Breach Notification and Enforcement
Sponsored by the Health Information and Technology Practice Group
June 14, 2012
Presenter: Patricia A. Markus, Esquire, Smith Moore Leatherwood LLP, Raleigh, NC, Trish.Markus@smithmoorelaw.com

Overview
- Definitions
- Is It a Breach?
- Discovery, Investigation, and Notification
- Breach Enforcement

Background/History of Breach Notification
- Under the Health Insurance Portability and Accountability Act of 1996 (HIPAA): no requirement to notify patients of breaches of Protected Health Information (PHI)
- The Health Information Technology for Economic and Clinical Health Act (HITECH): first federal law mandating breach notification for the health care industry
- HITECH requirements must be compared with existing state breach notification requirements; where the two do not conflict, both sets of rules must be followed
- HITECH applies to breaches of certain clinical and financial information
Breach Definitions: What Is a Breach?
- Key elements:
  - Acquisition, access, use, or disclosure
  - Of unsecured PHI
  - Not permitted by the Privacy Rule
  - That compromises the security or privacy of the PHI

Breach Definitions: Unsecured PHI
- PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized individuals through encryption technologies or methods of physical destruction approved by the Secretary of the U.S. Department of Health and Human Services (HHS)
- Approved technologies and destruction methods are listed at 74 Fed. Reg. 42742
- Caveat: under the HHS guidance, encryption secures the PHI only if the confidential process or decryption key was not itself compromised; encrypted data whose key was on the same lost device is still unsecured PHI

Breach Definitions: Compromises the Security or Privacy of the PHI
- Means the access, use, or disclosure poses a significant risk of financial, reputational, or other harm to the person whose PHI was the subject of the inappropriate access, use, or disclosure

Is It a Breach?
A use or disclosure is not a breach:
- When the PHI is properly encrypted or destroyed
- When the use or disclosure is permitted under HIPAA
- When a HITECH exception applies
- When the privacy or security of the data is not compromised
Is It a Breach? Step 1: Unsecured PHI
- PHI is secured if:
  - Encrypted, or
  - Destroyed (shredded, burned, purged, or cut; the proper destruction method depends on the medium)
- Also not a breach:
  - Individually identifiable health information held by a covered entity or business associate in its capacity as an employer
  - Information de-identified in accordance with HIPAA guidelines

Is It a Breach? Step 2: Permitted Use/Disclosure
- A breach is an impermissible use or disclosure; if HIPAA permits or requires the use or disclosure, it is not a breach
- If the use or disclosure is not permitted under HIPAA, you must still ask: does it compromise the security or privacy of the PHI?
- Not every impermissible disclosure is a breach, but it may still be a violation of the Privacy Rule

Is It a Breach? Step 3: HITECH Exceptions
- HITECH contains three narrowly construed exceptions
- If an acquisition, access, use, or disclosure fits within an exception, it is not a breach, even if the information was unsecured PHI and the disclosure is not permitted under HIPAA
Is It a Breach? Step 3: HITECH Exceptions
- Exception 1: Unintentional access to, or acquisition or use of, PHI:
  - By a workforce member of the covered entity or business associate (BA)
  - Acting in good faith
  - Within the course and scope of duties
  - Where the access, acquisition, or use does not result in any further use or disclosure in a manner not permitted by HIPAA

Is It a Breach? Step 3: HITECH Exceptions (Exception 1 Examples)
- Example: A billing employee receives and opens an email containing a patient's PHI that was mistakenly sent to her. The billing employee notifies the sender of the error, then deletes the email without further using or disclosing the information. Exception applies: no breach.
- Example: A receptionist, who is not authorized to access PHI, decides to browse through patient files to find out information about a friend's treatment. Exception does not apply: potential breach.
- Example: A physician on the medical staff, who is authorized to access PHI, looks through the medical records of patients she has not treated and on whose cases she has not been asked to consult. Exception does not apply: potential breach.

