Transcript Document
HHS’S HIPAA BREACH NOTIFICATION
RULES WEBINAR
Sponsored By
MISSISSIPPI HOSPITAL ASSOCIATION
And Hosted by
BALCH & BINGHAM LLP
Wednesday, November 11, 2009
10:00 a.m. – 11:30 a.m.
HITECH Revisions - Breach
Notification
• Description of Breach Notification Requirements –
Pre-HITECH
• Breach Notification – Interim Final Rule Provisions –
August 24, 2009
– Guidelines for Risk Analysis
• HITECH Revisions to Enforcement and Penalties
• FIVE Things CEs Need to Do to Comply with the
HITECH Breach Notification Rules
• Breach….or No Breach
HITECH Revisions - Breach
Notification
• Pre-HITECH:
– No requirement that CE notify anyone (including
individual or OCR) of PHI or ePHI breach
– BA could be contractually required to notify CE
HITECH Revisions - Breach
Notification – Interim Final Rule
• Interim Final Rule implementing HITECH Breach
Notification Provisions – August 24, 2009
– Effective September 23, 2009 – Comments due October 23,
2009
– Implements Section 13402 of HITECH
– Includes comments to RFI in April 27, 2009 guidance
– Adds new subpart D to Part 164, Title 45 of CFR
– Applicable to HIPAA CEs and BAs
– Drafted to harmonize with FTC rules applicable to PHR
vendors
– HHS will use enforcement discretion not to impose sanctions
for failure to provide notice until February 22, 2010
– OCR to issue FINAL RULE; may revise Interim Final Rule
based on comments received
HITECH Revisions - Breach
Notification – Interim Final Rule
• Scope of Notification Requirements
– Applies to Privacy Rule breaches involving both
electronic and paper records
– “Breach” means the unauthorized acquisition,
access, use or disclosure of PHI which
compromises the security or privacy of such
information (at 45 C.F.R. §164.402)
HITECH Revisions - Breach
Notification – Interim Final Rule
• Exceptions to “Breach” Definition
– Unintentional access to PHI by workforce member or
other individual acting under the authority of a CE or BA
if:
• Good faith access and within the scope of authority of
CE/BA; and
• Information not further acquired, accessed, used or
disclosed by such person in manner not permitted by
Privacy Rule
– Inadvertent disclosure by person authorized to access
CE’s or BA’s PHI to another similarly situated person at
same CE, BA or OHCA and PHI not further used in
manner not permitted by Privacy Rule
– Disclosure of PHI to unauthorized person if CE/BA has
good faith belief that such person could not reasonably
be able to “retain” such information
HITECH Revisions - Breach
Notification – Interim Final Rule
• Risk Analysis to Determine Requirement for
Breach Notification- Three-step process by CE
and/or BA
– Step One: Determine whether an impermissible use or disclosure
of unsecured PHI under the HIPAA Privacy Rule occurred
– Step Two: Perform a risk assessment to determine and document
whether a significant risk of financial, reputational or other harm to
an affected individual has occurred
– Step Three: Determine whether the incident is excluded from the
definition of breach because it satisfies a statutory exception set
forth in the Act and interim final rule
HITECH Revisions - Breach
Notification – Interim Final Rule
• Guidelines for Risk Analysis
– Review federal and state statutory and regulatory
requirements
• Each Privacy Rule violation does not necessarily constitute a
breach requiring notification under HIPAA
• But, a Privacy Rule violation may also constitute a state law
violation
• Because there is no mandatory requirement to make the
various notifications, documentation of the risk analysis
becomes more important
– OCR will review the documentation with 20/20 hindsight
– CEs and BAs must balance mitigation of harm to the individual
with concerns of worrying the individual unnecessarily
HITECH Revisions - Breach
Notification – Interim Final Rule
– Investigate the incident
• To whom was the PHI disclosed?
• Why did the individual use, access, or disclose the PHI?
• What type of PHI was impermissibly used or disclosed?
• Did the PHI reflect the type of services the individual received?
• Was risk of identity theft involved?
• What amount of PHI was impermissibly used or disclosed?
