© Copyright 2014 Saul Ewing LLP

The Coalition for Academic Scientific Computation

HIPAA Legal Framework and Breach Analysis

Presented by:

Bruce D. Armon, Esq. [email protected]

Karilynn Bayus, Esq. [email protected]

Saul Ewing LLP
March 31, 2015

Why are we here today?

• HIPAA Privacy and Security Rule Overview

• Understand the HIPAA Breach Rule

• Learn lessons from HIPAA Breaches in the News

HIPAA: What Is This About?

Breaches in the News

• This is not a movie

• This is a real issue: 1 billion data records compromised in 2014

2014 Year in Review

• 1,023,108,267 records breached in 2014

• 1,541 breach incidents

• 78% increase in breached records from 2013

Source: 2014 Breach Level Index

Breaches in the News

• Affects every sector of the economy

Breaches in the News

• Education

Breaches in the News

• Healthcare

HIPAA Overview

• The Health Insurance Portability and Accountability Act of 1996 (P.L. 104-191) (HIPAA)

• In 2009 Congress enacted the Health Information Technology for Economic and Clinical Health (HITECH) Act as part of the American Recovery and Reinvestment Act of 2009, which made changes to HIPAA, including a new breach notification requirement

• The HITECH final rule has been in effect since September 23, 2013

Administrative “Simplification”

• Privacy Standards

• Electronic Transactions and Code Sets Standards

• Security Standards

• Breach Notification

• Enforcement Provisions

What is the Privacy Rule?

• The Privacy Rule sets national standards to protect the privacy of individuals’ “protected health information” and applies to “covered entities”

Individually Identifiable Health Information

• Individually Identifiable Health Information (IIHI) is health information that identifies an individual, or for which there is a reasonable basis to believe it could be used to identify an individual.

• “Health Information” is any information (including genetic), whether oral or recorded in any form or medium, that:

Individually Identifiable Health Information (cont’d)

• Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and

• Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.

Protected Health Information

The focus of the Privacy Rule is Protected Health Information (PHI). PHI is IIHI that is transmitted or maintained in electronic or any other form or medium, with limited exceptions.

Applicability

The Privacy Rule applies to covered entities:

• Health Care Providers that transmit health information in electronic form in connection with a covered transaction

• Health Plans

• Health Care Clearinghouses

Uses and Disclosures of PHI

• General Rule: Covered entities may not use or disclose PHI except as permitted by the Privacy Rules

• When PHI is to be disclosed for purposes of treatment, payment, or health care operations, an individual’s consent is not required

PHI and Research

• PHI may be used or disclosed for research without a patient’s authorization if a waiver of authorization has been approved by an IRB or privacy board.

• Otherwise, a patient’s authorization is required for use or disclosure of PHI for a research study.

My University and HIPAA

• How does my university fit in?

• Are we a covered entity?

• Are we a business associate?

• What documentation do we have in place?

HIPAA Security Rule Standards

• 9 Administrative Safeguard Standards: 12 Required Implementation Specifications, 11 Addressable Implementation Specifications

• 4 Physical Safeguard Standards: 4 Required Implementation Specifications, 6 Addressable Implementation Specifications

• 5 Technical Safeguard Standards: 4 Required Implementation Specifications, 5 Addressable Implementation Specifications

9 Administrative Safeguard Standards

• Security Management Process

• Assigned Security Responsibility

• Workforce Security

• Information Access Management

• Security Awareness and Training

• Security Incident Procedures

• Contingency Plan

• Evaluation

• Business Associate Contracts and Other Arrangements

4 Physical Safeguard Standards

• Facility Access Controls

• Workstation Use

• Workstation Security

• Device and Media Controls

5 Technical Safeguard Standards

• Access Control

• Audit Controls

• Integrity

• Person or Entity Authentication

• Transmission Security

We think there was a breach…

• What do we need to do?

Breach Notification: General Rule

• Covered entities are required to report breaches of unsecured PHI to the individuals involved, the Secretary of HHS and possibly the media.

Breach Definition

A “breach” is an acquisition, access, use or disclosure of PHI in a manner not permitted under the Privacy Rule which compromises the security or privacy of the PHI. Three exclusions:

● Good faith, unintentional acquisition, access or use by a workforce member that does not result in further use or disclosure;

● Inadvertent disclosure by an authorized person to another authorized person, where the information is not further used or disclosed;

● Disclosure by which the information could not reasonably have been retained.

Risk Assessments

• Risk Assessments must include at least the following factors:

(1) Nature and extent of the PHI involved, including the types of identifiers and likelihood of re-identification;

(2) Unauthorized person who used the PHI or to whom the disclosure was made;

(3) Whether PHI was actually acquired or viewed; and

(4) The extent to which the risk to the PHI has been mitigated.

Notification Requirements

• Always to the individual(s) affected – without unreasonable delay and no later than 60 days

• Always to the Secretary – timing depends on whether more than 500 individuals are affected

• If fewer than 500 individuals are affected, must keep a log of breaches and report to HHS within 60 days of the end of the calendar year

• To the media if more than 500 residents of a State or jurisdiction are affected – without unreasonable delay and no later than 60 days

Recent HIPAA Resolution Agreements – University Related

• New York and Presbyterian Hospital and Columbia University paid HHS $4.8 million for failing to secure electronic PHI on their network (May 2014)

• Idaho State University paid HHS $400,000 for unsecured PHI caused by the disabling of firewall protections at servers maintained by the University (May 2013)

How To Respond If There Is A Breach

• Hit the ground running

• Gather evidence

• Disclose and inform

• Customer/Patient relations

• Media strategy

Source: IT Governance USA Blog

Hypothetical Scenarios

Takeaways

• Make sure e-PHI is secured and risk assessments are regularly performed

• Know your institution’s policies and procedures for reporting breaches

• Err on the side of caution

• Do not make system changes without confirming their effect on the security of e-PHI

Thank you!