SLIDE 1
39 Offices in 19 Countries
2
What Keeps You Up at Night? Issues of Fraud and Abuse Compliance - - PowerPoint PPT Presentation
What Keeps You Up at Night? Issues of Fraud and Abuse Compliance - - PowerPoint PPT Presentation
What Keeps You Up at Night? Issues of Fraud and Abuse Compliance Series My Datas Been Stolen: Now What? Part II November 21, 2013 39 Offices in 19 Countries Todays Hosts Thomas E. Zeno Of Counsel, Squire Sanders T +1 513 361 1202
SLIDE 2
SLIDE 3
3
Review of Part I – September 19
- How to know a breach has occurred
- Insider and outsider threats
- Should you notify law enforcement?
- What does HIPAA require about Business
Associates? PowerPoint link:
http://www.squiresanders.com/files/Event/14e2e0c3-5769- 48e6-b68d- f87ef7d1ccff/Presentation/EventAttachment/2d7a653a-eb4a- 4f27-bffd-0147fcdbecc4/My-Data's-Been-Stolen-Now-What- Part-I.pdf
Recording link:
https://cc.readytalk.com/cc/playback/Playback.do?id=9466ij
SLIDE 4
4
Today’s Speakers
Scott A. Edelstein Partner, Squire Sanders T +1 202 626 6602 scott.edelstein@squiresanders.com Thomas J. Hibarger Managing Director, Stroz Friedberg T +1 202 464 5803 thibarger@strozfriedberg.com
SLIDE 5
5
Today’s Agenda
- What more does HIPAA require?
- Data breach remediation
- Tips to prevent a breach
- Pre-planning for a breach
SLIDE 6
6
HIPAA has Teeth
- HHS Office for Civil Rights (OCR)
- U.S. Department of Justice (DOJ)
- State Attorneys General
- Expanded role of FTC
SLIDE 7
7
HIPAA Penalties and Enforcement
- Civil Penalties
- $100 per violation up to a maximum of $1.5 million per
year
- Criminal Penalties
- Up to $50,000; one year jail for wrongful disclosure
- Up to $250,000; ten years jail if intent to sell, transfer or
use PHI for commercial advantage
- Applies to both Covered Entities and Business
Associates
SLIDE 8
8
State Patient Privacy Lawsuits
- No HIPAA private right of action
- Patients still can sue under state common law principles
– e.g., invasion of privacy
- HIPAA as standard of reasonableness?
SLIDE 9
9
State Data Breach Notification Laws
SLIDE 10
10
Other HIPAA Obligations
- Duty to mitigate
- Accounting of disclosures
- Review administrative, technical and physical
safeguards
SLIDE 11
11
Federal Data Breach Notification – General Rule
After discovering a breach of unsecured PHI, a Covered Entity must notify each individual whose information was, or reasonably is believed to have been, accessed, acquired, used, disclosed as a result
SLIDE 12
12
Federal Data Breach Notification - Definitions
- “Unsecured PHI”
- Not rendered unusable, unreadable or indecipherable
– Encryption or destruction encouraged but not required
- “Breach”
- Unauthorized acquisition, access, use or disclosure of PHI
– Compromises the security or privacy of PHI. – Elimination of subjective standard (“significant risk of financial,
reputational, or other harm”)
– New objective standard creates presumption of breach
unless CE/BA demonstrate low probability that PHI has been compromised.
- Exceptions
– Certain unintentional or inadvertent disclosures – Good faith belief recipient reasonably would not retain data
SLIDE 13
13
Federal Breach Notification – Risk Assessment to Determine Low Probability
- Nature and extent of PHI involved (e.g., types of
identifiers and likelihood of re-identification)
- The unauthorized person who used PHI or to
whom PHI was disclosed
- Whether PHI was actually acquired or viewed
- Extent to which the risk to PHI has been
mitigated
SLIDE 14
14
Federal Data Breach Notification – Notification Obligations
- Notification required within 60 days of discovery
- Enforcement rule requires correction in 30 days
- BA failing to notify CE can be penalized directly
- State law may have shorter notice periods (e.g., Calif.)