• Did the CE or BA take steps to mitigate the impermissible use or
disclosure?
• Who is the individual/patient?
• Was PHI used/disclosed in the form of a limited data set?
HITECH Revisions - Breach
Notification – Interim Final Rule
– Based on investigation, determine whether the individual has
encountered financial, reputational or other harm?
• Identify nature of potential harm and evidence of harm
• Recipient of PHI may impact risk of harm
• Ability to retrieve PHI and intent of PHI recipient may impact analysis
• Remember 20/20 hindsight rule
– What action must individual take?
• Cancel credit card? Notify credit agencies? Contact FTC or State Consumer Protection
Agency
• Request physical protection?
• Prepare for life insurance rejection? Job loss? Problematic domestic relationships?
– How will notice by CE impact individual?
• Will CE’s or employer’s trust be diminished?
• Alternatively, would that trust be diminished if notice is not provided?
• Will individual find out through someone other than CE?
HITECH Revisions - Breach
Notification – Interim Final Rule
• Guidelines for Risk Analysis
– Burden of Demonstrating No Breach Occurred on
CE and/or BA – Section 164.414
• Documentation is critical to proving impermissible use or
disclosure did not pose significant risk of harm to
individual and therefore no notification required
• If using narrow exception for limited data set PLUS,
document that lost PHI did not include identifiers
mentioned in 164.402(1)(ii)
HITECH Revisions - Breach
Notification – Interim Final Rule
• Unsecured PHI Guidance
– HITECH defines “Unsecured PHI” as PHI not secured
through use of technology or methodology required in HHS
guidance to render PHI “unusable, unreadable or
indecipherable to unauthorized individuals”
– HHS issued guidance April 27, 2009, identifying two
methods to secure and render PHI unusable, unreadable or
indecipherable to unauthorized individuals:
• encryption and destruction
– HHS update of guidance required annually
HITECH Revisions - Breach
Notification – Interim Final Rule
• Clarified meaning of “data” - in motion, at rest, in use and disposed
• Encryption:
– Successful use depends upon strength of encryption algorithm (computer
program) and security of the decryption key or process
– Two approved processes:
• For data considered to be “at rest” – NIST Special Pub 800-111, Guide
to Storage Encryption Technologies for End User Devices
• For data considered to be “in motion” – Federal Information Processing
Standards (FIPS) 140-2
• Exhaustive methods, not illustrative
• Destruction:
– PHI in written form will be “secured” if materials shredded or destroyed and
PHI cannot be read or otherwise reconstructed
– PHI in electronic form will be “secured” if information cleared, purged or
destroyed consistent with NIST Special Pub 800-88, Guidelines for Media
Sanitization, such that PHI cannot be retrieved
HITECH Revisions - Breach
Notification – Interim Final Rule
• Encryption of electronic patient information
– Portable storage media (CDs, DVDs, tapes, thumb drives)
– Portable devices (laptops, minis, PDAs, I-Phones, I-Pods,
cameras)
– Desktop PCs, servers, NAS, SAN, midranges, mainframes
– Communication (email, SMS, MMS, IM, VOIP)
– Techniques
• Full disk encryption
• Virtual disk and volume encryption
• File and folder encryption
• Message encryption
• Network encryption
– NIST Special Publication 800-111 (rest), FIPS 140-2 (motion)
Types of Encryption
Source NIST Special Publication 800-111
HITECH Revisions - Breach
Notification – Interim Final Rule
• Updated HHS Guidance on Securing PHI
– In the preamble to the regulations for breach notification,
HHS updated its guidance on “securing” PHI.
– HHS:
• Rejected access controls, such as firewalls, as a method
for securing PHI.
• Rejected redaction as a means of securing PHI, and
clarified that only the destruction of paper PHI will render
that PHI secure.
• Clarified that encryption keys must be kept on a separate
device from the data that they encrypt or decrypt.
• Reiterated its reliance on certain NIST standards as
meeting the encryption standards required to secure PHI.
