milada r. goturi tonya m. oliver thompson coburn llp 1
TRANSCRIPT
Milada R. GoturiTonya M. Oliver
Thompson Coburn LLP
1
Overview of Data Breaches
HIPAA/HITECH Considerations
State Data Security Laws
Case Studies & Prevention Strategies
2
Generally, a data breach is:
◦unauthorized
◦acquisition, access, use, or disclosure
◦of confidential information
Protected Health Information
Other confidential information
3
Hacking/IT incident
Improper PHI Disposal
Loss of Electronic Device
Theft – Laptop, Hard Disks, Portable Electronic Devices,
Unauthorized Access (e.g., employee improperly accesses data)
4
Health Net - Lost data servers (2011) Massachusetts General – Documents containing
PHI of 192 patients left on train (2011) Mills-Peninsula Medical Center, California–
Mailroom employee stole medical records of approximately 1,500 patients (2011)
Beth Israel Deaconess Medical Center, Boston– Computer with virus transmitted data files of over 2,000 patients to an unknown location after computer service vendor failed to restore security setting on a computer (2011)
5
2010 OCR Data:
◦ 207 reports to OCR of data breaches impacting 500 or more individuals
◦ 5.4 million individuals affected by these large breaches
◦Over 25,000 reports to OCR of smaller data breaches (that occurred during 2010)
◦More than 50,000 individuals impacted by these smaller breaches
No provider is too big or too small to experience a data breach
6
The average cost of data breach in the healthcare sector = estimated at over $300 per record
In 2010, the average cost was $345 per compromised record, up from an average cost of $301 in 2009
◦ (Ponemon Institute, “U.S. Cost of a Data Breach,” (2010))
7
Statutory violations and related fines and penalties (HIPAA/HITECH, state laws, FTC rules)
Reputational harmSubstantial costs in response and defenseContractual obligationsGovernment investigationPrivate lawsuits
8
HIPAA requires covered entities (and now their business associates) to comply with privacy and security standards to protect PHI
◦ “Covered entities” = health care providers, health plans and clearinghouses
◦ “PHI” is individually identifiable health information (e.g., medical information, demographic information, billing information)
◦ Privacy standards – Designed to protect individuals’ PHI by mandating covered entities comply with certain requirements related to the use and disclosure of PHI
◦ Security standards – Designed to protect electronic PHI by mandating certain physical, technical and administrative safeguards
9
HIPAA requires covered entities (and business associates) to comply with privacy and security standards to protect PHI
HITECH Act (Health Information Technology for Economic and Clinical Health Act of 2009):
◦ Strengthened and expanded HIPAA
◦ Rationale = Concerns for patient privacy and identity theft
◦ Among other things, established mandatory notification requirements for breaches of unsecured PHI
10
Covered entities must provide notice if:
◦There is a “Breach,” and
◦The Breach involves “Unsecured PHI”
Notice must be provided to:
◦Affected patients ◦DHHS ◦Media (in some cases)
Business associates must notify covered entities if a “Breach” occurs
11
12
Step 3: Did the incident compromise the security or privacy of PHI in a way that creates significant risk of financial, reputational, or other harm to the affected individual?
Nature and type of PHI? Who used or obtained PHI? Mitigation? Other relevant factors?
Step 4: Does the incident falls within an exclusion◦ Unintentional use of PHI by employee in good faith within the scope of authority◦ Inadvertent disclosure of PHI among persons authorized to access PHI at covered
entity/business associate◦ Good faith belief that unauthorized person who received PHI would not reasonably
have been able to retain PHI
13
Required for all Breaches of Unsecured PHI Without unreasonable delay In no event more than 60 days after discovery of Breach In writing, by mail or if individual has agreed, by e-mail
14
Description of the Breach
Description of the types of PHI involved in the Breach
Steps affected individuals should take to protect themselves from potential harm
Brief description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches
Contact information for the covered entity
If substitute notice provided via web posting or major print or broadcast media, toll-free number for individuals to contact the covered entity to determine if their PHI was involved
15
For 10 or more individuals, substitute individual notice by either posting the notice on the home page of its web site or by providing the notice in major print or broadcast media where the affected individuals likely reside.
For fewer than 10 individuals, covered entity may provide substitute individual notice by an alternative form via written, telephone, or other means.
