
Security & Privacy Topics to Watch in 2016

Kirk J. Nahra Wiley Rein LLP

Washington, D.C. 202.719.7335 [email protected] @kirkjnahrawork

(April 27, 2016)


My Presentation

•   Address some of the key hot topics for privacy and security in 2016
•   Start with “inside HIPAA” issues
•   Move to issues that are “partially HIPAA,” even if driven by other rules/laws
•   And then conclude with what’s “next to” HIPAA

Page 2

Inside HIPAA - Enforcement

•   Remember the HHS OCR overall approach
•   Many thousands of complaints, limited official enforcement actions on privacy or security.
•   Hundreds of complaints referred to DOJ for criminal investigation
•   “Our first approach to dealing with any complaint is to work for voluntary compliance. So far it's worked out pretty well." - (former) OCR Head

Page 3

Enforcement – HITECH

•   Expectation of new attitude from the new Administration
•   Much higher penalties
•   New authority for State AGs
•   Criminal sanctions available against employees
•   But not much new yet

Page 4

Enforcement Issues – Criminal

•   The Gibson case
•   Hospice employee stole patient info, used it to establish fake credit cards

Page 5

Enforcement Issues – Criminal

•   Lots of cases involving insiders misusing data (not just an issue in health care)
•   Celebrities, friends/family, non-friends
•   Identity theft and health care fraud
•   Selling records to plaintiffs’ personal injury lawyers

Page 6

Enforcement Issues – Civil

•   $4.3 million penalty against Cignet Health Care in Maryland

•   An enormous penalty, related to access violations AND a failure to cooperate with the investigation

•   From published documents, Cignet (a) did not take its HIPAA responsibilities seriously AND (b) completely blew off the government investigation.

•   Advice – don’t do that.

Page 7

Inside HIPAA - OCR Enforcement Changes

•   Despite press reports every time there is a new case, no meaningful increase to date

•   Investigations are more thorough and more burdensome

•   Increasing pressure to do more on both audits and investigations

•   Still generally very reasonable

Page 8

Enforcement

•   Cases involving significant failures of compliance

•   Cases involving repeated and/or uncorrected problems

•   Particularly “noticeable” problems
•   High impact cases (?)

Page 9

Recent Cases

•   Feinstein Institute for Medical Research agreed to pay Office for Civil Rights (OCR) $3.9 million for security problems in research context

•   North Memorial Health Care of Minnesota agreed to pay $1,550,000 to settle charges that it potentially violated HIPAA Privacy and Security Rules by failing to enter into a BAA with a major contractor and failing to institute an organization-wide risk analysis to address the risks and vulnerabilities to its patient information.

•   Two big cases, on back to back days (old incidents)
•   Security failures are driving these settlements

Page 10

Enforcement

•   There is pressure to do more
•   Note – Many of the biggest breaches have not resulted in enforcement (yet)
•   Remember – A security breach does not mean a HIPAA violation
•   How does the FTC fit into any enforcement pressure?

Page 11

Breaches

•   Too many breaches dealing with health care data
•   Unclear if there are really “more” breaches, but some clearly involve more records
•   A “breach” does not mean the law was violated – most reported breaches have not resulted in penalties or enforcement
•   Compliance Tip – Make sure employees know where to go fast if there is a problem

Page 12

Enforcement - Business Associates

•   Now subject to full HIPAA enforcement regime
•   Many BAs are not in reasonable compliance with HIPAA Security Rule, particularly on documentation
•   Is it fair to think they would be?
•   Little consistency across BA universe – compare your PBM to a local document shredder or small consulting firm

Page 13

Business Associates

•   No real enforcement involving business associates yet

•   A real challenge for OCR – how to treat companies who deal with much more than health care

•   And the enormous range of size/sophistication of these entities

•   Enormous variations in actual contact with PHI

Page 14

HIPAA Security Compliance

•   Keep in mind how compliance with the HIPAA Security Rule works
•   Risk assessment and risk management, along with policies and procedures
•   Good security practices as a separate idea
•   Appropriate mitigation and risk assessment for potential security breaches

Page 15

HIPAA Compliance/Investigations

•   Historically, HHS OCR has been very reasonable

•   HOWEVER, primary difficulty with security breaches is that you are defending your practices after something has gone wrong

•   Doesn’t mean you can’t do it, just a tougher burden

•   This is where a company’s history and mitigation matters a lot

Page 16

HIPAA Compliance/Investigations

•   HHS OCR investigations typically will trail substantially behind everything else
•   Publicity, notification decisions, lawsuits
•   Many of the most prominent security breaches in the healthcare industry have never resulted in an HHS penalty or settlement
•   How much of the notice rule is “shame” or pressure to have better practices to avoid notice?

Page 17

HIPAA Compliance/CyberSecurity

•   Also keep in mind that the HIPAA Security Rule focuses on PHI – data about patients or insureds

•   Cybersecurity focuses on this data PLUS all the other data that you have and how your system works with others in the system

•   So, in theory, you should have strong cyber practices if you comply with HIPAA and ensure that the HIPAA approach covers all of your activities.

•   But lots of new activities and pressures in this area

Page 18

HIPAA Compliance/Investigations

Expect:

•   Significant pressure to implement “tougher” security standards
•   Real pressure for broader encryption
•   Enforcement and adverse notice publicity to put real pressure on better practices
•   Both CEs and BAs have exposure in this area.
•   Pay close attention to problems faced by others – through enforcement, media reports and otherwise.

Page 19

Enforcement – Audits

•   Will we finally see the Phase 2 audit program in 2016? (Yes)
•   What is the goal of this program? (Not clear)
•   We can expect that covered entities will do reasonably well on the Privacy Rule and not as well (and maybe badly) on the Security Rule
•   BAs – if included – likely will be bad at all of it.

Page 20

Partially HIPAA

•   Potential new legislation – 21st Century Cures
•   Major legislation, with small number of privacy provisions (receiving almost no attention)
•   Current provisions could dramatically change research rules
•   Also could allow pharma to buy PHI for “research” or “public health” without payment limits
•   Will this open up HIPAA again?

Page 22

Next to HIPAA

•   What is “outside” of HIPAA is growing
•   Web sites gather and distribute healthcare information - ranging from commercial web sites (e.g., Web MD) to patient support groups.
•   Significant expansion of mobile applications directed to healthcare data or offered in connection with health information
•   “Wearables”

Page 23

More “next generation” issues

•   An emerging (and related) issue - bringing “outside” HIPAA information “inside” HIPAA

•   CEs are gathering all kinds of data about their patients/customers/insureds from outside the health care system and using it for “health care purposes”

Page 24

Recent Headlines

•   Bloomberg - “You may soon get a call from your doctor if you’ve let your gym membership lapse, made a habit of picking up candy bars at the check-out counter or begin shopping at plus-sized stores.”

•   New York Times - Health plan prediction models using consumer data from data brokers (e.g., income, marital status, number of cars), to predict emergency room use and urgent care.

•   Fortune - Employers Are Quietly Using Big Data to Track Employee Pregnancies.

Page 25

What’s Next?

•   The debate about “non-HIPAA” healthcare data is not going away

•   Lots of pressure from many fronts to “do something” about this non-HIPAA health care data

•   There is too much data being used by too many people in too many risky contexts

•   Therefore . . .

Page 26

Tentative Predictions

3 Main Options

•   Something specific for this non-HIPAA health care data
•   Something that covers all health care data (a “general” HIPAA)
•   A broader overall privacy law (with or without a HIPAA carve-out)

Page 27

De-Identification Issues

•   Lots of discussion and debate about the de-identification standards

•   Some guidance has been issued, with more likely to come

•   Lots of publicity about “re-identification” concerns, but no situation where HIPAA de-identified data has been re-identified

Page 28

De-Identification Issues

•   HIPAA standard remains the “gold standard” in terms of detail and effectiveness

•   Growth in “non-HIPAA” health care data presents significant complications for de-identification standards

•   Growing ability to gather and analyze data from broader variety of sources

•   Ongoing challenges to ensure appropriate de-identification with differing data standards

Page 29

De-Identification Issues

•   Should the de-identification rules change?
•   Have the principles kept pace with technology? (A key but somewhat disingenuous issue for “privacy advocates”)
•   Is it “too easy” to re-identify individuals?
•   How does “big data” affect de-identification or re-identification?
•   Compliance Challenge – How is this issue relevant to your company?
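To make the de-identification and re-identification questions on these slides concrete, here is an added example that is not part of the presentation. It applies a Safe Harbor style scrub to the quasi-identifiers the HIPAA rule singles out (ZIP codes cut to three digits, dates reduced to the year, ages over 89 collapsed to a single "90+" bucket) and then measures k-anonymity, the size of the smallest group of records that share the same quasi-identifier values, before and after. The patient records, the table of small-population ZIP3 prefixes and all function names are constructed for this example; a real implementation would take the ZIP3 population test from census data, and k-anonymity is used here only as a measurement, it is not part of the rule.

```python
"""Safe Harbor style de-identification with a k-anonymity check.

Added illustration, not from the presentation. The records, the small-ZIP3
table and every function name here are constructed for the example.
"""
from collections import Counter
from datetime import date

# Direct identifiers that Safe Harbor removes outright (a subset of the 18).
DIRECT_IDENTIFIERS = {"name", "mrn", "phone", "email"}

# Assumption for the example: ZIP3 prefixes whose combined population is
# 20,000 or fewer. The rule requires these to be reported as "000"; a real
# implementation derives this set from census data.
SMALL_ZIP3 = {"036", "059", "102"}

# Constructed patient records (no real people). Every record is unique on
# (zip, dob, sex), which is the classic linkage-attack key.
RECORDS = [
    {"name": "Patient A", "mrn": "1001", "zip": "20005", "sex": "F",
     "dob": date(1970, 3, 4), "admitted": date(2016, 1, 12), "dx": "E11.9"},
    {"name": "Patient B", "mrn": "1002", "zip": "20009", "sex": "F",
     "dob": date(1970, 11, 22), "admitted": date(2016, 2, 3), "dx": "I10"},
    {"name": "Patient C", "mrn": "1003", "zip": "20010", "sex": "M",
     "dob": date(1958, 6, 30), "admitted": date(2016, 2, 14), "dx": "J45"},
    {"name": "Patient D", "mrn": "1004", "zip": "20001", "sex": "M",
     "dob": date(1958, 1, 15), "admitted": date(2016, 3, 1), "dx": "E11.9"},
    {"name": "Patient E", "mrn": "1005", "zip": "03601", "sex": "F",
     "dob": date(1924, 5, 9), "admitted": date(2016, 3, 20), "dx": "I50.9"},
    {"name": "Patient F", "mrn": "1006", "zip": "03602", "sex": "F",
     "dob": date(1923, 12, 1), "admitted": date(2016, 4, 2), "dx": "N18.3"},
]


def safe_harbor(record, as_of=date(2016, 4, 27)):
    """Return a de-identified copy of one record (Safe Harbor style)."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue                     # names, MRNs, phone, email: removed
        if field == "zip":
            zip3 = str(value)[:3]        # geography: at most ZIP3 ...
            out["zip3"] = "000" if zip3 in SMALL_ZIP3 else zip3  # ... or 000
        elif isinstance(value, date):
            out[field + "_year"] = value.year   # dates: year only
        else:
            out[field] = value           # clinical fields are kept
    # Ages over 89, and any date element that would reveal such an age,
    # collapse into a single "90 or older" category.
    dob = record["dob"]
    age = as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))
    if age > 89:
        out["age"] = "90+"
        out.pop("dob_year", None)
    return out


def deidentify_all(records=RECORDS):
    return [safe_harbor(r) for r in records]


def k_anonymity(records, quasi_ids):
    """Size of the smallest equivalence class over the quasi-identifier tuple.

    k == 1 means at least one person is unique on those attributes, i.e. a
    linkage against any outside dataset carrying the same fields would
    single them out.
    """
    if not records:
        return 0
    counts = Counter(tuple(r.get(q) for q in quasi_ids) for r in records)
    return min(counts.values())


if __name__ == "__main__":
    before = k_anonymity(RECORDS, ("zip", "dob", "sex"))
    after = k_anonymity(deidentify_all(), ("zip3", "dob_year", "sex", "age"))
    print(f"k on (zip, dob, sex) before = {before}, after Safe Harbor = {after}")
```

On these constructed records every patient is unique on full ZIP, birth date and sex (k = 1), and after generalization no combination of the remaining quasi-identifiers describes fewer than two people (k = 2). That is the effect the "too easy to re-identify" debate is about: Safe Harbor removes exactly the fields that make linkage cheap, and a covered entity still has to have no actual knowledge that what remains could identify someone. Expert Determination, the rule's other path, is a statistical judgement rather than a fixed field list and is not shown here.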

Page 30

Breach Litigation

•   More and more cases being brought after breaches

•   Plaintiffs’ class action bar is not letting this issue go

•   But they are facing ongoing challenges in making these cases stick

•   “Standing” and actual injury are real sticking points

Page 31

Smith v. Chase Manhattan Bank

•   Facts of the case
•   What do you think of the result?
•   Why are we talking about this case?
•   “The ‘harm’ at the heart of this purported class action is that class members were merely offered products and services which they were free to decline. This does not qualify as actual harm.”

Page 32

Maglio v. Advocate Health and Hospitals Corporation

•   Facts of the case
•   For the healthcare industry, what are the key issues here?
•   Relevance of allegation that “hospital failed to meet its obligation to abide by the best practices and industry standards concerning the security of personal information and the computers associated therewith.”

Page 33

Maglio v. Advocate Health and Hospitals Corporation

•   “Plaintiffs did not allege that their personal information was used in any unauthorized manner as a result of the burglary, but they claimed that they face an increased risk of identity theft and/or identity fraud.”

•   Implications of this decision for health care companies (and others)

•   Relevance of HIPAA to this case?

Page 34

Maglio v. Advocate Health and Hospitals Corporation

•   “plaintiffs’ allegations of injury are clearly speculative, and therefore plaintiffs lack standing to bring suit. Their claims that they face an increased risk of, for example, identity theft are purely speculative and conclusory, as no such identity theft has occurred to any of the plaintiffs. Thus, their allegations fail to show a distinct and palpable injury.”

Page 35

Maglio v. Advocate Health and Hospitals Corporation

•   Plaintiffs further argue that the medical information at issue here warrants a finding that the harm is implicit. They urge that an actual injury occurs when a medical professional fails to keep a patient’s medical information private. Such information is, they assert, inherently personal and particularized to the individual. We reject plaintiffs’ argument.

Page 36

Northwestern Memorial Hospital v. John Ashcroft

•   Facts of the case
•   Discussion of the HIPAA standard for subpoenas
•   What do you think of the result?

Page 37

Northwestern Memorial Hospital v. John Ashcroft

•   “even if there were no possibility that a patient’s identity might be learned from a redacted medical record, there would be an invasion of privacy.”

Page 38

Questions?

For further information, contact:

•   Kirk J. Nahra
Wiley Rein LLP
202.719.7335
[email protected]
@kirkjnahrawork

•   Subscribe (for free) to Privacy in Focus - http://www.wileyrein.com/publications.cfm?sp=newsletters

Page 39