HITECH Revisions - Breach
Notification – Interim Final Rule
• Discovery of Breach – Section 164.404(2)
– On first day that known or by exercising
reasonable diligence could have been known
(except by person committing breach) to CE or BA
– CE/BA “deemed” to know when breach known or
by exercising reasonable diligence could have
been known to any workforce member or CE
agent
– Meaning of “agent” determined by federal
common law of agency
HITECH Revisions - Breach
Notification – Interim Final Rule
• Discovery of Breach – Section 164.404(2)
• Impact of Agency Relationships on CEs
– When CE delegates certain administrative duties to a
contractor or service provider (or BA), agency relationship
very likely exists
– If low-level employee of such service provider learns of
potential security incident but fails to report, service provider
may be “deemed” to have “discovered” breach
• If the service provider is an agent of the CE, that discovery
could be imputed to CE immediately and would begin time
frame required for notice, whether or not CE actually knows of
breach
HITECH Revisions - Breach
Notification – Interim Final Rule
• Discovery of Breach – Section 164.404(2)
• Federal Common Law of Agency
“Agency” is used to describe the relation created as a result of the conduct of two
parties manifesting that one party (principal) is willing for the other (agent) to act for
him subject to his control, and the other consents to so act
• “Principal” used to describe person/entity who has authorized another to act
on his account and subject to his control
• “Agent” used to describe person/entity authorized by another to act on his
account and under his control
Required factual elements:
• Manifestation by principal that agent act for him;
• Agent’s acceptance of the undertaking; and
• Understanding of the parties that the principal is to be in control of the
undertaking
HITECH Revisions - Breach
Notification – Interim Final Rule
• Notice to Individuals – Section 164.404
– CEs must notify individuals if “unsecured PHI” has been, or is
reasonably believed to have been, accessed, acquired, used or
disclosed as a result of a “breach”
– Written Notice
• Sent via first class mail unless the individual has specified a preference
for e-mail
– Substitute Notice
• If insufficient or out-of-date information for individual or if notice is
returned undeliverable, CE must provide substitute notice
• If fewer than 10 individuals involved, notice may be by phone or other
means
• If 10 or more individuals involved, notice must be by conspicuous
posting for 90 days on CE Web site or in major print or broadcast
media where affected individuals reside
– Must include toll-free phone number active at least 90 days
• Notice must be reasonably calculated to reach individual
– Urgent Notice
• If possibility of imminent misuse of unsecured PHI, notice required by
telephone or other appropriate notice plus written notice
HITECH Revisions - Breach
Notification – Interim Final Rule
• Timing of Notice to Individuals by CE – Section 164.404(b)
• Must be made without unreasonable delay and in no case later
than 60 calendar days after unsecured PHI breach discovery
• Content of CE Notice to Individual – Section 164.404(c)
– The notice must include:
• Description of breach (what happened including date of breach)
• Types of information involved (such as SS#, DOB, address)
• Mitigation, investigation, protective steps by CE
• Steps for individuals to take for protection
• Contact information to ask questions or obtain more information
(must include toll-free number, email address, Web site or postal
address)
HITECH Revisions - Breach
Notification – Interim Final Rule
• Notice to Media – Section 164.406
– If breach involves unsecured PHI of more than 500 individuals in state or
jurisdiction, CE must notify prominent media outlets
– Notice must be given without unreasonable delay and no later than 60
calendar days after breach discovery
– Depending on the circumstances, an appropriate media outlet may include
a local television station or a major general interest newspaper with a daily
circulation throughout an entire state
• Notice to Secretary – Section 164.408
– If breach involves unsecured PHI of more than 500 individuals
• Immediately, meaning without unreasonable delay and no later than 60
calendar days after breach discovery
• CEs listed on HHS Web site
– If breach involves unsecured PHI of fewer than 500 individuals
• CEs must maintain log of breaches and submit annual report of
breaches to Secretary
• Date for submission will be identified on HHS Web site and will be no
later than 60 days after end of each CY
• Report to Congress