Is It a Breach? Step 3: HITECH Exceptions
- Exception 2: Inadvertent disclosure of PHI:
  - From one workforce member at the covered entity or BA to another at the same covered entity or BA
  - Where both workforce members are authorized to access the information
  - Where the access, acquisition, or use does not result in any further use or disclosure in a manner not permitted by HIPAA

Is It a Breach? Step 3: HITECH Exceptions (Exception 2 Examples)
- Example: An inadvertent disclosure by a member of the hospital medical staff, even if she is not a hospital employee, to a hospital employee who is authorized to receive PHI, provided that the employee does not subsequently inappropriately use or disclose the information. Exception applies: no breach.
- Example: A member of the medical staff deliberately discloses information to another member of the medical staff regarding a patient for whom the receiving medical staff member has no treatment or consultation responsibilities. Exception does not apply: potential breach.

Is It a Breach? Step 3: HITECH Exceptions
- Exception 3: Unauthorized disclosure of PHI to an unauthorized person:
  - Where there is a reasonable, good-faith belief
  - That the unauthorized recipient would not reasonably have been able to retain the information

Is It a Breach? Step 3: HITECH Exceptions (Exception 3 Examples)
- Example: A nurse mistakenly hands Patient A the discharge instructions for Patient B. The nurse immediately recognizes his error and retrieves the document before Patient A has a chance to review the information. Exception applies: no breach.
- Example: The billing office, due to a lack of reasonable safeguards, sends a number of patient statements to the wrong individuals. Some of the statements are returned unopened, marked undeliverable. Exception applies to those: no breach. The other statements sent to the wrong addresses, however, are not returned. Exception does not apply to those: potential breach.
Is It a Breach? Step 4: Risk Assessment
- A breach must involve a significant risk of financial, reputational, or other harm
- Requires a good-faith judgment
  - Made by the business associate or covered entity
  - Must consider the relevant factors (below)
  - Must document the basis for the determination

Is It a Breach? Step 4: Risk Assessment
- Who impermissibly used the information, or to whom was the information impermissibly disclosed?
  - Disclosure to another entity subject to HIPAA: likely small risk of harm
  - Lost or stolen information: likely high risk of harm
  - Disclosure to a member of the general public: likely high risk of harm
- In what form was the PHI accessed or disclosed?
  - Verbal or paper: likely smaller risk of harm
  - Electronic: likely higher risk of harm
- What were the circumstances surrounding the disclosure?
  - Unintentional disclosure: likely smaller risk
  - Intentional disclosure: likely higher risk
  - Lost or stolen information, or hacking: likely higher risk

Is It a Breach? Step 4: Risk Assessment
- What information was the subject of the impermissible use or disclosure?
  - Limited data set: low risk of harm
  - Information about the fact of treatment: depends on the treatment facility ("General Hospital": likely small risk of harm; "Communicable Disease Clinic": likely high risk of harm)
  - Type of treatment (oncology): likely higher risk of harm
  - Type of treatment (sexually transmitted diseases, mental health, substance abuse, abuse victim): deemed to pose a significant risk of reputational harm
  - Information that assists in identity theft (Social Security number (SSN), account numbers, personal identification numbers): likely high risk of harm

Is It a Breach? Step 4: Risk Assessment
- What steps were taken to mitigate the impermissible use or disclosure?
  - Obtained the recipient's satisfactory assurance that the information will be destroyed and not used: likely small risk of harm
  - Information is returned before it is accessed (e.g., forensic analysis of the recovered laptop reveals no access): likely small risk of harm
- Would notice enable affected persons to protect themselves from harm?

If a significant risk of harm to the patient exists, the breach notification requirements must be followed.
Discovery and Investigation of Breach
- Discovery of the incident starts the clock
- Discovery = the first day on which the entity has actual knowledge of the breach, including the day on which, by exercising reasonable diligence, it would have known
- Must notify individuals as soon as reasonably possible, but no later than sixty days after discovery
- "Reasonable diligence" means the business care and prudence expected of one seeking to satisfy a legal requirement
- What is this in practice, and how do you demonstrate it?

