Presented By:
Cybersecurity and Healthcare: The Key to Limiting Your Risk is Being Informed
February 26, 2015
HIPAA/HITECH: Risks and Liabilities in an Increasing Enforcement Environment
Gregory M. Fliszar, J.D., Ph.D.
(215) 665-4737
gfliszar@cozen.com
Agenda
• HIPAA Refresher
• HITECH Final Rule
– significant changes
• Top HIPAA Issues
• Healthcare Risks
• Enforcement Environment
2
What is HIPAA?
• The Health Insurance Portability And
Accountability Act of 1996 (HIPAA)
– Administrative Simplification
• Standards for health care electronic
transactions and code sets
• Security of electronically stored and transmitted
health information
• Privacy of individually identifiable health
information
3
What is HIPAA?
• Privacy Rule – sets the standards for who
may have access to PHI
– applies to all forms of PHI whether electronic,
written or oral
• Security Rule – sets the standards for
ensuring that only those who should have
access to electronic PHI (ePHI) will actually
have access
– Only applies to PHI that is in electronic form
4
HIPAA Applicability
• Covered Entities
– Health plans - including, for example:
• Group Health Plans (medical, dental and LTC
plans)
• Health insurance issuers
• Issuers of Flexible spending accounts
– Health care providers that transmit
electronic information in connection with
health claims transactions
– Health care clearinghouses
5
HIPAA Applicability
• Business Associates
– a person or organization, other than a
member of a covered entity's workforce,
that performs certain functions or activities
on behalf of, or provides certain services to,
a covered entity that involve the use or
disclosure of individually identifiable health
information
– Examples include billing companies,
attorneys, accountants, consultants, etc.
6
HIPAA Applicability
• HIPAA applies only to “Protected
Health Information” (PHI)
– Individually identifiable information
– Received or created by a Covered Entity
– Relating to a person’s past, present or
future health condition, treatment or
payment
– Transmitted or stored by a Covered Entity
in any form (including oral)
7
HIPAA General Rule
• PHI may not be disclosed without patient
authorization unless the disclosure is
otherwise permitted under HIPAA or required
by law.
• Failure to comply = breach
– Breach notification if unsecured PHI
8
HIPAA/HITECH Final Omnibus Rule
• Significant changes: Business
Associates
– Definition of business associate broadened
to include:
(1) subcontractors of business associates and
(2) Health Information Organizations or other
entities that provide data transmission
services to a covered entity that require
access to PHI on a routine basis
9
Business Associates
• Business Associates
– HIPAA now applies to an enormous
number and variety of service providers to
the health-care industry
– Downstream contractors included
– Not limited to traditional health care
• Storage companies
• Cloud providers
10
HIPAA/HITECH Final Omnibus Rule
– BAs now directly liable under HIPAA for
violations of the Security Rule and for
impermissible uses and disclosures of PHI
under the Privacy Rule
– Significant compliance obligations
– BAs subject to:
• HIPAA audits
• Civil monetary penalties
• Criminal sanctions
11
Business Associates
• HIPAA audits expected to resume in 2015 – BAs
are expected to be prime targets
– Many reported covered entity breaches involved BAs
• Business Associate Agreements are no longer
boilerplate
– Most include indemnification provisions requiring the BA to
indemnify the Covered Entity from all claims and expenses resulting
from the acts or omissions of the BA or any of its subcontractors
– Many also require BA to pay costs of breach caused by
BA/subcontractor
12
Business Associates
• Due to the enforcement and liability risks, BAs
should take immediate steps to become
HIPAA compliant
• Compliance steps should include, at a
minimum:
– Conducting a written security risk analysis
– Designating a security officer
– Implementing required security policies and
procedures
13
Business Associates
– Implementing technical security measures and
facility access controls
– Conducting HIPAA training programs for staff and
management
– Entering into business associate agreements with
subcontractors
– Developing policies and procedures to provide
breach notification to the covered entity upon
discovering a privacy or security breach
14
HIPAA/HITECH Final Omnibus Rule
• Revised Definition of “Breach”:
– Breach presumed unless:
• “LoProCo”: The CE or BA can demonstrate that
there is a low probability that the PHI has been
compromised based on:
– Nature and extent of the PHI involved (including the types
of identifiers and the likelihood of re-identification);
– The unauthorized person who used the PHI or to whom the
disclosure was made;
– Whether the PHI was actually acquired or viewed; and
– The extent to which the risk to the PHI has been mitigated.
– Focus on the risk to the data, instead of risk of
harm to the individual
15
Top HIPAA Issues
• Security Breaches
– Covered Entity responsible for BA breaches
– Everyone will eventually experience a
breach: be prepared
– Conduct a risk assessment, implement
policies and do training
– Encryption is a safe harbor
– Don’t forget state identity theft reporting
requirements
– Paper is still a big risk
16
Top HIPAA Issues
• Mobile Devices/BYOD
– Develop a strategy
– Encryption, Encryption, Encryption!!!
