2/27/2013
HIPAA Regulations Webinar Series:
Breach Notification and Penalties
Presented by
Stephanie A. Cason and Anthony R. Miles
Stoel Rives Health Care Group
HIPAA Regulations Webinar Series – Wednesday, February 27, 2013
Breach Notification and Penalties
Agenda
• Background
• Changes to Breach Notification Rule
• New Investigation and Enforcement
Standards
• Penalties
• Liability Exposure
• Questions
Background
• Section 13402 of the Health Information
Technology for Economic and Clinical
Health Act (“HITECH”)
– First federal breach notification law
– Interim Final Rule in effect since September
2009. 74 Fed. Reg. 42740 (Aug. 24, 2009)
• Omnibus Rule alters and supplants
existing requirements
Breach Notification Rule
• Omnibus Rule compliance by September
23, 2013
• Basic requirements same as in HITECH
– Upon the “discovery” of a
– “Breach” of “unsecured” PHI
– Covered entities and business associates
must make required notifications
Definition of a Breach
• “Breach”
– Unauthorized acquisition, access, use,
disclosure of unsecured PHI
– In a manner not permitted by the HIPAA
Privacy Rule
– That compromises the security or privacy of
the PHI
New presumption
• An impermissible acquisition, access, use,
or disclosure of PHI is
• Presumed to be a reportable breach
• Unless the entity demonstrates that there
is a low probability that the PHI has been
compromised
Risk Assessment
• To demonstrate low probability that PHI was compromised
a documented risk assessment must be conducted
• Four mandatory factors
– Nature and extent of PHI involved
– The unauthorized person who used the PHI or to whom
the disclosure was made
– Whether the PHI actually was acquired or viewed
– The extent to which the risk to PHI has been mitigated
• Other factors may be considered—evaluation of overall
probability of risk
Risk Assessment
• Risk assessment must be
– Thorough
– Completed in good faith
– Reach reasonable conclusions
• OCR planning to issue risk assessment
tool to provide guidance
• Discretion to provide notification without
performing a risk assessment
No more Risk of Harm
• Interim final rule: “Compromise” the PHI
means a Risk of Harm
– Poses a significant risk of financial,
reputational, or other harm to the individual
– Controversial from the beginning
• Omnibus Rule: Risk of Harm abandoned
Risk Assessment
• OCR views the risk assessment as “more
objective”
• Type of analysis should not be new
• Yet many questions remain
– No definition of “compromise”
• Additional guidance forthcoming
Loss of the Exception
• Limited Data Sets that do not have ZIP
codes or dates of birth no longer excepted
from notification requirement
• Now subject to risk assessment
Burden of Proof
• Burden of proof is on the covered entity
and business associate
• Likelihood of increased incidents triggering
breach notification?
Breach Notification
• HITECH provided for covered entities and
business associates to make mandatory
notifications (from BAs to CEs and from CEs to
the media and/or Secretary)
– Individual notice: no later than 60 days after discovery
of Breach
– Media notice: Breach affecting more than 500
residents of a State or jurisdiction
– Secretary notice: Breach affecting 500 or more unique
individuals
Breach Notification
• Notification to HHS of breach affecting
fewer than 500 people
– Within 60 days of the end of the calendar year
in which the breach was discovered (not
occurred)
– Considering a less burdensome submission
system
Breach Notifications To Date
• 525 reports involving over 500 individuals
• Over 64,000 reports involving under 500 individuals
• Top types of large breaches
– Theft
– Unauthorized access/disclosure
– Loss
• Top locations for losses
– Laptops/portable devices
– Paper records
– Desktop computers
INVESTIGATIONS AND ENFORCEMENT
Background
• Section 13410 of HITECH
– Made several changes to enforcement of HIPAA as
provided in original statute and enforcement rule
• Interim Final Rule for Enforcement 74 Fed. Reg.
