
Page 1

Pillsbury Winthrop Shaw Pittman LLP

February 4, 2009

Pillsbury Winthrop Shaw Pittman LLP and Protiviti, Inc.

Edgar Bueno – Pillsbury

Scott LaLiberte – Protiviti

John Nicholson – Pillsbury

Health Care Privacy and Security Laws: What You Need to Know in 2009

Page 2

1 | Health Care Privacy and Security Laws

Agenda

Health Care Privacy and Security: Recent Developments

HIPAA Security Rule Compliance

Medical Information Data Breaches

Page 3

Health Care Privacy and Security – Key Developments

Increased Enforcement: in 2008, the first HIPAA penalty and the start of compliance reviews

“Snooping” of PHI and Curiosity Seekers

Medical Identity Theft

Focus on Business Associate Compliance

Expect Additional Guidance from HHS

Electronic Health Information Networks

Page 4

Legislative Developments To Watch

Health Information Technology: Expansion of EMRs and Privacy

Is a HIPAA Re-Write Coming?

- Right to Privacy With Respect to Disclosures
- Patient Authorizations
- Notification of Breaches
- Enhanced Penalties (including for unintentional disclosures)
- Private Right of Action against Providers
- Additional Protections for Research, Drug & Alcohol History, Psychiatric Records, and HIV Status

Telemedicine and Privacy

Patient Prescription Data

Page 5

How to Prepare for Legal Changes and Challenges

Review HIPAA Compliance Plans

Have a Plan Ready for Data Breaches

Enhance Protections for Access to and Storage of PHI

Watch for Updates (Including State and Consumer Protection Laws)

Review Contracts with Agents, Subcontractors, Vendors

Perform Routine Audits and Accounting of Disclosures

Check Insurance Policies

Page 6

HIPAA Security Rule Compliance – an Overview and Approach

Page 7

Background

Security Rule General Requirements
- Ensure the confidentiality, integrity, and availability of all electronic protected health information (ePHI) the covered entity creates, receives, maintains, or transmits
- Protect against any reasonably anticipated threats or hazards to the security or integrity of such information
- Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required
- Ensure compliance by its workforce

Compliance Date – The Final Rule was published on February 20, 2003 and became enforceable on April 20, 2005 (April 20, 2006 for small health plans).

Scope – Applies specifically to electronic protected health information.

The concepts of Standards, Required and Addressable Implementation Specifications, and overall flexibility were introduced in the Final Rule; the "reasonable and appropriate" concept is used throughout.

The HIPAA Privacy Rule implies HIPAA security: "A covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information." The Security Rule provides the framework to immediately exercise due care related to the privacy requirement of securing both electronic and non-electronic PHI.

Page 8

Latest Developments

NIST has updated SP 800-66, the core implementation guidance document for the Security Rule, which may provide deeper insight into emerging security issues; it was released as SP 800-66 Rev. 1 in October 2008.

CMS continues to issue guidance documents (e.g. the remote access guidance); these should be considered for compliance, as they may become part and parcel of future audits.

The landscape will continue to evolve, especially with emerging issues and state laws regarding data breaches (e.g. the expansion of CA SB 1386 to cover medical information) and encryption of customers' non-public personal information (MA, NV, etc.); this places even more emphasis on the risk assessment process and overall security program integration.

Page 9

Security Rule Sections

- General Rules – provide the four general requirements for covered entities and serve as the basis for the subsequent sections
- Administrative Safeguards – account for over half of the Security Rule requirements and include requirements for documented policies and procedures for security management, operations, workforce clearance, access to ePHI, and business associate contracts
- Physical Safeguards – require documented policies and procedures to restrict physical access to facilities, electronic media, and workstations housing ePHI
- Technical Safeguards – provide technical security mechanisms designed to ensure the confidentiality and integrity of ePHI and require policies and procedures related to each
- Organizational Requirements – include business associate agreements, business associate responsibilities, and requirements for group health plans
- Policies and Procedures and Documentation Requirements – essentially, everything listed above must be documented, made available, updated, and retained for six years from the date of its creation or the date when it was last in effect, whichever is later

Page 10

Regulation Components

Standards: what must be met

Implementation specifications: how to meet it
- Required: must be implemented
- Addressable: assess whether reasonable and appropriate
  - If reasonable: implement
  - If not reasonable: document why, and implement an alternative measure that meets the standard

Page 11

HIPAA Security Standards Matrix – Required vs. Addressable Specifications

[Chart: count of standards, required implementation specifications, and addressable implementation specifications for each section – Administrative Safeguards, Physical Safeguards, Technical Safeguards, Organizational Requirements, and Policies & Procedures and Documentation.]

Implementation specifications: (R) = Required, (A) = Addressable

Administrative Safeguards
- Security Management Process, 164.308(a)(1): Risk Analysis (R); Risk Management (R); Sanction Policy (R); Information System Activity Review (R)
- Assigned Security Responsibility, 164.308(a)(2): (R)
- Workforce Security, 164.308(a)(3): Authorization and/or Supervision (A); Workforce Clearance Procedure (A); Termination Procedures (A)
- Information Access Management, 164.308(a)(4): Isolating Health Care Clearinghouse Function (R); Access Authorization (A); Access Establishment and Modification (A)
- Security Awareness and Training, 164.308(a)(5): Security Reminders (A); Protection from Malicious Software (A); Log-in Monitoring (A); Password Management (A)
- Security Incident Procedures, 164.308(a)(6): Response and Reporting (R)
- Contingency Plan, 164.308(a)(7): Data Backup Plan (R); Disaster Recovery Plan (R); Emergency Mode Operation Plan (R); Testing and Revision Procedures (A); Applications and Data Criticality Analysis (A)
- Evaluation, 164.308(a)(8): (R)
- Business Associate Contracts and Other Arrangements, 164.308(b)(1): Written Contract or Other Arrangement (R)

Physical Safeguards
- Facility Access Controls, 164.310(a)(1): Contingency Operations (A); Facility Security Plan (A); Access Control and Validation Procedures (A); Maintenance Records (A)
- Workstation Use, 164.310(b): (R)
- Workstation Security, 164.310(c): (R)
- Device and Media Controls, 164.310(d)(1): Disposal (R); Media Re-use (R); Accountability (A); Data Backup and Storage (A)

Technical Safeguards
- Access Control, 164.312(a)(1): Unique User Identification (R); Emergency Access Procedure (R); Automatic Logoff (A); Encryption and Decryption (A)
- Audit Controls, 164.312(b): (R)
- Integrity, 164.312(c)(1): Mechanism to Authenticate Electronic PHI (A)
- Person or Entity Authentication, 164.312(d): (R)
- Transmission Security, 164.312(e)(1): Integrity Controls (A); Encryption (A)

Page 12

Major Areas/Efforts

Risk Assessment/Analysis

Develop and Document Policies & Procedures

Develop and implement security awareness training

Minimum baseline standards

Security Testing

Security patch management

Monitoring and compliance program

Audit and Logging of Access

Managing Business Partner Risks (BA agreements and Due Diligence)

Page 13

More Information

CMS HIPAA Website – http://www.cms.hhs.gov/HIPAAGenInfo/

DHHS OIG Audit of CMS – http://oig.hhs.gov/oas/reports/region4/40705064.pdf

NIST HIPAA Guidance – http://csrc.nist.gov/publications/nistpubs/800-66-Rev1/SP-800-66-Revision1.pdf

HIPAA Compliance Information – http://www.hipaacomply.com/

Page 14

Medical Information Data Breaches

Page 15

Medical Information Data Breaches

Generally smaller than financial data breaches

Frequently due to curiosity
- Acquaintance or celebrity records accessed by curious personnel

Less malicious activity documented so far for medical ID theft
- Medical ID theft accounts for approximately 250,000 of the 8 million identity theft victims in the FTC database as of 2005 (latest FTC report)
- Best used for theft of services, BUT consider the implications for future treatment of the actual patient
- Misdiagnosis/mistreatment could lead to a claim of negligence

Data breach notification laws have inconsistent application, depending on:
- Type of data
- Encrypted or not
- Residence of patients impacted
- Likelihood of misuse

Page 16

Latest Data Breaches (as of 1/26/09)

Records   Date         Organization
300       2009-01-26   City of Madison, Wisconsin
2,000     2009-01-25   British Council
5,000     2009-01-24   Abertawe Bro Morgannwg University NHS Trust
10        2009-01-23   Hays Pharma
14        2009-01-22   Lloyds TSB
565       2009-01-21   Missouri State University
11,000    2009-01-20   Kanawha-Charleston Health Department
200       2009-01-16   Southwestern Oregon Community College

See http://datalossdb.org/ for daily updates.

Page 17

Grady Memorial Hospital

Reported: July 2008 (http://www.ajc.com/metro/content/metro/atlanta/stories/2008/09/23/grady_data_breach.html)

Number Affected: 45

Information Breached: Included doctors' notes, medical conditions, diagnoses, documentation of medical procedures and possibly names and ages of patients.

How: Human error posted data to website.

State Data Breach Law: GA Code 10-1 §§910-911 only applies to data brokers, BUT other state laws could kick in depending on actual residency of patients whose records were accessed.

Page 18

University of Iowa Hospitals & Clinics

Reported: Nov. 19, 2008 (http://www.healthimaging.com/index.php?option=com_articles&view=article&id=15146)

Number Affected: Unknown (but probably small)

Information Breached: Medical records (details not provided)

How: Unauthorized access by hospital personnel

Probably involved acquaintances of the personnel or celebrities.

State Data Breach Law: Iowa S.F. 2308 requires businesses and government agencies to notify state residents if the unauthorized access of their computerized personal information is likely to do financial harm.

The "likelihood of financial harm" trigger could exempt this breach from the notice requirement.

Other state laws could kick in depending on the actual residency of the patients whose records were accessed.

Page 19

Ohio State University

Reported: Dec. 30, 2008 (http://breach.scmagazineblogs.com/2009/01/06/ohio-state-data-breach-caused-by-third-party/)

Number Affected: 18,000

Information Breached: Names and Social Security numbers, insurance group policy number, and OSU ID number (which, at that time, had the same digits as the student’s Social Security Number).

How: Information was erroneously posted on an Internet server maintained by a company that had been doing work on behalf of Ohio State.

State Data Breach Law: Ohio HB 104 requires notice where acquisition of “personal information” (which includes SSN) by the unauthorized person causes or reasonably is believed will cause a material risk of identity theft or other fraud to the resident.

Page 20

Ohio Data Breach Law

Ohio attorney general has authority to investigate compliance, and apply civil penalties in instances where noncompliance is proved.

Penalties for failing to properly notify affected consumers within 45 days include:
- $1,000 per day for the first 60 days
- Up to $5,000 per day for days 61 through 90
- Up to $10,000 per day beyond 90 days

Also requires the judge in any case involving noncompliance to gauge whether the delay in notification was intentional or if disclosure was made in good faith when determining the amount of the fine. Maximum fines may be levied if the person or entity is found to have acted in bad faith, and the offending entity may also be liable for the costs of the attorney general’s investigation.

Page 21

Kanawha-Charleston Health Department

Reported: Jan 20, 2009 (http://wvgazette.com/News/200901200377)

Number Affected: > 14 (11,000 notified)

Information Breached: Names, social security numbers, addresses and other personal information

How: Notes handwritten by contractor at flu-shot clinic

State Data Breach Law: Applies to acquisition of unencrypted and unredacted computerized data that compromises the security or confidentiality of personal information. Unclear whether information fit definition, BUT other state laws could kick in depending on actual residency of patients whose records were accessed.

Page 22

What To Do Now?

Massachusetts

New regulations require businesses holding personal information about Massachusetts residents:
- To develop a written plan and appoint an employee to manage it and enforce violations
- To obtain certification from outsourcing service providers that they comply
- To implement firewalls and encrypt information in transit and on portable devices
- To train employees on information security

The regulation applies to all entities that own, license, store, or maintain personal information about a resident of Massachusetts.

Sensitive personal information that is transmitted electronically or stored on laptop computers must be encrypted beginning May 1, 2009. Information stored on other portable devices must be encrypted beginning January 1, 2010.

Page 23

What To Do Now (cont’d)

See the new HHS Report on Medical Identity Theft: http://www.hhs.gov/healthit/documents/MedIdTheftReport011509.pdf

Recommendations include:
- Role-based access for users on a "need-to-know" basis
- Audits that flag anomalies
- Stronger authentication for patient access to records to prevent unauthorized access
- Studying ways to limit the use of SSNs in patient records

FTC Dec. 2008 Report on Identity Theft: http://ftc.gov/os/2008/12/P075414ssnreport.pdf

Recommendations include:
- Improve consumer authentication where SSNs are used
- Restrict public display and transmission of SSNs
- Establish national standards for data protection and breach notification
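The HHS recommendations above ("role-based access on a need-to-know basis" and "audits that flag anomalies") are what turn the Security Rule's Audit Controls standard into a control against the curiosity-driven snooping described in the breach examples. The following Python is an added example written for this page; it is not code from the presentation, from HHS, or from any EHR vendor. It assumes a hypothetical pipe-delimited EHR access log, a constructed care-team roster (who has a treatment relationship with which patient), a constructed list of high-profile patients, and made-up user names, patient IDs, surnames, and log lines.

```python
"""Flag 'curiosity' access to patient records in an EHR access log.

Constructed example: the log format, care-team roster, VIP list and
surname directories below are all made up for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# Hypothetical care-team roster (patient -> users with a treatment relationship),
# e.g. derived from scheduling or admission/discharge/transfer feeds.
CARE_TEAM: Dict[str, Set[str]] = {
    "P1001": {"dr_singh", "rn_lopez"},
    "P1002": {"dr_singh"},
    "P1003": {"dr_chen", "rn_lopez"},
}

# Hypothetical high-profile patients whose records warrant extra scrutiny.
VIP_PATIENTS: Set[str] = {"P1003"}

# Hypothetical directories used to spot users looking up family members.
USER_SURNAME: Dict[str, str] = {"dr_singh": "Singh", "rn_lopez": "Lopez", "clerk_ng": "Ng"}
PATIENT_SURNAME: Dict[str, str] = {"P1001": "Ng", "P1002": "Brown", "P1003": "Garcia"}

# Constructed log lines: timestamp|user|patient_id|action|reason_code
SAMPLE_LOG = """\
2009-01-20T08:01:12|dr_singh|P1001|VIEW_NOTE|TREATMENT
2009-01-20T08:03:40|rn_lopez|P1001|VIEW_MEDS|TREATMENT
2009-01-20T09:15:02|clerk_ng|P1001|VIEW_NOTE|ADMIN
2009-01-20T12:44:51|dr_singh|P1003|VIEW_NOTE|TREATMENT
2009-01-20T12:45:10|dr_chen|P1003|VIEW_NOTE|TREATMENT
2009-01-20T22:10:33|rn_lopez|P1002|VIEW_NOTE|TREATMENT
2009-01-20T23:05:00|dr_chen|P1002|VIEW_NOTE|EMERGENCY
"""


@dataclass
class Finding:
    timestamp: str
    user: str
    patient: str
    reasons: List[str]


def parse_log(text: str) -> List[dict]:
    """Parse pipe-delimited access events; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 5:
            continue
        ts, user, patient, action, reason = parts
        events.append({"ts": ts, "user": user, "patient": patient,
                       "action": action, "reason": reason})
    return events


def review_access(events, care_team, vip_patients, user_surname, patient_surname) -> List[Finding]:
    """Return one Finding per event that a privacy officer should review.

    Rules:
      - no_treatment_relationship: user is not on the patient's care team
        and did not invoke the emergency ("break the glass") procedure
      - break_glass_review: emergency access always gets a human review
      - vip_record: off-team access to a flagged high-profile record
      - same_surname: user and patient share a surname (possible family lookup)
    """
    findings = []
    for ev in events:
        reasons = []
        on_team = ev["user"] in care_team.get(ev["patient"], set())
        if not on_team:
            if ev["reason"] == "EMERGENCY":
                reasons.append("break_glass_review")
            else:
                reasons.append("no_treatment_relationship")
            if ev["patient"] in vip_patients:
                reasons.append("vip_record")
        surname = user_surname.get(ev["user"])
        if surname is not None and surname == patient_surname.get(ev["patient"]):
            reasons.append("same_surname")
        if reasons:
            findings.append(Finding(ev["ts"], ev["user"], ev["patient"], reasons))
    return findings


def review_sample() -> List[Finding]:
    """Run the review over the constructed sample log."""
    return review_access(parse_log(SAMPLE_LOG), CARE_TEAM, VIP_PATIENTS,
                         USER_SURNAME, PATIENT_SURNAME)


if __name__ == "__main__":
    for f in review_sample():
        print(f"{f.timestamp} {f.user} -> {f.patient}: {', '.join(f.reasons)}")
```

On the sample log, the clerk who opened a record sharing his surname, the physician who opened a high-profile patient outside her care team, and the off-hours view with no treatment relationship are all flagged, while the emergency access is routed to review rather than blocked, which is what the Emergency Access Procedure standard requires. The point for a compliance program is that audit logging alone satisfies the Audit Controls standard only on paper: without a treatment-relationship source to compare against and someone assigned to work the findings, a log of every access catches nothing. Covering clinicians and float staff will produce false positives under the relationship rule, so the roster feed, not the rule, is where tuning effort belongs.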

Page 24

Contacts

Edgar Bueno, Sr. Associate
Pillsbury Winthrop Shaw Pittman LLP
1650 Tysons Blvd.
McLean, VA 22102-4856
703-770-7709
[email protected]

John Nicholson, Counsel
Pillsbury Winthrop Shaw Pittman LLP
2300 N Street, NW
Washington, DC 20037-1122
202-663-8269
[email protected]

Scott LaLiberte, Managing Director
Protiviti, Inc.
50 S. 16th St. #2900
Philadelphia, PA 19102
267-256-8825
[email protected]