Breach Under the HITECH Act - Pennsylvania Homecare Association

The Emerging Law of Data Security
PENNSYLVANIA HOMECARE ASSOCIATION
HEALTHCARE OVERVIEW
Matthew Meade, Data Security & Privacy Group
© Copyright 2010 Buchanan Ingersoll & Rooney
OVERVIEW

Why Does This Matter?
Recent Data Breaches
Recent Enforcement Actions
Statistics & Recent Cases
The Law
– HITECH Act
– FTC Act
– State Data Breach Laws
WHY DOES THIS MATTER?

Data breaches are costly
Data breaches erode trust and create negative publicity
With the passage of the HITECH Act there is increased focus on healthcare data security
The rush to convert to EHR to get stimulus incentives has come at the expense of data security
13.7% of all recent breaches occurred in the healthcare sector – a popular target of hackers
41.5% of hospitals have 10 or more breaches a year
WHY DOES THIS MATTER? (2)

Recent CNN Money Article – “Healthcare: A 'goldmine' for fraudsters”
“We hope the health care industry will take a close look at this agreement and recognize that OCR is serious about HIPAA enforcement. It is a covered entity’s responsibility to protect its patients’ health information.” Georgina Verdugo, the Director of OCR (2/22/11)
WHY DOES THIS MATTER? (3)

March 2011 – 2-day instructor-led HIPAA Enforcement Training to help State Attorneys General and their staff use their new authority to enforce the HIPAA Privacy and Security Rules. The training course will aid State Attorneys General in investigating and seeking damages for HIPAA violations that affect residents of their states.
Recent Data Breaches
Family Planning Council

4/8/11 – Announcement that a computer storage device containing the personal and medical records of about 70,000 patients was stolen in December and remains missing.
Theft blamed on a former worker whose employment ended 12/28/10, the day the theft was discovered and reported to police.
The former employee has an extensive criminal record, and has been in and out of prison for the last two decades on multiple convictions of theft and other offenses.
Recent Data Breaches
Dental Practice

4/11/11 – Dentist left non-shredded PHI in a publicly accessible trash can.
Documents found by a man looking for scrap metal who called local news because he was concerned someone could use them to steal the patients’ information.
Dentist said the documents were likely sitting in a box waiting to be shredded and that a new office assistant might have accidentally thrown them out with the trash.
Recent Breaches
CVS

3/7/11 – Philadelphia Federation of Teachers Health and Welfare Fund sued CVS alleging that its unauthorized disclosure of PHI was an unfair trade practice.

CVS sent letters to physicians that listed their patients’ names, dates of birth and prescribed medications. The letters encouraged the physicians to prescribe drugs made by pharmaceutical manufacturers, who paid CVS to send them.

This purported disclosure of PHI would violate the HIPAA Privacy Rule’s prohibitions against disclosing PHI for marketing purposes without an individual’s authorization.
Recent Enforcement Actions
Cignet Health

2/22/11 – HHS issued a notice of final determination finding that Cignet violated the HIPAA Privacy Rule, and imposed a fine of $4.3 million. First time HHS had imposed a civil monetary penalty for an entity’s violation of the HIPAA Privacy Rule.

HHS determined that Cignet violated 41 patients’ rights by denying the patients' requests for access to their medical records between September 2008 and October 2009.

Cignet refused to respond to demands to produce records, failed to cooperate with the investigation, and failed to produce records in response to a subpoena.
Recent Enforcement Actions
Health Net

Connecticut: (January 2010)
– AG sued Health Net for failing to secure private patient medical records and financial information of 446,000 CT residents on 27.7 million scanned pages
– First state AG action under HITECH Act
– SAG criticized Health Net for its “unconscionable” delay of over 6 months to identify victims
– Data was not encrypted or otherwise protected
– Failure to supervise and train employees
Recent Enforcement Actions
Health Net

7/10 Stipulated Judgment: Health Net to pay $250,000 to the Connecticut General Fund, with another $500,000 contingent payment to Connecticut if a third party determines, before 11/30/11, that any data on the missing disk was accessed and misused or any claims are made on the third party’s insurance policy linked to misuse of the lost disk drive.
Recent Enforcement Actions
Health Net

