4.2. Internal Analysis
4.2.1. Value chain
Breach Notification Rule
• Notice must be provided in the event of an “unauthorized acquisition, access, use or disclosure” of PHI that is “unsecured” (i.e., a “breach”)
• PHI is “secure” (and the HITECH breach-notice rules are not triggered) if the PHI is encrypted or destroyed in the manner prescribed by the HHS Breach Notification Rule
• Prior law
–No obligation to notify individuals or HHS of a breach of the privacy or security rules
–CEs (but not BAs) were obliged to mitigate harm caused by a breach, which may have included notification
• HITECH added two sets of notice rules
–CEs and BAs
–Personal health record (PHR) vendors and related entities (non-CEs)
Breach Notification Rule
• HITECH creates breach reporting requirements for covered entities and business associates
• Breaches of “Unsecured PHI” must be reported to affected individuals and to the federal government (the Department of Health and Human Services Office of Civil Rights)
–“Unsecured PHI” is PHI that has not been secured in accordance with federal standards (encrypted or destroyed)
• A loss of Unsecured PHI that does not present a risk of financial, reputational or other harm may not be a reportable breach
Encryption/Destruction
• Secured PHI means PHI that has been rendered “unusable, unreadable, or indecipherable to unauthorized individuals”
• HHS issued guidance on April 17, 2009, identifying two acceptable methods for securing PHI: encryption (electronic) and destruction (electronic and paper)
• Clarifications in the Aug. 24, 2009 Interim Rule
–Redaction of paper-based PHI does not qualify
–Encryption keys must be stored separately
• Intended to be exhaustive, not illustrative
• Use acts as a “safe harbor”
• HHS will likely issue further guidance
Breach Notification Rule
• Applies generally to covered entities and business associates, but
–Business associate is required to notify covered entity, not affected individuals (unless the covered entity delegates this responsibility)
–Notice must be provided without unreasonable delay…in no case later than 60 days following discovery of the breach
• "discovery" is when the covered entity knew or "should have known" about the breach
Breach Notification Rule
• Business associate and subcontractor knowledge of a breach is imputed to the covered entity and starts the 60-day clock ticking
• Business associate must have breach notice policies and procedures consistent with these requirements.
• As a practical matter, the workforce must PROMPTLY report breaches and even suspected breaches
Breach Reporting – Business Associate Obligations
• Business associates must immediately report known or suspected breaches of PHI to covered entities (so that covered entities may report within the 60-day time frame)
• Speed is key
• Be sure to report even SUSPECTED breaches
–Business associate agreements may impose specific reporting time frames. Some may require reporting within 24-48 hours of the breach.
–Covered entities typically require business associates to cover the
What Constitutes a Breach?
• The unauthorized acquisition, access, use or disclosure of protected health information in violation of the Privacy Rule is presumed to be a reportable breach unless
–The covered entity or business associate demonstrates there is a low probability that the information has been compromised based on a risk assessment of certain factors, or
–The breach fits within certain exceptions
• Covered entities must ensure that their policies incorporate and apply this new standard
What's Not a Breach?
• Exception if unauthorized person could not have reasonably retained the PHI
• Exceptions for unintentional acquisition, access, or use
–By workforce member or authorized person
–Made in good faith/within scope of authority
–Does not result in further use or disclosure
New Breach Notification Analysis
• The proposed rule provided a "harm standard" for the identification of reportable breaches
• The Omnibus Rule creates an objective, four-factor test for determining whether or not PHI has been compromised
–Nature and extent of the PHI involved
–Unauthorized person who used the PHI or to whom disclosure was made
–Whether the PHI was actually acquired or viewed
–The extent to which the risk to PHI has been mitigated
• Under the Omnibus Rule, there is a presumption of reportable breach
Breach Notification – Policies and Procedures
• Revise breach notification policies and procedures and breach response plans
–Final rule eliminates “harm threshold” provision
–Instead, assess probability that PHI has been compromised
–Make sure that procedures ensure timely notification of regulators and affected individuals
Notice to Individuals
• Written notice to the individual (or next of kin if the individual is deceased) at the last known address by first-class mail
• For insufficient or out-of-date contact information, or in the case of 10 or more individuals with insufficient contact information, conspicuous posting (for 90 days) on the CE's home page or conspicuous notice in major print or broadcast media
• Where there is a possibility of imminent misuse of the unsecured PHI, additional notice by telephone or other methods
Notice to the Media
• Notice to prominent media outlets within the State or jurisdiction is required if a breach of unsecured PHI affects or is reasonably believed to affect more than 500 residents of that State or jurisdiction
Notice to and by HHS
• Notice to HHS by CEs immediately for breaches involving more than 500 individuals and annually for all other breaches
• Posting on HHS Web site of a list that identifies each covered entity involved in a breach in which the unsecured PHI of more than 500 individuals is acquired or disclosed
Enforcement
• The Office of Civil Rights and US Attorney enforce the civil and criminal provisions of HIPAA and HITECH
• HITECH gave state attorneys general the authority to enforce HIPAA
• Under HITECH, the Office of Civil Rights will be allowed to retain a portion of the fines that it collects from violators
–This may be why we are seeing 7-figure fines from OCR.