– HHS must annually report breaches to Congress
HITECH Revisions - Breach
Notification – Interim Final Rule
• Notice by BA – Section 164.410
– Required to notify CE of unsecured PHI breach following discovery
– Discovery of Breach
• Discovered on first day that known or by exercising reasonable
diligence would have been known to BA
• Deemed knowledge if breach known or by exercising reasonable
diligence would have been known (except to person committing
breach) to BA employee, officer or other agent (determined by federal
common law)
– Timing of Notice
• Without unreasonable delay and no later than 60 days after breach
discovery
– Content of Notice
• To extent possible, identity of each individual whose unsecured PHI has
been or is reasonably believed to have been accessed, acquired, used
or disclosed
• Must give CE any other available information that CE must include in
notice to individual within timing requirements and as promptly
thereafter as information becomes available
HITECH Revisions - Breach
Notification – Interim Final Rule
• Law Enforcement Delay – Section 164.412
– Notice by CE/BA delayed if law enforcement
official states notice/posting would impede criminal
investigation or cause harm to national security
• If statement is in writing and stating time frame for delay,
notice must be delayed until the stated date
• If oral statement, CE/BA must document statement and
identity of official and delay notice not longer than 30
days from date of oral statement (unless written
statement received during that time)
– Definition of Law Enforcement Official
• Moved to Section 164.103 (now applicable for both
Privacy Rule and Breach Notification Rule)
HITECH’s Revisions to Enforcement
and Penalties
• Pre-HITECH Privacy Rule:
– Enforcement
• Through OCR – civil penalties
• Through DOJ – criminal penalties
– Civil Penalties
• $100 per violation of Privacy Rule
• $25,000 annual cap per violation
– Criminal penalties for knowing violation
• $50,000 and one year
• $100,000 and five years for obtaining under false pretenses
• $250,000 and ten years for intent to sell or obtain commercial
advantage
– Emphasis on voluntary compliance
– No private right of action
– State law breach of privacy still available
HITECH’s Revisions to Enforcement
and Penalties
HITECH Revisions
– Enforcement
• HHS, specifically OCR, must formally investigate any
complaint of HIPAA violation if initial investigation
indicates breach due to willful neglect – effective
February 17, 2011
– Required to impose CMP if willful neglect found
– OCR will perform audits of CEs and BAs (probably not random
onsite visits) – beginning February 2010
• Effective February 17, 2009 - State attorneys general
may bring civil actions in federal court for HIPAA
violations
– HHS may intervene
– AGs may seek injunction or damages
– Only if HHS has not initiated lawsuit
HITECH’s Revisions to Enforcement
and Penalties
– Penalties (As per statute and October 30, 2009 Interim
Final Rule)
• Applicable to CEs – February 18, 2009
• Applicable also to BAs – February 17, 2010
• Original bases for civil enforcement retained with increased
penalties
• Penalties based on intent – state of mind
• CMPs collected transferred to OCR for purposes of enforcing
the Privacy and Security Rules
– OCR will consult with GAO to develop system within 3
years to provide percentage of CMPs/settlement to
individuals harmed
• Non-CEs (e.g., employees of CEs) may violate HIPAA if PHI
maintained by CE is obtained or disclosed by person without
authorization
» Criminal penalties
» Broad language
HITECH’s Revisions to Enforcement
and Penalties
– Penalties (cont’d):
• Applies a tiered approach to CMPs
• Unknown or with reasonable due diligence would not have known:
– Not less than $100 or more than $50,000 for each violation OR
– In excess of $1.5 million for identical violations during a calendar year
• Reasonable cause that is not willful neglect:
– Not less than $1,000 or more than $50,000 for each violation OR
– In excess of $1.5M for identical violations during a calendar year
• Willful neglect and violation corrected within 30 day cure period:
– Not less than $10,000 or more than $50,000 for each violation OR
– In excess of $1.5M for identical violations during a calendar year
• Willful neglect and the violation not corrected within 30 day cure period:
– Not less than $50,000 OR
– In excess of $1.5M for identical violations during a calendar year
HITECH’s Revisions to Enforcement
and Penalties
• Definition of “willful neglect”
– Conscious intentional failure or reckless
indifference to obligation to comply
• High standard
– Deliberate act
– Failure to train, failure to put in place compliance
measures?
