TRANSCRIPT
For a copy of the following presentation, please visit our website at www.UBAbenefits.com. Go to the Wisdom tab and
then to the HR webinar series page.
This UBA Employer Webinar Series is brought to you by United Benefit Advisors
in conjunction with Jackson Lewis
Represents management exclusively in every aspect of employment, benefits, labor, and immigration law and related litigation
Over 780 attorneys in 54 locations nationwide
Current caseload of over 6,500 litigations and approximately 550 class actions
Founding member of L&E Global
What is HIPAA?
Are you a covered entity?
What plans are covered?
Basic principles under HIPAA:
o Covered Entities that possess . . .
o individually identifiable information related to an individual’s health care, or provision or payment for health care. . .
o cannot be used or disclosed except under specified circumstances, and must be safeguarded.
What is protected health information?
o Information created or received by covered entity or employer
o Relating to individual’s past, present or future
• Physical or mental health or condition or
• Provision of health care or
• Payment for health care
o That does or reasonably could identify the individual
o Genetic Information under GINA
What is NOT Protected Health Information?
o Medical information collected or maintained in connection with employer obligations under law (wearing your “employer hat”)
• FMLA, ADA, Sick Leave Requests
• Occupational Injury
• Disability Insurance Eligibility
• Drug Screening Results
• Workplace Medical Surveillance
• Fitness-For-Duty Tests
o Focus on WHY employer acquired the information
What do plans (plan sponsors) need to consider when addressing compliance with HIPAA privacy and security?
o Fully insured plan exception v. self-funded plans
o Privacy rules
o Security rules
What are the key requirements under the HIPAA privacy rule?
o Appoint Privacy Officer
o Amend the health plan for plan sponsor access, and obtain plan sponsor certification
o Adopt written policies including:
• Safeguards to protect PHI
• Accommodating individuals’ rights including access, amendments, accounting for disclosures, restrictions, etc.
• Record retention and documentation
• Complaints and sanctions
What are the key requirements under the HIPAA privacy rule? (ctd.)
o Identify and contract with business associates (and their subcontractors—discussion ahead!)
o Distribute notice of privacy practices
o Train employees as reasonably necessary to ensure compliance
o Maintain plan for responding to breaches of unsecured PHI
o Periodically review and document compliance efforts
What are the key requirements under the HIPAA security rule?
o Security rule applies to electronic PHI only
• PHI that is computer based, e.g., created, received, stored or maintained, processed and/or transmitted in electronic media
• Electronic media includes computers, laptops, disks, memory sticks, PDAs, servers, networks, dial-up modems, e-mail, websites, etc.
o Security means ensuring the confidentiality, integrity, and availability of PHI that the covered entity creates, receives, maintains, or transmits, through applicable administrative, physical and technical standards.
What are the key requirements under the HIPAA security rule? (ctd.)
Administrative Safeguards (R = required implementation specification, A = addressable)
o Security Management Process
• Risk analysis (R)
• Risk management (R)
• Sanction policy (R)
• Information system activity review (R)
o Assign Security Responsibility
What are the key requirements under the HIPAA security rule? (ctd.)
o Workforce Security
• Authorization or supervision of workforce (A)
• Workforce clearance procedure (A)
• Termination procedures (A)
o Information Access Management
• Access authorization (A)
• Access establishment and modification (A)
What are the key requirements under the HIPAA security rule? (ctd.)
o Security Awareness and Training
• Security reminders (A)
• Protection from malicious software (A)
• Log-in management (A)
• Password protection (A)
o Security Incident Procedures
• Response and reporting (R)
What are the key requirements under the HIPAA security rule? (ctd.)
o Contingency Plan
• Data backup plan (R)
• Disaster recovery plan (R)
• Emergency mode operation plan (R)
• Testing and revision procedures (A)
• Applications and data criticality analysis (A)
o Evaluation
o Business Associates
• Written agreement (R)
What are the key requirements under the HIPAA security rule? (ctd.)
Physical Safeguards
o Facility Access Controls
• Contingency operations (A)
• Facility security plan (A)
• Access control and validation procedures (A)
• Maintenance records (A)
o Workstation Use
o Workstation Security
What are the key requirements under the HIPAA security rule? (ctd.)
o Device and Media Controls
• Disposal (R)
• Media re-use (R)
• Accountability (A)
• Data back-up and storage (A)
What are the key requirements under the HIPAA security rule? (ctd.)
Technical Safeguards
o Access Control
• Unique user identification (R)
• Emergency access procedure (R)
• Automatic log-off (A)
• Encryption and decryption (A)
o Audit Controls
o Integrity
• Authenticate ePHI (A)
What are the key requirements under the HIPAA security rule? (ctd.)
o Person or Entity Authentication
o Transmission Security
• Integrity controls (A)
• Encryption (A)
What are the key features of the breach notification rule under HIPAA?
o Applies to covered entities and business associates
• Final regulations confirm covered entities still have obligation to provide notification
• Covered entities may delegate that responsibility to business associates by contract
o Triggered for unsecured PHI
What are the key features of the breach notification rule under HIPAA?
o No risk of harm standard; CEs and BAs must consider the following factors to determine if there is a breach:
• the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
• the unauthorized person who used the PHI or to whom the disclosure was made;
• whether the PHI was actually acquired or viewed; and
• the extent to which the risk to the PHI has been mitigated.
What are the key features of the breach notification rule under HIPAA?
o Generally follows the format of 46 state laws with some key distinctions:
• Absent law enforcement delay, must provide notice without unreasonable delay but not later than 60 days following discovery
• Notify Secretary of HHS via website
– Immediately for breaches affecting 500 or more individuals
– Within 60 days of end of calendar year in which breach occurred for breaches affecting fewer than 500 individuals
• Conspicuously post notice on CE’s website or place notice in major print or broadcast media for breaches involving 10 or more individuals for whom there is insufficient contact information
The BA Relationship
o BAs are subject to most of the privacy rules, and virtually all of the security rules, directly
o Subcontractors of BAs are considered BAs
o An entity is a BA if it meets the regulatory definition, regardless of whether a BAA is in place
o Final regulations make clear that entities that maintain PHI for CEs (even if they do not access it) are likely BAs – e.g., cloud service providers, records storage companies.
When are BAs directly liable under HIPAA?
o Final regulations make clear that BAs are directly liable for:
• uses and disclosures of PHI not permitted under HIPAA;
• a failure to provide breach notification to the CE;
• a failure to provide access to a copy of electronic PHI to the CE, the individual, or the individual’s designee;
• a failure to disclose PHI to the Secretary of Health and Human Services to investigate or determine the BA’s compliance with the HIPAA privacy and security rules;
• a failure to provide an accounting of disclosures; and
• a failure to comply with the HIPAA security rules.
o But not other portions of privacy rule, such as notice requirement
What key issues need to be addressed in our BAAs?
o OCR provides sample provisions:
• http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html
o Caution:
• Address agency issue to minimize liability for acts/omissions of BA
• Give attention to state law protections for personal information as BAs often also have access to this kind of information. See, e.g., CA, TX, MD, MA, and others
• Outline process for investigating/handling security incidents/breaches
• Consider indemnification provisions
Communications, Location and Actions of Employees and Others:
o E-mail, text messages, keylogging, telephone, GPS;
o Call recording/monitoring;
o Video monitoring;
o Duty to monitor?
o Notice requirements – e.g., CT and DE;
o Expectation of privacy generally.
Employee participation in blogs, social networks.
Employer-sponsored social media.
Clear policies, procedures, and monitoring needed (internal and external).
At least 16 states (including New Jersey) regulate requesting passwords or access to social media accounts.
January 15, 2015: Chairman of the FTC, Edith Ramirez, announces consumer privacy is a “top priority”:
o Protection of personal information;
o Must take “reasonable” security measures to protect consumer data.
Federal Trade Commission Act:
o Prohibits unfair and deceptive trade practices;
o Marketing and advertising (website privacy statements/policies);
o Safeguard consumer data.
POTUS: Prosperity and job creation dependent on “digital economy”:
o Sharing information to ensure cybersecurity;
o Legislation for a single, strong national data breach standard;
o Consumer privacy Bill of Rights: privacy balanced with innovation;
o Child and student privacy.
Data Privacy in U.S.
Generally not prescriptive
Not one-size-fits-all
Important to understand business
Law changes regularly
No one federal law in the U.S.
Law governed by sector/industry
States generally have one or more of the following:
o Affirmative obligations to safeguard individual private data based on its risk to an individual were it released (e.g., CA, CT, IL (biometric information), MA, MI, TX)
o Various Social Security number protections
o Data destruction requirements
o Data breach notification (47 states plus some cities. KY newest state to adopt)
Law is fluid
Identity Theft Tops 2013 FTC Consumer Complaint List
o 14th year in a row
o Consumers lost $1.6 billion to electronic fraud in 2013
o Breach not necessarily ID theft
Can be a “bet the company” issue
o Average cost of data breach to a company is $3 million ++
o This is bank robbery without the horses and trains
o One of few laws where the victim becomes the Defendant in a lawsuit.
Risk Assessment - Basic Concepts:
o Employee versus customer data;
o Personal data versus business data;
o Focus is on preventing identity theft, but protections against monitoring and general principles of personal privacy remain and are growing – see “Big Data” and “IoT”;
o Be mindful that because no generally applicable and comprehensive federal scheme exists, managing state laws can be critical.
Risk Assessment - What should we be doing?
o “How” and “What” of Information/Data.
o Strong IT group/support.
o Assess:
1. Standards for handling credit card or payment data;
2. Safeguards for other customer personal information;
3. Safeguards for employee/relative personal information.
o Review vendor agreements - What data/information/protections.
o Assess with WISP in mind: (i) documented risk assessment, (ii) administrative, physical and technical safeguards/policies, (iii) data breach response plan, (iv) employee training.
Unauthorized use of, or access to, records or data containing personal information
o Personal Information (PI) typically includes
• First name (or first initial) and last name in combination with:
– Social Security Number
– Driver’s License or State identification number
– Account number or credit or debit card number in combination with access or security code
– Biometric Information (e.g. NC, NE, IA, WI)
– Medical Information (e.g. AR, CA, DE, MO, TX, VA)
o What type of PI do you have?
– Employees
– Customers
– Vendors
How breaches happen:
The lost laptop/bag.
Inadvertent access.
Data inadvertently put in the “garbage.”
Theft/intentional acts, hacking, phishing attacks, other intrusions.
Inadvertent email attachment(s).
Stressed software applications.
Rogue employees.
Remote access.
Wireless networks.
Peer to peer networks.
Vendors.
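The PI definition above is the test an incident responder applies when scoping a breach: a record is in scope only when a name is combined with one of the listed data elements, and some elements count only in certain states. The following Python is an added example written for this page, not code from UBA or Jackson Lewis; the field names (`first_name`, `ssn`, `access_code`, and so on), the sample records and the function names are this example's own assumptions, and the state lists are taken only from the slide's examples rather than from any statute.

```python
# Added example (not from the webinar): classify exported records against the
# "personal information" definition on the slide and scope a breach by state.
from collections import Counter

# State examples exactly as listed on the slide; real statutes vary and change.
BIOMETRIC_STATES = {"NC", "NE", "IA", "WI"}
MEDICAL_STATES = {"AR", "CA", "DE", "MO", "TX", "VA"}


def _has(record: dict, *keys: str) -> bool:
    """True when every named field is present and non-empty."""
    return all(record.get(k) not in (None, "") for k in keys)


def has_name(record: dict) -> bool:
    """Last name plus first name or first initial: the definition's anchor."""
    return _has(record, "last_name") and (
        _has(record, "first_name") or _has(record, "first_initial")
    )


def triggering_elements(record: dict) -> list:
    """Data elements that, combined with a name, make the record PI."""
    state = (record.get("state") or "").upper()
    found = []
    if _has(record, "ssn"):
        found.append("ssn")
    if _has(record, "drivers_license") or _has(record, "state_id"):
        found.append("drivers_license_or_state_id")
    # An account or card number counts only together with its access/security code.
    if _has(record, "account_number") and _has(record, "access_code"):
        found.append("account_number+access_code")
    # Biometric and medical data count only in the states the slide names.
    if _has(record, "biometric") and state in BIOMETRIC_STATES:
        found.append("biometric")
    if _has(record, "medical") and state in MEDICAL_STATES:
        found.append("medical")
    return found


def is_personal_information(record: dict) -> bool:
    """Name plus at least one triggering element; neither alone qualifies."""
    return has_name(record) and bool(triggering_elements(record))


def scope_breach(records: list) -> dict:
    """Count individuals whose PI is exposed and group them by state of
    residence, since some states require notice only to their residents."""
    pi = [r for r in records if is_personal_information(r)]
    return {
        "individuals": len(pi),
        "by_state": dict(Counter((r.get("state") or "").upper() for r in pi)),
        "elements": dict(Counter(e for r in pi for e in triggering_elements(r))),
    }


# Constructed sample export of an affected table; every value is made up.
SAMPLE_RECORDS = [
    {"first_name": "Ada", "last_name": "Lovelace", "ssn": "000-12-3456", "state": "CA"},
    {"first_initial": "B", "last_name": "Babbage",
     "account_number": "4000-0000-0000-0001", "state": "TX"},          # no access code
    {"first_name": "Chen", "last_name": "Wei", "account_number": "4000-0000-0000-0002",
     "access_code": "123", "state": "NY"},
    {"first_name": "Dana", "last_name": "Dubois",
     "biometric": "fp-template-001", "state": "CA"},                   # CA not on biometric list
    {"first_name": "Eli", "last_name": "Evans", "medical": "dx code", "state": "MO"},
    {"ssn": "000-98-7654", "state": "CA"},                              # identifier without a name
    {"first_name": "Gia", "last_name": "Garcia", "drivers_license": "D1234567", "state": "WI"},
]

if __name__ == "__main__":
    print(scope_breach(SAMPLE_RECORDS))
```

Of the seven constructed records only four are in scope: the account number without its code, the biometric template in a state the slide does not list, and the bare SSN with no name all drop out. The per-state count is what drives the "notice only to state residents" question that follows, and the element counts tell you which identifiers the notice letters must describe.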
Notice to consumers
o Some states require notice only to state residents
o Balancing test -- RISK OF HARM
o Some states require notice to all
o Some states have no balancing test, but there are sometimes ways to backdoor one.
Regulatory action
Remediation
Reputational Harm
Private Cause of Action
o Some states permit – AK, CA, LA, MD, MN, NH, NC, SC, TN, VA, WA
o Always regular tort law (intrusion into seclusion, public disclosure of private facts, false light, appropriation of name/likeness).
o All of the causes of action depend on the ability to show harm.
Fines, Penalties, Settlements:
o State Attorneys General
• Vary by state
– Multipliers: Michigan permits civil fines of not more than $250 per failure (each person), with a maximum of $750,000.
– Length of notification delay: Florida imposes fines when notification is not provided within the statute’s mandated time frame (45 days). Calculate the fine as $1,000 per day for the first 30 days, and $50,000 for each 30-day period thereafter, with a maximum fine of $500,000.
o Health and Human Services (HIPAA)
• Penalties and settlements in the millions of dollars
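The HIPAA timing rules given earlier (60 days from discovery for individuals, immediate HHS notice at 500 or more individuals, otherwise within 60 days of calendar-year end, substitute notice at 10 or more unreachable individuals) and the Florida late-notice fine schedule just above are the kind of rules a response team encodes so that deadlines are computed from the discovery date rather than remembered under pressure. The Python below is an added example written for this page, not code from UBA or Jackson Lewis; the `Breach` record, the function names and the constructed incidents are this example's own, it takes every figure (including the 45-day Florida window) exactly as the slides state it, and it assumes that a partial 30-day period of delay counts as a full one and that the breach occurred in the year it was discovered. Law-enforcement delays are not modelled.

```python
# Added example (not from the webinar): breach-notification deadlines and
# late-notice fine exposure computed from the figures stated on the slides.
from dataclasses import dataclass
from datetime import date, timedelta
from math import ceil

HIPAA_INDIVIDUAL_NOTICE_DAYS = 60    # not later than 60 days after discovery
HIPAA_HHS_IMMEDIATE_THRESHOLD = 500  # 500 or more individuals: notify HHS immediately
HIPAA_HHS_ANNUAL_LOG_DAYS = 60       # fewer than 500: within 60 days of calendar-year end
SUBSTITUTE_NOTICE_THRESHOLD = 10     # 10+ individuals with insufficient contact information
FLORIDA_NOTICE_WINDOW_DAYS = 45      # as stated on the slide
FLORIDA_DAILY_FINE = 1_000           # per day for the first 30 days late
FLORIDA_PERIOD_FINE = 50_000         # per 30-day period thereafter
FLORIDA_FINE_CAP = 500_000


@dataclass(frozen=True)
class Breach:
    """Constructed incident record; the field names are this example's own."""
    discovered: date        # date the breach was discovered
    affected: int           # individuals whose unsecured PHI was involved
    unreachable: int = 0    # affected individuals with insufficient contact information


def individual_notice_deadline(b: Breach) -> date:
    """Outer limit for individual notice (no law-enforcement delay modelled)."""
    return b.discovered + timedelta(days=HIPAA_INDIVIDUAL_NOTICE_DAYS)


def hhs_notice_deadline(b: Breach) -> date:
    """Immediately for 500+ individuals, otherwise within 60 days of the end of
    the calendar year (assumed to be the year of discovery)."""
    if b.affected >= HIPAA_HHS_IMMEDIATE_THRESHOLD:
        return b.discovered
    return date(b.discovered.year, 12, 31) + timedelta(days=HIPAA_HHS_ANNUAL_LOG_DAYS)


def substitute_notice_required(b: Breach) -> bool:
    """Website posting or major media notice once 10+ people cannot be reached."""
    return b.unreachable >= SUBSTITUTE_NOTICE_THRESHOLD


def florida_late_fine(days_late: int) -> int:
    """Fine for notice given `days_late` days after the 45-day window closes:
    $1,000/day for the first 30 days, then $50,000 per started 30-day period
    (assumption), capped at $500,000."""
    if days_late <= 0:
        return 0
    fine = min(days_late, 30) * FLORIDA_DAILY_FINE
    remaining = max(days_late - 30, 0)
    fine += ceil(remaining / 30) * FLORIDA_PERIOD_FINE
    return min(fine, FLORIDA_FINE_CAP)


def florida_exposure(b: Breach, notified: date) -> int:
    """Fine exposure if Florida residents are first notified on `notified`."""
    days_late = (notified - b.discovered).days - FLORIDA_NOTICE_WINDOW_DAYS
    return florida_late_fine(days_late)


def timeline(b: Breach) -> dict:
    """The dated obligations for one incident, as ISO date strings."""
    return {
        "individual_notice_by": individual_notice_deadline(b).isoformat(),
        "hhs_notice_by": hhs_notice_deadline(b).isoformat(),
        "substitute_notice": substitute_notice_required(b),
    }


def demo() -> dict:
    """Two constructed incidents discovered on the same day: one above and one
    below the 500-individual HHS threshold, plus the cost of a 100-day delay."""
    discovered = date(2015, 2, 2)
    large = Breach(discovered, affected=1200, unreachable=25)
    small = Breach(discovered, affected=120, unreachable=3)
    return {
        "large": timeline(large),
        "small": timeline(small),
        "florida_fine_day_100": florida_exposure(large, discovered + timedelta(days=100)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The two incidents share a discovery date but land on different HHS deadlines: the large one is reportable at once, the small one rolls into the annual log due 60 days after 31 December (which, because 2016 is a leap year, falls on 29 February). The fine function shows why delay is the expensive variable: at 55 days past the Florida window the exposure is already $80,000, and the cap is reached well before a year has passed.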
Regulators require them of financial, health and other “critical infrastructure” businesses
Can create a defense in the event of a breach –think “Ellerth/Farragher”
New regulatory actions say Board of Directors can be liable if it does not intentionally accept or reject residual risk
Risk assessments are not pleasant for clients. We often find +100 failures to meet ISO standards. But, as with a colonoscopy, better to detect the problem when it is treatable than find it when it is too late.
Have taught clients how to monetize their risk assessment.
Involve key stakeholders.
Understand your organizational risks, including vendors.
Educate all employees as appropriate.
Identify outside support – forensic investigators, legal counsel, media relations, fulfillment and call center services.
Develop high-level plan, have sample communications ready, conduct “breach drills.”
3 critical phases:
1. Discovery;
2. Notification and response process (if needed);
3. Review and evaluate to avoid future incidents.
*TIME MATTERS.*
Discovery: stop the bleeding… first steps:
o Dust off your breach response plan — hopefully you have one;
o Immediately alert data breach response team, counsel, and insurance carrier, if applicable;
o Take steps to secure information systems;
o What happened? (is this a breach?);
o Coordinate with law enforcement, as needed;
o Identify key person to monitor and drive team progress;
o Involve top management, public relations;
o Make preliminary assessments and consider preliminary actions, notices;
o Consider implementing litigation hold.
Notification and response:
o Who must be notified?
o What should notice say/who approves?
• Some states have content requirements.
o When and how to deliver notice?
o Is credit monitoring service required?
o Call center/script.
o Returned mail & substitute notice provisions.
o Responding to inquiries.
o Document, document, document.
Review and assess:
o Why did the breach occur?
o Amend and implement updated policies and procedures as appropriate, such as training;
o Document post-breach considerations and remedial steps taken, if any;
o Document why breach not reported (see, e.g., FL, HIPAA).
Other Key Features:
o Private cause of action:
• Some states permit — AK, CA, LA, MD, MN, NH, NC, SC, TN, VA, WA.
o Fines, penalties, settlements.
o Published notices.
Think about:
o The industry(ies):
• Healthcare, professional (accounting, law), finance, insurance, retail, government . . .
o The information vendor handles:
• SSN, DL #s, credit card, medical . . .
o Where services are performed - What laws apply.
o How critical data security is to reputation.
o Technology at play.
Confidentiality
o The Vendor shall maintain any Protected Information in confidence to be used solely for purposes of performing the [services] under this Agreement.
Compliance with Applicable Law
o The Vendor shall comply in all respects with all international, federal, state and local privacy and data security laws, regulations and ordinances (“Government Regulations”) relating to the access, creation, maintenance, use, processing, disclosure, retention or destruction of all Protected Information to which such Government Regulations apply.
Safeguards
o The Vendor shall use appropriate safeguards to prevent any access, use or disclosure of Protected Information other than as permitted under this Agreement, which shall include but not be limited to administrative, physical and technical safeguards as necessary and appropriate to protect the confidentiality, integrity and availability of Protected Information.
Breach
o Vendor agrees to immediately report to the Company any “Breach of Protected Information” which refers to any and all incidents of unauthorized access, acquisition, use, modification, disclosure or destruction of Protected Information by Vendor, its employees, agents, subcontractors, or affiliates, that is known to Vendor and whether or not harm is likely to result.
Indemnification and cyber insurance
It’s the greatest, happiest, best invention of the last 10 years
The market
What it covers and what it doesn’t cover
To obtain a recording of this presentation, or to register for future presentations, contact your local UBA Partner Firm.
Thank you for your participation in the UBA Employer Webinar Series
If your question was not answered during the webinar or if you have a follow-up question, you can email the presenters today or
tomorrow at: [email protected]
www.UBAbenefits.com www.jacksonlewis.com