P2. Health Information Privacy and Security Standards

Size: px

Start display at page:

Download "P2. Health Information Privacy and Security Standards"

Arnold Perry
6 years ago
Views:

P2. Health Information Privacy and Security Standards Adam Greene, Partner Davis Wright Tremaine LLP Iliana Peters, Senior Advisor for HIPAA Compliance and Enforcement, HHS Office for Civil Rights

1 P2. Health Information Privacy and Security Standards Adam Greene, Partner Davis Wright Tremaine LLP Iliana Peters, Senior Advisor for HIPAA Compliance and Enforcement, HHS Office for Civil Rights Marti Arvin VP Audit Strategy CynergisTek, Inc. Agenda What s New with HIPAA Enforcement Update (Iliana) Recurring Security Compliance Issues (Iliana) AGs, DOJ, FTC, and Class Actions (Adam) Practical Tips for Working with OCR and state agencies (Marti) Panel Discussion 2 What s New with HIPAA Enforcement Update 3 1

2 Access Guidance Precision Medicine and Access Guidance OCR provided guidance on individuals access to their protected health information under the Privacy Rule in two releases. The second release included detailed guidance on permissible fees. 4 Cybersecurity NIST Cybersecurity Framework OCR released a crosswalk, developed with NIST and ONC, that identifies mappings between the NIST Framework for Improving Critical Infrastructure Cybersecurity (the Cybersecurity Framework) and the Security Rule. The crosswalk also includes mappings to other commonly used security frameworks. professionals/security/nistsecurity hipaa crosswalk/index.html 5 Cybersecurity Ransomware Guidance OCR recently released guidance on ransomware. The new guidance reinforces activities required by HIPAA that can help organizations prevent, detect, contain, and respond to threats

3 Audit Program OCR is using FCi Federal contractors to help support the next phase of the audit program. They have been trained and are working closely with OCR in house. OCR has been verifying contact information for business associates and covered entities to be included in the next round of audit activities Next round will mostly consist of desk audits, although some onsite audits should also be expected Additional information on OCR s website. 7 OCR Audit Program Best advice be prepared Good news If you have not been selected for a desk audit you won t be in this round Bad news you could still be selected for an onsite audit You could still be part of an enforcement action OCR announced its intention to increase reviews of entities reporting breaches of less than 500 individuals Timelines are tight Know where the data is Modify processes if needed to better prepare your organizations Coordinate efforts between privacy and information security 8 HIPAA Breach Highlights September 2009 through June 30, 2016 Approximately 1,601 reports involving a breach of PHI affecting 500 or more individuals Theft and Loss are 45% of large breaches Hacking/IT now account for 12% of incidents Laptops and other portable storage devices account for 29% of large breaches Paper records are 23% of large breaches Individuals affected are approximately 159,074,609 Approximately 232,297 reports of breaches of PHI affecting fewer than 500 individuals 9 3

HIPAA Breach Highlights Improper Disposal 4% Other 6% Unknown 1% Hacking/IT 12% Unauthorized Access/Disclosure 24% Theft 45% Loss 9% 10 HIPAA Breach Highlights EMR 5% Email 8% Other

4 HIPAA Breach Highlights Improper Disposal 4% Other 6% Unknown 1% Hacking/IT 12% Unauthorized Access/Disclosure 24% Theft 45% Loss 9% 10 HIPAA Breach Highlights EMR 5% 8% Other 10% Paper Records 23% Network Server 14% Desktop Computer 11% Portable Electronic Device 10% Laptop 19% 11 Enforcement Process HIPAA Privacy and Security Rule Complaint Process 12 4

