

  • OCR Concluded 2018 with All-Time Record Year for HIPAA Enforcement
    – February 7, 2019 press release: OCR has concluded an all-time record year in HIPAA enforcement activity. In 2018, OCR settled 10 cases and secured one judgment, together totaling $28.7 million. This total surpassed the previous record of $23.5 million from 2016 by 22 percent. In addition, OCR also achieved the single largest individual HIPAA settlement in history of $16 million with Anthem, Inc., representing a nearly three-fold increase over the previous record settlement of $5.5 million in 2016.

SLIDE 15

Statistics: 2019

  • Since the beginning of 2019, 71 large-scale (500 or more) breaches have been reported to the OCR
  • Breaches are categorized by the following:
    – Type (theft, loss, etc.)
    – Location (desktop, portable device, email, etc.)
    – Entity (health plan or health provider)

SLIDE 16

Statistics

[Pie chart: Type of Breach. Categories: Theft, Hacking/IT Incident, Improper Disposal, Loss, Unauthorized Access/Disclosure, Unknown/Other. Percentage labels extracted from the chart: 14%, 62%, 1%, 0%, 23%, 0%.]

SLIDE 17

Statistics

[Pie chart: Location of Breach. Categories: Desktop, Laptop, Paper/Films, Electronic Medical Record, Network Server, Email, Other Portable Electronic Device, Other. Percentage labels extracted from the chart: 9%, 9%, 5%, 20%, 25%, 25%, 1%, 6%.]

SLIDE 18

Statistics

[Pie chart: Type of Covered Entity. Categories: Health Plan, Healthcare Clearing House, Healthcare Provider. Percentage labels extracted from the chart: 23%, 0%, 77%.]

SLIDE 19

Resolution Agreements (RAs) & Corrective Action Plans (CAPs) Example:

  • University of Texas MD Anderson Cancer Center (Summary Judgment issued July 18, 2018)
  • Three separate breaches occurred between April 2012 and December 2013
    – The first breach involved the theft of an unencrypted laptop that contained the ePHI of 29,021 individuals
    – The second and third breaches were both losses of unencrypted USB devices that contained ePHI for 5,862 individuals
  • Resolution Agreement Amount: $4.3 million

SLIDE 20

Resolution Agreements (RAs) & Corrective Action Plans (CAPs) Example:

  • Boston Medical Center, Brigham and Women’s Hospital and Massachusetts General Hospital (September 2018)
  • At the three separate medical centers, PHI was compromised by inviting documentary film crews from ABC onto the premises without first obtaining authorization from patients.
  • Collectively, the medical centers paid around $990,000
    – Boston Medical Center: $100,000
    – Brigham and Women’s Hospital: $384,000
    – Massachusetts General Hospital: $515,000
  • Length of CAPs
    – Boston Medical Center: 2 years
    – Brigham and Women’s Hospital: unspecified
    – Massachusetts General Hospital: 1 year

SLIDE 21

Resolution Agreements (RAs) & Corrective Action Plans (CAPs) Example:

  • Anthem, Inc. (October 15, 2018)
  • In March 2015, Anthem, an independent licensee of the Blue Cross and Blue Shield Association, reported that their IT system had been attacked “via an undetected continuous and targeted cyberattack”
    – Between December 2, 2014 and January 27, 2015, the ePHI of almost 79 million individuals had been stolen
    – Making this the largest health data breach in US history
  • Resolution Agreement Amount: $16,000,000
  • Length of CAPs: 2 years

SLIDE 22

Resolution Agreements (RAs) & Corrective Action Plans (CAPs) Example:

  • Allergy Associates of Hartford, PC (AAH) (November 26, 2018)
  • In February 2015, a doctor working for AAH spoke with a local television reporter about a dispute with a patient
    – The patient had alleged that AAH had turned her away because of the use of her service animal
    – During the conversation, the doctor “impermissibly disclosed the PHI” of the patient
  • Resolution Agreement Amount: $125,000
  • Length of CAPs: 2 years

SLIDE 23

Resolution Agreements (RAs) & Corrective Action Plans (CAPs) Example:

