
HHS’S HIPAA BREACH NOTIFICATION RULES WEBINAR

Sponsored By MISSISSIPPI HOSPITAL ASSOCIATION And Hosted by BALCH & BINGHAM LLP

Wednesday, November 11, 2009 10:00 a.m. – 11:30 a.m.

2

HITECH Revisions - Breach Notification

• Description of Breach Notification Requirements – Pre-HITECH
• Breach Notification – Interim Final Rule Provisions – August 24, 2009
  – Guidelines for Risk Analysis
• HITECH Revisions to Enforcement and Penalties
• FIVE Things CEs Need to Do to Comply with the HITECH Breach Notification Rules
• Breach… or No Breach


HITECH Revisions - Breach Notification

Pre-HITECH:

– No requirement that CE notify anyone (including individual or OCR) of PHI or ePHI breach
– BA could be contractually required to notify CE


HITECH Revisions - Breach Notification – Interim Final Rule

Interim Final Rule implementing HITECH Breach Notification Provisions
– August 24, 2009
– Effective September 23, 2009
– Comments due October 23, 2009
– Implements Section 13402 of HITECH
– Includes comments to RFI in April 27, 2009 guidance
– Adds new subpart D to Part 164, Title 45 of CFR
– Applicable to HIPAA CEs and BAs
– Drafted to harmonize with FTC rules applicable to PHR vendors
– HHS will use enforcement discretion not to impose sanctions for failure to provide notice until February 22, 2010
– OCR to issue FINAL RULE; may revise Interim Final Rule based on comments received


HITECH Revisions - Breach Notification – Interim Final Rule

Scope of Notification Requirements

– Applies to Privacy Rule breaches involving both electronic and paper records
– “Breach” means the unauthorized acquisition, access, use or disclosure of PHI which compromises the security or privacy of such information (45 C.F.R. § 164.402)


HITECH Revisions - Breach Notification – Interim Final Rule

Exceptions to “Breach” Definition

– Unintentional access to PHI by workforce member or other individual acting under the authority of a CE or BA if:
  • Good faith access and within the scope of authority of CE/BA; and
  • Information not further acquired, accessed, used or disclosed by such person in manner not permitted by Privacy Rule
– Inadvertent disclosure by person authorized to access CE’s or BA’s PHI to another similarly situated person at same CE, BA or OHCA, and PHI not further used in manner not permitted by Privacy Rule
– Disclosure of PHI to unauthorized person if CE/BA has good faith belief that such person could not reasonably be able to “retain” such information


HITECH Revisions - Breach Notification – Interim Final Rule

Risk Analysis to Determine Requirement for Breach Notification – Three-step process by CE and/or BA

– Step One: Determine whether an impermissible use or disclosure of unsecured PHI under the HIPAA Privacy Rule occurred
– Step Two: Perform a risk assessment to determine and document whether a significant risk of financial, reputational or other harm to an affected individual has occurred
– Step Three: Determine whether the incident is excluded from the definition of breach because it satisfies a statutory exception set forth in the Act and interim final rule


HITECH Revisions - Breach Notification – Interim Final Rule

Guidelines for Risk Analysis

– Review federal and state statutory and regulatory requirements
  • Each Privacy Rule violation does not necessarily constitute a breach requiring notification under HIPAA
  • But, a Privacy Rule violation may also constitute a state law violation
  • Because there is no mandatory requirement to make the various notifications, documentation of the risk analysis becomes more important
– OCR will review the documentation with 20/20 hindsight
– CEs and BAs must balance mitigation of harm to the individual with concerns of worrying the individual unnecessarily


HITECH Revisions - Breach Notification – Interim Final Rule

Guidelines for Risk Analysis (cont’d)

– Investigate the incident
  • To whom was the PHI disclosed?
  • Why did the individual use, access, or disclose the PHI?
  • What type of PHI was impermissibly used or disclosed?
  • Did the PHI reflect the type of services the individual received?
  • Was risk of identity theft involved?
  • What amount of PHI was impermissibly used or disclosed?
  • Did the CE or BA take steps to mitigate the impermissible use or disclosure?
  • Who is the individual/patient?
  • Was PHI used/disclosed in the form of a limited data set?