Notifications
- Written notice of a breach must be given to:
  - Affected individuals
  - The Secretary of HHS
  - The covered entity (by its business associate)
  - Sometimes the media
- Notice must be timely and adequate

Notifications: To Individuals
- No later than sixty days after discovery of the breach, written notice must be provided to each affected individual by first-class mail
  - Email notice is acceptable if the patient has agreed
  - Notice goes to next-of-kin or the personal representative for a deceased patient
- Content:
  - What occurred and when
  - Types of PHI involved
  - Steps individuals should take to protect themselves
  - What the entity is doing to investigate and mitigate
  - Covered Entity (CE) contact information

Notifications: Law Enforcement Exception
- If law enforcement asks the CE to delay providing notice because notice would impede a criminal investigation or damage national security, the CE may delay notification
- Length of delay:
  - The time period specified in a written statement by law enforcement, or
  - Up to thirty days for an oral request, unless law enforcement submits a written statement specifying the time frame for the delay

Notifications: Substitute Notice
- Used when the entity has an insufficient or out-of-date address
  - Fewer than ten individuals affected: an alternate form of written notice, telephone, or other means
  - Ten or more individuals affected: substitute notice must be posted conspicuously on the home page of the entity's website or given in major print or broadcast media, and must include a toll-free number (the posting and the toll-free number must remain available for at least ninety days)
- Substitute notice need not be provided to next-of-kin or a personal representative

Notifications: Media and HHS
- Media notice: required if more than 500 residents of a single state or jurisdiction are affected
- Notice to the Secretary of HHS:
  - If 500 or more individuals are affected, notice must be given to the Secretary immediately by filing notice electronically on this form: http://transparency.cit.nih.gov/breach/index.cfm
  - If fewer than 500 individuals are affected, notice must be given to the Secretary within sixty days of the end of the calendar year (CY), using the same form (one form per breach)
Breach Enforcement
- HITECH breach notification rules:
  - Require self-disclosure and reporting
  - Invite investigation by the Office for Civil Rights (OCR)
- HITECH's enforcement Interim Final Rule:
  - Introduces strict liability unless violations are corrected within thirty days
  - Tiers of penalties
  - Tiers of culpability

Breach Enforcement: Penalty Tiers

  Culpability                     Amount per violation   CY maximum, identical violations
  Did Not Know                    $100 to $50,000        $1,500,000
  Reasonable Cause                $1,000 to $50,000      $1,500,000
  Willful Neglect, Corrected      $10,000 to $50,000     $1,500,000
  Willful Neglect, Not Corrected  $50,000 minimum        $1,500,000

Breach Enforcement: Civil Penalties
- Maximum of $1.5 million for all identical violations in a calendar year
- If the entity did not know a violation occurred and, by exercising reasonable diligence, would not have known: $100 to $50,000 per violation
- Violation due to reasonable cause and not to willful neglect: $1,000 to $50,000 per violation
- Violation due to willful neglect:
  - $10,000 to $50,000 per violation for violations corrected within thirty days
  - Minimum of $50,000 per violation for violations not corrected within thirty days

HITECH Enforcement Developments
- Penalties apply to covered entities and business associates (lawyers included)
- Criminal penalties now apply to workforce members who use or disclose PHI without authorization
- Safe harbor for violations corrected within thirty days (assuming no willful neglect)
- Starting 2/17/11, OCR must investigate any complaint that may have resulted from willful neglect; if a violation is found, OCR is required to impose civil monetary penalties (CMPs)