  • Advanced Care Hospitalists PL (ACH) (December 4, 2018)
  • Between November 2011 and June 2012, ACH engaged the services of a representative of a Florida-based company called “Doctor’s First Choice Billings, Inc.” (First Choice)
    – In February of 2014, a local hospital alerted ACH that patient PHI, including DOBs and SSNs, could be seen on First Choice’s website
    – After ACH self-reported, believing only 400 individuals were affected, the OIG discovered not only that an additional 8,855 patients’ PHI had been disclosed, but that ACH had never entered into a BAA with First Choice
    – Finally, the representative working with ACH had not belonged to First Choice, but was using First Choice’s name and website without the owner’s knowledge.
  • Resolution Agreement Amount: $500,000
  • Length of CAPs: 2 years

SLIDE 24

Resolution Agreements (RAs) & Corrective Action Plans (CAPs) Example:

  • Pagosa Springs Medical Center (PSMC) (December 11, 2018)
  • A former employee of PSMC had continued access to PSMC’s web-based scheduling calendar, allowing the former employee access to the ePHI of 557 individuals
  • Resolution Agreement Amount: $114,500
  • Length of CAPs: 2 years

SLIDE 25

Resolution Agreements (RAs) & Corrective Action Plans (CAPs) Example:

  • Cottage Health (December 2018)
  • Two separate breaches affecting over 62,500 individuals
  • The first breach occurred in December 2013
    – The configuration of Cottage Health’s server allowed access to patient ePHI without requiring a username or password, so anyone with access to Cottage Health’s server had access to patient PHI
  • The second breach occurred in December 2015
    – Cottage Health’s server was “misconfigured following an IT response to a troubleshooting ticket, exposing unsecured ePHI over the internet”
  • Resolution Agreement Amount: $3,000,000
  • Length of CAPs: 3 years

SLIDE 26

Personal Lawsuits

  • HIPAA does not provide for a private right of action for plaintiffs.
  • Violations are subject only to enforcement actions by OCR or SAG on behalf of plaintiffs.
  • BUT
    – Courts in some states have allowed plaintiffs to use HIPAA as a standard of care/legal duty in state law tort negligence actions against healthcare providers for privacy violations
    – Claims have included losses/injuries from slander/defamation, financial, reputational, negligent infliction of emotional distress
    – E.g.: Connecticut, New York, Massachusetts, Missouri, West Virginia, Tennessee, Minnesota, and North Carolina.

SLIDE 27

Data Breach Litigation Trends

  • The most common causes of data breaches in the healthcare setting are:
    – (1) Hacking and IT incidents; and
    – (2) Unauthorized access and disclosure incidents.
  • Why?
    – On the black market, a social security number or credit card number is only worth pennies. The value of a full medical record is between $500-$1,000.
  • Medical records can be used for submitting fraudulent insurance claims, obtaining prescription drugs, and blackmail.

SLIDE 28

Data Breach Litigation Trends, Cont.

  • No comprehensive national rules or legislation in place for litigation for breaches.
  • Federal Level
    – Claims brought under section 5(a) of the Federal Trade Commission Act for engaging in “unfair” or “deceptive” trade practices.
      • E.g., FTC v. Wyndham Worldwide Corp., 10 F. Supp. 3d 602 (D.N.J. 2014); Fed. Trade Comm’n v. D-Link Sys., No. 3:17-cv-00039-JD (N.D. Cal. Sept. 19, 2017).
  • State Level
    – Attorneys General bring suits for violations of state-specific data breach laws; extensions of unfair consumer practices or unfair trade practices statutes.
      • Note: Iowa Code 715C (“Personal Information Security Breach Protection”) specifically exempts HIPAA compliant entities.

SLIDE 29

Class Action Lawsuits:

  • On November 25, 2018, a plaintiff going by the name Jane Doe filed a class action lawsuit against UnityPoint Health (UPH)
  • The complaint cites 2 UPH data breaches related to patient records
    – 1 in 2017 involving 16,429 individuals
    – 1 in 2018 involving 1.4 million individuals
  • These breaches divulged the following PHI:
    – Contact information such as: names, phone numbers, email address, etc.
    – Billing information such as: insurance information, Medicare numbers, billing numbers, etc.
    – Health information such as: diagnoses, lab results, medications, etc.
  • Complaints include:
    – Invasion of Privacy
    – Negligent Training and Supervision
    – Negligence
    – Breach of Contract
  • This is the first class action lawsuit of its kind to be filed in the state of Iowa
  • Amount being sought: $5,000,000

