HIPAA & HITECH Privacy and Security Concerns : Are You Covered?


(1)

HIPAA & HITECH Privacy and Security Concerns : Are You Covered?

Insurance Accounting and Systems Association Chicagoland Chapter Conference

April 17, 2014

Colin Gainer & Tim Lessman, SmithAmundsen, LLC

(2)

HIPAA Privacy and Security

• Health Insurance Portability and Accountability Act of 1996

• HIPAA created and implemented standards for the use and dissemination of health care information.

• The Privacy Rule and Security Rule are sets of regulations for “administrative simplification” which were promulgated in order to carry out the requirements set

(3)

Privacy Rule

The Privacy Rule regulates the use and disclosure of individuals’ health information, called protected health information (“PHI”).

(4)

Security Rule

The Security Rule sets standards for ensuring that only individuals with clearance to work with electronic protected health information (“e-PHI”) have access to such information.

(5)

Privacy Rule applies to all forms of patients’ protected health information

Security Rule covers protected health information in electronic form

Both rules stress the need to maintain “administrative”, “physical”, and “technical” safeguards when working with any form of protected health information.

(6)

Under HIPAA and HITECH

• Covered Entity (CE):

–Health plan

–Healthcare Clearinghouse

–Healthcare Provider

(7)

What is a Covered Entity

• A Health Care Provider. This includes providers such as: Hospitals, Doctors, Clinics, Psychologists, Dentists, Chiropractors, Nursing Homes, Pharmacies.

• A Health Plan. This includes: Health insurance companies, HMOs, Company health plans, Government programs that pay for health care, such as Medicare, Medicaid, and the military and veterans health care programs.

• A Health Care Clearinghouse. This includes entities that process nonstandard health information they receive from another entity into a standard (i.e., standard electronic format or data content), or vice versa.

(8)

Who is a Business Associate of a Covered Entity

Under HIPAA

• Business Associate (BA) is a person/entity who:

– Performs or assists with a function or activity involving individually identifiable information

(9)

Business Associate Examples

• Law firms

• Accountants

• Information technology companies

• Billing services

(11)

What is HITECH?

• The American Recovery and Reinvestment Act of 2009 (“ARRA”) included legislation, commonly referred to as Health Information Technology for Economic and Clinical

(12)

Final Rule

• On January 17, 2013, the Department of Health and Human Services issued long-awaited final regulations implementing the privacy, security, and breach-notification provisions of the HITECH

• Effective September 23, 2013

• The regulations amend the HIPAA Privacy, Security, and Enforcement Rules and finalize a modified HIPAA Breach Notification Rule, which has been in effect on an interim basis since 2009.

(13)

HITECH on HIPAA

• Creates new privacy and security requirements for HIPAA covered entities & their business associates

– New accounting, disclosure, and breach requirements

– New restrictions on marketing & fundraising

– Increased penalties

(14)

Expansion of Business Associate

• Business Associate defined to include:

– Patient Safety Organizations

– Health Information Organizations, E-prescribing gateways

(15)

Subcontractors

• Downstream entities that work at the direction of or on behalf of a BA

• Does not require CE to have a contract with the subcontractor (BA does)

(16)

Subcontractors

• BA required to obtain written “satisfactory assurances” from its immediate subcontractor (Sub BAA).

• Responsible for compliance with the business associate requirements under the Security and Privacy Rules, even if the parties failed to enter into a written

(17)

Expansion of Business Associate

• Entities that maintain PHI

– Document destruction

– ePHI vendors

– Storage vendors

– Cloud storage

• Test is persistence of custody, not the degree of access

(18)

The Big Change for Business Associates

(19)

The Business Associate before HITECH

• Originally, “the provisions of HIPAA only applied to a business associate through a contractually created relationship with a covered entity.”

• Before HITECH the only remedy available to a covered entity for a business associate’s violation of HIPAA was one of general contract law.

(20)

The Business Associate after HITECH

• HITECH creates a direct legal obligation on a business associate in both the application of the HIPAA requirements and the penalties associated with a violation.

• BA may be liable not only to the CE in the case of breach of security or privacy, but to the patient as well through HIPAA.

• BA subject to Civil and Criminal penalties under HIPAA

• Potentially subject to mandatory compliance audits by Secretary of HHS

(21)

BA Obligations

• Limit uses and disclosures to what is permitted under the Privacy Rule

– This specifically includes compliance with the minimum necessary standards;

• Provide breach notification to the covered entity;

• Provide a copy of electronic PHI to either the covered entity or individual

• Disclose PHI to the Secretary in an investigation

• Provide an accounting of disclosures*

(22)

HIPAA’s and HITECH’s Impact on Identifiable Health Information

(23)

PHI and E-PHI Content

• Individually identifiable health information contains demographic information collected from an individual.

• Is created or received by a CE

• Relates to past, present, or future health condition of the individual; the provision of health care to the individual; or past, present, or future payment for the provision of health care to the individual

(24)

Elements of PHI

• Names

• Geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code

• Elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death

• Telephone and Fax numbers

• E-mail address

• Social security numbers

• Medical record numbers

• Account numbers

• Certificate/license numbers

• Vehicle identifiers and serial numbers, including license plate numbers

• Web Universal Resource Locators (URLs)

• Internet Protocol (IP) address numbers

• Biometric identifiers, including finger and voice prints

• Full face photographic images and any comparable images
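As an added example (not part of the presentation), the Python scanner below flags several of the identifier classes listed above when they appear in free-text records, which is one way to locate PHI that has leaked into application logs or data exports before deciding whether an incident involves unsecured PHI. The patterns, record format and sample records are constructed for illustration; a bare year is deliberately not flagged, matching the “except year” exception on the slide.

```python
import re
from typing import Dict, List, Tuple

# Regexes for a subset of the PHI identifier classes on the slide.
# Constructed for illustration: a production scanner would also need
# name/address dictionaries and tuned patterns to limit false positives.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone_or_fax": re.compile(r"(?<!\d)(?:\(\d{3}\)\s?|\d{3}[-.])\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://\S+"),
    "zip": re.compile(r"\b\d{5}(?:-\d{4})?\b"),
    # Full dates only: a year on its own is not an identifier on the slide's list.
    "full_date": re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{4}|\d{4}-\d{2}-\d{2})\b"),
    "mrn": re.compile(r"\bMRN[:#]?\s*\d{6,}\b", re.IGNORECASE),
}


def scan_record(text: str) -> Dict[str, List[str]]:
    """Return each identifier class found in one record with its matched values."""
    hits: Dict[str, List[str]] = {}
    for label, pattern in PHI_PATTERNS.items():
        found = pattern.findall(text)
        if found:
            hits[label] = found
    return hits


def summarize(records: List[str]) -> Tuple[int, Dict[str, int]]:
    """Count records that contain any identifier and tally hits per class."""
    flagged = 0
    tally: Dict[str, int] = {}
    for rec in records:
        hits = scan_record(rec)
        if hits:
            flagged += 1
        for label, values in hits.items():
            tally[label] = tally.get(label, 0) + len(values)
    return flagged, tally


# Constructed sample records, e.g. lines from an application log export.
SAMPLE_RECORDS = [
    "Patient Jane Doe, MRN 00123456, DOB 03/14/1971, admitted 2014-04-02, SSN 123-45-6789",
    "Follow-up call to (312) 555-0147, email jdoe@example.com, ZIP 60601",
    "Aggregate report: 41 patients seen in 2013, no identifiers retained",
    "Portal login from 10.0.0.5 to https://portal.example.org/records/778",
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(scan_record(rec) or "no identifiers", "<-", rec[:40])
    print(summarize(SAMPLE_RECORDS))
```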

(25)

Secured Information

• Unsecured protected health information is … protected health information that is not secured through a technology or methodology specified in guidance by HHS. - 45 C.F.R. § 164.402.

• Electronic protected health information may be secured by encryption or workstation security for example.

• Paper protected health information can be secured by destruction or proper storage for example.

(26)

Securing PHI and E-PHI

– Automatic log out

– Password protected log on

– Procedures in place for guarding against viruses, Trojan horses, worms, etc.

– Limit access to E-PHI internally

– Verify terminated employees/agents no longer have electronic access

– Increase use of shredders (bins) on daily basis and at time of purging closed files

– Monitor or control areas where PHI is used

– Immediately account for and report lost: iPhone, laptop, disks, files, etc.

(27)

Breaches

(28)

Breach Reporting

• HITECH requires every covered entity to notify a person when there has been a “breach” of that person’s PHI and to notify HHS

• Under HITECH, a business associate is required to notify the covered entity of any breach of confidentiality of PHI acquired from the covered entity

(29)

Old Breach Definition

“Breach” meant the acquisition, access, use, or disclosure of [PHI] in a manner not authorized under [HIPAA] which compromises the security or privacy of such information

(30)

Old Definition

“compromises the security or privacy” meant a result of: “significant risk of financial, reputational, or other harm to the individual.”

(31)

Final Rule Change

• Replaces the breach notification rule’s “harm” threshold with a more objective standard.

• Breach is any breach UNLESS you can demonstrate that there is a LOW PROBABILITY that the PHI has been compromised.

(32)

Reporting

Within 60 days of the discovery of a breach, a covered entity must provide notice via first class mail to the affected person’s last known

(33)

In any case in which more than 500 persons are affected by a breach, the covered entity must provide notice to major local media outlets

(34)

What must the notice include?

• A description of what happened

• Date

• Types of information involved

• Steps the person should take to protect

• Description of covered entity's investigation & mitigation efforts

• Contact information

• *Toll free number for web/print/broadcast notice

(35)

Business Associate Breach Notification Rule

• Business associate must notify the covered entity

• A business associate must provide notice to the covered entity within 60 days (check BAA).

• Provide CE with:

– the identification of each individual

– any information required to be provided by the CE in its notification to affected individuals.

(36)

Additional BA Requirements

• Must report to CE if BA knows of a “pattern of activity or practice” by CE that constitutes a material breach of BAA

• BA must take steps to cure the breach OR:

– Terminate arrangement

– Report to HHS

(38)

Breaches

• Every breach carries with it the potential for OCR enforcement and civil penalties, regardless of the size, circumstances, or response of the responsible entity

(39)

Penalties

• Prior to HITECH

– No more than $100 for each and up to $25,000

– Also allowed for “ignorance of the law” defense

(40)

Penalties

HITECH:

• Tiered approach

– Unaware even through due diligence:

• $100-$50,000 per occurrence / $1.5mil aggregate

– Caused but not from willful neglect:

• $1,000-$50,000 per occurrence / $1.5mil aggregate

– Willful neglect, corrected in 30 days:

• $10,000-$50,000 per occurrence / $1.5mil aggregate

– Willful neglect, not corrected:

(41)

OCR Penalties

• Alaska Medicaid Agency

– $1.7 million over PHI of 501 individuals

• BCBS of Tennessee

(42)

Other Violation Examples

• OCR imposed $4.3 million penalty on Cignet Health of Prince George’s County, MD

– $1.3 million was imposed on the basis that Cignet had denied 41 patients access to their medical records.

– An additional $3.0 million was imposed because Cignet failed to cooperate with OCR’s investigations on a continuing basis from March 17, 2009 to April 7, 2010.

• Massachusetts General Physicians Organization Inc. (Mass General) agreed to pay $1,000,000

– Incident involved the loss of PHI of 192 patients of Mass General’s Infectious Disease Associates outpatient practice, including patients with HIV/AIDS.

• University of California at Los Angeles Health System agreed to settle for $865,500

– Investigation stemmed from complaint of employees viewing records of two separate celebrity patients

(43)

OCR and HHS

(44)

• Breaches involving 500 or more individuals made up less than one percent of reports,

– BUT accounted for more than 99 percent of the more than 7.5 million individuals who were affected by a breach of their protected health information

• The largest breaches occurred as a result of theft

• Greatest number of reported incidents:

– Small breaches involving human or technological error

– Most commonly involved the protected health information of just one or two individuals

(45)

Trends

• Investigated most

– Impermissible use and disclosure of PHI

– Lack of safeguards on PHI

– Lack of patient access

– Violating minimum necessary rule

– Lack of admin safeguards on E-PHI

(46)

Who is Being Affected

Top 5:

• Private Practices

• General Hospitals

• Outpatient Facilities

• Health Plans

• Pharmacies

(48)

HIPAA Audits under HITECH

Section 13411 of the HITECH Act requires the Dept. of Health and Human Services (HHS) to provide for periodic audits to ensure covered entities and business associates are complying with the HIPAA Privacy and Security Rules and Breach Notification standards.

(49)

HIPAA Audits under HITECH

HHS was left with the task of developing and implementing an audit program that carries out the mandate under HITECH

Office of Civil Rights (OCR), through HHS, is overseeing the audit process

(50)

Audit Protocol

Currently 169 activities OCR considers part of the Audit Program

78 activities for HIPAA Security

81 activities for HIPAA Privacy

10 activities for Breach Notification and Reporting

(51)

Security Rule Protocols

• The protocol covers Security Rule requirements for administrative, physical, and technical safeguards

– Examples:

• Risk assessment policy

(52)

Privacy Rule Protocols

Covers areas of the Privacy Rule concerning:

1) notice of privacy practices for PHI;

2) rights to request privacy protection for PHI;

3) administrative requirements;

4) uses and disclosures of PHI;

5) access of individuals to PHI;

6) amendment of PHI;

7) accounting of disclosures

Examples:

Business Associate Agreement Policy

Consistent “Use and Disclosure” Policies and “Notice of Disclosure” Policies

(53)

Breach Protocols

The protocol covers requirements for the Breach Notification Rule

Examples:

–Alerting an individual of a breach involving his/her PHI

–Ensuring breach notification elements are contained in Business Associate Agreement

(54)

What OCR Discovered

• Most of the evaluated entities did not conform to HIPAA standards for security, privacy, and breach notification – the three audit areas

• 2/3 failed to perform a sufficient security risk assessment

• Most common response to non-compliance finding was that the entity was “unaware of the requirement”

(55)

What OCR Discovered

• Privacy requirements entities were most “unaware” of:

– notice of privacy practices

– access of individuals

– minimum necessary

– authorizations

• Security requirements entities were most “unaware” of:

– risk analysis

– media movement and disposal

– audit controls and monitoring

(56)

Future of the HIPAA Audit

• As suspected…Round II

• February 2014 HHS OCR announced plan to survey 1200 organizations

– 800 covered entities and 400 business associates

– “will gather information about respondents to enable OCR to assess the size, complexity and fitness of a respondent for an audit.”

– Will collect recent data about the number of patient visits or insured lives, use of electronic information, revenue and business locations

(57)

Who Can Be Audited?

• Every covered entity and business associate is eligible for an audit

• Initial rounds were designed to provide a broad assessment of the health care industry

• OCR has promised to audit:

“…as wide a range of types and sizes of covered entities as possible; covered individual and organizational providers of health services, health plans of all sizes and functions, and health care clearinghouses..."

(58)

HHS OCR Perspective

• Views the audits as a way to improve knowledge, compliance, and encourage best practices

• "Audits present a new opportunity to examine mechanisms for compliance, identify best practices and discover risks and vulnerabilities that may not have come to light through OCR's ongoing complaint investigations and compliance reviews”

(59)

Best Practices

• Self-audits

– The audit process is public information

– No secret formula on how OCR will grade your compliance

• Annually review your program

– Do not rely on out-of-date policies and procedures as evidence of compliance

• OCR has been clear that you are out of compliance with the regulation if you are not reviewing and updating your program on an annual basis

– The areas covered by HIPAA Security Rule are especially sensitive to changes in technology

(60)

Best Practices

• Do your policies extend beyond the desktop PC at work?

• Recent OCR enforcement trends have focused heavily on internet and mobile technology

– e.g. cloud and social networking

• Entities need policies and procedures addressing tracking, authentication, and security of PHI accessible “outside” of the physical work area

(61)

Worst Practices

• Hoping you do not get selected (fingers crossed approach)

• Thinking you are too small to be noticed by OCR

• Waiting until you receive an Audit letter to begin developing HIPAA/HITECH compliant policies

(62)

What the future will bring…

• More audits!

Evidence Audits will not go away:

– HHS mandated under HITECH to periodically audit

– Audits perform two-fold function of enforcing HIPAA and generating (potentially) revenue in the form of penalties stemming from HIPAA violations

– Money has been appropriated for the audit program

OCR Director Leon Rodriguez:

“We did our audit pilot this year and…the idea after that is to have a permanent program, part of which will need to be funded by the proceeds of enforcement. I saw these articles out there that said “More audits are coming” and “Are you ready for audits?” and that’s a smart question because that is really what’s ahead for us.”

(63)

The Cyber Threat

Data Breach Examples:

• Hacking

• Theft of storage devices

• Viruses

• Catastrophic weather events

• State-sponsored hacking

(64)

The Implications:

• Exposure of Personally Identifiable Information

• Business interruption

• Litigation

• Regulatory Implications

• Government Investigations

• Reputational Damages

(65)

Will Insurance Help?

• Some decisions have found coverage under traditional policies

• Going forward, however, traditional forms of insurance may not offer sufficient protection.

(66)

Property Insurance

• Ward General Ins. Serv., Inc. v. Employers Fire Ins. Co., 114 Cal.App. 4th 548 (Cal. App. 2003)

• Lost data does not constitute tangible property, thus there was no “physical loss” as was required by the policy.

• See also: America Online, Inc. v. St. Paul Mercury Ins. Co., 207 F.Supp.2d 459 (E.D. Va. 2002); Southeast Mental Health Center, Inc. v. Pacific Ins. Co., Ltd., 439 F.Supp.2d 831 (W.D. Tenn. 2006)

• But….

• Landmark American Ins. Co. v. Gulf Coast Analytical Laboratories, 2012 WL 1094761 (M.D. La., Mar. 30, 2012)

• Tangibility was not a defining quality of physicality; electronic data deemed to be ‘physical’.

(67)

Crime Insurance

• Retail Ventures, Inc. v. National Union Fire Ins. Co. of Pittsburgh, Pa., 691 F.3d 821 (6th Cir. 2012)

• Insured prevailed on appeal in its coverage claim seeking $6.8 million in data breach losses under a computer fraud rider to a commercial crime policy. Loss resulted “directly from” theft of insured property by computer fraud.

(68)

Errors & Omissions Insurance

Eyeblaster, Inc. v. Federal Ins. Co., 613 F.3d 797 (8th Cir. 2010)

• Online marketing firm was provided coverage under its E&O policy because the insured’s acts were not intentionally wrongful, thus fell within coverage grant.

• Also found coverage under CGL due to allegations of loss of use of plaintiff’s computer. Was not excluded under the “impaired property” exclusion because no evidence was presented that the situation could be remedied by the

(69)

CGL Insurance

Loss of Electronic Data not “Tangible Property” – Recall Total Information Management v. Federal Ins. Co., 2012 WL 469988 (Conn.Super. Jan. 17, 2012); Union Pump Co. v. Centrifugal Technologies, Inc.

But…. remember Eyeblaster

Also, Netscape Communications Corp. v. Federal Ins. Co., 343 Fed.Appx 271 (9th Cir. 2009) found that an insured was covered under the Personal & Advertising Injury

Encore Receivable Management, Inc. v. ACE Property & Cas. Ins. Co., 2013 WL 3354571 (S.D. Ohio, July 3, 2013) found that “publication” occurs the moment a customer’s conversation is recorded. Could serve to limit the “publication” requirement.

Hartford Cas. Ins. Co. v. Corcino & Assoc. et al. – C.D. California case finding publication of confidential medical information triggered a duty to defend.

Zurich American Ins. Co. v. Sony Corp. of America: PlayStation Data Breach.

Recent pro-insurer ruling – “publication” that occurred was not by policyholder, but by third-party hackers. No duty to defend found.

(70)

Limitations of Existing Forms of Coverage

• Exclusions being added to these types of policies to prevent coverage extensions

• The War Exclusion and Terrorism Exclusions

• Insurers willing to litigate issues

(71)

Best Practices: Cyber Coverage

• Types of coverage offered varies widely, but consultation with professionals regarding needs can ascertain the appropriate type of coverage.
