Patient Privacy for the Life Sciences Industry: 2012 Update
Drew Gantt and David Sclar, Cooley LLP

Agenda
Update on Enforcement
Data Breach Notification Requirements
HIPAA Best Practices for Business Associates

Penalties for Non-Compliance
HITECH significantly increased penalties
  Civil
  Criminal
Tiered penalty structure with scalable penalties based on the nature and circumstances of the violation
Government and individual incentives exist to encourage complaints/enforcement
Breach notification requirements make breaches public

Penalties for Non-Compliance
For violations before 2/18/09: CMPs up to $100 per violation, with a cap of $25,000 per calendar year for violations of each requirement
For violations after 2/18/09: CMPs from $100 to $50,000 or more per violation, with a cap of $1,500,000 per calendar year for violations of each requirement
OCR may reduce penalties if the failure to comply was due to reasonable cause and not willful neglect, and the penalty would be excessive relative to the noncompliance
Graduated criminal penalties up to $250,000 and/or 10 years of imprisonment. Offenses committed with intent to sell, transfer, or use PHI for commercial advantage, personal gain or malicious harm carry higher penalties

Enforcement is More Likely
Increased penalties encourage enforcement
State attorneys general may bring an enforcement action on behalf of residents for HIPAA violations. OCR is now training state AGs how to do so
HHS is now required to conduct periodic compliance audits of covered entities and business associates
New breach notification requirements create a road map for enforcement
While there is no private cause of action, affected parties may share in penalties, which may encourage complaints
Growth in e-Health and electronic patient information means violations are more likely

Enforcement in Action
OCR
  Delegated authority July 27, 2009
  10 regional offices
  Reviews every complaint received
Privacy Rule
  OCR received 57,375 complaints from April 14, 2003 to December 31, 2010 and obtained corrective action in 12,573 cases
Security Rule
  OCR received 803 complaints from April 20, 2005 to December 31, 2010 and obtained corrective action in 150 cases
  Almost all cited security issues are administrative requirements
In 2010, more than 50% of enforcement actions resulted in corrective action

Enforcement in Action
Breaches make headlines
Massachusetts General Hospital – Employee left paper patient records on the metro ($1M fine + Corrective Action Plan + internal monitoring requirement + submission of compliance reports to HHS for 3 years)
First criminal sentence against a healthcare worker (April 2010): UCLA cardiothoracic surgeon/researcher sentenced to four months in jail
First Civil Monetary Penalty (February 2011): $4.3 million imposed on Cignet Health
First enforcement action against a Business Associate (January 2012)
  Minnesota attorney general brought action against Accretive Health Inc.
  Employee laptop with PHI stolen from rental car
  Allegation that Accretive Health failed to adequately disclose its data collection practices to patients

Enforcement in Action
HITECH enforcement by HHS pending
  HHS Secretary has indicated it will not enforce HITECH until the final omnibus regulation becomes effective (expected later in 2012)
  State attorneys general are not bound by the enforcement discretion being exercised by HHS

Agenda
Update on Enforcement
Data Breach Notification Requirements
HIPAA Best Practices for Business Associates

Breach Notification Rule Overview
Breach is defined as:
  Unauthorized acquisition, access, use or disclosure
  That compromises data privacy or security
  Exceptions for inadvertent or harmless mistakes
Applies to all electronic “unsecured PHI”
  EPHI is “unsecured” if it is not encrypted or destroyed

Breach Notification Rule Overview
Breach notifications required
  Individual notice
  HHS Secretary
  Media notice (500 or more affected residents of a state or jurisdiction)
Notification required within 60 days after discovery
  Discovery means the breach is known or should reasonably have been known
Don’t forget state data breach notification laws
  Laws in forty-six states, DC, Puerto Rico and the Virgin Islands require notification of security breaches involving personal information
  State notification laws may require faster notice (e.g. 5 days for certain providers in California)

Breach Notification Rule Overview
Breach reports to HHS Secretary from September 2009 – April 2011
  500 or more affected individuals: 265 reports
    CY 2010: 207 reports (5.4M affected individuals)
  Fewer than 500 affected individuals: > 31,000 reports
    CY 2010: > 25,000 reports (> 50,000 affected individuals)
The 99% and the 1% … A few breaches have widespread impact
  Three recent significant breaches affect 1.3 million more individuals
    Utah Department of Health (hacking; 780,000 individuals affected)
    Emory Healthcare (missing computer disks; 350,000 individuals affected)
    South Carolina Department of Health and Human Services (employee allegedly transferred patient information to his personal email account; 228,000 individuals affected)

Breach Notification Rule Overview
Common causes of large breaches (500 or more affected individuals):
  (1) Theft (50%)
  (2) Unauthorized access to, use, or disclosure of PHI (18%)
  (3) Loss of electronic media or paper records containing protected health information (17%)
  (4) Hacking/IT incidents (7%)
  (5) Improper disposal (5%)
Theft and loss are 67% of large breaches
53% of large breaches involve laptops (24%), portable electronic devices (15%), or desktop computers (14%)
23% of large breaches involve paper records

Agenda
Update on Enforcement
Data Breach Notification Requirements
HIPAA Best Practices for Business Associates

Business Associate Compliance
HIPAA generally applies to certain Covered Entities, which include certain health care providers, health plans and health care clearinghouses, and to Business Associates of Covered Entities
Not all life science companies are Business Associates, but many Business Associates are life science companies
Business Associates are persons that perform functions for or on behalf of a Covered Entity that involve the Business Associate’s creation of, or receipt from the Covered Entity of, Protected Health Information (PHI)
Business Associates enter into Business Associate Agreements (BAAs) with Covered Entities that allow Business Associates’ creation or receipt of PHI and obligate Business Associates to appropriately safeguard the PHI
Business Associates also need to enter into agreements with their subcontractors creating or receiving PHI for or on behalf of Business Associates to ensure they comply with the same restrictions and conditions as apply to Business Associates under their BAAs

Business Associate Compliance
HITECH results in a “sea change” for Business Associates (BAs)
  Now directly regulated by OCR and contractually liable to covered entity clients
  Now subject to certain HIPAA Privacy Rule requirements and most Security Rule requirements
  Now subject to the same penalties as covered entities, and those penalties are LARGE
HITECH requirements implicate a larger compliance effort
The “sign the business associate agreement and forget about it” approach is no longer defensible

Business Associate Compliance
Proactive Business Associates
  Designate a Privacy Officer and other privacy personnel
  Have policies and procedures to ensure compliance with:
    Privacy Rule
    Security Rule
    Terms of BAAs with Covered Entities
    BAAs with Subcontractors
  Take initiative
    Encrypt information
    Improve physical security
    Train and retrain
    Conduct risk assessments, investigate, and sanction
    Be prepared to respond to data breaches

Questions?
Please direct questions regarding this presentation to Drew Gantt and Natasha Leskovsek
http://www.cooley.com/agantt
http://www.cooley.com/nleskovsek