19006 (Oct. 30, 2009) initially implemented
changes
• Omnibus rule makes additional changes to
current provisions
Investigations
• Investigating agencies:
– HHS Office for Civil Rights
– State attorneys general
– U.S. Department of Justice
• Process
– Complaint
– Compliance review
– Breach report
HHS Audits
• HHS started an audit process in 2011
– Final protocol posted online looks at privacy,
security, and breach notification
– Future audits may be more focused
• HHS indicated that future audits will include
business associates
• HHS has indicated that audits generally will not
lead to formal enforcement
HHS Audits
• Completed Audits of 115 entities
– 61 Providers, 47 Health Plans, 7 Clearinghouses
• Total 979 audit findings and observations
– 293 Privacy
– 592 Security
– 94 Breach Notification
• Smaller entities struggle with all three areas
• Still assessing need to follow up on individual auditees
Audit & Enforcement Linkages
• Frequent Fliers
– Entities that show up multiple times on
published breach listing (>500 individuals)
– Likely will be referred for audit
• Willful Neglect
– Evidence of willful neglect found during audit
will lead to investigation and enforcement
– E.g., no Security P&P or risk assessment
HONI Case
Enforcement
• HITECH increased penalties for HIPAA
violations and added formal investigations
in certain cases
• 4 categories of violations that reflect
increasing levels of culpability and
corresponding civil penalties
• Criminal penalties may also apply
Levels of Culpability
• No knowledge or with reasonable diligence:
– CE/BA did not know and by exercising reasonable
diligence would not have known of violation
• Reasonable cause:
– CE/BA knew, or by exercising reasonable diligence
would have known of violation
– Has reasonable excuse for noncompliance
• Willful neglect: Conscious, intentional failure or
reckless indifference to be compliant
Willful Neglect
• OCR will investigate all cases of possible
willful neglect
• OCR will impose penalties on violations
due to willful neglect
HHS Civil Penalties
• No knowledge/reasonable diligence: $100 - $50,000
• Reasonable cause: $1,000 - $50,000
• Willful neglect:
– Was timely corrected: $10,000 - $50,000
– Was not timely corrected: $50,000 +
• Yearly max for same violation: $1,500,000
Factors Considered In Enforcing Penalty
• Nature and extent of any violation, including
number of individuals affected and duration
• Nature and extent of any individual’s resulting
physical, financial, or reputational harm,
including any hindrance to the individual’s ability
to obtain healthcare
• History of prior noncompliance
• Financial condition of the offending party
• Other matters as justice may require
State Attorney General Civil Penalties
• Up to $100 per violation
• Up to $25,000 per calendar year for all
violations of an identical provision
• Attorneys’ fees
• Likely to combine with charges under state
law
• May not adhere to HHS guidance
Criminal Penalties
• Department of Justice (knowingly obtaining or
disclosing PHI in violation of HIPAA)
– $50,000 and/or up to one year imprisonment
– $100,000 and/or up to five years imprisonment if false
pretenses
– $250,000 and/or up to ten years imprisonment if
commercial advantage, personal gain, or malicious
harm
• A criminal penalty, if imposed, is the only affirmative defense to a civil money penalty (CMP)
Other Changes
• Greater OCR discretion to proceed directly
to penalties without seeking informal
resolution
• Vicarious liability for business associate
agents
• Factors impacting CMP calculation
Who is Liable?
• Covered entity liable for acts of agents
– Workforce members
– Agents who are business associates,
regardless of whether BAA in place
• Business associate also liable for acts of agents
– Workforce members
– Agents who are Subcontractors
Who is Liable?
• Agents
– Subject to Federal common law on agency
– Does the covered entity or business associate
have authority to control conduct in the course
of its performance?
– Does the covered entity or business associate
have authority to provide instructions or
directions?
Enforcement As of End of 2012
Enforcement: Resolution Agreements
• Five Resolution Agreements and Corrective
Action Plans Negotiated in 2012 ($4.85 million)
• HHS expects continued growth and emphasis on
significant cases – remain small proportion of all
the cases they look at
• Enforcement of compliance with the new provisions
begins after September 2013; existing provisions not
subject to change continue to be enforced in the
meantime
Other Considerations
• FTC breach notification and enforcement
– Applicable to PHRs
• State breach notification requirements
– Attorney General/Regulatory Notification
– Varied definitions of covered information
– Look for exceptions to requirements
• Encryption
• Current employee
Incident Response Preparedness Checklist
• Employees trained to report suspected incidents immediately
• Reporting up the chain to Privacy Office
• Rapid response team designated in advance
• Ability to quarantine affected systems and image for analysis
• Protocol for retracting improper communications
• Protocol for interviewing individuals involved
• Assigned responsibility for risk assessment and standard protocol
• Advance arrangements for notification assistance (e.g., mailing, call center) & credit monitoring
Incident Response Checklist
• Quarantine or image affected systems
• Interview involved personnel
• Identify scope of affected information and individuals
• Perform risk assessment to determine whether data “compromised”
• Document process and analysis
• Review state law and other requirements for other responsibilities
• Initiate notification procedure, if appropriate
• Initiate corrective action plan and document
• Violation found? Remediate within 30 days or ASAP
• Train employees on changes
Resources
• Final Omnibus Rule
– https://www.federalregister.gov/articles/2013/01/25/2013-01073/modifications-to-the-hipaa-privacy-security-enforcement-and-breach-notification-rules-under-the
• HHS-OCR HIPAA FAQ Responses
– http://www.hhs.gov/ocr/privacy/hipaa/faq/index.html
• OCR HIPAA Audit Protocol
– http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html
• OCR HIPAA Enforcement Activities & Results
– http://www.hhs.gov/ocr/privacy/hipaa/enforcement/index.html
Questions
Stephanie Cason
Associate
STOEL RIVES LLP
900 SW 5th Avenue, Suite 2600
Portland, OR 97204
Direct: (503) 294-9868
sacason@stoel.com

Anthony R. Miles
Partner
STOEL RIVES LLP
600 University Street, Suite 3600
Seattle, WA 98101
Direct: (206) 386-7577
armiles@stoel.com