- Notification:
- Briefly describe what happened and when
- Describe types of unsecured PHI involved
- Describe how individuals can protect themselves
- Briefly describe investigation, mitigation and protection
- Provide contact information
SLIDE 15
15
Federal Data Breach Notification – Form of Notice
- Plain language
- Written
- Via mail (or electronic if individual agrees)
- If deceased, next of kin or personal representative
- Also telephone or other means if urgent
- Substitute notice if contact info insufficient
- < 10, alternative written, telephone or other means
- > 10, either 90-day website posting or media notice
PLUS 90-day toll-free number
SLIDE 16
16
Federal Data Breach Notification – Additional Required Notice
- Media Notification
- > 500 residents of State, notify prominent media outlets
- Within 60 days of breach discovery
- Same content as notice to individuals
- HHS Notification
- > 500, notify HHS at same time as individuals
- < 500, maintain a breach log and notify HHS with 60
days after the end of calendar year
– Hospice of North Idaho settlement Dec. 2012
SLIDE 17
17
Lessons Learned
- Encryption will prevent a lot of headaches
- OCR will have access to everything
- State AGs may become involved
- Media attention
- Enterprise embarrassment
- Consider cyber insurance
- May prompt litigation
- Between covered entities and business associates
– Who will pay costs associated with notification? – Security incident versus breach – Enforcement of agreements with offshore BAs
- By affected individuals
SLIDE 18
18
Key Steps
- Organize your network data
- Update Policies and Procedures
- Develop a Response Plan
- Perform a Risk Assessment
SLIDE 19
19
Organize Your Network Data
- Map your critical assets
- Record backup schedules and inventories
- Update user lists
- Centralize logging functions
SLIDE 20
20
Update Policies and Procedures
- Conform them to HIPAA Security and Privacy
Audit Protocols
- Account for New Technology
- Text Messaging
- Social Media
- BYOD
- Cloud Computing
SLIDE 21
21
BYOD – Bring Your Own Device
http://blogs.wsj.com/riskandcompliance/2013/09/26/hospitals-allowing-byod-face-complications-with-new-hipaa-rule/
- Consider the risk implications of BYOD vs. convenience
- Where is the perimeter of your network and who controls
it?
- ePHI transmitted via emails, texts, attached documents
- ePHI must be secured in transit and at rest - container
- iOS vs. Android
SLIDE 22
22
Develop a Response Plan
- Management endorsement
- Contact lists
- Legal analysis and timeline
- Categories of adverse events
- Facilities and equipment list
- Outreach plan
- An effective team
SLIDE 23
23
The Cloud
- OCR Guidance that Cloud providers are
Business Associates
SLIDE 24
24
Develop a Response Plan – Effective Team
SLIDE 25
25
Communication
- Other Key Constituents
- Team Members
− Outside & in-house counsel − Compliance, HR, IT − Business managers, public affairs − Experts
- Board/CEO, Executives
- Employees
- Shareholders
- Unaffected Patients, Providers, or Customers
SLIDE 26
26
Perform a Risk Assessment
- The HIPAA Security Rule requires it
- HHS auditors report it as one of the most
common compliance failures
SLIDE 27
27
Preservation
- Unhook infected machines
- Do NOT poke around
- Insert clean and patched machines
- Call experts to image infected machines
- Save off log files
- Pull needed backup(s) out of rotation
- Save keycard data and surveillance tapes
- Start real-time packet capture
- Force password changes
SLIDE 28
28
Breach Timeline
SLIDE 29
29
Mitigating Your Risks Simple steps to reduce risk of compromising your data and systems
- Encrypt data – in motion and at rest
- Install software security patches
- Train employees to avoid security threats
- Robust passwords; changed; no default passwords
- Use multi-factor authentication for remote access
- Employees from outside the office
- Sensitive on-line accounts such as financial and cloud
storage of patient data
- Terminate dormant user accounts
- Use up-to-date virus scanning software
- Periodically audit compliance with data security
rules
SLIDE 30
30
Mitigating Your Risks
- Don’t store data you don’t need
- Know where your data is
- Use internal network walls to
protect sensitive data
- Train employees to spot and
report anomalies
- Monitor logs in your system to
detect anomalies
Simple steps to reduce the damage if/when a compromise occurs
SLIDE 31
31
Mitigating Your Risks Steps for reducing insider cybercrime and data breach risk
- Create written employee conduct policies
- Include social media use policies
- Restrict internet sites able to exfiltrate sensitive data
- Create tiered access to sensitive information
- Not everyone needs access to everything
- Check background of employees with access to
sensitive information
- Restrict use of external storage devices
SLIDE 32
32
Mitigating Your Risks Steps for reducing insider cybercrime and data breach risk (con’t)
- Implement employee exit procedures
- Acknowledgement of post-employment obligations
- Termination of account access
- Dual controls for access to certain sensitive data
SLIDE 33
33
Mitigating Your Risks Reducing the risk of employee negligence
- Good risk management of malicious conduct
- Encryption
- Don’t store data unnecessarily
- Encryption
- Data security policies and audits
- Encryption
- Employee training
- Audit compliance with data security rules
SLIDE 34
34
Tips for Avoiding Data Breaches
- Conduct random security audits
- Perform random reviews of access logs
- Have strong physical safeguards for areas where
paper records are stored and used
- Don't store PHI on laptop hard drive or desktop
- Address administrative and physical safeguards
clearly for storage devices and removable media
SLIDE 35
35
Hypothetical
A Business Associate contracted to send invoices to patients experiences a computer error which mismatches the patient’s name and address resulting in 200 bills sent to the wrong address. Eighty bills were returned unopened.
SLIDE 36
36
Stay Alert
SLIDE 37
37
Thank You for Joining Our Webinar
Questions?
SLIDE 38
38
Thank You for Joining Our Webinar
Contact us with other topics, questions or issues:
- Scott Edelstein: scott.edelstein@squiresanders.com
- Tom Hibarger: thibarger@strozfriedberg.com
- Tom Zeno: thomas.zeno@squiresanders.com
- Emily Root: emily.root@squiresanders.com
SLIDE 39
39 Offices in 19 Countries