Corrective Action Plan
– 2 years of credit monitoring service
– Enhancing existing security and privacy program
– Installation of technology to restrict the transfer of PHI and PI to removable media
– Encryption of all laptop hard drives and all desktop hard drives
– Improved IT oversight, including the creation of an “Information Security Analyst” assigned to each new IT project with assessment duties, reporting directly to Health Net's Manager of Information Security
– Requiring all “Business Associates” to execute HIPAA-compliant “Business Associate Agreements”
– Enhanced training and awareness, including holding an annual “Compliance Awareness Week” for all employees to “emphasize the importance of protecting the privacy and security of PHI”
– Providing semi-annual updates to its initial status report to the Connecticut Attorney General
Recent Enforcement Actions
Health Net

11/8/10 – Connecticut Insurance Commissioner announced that Health Net had agreed to pay $375,000 in penalties for failing to safeguard the personal information of its members from misuse by third parties.
The penalties were part of a settlement agreement reached with Health Net pursuant to which Health Net agreed to provide credit monitoring protection for two years to all affected members and providers in Connecticut.
Health Net also agreed that the costs related to improvements in data and equipment security it made in response to the data breach will not be passed along to Health Net members.
Recent Enforcement Actions
Mass General

2/24/11 – HHS announces $1,000,000 Resolution Agreement for HIPAA violations that stemmed from the loss of hard copy patient records for 192 patients left on a subway in March 2009. The records originated from Mass General’s Infectious Disease Associates outpatient practice and included sensitive records discussing patients’ treatments for HIV/AIDS.

OCR determined that Mass General had “failed to implement reasonable, appropriate safeguards to protect the privacy of PHI when removed from Mass General’s premises and impermissibly disclosed PHI potentially violating provisions of the HIPAA Privacy Rule.”

Corrective Action Plan which requires Mass General to:
– develop and implement a set of policies and procedures to ensure PHI is protected when it is removed from Mass General;
– train employees on the policies and procedures; and
– designate an internal monitor to conduct assessments of Mass General’s compliance with the Corrective Action Plan and provide semi-annual reports to OCR for three years.
Statistics – Cost of a Stolen or Lost Employee Laptop

Average cost of a lost laptop is $49,246
– Occurrence of data breach represents 80% of this cost
Average data breach cost of a lost laptop varies by industry
– Services ($112,853); Financial Services ($71,820) and Healthcare ($67,873) suffer from the highest data breach costs
Backup and encryption methods affect the average cost of a lost laptop
– Average cost is about $30,000 more when there is a full backup system
  – The backup makes it easier to confirm loss of sensitive or confidential data
– Encryption can reduce the cost of a lost laptop by more than $20,000
5 Leading Causes of Security Breaches

Negligent and intentional employee behavior
Lost or stolen devices, e.g., laptops
System glitches
Malicious or criminal attack
Third party mistake
Recent Cases
Pacosa v. Kaiser Foundation

Physician assistant (PA) who took intermittent leave under the FMLA to care for his wife’s clinical depression. PA signed a number of confidentiality agreements, which prohibited him from accessing his own health records or the health records of his family or friends on Kaiser Permanente’s proprietary medical records system unless he had specific authorization from the patient and the access was approved. An additional confidentiality policy prohibited him, as an employee, from accessing any protected health information records except where related to his job.

Kaiser’s Compliance Department received a series of phone calls from his wife, who informed it that PA had accessed her medical records without authorization and that he was using the information to obtain a restraining order against her.

Compliance Department’s investigation revealed access to his wife’s records without authorization, and further access and editing of his daughter’s records as if he were the treating medical provider, all while he was on alleged FMLA leave. He was fired for violating the confidentiality policy.

PA sued Kaiser, alleging multiple state and federal statutory violations, including that his termination interfered with his leave rights under the FMLA. Case dismissed – no issue of material fact that PA violated confidentiality policies, which was the reason for his termination rather than any FMLA violation.
Recent Cases
Indictment

3/15/11 – Indictment of twelve defendants charged for their parts in an identity theft and bank fraud scheme has been unsealed. Two of the defendants, who worked for HIPAA-covered entities in Florida, have also been charged with HIPAA violations.
An office assistant with access to patients’ names, dates of birth, Social Security numbers, and medical information provided that information to others in the fraud/ID theft ring.
HITECH Act of 2009

Health Information Technology for Economic and Clinical Health Act (enacted as part of the stimulus bill in February 2009)
HITECH Act Regulations

Codified at 45 CFR pts 160, 164
Applies to HIPAA covered entities and their business associates
Effective date 9/23/09
2/22/10 – HHS can impose sanctions for noncompliance
HITECH Highlights