HITECH’s Revisions to Enforcement
and Penalties
• Statements regarding penalties in Interim Final Rule
– HHS will not impose maximum penalty amount in all cases
– HHS will base penalties on nature and extent of violation, on
resulting harm and on other factors, such as CE’s history of
prior compliance or financial condition
– HHS will use “discretion in providing technical assistance,
obtaining corrective action, and resolving possible
noncompliance by informal means where the possible
noncompliance is due to reasonable cause or…a person did
not reasonably know that the violation occurred”
– HHS may waive a civil money penalty for violations due to
reasonable cause and not willful neglect that are not
corrected within the applicable time period if the penalty
would be excessive relative to the violation
HITECH’s Revisions to Enforcement
and Penalties
• CE and BA Implications
– Significant increases in monetary damages and enforcement
– Improper uses by CE employees/medical staff with EHR/paper
record access may now involve civil and/or criminal violations
– Risk to BAs may reduce availability of services
– Costs to provide healthcare services will increase
– State AG enforcement likely
HITECH Revisions - Breach
Notification – Interim Final Rule
• FTC Requirements for certain Non-CEs and Non-BAs
– Required to notify impacted individuals and FTC
• Enforcement by FTC; FTC notifies HHS
– Includes personal health records (PHRs) vendors
– Includes entities providing services to PHR vendors and
related entities (similar to BAs)
• E.g., web-based application entities that assist individuals in
managing medications, entities that provide billing or data
storage services
– Notice requirements similar to HHS requirements for CEs
and BAs
– “Safe harbors” same as HHS directed
– FTC issued proposed regulations effective for post-September 18, 2009, breaches
HITECH Revisions - Breach
Notification – Interim Final Rule
• FIVE Things CEs Need to Do to Comply with the HITECH Breach
Notification Rules:
1. CEs should review the new changes under the regulations.
2. CEs should set out to immediately identify all their BAs and
modify the relevant business associate agreements to
include new HITECH breach notification provisions.
3. CEs should examine and update their forms, policies and
procedures to incorporate the new changes under the
regulations.
4. CEs should train their relevant workforce on the new changes.
5. CEs should prepare for contingencies (e.g., create a website).
HITECH Revisions - Breach
Notification – Interim Final Rule
• FIVE Things CEs Need to Do to Comply with the HITECH Breach
Notification Rules:
1. Review Breach Notification and HHS Guidance on Securing
PHI
– Understand what unauthorized uses or disclosures of PHI will
require breach notifications.
– Understand the meaning of defined terms.
– Understand the exceptions to the breach notification requirements.
– Determine if NIST-level encryption is on, or available for the
systems and applications on which you and your BAs store or
transmit PHI.
HITECH Revisions - Breach
Notification – Interim Final Rule
• FIVE Things CEs Need to Do to Comply with the HITECH Breach
Notification Rules:
2. Identify BAs and Revise Relevant Agreements
– Work with each BA regarding implementation of policies and
procedures and revised agreements.
– Allocate the responsibility for fulfilling the breach notification
requirements when a reportable breach has occurred.
– Revise BA agreements to incorporate:
• BA’s role in identifying and reporting breaches and suspected
breaches.
• The precise timing for BA notice to CE of breach.
• References to applicable HIPAA and HITECH provisions.
• Indemnification provisions to ensure appropriate party bears
costs associated with notification requirements and liability for
failure to comply with them.
– If three parties are involved (e.g., CE 1 (hospital), CE 2 (physician
group), BA to physician group)
• Make sure that if BA receives CE 1’s PHI, that CE 1 has
contract with BA requiring BA to mitigate harm, indemnify CE 1
HITECH Revisions - Breach
Notification – Interim Final Rule
• FIVE Things CEs Need to Do to Comply with the HITECH Breach
Notification Rules:
3. Update Policies and Procedures
– Create, implement and maintain a breach notification plan. Issues to cover
in the plan may include:
• Steps for identifying a potential breach.
• Steps for determining whether the incident is an impermissible use or
disclosure of PHI under the HIPAA privacy rule.
• Steps for performing a risk analysis.
• Steps to ensure that affected individuals, HHS and media outlets
receive proper notification.
• Steps to mitigate risk to affected individuals.
