HIPAA 2017
Trends and Tools for New Realities
Nelson Mullins Riley & Scarborough
Tuesday April 4, 2017
Eli Poliakoff
Trish Markus
Roy Wyman
Presenters
Eli Poliakoff – Charleston
Trish Markus – Raleigh
Roy Wyman – Nashville
Today’s Agenda
• General update on HIPAA/HITECH topics
• Lessons from recent HIPAA penalties and enforcement actions
• Frequent Business Associate Agreement sticking points and other hot topics
• Security Rule considerations and ransomware
• Cyber-insurance
• The “Internet of Things” and other issues on the near horizon
• Questions
Recording and additional information to be posted at www.nelsonmullins.com/news/events
Upcoming Webinars
Registration information to be posted at www.nelsonmullins.com/news/events
Tuesday April 25 – Roy Wyman (Nashville)
o Deeper dive into healthcare disruption and new technologies that impact care
o How companies working with health-related data can minimize regulatory burdens
o Artificial Intelligence, Blockchain and the future of healthcare data
o The future of privacy, including the likelihood of further regulation beyond HIPAA.
Tuesday May 23 – Mike Ruggio (Washington, DC)
o What should a healthcare provider executive do if the U.S. Attorney’s Office comes knocking?
HIPAA/HITECH Refresher
Health Information Technology for Economic and Clinical Health Act ("HITECH Act") - February 2009
Interim "Final" Breach Regulations - August 2009
HITECH Proposed Regulations - July 2010
HIPAA/HITECH Final Rule ("Omnibus Rule") - January 2013
Effective Date: March 26, 2013
Compliance Dates: September 23, 2013 / September 23, 2014
HITECH’s Reach
Covered Entities → Business Associates → Subsequent Recipients (“Business Associate Subcontractors")
HIPAA (Pre-HITECH): rules directly apply to Covered Entities; Business Associates bound only through a Business Associate Agreement; Subsequent Recipients bound only through a "Subcontract"
HIPAA + HITECH: rules directly apply down the chain; a Business Associate Agreement is required at each link
New Sheriff in Town
Roger Severino – Director, Office for Civil Rights (OCR), U.S. Department of Health and Human Services
On the HIPAA/HITECH Horizon
• HITECH Pending Regulations
• Accounting Rule
• Minimum Necessary
• "HIPAA Whistleblower"
• HIPAA Audit Program
Lessons from Recent OCR Activity
• Encryption – Feinstein, Care New England, MAPFRE, Children’s
• Removal of mobile devices – Feinstein, Catholic Health Care Services
• Governance – Oregon Health & Science U.
• Timely addressing of known security risks – Oregon Health & Science U., U. of MS Medical Center, MAPFRE
Lessons from Recent OCR Activity
• Timely breach notification – Presence Health
• Security risk analyses – North Memorial, Feinstein, Advocate, St. Joseph, Catholic, MAPFRE, U. Mass Amherst
• Updated BAAs – North Memorial, Raleigh Orthopaedic Clinic, Advocate, Care New England
• Policies and procedures – Lincare, Complete P.T., Feinstein, Catholic, Advocate
Reminder: Aggravating/Mitigating Factors Considered
• In assessing penalties, HHS will consider:
o Nature and extent of violation
o Nature and extent of harm (physical, reputational, financial, or inability to obtain health care)
o History of prior HIPAA compliance by entity (previous violations, corrections of noncompliance)
o Financial condition of noncompliant entity
OCR Guidance on Medical Record Copy Fees
• Medical Records Requests
• When do copy fee restrictions apply?
• What are the fee restrictions? How does state law apply?
• Methods of Communication
• Email, fax, text – pros, cons, and approaches
Sticky BAA Provisions
• Subcontractors
• Security incidents
• Indemnification
• No offshoring
• Encryption
• Time frames
Prepare for OCR/Other Enforcement
• BAAs executed with BAs
• Policies
• Training
• Security Rule risk assessment
• Prior internal decisions about breaches
• Know where your internal documentation is
• Be responsive
Security Rule and Compliance: The Practical
• Penalties do not require a breach or loss of privacy or security
o Compliance with the Security Rule ≠ IT Security
• Chart your compliance
o A nice set of policies ≠ compliance
• Fit your HIPAA program within a broader compliance program
Ransomware
• Ransomware = unwanted encryption + demand of a ransom
o Fastest growing malware threat.
o $1 Billion in losses in 2016, per FBI estimate.
• Attack scenarios: websites (including ads), email attachments, bad software
• Not all ransomware is the same
o Some can extract data from the affected computer (passwords, PII, etc.)
• How to avoid: use the same protections as other malware
• Be prepared: a quick response is critical
o Implement a Ransomware Response Plan to act quickly
o Have backups ready
HHS Guidance on Ransomware
• Guidance released July 11, 2016
• Ransomware on a CE's or BA's computer systems is a "security incident"
• Any encryption of ePHI by ransomware is presumed a "breach"
o "Control" of data, even if it can't be viewed, is a "disclosure"
o Must report unless there is a “…low probability that the PHI has been compromised,” based on:
  - Nature and extent of ePHI involved (usually everything);
  - The unauthorized person to whom the disclosure was made (known bad guy);
  - Whether the ePHI was actually acquired or viewed (exfiltration capability?); and
  - The extent to which the risk to the ePHI has been mitigated (can it be mitigated?).
The $7B "Immature Market"
[Chart: Cybersecurity Gross Premiums (in billions), shown for 2012, 2015, 2018* and 2020*; vertical axis 0 to 8. *Estimated]
Basics of cyber liability insurance
• When you've seen one policy, you've seen one policy
• Potential limitations:
o Indemnification
o Contractual Obligations
• Bottom line: Know what you're buying.
• When there's a breach:
o Call the rep
o Make sure counsel, forensics are pre-approved.
2017 and Beyond
• Internet of Things and security (e.g., connected medical devices)
• Privacy and security rules for non-covered entities and non-BAs.
• Increased attention to vendors (BAAs and Subcontractors)
o Vendor Assessment Process
o Tracking BAAs
• Assume Failure—Segmentation; DMZs and Risk Management
• The Unexpected
o Blockchain?
o AI?
Questions?
Eli Poliakoff – Charleston
Trish Markus – Raleigh
Roy Wyman – Nashville
Recording and additional information to be posted at www.nelsonmullins.com/news/events