HITECH Revisions - Breach Notification – Interim Final Rule

Guidelines for Risk Analysis (cont’d)

– Based on investigation, determine whether the individual has encountered financial, reputational or other harm
  • Identify nature of potential harm and evidence of harm
  • Recipient of PHI may impact risk of harm
  • Ability to retrieve PHI and intent of PHI recipient may impact analysis
  • Remember 20/20 hindsight rule
– What action must individual take?
  • Cancel credit card? Notify credit agencies? Contact FTC or State Consumer Protection Agency?
  • Request physical protection?
  • Prepare for life insurance rejection? Job loss? Problematic domestic relationships?
– How will notice by CE impact individual?
  • Will CE’s or employer’s trust be diminished?
  • Alternatively, would that trust be diminished if notice is not provided?
  • Will individual find out through someone other than CE?


HITECH Revisions - Breach Notification – Interim Final Rule

Guidelines for Risk Analysis (cont’d)

– Burden of Demonstrating No Breach Occurred on CE and/or BA – Section 164.414
  • Documentation is critical to proving impermissible use or disclosure did not pose significant risk of harm to individual and therefore no notification required
  • If using narrow exception for limited data set PLUS, document that lost PHI did not include identifiers mentioned in 164.402(1)(ii)


HITECH Revisions - Breach Notification – Interim Final Rule

Unsecured PHI Guidance

– HITECH defines “Unsecured PHI” as PHI not secured through use of technology or methodology required in HHS guidance to render PHI “unusable, unreadable or indecipherable to unauthorized individuals”
– HHS issued guidance April 27, 2009, identifying two methods to secure and render PHI unusable, unreadable or indecipherable to unauthorized individuals:
  • encryption and destruction
– HHS update of guidance required annually


HITECH Revisions - Breach Notification – Interim Final Rule

Unsecured PHI Guidance (cont’d)

– Clarified meaning of “data” – in motion, at rest, in use and disposed

Encryption:

– Successful use depends upon strength of encryption algorithm (computer program) and security of the decryption key or process
– Two approved processes:
  • For data considered to be “at rest” – NIST Special Pub 800-111, Guide to Storage Encryption Technologies for End User Devices
  • For data considered to be “in motion” – Federal Information Processing Standards (FIPS) 140-2
  • Exhaustive methods, not illustrative

Destruction:

– PHI in written form will be “secured” if materials shredded or destroyed and PHI cannot be read or otherwise reconstructed
– PHI in electronic form will be “secured” if information cleared, purged or destroyed consistent with NIST Special Pub 800-88, Guidelines for Media Sanitization, such that PHI cannot be retrieved


HITECH Revisions - Breach Notification – Interim Final Rule

Encryption of electronic patient information

– Portable storage media (CDs, DVDs, tapes, thumb drives)
– Portable devices (laptops, minis, PDAs, I-Phones, I-Pods, cameras)
– Desktop PCs, servers, NAS, SAN, midranges, mainframes
– Communication (email, SMS, MMS, IM, VOIP)
– Techniques
  • Full disk encryption
  • Virtual disk and volume encryption
  • File and folder encryption
  • Message encryption
  • Network encryption
– NIST Special Publication 800-111 (rest), FIPS 140-2 (motion)

Types of Encryption (figure; source: NIST Special Publication 800-111)

HITECH Revisions - Breach Notification – Interim Final Rule

Updated HHS Guidance on Securing PHI

– In the preamble to the regulations for breach notification, HHS updated its guidance on “securing” PHI.

– HHS:
  • Rejected access controls, such as firewalls, as a method for securing PHI.
  • Rejected redaction as a means of securing PHI, and clarified that only the destruction of paper PHI will render that PHI secure.
  • Clarified that encryption keys must be kept on a separate device from the data that they encrypt or decrypt.
  • Reiterated its reliance on certain NIST standards as meeting the encryption standards required to secure PHI.


