HIPAA & HITECH Privacy and Security Concerns : Are You Covered?
Insurance Accounting and Systems Association Chicagoland Chapter Conference
April 17, 2014
Colin Gainer & Tim Lessman SmithAmundsen, LLC
HIPAA
Privacy and Security
• Health Insurance Portability and Accountability Act of 1996
• HIPAA created and implemented standards for the use and dissemination of health care information.
• The Privacy Rule and Security Rule are sets of regulations for “administrative simplification” which were promulgated in order to carry out the requirements set
Privacy Rule
The Privacy Rule regulates the use and disclosure of individuals’ health information, called protected health information (“PHI”).
Security Rule
The Security Rule sets standards for ensuring that only individuals with clearance to work with electronic protected health information (“e-PHI”) have access to such information.
• Privacy Rule applies to all forms of patients’ protected health information
• Security Rule covers protected health information in electronic form
• Both rules stress the need to maintain “administrative”, “physical”, and “technical” safeguards when working with any form of protected health information.
Under HIPAA and HITECH
• Covered Entity (CE):
–Health plan
–Healthcare Clearinghouse
–Healthcare Provider
What is a Covered Entity
• A Health Care Provider – this includes providers such as: hospitals, doctors, clinics, psychologists, dentists, chiropractors, nursing homes, pharmacies
• A Health Plan – this includes: health insurance companies, HMOs, company health plans, government programs that pay for health care, such as Medicare, Medicaid, and the military and veterans health care programs
• A Health Care Clearinghouse – this includes entities that process nonstandard health information they receive from another entity into a standard (i.e., standard electronic format or data content), or vice versa.
Who is a Business Associate of a Covered Entity
Under HIPAA
• Business Associate (BA) is a person/entity who:
– Performs or assists with a function or activity involving individually identifiable information
Business Associate Examples
• Law firms
• Accountants
• Information technology companies
• Billing services
What is HITECH?
• The American Recovery and Reinvestment Act of 2009 (“ARRA”) included legislation, commonly referred to as Health Information Technology for Economic and Clinical
Final Rule
• On January 17, 2013, the Department of Health and Human Services issued long-awaited final regulations implementing the privacy, security, and breach-notification provisions of the HITECH
• Effective September 23, 2013
• The regulations amend the HIPAA Privacy, Security, and Enforcement Rules and finalize a modified HIPAA Breach Notification Rule, which has been in effect on an interim basis since 2009.
HITECH on HIPAA
• Creates new privacy and security requirements for HIPAA covered entities & their business associates
– New accounting, disclosure, and breach requirements
– New restrictions on marketing & fundraising
– Increased penalties
Expansion of Business Associate
• Business Associate defined to include:
• Patient Safety Organizations
• Health Information Organizations, E-prescribing gateways
Subcontractors
• Downstream entities that work at the direction of or on behalf of a BA
• Does not require CE to have a contract with the subcontractor (BA does)
Subcontractors
• BA required to obtain written “satisfactory assurances” from its immediate subcontractor (Sub BAA).
• Responsible for compliance with the business associate requirements under the Security and Privacy Rules, even if the parties failed to enter into a written
Expansion of Business Associate
• Entities that maintain PHI
– Document destruction
– ePHI vendors
– Storage vendors
– Cloud storage
• Test is persistence of custody, not the degree of access
The Big Change for Business Associates
The Business Associate before HITECH
• Originally, “the provisions of HIPAA only applied to a business associate through a contractually created relationship with a covered entity.”
• Before HITECH the only remedy available to a covered entity for a business associate’s violation of HIPAA was one of general contract law.
The Business Associate after HITECH
• HITECH creates a direct legal obligation on a business associate in both the application of the HIPAA requirements and the penalties associated with a violation.
• BA may be liable not only to the CE in the case of breach of security or privacy, but to the patient as well through HIPAA.
• BA subject to Civil and Criminal penalties under HIPAA
• Potentially subject to mandatory compliance audits by Secretary of HHS
BA Obligations
• Limit uses and disclosures to what is permitted under the Privacy Rule
– This specifically includes compliance with the minimum necessary standards;
• Provide breach notification to the covered entity;
• Provide a copy of electronic PHI to either the covered entity or individual
• Disclose PHI to the Secretary in an investigation
• Provide an accounting of disclosures*
HIPAA’s and HITECH’s Impact on Identifiable Health Information
PHI and E-PHI Content
• Individually identifiable health information contains demographic information collected from an individual.
• Is created or received by a CE
• Relates to past, present, or future health condition of the individual; the provision of health care to the individual; or past, present, or future payment for the provision of health care to the individual
Elements of PHI
• Names
• Geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code
• Elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death
• Telephone and Fax numbers
• E-mail address
• Social security numbers
• Medical record numbers
• Account numbers
• Certificate/license numbers
• Vehicle identifiers and serial numbers, including license plate numbers
• Web Universal Resource Locators (URLs)
• Internet Protocol (IP) address numbers
• Biometric identifiers, including finger and voice prints
• Full face photographic images and any comparable images
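The identifier list above is what a data-classification or DLP check has to look for before a record can be treated as de-identified. As an added example that is not part of the slides, the following Python scans a constructed (not real) patient record for the identifier classes that have a fixed textual shape; names, biometrics and photographs have no such shape and are deliberately left to a separate check.

```python
import re
from typing import Dict, List

# Constructed sample record (fictional data) used to exercise the scanner.
SAMPLE_RECORD = """Patient: Jane Q. Sample, MRN 00-123456
DOB: 03/14/1962, admitted 2014-04-01
Home: 1200 Example St, Springfield, zip 62704
Phone: (217) 555-0134  Fax: 217-555-0199
Email: jane.sample@example.com
Portal: https://portal.example.org/records/123456
Last login from 203.0.113.45"""

# Patterns for the identifier classes in the deck's list that can be matched
# by shape. Names, biometric identifiers and face images are not matched
# here: they need dictionary/ML or file-type checks, not a regex.
PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone_or_fax": re.compile(r"(?:\(\d{3}\)\s?|\b\d{3}-)\d{3}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "url": re.compile(r"\bhttps?://\S+"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "zip": re.compile(r"\bzip\s*\d{5}(?:-\d{4})?\b", re.I),
    # Full dates (month/day present) count; a bare year would not.
    "date_full": re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{4}|\d{4}-\d{2}-\d{2})\b"),
    "mrn": re.compile(r"\bMRN\s*[\w-]+", re.I),
}


def find_identifiers(text: str) -> Dict[str, List[str]]:
    """Return each detectable identifier class present in text with its matches."""
    found: Dict[str, List[str]] = {}
    for name, pattern in PATTERNS.items():
        hits = [m.group(0) for m in pattern.finditer(text)]
        if hits:
            found[name] = hits
    return found


def is_safe_harbor_candidate(text: str) -> bool:
    """True only when none of the pattern-detectable classes appear.

    A True result is necessary, not sufficient: names, biometrics and images
    still need their own check, and a reviewer must still confirm there is no
    residual re-identification risk before the record is treated as de-identified.
    """
    return not find_identifiers(text)


if __name__ == "__main__":
    for cls, values in find_identifiers(SAMPLE_RECORD).items():
        print(f"{cls:14s} {values}")
    print("safe harbor candidate:", is_safe_harbor_candidate(SAMPLE_RECORD))
```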
Secured Information
• Unsecured protected health information is … protected health information that is not secured through a technology or methodology specified in guidance by HHS. - 45 C.F.R. § 164.402.
• Electronic protected health information may be secured by encryption or workstation security for example.
• Paper protected health information can be secured by destruction or proper storage for example.
Securing PHI and E-PHI
– Automatic log out
– Password protected log on
– Procedures in place for guarding against viruses, Trojan horses, worms, etc.
– Limit access to E-PHI internally
– Verify terminated employees/agents no longer have electronic access
– Increase use of shredders (bins) on daily basis and at time of purging closed files
– Monitor or control areas where PHI is used
– Immediately account for and report lost: iPhone, laptop, disks, files, etc.
Breaches
Breach Reporting
• HITECH requires every covered entity to notify a person when there has been a “breach” of that person’s PHI and to notify HHS
• Under HITECH, a business associate is required to notify the covered entity of any breach of confidentiality of PHI acquired from the covered entity
Old Breach Definition
“Breach” meant the acquisition, access, use, or disclosure of [PHI] in a manner not authorized under [HIPAA] which compromises the security or privacy of such information
Old Definition
“compromises the security or privacy” meant a result of: “significant risk of financial, reputational, or other harm to the individual.”
Final Rule Change
• Replaces the breach notification rule’s “harm” threshold with a more objective standard.
• Breach is any breach UNLESS you can demonstrate that there is a LOW PROBABILITY that the PHI has been compromised.
Reporting
Within 60 days of the discovery of a breach, a covered entity must provide notice via first class mail to the affected person’s last known
In any case in which more than 500 persons are affected by a breach, the covered entity must provide notice to major local media outlets
What must the notice include?
• A description of what happened
• Date
• Types of information involved
• Steps the person should take to protect
• Description of covered entity's investigation & mitigation efforts
• Contact information
• *Toll free number for web/print/broadcast notice
Business Associate Breach Notification Rule
• Business associate must notify the covered entity
• A business associate must provide notice to the covered entity within 60 days (check BAA).
• Provide CE with:
– the identification of each individual
– any information required to be provided by the CE in its notification to affected individuals.
Additional BA Requirements
• Must report to CE if BA knows of a “pattern of activity or practice” by CE that constitutes a material breach of BAA
• BA must take steps to cure the breach OR:
– Terminate arrangement
– Report to HHS
Breaches
• Every breach carries with it the potential for OCR enforcement and civil penalties, regardless of the size, circumstances, or response of the responsible entity
Penalties
• Prior to HITECH
– No more than $100 for each and up to $25,000
– Also allowed for “ignorance of the law” defense
Penalties
HITECH:
• Tiered approach
– Unaware even through due diligence:
• $100-$50,000 per occurrence / $1.5 mil aggregate
– Caused but not from willful neglect:
• $1,000-$50,000 per occurrence / $1.5 mil aggregate
– Willful neglect, corrected in 30 days:
• $10,000-$50,000 per occurrence / $1.5 mil aggregate
– Willful neglect, not corrected:
OCR Penalties
• Alaska Medicaid Agency
– $1.7 million over PHI of 501 individuals
• BCBS of Tennessee
Other Violation Examples
• OCR imposed $4.3 million penalty on Cignet Health of Prince George’s County, MD
– $1.3 million was imposed on the basis that Cignet had denied 41 patients access to their medical records.
– An additional $3.0 million was imposed because Cignet failed to cooperate with OCR’s investigations on a continuing basis from March 17, 2009 to April 7, 2010.
• Massachusetts General Physicians Organization Inc. (Mass General) agreed to pay $1,000,000
– Incident involved the loss of PHI of 192 patients of Mass General’s Infectious Disease Associates outpatient practice, including patients with HIV/AIDS.
• University of California at Los Angeles Health System agreed to settle for $865,500
– Investigation stemmed from complaint of employees viewing records of two separate celebrity patients
OCR and HHS
• Breaches involving 500 or more individuals made up less than one percent of reports,
– BUT accounted for more than 99 percent of the more than 7.5 million individuals who were affected by a breach of their protected health information
• The largest breaches occurred as a result of theft
• Greatest number of reported incidents:
– Small breaches involving human or technological error
– Most commonly involved the protected health information of just one or two individuals
Trends
• Investigated most
– Impermissible use and disclosure of PHI
– Lack of safeguards on PHI
– Lack of patient access
– Violating minimum necessary rule
– Lack of admin safeguards on E-PHI
Who is Being Affected
Top 5:
• Private Practices
• General Hospitals
• Outpatient Facilities
• Health Plans
• Pharmacies
HIPAA Audits under HITECH
Section 13411 of the HITECH Act requires Dept. of Health and Human Services (HHS) to provide for periodic audits to ensure covered entities and business associates are complying with the HIPAA Privacy and Security Rules and Breach Notification standards.
HIPAA Audits under HITECH
HHS was left with the task of developing and implementing an audit program that carries out the mandate under HITECH
Office of Civil Rights (OCR), through HHS, is overseeing the audit process
Audit Protocol
Currently 169 activities OCR considers part of the Audit Program
78 activities for HIPAA Security
81 activities for HIPAA Privacy
10 activities for Breach Notification and Reporting
Security Rule Protocols
• The protocol covers Security Rule requirements for administrative, physical, and technical safeguards
– Examples:
• Risk assessment policy
Privacy Rule Protocols
Covers areas of the Privacy rule concerning: 1) notice of privacy practices for PHI; 2) Rights to request privacy protection for PHI; 3) Administrative requirements; 4) Uses and disclosures of PHI; 5) Access of individuals to PHI; 6) Amendment of PHI; 7) Accounting of disclosures
Examples:
Business Associate Agreement Policy
Consistent “Use and Disclosure” Policies and “Notice of Disclosure” Policies
Breach Protocols
The protocol covers requirements for the Breach Notification Rule
Examples:
–Alerting an individual of a breach involving his/her PHI
–Ensuring breach notification elements are contained in Business Associate Agreement
What OCR Discovered
• Most of the evaluated entities did not conform to HIPAA standards for security, privacy, and breach notification – the three audit areas
• 2/3 failed to perform a sufficient security risk assessment
• Most common response to non-compliance finding was that the entity was “unaware of the requirement”
What OCR Discovered
• Privacy requirements entities were most “unaware” of:
– notice of privacy practices
– access of individuals
– minimum necessary
– authorizations
• Security requirements entities were most “unaware” of:
– risk analysis
– media movement and disposal
– audit controls and monitoring
Future of the HIPAA Audit
• As suspected…Round II
• February 2014 HHS OCR announced plan to survey 1200 organizations
– 800 covered entities and 400 business associates
– “will gather information about respondents to enable OCR to assess the size, complexity and fitness of a respondent for an audit.”
– Will collect recent data about the number of patient visits or insured lives, use of electronic information, revenue and business locations
Who Can Be Audited?
• Every covered entity and business associate is eligible for an audit
• Initial rounds were designed to provide a broad assessment of the health care industry
• OCR has promised to audit:
“…as wide a range of types and sizes of covered entities as possible; covered individual and organizational providers of health services, health plans of all sizes and functions, and health care clearinghouses..."
HHS OCR Perspective
• Views the audits as a way to improve knowledge and compliance, and to encourage best practices
• "Audits present a new opportunity to examine mechanisms for compliance, identify best practices and discover risks and vulnerabilities that may not have come to light through OCR's ongoing complaint investigations and compliance reviews”
Best Practices
• Self-audits
– The audit process is public information
– No secret formula on how OCR will grade your compliance
• Annually review your program
– Do not rely on out-of-date policies and procedures as evidence of compliance
• OCR has been clear that you are out of compliance with the regulation if you are not reviewing and updating your program on an annual basis
– The areas covered by HIPAA Security Rule are especially sensitive to changes in technology
Best Practices
• Do your policies extend beyond the desktop PC at work?
• Recent OCR enforcement trends have focused heavily on internet and mobile technology
– e.g. cloud and social networking
• Entities need policies and procedures addressing tracking, authentication, and security of PHI accessible “outside” of the physical work area
Worst Practices
• Hoping you do not get selected (fingers crossed approach)
• Thinking you are too small to be noticed by OCR
• Waiting until you receive an Audit letter to begin developing HIPAA/HITECH compliant policies
What the future will bring…
• More audits!
• Evidence Audits will not go away:
– HHS mandated under HITECH to periodically audit
– Audits perform two-fold function of enforcing HIPAA and generating (potentially) revenue in the form of penalties stemming from HIPAA violations
– Money has been appropriated for the audit program
• OCR Director Leon Rodriguez:
“We did our audit pilot this year and…the idea after that is to have a permanent program, part of which will need to be funded by the proceeds of enforcement. I saw these articles out there that said “More audits are coming” and “Are you ready for audits?” and that’s a smart question because that is really what’s ahead for us.”
The Cyber Threat
• Data Breach Examples:
• Hacking
• Theft of storage devices
• Viruses
• Catastrophic weather events
• State-sponsored hacking
The Implications:
• Exposure of Personally Identifiable Information
• Business interruption
• Litigation
• Regulatory Implications
• Government Investigations
• Reputational Damages
Will Insurance Help?
• Some decisions have found coverage under traditional policies
• Going forward, however, traditional forms of insurance may not offer sufficient protection.
Property Insurance
• Ward General Ins. Serv., Inc. v. Employers Fire Ins. Co., 114 Cal.App. 4th 548 (Cal. App. 2003)
• Lost data does not constitute tangible property, thus there was no “physical loss” as was required by the policy.
• See also: America Online, Inc. v. St. Paul Mercury Ins. Co., 207 F.Supp.2d 459 (E.D. Va. 2002); Southeast Mental Health Center, Inc. v. Pacific Ins. Co., Ltd., 439 F.Supp.2d 831 (W.D. Tenn. 2006)
• But….
• Landmark American Ins. Co. v. Gulf Coast Analytical Laboratories, 2012 WL 1094761 (M.D. La., Mar. 30, 2012)
• Tangibility was not a defining quality of physicality; electronic data deemed to be ‘physical’.
Crime Insurance
• Retail Ventures, Inc. v. National Union Fire Ins. Co. of Pittsburgh, Pa., 691 F.3d 821 (6th Cir. 2012)
• Insured prevailed on appeal in its coverage claim seeking $6.8 million in data breach losses under a computer fraud rider to a commercial crime policy. Loss resulted “directly from” theft of insured property by computer fraud.
Errors & Omissions Insurance
• Eyeblaster, Inc. v. Federal Ins. Co., 613 F.3d 797 (8th Cir. 2010)
• Online marketing firm was provided coverage under its E&O policy because the insured’s acts were not intentionally wrongful, thus fell within coverage grant.
• Also found coverage under CGL due to allegations of loss of use of plaintiff’s computer. Was not excluded under the “impaired property” exclusion because no evidence was presented that the situation could be remedied by the
CGL Insurance
• Loss of Electronic Data not “Tangible Property” – Recall Total Information Management v. Federal Ins. Co., 2012 WL 469988 (Conn.Super. Jan. 17, 2012); Union Pump Co. v. Centrifugal Technologies, Inc.
• But…. remember Eyeblaster
• Also, Netscape Communications Corp. v. Federal Ins. Co., 343 Fed.Appx 271 (9th Cir. 2009) found that an insured was covered under the Personal & Advertising Injury
• Encore Receivable Management, Inc. v. ACE Property & Cas. Ins. Co., 2013 WL 3354571 (S.D. Ohio, July 3, 2013) found that “publication” occurs the moment a customer’s conversation is recorded. Could serve to limit the “publication” requirement.
• Hartford Cas. Ins. Co. v. Corcino & Assoc. et al. – C.D. California case finding publication of confidential medical information triggered a duty to defend.
• Zurich American Ins. Co. v. Sony Corp. of America: PlayStation Data Breach. Recent pro-insurer ruling – “publication” that occurred was not by policyholder, but by third-party hackers. No duty to defend found.
Limitations of Existing Forms of Coverage
• Exclusions being added to these types of policies to prevent coverage extensions
• The War Exclusion and Terrorism Exclusions
• Insurers willing to litigate issues
Best Practices: Cyber Coverage
• Types of coverage offered vary widely, but consultation with professionals regarding needs can ascertain the appropriate type of coverage.