HIPAA 2017: Trends and Tools for New Realities
Nelson Mullins Riley & Scarborough
Tuesday April 4, 2017
Eli Poliakoff
Trish Markus
Roy Wyman
Presenters
• Eli Poliakoff (Charleston)
• Trish Markus (Raleigh)
• Roy Wyman (Nashville)
Today’s Agenda
• General update HIPAA/HITECH topics
• Lessons from recent HIPAA penalties and enforcement actions
• Frequent Business Associate Agreement sticking points and other hot topics
• Security Rule considerations and ransomware
• Cyber-insurance
• The “Internet of Things” and other issues on the near horizon
• Questions
Recording and additional information to be posted at www.nelsonmullins.com/news/events
Upcoming Webinars
Registration information to be posted at www.nelsonmullins.com/news/events
Tuesday April 25 – Roy Wyman (Nashville)
o Deeper dive into healthcare disruption and new technologies that impact care
o How companies working with health-related data can minimize regulatory burdens
o Artificial Intelligence, Blockchain and the future of healthcare data
o The future of privacy, including the likelihood of further regulation beyond HIPAA.
Tuesday May 23 – Mike Ruggio (Washington, DC)
o What should a healthcare provider executive do if the U.S. Attorney’s Office comes knocking?
HIPAA/HITECH Refresher
• Health Information Technology for Economic and Clinical Health Act ("HITECH Act") - February 2009
• Interim "Final" Breach Regulations - August 2009
• HITECH Proposed Regulations - July 2010
• HIPAA/HITECH Final Rule ("Omnibus Rule") - January 2013
o Effective Date: March 26, 2013
o Compliance Dates: September 23, 2013 and September 23, 2014
HITECH’s Reach
[Diagram: Covered Entities → Business Associate Agreement → Business Associates → "Subcontract" / Business Associate Agreement → Subsequent Recipients ("Business Associate Subcontractors"). HIPAA (Pre-HITECH): directly applies to Covered Entities. HIPAA + HITECH: directly applies down the chain to Business Associates and Subcontractors as well.]
New Sheriff in Town
• Roger Severino, Director, Office for Civil Rights (OCR), U.S. Department of Health and Human Services
On the HIPAA/HITECH Horizon
• HITECH Pending Regulations
• Accounting Rule
• Minimum Necessary
• "HIPAA Whistleblower"
• HIPAA Audit Program
Lessons from Recent OCR Activity
• Encryption – Feinstein, Care New England, MAPFRE, Children’s
• Removal of mobile devices – Feinstein, Catholic Health Care Services
• Governance – Oregon Health & Science U.
• Timely address known security risks – Oregon Health & Science U., U. of MS Medical Center, MAPFRE
Lessons from Recent OCR Activity
• Timely breach notification – Presence Health
• Security risk analyses – North Memorial, Feinstein, Advocate, St. Joseph, Catholic, MAPFRE, U. Mass Amherst
• Updated BAAs – North Memorial, Raleigh Orthopaedic Clinic, Advocate, Care New England
• Policies and procedures – Lincare, Complete P.T., Feinstein, Catholic, Advocate
Reminder: Aggravating/Mitigating Factors Considered
• In assessing penalty, HHS will consider:
o Nature and extent of violation
o Nature and extent of harm (physical, reputational, financial, or inability to obtain health care)
o History of prior HIPAA compliance by entity (previous violations, corrections of noncompliance)
o Financial condition of noncompliant entity
OCR Guidance on Medical Record Copy Fees
• Medical Records Requests
• When do copy fee restrictions apply?
• What are the fee restrictions? How does state law apply?
• Methods of Communication
• Email, fax, text – pros, cons, and approaches
Sticky BAA Provisions
• Subcontractors
• Security incidents
• Indemnification
• No offshoring
• Encryption
• Time frames
Prepare for OCR/Other Enforcement
• BAAs executed with BAs
• Policies
• Training
• Security Rule risk assessment
• Prior internal decisions about breaches
• Know where your internal documentation is
• Be responsive
Security Rule and Compliance: The Practical
• Penalties do not require a breach or loss of privacy or security
o Compliance with the Security Rule ≠ IT Security
• Chart your compliance
o A nice set of policies ≠ compliance
• Fit your HIPAA program within a broader compliance program
Ransomware
• Ransomware = unwanted encryption + demand of a ransom
o Fastest growing malware threat
o $1 billion in losses in 2016, per FBI estimate
• Attack scenarios: websites (including ads), email attachments, bad software
• Not all ransomware is the same
o Some can extract data from the affected computer (passwords, PII, etc.)
• How to avoid: use the same protections as against other malware
• Be prepared: a quick response is critical
o Implement a Ransomware Response Plan to act quickly
o Have backups ready
HHS Guidance on Ransomware
• Guidance released July 11, 2016
• Ransomware on a CE's or BA's computer systems is a "security incident"
• Any encryption of ePHI by ransomware is presumed a "breach"
o "Control" of data, even if it can't be viewed, is a "disclosure"
o Must report unless there is a “…low probability that the PHI has been compromised,” based on:
  - Nature and extent of ePHI involved (usually everything);
  - The unauthorized person to whom the disclosure was made (known bad guy);
  - Whether the ePHI was actually acquired or viewed (exfiltration capability?); and
  - The extent to which the risk to the ePHI has been mitigated (can it be mitigated?).
The $7B "Immature Market"
[Chart: Cybersecurity Gross Premiums (in billions), for 2012, 2015, 2018* and 2020*; *Estimated]
Basics of cyber liability insurance
• When you've seen one policy, you've seen one policy
• Potential limitations:
o Indemnification
o Contractual Obligations
• Bottom line: Know what you're buying.
• When there's a breach:
o Call the rep
o Make sure counsel, forensics are pre-approved.
2017 and Beyond
• Internet of Things and security (e.g., connected medical devices)
• Privacy and security rules for non-covered entities and non-BAs.
• Increased attention to vendors (BAAs and Subcontractors)
o Vendor Assessment Process
o Tracking BAAs
• Assume Failure: Segmentation, DMZs and Risk Management
• The Unexpected
o Blockchain?
o AI?
Questions?
• Eli Poliakoff (Charleston)
• Trish Markus (Raleigh)
• Roy Wyman (Nashville)