HITECH Revisions - Breach Notification – Interim Final Rule

Discovery of Breach – Section 164.404(2)

– On first day that known or by exercising reasonable diligence could have been known (except by person committing breach) to CE or BA
– CE/BA “deemed” to know when breach known or by exercising reasonable diligence could have been known to any workforce member or CE agent
– Meaning of “agent” determined by federal common law of agency


HITECH Revisions - Breach Notification – Interim Final Rule

Discovery of Breach – Section 164.404(2): Impact of Agency Relationships on CEs

– When CE delegates certain administrative duties to a contractor or service provider (or BA), agency relationship very likely exists
– If low-level employee of such service provider learns of potential security incident but fails to report, service provider may be “deemed” to have “discovered” breach
  • If the service provider is an agent of the CE, that discovery could be imputed to CE immediately and would begin time frame required for notice, whether or not CE actually knows of breach


HITECH Revisions - Breach Notification – Interim Final Rule

Discovery of Breach – Section 164.404(2): Federal Common Law of Agency

• “Agency” is used to describe the relation created as a result of the conduct of two parties manifesting that one party (principal) is willing for the other (agent) to act for him subject to his control, and the other consents to so act
• “Principal” used to describe person/entity who has authorized another to act on his account and subject to his control
• “Agent” used to describe person/entity authorized by another to act on his account and under his control

Required factual elements:
• Manifestation by principal that agent act for him;
• Agent’s acceptance of the undertaking; and
• Understanding of the parties that the principal is to be in control of the undertaking


HITECH Revisions - Breach Notification – Interim Final Rule

Notice to Individuals – Section 164.404 (written notice, substitute notice, urgent notice)

– CEs must notify individuals if “unsecured PHI” has been, or is reasonably believed to have been, accessed, acquired, used or disclosed as a result of a “breach”
  • Sent via first class mail unless the individual has specified a preference
  • If insufficient or out-of-date information for individual or if notice is returned undeliverable, CE must provide substitute notice
  • If fewer than 10 individuals involved, notice may be by phone or other means
  • If 10 or more individuals involved, notice must be by conspicuous posting for 90 days on CE Web site or in major print or broadcast media where affected individuals reside
    – Must include toll-free phone number active at least 90 days
  • Notice must be reasonably calculated to reach individual
  • If possibility of imminent misuse of unsecured PHI, notice required by telephone or other appropriate notice plus written notice


HITECH Revisions - Breach Notification – Interim Final Rule

Timing of Notice to Individuals by CE – Section 164.404(b)

• Must be made without unreasonable delay and in no case later than 60 calendar days after unsecured PHI breach discovery

Content of CE Notice to Individual – Section 164.404(c)

– The notice must include:
  • Description of breach (what happened, including date of breach)
  • Types of information involved (such as SS#, DOB, address)
  • Mitigation, investigation, protective steps by CE
  • Steps for individuals to take for protection
  • Contact information to ask questions or obtain more information (must include toll-free number, email address, Web site or postal address)


HITECH Revisions - Breach Notification – Interim Final Rule

Notice to Media – Section 164.406

– If breach involves unsecured PHI of more than 500 individuals in state or jurisdiction, CE must notify prominent media outlets
– Notice must be given without unreasonable delay and no later than 60 calendar days after breach discovery
– Depending on the circumstances, an appropriate media outlet may include a local television station or a major general interest newspaper with a daily circulation throughout an entire state

Notice to Secretary – Section 164.408

– If breach involves unsecured PHI of more than 500 individuals
  • Immediately, meaning without unreasonable delay and no later than 60 calendar days after breach discovery
  • CEs listed on HHS Web site
– If breach involves unsecured PHI of fewer than 500 individuals
  • CEs must maintain log of breaches and submit annual report of breaches to Secretary
  • Date for submission will be identified on HHS Web site and will be no later than 60 days after end of each CY

