Protecting PHI and Responding to Data Thefts. Presenters Randy Gainer Partner Davis Wright Tremaine, LLP Seattle Paul Smith Partner Davis Wright Tremaine,

Presenters
– Randy Gainer, Partner, Davis Wright Tremaine, LLP, Seattle
– Paul Smith, Partner, Davis Wright Tremaine, LLP, San Francisco
– Tom Byron, Chief Information Officer, Washington State Hospital Association

Outline
– Hospitals’ duties to protect patient and employee data
– Risks to data
– Actions that can prevent loss or theft
– Actions to respond to data breaches

Sources of Hospital Duties to Protect Data

Hospital Duties to Protect Data
– HIPAA Privacy and Security Rules
– Washington Uniform Health Care Information Act
– Hospital privacy policies coupled with consumer protection statutes
– Common law duty of care

HIPAA Privacy Rule
45 C.F.R. § (c) requires covered entities
– to have appropriate administrative, technical, and physical safeguards to protect the privacy of PHI; and
– to safeguard PHI from intentional or unintentional disclosure in violation of HIPAA.

HIPAA Security Rule
45 C.F.R. § requires covered entities, among other things:
– to protect against reasonably anticipated threats to the security of ePHI;
– to protect against reasonably anticipated misuses or disclosures of ePHI;
– to assure that their workforces comply with the Security Rule; and
– to obtain assurances of confidentiality and security from their contractors.

HIPAA Security Rule (cont’d)
– 45 C.F.R. §§ (a)(1)(ii)(A) & (B) require covered entities to engage in risk analysis and risk management to reduce risks to the security of ePHI to a reasonable level.
– 45 C.F.R. §§ (a)(2)(ii) & (d)(1) require covered entities to implement policies and procedures to safeguard their physical facilities, hardware, software, and electronic media to protect against theft. (Though (a)(2)(ii) is “addressable,” it will apply to hospitals.)

Medicare Conditions of Participation
A Medicare rule, 42 C.F.R. § , requires hospitals to assure that:
– patient records are confidential;
– unauthorized persons cannot gain access to or alter patient records; and
– patient records are released only to authorized persons in accordance with law.

WA Uniform Health Care Information Act
– A section of the UHCIA, RCW , requires health care providers to implement reasonable safeguards to secure health care information.
– RCW provides that patients may recover actual damages (though not consequential or incidental damages), attorneys’ fees, and costs.

Hospital Privacy Policies + Consumer Protection Act
– Hospital privacy policies may assure patients that their information will be kept confidential.
– In other contexts, the FTC has brought unfair trade practice claims against companies that failed to implement adequate security after claiming they would protect consumers’ data. E.g., BJ’s Wholesale Club Consent Order, FTC File No (May 2005).

Hospital Privacy Policies + Consumer Protection Act (cont’d)
– Plaintiffs in Gibson v. Providence claim that the hospital violated the Oregon Unlawful Trade Practices Act by representing in its privacy policy that it would protect patient data and allegedly failing to do so.
– A similar claim could be brought under the WA CPA. Potential remedies under RCW include actual damages, discretionary treble damages, attorneys’ fees, and costs.

Negligence Claims
– Plaintiffs in many data breach cases have claimed that companies that store consumer information have a duty to use reasonable care to protect the information.
– Litigants claim that the various statutes that address information security provide references to establish the elements of that duty.

Risks to Data

Many data thefts have been reported, but we are probably not experiencing an epidemic of thefts.
– 73 million consumers’ data have been reported stolen or lost in the 12 months ending September.
– Only about 5 million individuals have reported their data have been misused.

Risks to Data (cont’d)
– Rather than there being more thefts than in the past, it is likely that data breach notification statutes have uncovered a problem that already existed.

Inside Risks
General employees
– Janitors copied information from paper charts left at a hospital’s workstations; clerks at another hospital copied data.
IT employees
– An IT director e-mailed a large number of patient records to his home computer.

Inside Risks
Contractors
– The University of California at San Francisco hospital hired a transcriptionist to transcribe tapes. A Pakistani sub-sub-contractor threatened to post confidential medical information on the Internet unless she were paid a certain amount of money.

Outside Risks
Walk-in thieves
– A laptop used for patient registration in an E.R. was stolen; a desktop computer with ePHI at a clinic was stolen after hours.
Thieves who steal laptops from employees’ cars
– Numerous laptops with confidential information have been reported stolen.

Outside Risks (cont’d)
Electronic penetration
– In May 2005, attackers accessed CardSystems Solutions' networks. They found a treasure trove of unencrypted credit card data.
– In March 2004, a credit card database was stolen from BJ's Wholesale Club. Three million customers’ card data were exposed to international crime gangs who produced counterfeit cards and made millions of dollars in fraudulent purchases.