– FTC may jump in with regulations
17
Healthcare Risks
• Healthcare information is now a HIGH priority
target for cybercriminals
• A complete health record is worth at least 10x
more than credit card information on the black
market
• Health care records include a treasure trove
of personal information
– Identity theft
– Filing false insurance claims
– Obtaining prescription medications
18
Healthcare Risks
• Security protections currently in place in the
healthcare industry tend to lag behind those in
the banking and financial sector
• Health information seen as “low hanging fruit”
• FBI warned in August 2014 that hackers were
possibly seeking PHI
19
Anthem
• On February 4, 2015 Anthem disclosed that it
was the victim of a “very sophisticated”
cyberattack
• Exposed the birthdates, social security
numbers, medical ID numbers, street and
email addresses and employee data of 80
million customers and employees
• Data was not encrypted in its database
20
Anthem
• Hack believed to have begun with phishing e-mails
sent to a handful of its employees
• The e-mails were used to trick the individuals
into visiting malicious websites or executing
malware
21
Anthem
• FBI investigating the breach
• HHS Office of Inspector General
working with law enforcement
• State Attorneys General looking into the
breach
• Numerous class action and individual
lawsuits filed in several states
• Reputational Harm: Anthem = Breach
22
HIPAA Enforcement
• HIPAA enforcement has changed dramatically
since 2011 as evidenced by some recent
high-profile and high-penalty enforcement
actions taken by OCR
– HITECH increased monetary penalties available for HIPAA
violations
• CEs and BAs must also be on the alert for
actions by state Attorneys General, potential
class action lawsuits, OCR’s HIPAA audit
program, and even FTC investigations
23
OCR Enforcement
• Skagit County, WA (March 2014)
– First settlement with a county government
– For 2 weeks Skagit County disclosed the ePHI
of 1,581 individuals by providing access to the
ePHI on its public server
– Failed to provide notification to all of the
individuals whose ePHI had been compromised
– Failed to have sufficient policies and
procedures in place
– Paid $215,000 and entered into a three-year
corrective action plan (“CAP”)
24
OCR Enforcement
• Concentra Health Services and QCA Health Plan, Inc.
of Arkansas (April 2014)
– Stolen, unencrypted laptops
– Concentra paid $1,725,220 plus CAP
– QCA paid $250,000 plus CAP
25
OCR Enforcement
• Anchorage Community Mental Health Services
(December 2014)
– Breach of unsecured ePHI that affected 2,743
individuals.
– Breach resulted from malware compromising the
security of ACMHS’ information technology
resources.
– Failed to conduct a thorough risk assessment and
implement reasonable and appropriate security
policies and procedures.
– Paid $150,000 and entered into a two-year CAP
26
Lessons Learned
• Appropriate Safeguards can prevent
breaches:
– Evaluate the risk to e-PHI when at rest on
removable media, mobile devices and computer
hard drives – Conduct a RISK ANALYSIS
– Take reasonable and appropriate measures to
safeguard e-PHI – policies and procedures
– Encrypt data stored on portable/moveable devices
& media
– Consider appropriate data backup
– Train workforce members on how to effectively
safeguard data and report security incidents
27
HHS HIPAA Audits – Phase 2
• Primarily internally staffed
• Selected entities will receive notification and
data requests
• Entities will be asked to identify their BAs and
provide their current contact information
• Will select BA audit subjects
• Significant noncompliance can lead to a
formal investigation by OCR
– Backdoor enforcement tool
28
FTC Enforcement
• LabMD
– FTC used general security enforcement
approach
– Wanted monitoring for 20 years
• Mobile applications
• FTC reviewing potential rules for mobile
devices and applications
• Health care is part of this review
29
State Attorney General Enforcement
• State Attorneys General have started to
exercise the authority granted by HITECH to
bring civil actions on behalf of state residents
for violations of HIPAA
• Connecticut, Vermont, Massachusetts,
Minnesota AGs have brought actions under
HIPAA
• Minnesota went against a BA
• Many looking into Anthem breach
30
Data Breach Class Actions
• Examples:
– Tenet Health – settled a 17-year-old breach case
for $32.5 million in October 2014.
– AvMed settled a class action for $3 million last
October where 2 unencrypted laptops contained
AvMed health plan member PHI
– Community Health Systems – faces a class action
brought over the data breach that it reported on
August 18 (4.5 million customers affected)
– Anthem
31
Employer Liability
• Walgreens
– Indiana jury awarded $1.44 million to a
Walgreens customer due to allegations
that a Walgreens pharmacist improperly
used and disclosed the customer’s
prescription information
– Rogue employee in a love triangle
– HIPAA used as standard of care
– Walgreens found 80% liable
– Upheld on appeal
32
Recommendations
• CEs and BAs must:
– conduct thorough risk assessments and
appropriately update the same
– develop and update robust HIPAA policies and
procedures – including use of encryption
– conduct ongoing HIPAA training and awareness
programs with all staff
– make sure agreements are in place with all BAs
and subcontractors having access to PHI
– place emphasis on the risks, use and
safeguards of portable electronic devices, which
are frequently at the center of a data breach
33
Questions
Presented By:
Gregory M. Fliszar, J.D., Ph.D.
Philadelphia
gfliszar@cozen.com
35

PACT Cybersecurity Series Event, speaker Gregory M. Fliszar, Esq. of Cozen O'Connor, February 26, 2015
