Core Elements of HIPAA
- The Privacy Rule establishes individuals' privacy rights and addresses the use and disclosure of protected health information (PHI) by covered entities and business associates.
- The Security Rule establishes requirements for protecting electronic PHI (ePHI).
- The Breach Notification Rule requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured PHI.
- The Enforcement Rule establishes both civil monetary penalties and federal criminal penalties for the knowing use or disclosure of PHI in violation of HIPAA.
Omnibus Final Rule
- The original HIPAA Final Rule was issued in 2002 and became effective in 2003.
- On January 17, 2013, HHS released the Omnibus Final Rule (Final Rule) interpreting and implementing provisions of the HITECH Act of 2009.
- The Final Rule expanded direct regulation to Business Associates and their subcontractors.
HIPAA HAT TRICK: SUMMER 2016
- On July 18, OCR announced that Oregon Health & Science University (OHSU) agreed to pay $2.7 million and enter into a three-year comprehensive corrective action plan as part of a settlement following OCR's investigation of OHSU's compliance with the HIPAA Security Rule. OHSU had submitted multiple reports of HIPAA breaches involving the unsecured protected health information (PHI) of thousands of individuals. Two of the breaches involved unencrypted laptops, and the third involved a stolen, unencrypted thumb drive.
- On July 21, OCR announced a similar settlement with the University of Mississippi Medical Center (UMMC) for $2.75 million. UMMC was investigated after it reported a HIPAA breach involving a stolen laptop containing ePHI.
- On August 4, OCR announced that it had entered into the largest ever settlement of HIPAA claims with Advocate Health Care Network (Advocate). Advocate agreed to pay $5.55 million, due in part to the extent and duration of Advocate's alleged noncompliance and the large number of individuals whose PHI was affected. Advocate's HIPAA compliance was investigated after it reported three separate HIPAA breaches involving its subsidiary, Advocate Medical Group, affecting approximately 4 million individuals. OCR reports that Advocate failed to conduct accurate and thorough risk assessments, implement appropriate security policies and procedures, enter into written business associate agreements to protect ePHI, and reasonably safeguard an unencrypted laptop that was left in an unlocked car.
After the Omnibus Final Rule, Who Is Required to Protect PHI?
- HIPAA Covered Entity: a health care provider, health plan, or health care clearinghouse (billing services).
- Business Associate: an individual or entity that provides services on behalf of the Covered Entity or another Business Associate, where those services require the entity to create, receive, maintain, or transmit protected health information (PHI). Includes subcontractors.
Who Is NOT a Covered Entity?
- Employers are not Covered Entities, but they must make sure their group health plans are in compliance.
- Strict rules govern the flow of health information between the company (including its subsidiaries) and the group health plan it sponsors.
European Union Data Security
- Security law (cyber attacks, cyber security)
- Personal data protection (fundamental right + secondary law)
- Confidentiality of electronic communications (fundamental right + secondary law)
- Civil liability
- Specific regulations (lawyers, banks, medical professions, etc.)
- Contractual protections: SLAs, NDAs, IT contracts (cloud, etc.), etc.
McGuireWoods 23
From Data Protection to Data Security
- Growing importance of data protection: the number of databases containing personal data, the value of personal data, and civil liability (GDPR: up to 20.000.000 or 4 % of annual turnover)
- Actors:
  - Data subject: an identified or identifiable natural person
  - Controller: the person that determines the purposes and means of the processing of personal data
  - Processor: the person that processes personal data on behalf of the controller
  - Personal data: any information relating to an identified or identifiable natural person
From Data Protection to Data Security
- Main duties of the controller: implementation of security measures; notification of security breaches?
- Security measures: "the controller must implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing. Having regard to the state of the art and the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected." (art. 17 of Directive 95/46; see also art. 4 of Directive 2002/58)
From Data Protection to Data Security (cont.)
- Data security: availability, integrity, confidentiality
- Security breaches: "personal data breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed (art. 2(i) of Directive 2002/58; see also art. 32 GDPR)
  Examples: a lost laptop or mobile device, an intrusion into a database, data read over someone's shoulder
From Data Protection to Data Security (cont.)
- Duty of notification:
  - Duty under the E-Privacy Directive
  - Duty under the GDPR
  - Standard of care under Directive 95/46 + specific national laws (Norway, Germany, Austria, Denmark, Republic of Ireland, UK, Spain)
- Civil liability vis-à-vis data subjects
From Data Protection to Data Security (cont.)
- Duty of notification:
  - To whom? The competent national authority; the data subjects
  - Deadlines? Without undue delay
- Sanctions: fines + civil liability (draft GDPR: up to 20.000.000 or 4 % of annual turnover)