Post on 12-Oct-2020
Pillsbury Winthrop Shaw Pittman LLP
February 4, 2009
Pillsbury Winthrop Shaw Pittman LLP and Protiviti, Inc.
Edgar Bueno – Pillsbury
Scott LaLiberte - Protiviti
John Nicholson - Pillsbury
Health Care Privacy and Security Laws: What You Need to Know in 2009
1 | Health Care Privacy and Security Laws
Agenda
Health Care Privacy and Security: Recent Developments
HIPAA Security Rule Compliance
Medical Information Data Breaches
Health Care Privacy and Security – Key Developments
Increased Enforcement
- In 2008, the first HIPAA penalty
- Compliance reviews
“Snooping” of PHI and Curiosity Seekers
Medical Identity Theft
Focus on Business Associate Compliance
Expect Additional Guidance from HHS
Electronic Health Information Networks
Legislative Developments To Watch
Health Information Technology: Expansion of EMRs and Privacy
Is a HIPAA Re-Write Coming?
- Right to Privacy With Respect to Disclosures
- Patient Authorizations
- Notification of Breaches
- Enhanced Penalties (including for unintentional disclosures)
- Private Right of Action against Providers
- Additional Protections for Research, Drug & Alcohol History, Psychiatric Records, and HIV Status
Telemedicine and Privacy
Patient Prescription Data
How to Prepare for Legal Changes and Challenges
Review HIPAA Compliance Plans
Have a Plan Ready for Data Breaches
Enhance Protections for Access to and Storage of PHI
Watch for Updates (Including State and Consumer Protection Laws)
Review Contracts with Agents, Subcontractors, Vendors
Perform Routine Audits and Accounting of Disclosures
Check Insurance Policies
HIPAA Security Rule Compliance – an Overview and Approach
Background
Security Rule General Requirements
- Ensure the confidentiality, integrity, and availability of all electronic protected health information (PHI) the covered entity creates, receives, maintains, or transmits
- Protect against any reasonably anticipated threats or hazards to the security or integrity of such information
- Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required
- Ensure compliance by its workforce
Compliance Date – The Final Rule was published on February 20, 2003 and became enforceable on April 21, 2005.
Scope – Applies specifically to electronic protected health information
The concepts of Standards, Required and Addressable Implementation Specifications, and overall flexibility were introduced in the Final Rule
The “Reasonable and Appropriate” concept is used
The HIPAA Privacy Rule implies HIPAA security: "A covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information." The Security Rule provides the framework to immediately exercise due care related to the Privacy Rule requirement of securing both electronic and non-electronic PHI
Latest Developments
NIST has updated SP 800-66 – this is a core implementation guidance document which may provide deeper insight for emerging security issues – and released this as 800-66 Rev1 in October 2008
CMS continues to issue guidance documents (e.g. remote access guidance) – these should be considered for compliance as they may become part and parcel of future audits
The landscape will continue to evolve, especially with emerging issues and state laws regarding data breaches (e.g. expansion of CA SB 1386) and encryption of customer non-public information (MA, NV, etc.) – this places even more emphasis on the risk assessment process and overall security program integration.
Security Rule Sections
General Rules – Provide the four general requirements for covered entities and serve as the basis for subsequent sections
Administrative Safeguards – Account for over half of the Security Rule requirements and include requirements for documented policies and procedures for security management, operations, workforce clearance, access to electronic PHI, and business associate contracts
Physical Safeguards – Require documented policies and procedures to restrict physical access to facilities, electronic media, and workstations housing PHI
Technical Safeguards – Provide technical security mechanisms designed to ensure the confidentiality and integrity of PHI and require policies and procedures related to each
Organizational Requirements – Include topics of business associate agreements, business associate responsibilities, and requirements for group health plans
Policies and Procedures and Documentation Requirements – Essentially, everything listed above must be documented, made available, updated, and retained for 6 years from its creation or from the date when it was last in effect, whichever is later
Regulation Components
Standards: what must be met
Implementation specifications: how to meet it
- Required: must be implemented
- Addressable: assess whether reasonable and appropriate
  - If reasonable – implement
  - If not reasonable – document the decision, and implement an alternate measure that meets the standard
HIPAA Security Standards Matrix
[Chart: Count & Regulation Type – number of standards, required specifications and addressable specifications per section (Administrative Safeguards, Physical Safeguards, Technical Safeguards, Organizational Requirements, Policies & Procedures and Documentation Standards)]

Standard | Section | Implementation Specifications ((R) = Required, (A) = Addressable)

Administrative Safeguards
Security Management Process | 164.308(a)(1) | Risk Analysis (R); Risk Management (R); Sanction Policy (R); Information System Activity Review (R)
Assigned Security Responsibility | 164.308(a)(2) | (R)
Workforce Security | 164.308(a)(3) | Authorization and/or Supervision (A); Workforce Clearance Procedure (A); Termination Procedures (A)
Information Access Management | 164.308(a)(4) | Isolating Health Care Clearinghouse Function (R); Access Authorization (A); Access Establishment and Modification (A)
Security Awareness Training | 164.308(a)(5) | Security Reminders (A); Protection from Malicious Software (A); Log-in Monitoring (A); Password Management (A)
Security Incident Procedures | 164.308(a)(6) | Response and Reporting (R)
Contingency Plan | 164.308(a)(7) | Data Backup Plan (R); Disaster Recovery Plan (R); Emergency Recovery Plan (R); Testing and Revision Procedure (A); Applications and Data Criticality Analysis (A)
Evaluation | 164.308(a)(8) | (R)
Business Associate Contracts and Other Arrangements | 164.308(b)(1) | Written Contract or Other Arrangement (R)

Physical Safeguards
Facility Access Controls | 164.310(a)(1) | Contingency Operations (A); Facility Security Plan (A); Access Control and Validation Procedures (A); Maintenance Records (A)
Workstation Use | 164.310(b) | (R)
Workstation Security | 164.310(c) | (R)
Device and Media Controls | 164.310(d)(1) | Disposal (R); Media Re-use (R); Accountability (A); Data Backup and Storage (A)

Technical Safeguards
Access Control | 164.312(a)(1) | Unique User Identification (R); Emergency Access Procedure (R); Automatic Logoff (A); Encryption and Decryption (A)
Audit Controls | 164.312(b) | (R)
Integrity | 164.312(c)(1) | Mechanism to Authenticate Electronic PHI (A)
Person or Entity Authentication | 164.312(d) | (R)
Transmission Security | 164.312(e)(1) | Integrity Controls (A); Encryption (A)

Required vs. Addressable Specifications
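The required/addressable decision flow and the standards matrix together define a simple compliance check: every required specification must be implemented, and every addressable one must be either implemented or documented as not reasonable with an alternate measure in place. The script below is an added example (not from the presentation and not an official HHS or CMS tool) that encodes the matrix rows above as data and runs that check against a constructed evidence record; the evidence keys, the `rationale`/`alternative` field names and the sample entries are assumptions.

```python
"""Gap report against the HIPAA Security Rule standards matrix.

Added example, not part of the presentation or of any official tool. The
MATRIX rows are the standards and implementation specifications listed in the
deck's "HIPAA Security Standards Matrix"; SAMPLE_EVIDENCE is a constructed
record of what one covered entity has implemented or documented.
"""
from dataclasses import dataclass

# (section, citation, standard, "spec:R; spec:A; ...").  A standard that is
# itself the required item (no named specification) is written as ":R".
MATRIX = [
    ("Administrative", "164.308(a)(1)", "Security Management Process",
     "Risk Analysis:R; Risk Management:R; Sanction Policy:R; Information System Activity Review:R"),
    ("Administrative", "164.308(a)(2)", "Assigned Security Responsibility", ":R"),
    ("Administrative", "164.308(a)(3)", "Workforce Security",
     "Authorization and/or Supervision:A; Workforce Clearance Procedure:A; Termination Procedures:A"),
    ("Administrative", "164.308(a)(4)", "Information Access Management",
     "Isolating Health Care Clearinghouse Function:R; Access Authorization:A; Access Establishment and Modification:A"),
    ("Administrative", "164.308(a)(5)", "Security Awareness Training",
     "Security Reminders:A; Protection from Malicious Software:A; Log-in Monitoring:A; Password Management:A"),
    ("Administrative", "164.308(a)(6)", "Security Incident Procedures", "Response and Reporting:R"),
    ("Administrative", "164.308(a)(7)", "Contingency Plan",
     "Data Backup Plan:R; Disaster Recovery Plan:R; Emergency Recovery Plan:R; "
     "Testing and Revision Procedure:A; Applications and Data Criticality Analysis:A"),
    ("Administrative", "164.308(a)(8)", "Evaluation", ":R"),
    ("Administrative", "164.308(b)(1)", "Business Associate Contracts and Other Arrangements",
     "Written Contract or Other Arrangement:R"),
    ("Physical", "164.310(a)(1)", "Facility Access Controls",
     "Contingency Operations:A; Facility Security Plan:A; Access Control and Validation Procedures:A; Maintenance Records:A"),
    ("Physical", "164.310(b)", "Workstation Use", ":R"),
    ("Physical", "164.310(c)", "Workstation Security", ":R"),
    ("Physical", "164.310(d)(1)", "Device and Media Controls",
     "Disposal:R; Media Re-use:R; Accountability:A; Data Backup and Storage:A"),
    ("Technical", "164.312(a)(1)", "Access Control",
     "Unique User Identification:R; Emergency Access Procedure:R; Automatic Logoff:A; Encryption and Decryption:A"),
    ("Technical", "164.312(b)", "Audit Controls", ":R"),
    ("Technical", "164.312(c)(1)", "Integrity", "Mechanism to Authenticate Electronic PHI:A"),
    ("Technical", "164.312(d)", "Person or Entity Authentication", ":R"),
    ("Technical", "164.312(e)(1)", "Transmission Security", "Integrity Controls:A; Encryption:A"),
]


@dataclass(frozen=True)
class Spec:
    section: str
    citation: str
    standard: str
    name: str
    required: bool

    @property
    def key(self):
        return f"{self.citation} {self.name}"


def parse_matrix(rows=MATRIX):
    """Expand each matrix row into one Spec per implementation specification."""
    specs = []
    for section, citation, standard, spec_text in rows:
        for item in spec_text.split(";"):
            name, kind = item.strip().rsplit(":", 1)
            specs.append(Spec(section, citation, standard, name.strip() or standard, kind == "R"))
    return specs


SPECS = parse_matrix()


def gap_report(evidence, specs=SPECS):
    """Return (key, kind, reason) for every specification that is not satisfied.

    Required: must be implemented.  Addressable (the deck's decision flow):
    implemented, or documented as not reasonable with an alternate measure in place.
    """
    findings = []
    for spec in specs:
        ev = evidence.get(spec.key, {})
        if ev.get("implemented"):
            continue
        if spec.required:
            findings.append((spec.key, "required", "not implemented"))
        elif ev.get("rationale") and ev.get("alternative"):
            continue  # assessed, documented, alternate measure in place
        elif ev.get("rationale") or ev.get("alternative"):
            findings.append((spec.key, "addressable",
                             "assessment incomplete: needs both the documented rationale and the alternate measure"))
        else:
            findings.append((spec.key, "addressable", "no documented assessment"))
    return findings


def gaps_by_section(evidence, specs=SPECS):
    """Count open findings per Security Rule section, for a one-line status view."""
    section_of = {s.key: s.section for s in specs}
    counts = {}
    for key, _, _ in gap_report(evidence, specs):
        counts[section_of[key]] = counts.get(section_of[key], 0) + 1
    return counts


# Constructed evidence record: only the technical safeguards have been worked so far.
SAMPLE_EVIDENCE = {
    "164.312(a)(1) Unique User Identification": {"implemented": True},
    "164.312(a)(1) Emergency Access Procedure": {"implemented": True},
    "164.312(a)(1) Automatic Logoff": {
        "implemented": False,
        "rationale": "Shared clinical workstations in the ED cannot lock mid-procedure",
        "alternative": "Badge-tap session lock and privacy screens on all ED workstations"},
    "164.312(a)(1) Encryption and Decryption": {
        "implemented": False,
        "rationale": "Legacy imaging archive cannot encrypt at rest"},  # alternate measure still missing
    "164.312(b) Audit Controls": {"implemented": True},
    "164.312(d) Person or Entity Authentication": {"implemented": True},
}

if __name__ == "__main__":
    for key, kind, reason in gap_report(SAMPLE_EVIDENCE):
        print(f"{kind:11s} {key}: {reason}")
    print(gaps_by_section(SAMPLE_EVIDENCE))
```

The point the report makes visible is that an addressable specification is never optional: "Encryption and Decryption" above has a rationale but no alternate measure, so it stays open, while "Automatic Logoff" closes because both halves of the decision are documented. Swapping the evidence dictionary for an export from a GRC tool turns this into a repeatable check for the 6-year documentation retention the deck mentions.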
Major Areas/Efforts
Risk Assessment/Analysis
Develop and Document Policies & Procedures
Develop and implement security awareness training
Minimum baseline standards
Security Testing
Security patch management
Monitoring and compliance program
Audit and Logging of Access
Managing Business Partner Risks (BA agreements and Due Diligence)
More Information
CMS HIPAA Website – http://www.cms.hhs.gov/HIPAAGenInfo/
DHHS OIG Audit of CMS – http://oig.hhs.gov/oas/reports/region4/40705064.pdf
NIST HIPAA Guidance – http://csrc.nist.gov/publications/nistpubs/800-66-Rev1/SP-800-66-Revision1.pdf
HIPAA Compliance Information – http://www.hipaacomply.com/
Medical Information Data Breaches
Generally smaller than financial data breaches
Frequently due to curiosity
- Acquaintance or celebrity records accessed by curious personnel
Less malicious activity documented so far for medical ID theft
- Medical ID theft accounts for approximately 250,000 out of 8 million identity theft victims in the FTC database as of 2005 (latest FTC report)
- Best used for theft of services, BUT consider implications for future treatment of the actual patient
  - Misdiagnosis/mistreatment could lead to a claim of negligence
Data breach notification laws have inconsistent application
- Type of data
- Encrypted or not
- Residence of patients impacted
- Likelihood of misuse
Latest Data Breaches (as of 1/26/09)
Records | Date | Organization
300 | 2009-01-26 | City of Madison, Wisconsin
2,000 | 2009-01-25 | British Council
5,000 | 2009-01-24 | Abertawe Bro Morgannwg University NHS Trust
10 | 2009-01-23 | Hays Pharma
14 | 2009-01-22 | Lloyds TSB
565 | 2009-01-21 | Missouri State University
11,000 | 2009-01-20 | Kanawha-Charleston Health Department
200 | 2009-01-16 | Southwestern Oregon Community College
See http://datalossdb.org/ for daily updates.
Grady Memorial Hospital
Reported: July 2008 (http://www.ajc.com/metro/content/metro/atlanta/stories/2008/09/23/grady_data_breach.html)
Number Affected: 45
Information Breached: Included doctors' notes, medical conditions, diagnoses, documentation of medical procedures and possibly names and ages of patients.
How: Human error; the data was posted to a website.
State Data Breach Law: GA Code 10-1 §§910-911 only applies to data brokers, BUT other state laws could kick in depending on actual residency of patients whose records were accessed.
University of Iowa Hospitals & Clinics
Reported: Nov. 19, 2008 (http://www.healthimaging.com/index.php?option=com_articles&view=article&id=15146)
Number Affected: Unknown (but probably small)
Information Breached: Medical records (details not provided)
How: Unauthorized access by hospital personnel
- Probably involved acquaintances of the personnel or celebrities.
State Data Breach Law: Iowa S.F. 2308 requires businesses and government agencies to notify state residents if the unauthorized access of their computerized personal information is likely to do financial harm.
- The likelihood-of-financial-harm trigger could exempt the breach from the notice requirement.
- Other state laws could kick in depending on the actual residency of the patients whose records were accessed.
Ohio State University
Reported: Dec. 30, 2008 (http://breach.scmagazineblogs.com/2009/01/06/ohio-state-data-breach-caused-by-third-party/)
Number Affected: 18,000
Information Breached: Names and Social Security numbers, insurance group policy number, and OSU ID number (which, at that time, had the same digits as the student’s Social Security Number).
How: Information was erroneously posted on an Internet server maintained by a company that had been doing work on behalf of Ohio State.
State Data Breach Law: Ohio HB 104 requires notice where acquisition of “personal information” (which includes SSN) by the unauthorized person causes, or is reasonably believed will cause, a material risk of identity theft or other fraud to the resident.
Ohio Data Breach Law
Ohio attorney general has authority to investigate compliance, and apply civil penalties in instances where noncompliance is proved.
Penalties for failing to properly notify affected consumers within 45 days include:
- $1,000 per day for the first 60 days
- Maximum $5,000 for 60-90 days
- Maximum $10,000 per day over 90 days
Also requires the judge in any case involving noncompliance to gauge whether the delay in notification was intentional or if disclosure was made in good faith when determining the amount of the fine. Maximum fines may be levied if the person or entity is found to have acted in bad faith, and the offending entity may also be liable for the costs of the attorney general’s investigation.
Kanawha-Charleston Health Department
Reported: Jan 20, 2009 (http://wvgazette.com/News/200901200377)
Number Affected: > 14 (11,000 notified)
Information Breached: Names, social security numbers, addresses and other personal information
How: Notes handwritten by contractor at flu-shot clinic
State Data Breach Law: Applies to acquisition of unencrypted and unredacted computerized data that compromises the security or confidentiality of personal information. Unclear whether information fit definition, BUT other state laws could kick in depending on actual residency of patients whose records were accessed.
What To Do Now?
Massachusetts
New regulations require businesses holding personal information about Massachusetts residents:
- To develop a written plan and appoint an employee to manage and enforce it,
- To obtain certification from outsourcing service providers that they comply,
- To implement firewalls and encrypt information in transit and on portable devices, and
- To train employees on information security.
The regulation applies to all entities that own, license, store or maintain personal information about a resident of Massachusetts.
Sensitive personal information that is transmitted electronically or stored on laptop computers must be encrypted beginning May 1, 2009.
Information stored on other portable devices must be encrypted beginning on January 1, 2010.
What To Do Now (cont’d)
See the new HHS Report on Medical Identity Theft: http://www.hhs.gov/healthit/documents/MedIdTheftReport011509.pdf
Recommendations include:
- Role-based access for users on a “need-to-know” basis
- Audits that flag anomalies
- Stronger authentication for patient access to records to prevent unauthorized access
- Studying ways to limit use of SSNs in patient records
FTC Dec. 2008 Report on Identity Theft: http://ftc.gov/os/2008/12/P075414ssnreport.pdf
Recommendations include:
- Improve consumer authentication where SSNs are used
- Restrict public display and transmission of SSNs
- Establish national standards for data protection and breach notification
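The HHS recommendation for audits that flag anomalies is the control that catches the access pattern this deck keeps returning to: personnel viewing acquaintance or celebrity records out of curiosity (the "snooping" cases, and the University of Iowa incident). It is also how the Security Rule's required Information System Activity Review and Audit Controls get exercised in practice. The script below is an added example, not from the presentation and not any EHR vendor's audit feature; it reviews a constructed chart-access log against a constructed roster, patient census and need-to-know relationship table, all of which are assumptions, and produces alerts for a human reviewer.

```python
"""Anomaly review of an EHR chart-access log.

Added example, not from the presentation and not any vendor's audit feature.
It implements the "audits that flag anomalies" recommendation for the access
patterns the deck describes (curiosity views of acquaintance or celebrity
records). The log lines, user roster, patient census, care relationships and
browsing threshold are all constructed.
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r"(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) unit=(?P<unit>\S+) "
    r"patient=(?P<patient>\S+) action=(?P<action>\S+)")

# Constructed chart-access log (one line per record view).
ACCESS_LOG = """\
2009-01-20T08:02:11 user=rlee role=nurse unit=ICU patient=P1001 action=view
2009-01-20T08:05:40 user=rlee role=nurse unit=ICU patient=P1002 action=view
2009-01-20T12:31:07 user=tsmith role=clerk unit=BILLING patient=P2001 action=view
2009-01-20T12:32:55 user=tsmith role=clerk unit=BILLING patient=P3001 action=view
2009-01-20T12:33:10 user=tsmith role=clerk unit=BILLING patient=P3002 action=view
2009-01-20T12:33:41 user=tsmith role=clerk unit=BILLING patient=P3003 action=view
2009-01-20T19:45:02 user=mgarcia role=nurse unit=ONC patient=P1001 action=view
2009-01-20T22:10:19 user=jkim role=physician unit=ED patient=P3001 action=break_glass
"""

# Constructed reference data an audit job would pull from HR and the EHR.
USERS = {"rlee": "Lee", "tsmith": "Smith", "mgarcia": "Garcia", "jkim": "Kim"}  # user -> surname
PATIENTS = {"P1001": "Garcia", "P1002": "Nguyen", "P2001": "Brown",
            "P3001": "Okafor", "P3002": "Patel", "P3003": "Rivera"}          # patient -> surname
RELATIONSHIPS = {("rlee", "P1001"), ("rlee", "P1002"), ("tsmith", "P2001")}  # need-to-know: assignment or work item
VIP = {"P3001"}                                                              # records under heightened review


def parse_log(text):
    """Parse the key=value lines; malformed lines are skipped (a real job would count them)."""
    events = []
    for line in text.splitlines():
        match = LOG_RE.match(line.strip())
        if match:
            events.append(match.groupdict())
    return events


def review(log_text, users, patients, relationships, vip, browse_threshold=3):
    """Return one alert per suspicious event, plus one per user with a browsing pattern."""
    alerts = []
    unrelated = defaultdict(set)  # user -> patients viewed with no relationship on record
    for ev in parse_log(log_text):
        user, patient = ev["user"], ev["patient"]
        reasons = []
        if ev["action"] == "break_glass":
            # Emergency Access Procedure: permitted, but every use gets a human review.
            reasons.append("emergency access used; review the documented justification")
        elif (user, patient) not in relationships:
            reasons.append("no care or billing relationship on record")
            unrelated[user].add(patient)
        if users.get(user) and users[user] == patients.get(patient):
            reasons.append("same surname as patient (possible family or self lookup)")
        if reasons:
            alerts.append({"ts": ev["ts"], "user": user, "patient": patient,
                           "severity": "high" if patient in vip else "medium",
                           "reasons": reasons})
    for user, pts in unrelated.items():
        if len(pts) >= browse_threshold:
            alerts.append({"ts": None, "user": user, "patient": None, "severity": "high",
                           "reasons": [f"viewed {len(pts)} unrelated records in the period (browsing pattern)"]})
    return alerts


def summarize(alerts):
    """Alerts per user, the list a privacy officer works through first."""
    counts = defaultdict(int)
    for alert in alerts:
        counts[alert["user"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for alert in review(ACCESS_LOG, USERS, PATIENTS, RELATIONSHIPS, VIP):
        print(alert["severity"], alert["user"], alert["patient"], "; ".join(alert["reasons"]))
    print(summarize(review(ACCESS_LOG, USERS, PATIENTS, RELATIONSHIPS, VIP)))
```

Three signals do the work: a view with no care or billing relationship (the need-to-know test from the role-based access recommendation), a surname match between employee and patient (the acquaintance case), and a count of unrelated records per user (the browsing pattern that distinguishes a single mis-click from curiosity). Emergency access is not treated as an anomaly but is always listed, because the Security Rule's Emergency Access Procedure only works if every use is reviewed afterwards. In the constructed log the billing clerk tsmith is flagged four times and the nurse mgarcia once for viewing a patient who shares her surname.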
Contacts
Edgar Bueno, Sr. Associate
Pillsbury Winthrop Shaw Pittman LLP
1650 Tysons Blvd.
McLean, VA 22102-4856
703-770-7709
edgar.bueno@pillsburylaw.com

John Nicholson, Counsel
Pillsbury Winthrop Shaw Pittman LLP
2300 N Street, NW
Washington, DC 20037-1122
202-663-8269
john.nicholson@pillsburylaw.com

Scott LaLiberte, Managing Director
Protiviti, Inc.
50 S. 16th St. #2900
Philadelphia, PA 19102
267-256-8825
scott.laliberte@protiviti.com