• HITECH enforcement is designed to be a public, embarrassing process. See the OCR “wall of shame”:
http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationru
Enforcement – Enhanced Audits
• HHS audited CEs only in response to complaints
• HITECH directs HHS to conduct periodic audits of CEs and BAs, even if no complaint has been filed
• Where a preliminary investigation indicates “willful neglect”
–An audit is required, and
–Penalties must be imposed for willful neglect
Enforcement – State AGs
• State Attorneys General are authorized to bring a civil action for HIPAA violations to enjoin violations and seek damages
–Damages calculated by multiplying number of violations by $100, not to exceed $25,000. Court may award costs and reasonable attorneys’ fees to State
–State action may not be brought during pendency of Federal action
Enforcement – Individuals
• Individuals to recover portion of HHS civil penalty or monetary settlements
• HHS is directed to report to Congress regarding complaints filed and their disposition (will be made available to the public)
New Penalty-Based System
• Penalties range from $100 to $50,000 per violation, depending on the level of culpability
• $1.5 million cap per calendar year for multiple violations of identical provisions
• Criminal penalties of up to 10 years’ imprisonment
• Willful neglect is at the top of the scale
• Even where there is merely a possibility of a violation due to willful neglect, the Department of Health and Human Services (“HHS”) can impose civil monetary penalties without exhausting informal resolution
Annual Penalties
• Tier 1: $100 per violation, not to exceed $25,000
• Tier 2: If due to “reasonable cause” but not willful neglect, at least $1,000/violation, not to exceed $100,000
• Tier 3: If due to willful neglect and corrected in 30 days, at least $10,000/violation, not to exceed $250,000
• Tier 4: If due to willful neglect and not corrected in 30 days, at least $50,000/violation, not to exceed $1.5 million
Big Breaches of 2012
• A server containing PHI of 780,000 patients was hacked into and PHI was stolen for one month until the breach was discovered and the server was shut down.
• An Atlanta health care company misplaced 10 backup disks for more than 315,000 surgical patients treated between 1990 and 2007. About 228,000 of the files included patient Social Security numbers, names, surgery dates, diagnoses and procedure codes.
• A South Carolina Department of Health and Human Services employee compiled data on more than 228,000 people and sent it to a private email account. About 22,600 people had their Medicaid ID numbers stolen (linked to Social Security numbers). Patient names, addresses and birth dates were also
Mitigation of Damages
2 USC 1320d-5(d)(2)(c):
Reduction of Damages — In assessing damages under subparagraph (A), the court may consider the factors the Secretary may consider in determining the amount of a civil money penalty under subsection (a) under the HIPAA privacy regulations.
Factors Considered in Reducing Damages
• Who impermissibly used/received the PHI?
–Was it another covered entity or federal agency (less risk), or someone without separate privacy obligations?
• Can you take immediate steps to mitigate (e.g., obtain recipient’s assurances that the info will not be further disclosed or will be destroyed)?
• Was information returned without being opened or accessed? (Forensic analysis would be required on laptops, etc.)
Factors Considered in Reducing Damages
• Greater Risk of Harm:
• Name of individual, along with sensitive service types or provider types:
–Oncology services
–Substance abuse treatment
–AIDS treatment
–Abortion clinic
–Plastic surgery
• Name of individual, along with information that increases risk of identity theft:
–SSN
–Credit card info
–Mother’s maiden name
• Lesser Risk of Harm:
• Name of individual and fact that he/she received services from a particular hospital, as long as the service type was not disclosed or sensitive and no financial info was included.
State Data Security Laws
• 46 states have adopted such laws
• The laws generally protect “personal information”, i.e., name (or first initial and last name) coupled with a Social Security, credit card or financial account number, or a state-issued identification number (including Medicare/Medicaid number)
• The breach or loss of “personal information” triggers state reporting obligations
• These reporting obligations apply in addition to HIPAA reporting obligations
State Data Security Laws
The challenge:
• State laws impose separate security and sometimes contracting requirements (use more stringent requirements)
• Breach reporting time frames vary widely
• Breach reporting requirements vary widely
• Compliance can be extremely complex for organizations operating in multiple states or serving individuals from multiple states