Presentation is loading. Please wait.

Presentation is loading. Please wait.

Milada R. Goturi Tonya M. Oliver Thompson Coburn LLP 1.

Published byJerome Morris Modified over 9 years ago

Similar presentations

Presentation on theme: "Milada R. Goturi Tonya M. Oliver Thompson Coburn LLP 1."— Presentation transcript:

1 Milada R. Goturi Tonya M. Oliver Thompson Coburn LLP 1

2  Overview of Data Breaches  HIPAA/HITECH Considerations  State Data Security Laws  Case Studies & Prevention Strategies 2

3  Generally, a data breach is: ◦ unauthorized ◦ acquisition, access, use, or disclosure ◦ of confidential information  Protected Health Information  Other confidential information 3

4  Hacking/IT incident  Improper PHI Disposal  Loss of Electronic Device  Theft – Laptop, Hard Disks, Portable Electronic Devices,  Unauthorized Access (e.g., employee improperly accesses data) 4

5  Health Net - Lost data servers (2011)  Massachusetts General – Documents containing PHI of 192 patients left on train (2011)  Mills-Peninsula Medical Center, California– Mailroom employee stole medical records of approximately 1,500 patients (2011)  Beth Israel Deaconess Medical Center, Boston– Computer with virus transmitted data files of over 2,000 patients to an unknown location after computer service vendor failed to restore security setting on a computer (2011) 5

6  2010 OCR Data: ◦ 207 reports to OCR of data breaches impacting 500 or more individuals ◦ 5.4 million individuals affected by these large breaches ◦ Over 25,000 reports to OCR of smaller data breaches (that occurred during 2010) ◦ More than 50,000 individuals impacted by these smaller breaches  No provider is too big or too small to experience a data breach 6

7  The average cost of data breach in the healthcare sector = estimated at over $300 per record  In 2010, the average cost was $345 per compromised record, up from an average cost of $301 in 2009 ◦ (Ponemon Institute, “U.S. Cost of a Data Breach,” (2010)) 7

8  Statutory violations and related fines and penalties (HIPAA/HITECH, state laws, FTC rules)  Reputational harm  Substantial costs in response and defense  Contractual obligations  Government investigation  Private lawsuits 8

9  HIPAA requires covered entities (and now their business associates) to comply with privacy and security standards to protect PHI ◦ “Covered entities” = health care providers, health plans and clearinghouses ◦ “PHI” is individually identifiable health information (e.g., medical information, demographic information, billing information) ◦ Privacy standards – Designed to protect individuals’ PHI by mandating covered entities comply with certain requirements related to the use and disclosure of PHI ◦ Security standards – Designed to protect electronic PHI by mandating certain physical, technical and administrative safeguards 9

10  HIPAA requires covered entities (and business associates) to comply with privacy and security standards to protect PHI  HITECH Act (Health Information Technology for Economic and Clinical Health Act of 2009): ◦ Strengthened and expanded HIPAA ◦ Rationale = Concerns for patient privacy and identity theft ◦ Among other things, established mandatory notification requirements for breaches of unsecured PHI 10

11 HITECH Breach Notification: Basic Rules  Covered entities must provide notice if: ◦ There is a “Breach,” and ◦ The Breach involves “Unsecured PHI”  Notice must be provided to: ◦ Affected patients ◦ DHHS ◦ Media (in some cases)  Business associates must notify covered entities if a “Breach” occurs 11

12  4 Prong Analysis: ◦ Step 1: Has there been an acquisition, access, use or disclosure of PHI in a manner not permitted under the HIPAA Privacy Regulations ◦ Step 2: Did the incident involve Unsecured PHI  “Unsecured PHI” is:  PHI that has not been secured using an HHS approved method to make PHI unusable, unreadable or indecipherable to unauthorized individuals  Only 2 HHS approved methods to date:  Destruction  Encryption 12

13  Step 3: Did the incident compromise the security or privacy of PHI in a way that creates significant risk of financial, reputational, or other harm to the affected individual?  Nature and type of PHI?  Who used or obtained PHI?  Mitigation?  Other relevant factors?  Step 4: Does the incident falls within an exclusion ◦ Unintentional use of PHI by employee in good faith within the scope of authority ◦ Inadvertent disclosure of PHI among persons authorized to access PHI at covered entity/business associate ◦ Good faith belief that unauthorized person who received PHI would not reasonably have been able to retain PHI 13

14  Required for all Breaches of Unsecured PHI  Without unreasonable delay  In no event more than 60 days after discovery of Breach  In writing, by mail or if individual has agreed, by e-mail 14