• Appointment of a point person to lead the investigation.
– Provide a process for individuals to complain about the CE’s policies and
procedures relating to the breach notification process.
HITECH Revisions - Breach
Notification – Interim Final Rule
• FIVE Things CEs Need to Do to Comply with the HITECH Breach
Notification Rules:
4. Train Workforce Members
– Workforce members should receive training on the importance of
PHI and immediate reporting of breaches.
– The training should include information on what uses or disclosures
will constitute an impermissible breach and on how and to whom
breaches should be reported.
– Workforce members should also receive training on sanctions that
may apply for failure to follow the CE’s policies and procedures.
HITECH Revisions - Breach
Notification – Interim Final Rule
• FIVE Things CEs Need to Do to Comply with the HITECH Breach
Notification Rules:
5. Contingencies
– Establish a website or a specific web portal in order to post breach
notification information
– Establish a toll-free number in order to respond to requests for
information about breaches.
– Develop a contingency public relations plan to minimize damage to
the CE’s and/or BA’s reputation resulting from a breach.
HITECH Revisions - Breach
Notification – Interim Final Rule
• Practical Advice from Experience
– Identifying whose PHI has been disclosed takes a long time
– Getting the disclosing party to assist with providing notice
(especially if there is no contractual relationship with the CE) can
be difficult
– Starting from scratch (with no point person, no previously prepared
letters to individuals, no relationship with an identity theft vendor)
takes time and costs money
– Individuals will find out; word travels fast. But, if no harm occurs,
individuals generally appreciate the notice and concern
– There are many contacts to make:
• Individuals impacted
• State Consumer Protection Divisions of MS Attorney General’s Office
• HHS/OCR/Media (potentially)
• PR firm (potentially)
• Multiple counsel for involved parties
– Doing the right thing from the beginning is important
HITECH Revisions - Breach
Notification – Interim Final Rule
• Breach…..or no Breach
Breach…..or no Breach
ILLUSTRATIVE EXAMPLES:
Example No. One:
Sally Prankster, the 13-year-old daughter of a clinic employee, walks off with a
list of patients’ names from the clinic when visiting her mother at work. As a
joke, she contacts patients and tells them that they have been diagnosed with
beriberi.
Example No. Two:
Distracted by his fear of flight, Nervous Nelly, M.D. accidentally leaves behind
his computer at the airport. The computer hard drive contains the PHI of over
500 patients. An airline employee of Not So Friendly Skies finds the computer
and returns it to Nervous Nelly’s office on his way home from work.
Breach…..or no Breach
ILLUSTRATIVE EXAMPLES:
Example No. Three:
Two employees of Broken Bones orthopedic clinic realize that Hits McGee, last
year’s Heisman trophy winner, is a patient of the clinic. Out of curiosity, the
employees review the patient’s medical records. Realizing that Hits McGee has
a clean bill of health, the employees post his medical condition in an internet
chat room.
Example No. Four:
Thousands of patient records are found in the dumpster outside of the
headquarters of Irresponsible Billing Company, Inc., a medical billing company.
Information included diagnosis, patient names and social security numbers and
test results. The records appeared to be from multiple health care sites.
Breach…..or no Breach
ILLUSTRATIVE EXAMPLES:
Example No. Five:
Sally Speakall, a spokesperson for Massive General Hospital, discloses the
name of a patient and the fact that the patient was in the hospital for a medical
treatment. Miss Speakall is pressed for additional information but declines to go
on record with any additional information.
Example No. Six:
We’ve Heard It All Before, a local clinic, admits to maintaining detailed notes of
psychotherapy sessions in computer records that were accessible by all clinical
employees. Following a series of press reports describing the system, We’ve
Heard It All Before revamps its computer security practices.
THANK YOU!!!
Dinetia M. Newman
Balch & Bingham LLP
401 East Capitol Street, Suite 200
Jackson, MS 39201
Telephone: (601) 965-8169
Richard D. Sanders
Balch & Bingham LLP
30 Ivan Allen Jr. Boulevard, N.W., Suite 700
Atlanta, GA 30308
Telephone: (404) 962-3578