Milada R. Goturi
Tonya M. Oliver
Thompson Coburn LLP
Overview of Data Breaches
HIPAA/HITECH Considerations
State Data Security Laws
Case Studies & Prevention Strategies
Generally, a data breach is:
◦ unauthorized
◦ acquisition, access, use, or disclosure
◦ of confidential information
Protected Health Information
Other confidential information
Hacking/IT incident
Improper PHI Disposal
Loss of Electronic Device
Theft – Laptop, Hard Disks, Portable Electronic Devices
Unauthorized Access (e.g., employee improperly accesses data)
Health Net – Lost data servers (2011)
Massachusetts General – Documents containing PHI of 192 patients left on train (2011)
Mills-Peninsula Medical Center, California – Mailroom employee stole medical records of approximately 1,500 patients (2011)
Beth Israel Deaconess Medical Center, Boston – Computer with virus transmitted data files of over 2,000 patients to an unknown location after computer service vendor failed to restore security setting on a computer (2011)
2010 OCR Data:
◦ 207 reports to OCR of data breaches impacting 500 or more individuals
◦ 5.4 million individuals affected by these large breaches
◦ Over 25,000 reports to OCR of smaller data breaches (that occurred during 2010)
◦ More than 50,000 individuals impacted by these smaller breaches
No provider is too big or too small to experience a data breach
The average cost of data breach in the healthcare sector = estimated at over $300 per record
In 2010, the average cost was $345 per compromised record, up from an average cost of $301 in 2009
◦ Source: Ponemon Institute, “U.S. Cost of a Data Breach” (2010)
Statutory violations and related fines and penalties (HIPAA/HITECH, state laws, FTC rules)
Reputational harm
Substantial costs in response and defense
Contractual obligations
Government investigation
Private lawsuits
HIPAA requires covered entities (and now their business associates) to comply with privacy and security standards to protect PHI
◦ “Covered entities” = health care providers, health plans and clearinghouses
◦ “PHI” is individually identifiable health information (e.g., medical information, demographic information, billing information)
◦ Privacy standards – Designed to protect individuals’ PHI by mandating covered entities comply with certain requirements related to the use and disclosure of PHI
◦ Security standards – Designed to protect electronic PHI by mandating certain physical, technical and administrative safeguards
HIPAA requires covered entities (and business associates) to comply with privacy and security standards to protect PHI
HITECH Act (Health Information Technology for Economic and Clinical Health Act of 2009):
◦ Strengthened and expanded HIPAA
◦ Rationale = Concerns for patient privacy and identity theft
◦ Among other things, established mandatory notification requirements for breaches of unsecured PHI
Covered entities must provide notice if:
◦ There is a “Breach,” and
◦ The Breach involves “Unsecured PHI”
Notice must be provided to:
◦ Affected patients
◦ DHHS
◦ Media (in some cases)
Business associates must notify covered entities if a “Breach” occurs
Step 3: Did the incident compromise the security or privacy of PHI in a way that creates significant risk of financial, reputational, or other harm to the affected individual?
◦ Nature and type of PHI?
◦ Who used or obtained PHI?
◦ Mitigation?
◦ Other relevant factors?
Step 4: Does the incident fall within an exclusion?
◦ Unintentional use of PHI by employee in good faith within the scope of authority
◦ Inadvertent disclosure of PHI among persons authorized to access PHI at covered entity/business associate
◦ Good faith belief that unauthorized person who received PHI would not reasonably have been able to retain PHI
Required for all Breaches of Unsecured PHI
Without unreasonable delay
In no event more than 60 days after discovery of Breach
In writing, by mail or, if individual has agreed, by e-mail
Description of the Breach
Description of the types of PHI involved in the Breach
Steps affected individuals should take to protect themselves from potential harm
Brief description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches
Contact information for the covered entity
If substitute notice provided via web posting or major print or broadcast media, toll-free number for individuals to contact the covered entity to determine if their PHI was involved
For 10 or more individuals, substitute individual notice by either posting the notice on the home page of its web site or by providing the notice in major print or broadcast media where the affected individuals likely reside.
For fewer than 10 individuals, covered entity may provide substitute individual notice by an alternative form via written, telephone, or other means.
Submit report electronically via HHS web site
If a breach affects 500 or more individuals = notify the Secretary without unreasonable delay and no later than 60 days following a breach
If breach affects fewer than 500 individuals = notify HHS no later than 60 days after the end of the calendar year in which the breach occurred
Expect an investigation
Required only for Breaches affecting more than 500 residents of a state or jurisdiction; the covered entity must then provide notice to prominent media outlets serving that state or jurisdiction (e.g., press release)
Media notification must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach
Must include the same information required for the individual notice
Business associates must notify the Covered Entity if a Breach occurs.
Without unreasonable delay and in no event more than 60 days after discovery of Breach
Notification should include:
◦ the identification of each individual affected by the Breach
◦ any information required to be provided by the covered entity in its notification to affected individuals
Personal Information
Electronic (few states cover paper records)
In unencrypted form
Accessed by or improperly disclosed to an unauthorized person
Data breach = state data security law must be considered
“Personal Information”:
◦ Individual’s name and one of the following:
Social security number
Account number
State identification/driver’s license number
Credit card number
Definitions vary by state
Includes PHI, employee data, consumer data
State Data Security Laws Require:
◦ Notice to affected state residents
◦ Notice to Attorney General
◦ Notice to consumer agencies
Requirements vary by state
Challenge = multi-state breach
Enacted by 46 states, including Missouri and Illinois
Only Kentucky, New Mexico, Alabama and South Dakota don’t have these laws
Requirements vary by state
R.S.Mo. § 407.1500
“Breach of security” = unauthorized access to or acquisition of unencrypted computerized personal information that compromises the security, confidentiality or integrity of such information
“Personal information” = first name and last name in combination with any one of the following:
◦ Social Security number
◦ Driver's license number or other unique identification number
◦ Financial account number, credit card or debit card number in combination with security code or password
◦ Unique electronic identifier or routing code, in combination with security code or password
◦ Medical or health insurance information
Requires notice to Missouri residents of a breach of security of personal information
Notice must be made without unreasonable delay
Content of notice is statutorily prescribed
If over 1000 residents involved = must notify Missouri Attorney General and consumer reporting agencies
Risk of Harm Test
Notification not required if, after investigation or consultation with law enforcement, it is determined that a risk of identity theft or other fraud to any consumer is not reasonably likely due to the breach
Determination not to notify must be documented and maintained for five years
Willful and knowing violation of law = AG action for damages, up to $150,000 per security breach
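As an added example that is not part of the slides, the following Python models the notification thresholds and deadlines exactly as the HITECH steps above and the Missouri requirements just described state them. The `Incident` class, the function names, the sample figures, and the assumption that every 60-day clock runs from the discovery date are constructed for illustration, not taken from the statute or the firm's materials.

```python
# Added example, not from the slides: a simplified model of the notification
# thresholds and deadlines as the slides state them. All names, sample figures
# and the choice to run every 60-day clock from discovery are constructed assumptions.
from dataclasses import dataclass, field
from datetime import date, timedelta

@dataclass
class Incident:
    discovered: date                   # date the covered entity discovered the incident
    affected: int                      # individuals whose PHI was involved
    residents_by_state: dict = field(default_factory=dict)  # state -> affected residents
    unsecured: bool = True             # False if PHI was encrypted by a NIST-tested process
    significant_risk: bool = True      # Step 3: significant risk of harm to individuals?
    excluded: bool = False             # Step 4: falls within one of the exclusions?

def hitech_obligations(inc: Incident) -> dict:
    """Map each required HITECH notice to its outside deadline; {} if no notice is due."""
    # Not a "Breach of Unsecured PHI" under the four-step test -> no notification duty
    if not inc.unsecured or not inc.significant_risk or inc.excluded:
        return {}
    within_60 = inc.discovered + timedelta(days=60)
    due = {"individuals": within_60}           # always required, in writing
    if inc.affected >= 500:
        due["hhs"] = within_60                 # report to the Secretary promptly
    else:
        year_end = date(inc.discovered.year, 12, 31)
        due["hhs"] = year_end + timedelta(days=60)  # small breaches: after the calendar year
    for state, n in inc.residents_by_state.items():
        if n > 500:                            # media notice is assessed per state/jurisdiction
            due[f"media:{state}"] = within_60
    return due

def missouri_obligations(mo_residents: int, id_theft_reasonably_likely: bool) -> set:
    """Notices under R.S.Mo. 407.1500 as summarised on the slides."""
    if mo_residents == 0:
        return set()
    if not id_theft_reasonably_likely:
        # Risk-of-harm test: no notice, but the written determination is kept five years
        return {"document determination (retain 5 years)"}
    duties = {"missouri residents"}
    if mo_residents > 1000:
        duties |= {"missouri attorney general", "consumer reporting agencies"}
    return duties

if __name__ == "__main__":
    inc = Incident(date(2011, 3, 1), 1200, {"MO": 700, "IL": 500})
    print(hitech_obligations(inc))             # individuals, hhs and media:MO due 2011-04-30
    print(missouri_obligations(700, True))
```

Note that Illinois gets no media notice in the sample because exactly 500 residents is not "more than 500", while the small-breach HHS deadline lands 60 days after December 31 of the discovery year.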
Stolen laptop
Unauthorized access by employees
Data files sent to incorrect recipient
Faxes sent without permission
Medical records in trash
Garage sale
Maintain solid HIPAA privacy and security compliance program
Establish strong contracts with Business Associates
Minimize unsecured PHI
Follow proper data destruction practices
Educate your staff
Effective HIPAA privacy and security policies, procedures and training = key to protecting against data breaches
Winter 2011 – OCR to begin HIPAA privacy and security audits (administered by KPMG) of covered entities
◦ Audits will focus on HIPAA privacy and security compliance
◦ Corrective actions/fines may result if noncompliance found
Issues to consider:
◦ Time frame for notifying covered entity of breach
◦ Requirements related to investigating breach
◦ Financial responsibility related to breach notification
Cost of notice letters, technical expert and legal costs
◦ Indemnification
Minimize PHI and other personal information collected and retained
Encryption
◦ To avoid being “Unsecured PHI,” PHI must be encrypted using a process tested by the National Institute of Standards and Technology
Destruction
◦ Paper, film or other hard copy media must be shredded so PHI can’t be read or reconstructed
◦ Redaction is not enough!
Educate staff about data security and data breach obligations
◦ Periodic refresher training
◦ Establish and monitor access control
◦ Penalties for improper access to PHI/other confidential data
Assign responsibility in the event of a breach
If an incident happens, take prompt action
◦ Determine if a breach occurred
◦ Technical expert analysis may be required
◦ Take prompt mitigation steps
◦ Provide required notices
◦ Timing of notices is essential
◦ Cooperate with any governmental investigation
Cignet Health $4.3M penalty – $3M due to failure to cooperate with authorities
If you have any questions, please contact:
Milada R. Goturi
[email protected]
P: 314.552.6057
F: 314.552.7057
M: 314.602.6057
Tonya M. Oliver
[email protected]
P: 314.552.6119
F: 314.552.7119
M: 314.602.6119