Report to Congress

– HHS must annually report breaches to Congress


HITECH Revisions - Breach Notification – Interim Final Rule

Notice by BA – Section 164.410

– Required to notify CE of unsecured PHI breach following discovery
– Discovery of Breach
  • Discovered on first day that known or by exercising reasonable diligence would have been known to BA
  • Deemed knowledge if breach known or by exercising reasonable diligence would have been known (except to person committing breach) to BA employee, officer or other agent (determined by federal common law)
– Timing of Notice
  • Without unreasonable delay and no later than 60 days after breach discovery
– Content of Notice
  • To extent possible, identity of each individual whose unsecured PHI has been or is reasonably believed to have been accessed, acquired, used or disclosed
  • Must give CE any other available information that CE must include in notice to individual within timing requirements and as promptly thereafter as information becomes available


HITECH Revisions - Breach Notification – Interim Final Rule

Law Enforcement Delay – Section 164.412

– Notice by CE/BA delayed if law enforcement official states notice/posting would impede criminal investigation or cause harm to national security
  • If statement is in writing and states time frame for delay, notice must be delayed until the stated date
  • If oral statement, CE/BA must document statement and identity of official and delay notice not longer than 30 days from date of oral statement (unless written statement received during that time)
– Definition of Law Enforcement Official
  • Moved to Section 164.103 (now applicable for both Privacy Rule and Breach Notification Rule)


HITECH’s Revisions to Enforcement and Penalties

Pre-HITECH Privacy Rule:

– Enforcement
  • Through OCR – civil penalties
  • Through DOJ – criminal penalties
– Civil Penalties
  • $100 per violation of Privacy Rule
  • $25,000 annual cap per violation
– Criminal penalties for knowing violation
  • $50,000 and one year
  • $100,000 and five years for obtaining under false pretenses
  • $250,000 and ten years for intent to sell or obtain commercial advantage
– Emphasis on voluntary compliance
– No private right of action
– State law breach of privacy still available


HITECH’s Revisions to Enforcement and Penalties

HITECH Revisions – Enforcement

• HHS, specifically OCR, must formally investigate any complaint of HIPAA violation if initial investigation indicates breach due to willful neglect – effective February 17, 2011
  – Required to impose CMP if willful neglect found
  – OCR will perform audits of CEs and BAs (probably not random onsite visits) – beginning February 2010
• Effective February 17, 2009 – State attorneys general may bring civil actions in federal court for HIPAA violations
  – HHS may intervene
  – AGs may seek injunction or damages
  – Only if HHS has not initiated lawsuit


HITECH’s Revisions to Enforcement and Penalties

Penalties (As per statute and October 30, 2009 Interim Final Rule)

• Applicable to CEs – February 18, 2009
• Applicable also to BAs – February 17, 2010
• Original bases for civil enforcement retained with increased penalties
• Penalties based on intent – state of mind
• CMPs collected transferred to OCR for purposes of enforcing the Privacy and Security Rules
  – OCR will consult with GAO to develop system within 3 years to provide percentage of CMPs/settlement to individuals harmed
• Non-CEs (e.g., employees of CEs) may violate HIPAA if PHI maintained by CE is obtained or disclosed by person without authorization
  – Criminal penalties
  – Broad language


HITECH’s Revisions to Enforcement and Penalties

Penalties (cont’d):

• Applies a tiered approach to CMPs
• Unknown or with reasonable due diligence would not have known:
  – Not less than $100 or more than $50,000 for each violation, OR
  – In excess of $1.5 million for identical violations during a calendar year
• Reasonable cause that is not willful neglect:
  – Not less than $1,000 or more than $50,000 for each violation, OR
  – In excess of $1.5M for identical violations during a calendar year
• Willful neglect and violation corrected within 30 day cure period:
  – Not less than $10,000 or more than $50,000 for each violation, OR
  – In excess of $1.5M for identical violations during a calendar year
• Willful neglect and the violation not corrected within 30 day cure period:
  – Not less than $50,000, OR
  – In excess of $1.5M for identical violations during a calendar year


HITECH’s Revisions to Enforcement and Penalties

• Definition of “willful neglect”
  – Conscious intentional failure or reckless indifference to obligation to comply
• High standard
  – Deliberate act
  – Failure to train, failure to put in place compliance measures?