5 Enforcement Highlights (as of 7/31/16) Settlement/CMP, 39, 0% No Violation, 10,055, 8% Technical Assistance, 14,535, 11% Administrative Resolutions, 82,521, 63% Corrective Action, 24,331, 18% Enforcement Actions Advocate Health Care Settles Potential HIPAA Penalties for $5.55 Million August 4, 2016 Multiple alleged HIPAA violations result in $2.75 million settlement with the University of Mississippi Medical Center (UMMC) July 21, 2016 Widespread HIPAA vulnerabilities result in $2.7 million settlement with Oregon Health & Science University July 18, 2016 Business Associate s Failure to Safeguard Nursing Home Residents PHI Leads to $650,000 HIPAA Settlement June 29, 2016 Unauthorized Filming for NY Med Results in $2.2 Million Settlement with New York Presbyterian Hospital April 21, 2016 $750,000 settlement highlights the need for HIPAA business associate agreements Improper disclosure of research participants protected health information results in $3.9 million HIPAA settlement March 17, 2016 $1.55 million settlement underscores the importance of executing HIPAA business associate agreements March 16, 2016 Physical therapy provider settles violations that it impermissibly disclosed patient information February 16, 2016 Administrative Law Judge rules in favor of OCR enforcement, requiring Lincare, Inc. to pay $239,800 February 3, Experience in working with OCR What is it like on the other side of an OCR complaint? So you got the letter from OCR regarding a complaint they have received. Now what? Is it something you are aware of already? If not, why not? 15 5

6 You are the subject of an OCR investigation Now what? Think about what the issue is and be prepared for OCR s questions and document requests Based on the RA/CAPs and the audit protocol there are certain items you can almost guarantee they will ask about Remember they can ask for anything, it is not necessarily limited to the issue that triggered the investigation 16 You are the subject of an OCR investigation Now what? Educate workforce members on what their involvement with OCR might be Define who will be doing what in the process. Have a small group designated to deal directly with the OCR representative(s) 17 Recurring Security Compliance Issues 18 6

7 Business Associate Agreements Lack of Business Associate Agreements The HIPAA Rules generally require that covered entities and business associates enter into agreements with their business associates to ensure that the business associates will appropriately safeguard protected health information. See 45 C.F.R (b). Examples of Potential Business Associates: A collections agency providing debt collection services to a health care provider which involves access to protected health information. An attorney whose legal services to a health plan involve access to protected health information. An independent medical transcriptionist that provides transcription services to a physician. A subcontractor providing remote backup services of PHI data for an IT contractor business associate of a health care provider. 19 Business Associate issues Do you have a complete list? Who is responsible for assessing the need for a BAA? How well trained are the parties that can contract for you regarding when a BAA is needed? 20 Risk Analysis Incomplete or Inaccurate Risk Analysis Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [organization]. See 45 C.F.R (a)(1)(ii)(A). Organizations frequently underestimate the proliferation of ephi within their environments. When conducting a risk analysis, an organization must identify all of the ephi created, maintained, received or transmitted by the organization. When identifying ephi, be sure to consider: Applications (EHR, PM, billing systems; documents and spreadsheets; database systems and web servers; fax servers, backup servers; etc.) Computers (servers, workstations, laptops, virtual and cloud based systems, etc.) Medical Devices (tomography, radiology, DXA, EKG, ultrasounds, spirometry, etc.) Messaging Apps ( , texting, ftp, etc.) Mobile and Other Devices (tablets, smartphones, copiers, digital cameras, etc.) Media (tapes, CDs/DVDs, USB drives, memory cards, etc.) 21 7

Risk Analysis Guidance http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrul e/rafinalguidance.html http://scap.nist.gov/hipaa/ http://www.healthit.

measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with [the Security Rule]. See 45 C.F.R. 164.308(a)(1)(ii)(B).

