TRANSCRIPT
Navigating States & HIPAA Breach Notification Compliance
March 17, 2020, 11:00 am PT / 2:00 pm ET
Today’s Speakers:
Welcome & Introductions
● Doug Kruger, VP Business Development, RadarFirst
● Adam Greene, Partner, Davis Wright Tremaine, LLP
Agenda
● Keeping up with complexities of breach notification regulations
● 2019 state breach notification regulatory trends
● OCR & State AGs enforcement trends
● Unified framework for incident response lifecycle
● Healthcare benchmarking stats
● Automation in incident response
● Questions & Answers
Complex regulatory landscape
Specified and reduced timelines for breach notifications worldwide
Growing breach regulations - 2019 U.S. activity
● 15 new laws or amendments went into effect that impacted breach notification obligations
○ 4 new, 11 amendments
● 4 additional laws or amendments went into effect Jan 1, 2020
State breach notification law trends
Expanding scope of personal info
● Arkansas
● Delaware
● New Jersey
● New York
● Ohio
● South Carolina
● Virginia
Specified timeline
● Delaware (60 days)
● Maine (30 days)
Specified contents
● Delaware
● Massachusetts
● New Jersey
● New York
● Ohio
● South Carolina
Attorney General
● Arkansas
● Massachusetts
● New York
● Maryland
Challenging interplay between state & federal
● State breach laws and HIPAA fall under three categories:
○ Complete exemption from the state law
○ Partial exemption
○ No exemption
● Is AG notification required even if otherwise exempt?
● What is the timing of notification to the state? Same as HIPAA or sooner?
● Legislative jurisdiction: When are you subject to a state’s notification law?
Breaches affecting 500+ Individuals
Source: U.S. Department of HHS OCR, 29th National HIPAA Summit, Update from HHS OCR
500+ Breaches by Type of Breach
Source: U.S. Department of HHS OCR, 29th National HIPAA Summit, Update from HHS OCR
Breaches affecting 500+ - Reports involving hacking/IT incidents
Source: U.S. Department of HHS OCR, 29th National HIPAA Summit, Update from HHS OCR
2019 OCR enforcement actions
4/2019 Touchstone Medical Imaging $3,000,000
4/2019 Medical Informatics Engineering $100,000
9/2019 Bayfront Health St. Petersburg $85,000
9/2019 Elite Dental Associates $10,000
10/2019 Jackson Health System (CMP) $2,154,000
10/2019 Texas Health and Human Services Commission (CMP) $1,600,000
10/2019 University of Rochester Medical Center $3,000,000
11/2019 Sentara Hospitals $2,175,000
12/2019 Korunda Medical $85,000
12/2019 West Georgia Ambulance $65,000
Source: U.S. Department of HHS OCR, 29th National HIPAA Summit, Update from HHS OCR
OCR enforcement action
Source: U.S. Department of HHS OCR, Nov 26, 2019 Agreement, Sentara
● Understanding the definition of PHI and knowing your notification obligations is critical
● “Sentara concluded, incorrectly, that unless the disclosure included patient diagnosis, treatment information or other medical information, no reportable breach of PHI had occurred.”
OCR enforcement action
“HIPAA compliance depends on accurate and timely self-reporting of breaches because patients and the public have a right to know when sensitive information has been exposed.” - Roger Severino, OCR Director.
“When health care providers blatantly fail to report breaches as required by law, they should expect vigorous enforcement action by OCR.”
Source: U.S. Department of HHS OCR, Nov 26, 2019 Agreement, Sentara
Mature incident response process
What does it mean to build an effective incident response program?
● Defensible: You must be able to show consistent, objective, multi-factor risk assessments and well-documented criteria for your decisions whether to notify or not.
● Up-to-date & Comprehensive: Your risk assessment and response needs to take into account all laws and regulations that may be applicable to each separate incident.
● Timely & Compliant: Your team needs to consistently arrive at a compliant notification decision that is in time to meet compliance deadlines for all applicable regulations and jurisdictions.
Proactive incident response program
What does it mean to build a proactive incident response program?
● You’re thinking ahead, anticipating what will happen and taking action ahead of time.
● Document each step that will be taken and practice with all the key players involved.
● Practice, practice, practice - so everyone is very clear on what to do and when. It becomes muscle memory.
The incident response lifecycle
(Diagram: Preparedness, then the cycle Identify & Investigate → Assess → Decide → Notify → Analyze)
● Preparedness
● Identify & Investigate: The clock begins ticking for the IR team to investigate the incident, involve appropriate stakeholders, and capture enough information to drive an accurate risk assessment.
● Risk Assess & Decide: The ability to demonstrate a consistent approach is a critical factor in making defensible notification decisions to regulators.
● Notify: If you determine that notification is required, your privacy and legal teams have to be ready to quickly generate notification letters to individuals, regulatory agencies, and data protection authorities, as well as track responses and document their efforts.
● Analyze: The time after an incident is also the time before the next incident - time you can use to evaluate and improve your incident response process and to pinpoint and fix gaps.
Incident lifecycle time periods (days)
2019 BakerHostetler Report:
● Occurrence to discovery = 66 days
● Discovery to notify = 56 days
(Chart: % of on-time notifications, Electronic vs Paper vs Verbal/Visual)
Is there a reasonable notification rate?
● Sufficient risk mitigation is crucial in reducing the risk of harm
● Consistent and objective multi-factor risk assessment provides the necessary proof of compliance.
Simplify compliance with automation
Radar provides consistency and efficiency by operationalizing incident response:
1. Simplify incident escalation & details
2. Quickly assess whether an incident requires notification
3. Manage third party data processing notification obligations
4. Monitor trends and measure program metrics
5. Provide proof of compliance
Real-time trend analysis and dashboards
Benchmarking provides Radar users the ability to view and analyze a number of metrics in comparison to their industry.
Radar users can select a specific industry with predefined date ranges.
● Allows users to quickly establish internal metric-driven goals
● Helps organizations understand and improve operational efficiencies
Stay current with changing breach laws
Free Law Overview Tool
● Access an up-to-date overview of global breach notification laws (including CCPA and GDPR)
● Remain informed of US federal and state incident risk assessment and reporting requirements for data breaches
radarfirst.com/breach-law-library
Questions & Answers
Thank You