16
Submit report electronically via HHS web site
If a breach affects 500 or more individuals = notify the Secretary without unreasonable delay and no later than 60 days following a breach
If breach affects fewer than 500 individuals = notify HHS no later than 60 days after the end of the calendar year in which the breach occurred
Expect an investigation
17
Required only for Breaches affecting more than 500 residents of a state or jurisdiction, covered entity is required to provide notice to prominent media outlets serving that State or jurisdiction (e.g., press release)
Media notification must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach
Must include the same information required for the individual notice
18
Business associates must notify the Covered Entity if a Breach occurs.
Without unreasonable delay and in no event more than 60 days after discovery of Breach
Notification should include:◦ the identification of each individual affected by the Breach
◦ any information required to be provided by the covered entity in its notification to affected individuals
19
Personal InformationElectronic (few states cover paper records)In unencrypted form Accessed by or improperly disclosed to
An unauthorized personData breach = state data security law must be
considered
20
“Personal Information”:
◦ Individual’s name and one of the following: Social security number Account Number State identification/driver’s license number Credit card number
Definitions vary by stateIncludes PHI, employee data, consumer data
21
State Data Security Laws Require:◦Notice to affected state residents◦Notice to Attorney General◦Notice to consumer agencies Requirements vary by state Challenge = multi-state breach
22
Enacted by 46 states, including Missouri and Illinois
Only Kentucky, New Mexico, Alabama and South Dakota don’t have these laws
Requirements vary by state
23
R.S.Mo. § 407.1500 "Breach of security" = unauthorized access to or
acquisition of unencrypted computerized personal information that compromises the security, confidentiality or integrity of such information
“Personal information“ = first name and last name in combination with any one of the following:
◦ Social Security number◦ Driver's license number or other unique identification number◦ Financial account number, credit card or debit card number in
combination with security code or password◦ Unique electronic identifier or routing code, in combination with
security code or password◦ Medical or health insurance information
24
Requires notice to Missouri residents of a breach of security of personal information
Notice must be made without unreasonable delay
Content of notice is statutorily prescribed
If over 1000 residents involved = must notify Missouri Attorney General and consumer reporting agencies
25
Risk of Harm Test
Notification not required if, after investigation or consultation with law enforcement, it is determined that a risk of identity theft or other fraud to any consumer is not reasonably likely due to the breach
Determination not to notify must be documented and maintained for five years
Willful and knowing violation of law = AG action for damages, up to $150,000 per security breach
26
Stolen laptop
Unauthorized access by employees
Data files sent to incorrect recipient
Faxes sent without permission
Medical records in trash
Garage sale
27
Maintain solid HIPAA privacy and security compliance program
Establish strong contracts with Business Associates
Minimize unsecured PHI
Follow proper data destruction practicesEducate your staff
28
Effective HIPAA privacy and security policies, procedures and training = key to protecting against data breaches
Winter 2011 - OCR to begin HIPAA privacy and security audits (administered by KPMG) of covered entities◦Audits will focus on HIPAA privacy and security
compliance
◦Corrective actions/fines may result if noncompliance found
29
Issues to consider:
◦Time frame for notifying covered entity of breach
◦Requirements related to investigating breach
◦Financial responsibility related to breach notification
Cost of notice letters, technical expert and legal costs
◦ Indemnification
30
Minimize PHI and other personal information collected and retained
Encryption◦ To avoid being “Unsecured PHI,” PHI must be encrypted using
process tested by the National Institute of Standards and Technology
Destruction◦ Paper, film or other hard copy media
Must be shredded so PHI can’t be read or reconstructed Redaction is not enough!
31
Educate staff about data security and data breach obligations
◦Periodic refresher training
◦Establish and monitor access control
◦Penalties for improper access to PHI/other confidential data
Assign responsibility in the event of a breach
32
If an incident happens, take prompt action
◦Determine if a breach occurred ◦ Technical expert analysis may be required
◦Take prompt mitigation steps ◦Provide required notices ◦ Timing of notices is essential
◦Cooperate with any governmental investigation Cignet Health $4.3M penalty - $3M due to failure to
cooperate with authorities
33
If you have any questions, please contact: Milada R. Goturi [email protected] P: 314.552.6057
F: 314.552.7057 M: 314.602.6057
Tonya M. Oliver [email protected] P: 314.552.6119
F: 314.552.7119 M: 314.602.6119
34