8 Risk Analysis Guidance e/rafinalguidance.html providers professionals/ security risk assessment 22 Risk Management Failure to Manage Identified Risk, e.g. Encrypt The Risk Management Standard requires the [implementation of] security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with [the Security Rule]. See 45 C.F.R (a)(1)(ii)(B). Investigations conducted by OCR regarding several instances of breaches uncovered that risks attributable to a reported breach had been previously identified as part of a risk analysis, but that the breaching organization failed to act on its risk analysis and implement appropriate security measures. In some instances, encryption was included as part of a remediation plan; however, activities to implement encryption were not carried out or were not implemented within a reasonable timeframe as established in a remediation plan. 23 Mobile Device Security gov/mobiledevices 24 8

9 Expectations meet reality What does OCR guidance mean from a practical operational view? Can you ever know where all of you PHI is when it comes to mobile devices? What can you do to know more? OCR is looking for reasonable processes 25 Transmission Security Lack of Transmission Security When electronically transmitting ephi, a mechanism to encrypt the ephi must be implemented whenever deemed appropriate. See 45 C.F.R (e)(2)(ii). Applications for which encryption should be considered when transmitting ephi may include: Texting Application sessions File transmissions (e.g., ftp) Remote backups Remote access and support sessions (e.g., VPN) 26 Auditing Lack of Appropriate Auditing The HIPAA Rules require the [implementation] of hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information. See 45 C.F.R (b). Once audit mechanisms are put into place on appropriate information systems, procedures must be implemented to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. See 45 C.F.R (a)(1)(ii)(D). Activities which could warrant additional investigation: Access to PHI during non business hours or during time off Access to an abnormally high number of records containing PHI Access to PHI of persons for which media interest exists Access to PHI of employees 27 9

10 How much auditing is enough? Does OCR expect you to look at every transaction? As with all risk based processes, the covered entity must review risks and decide appropriately. Increasing level of software and other solutions make the process more efficient and effective. 28 Software Patching No Patching of Software The use of unpatched or unsupported software on systems which access ephi could introduce additional risk into an environment. Continued use of such systems must be included within an organization's risk analysis and appropriate mitigation strategies implemented to reduce risk to a reasonable and appropriate level. In addition to operating systems, EMR/PM systems, and office productivity software, software which should be monitored for patches and vendor end of life for support include: Router and firewall firmware Anti virus and anti malware software Multimedia and runtime environments (e.g., Adobe Flash, Java, etc.) 29 Insider Threat Insider Threat Organizations must [i]mplement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information and to prevent those workforce members who do not have access from obtaining access to electronic protected health information, as part of its Workforce Security plan. See 45 C.F.R (a)(3). Appropriate workforce screening procedures could be included as part of an organization s Workforce Clearance process (e.g., background and OIG LEIE checks). See 45 C.F.R (a)(3)(ii)(B). Termination Procedures should be in place to ensure that access to PHI is revoked as part of an organization s workforce exit or separation process. See 45 C.F.R (a)(3)(ii)(C)

11 Disposal Improper Disposal When an organization disposes of electronic media which may contain ephi, it must implement policies and procedures to ensure that proper and secure disposal processes are used. See 45 C.F.R (d)(2)(i). The implemented disposal procedures must ensure that [e]lectronic media have been cleared, purged, or destroyed consistent with NIST Special Publication : Guidelines for Media Sanitization, such that the PHI cannot be retrieved. Electronic media and devices identified for disposal should be disposed of in a timely manner to avoid accidental improper disposal. Organizations must ensure that all electronic devices and media containing PHI are disposed of securely; including non computer devices such as copier systems and medical devices. 31 Contingency Planning Insufficient Data Backup and Contingency Planning Organizations must ensure that adequate contingency plans (including data backup and disaster recovery plans) are in place and would be effective when implemented in the event of an actual disaster or emergency situation. See 45 C.F.R (a)(7). Leveraging the resources of cloud vendors may aid an organization with its contingency planning regarding certain applications or computer systems, but may not encompass all that is required for an effective contingency plan. As reasonable and appropriate, organizations must periodically test their contingency plans and revise such plans as necessary when the results of the contingency exercise identify deficiencies. See 45 C.F.R (a)(7)(ii)(D). 32 Security Rule Resources professionals/security/index.html The Security Rule Security Rule History Security Rule Guidance and Notices NIST Toolkit FAQs 33 11

