
1 Patient Privacy for the Life Sciences Industry: 2012 Update
Drew Gantt and David Sclar, Cooley LLP


2 Agenda
- Update on Enforcement
- Data Breach Notification Requirements
- HIPAA Best Practices for Business Associates

3 Penalties for Non-Compliance
- HITECH significantly increased penalties, both civil and criminal
- Tiered penalty structure with scalable penalties based on the nature and circumstances of the violation
- Government and individual incentives exist to encourage complaints and enforcement
- Breach notification requirements make breaches public

4 Penalties for Non-Compliance
- For violations before 2/18/09: CMPs up to $100 per violation, with a cap of $25,000 per calendar year for violations of each requirement
- For violations after 2/18/09: CMPs from $100 to $50,000 or more per violation, with a cap of $1,500,000 per calendar year for violations of each requirement
- OCR may reduce penalties if the failure to comply was due to reasonable cause and not willful neglect, and the penalty would be excessive relative to the noncompliance
- Graduated criminal penalties up to $250,000 and/or 10 years of imprisonment. Offenses committed with intent to sell, transfer, or use PHI for commercial advantage, personal gain or malicious harm carry higher penalties

5 Enforcement is More Likely
- Increased penalties encourage enforcement
- State attorneys general may bring an enforcement action on behalf of residents for HIPAA violations; OCR is now training state AGs how to do so
- HHS is now required to conduct periodic compliance audits of covered entities and business associates
- New breach notification requirements create a road map for enforcement
- While there is no private cause of action, affected parties may share in penalties, which may encourage complaints
- Growth in e-Health and electronic patient information means violations are more likely

6 Enforcement in Action
- OCR: delegated authority July 27, 2009; 10 regional offices; reviews every complaint received
- Privacy Rule: OCR received 57,375 complaints from April 14, 2003 to December 31, 2010 and obtained corrective action in 12,573 cases
- Security Rule: OCR received 803 complaints from April 20, 2005 to December 31, 2010 and obtained corrective action in 150 cases; almost all cited security issues are administrative requirements
- In 2010, more than 50% of enforcement actions resulted in corrective action

7 Enforcement in Action: Breaches make headlines
- Massachusetts General Hospital: employee left paper patient records on the metro ($1M fine + Corrective Action Plan + internal monitoring requirement + submission of compliance reports to HHS for 3 years)
- First criminal sentence against a healthcare worker (April 2010): UCLA cardiothoracic surgeon/researcher sentenced to four months in jail
- First Civil Monetary Penalty (February 2011): $4.3 million imposed on Cignet Health
- First enforcement action against a Business Associate (January 2012): Minnesota attorney general brought action against Accretive Health Inc. after an employee laptop containing PHI was stolen from a rental car; allegation that Accretive Health failed to adequately disclose its data collection practices to patients

8 Enforcement in Action: HITECH enforcement by HHS pending
- HHS Secretary has indicated it will not enforce HITECH until the final omnibus regulation becomes effective (expected later in 2012)
- State attorneys general are not bound by the enforcement discretion being exercised by HHS

9 Agenda
- Update on Enforcement
- Data Breach Notification Requirements
- HIPAA Best Practices for Business Associates

10 Breach Notification Rule Overview
- Breach is defined as unauthorized acquisition, access, use or disclosure that compromises data privacy or security
- Exceptions for inadvertent or harmless mistakes
- Applies to all electronic “unsecured PHI”; EPHI is “unsecured” if it is not encrypted or destroyed

11 Breach Notification Rule Overview
- Breach notifications required: individual notice; notice to the HHS Secretary; media notice (500 or more affected residents of a state or jurisdiction)
- Notification required within 60 days of discovery; discovery means the breach is known or should reasonably have been known
- Don’t forget state data breach notification laws: laws in forty-six states, DC, Puerto Rico and the Virgin Islands require notification of security breaches involving personal information
- State notification laws may require faster notice (e.g. 5 days for certain providers in California)

12 Breach Notification Rule Overview
- Breach reports to HHS Secretary from September 2009 to April 2011:
  - 500 or more affected individuals: 265 reports; CY 2010: 207 reports (5.4M affected individuals)
  - Fewer than 500 affected individuals: more than 31,000 reports; CY 2010: more than 25,000 reports (more than 50,000 affected individuals)
- The 99% and the 1%: a few breaches have widespread impact
- Three recent significant breaches affect 1.3 million more individuals:
  - Utah Department of Health (hacking; 780,000 individuals affected)
  - Emory Healthcare (missing computer disks; 350,000 individuals affected)
  - South Carolina Department of Health and Human Services (employee allegedly transferred patient information to his personal account; 228,000 individuals affected)

13 Breach Notification Rule Overview
- Common causes of large breaches (500 or more affected individuals): (1) theft (50%); (2) unauthorized access to, use, or disclosure of PHI (18%); (3) loss of electronic media or paper records containing protected health information (17%); (4) hacking/IT incidents (7%); and (5) improper disposal (5%)
- Theft and loss together are 67% of large breaches
- 53% of large breaches involve laptops (24%), portable electronic devices (15%), or desktop computers (14%)
- 23% of large breaches involve paper records

14 Agenda
- Update on Enforcement
- Data Breach Notification Requirements
- HIPAA Best Practices for Business Associates

15 Business Associate Compliance
- HIPAA generally applies to certain Covered Entities (which include certain health care providers, health plans and health care clearinghouses) and to Business Associates of Covered Entities
- Not all life science companies are Business Associates, but many Business Associates are life science companies
- Business Associates are persons that perform functions for or on behalf of a Covered Entity that involve the Business Associate’s creation of, or receipt from the Covered Entity of, Protected Health Information (PHI)
- Business Associates enter into Business Associate Agreements (BAAs) with Covered Entities that allow the Business Associate’s creation or receipt of PHI and obligate the Business Associate to appropriately safeguard the PHI
- Business Associates also need to enter into agreements with their subcontractors that create or receive PHI for or on behalf of the Business Associate, to ensure those subcontractors comply with the same restrictions and conditions that apply to the Business Associate under its BAAs

16 Business Associate Compliance
- HITECH results in a “sea change” for Business Associates (BAs)
- Now directly regulated by OCR and contractually liable to covered entity clients
- Now subject to certain HIPAA Privacy Rule requirements and most Security Rule requirements
- Now subject to the same penalties as covered entities, and those penalties are LARGE
- HITECH requirements implicate a larger compliance effort; the “sign the business associate agreement and forget about it” approach is no longer defensible

17 Business Associate Compliance: Proactive Business Associates
- Designate a Privacy Officer and other privacy personnel
- Have policies and procedures to ensure compliance with: the Privacy Rule; the Security Rule; the terms of BAAs with Covered Entities; BAAs with subcontractors
- Take initiative: encrypt information; improve physical security; train and retrain; conduct risk assessments, investigate, and sanction; be prepared to respond to data breaches

18 Questions?
Please direct questions regarding this presentation to Drew Gantt and Natasha Leskovsek.