Outside Risks (cont’d)
Electronic penetration
– Hospital systems may be penetrated as well.

Preventing Theft or Loss of PHI

Hire a Third Party to Conduct Risk Assessments
– Contractors experienced with hospital security issues can spot vulnerabilities that employees fail to notice.
– Electronic security specialists should inspect and test systems, policies, and procedures used to protect ePHI.

Re-perform Risk Assessments Regularly
– As your technology changes and thieves become more sophisticated, security needs to be re-assessed.

Encrypt Confidential Data and ePHI Stored on Laptops
– Many laptops are stolen and lost. It is unreasonable to store unencrypted data on laptops.
– User-friendly laptop encryption programs are available.
– Alternatively, data needed offsite can be accessed via a VPN.

Screen Employees and Monitor Data
Employees and contractors who may have access to PHI should be carefully screened.
– Information that may be used for identity theft is valuable and easily converted to cash.
– Only those who can be trusted with access to such valuable information should be permitted access to it.
There should be video surveillance of areas where PHI is stored.

Responding to Data Breaches

Washington Law
RCW requires businesses to promptly notify individuals whose computerized personal information is reasonably believed to have been obtained by an unauthorized person.
– “Personal information” means an individual’s first name or initial, last name, and SSN, driver’s license number, or State ID card number, or account or bank card number.

Washington Law (cont’d)
– Note that the WA data breach notice statute applies only to computerized data.
– It may nonetheless be prudent to notify individuals if a paper record with personal information is stolen.

Notice of Data Breach
– Notice must be in writing or sent electronically in a manner that complies with E-Sign (i.e., by e-mail to an address supplied by the patient),
– unless the costs of notice would exceed $250,000, in which case substitute notice by e-mail, web posting, and statewide media disclosure may be substituted.

Six Steps to Respond to Data Breaches
1. Notify internal officials
2. Investigate what information was obtained and determine how
3. Determine whom to notify – individuals, law enforcement, regulators, others?
4. Send notifications
5. Respond to inquiries, litigation
6. Correct security flaws, remediate damages

Step 1: Notify Internal Officials and Counsel
– CPO, CSO, CIO, GC, and outside counsel should be informed of the incident and of available information.
– Written communications to and from counsel should be marked “attorney-client privileged.”

Step 1: Notify Internal Officials and Counsel (cont’d)
A team should be designated and tasked
– to manage the investigation,
– to contact law enforcement (if there was a theft),
– to coordinate media strategy, and
– to supervise the notice process.

Step 2: Investigate the Breach
– What information was accessed or stolen? Were “computerized data” and “personal information” obtained by an unauthorized person?
– If computer forensics, network security, or private investigators are needed, they should be hired by counsel to permit him or her to advise you. The consultants’ reports should be privileged.

Step 3: Determine Whom to Notify
– Notify senior management and the board.
– Notify law enforcement of theft.
  – Discuss with law enforcement whether to delay notifying others.
– Create lists of any potentially affected individuals, with notice addresses.
– Notify CMS, JCAHO, State AG?
– Notify employees, media?

Step 4: Send Notifications
If individuals are to be notified:
– decide whether to outsource notice;
– decide whether to offer credit monitoring and other services (one year of credit monitoring is standard);
– draft notice letters with potential litigation in mind;
– train operators for a call-in center; draft scripts; and
– post important info. and FAQs on your website.

Step 4: Send Notifications (cont’d)
– Notices to regulators should concisely explain what occurred and what remediation steps have been and are being taken.

Step 5: Respond to Inquiries and Litigation
– Respond to inquiries from individuals, employees, and the media honestly, but with an understanding that everything you state may be used in court.
– Be prepared to defend against a class action, especially if any information is misused. Emotional distress alone should be insufficient for plaintiffs to avoid dismissal.

Step 6: Correct Security Flaws and Remediate Damages
Immediately correct all vulnerabilities that may have contributed to the breach:
– institute secure transport and storage of backup tapes;
– encrypt ePHI and personal information on laptops;
– revise procedures to account for copies of patient data; and
– assure that video surveillance of areas where data are stored is functioning properly.

Step 6: Correct Security Flaws and Remediate Damages (cont’d)
– If your computer network was penetrated, prepare for additional attacks when the breach is disclosed.
– If individuals can show they suffered fraud related to the breach, compensate them.
  – Your claims specialist should review fraud claims.
  – Experts estimate that 1-4% of the population have experienced “identity theft.”
  – You should compensate only fraud that was probably caused by the breach at your hospital, not by another event.

Questions? Comments?

Thank you for participating! Please fill out the evaluation.