LESSONS LEARNED FROM FEDERAL HIPAA PRIVACY ENFORCEMENT
Ryan Meade, JD, CHRC, CHC-F
Director, Regulatory Compliance Studies, Loyola University Chicago School of Law

Topics/Agenda
Privacy Protection
Enforcement

The Landscape
Business is highly data-driven today, and there is less human contact in commerce.
Data is everywhere: computers, phones, tablets, chips, innumerable devices. And don't forget the old-fashioned way to keep data: paper.

The Landscape
Data is valuable; it even has a "street value":
SSN: $30
Health insurance #: $11
Credit card credentials: $4-8
Bank account number: $300

FTC Takes the Lead
The FTC Consumer Sentinel Network is a significant coordinator of privacy and identity theft enforcement.
The FTC received over 480,000 complaints about suspected identity theft in

States with the highest identity theft incidents: Missouri, Connecticut, Florida, Maryland, Illinois (WSJ, May 18, 2016)

Enforcement Agencies
The principal enforcement agencies:
FTC
DOJ/FBI
HHS-OCR
State Attorneys General

Examples: Software Vendor
The FTC recently announced a settlement with Henry Schein Practice Solutions Inc. (Henry Schein), a dental practice software provider, concluding an investigation into claims that Henry Schein misled customers about the encryption capabilities of its software. The software provider is required to pay $250,000 to settle the FTC charges that it falsely advertised the level of encryption it provided to protect patient data.

Software Vendors
Henry Schein marketed Dentrix software to dentists and dental practices. The software enables dentists to perform common office tasks, such as entering patient data, sending appointment reminders, processing patient payments, submitting patient insurance claims, documenting treatment planning, entering progress notes, and recording diagnostic information. Henry Schein's Dentrix G5 software incorporated a "database engine" provided by a third-party vendor, which included a form of data protection that Henry Schein advertised as "encryption."

Software Vendors
The FTC alleged that for a period of two years after it had been informed by its third-party vendor that the software's data protection was less secure and more vulnerable than the widely used, industry-standard encryption algorithms, Henry Schein advertised Dentrix G5 as having the ability to encrypt patient data and help dentists meet their regulatory obligations under HIPAA. The FTC alleged that, in light of what Henry Schein knew about its product, Henry Schein violated Section 5 of the FTC Act by making deceptive claims that Dentrix G5 met industry encryption standards despite being aware that the software used a proprietary data masking technique that fell short of the NIST encryption standard.
The practical consequence for a practice: the HIPAA breach-notification safe harbor for lost or stolen data applies only to data encrypted in accordance with HHS guidance, which points to NIST standards, so a stolen database protected by vendor "masking" is still unsecured PHI and a reportable breach.

Software Vendors
Under the terms of the proposed consent order, Henry Schein must pay $250,000 to the FTC. In addition, the company will be prohibited from misleading customers about the extent to which its products use industry-standard encryption, help ensure regulatory compliance, or protect consumers' personal information. Henry Schein also must notify each customer who purchased Dentrix G5 during the period when the company made the misleading statements, and provide the FTC with ongoing reports on the notification program.
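The distinction the FTC drew between a proprietary data masking technique and NIST-standard encryption is one a buyer can test without reading the vendor's source. The Go program below is an added example written for this page; it is not code from the presentation, from Henry Schein, or from Dentrix. Its XOR "masking" scheme and the constant DEMO-MASK are invented to stand in for any reversible, keyless obfuscation (they are not a description of what Dentrix G5 did), and the industry-standard path uses AES-256-GCM from the Go standard library. The two checks a practitioner would run are: protect the same record twice and compare the outputs, and feed one known record through the scheme to see whether it gives up its "key".

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// maskingKey is the fixed constant baked into the toy "masking" scheme below.
// It is an assumption for this example, not a description of any real product.
var maskingKey = []byte("DEMO-MASK")

// maskRecord "protects" a record with repeating-key XOR against a constant that
// ships with the program. Anyone with the binary can reverse it, equal inputs
// give equal outputs, and nothing detects tampering. Whatever a data sheet
// calls it, this is obfuscation, not encryption in the NIST (FIPS 197 / AES) sense.
func maskRecord(plain []byte) []byte {
	out := make([]byte, len(plain))
	for i, b := range plain {
		out[i] = b ^ maskingKey[i%len(maskingKey)]
	}
	return out
}

// unmaskRecord needs no key material beyond the program itself.
func unmaskRecord(masked []byte) []byte { return maskRecord(masked) }

// recoverMaskKey shows why a fixed-constant XOR is not encryption: one known
// record (a file header, a blank form template) yields the whole "key".
func recoverMaskKey(knownPlain, masked []byte, keyLen int) []byte {
	key := make([]byte, keyLen)
	for i := 0; i < keyLen && i < len(knownPlain) && i < len(masked); i++ {
		key[i] = knownPlain[i] ^ masked[i]
	}
	return key
}

// encryptRecord is the industry-standard alternative: AES-256-GCM with a fresh
// random nonce per record. Output layout is nonce || ciphertext || tag.
func encryptRecord(key, plain []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plain, nil), nil
}

// decryptRecord fails closed: a wrong key or a single flipped byte is rejected
// by the GCM tag instead of yielding silently corrupted patient data.
func decryptRecord(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns+gcm.Overhead() {
		return nil, errors.New("sealed record too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], nil)
}

// leaksEquality is the one-line audit a buyer can run against any vendor's
// "encryption": protect the same record twice and compare. Real encryption
// with a per-record nonce never repeats its output; deterministic masking does.
func leaksEquality(protect func([]byte) []byte, plain []byte) bool {
	return bytes.Equal(protect(plain), protect(plain))
}

func main() {
	record := []byte("Patient: Jane Doe, DOB 1970-01-01, Dx K02.9") // constructed sample
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	aesProtect := func(p []byte) []byte {
		c, err := encryptRecord(key, p)
		if err != nil {
			panic(err)
		}
		return c
	}
	fmt.Println("masking leaks equal records:", leaksEquality(maskRecord, record))
	fmt.Println("AES-GCM leaks equal records: ", leaksEquality(aesProtect, record))
	fmt.Printf("mask key recovered from one known record: %q\n",
		recoverMaskKey(record, maskRecord(record), len(maskingKey)))
}
```

The equality check is the cheapest due-diligence test there is: if a product's "encrypted" database stores the same bytes for two identical records, it is not using a mode with a nonce or IV and the claim of standards-based encryption deserves scrutiny. The known-plaintext recovery is what an attacker with a stolen backup and one blank form would do.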

Pharmacy (Cornell Prescription Pharmacy)
OCR opened a compliance review and investigation after receiving notification from a local Denver news outlet regarding the disposal of unsecured documents containing the PHI of 1,610 patients in an unlocked, open container on Cornell's premises. The documents were not shredded and contained identifiable information regarding specific patients. Evidence obtained by OCR during its investigation revealed Cornell's failure to implement any written policies and procedures as required by the HIPAA Privacy Rule. Cornell also failed to provide training on policies and procedures to its workforce as required by the Privacy Rule.

Hospital
$850,000 settlement with OCR on November 25, 2015
Not-for-profit teaching hospital (Lahey Hospital and Medical Center, affiliated with Tufts Medical School) in Burlington, Massachusetts
Self-disclosure by Lahey on October 11, 2011:
Laptop stolen from an unlocked treatment room during overnight hours on August 11, 2011
Laptop was on a stand associated with a portable CT scanner
Hard drive contained PHI of 599 individuals
OCR attributed the need for corrective action to its findings of widespread noncompliance with the HIPAA Security Rule.

Hospital
OCR conducted an investigation and identified noncompliance predating the breach, including:
Failure to conduct a thorough risk analysis of all of its ePHI
Failure to physically safeguard a workstation that accessed ePHI
Failure to implement and maintain policies and procedures regarding the safeguarding of ePHI maintained on workstations used in connection with diagnostic/laboratory equipment
Lack of a unique user name for identifying and tracking user identity with respect to the workstation at issue in this incident
Failure to implement procedures that recorded and examined activity in the workstation at issue in this incident

Hospital
OCR stated in a press release: "Because these workstations often contain ePHI and are highly portable, such ePHI must be considered during an entity's risk analysis, and entities must ensure that necessary safeguards that conform to HIPAA's standards are in place."
Resolution Agreement: OCR sets out a list of 6 violations of the Privacy and Security Rules. The principal violations are Security Rule violations, which lead up to a Privacy Rule violation ("impermissibly disclosed the ePHI of 599 individuals for a purpose not permitted by the Privacy Rule").

Hospital
Resolution Agreement: Lahey agreed to a Corrective Action Plan very similar to Cancer Care's, but with the following differences:
Term lasts 2 years
Conduct a risk analysis: "The risk analysis shall include all ePHI maintained by Lahey, and include but not be limited to, ePHI stored on and accessed by workstations utilized in connection with diagnostic/laboratory equipment."
Risk Analysis methodology must be approved by HHS before the Risk Analysis is conducted

Hospital
Resolution Agreement: Policies and Procedures Revision
1. "maintaining a record of receipt, removal, and disposition of hardware and electronic media that maintain ePHI into and out of Lahey's facility, and the movement of these items within its facility"
2. "ensuring workstations that maintain ePHI utilized in connection with diagnostic/laboratory equipment are registered with Lahey's Information Services Department ("ISD") and under the control of ISD"
3. "implementing hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use workstations that maintain ePHI utilized in connection with diagnostic/laboratory equipment."
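Three of the Lahey findings are technical controls rather than paperwork: every workstation touching ePHI must be in the ISD inventory, every logon must identify one individual, and someone must actually examine the recorded activity. The Go program below is an added example written for this page, not code from the presentation or from anything Lahey or OCR published; it runs those two checks over a workstation audit trail. The log line layout ("<timestamp> host=<name> user=<id> action=<verb>"), the hostnames, account names, ISD asset tags and the list of shared accounts are all constructed for illustration.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// AccessEvent is one line of the workstation audit trail. The field layout is
// an assumption for this example: "<timestamp> host=<name> user=<id> action=<verb>".
type AccessEvent struct {
	Time, Host, User, Action string
}

// parseAuditLine splits one log line into an AccessEvent. Lines that do not
// carry all three fields are reported as unparseable rather than guessed at.
func parseAuditLine(line string) (AccessEvent, bool) {
	fields := strings.Fields(line)
	if len(fields) < 4 {
		return AccessEvent{}, false
	}
	ev := AccessEvent{Time: fields[0]}
	for _, f := range fields[1:] {
		k, v, ok := strings.Cut(f, "=")
		if !ok {
			return AccessEvent{}, false
		}
		switch k {
		case "host":
			ev.Host = v
		case "user":
			ev.User = v
		case "action":
			ev.Action = v
		}
	}
	if ev.Host == "" || ev.User == "" || ev.Action == "" {
		return AccessEvent{}, false
	}
	return ev, true
}

// Finding is one item for the security officer to examine.
type Finding struct {
	Time, Host, User, Issue string
}

// reviewAuditTrail applies the two controls the Lahey findings name:
// the workstation must be registered with ISD (device inventory), and the
// account must identify one individual (no shared or generic logon).
// registered maps hostname -> ISD asset tag; sharedAccounts lists logons that
// do not map to a single person. Both are supplied by the caller.
func reviewAuditTrail(lines []string, registered map[string]string, sharedAccounts map[string]bool) ([]Finding, int) {
	var findings []Finding
	unparsed := 0
	for _, line := range lines {
		ev, ok := parseAuditLine(line)
		if !ok {
			unparsed++ // a line the control cannot examine is itself a gap
			continue
		}
		if _, ok := registered[ev.Host]; !ok {
			findings = append(findings, Finding{ev.Time, ev.Host, ev.User,
				"ePHI activity on workstation not registered with ISD"})
		}
		if sharedAccounts[strings.ToLower(ev.User)] {
			findings = append(findings, Finding{ev.Time, ev.Host, ev.User,
				"activity under shared account; no unique user identification"})
		}
	}
	sort.Slice(findings, func(i, j int) bool {
		if findings[i].Time != findings[j].Time {
			return findings[i].Time < findings[j].Time
		}
		return findings[i].Issue < findings[j].Issue
	})
	return findings, unparsed
}

func main() {
	// Constructed sample trail; hostnames, users and timestamps are invented.
	trail := []string{
		"2011-08-11T01:58:00Z host=CT-PORTABLE-02 user=ctscan action=open_study",
		"2011-08-11T02:03:00Z host=CT-PORTABLE-02 user=ctscan action=export_images",
		"2011-08-11T09:14:00Z host=RAD-WS-07 user=jsmith action=open_study",
		"2011-08-11T09:20:00Z host=LAB-ANALYZER-3 user=mlee action=print_report",
		"garbage line with no structure",
	}
	registered := map[string]string{"RAD-WS-07": "ISD-4471", "LAB-ANALYZER-3": "ISD-5102"}
	shared := map[string]bool{"ctscan": true, "admin": true, "radiology": true}
	findings, unparsed := reviewAuditTrail(trail, registered, shared)
	for _, f := range findings {
		fmt.Printf("%s %-15s %-8s %s\n", f.Time, f.Host, f.User, f.Issue)
	}
	fmt.Printf("%d finding(s), %d unparseable line(s)\n", len(findings), unparsed)
}
```

The point of counting unparseable lines is that an audit control which silently drops what it cannot read is the "failure to examine activity" finding in another form; the review should surface that count alongside the findings.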

Insurance
Triple-S Management Corporation
$3.5 million settlement with OCR on September 2, 2015
Insurance company in Puerto Rico with multiple holdings providing a variety of health insurance offerings through subsidiaries
OCR investigated after several breach notifications: 5 notices each affecting more than 500 individuals between November 2010 and March 2015, and another two breaches affecting under 500 individuals in February and August

Insurance
OCR claimed to find:
1. Failure to implement appropriate administrative, physical, and technical safeguards to protect the privacy of its beneficiaries' PHI;
2. Impermissible disclosure of its beneficiaries' PHI to an outside vendor with which it did not have an appropriate business associate agreement;
3. Use or disclosure of more PHI than was necessary to carry out mailings;
4. Failure to conduct an accurate and thorough risk analysis that incorporates all IT equipment, applications, and data systems utilizing ePHI; and
5. Failure to implement security measures sufficient to reduce the risks and vulnerabilities to its ePHI to a reasonable and appropriate level.

Insurance
Resolution Agreement: Triple-S agreed to:
A risk analysis and a risk management plan;
A process to evaluate and address any environmental or operational changes that affect the security of the ePHI it holds;
Policies and procedures to facilitate compliance with the requirements of the HIPAA Rules; and
A training program covering the requirements of the Privacy, Security, and Breach Notification Rules, intended to be used for all members of the workforce and business associates providing services on Triple-S premises.

Ransomware
Prevalence of ransomware attacks
Is a ransomware attack a breach? The law is unsettled
A disaster plan is essential

Lessons Learned
Privacy Compliance Programs Needed Elements:
1. Privacy Officer (Security Officer)
2. Policies and Procedures
3. Training
4. Hotline
5. Auditing and Monitoring
6. Demonstrated Response to Suspected Non-compliance
7. Discipline
...and a Risk Assessment

Lessons Learned
(Routine) Risk Assessment
Essential to do one. It is fundamental to compliance with the HIPAA Security Rule, and OCR almost always requests documentation of the security risk analysis in its investigations.
Needs to cover both privacy and security risks
Document the Risk Analysis
Develop a remediation plan; the plan should include, as appropriate: policies, training, auditing, and an emphasis on the "movement" and storage of e-data
Revisit the Risk Analysis periodically
Note: A Risk Analysis that shows a risk is not a problem as long as the risk is remediated or a plan is put together to manage it

Content: Learning from resolutions
1. Uses and Disclosures of Data
2. Only Disclose Minimum Necessary
3. Disclosures to Vendors
4. Training
5. Identification of Safeguards
6. Changes to Policies and Procedures
7. Device and Media Controls
8. Encryption
9. Audit the Controls

Questions?