HITECH’s Revisions to Enforcement and Penalties

• Statements regarding penalties in Interim Final Rule
  – HHS will not impose maximum penalty amount in all cases
  – HHS will base penalties on nature and extent of violation, on resulting harm and on other factors, such as CE’s history of prior compliance or financial condition
  – HHS will use “discretion in providing technical assistance, obtaining corrective action, and resolving possible noncompliance by informal means where the possible noncompliance is due to reasonable cause or…a person did not reasonably know that the violation occurred”
  – HHS may waive a civil money penalty for violations due to reasonable cause and not willful neglect that are not corrected within the applicable time period if the penalty would be excessive relative to the violation


HITECH’s Revisions to Enforcement and Penalties

CE and BA Implications

– Significant increases in monetary damages and enforcement
– Improper uses by CE employees/medical staff with EHR/paper record access may now involve civil and/or criminal violations
– Risk to BAs may reduce availability of services
– Costs to provide healthcare services will increase
– State AG enforcement likely


HITECH Revisions - Breach Notification – Interim Final Rule

FTC Requirements for Certain Non-CEs and Non-BAs

– Required to notify impacted individuals and FTC
  • Enforcement by FTC; FTC notifies HHS
– Includes personal health record (PHR) vendors
– Includes entities providing services to PHR vendors and related entities (similar to BAs)
  • E.g., web-based application entities that assist individuals in managing medications, entities that provide billing or data storage services
– Notice requirements similar to HHS requirements for CEs and BAs
– “Safe harbors” same as HHS directed
– FTC issued proposed regulations effective for post-September 18, 2009, breaches


HITECH Revisions - Breach Notification – Interim Final Rule

FIVE Things CEs Need to Do to Comply with the HITECH Breach Notification Rules:

1. CEs should review the new changes under the regulations.
2. CEs should set out to immediately identify all their BAs and modify the relevant business associate agreements to include new HITECH breach notification provisions.
3. CEs should examine and update their forms, policies and procedures to incorporate the new changes under the regulations.
4. CEs should train their relevant workforce on the new changes.
5. CEs should prepare for contingencies (e.g., create a website).


HITECH Revisions - Breach Notification – Interim Final Rule

FIVE Things CEs Need to Do to Comply with the HITECH Breach Notification Rules:

1. Review Breach Notification and HHS Guidance on Securing PHI

– Understand what unauthorized uses or disclosures of PHI will require breach notifications.
– Understand the meaning of defined terms.
– Understand the exceptions to the breach notification requirements.
– Determine if NIST-level encryption is on, or available for, the systems and applications on which you and your BAs store or transmit PHI.


HITECH Revisions - Breach Notification – Interim Final Rule

FIVE Things CEs Need to Do to Comply with the HITECH Breach Notification Rules:

2. Identify BAs and Revise Relevant Agreements

– Work with each BA regarding implementation of policies and procedures and revised agreements.
– Allocate the responsibility for fulfilling the breach notification requirements when a reportable breach has occurred.
– Revise BA agreements to incorporate:
  • BA’s role in identifying and reporting breaches and suspected breaches.
  • The precise timing for BA notice to CE of breach.
  • References to applicable HIPAA and HITECH provisions.
  • Indemnification provisions to ensure appropriate party bears costs associated with notification requirements and liability for failure to comply with them.
– If three parties are involved (e.g., CE 1 (hospital), CE 2 (physician group), BA to physician group):
  • Make sure that if BA receives CE 1’s PHI, CE 1 has a contract with BA requiring BA to mitigate harm and indemnify CE 1.


HITECH Revisions - Breach Notification – Interim Final Rule

FIVE Things CEs Need to Do to Comply with the HITECH Breach Notification Rules:

3. Update Policies and Procedures

– Create, implement and maintain a breach notification plan. Issues to cover in the plan may include:
  • Steps for identifying a potential breach.
  • Steps for determining whether the incident is an impermissible use or disclosure of PHI under the HIPAA Privacy Rule.
  • Steps for performing a risk analysis.
  • Steps to ensure that affected individuals, HHS and media outlets receive proper notification.
  • Steps to mitigate risk to affected individuals.
  • Appointment of a point person to lead the investigation.
– Provide a process for individuals to complain about the CE’s policies and procedures relating to the breach notification process.