15  Description of the Breach  Description of the types of PHI involved in the Breach  Steps affected individuals should take to protect themselves from potential harm  Brief description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches  Contact information for the covered entity  If substitute notice provided via web posting or major print or broadcast media, toll-free number for individuals to contact the covered entity to determine if their PHI was involved 15

16  For 10 or more individuals, substitute individual notice by either posting the notice on the home page of its web site or by providing the notice in major print or broadcast media where the affected individuals likely reside.  For fewer than 10 individuals, covered entity may provide substitute individual notice by an alternative form via written, telephone, or other means. 16

17  Submit report electronically via HHS web site  If a breach affects 500 or more individuals = notify the Secretary without unreasonable delay and no later than 60 days following a breach  If breach affects fewer than 500 individuals = notify HHS no later than 60 days after the end of the calendar year in which the breach occurred  Expect an investigation 17

18  Required only for Breaches affecting more than 500 residents of a state or jurisdiction, covered entity is required to provide notice to prominent media outlets serving that State or jurisdiction (e.g., press release)  Media notification must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach  Must include the same information required for the individual notice 18

19  Business associates must notify the Covered Entity if a Breach occurs.  Without unreasonable delay and in no event more than 60 days after discovery of Breach  Notification should include: ◦ the identification of each individual affected by the Breach ◦ any information required to be provided by the covered entity in its notification to affected individuals 19

20  Personal Information  Electronic (few states cover paper records)  In unencrypted form  Accessed by or improperly disclosed to  An unauthorized person  Data breach = state data security law must be considered 20

21  “Personal Information”: ◦ Individual’s name and one of the following:  Social security number  Account Number  State identification/driver’s license number  Credit card number  Definitions vary by state  Includes PHI, employee data, consumer data 21

22  State Data Security Laws Require: ◦ Notice to affected state residents ◦ Notice to Attorney General ◦ Notice to consumer agencies  Requirements vary by state  Challenge = multi-state breach 22

23  Enacted by 46 states, including Missouri and Illinois  Only Kentucky, New Mexico, Alabama and South Dakota don’t have these laws  Requirements vary by state 23

24  R.S.Mo. § 407.1500  "Breach of security" = unauthorized access to or acquisition of unencrypted computerized personal information that compromises the security, confidentiality or integrity of such information  “ Personal information“ = first name and last name in combination with any one of the following: ◦ Social Security number ◦ Driver's license number or other unique identification number ◦ Financial account number, credit card or debit card number in combination with security code or password ◦ Unique electronic identifier or routing code, in combination with security code or password ◦ Medical or health insurance information 24

25  Requires notice to Missouri residents of a breach of security of personal information  Notice must be made without unreasonable delay  Content of notice is statutorily prescribed  If over 1000 residents involved = must notify Missouri Attorney General and consumer reporting agencies 25

26  Risk of Harm Test  Notification not required if, after investigation or consultation with law enforcement, it is determined that a risk of identity theft or other fraud to any consumer is not reasonably likely due to the breach  Determination not to notify must be documented and maintained for five years  Willful and knowing violation of law = AG action for damages, up to $150,000 per security breach 26

27  Stolen laptop  Unauthorized access by employees  Data files sent to incorrect recipient  Facebook  Faxes sent without permission  Medical records in trash  Garage sale 27

28  Maintain solid HIPAA privacy and security compliance program  Establish strong contracts with Business Associates  Minimize unsecured PHI  Follow proper data destruction practices  Educate your staff 28

29  Effective HIPAA privacy and security policies, procedures and training = key to protecting against data breaches  Winter 2011 - OCR to begin HIPAA privacy and security audits (administered by KPMG) of covered entities ◦ Audits will focus on HIPAA privacy and security compliance ◦ Corrective actions/fines may result if noncompliance found 29

30  Issues to consider: ◦ Time frame for notifying covered entity of breach ◦ Requirements related to investigating breach ◦ Financial responsibility related to breach notification  Cost of notice letters, technical expert and legal costs ◦ Indemnification 30

31 Minimize Unsecured PHI/Follow Proper Data Destruction Practices  Minimize PHI and other personal information collected and retained  Encryption ◦ To avoid being “Unsecured PHI,” PHI must be encrypted using process tested by the National Institute of Standards and Technology  Destruction ◦ Paper, film or other hard copy media  Must be shredded so PHI can’t be read or reconstructed  Redaction is not enough! 31

32  Educate staff about data security and data breach obligations ◦ Periodic refresher training ◦ Establish and monitor access control ◦ Penalties for improper access to PHI/other confidential data  Assign responsibility in the event of a breach 32

33  If an incident happens, take prompt action ◦ Determine if a breach occurred ◦ Technical expert analysis may be required ◦ Take prompt mitigation steps ◦ Provide required notices ◦ Timing of notices is essential ◦ Cooperate with any governmental investigation  Cignet Health $4.3M penalty - $3M due to failure to cooperate with authorities 33

34  If you have any questions, please contact:  Milada R. Goturi  mgoturi@thompsoncoburn.com mgoturi@thompsoncoburn.com  P: 314.552.6057 F: 314.552.7057  M: 314.602.6057  Tonya M. Oliver  toliver@thompsoncoburn.com toliver@thompsoncoburn.com  P: 314.552.6119 F: 314.552.7119  M: 314.602.6119 34

Download ppt "Milada R. Goturi Tonya M. Oliver Thompson Coburn LLP 1."