HIPAA covered entities must provide affected individuals with notice of a breach of their unsecured PHI within 60 days
Covered entity must evaluate the risk of harm of the breach before providing notice
Notice must include a brief description of the event, the PHI involved and the steps to take to protect from future harm
HITECH Highlights (2)

If breach involves more than 500 individuals, covered entity must notify the media as well as HHS
If breach involves fewer than 500 individuals, it must be reported to HHS annually
As of 4/13/11, 257 incidents involving more than 500 people had been reported to HHS
Breach Under the HITECH Act

Unauthorized acquisition, access, use or disclosure of unsecured PHI in a manner not permitted by the Privacy Rule
Compromises the security or privacy of the PHI
Poses a significant risk of financial, reputational or other harm
What is Secured PHI

HIPAA Security Rule encryption standard
Hard copy PHI must be shredded so that it is unreadable or cannot be reconstructed
Encryption under the HHS guidance is a safe harbor and no notice would be required in the event of unauthorized access
Redaction NOT ACCEPTABLE
Not a breach under HITECH Act

Unintentional good faith acquisition, access or use of PHI (e.g. nurse mistakenly sends a billing employee an email with patients’ PHI);
Inadvertent disclosure of PHI from authorized person to another authorized person;
Unauthorized disclosures in which recipient would not have reasonably been able to retain PHI;
Access to secured PHI;
Use or disclosure of de-identified information.
Risk of Harm Threshold

Poses a significant risk of financial, reputational or other harm to the individual
Must conduct a written risk assessment
– Who used PHI and to whom was PHI disclosed
– Type, amount and sensitivity of the PHI involved
– Whether the covered entity has taken immediate steps to mitigate
– Whether PHI was returned prior to access
HHS Issues Breach Notice Form

http://transparency.cit.nih.gov/breach/index.cfm
The on-line form includes all of the elements required by the HITECH Act and the related HHS breach regulations. The form also requires covered entities to include contact information for a business associate (where the breach occurred at or by the business associate), the type of breach, the location of the breach, safeguards in place prior to the breach, and the date(s) individual notifications were provided.
Notice under the HITECH Act

The 60-day period begins when the breach is discovered or should have been discovered through the exercise of reasonable diligence
If breach is discovered by an agent of a CE it is considered discovered by the CE
Administrative Requirements

Training
Policies and procedures to detect, discover and report breaches
Complaint process
Notice by Business Associates

BA is responsible for notifying CE WITHOUT UNREASONABLE DELAY AND WITHIN 60 DAYS OF DISCOVERY
Agreements with BAs should have a clear requirement for immediate notice
FTC Breach Notification Rule

Effective date 9/24/09 – Enforcement 2/22/10
The FTC final rule applies to vendors of personal health records, PHR-related entities, third-party service providers and non-profits.
HIPAA covered entities and business associates are excluded from the definition of PHR vendor and PHR-related entities.
Requires PHR vendors and PHR-related entities to notify consumers within 60 days following discovery of a breach involving unsecured identifiable health information that is in a personal health record.
Rule requires notice to the FTC within 10 business days of discovery of a breach involving 500 or more consumers. Notice of smaller breaches can be provided to the agency on an annual basis.
FTC Rule – PHR-Related Entities

Offer products and services through a PHR vendor’s website
Offer products and services through the websites of HIPAA covered entities that offer individuals’ PHRs
Access information in PHRs or send information to a PHR
Examples include web-based apps that manage meds and websites offering personalized health checklists
FTC Rule

No risk of harm threshold
Unlike HITECH regs – even if breach presents a minimal risk of harm the vendor is still required to give notice
Client Recommendations under HITECH and FTC Regulations

Possible modification of business associate contracts to ensure:
– prompt notice of breaches
– costs covered by BA for required notices
Develop Incident Response Plan
Create Training Module
Review document retention policies
Breach Notification Laws

As of May 17, 2010, forty-six (46) states and the District of Columbia and Puerto Rico have enacted security breach notification laws
Only AL, KY, NM and SD without breach laws
State Laws on Health Information & Privacy

Health information addressed in state breach laws:
– 6 states currently require notification for breaches of health information:
  California
  Arkansas
  New Hampshire
  Missouri
  Texas
  Virginia
– Biometric information: Wisconsin (Wis. Stat. § 134.98 (2008)) and Nebraska (R.R.S. Neb. § 87-802) expanded their breach laws to include a narrower category of health-related information: biometric information including DNA and fingerprints
QUESTIONS???

Matthew H. Meade
412 562 5271

matthew.meade@bipc.com
