Health Insurance Portability and Accountability Act (HIPAA): Breach Notification Rule
April 2019
Alissa Smith

Outline of Presentation
• HIPAA Breach Notification Rule Overview
• Updates on OCR Enforcement
  – Complaints
  – Investigations
  – Settlement Amounts
• Examples
HIPAA Breach Notification Rule
• Breach: the access, acquisition, use or disclosure of unsecured PHI not permitted under the Privacy Rule that compromises the security or privacy of the PHI.
• Unsecured PHI: PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by HHS (e.g., encrypted, shredded).

HIPAA Breach Notification Rule (cont’d)
• A potential breach is presumed to be a “breach” (requiring breach notification) unless an exclusion applies or a 4-part risk assessment demonstrates that there is a low probability that the PHI has been compromised.
HIPAA Breach Notification Rule: Exclusions
• Three Exclusions
  – Good faith internal access
  – Good faith internal disclosure
  – External disclosure, but a good faith belief that the person to whom the disclosure was made would not reasonably have been able to retain the information

HIPAA Breach Notification Rule: Risk Assessment
• In order to determine that breach notification is not required, the covered entity must have addressed all four factors in the risk assessment and determined that the use/disclosure of the PHI poses a low probability that the PHI has been compromised.
• OCR expects risk assessments to be thorough, completed in good faith, and for the conclusions reached to be reasonable.
• Retain documentation of the investigation, the risk assessment and all notifications (6 years).

HIPAA Breach Notification Rule: 4-Part Risk Assessment
1. The nature and extent of the PHI involved (including the types of PHI and the likelihood of re-identification);
2. The unauthorized person who used the PHI or to whom the disclosure was made;
3. Whether the PHI was actually acquired or viewed; and
4. The extent to which the risk to the PHI has been mitigated.
After considering these factors, the CE must presume there is a “breach” requiring notification unless the analysis demonstrates that there is a low probability that the PHI has been compromised.
Breach Notifications: the who, when, and how

Large breaches (500+ individuals)
• Affected individuals
  – No later than 60 days after breach discovery
  – Delivered by first-class mail, unless an individual agrees to email
• The Secretary of Health and Human Services
  – No later than 60 calendar days after the breach(es) were discovered
• The Media
  – Breaches involving 500+ residents of a state or jurisdiction: all prominent media outlets of the state or jurisdiction
  – No later than 60 days after breach discovery

Small breaches (fewer than 500 individuals)
• Affected individuals
  – No later than 60 days after breach discovery
  – Delivered by first-class mail, unless an individual agrees to email
• The Secretary of Health and Human Services
  – No later than 60 calendar days after the end of the calendar year in which the breach(es) were discovered
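The deadlines above branch on breach size (individual notice and HHS notice for large breaches run from discovery; HHS notice for small breaches runs from the end of the calendar year of discovery) and on a separate media trigger (500+ residents of one state or jurisdiction). The following is an added worked example, not part of the presentation, that turns those rules into a small scheduler an incident-response team could drop into a breach-tracking workflow. It assumes the 60-day figures on the slide are outer limits (the rule itself requires notice without unreasonable delay, so a real workflow should treat these dates as the latest acceptable, not as targets), and the function and field names are this example's own choices.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Thresholds and windows as stated on the slide (assumed to be outer limits).
LARGE_BREACH_THRESHOLD = 500          # individuals affected
MEDIA_RESIDENT_THRESHOLD = 500        # residents of one state/jurisdiction
NOTIFICATION_WINDOW = timedelta(days=60)


@dataclass(frozen=True)
class NotificationSchedule:
    """Latest permissible dates for each required notification."""
    individuals_due: date          # first-class mail unless the person agreed to email
    hhs_due: date                  # Secretary of HHS
    media_due: Optional[date]      # None when no single jurisdiction crosses 500 residents
    large_breach: bool


def end_of_calendar_year(d: date) -> date:
    return date(d.year, 12, 31)


def notification_deadlines(discovery: date,
                           affected_individuals: int,
                           max_residents_in_one_jurisdiction: int) -> NotificationSchedule:
    """Compute outer-limit notification dates from the discovery date.

    discovery: the date the breach was discovered (or should reasonably have been).
    affected_individuals: total individuals whose unsecured PHI was involved.
    max_residents_in_one_jurisdiction: the largest count of affected residents of any
        single state or jurisdiction, which drives the media-notice requirement.
    """
    if affected_individuals < 0 or max_residents_in_one_jurisdiction < 0:
        raise ValueError("counts must be non-negative")
    if max_residents_in_one_jurisdiction > affected_individuals:
        raise ValueError("per-jurisdiction count cannot exceed total affected")

    large = affected_individuals >= LARGE_BREACH_THRESHOLD

    # Individual notice always runs from discovery, regardless of size.
    individuals_due = discovery + NOTIFICATION_WINDOW

    # HHS notice: from discovery for large breaches, from year-end for small ones.
    if large:
        hhs_due = discovery + NOTIFICATION_WINDOW
    else:
        hhs_due = end_of_calendar_year(discovery) + NOTIFICATION_WINDOW

    # Media notice is keyed to residents of one jurisdiction, not to the total.
    media_due = None
    if max_residents_in_one_jurisdiction >= MEDIA_RESIDENT_THRESHOLD:
        media_due = discovery + NOTIFICATION_WINDOW

    return NotificationSchedule(individuals_due, hhs_due, media_due, large)


if __name__ == "__main__":
    # Constructed scenarios, not real incidents.
    big = notification_deadlines(date(2019, 3, 1), 29_021, 29_021)
    small = notification_deadlines(date(2019, 3, 1), 120, 120)
    print("large:", big)
    print("small:", small)
```

Note the third parameter: a breach of 600 people spread thinly across many states still triggers individual and HHS notice as a large breach, but media notice only if some single state or jurisdiction has 500 or more affected residents, so the tracker needs per-jurisdiction counts, not just a total.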
Breach Notification: Information
• Notification must be detailed:
  – a brief description of what happened, including the date of the Breach and the date of discovery of the Breach;
  – a description of the types of Unsecured PHI involved (without, however, including specific PHI);
  – any steps Individuals should take to protect themselves from potential harm resulting from the Breach;
  – a brief description of what the Covered Entity is doing (i) to investigate the Breach, (ii) to mitigate harm to Individuals and (iii) to protect against further Breaches; and
  – contact procedures for Individuals to ask questions or learn additional information, including a toll-free telephone number, email address, website, or postal address.

HIPAA Enforcement
• HHS OCR interprets and enforces the Privacy Rule, Security Rule and Breach Notification Rule
• Civil penalties: up to $1.5M per calendar year for violations of an identical provision
• Criminal penalties: up to $250K and 10 years in prison
• No private right of action (note: state privacy laws and data breach notification laws may include private rights of action)
• Liability for actions of Business Associates
  – Approximately 20% of PHI data breaches have been caused by Business Associates
State Data Privacy and Breach Notification Laws
• In addition to HIPAA, almost all states have adopted laws that require breach notification, set privacy and confidentiality standards, and impose additional penalties. Iowa examples:
  – Iowa Personal Information Security Breach Notification (Iowa Code chapter 715C)
  – Iowa Mental Health Information Privacy Law (chapter 228)
  – Iowa HIV/AIDS Test Information Privacy Law (chapter 141A)
  – Iowa and Federal Substance Abuse Treatment Records Privacy Law (chapter 125)

Current State of Affairs
• External threats at an all-time high: hacking, ransomware
• Internal threats are the largest source of risk for covered entities: snooping, social media, phishing attacks
• More individual complaints
• OCR enforcement posture more aggressive
• OCR widening review of small breaches
• Settlement amounts are increasing
Statistics: 2019
• Since the implementation of the Privacy Rule in April 2003 (figures through July 2017), OCR has:
  – Received 184,614 HIPAA complaint cases/potential breach reports
  – Initiated over 928 compliance reviews on its own
  – Resolved 199,485 complaint cases (98%)
  – Investigated/resolved 26,621 cases by requiring changes through corrective action or providing technical assistance
  – Made 717 referrals to the DOJ for criminal sanctions
  – Reached settlements (called Resolution Agreements) with 62 entities since 2009, totaling $96,581,582
    • Almost all settlements are the result of an initial breach notification
    • Almost all settlements include a 2- to 3-year corrective action plan

• OCR concluded 2018 with an all-time record year for HIPAA enforcement
  – February 7, 2019 press release: OCR has concluded an all-time record year in HIPAA enforcement activity. In 2018, OCR settled 10 cases and secured one judgment, together totaling $28.7 million. This total surpassed the previous record of $23.5 million from 2016 by 22 percent. In addition, OCR also achieved the single largest individual HIPAA settlement in history of $16 million with Anthem, Inc., representing a nearly three-fold increase over the previous record settlement of $5.5 million in 2016.

Statistics: 2019
• Since the beginning of 2019, 71 large-scale (500 or more individuals) breaches have been reported to OCR
• Breaches are categorized by the following:
  – Type (theft, loss, etc.)
  – Location (desktop, portable device, email, etc.)
  – Entity (health plan or health care provider)
Statistics: Type of Breach
[Pie chart; categories: Theft, Hacking/IT Incident, Improper Disposal, Loss, Unauthorized Access/Disclosure, Unknown/Other. The percentage labels could not be reliably matched to categories in the extracted text.]

Statistics: Location of Breach
[Pie chart; categories: Desktop, Laptop, Paper/Films, Electronic Medical Record, Network Server, Email, Other Portable Electronic Device, Other. The percentage labels could not be reliably matched to categories in the extracted text.]

Statistics: Type of Covered Entity
[Pie chart: Healthcare Provider 77%, Health Plan 23%, Healthcare Clearing House 0%]
Resolution Agreements (RAs) & Corrective Action Plans (CAPs)
Example:
• University of Texas MD Anderson Cancer Center (summary judgment issued July 18, 2018)
• Three separate breaches occurred between April 2012 and December 2013
  – The first breach involved the theft of an unencrypted laptop that contained the ePHI of 29,021 individuals
  – The second and third breaches were both losses of unencrypted USB devices that contained the ePHI of 5,862 individuals
• Resolution Agreement Amount: $4.3 million

Resolution Agreements (RAs) & Corrective Action Plans (CAPs)
Example:
• Boston Medical Center, Brigham and Women’s Hospital and Massachusetts General Hospital (September 2018)
• At the three separate medical centers, PHI was compromised by inviting documentary film crews from ABC onto the premises without first obtaining authorization from patients.
• Collectively, the medical centers paid around $990,000
  – Boston Medical Center: $100,000
  – Brigham and Women’s Hospital: $384,000
  – Massachusetts General Hospital: $515,000
• Length of CAPs
  – Boston Medical Center: 2 years
  – Brigham and Women’s Hospital: unspecified
  – Massachusetts General Hospital: 1 year

Resolution Agreements (RAs) & Corrective Action Plans (CAPs)
Example:
• Anthem, Inc. (October 15, 2018)
• In March 2015, Anthem, an independent licensee of the Blue Cross and Blue Shield Association, reported that its IT system had been attacked “via an undetected continuous and targeted cyberattack”
  – Between December 2, 2014 and January 27, 2015, the ePHI of almost 79 million individuals had been stolen
  – This made it the largest health data breach in US history
• Resolution Agreement Amount: $16,000,000
• Length of CAP: 2 years