Similar presentations

HIPAA: An Overview of Transaction, Privacy and Security Regulations Training for Providers and Staff.

HIPAA: An Overview of Transaction, Privacy and Security Regulations Training for Providers and Staff.
HITECH ACT Privacy & Security Requirements Cathleen Casagrande Privacy Officer July 23, 2009.

HITECH ACT Privacy & Security Requirements Cathleen Casagrande Privacy Officer July 23, 2009.
HIPAA Basics Brian Fleetham Dickinson Wright PLLC.

HIPAA Basics Brian Fleetham Dickinson Wright PLLC.
HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.

HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.
Health Insurance Portability and Accountability Act HIPAA Education for Volunteers and Students.

Health Insurance Portability and Accountability Act HIPAA Education for Volunteers and Students.
Breach SHOULD Be a Four Letter Word HIPAA Omnibus.

Breach SHOULD Be a Four Letter Word HIPAA Omnibus.
1 HIPAA Privacy and Security Cindy Cummings, RHIT.

1 HIPAA Privacy and Security Cindy Cummings, RHIT.
What is HIPAA? This presentation was created by The University of Arizona Privacy Office, The Office for the Responsible Conduct of Research on March 5,

What is HIPAA? This presentation was created by The University of Arizona Privacy Office, The Office for the Responsible Conduct of Research on March 5,
1 Navigating the Privacy and Security Issues: HITECH Overview Rebecca L. Williams, RN, JD Partner Co-chair of HIT/HIPAA Practice Davis Wright Tremaine.

1 Navigating the Privacy and Security Issues: HITECH Overview Rebecca L. Williams, RN, JD Partner Co-chair of HIT/HIPAA Practice Davis Wright Tremaine.
Key Changes to HIPAA from the Stimulus Bill (ARRA) Children’s Health System Department Leadership Meeting October 28, 2009 Kathleen Street Privacy Officer/Risk.

Key Changes to HIPAA from the Stimulus Bill (ARRA) Children’s Health System Department Leadership Meeting October 28, 2009 Kathleen Street Privacy Officer/Risk.
HIPAA CHANGES: HITECH ACT AND BREACH NOTIFICATION RULES February 3, 2010 Kristen L. Gentry, Esq. Catherine M. Stowers, Esq.

HIPAA CHANGES: HITECH ACT AND BREACH NOTIFICATION RULES February 3, 2010 Kristen L. Gentry, Esq. Catherine M. Stowers, Esq.
NAU HIPAA Awareness Training

NAU HIPAA Awareness Training
W W W. L E C L A I R R Y A N. C O M Revisiting the PHI Breach Under HIPAA and HITECH and Considerations for Ophthalmologists Neil H. Ekblom, Esq. 885 Third.

W W W. L E C L A I R R Y A N. C O M Revisiting the PHI Breach Under HIPAA and HITECH and Considerations for Ophthalmologists Neil H. Ekblom, Esq. 885 Third.
HIPAA Regulations What do you need to know?.

HIPAA Regulations What do you need to know?.
 The Health Insurance Portability and Accountability Act of 1996.  Federal Law designed to protect sensitive information.  HIPAA violations are enforced.

 The Health Insurance Portability and Accountability Act of  Federal Law designed to protect sensitive information.  HIPAA violations are enforced.
COMPLYING WITH HIPAA PRIVACY RULES Presented by: Larry Grudzien, Attorney at Law.

COMPLYING WITH HIPAA PRIVACY RULES Presented by: Larry Grudzien, Attorney at Law.
Jill Moore April 2013 HIPAA Update: New Rules, New Challenges.

Jill Moore April 2013 HIPAA Update: New Rules, New Challenges.
Privacy, Security and Compliance Concerns for Management and Boards November 15, 2013 Carolyn Heyman-Layne, Esq. 1.

Privacy, Security and Compliance Concerns for Management and Boards November 15, 2013 Carolyn Heyman-Layne, Esq. 1.
Health information security & compliance

Health information security & compliance
Helping you protect your customers against fraud Division of Finance and Corporate Securities.

Helping you protect your customers against fraud Division of Finance and Corporate Securities.

Similar presentations

Ads by Google