AGs, DOJ, FTC, and Class Actions 34 Attorneys General and HIPAA Minnesota Indiana New York Vermont Massachusetts Five HIPAA actions Connecticut Two HIPAA actions 35 Department of Justice and HIPAA

12 AGs, DOJ, FTC, and Class Actions 34 Attorneys General and HIPAA Minnesota Indiana New York Vermont Massachusetts Five HIPAA actions Connecticut Two HIPAA actions 35 Department of Justice and HIPAA Knowingly obtaining or disclosing PHI in violation of HIPAA: $50,000 and/or up to one year imprisonment $100,000 and/or up to five years imprisonment if false pretenses $250,000 and/or up to ten years imprisonment if commercial advantage, personal gain, or malicious harm 36 12

Department of Justice and HIPAA Benton was an employee at Tampa General Hospital (TGH) and had access to the personal health information of thousands of patients.

sentenced Shanakia Benton to three years in federal prison for wrongful disclosure of individual identifiable health information and wire fraud.

13 Department of Justice and HIPAA Benton was an employee at Tampa General Hospital (TGH) and had access to the personal health information of thousands of patients. Benton and her accomplices []used that information to file at least 29 false tax returns seeking refunds totaling $226,000. sentenced Shanakia Benton to three years in federal prison for wrongful disclosure of individual identifiable health information and wire fraud. 37 FTC CVS Caremark (2009) Rite Aid (2010) LabMD (2013, under appeal) Accretive Health (2014) GMR Transcription Services (2014) PaymentsMD (2015) Henry Schein Practice Solutions (2016) 38 Section 5 of the FTC Act Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful

14 Section 5 of the FTC Act The central focus of any inquiry regarding unfairness is consumer injury a finding of unfairness requires that the injury in question be substantial. We conclude that the disclosure of sensitive health or medical information causes additional harms that are neither economic nor physical in nature but are nonetheless real and substantial and thus cognizable under Section 5(n). Opinion of the Commission, In the Matter of LabMD, Inc. 40 Class Actions Most Dismissed Due to Lack of Standing The court in the related Maryland class action reached [the] same conclusion, granting the defendants motion to dismiss for lack of subject matter jurisdiction on standing grounds. It rejected the plaintiffs argument that the breach increased their risk of future harm because most courts to consider the issue have agreed that the mere loss of data without any evidence that it has been either viewed or misused does not constitute an injury sufficient to confer standing. This Court likewise concludes that Plaintiffs have not demonstrated a sufficiently substantial risk of future harm stemming from the breach to establish standing. Attias v. CareFirst, Inc., 1:2015cv00882 Document 40 (D.D.C. 2016) 41 Class Actions Some Settlements Limited Plaintiff Successes Absent Clear Damages AvMed $3 million settlement (1.2 million affected customers, claim of unjust enrichment based on premiums allegedly not going towards adequate information security) (2014) Stanford $4 million settlement (20,000 patients, settlement mostly paid by Stanford s vendors) (2014) 42 14

43 Class Actions: Welcome to California 44 Welcome to

15 Class Actions: Welcome to California You suffer a breach that affects 125,000 California residents. 43 Class Actions: Welcome to California 44 Welcome to California 125,000 x ($1,000 + $3,000 + $1,000) = $625M 45 15

16 Class Actions: Welcome to California But courts have avoided awarding damages in several California cases: In Regents of UC, court found that release requires proving that confidential nature of medical information was breached, not merely the loss of possession of the information. Similarly, in Sutter Health, court held that evidence must show that medical information was actually viewed. In Eisenhower Med. Ctr., court held that patient demographic information was not medical information. 46 QUESTIONS? 47 16

What s New with HIPAA? Policy and Enforcement Update

What s New with HIPAA? Policy and Enforcement Update HHS Office for Civil Rights New Initiatives Precision Medicine Initiative (PMI), including Access Guidance Cybersecurity Developer portal NICS Final