HITECH Revisions - Breach Notification – Interim Final Rule

FIVE Things CEs Need to Do to Comply with the HITECH Breach Notification Rules:

4. Train Workforce Members

– Workforce members should receive training on the importance of PHI and immediate reporting of breaches.
– The training should include information on what uses or disclosures will constitute an impermissible breach and on how and to whom breaches should be reported.
– Workforce members should also receive training on sanctions that may apply for failure to follow the CE’s policies and procedures.


HITECH Revisions - Breach Notification – Interim Final Rule

FIVE Things CEs Need to Do to Comply with the HITECH Breach Notification Rules:

5. Contingencies

– Establish a website or a specific web portal in order to post breach notification information.
– Establish a toll-free number in order to respond to requests for information about breaches.
– Develop a contingency public relations plan to minimize damage to the CE’s and/or BA’s reputation resulting from a breach.


HITECH Revisions - Breach Notification – Interim Final Rule

Practical Advice from Experience

– Identifying whose PHI has been disclosed takes a long time
– Getting the disclosing party to assist with providing notice (especially if there is no contractual relationship with the CE) can be difficult
– Starting from scratch (with no point person, no previously prepared letters to individuals, no relationship with an identity theft vendor) takes time and costs money
– Individuals will find out; word travels fast. But, if no harm occurs, individuals generally appreciate the notice and concern
– There are many contacts to make:
  • Individuals impacted
  • State Consumer Protection Divisions of MS Attorney General’s Office
  • HHS/OCR/Media (potentially)
  • PR firm (potentially)
  • Multiple counsel for involved parties
– Doing the right thing from the beginning is important

HITECH Revisions - Breach Notification – Interim Final Rule

• Breach… or no Breach

Breach… or no Breach

ILLUSTRATIVE EXAMPLES

Example No. One:

Sally Prankster, the 13-year-old daughter of a clinic employee, walks off with a list of patients’ names from the clinic when visiting her mother at work. As a joke, she contacts patients and tells them that they have been diagnosed with beriberi.

Example No. Two:

Distracted by his fear of flight, Nervous Nelly, M.D. accidentally leaves behind his computer at the airport. The computer hard drive contains the PHI of over 500 patients. An airline employee of Not So Friendly Skies finds the computer and returns it to Nervous Nelly’s office on his way home from work.

Example No. Three:

Two employees of Broken Bones orthopedic clinic realize that Hits McGee, last year’s Heisman trophy winner, is a patient of the clinic. Out of curiosity, the employees review the patient’s medical records. Realizing that Hits McGee has a clean bill of health, the employees post his medical condition in an internet chat room.

Example No. Four:

Thousands of patient records are found in the dumpster outside the headquarters of Irresponsible Billing Company, Inc., a medical billing company. Information included diagnoses, patient names, social security numbers and test results. The records appeared to be from multiple health care sites.

Example No. Five:

Sally Speakall, a spokesperson for Massive General Hospital, discloses the name of a patient and the fact that the patient was in the hospital for a medical treatment. Miss Speakall is pressed for additional information but declines to go on record with any additional information.

Example No. Six:

We’ve Heard It All Before, a local clinic, admits to maintaining detailed notes of psychotherapy sessions in computer records that were accessible by all clinical employees. Following a series of press reports describing the system, We’ve Heard It All Before revamps its computer security practices.


THANK YOU!!!

Dinetia M. Newman
Balch & Bingham LLP
401 East Capitol Street, Suite 200
Jackson, MS 39201
Telephone: (601) 965-8169
Email: [email protected]

Richard D. Sanders
Balch & Bingham LLP
30 Ivan Allen Jr. Boulevard, N.W., Suite 700
Atlanta, GA 30308
Telephone: (404) 962-3578
Email: [email protected]