SLIDE 30

Class Action Lawsuits:

  • In February 2019, Community Health Systems (CHS) settled a class action lawsuit that affected 4.5 million individuals
  • In August 2014, a “group originating from China used highly sophisticated malware and technology to attack” in a cyberattack against CHS
  • Under the terms of the settlement, individuals are eligible to receive $250
    – Individuals who had to pay for out-of-pocket losses “attributable to actual identity fraud and/or identity theft that allegedly occurred as a result” of the breach are eligible to claim up to $5,000
  • Settlement Amount: $3.1 million

SLIDE 31

Lessons to be Learned: Preventing Breaches

  • The exposure of PHI can be technical (unencrypted devices) and non-technical (loss of papers/property containing PHI); resources should be applied to prevent both
  • There is no substitute for customized, implemented HIPAA policies and procedures, with frequent training of staff to mitigate risk from the inside
  • Business grade IT security is critical to mitigate risk from outside threats
  • Ongoing implementation of risk assessments is critical to update responses as business and technology evolve
  • Screen and monitor BAs (there are more than 7M BAs in the US)

SLIDE 32

Lessons to be Learned: Responding to Breaches

  • Analyze potential breaches in good faith. 45 CFR 400
  • Hire counsel and consultants if needed to evaluate the issues
  • Use a breach response team to ensure multiple perspectives; follow breach response policies and protocol (e.g., forms, 2-person interviews, when to hire outside experts, attorney-client privilege considerations)
  • Review applicable contracts (e.g., BAAs) to determine other terms which may govern breach response/notice/indemnification
  • Ensure a process is provided for individuals to make complaints regarding HIPAA. 45 CFR 164.530(d)
  • Ensure appropriate sanctions are applied to workforce members who fail to comply. 45 CFR 164.530(e)
  • Do not intimidate or retaliate against any person who files a complaint, testifies or assists in an OCR investigation or proceeding, or who opposes any act or practice that is unlawful under HIPAA. 45 CFR 160.316
  • Mitigate any harmful effects (to the extent practicable) (e.g., credit monitoring) 45 CFR 164.530(e)
  • Report all breaches timely in accordance with HIPAA’s Breach Notification Rule. 45 CFR 400
  • Report breaches as required under applicable state law

SLIDE 33

Lessons to be Learned: Responding to Breaches (cont’d)

  • Review and update policies if needed to ensure non-compliance will not happen in the future (and to be prepared in the event of an investigation)
  • Retrain staff if needed to prevent non-compliance; prepare key staff for what to expect in the event of an investigation
    – Where are the policies; what do the policies say; who are the internal privacy and security officers
  • Have policies, procedures, breach risk assessments, security risk analysis, investigation materials, copies of breach notifications, and other compliance documentation organized and ready in case of an investigation

SLIDE 34

HIPAA Breaches: What Are My Resources?

  • Office for Civil Rights Website with Breach Notification Toolkit: https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html
  • Office for Civil Rights Database of all Large Breaches: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
  • OCR Ransomware Fact Sheet: https://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf
  • OCR Publishes Quarterly Cybersecurity Newsletters: https://www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity-newsletter-spring-2019/index.html
  • HIPAA Privacy and Security Policies and Procedures and Officers

SLIDE 35

Real World Example

  • Mat-Su Borough, Alaska:
    – Zero Day, Advanced Persistent Threat Ransomware Attack
    – Malware in a link clicked on by an employee May 3, 2018
    – Dormant until July 24, 2018, and then a “crypto locker” was launched to lock/encrypt data files
    – Infected all IT systems connected to the network (computers, phones, faxes, printers, copiers)
    – Resorted to using typewriters, handwritten forms
    – Reported to the FBI and shipped all computers, etc. to be cleaned
    – Decided not to pay the ransom due to a strong backup system
    – IT analysts could not determine whether attackers accessed PHI
    – Is it a breach?

SLIDE 36

Questions?

Alissa Smith
Partner, Dorsey & Whitney, LLP
smith.alissa@dorsey.com
(515) 699-3267