HITECH Enforcement Developments
- For HIPAA violations after 2/17/09, HITECH permits State Attorneys General (AGs) to bring civil actions on behalf of state residents to enjoin privacy or security violations or to obtain damages
  - $100 per violation, maximum of $25,000 per year for identical violations
  - Costs of suit and reasonable attorneys' fees may be assessed against HIPAA violators and awarded to the state
- HHS held State AG training in spring 2011 on how to prosecute HIPAA violations

HITECH Enforcement Developments
- The Secretary of HHS is required to perform periodic audits to ensure that CEs and their business associates comply with HIPAA and HITECH requirements
- HHS is paying KPMG $9.2 million to create the audit program and to audit up to 115 CEs and BAs for HIPAA compliance by the end of 2012
- HHS is to establish regulations (by 2/17/12) specifying the methodology under which an individual harmed by a HIPAA violation may receive a percentage of any monetary amount collected
HITECH Enforcement Examples
- OCR has issued eight Resolution Agreements and one very large CMP
- In the Providence Resolution Agreement (July 2008), OCR imposed a relatively small payment ($100,000) and no CMPs for the loss of data on 386,000 patients on laptops and backup media
- 2011 Resolution Agreements:
  - Massachusetts General Hospital: $1 million payment for paper records of 192 patients left on the subway (no SSNs, driver's license numbers (DLNs), or evidence that the information was ever used improperly)
  - University of California, Los Angeles (UCLA): $865,500 payment for repeated snooping in celebrity records, where UCLA had neither policies prohibiting this conduct nor training on it

HITECH Enforcement Examples: 2012 Resolution Agreements
- Blue Cross Blue Shield of Tennessee: $1.5 million for the theft of fifty-seven hard drives containing the PHI of over one million individuals, including SSNs
- Phoenix Cardiac Surgery: $100,000 for posting the ePHI of more than 1,000 patients on a publicly accessible, Internet-based calendar

HITECH Enforcement Examples: Cignet Health CMP (February 2011)
- Penalty of $4.351 million
  - $3 million for failure to cooperate
  - $1.3 million for failing to provide forty-one patients with copies of their records
- A primer on how NOT to respond to an OCR investigation:
  - Cignet ignored repeated government requests for information and discussion for over a year
  - After receiving a court order to produce records, Cignet produced thousands of original medical records of individuals unrelated to the investigation

Breach Enforcement Lessons
- OCR is enforcing, and penalties are getting bigger
- State AGs will act and can obtain money
- Increasingly strict enforcement shows that prevention, prompt identification, and correction of breaches is the best defense
Additional Resources
- Breach Notification for Unsecured Protected Health Information: Interim Final Rule, 74 Fed. Reg. 42740 (Aug. 24, 2009), available at http://edocket.access.gpo.gov/2009/pdf/e9-20169.pdf
- For additional resources on conducting a breach notification risk assessment, see the HITECH Breach Notification Evaluation at http://www.smithmoorelaw.com/files/publication/9e40dfb0-4a5c-4f43-a7d8-d1db82a76b2b/presentation/publicationattachment/88297303-93b3-46cb-9c5a-d416768e0ced/Markus_HITBytesJan2010.pdf, along with AHIMA's Data Breach Investigation and Mitigation Checklist, available at http://library.ahima.org/xpedio/groups/public/documents/ahima/bok1_036245.pdf
- For a more comprehensive breach notification risk assessment tool, see http://www.nchica.org/hipaaresources/samples/breachtool.doc

Breach Notification and Enforcement 2012 is published by the American Health Lawyers Association. All rights reserved. No part of this publication may be reproduced in any form except by prior written permission from the publisher. Printed in the United States of America.

Any views or advice offered in this publication are those of its authors and should not be construed as the position of the American Health Lawyers Association.

This publication is designed to provide accurate and authoritative information in regard to the subject matter covered. It is provided with the understanding that the publisher is not engaged in rendering legal or other professional services. If legal advice or other expert assistance is required, the services of a competent professional person should be sought (from a declaration of the American Bar Association).