
Post on 22-Jul-2020


HIPAA 2017: Trends and Tools for New Realities

Nelson Mullins Riley & Scarborough

Tuesday April 4, 2017

Eli Poliakoff

Trish Markus

Roy Wyman

Presenters

Eli Poliakoff (Charleston)

eli.poliakoff@nelsonmullins.com, 843.534.4122

Trish Markus (Raleigh)

trish.markus@nelsonmullins.com, 919.329.3853

Roy Wyman (Nashville)

roy.wyman@nelsonmullins.com, 615.664.5362

Today’s Agenda

• General update HIPAA/HITECH topics

• Lessons from recent HIPAA penalties and enforcement actions

• Frequent Business Associate Agreement sticking points and other hot topics

• Security Rule considerations and ransomware

• Cyber-insurance

• The “Internet of Things” and other issues on the near horizon

• Questions

Recording and additional information to be posted at www.nelsonmullins.com/news/events

Upcoming Webinars

Registration information to be posted at www.nelsonmullins.com/news/events

Tuesday April 25 – Roy Wyman (Nashville)

o Deeper dive into healthcare disruption and new technologies that impact care

o How companies working with health-related data can minimize regulatory burdens

o Artificial Intelligence, Blockchain and the future of healthcare data

o The future of privacy, including the likelihood of further regulation beyond HIPAA.

Tuesday May 23 – Mike Ruggio (Washington, DC)

o What should a healthcare provider executive do if the U.S. Attorney’s Office comes knocking?

HIPAA/HITECH Refresher

Health Information Technology for Economic and Clinical Health Act ("HITECH Act") - February 2009

Interim "Final" Breach Regulations - August 2009

HITECH Proposed Regulations - July 2010

HIPAA/HITECH Final Rule ("Omnibus Rule") - January 2013

Effective Date: March 26, 2013

Compliance Dates: September 23, 2013 and September 23, 2014

HITECH’s Reach

[Diagram: HIPAA (Pre-HITECH) applies directly to Covered Entities; Business Associates are reached only through a Business Associate Agreement. HIPAA + HITECH applies directly to Covered Entities, Business Associates, and Subsequent Recipients ("Business Associate Subcontractors"), linked by a Business Associate Agreement and a "Subcontract".]

New Sheriff in Town

Roger Severino, Director, Office for Civil Rights (OCR), U.S. Department of Health and Human Services

On the HIPAA/HITECH Horizon

• HITECH Pending Regulations

• Accounting Rule

• Minimum Necessary

• "HIPAA Whistleblower"

• HIPAA Audit Program


Lessons from Recent OCR Activity

• Encryption – Feinstein, Care New England, MAPFRE, Children’s

• Removal of mobile devices – Feinstein, Catholic Health Care Services

• Governance – Oregon Health & Science U.

• Timely addressing of known security risks – Oregon Health & Science U., U. of MS Medical Center, MAPFRE

Lessons from Recent OCR Activity

• Timely breach notification – Presence Health

• Security risk analyses – North Memorial, Feinstein, Advocate, St. Joseph, Catholic, MAPFRE, U. Mass Amherst

• Updated BAAs – North Memorial, Raleigh Orthopaedic Clinic, Advocate, Care New England

• Policies and procedures – Lincare, Complete P.T., Feinstein, Catholic, Advocate


Reminder: Aggravating/Mitigating Factors Considered

• In assessing penalty, HHS will consider:

o Nature and extent of violation

o Nature and extent of harm (physical, reputational, financial, or inability to obtain health care)

o History of prior HIPAA compliance by entity (previous violations, corrections of noncompliance)

o Financial condition of noncompliant entity

OCR Guidance on Medical Record Copy Fees

• Medical Records Requests

• When do copy fee restrictions apply?

• What are the fee restrictions? How does state law apply?

• Methods of Communication

• Email, fax, text – pros, cons, and approaches


Sticky BAA Provisions

• Subcontractors

• Security incidents

• Indemnification

• No offshoring

• Encryption

• Time frames


Prepare for OCR/Other Enforcement

• BAAs executed with BAs

• Policies

• Training

• Security Rule risk assessment

• Prior internal decisions about breaches

• Know where your internal documentation is

• Be responsive


Security Rule and Compliance: The Practical

• Penalties do not require a breach or loss of privacy or security

o Compliance with the Security Rule ≠ IT Security

• Chart your compliance

o A nice set of policies ≠ compliance

• Fit your HIPAA program within a broader compliance program

Ransomware

• Ransomware = unwanted encryption + a demand for ransom

o Fastest growing malware threat.

o $1 Billion in losses in 2016, per FBI estimate.

• Attack scenarios: websites (including ads), email attachments, bad software

• Not all ransomware is the same

o Some can extract data from the affected computer (passwords, PII, etc.)

• How to avoid: use the same protections as other malware

• Be prepared: a quick response is critical

o Implement a Ransomware Response Plan to act quickly

o Have backups ready

HHS Guidance on Ransomware

• Guidance released July 11, 2016

• Ransomware on a CE's or BA's computer systems is a "security incident"

• Any encryption of ePHI by ransomware is presumed a "breach"

o "Control" of data, even if it can't be viewed, is a "disclosure"

o Must report unless there is a “…low probability that the PHI has been compromised,” based on:

Nature and extent of ePHI involved (usually everything);

The unauthorized person to whom the disclosure was made (known bad guy);

Whether the ePHI was actually acquired or viewed (exfiltration capability?); and

The extent to which the risk to the ePHI has been mitigated (can it be mitigated?).


The $7B "Immature Market"

[Chart: Cybersecurity Gross Premiums (in billions), y-axis 0 to 8, for 2012, 2015, 2018* and 2020*. *Estimated]

Basics of cyber liability insurance

• When you've seen one policy, you've seen one policy

• Potential limitations:

o Indemnification

o Contractual Obligations

• Bottom line: Know what you're buying.

• When there's a breach:

o Call the rep

o Make sure counsel, forensics are pre-approved.

2017 and Beyond

• Internet of Things and security (e.g., connected medical devices)

• Privacy and security rules for non-covered entities and non-BAs.

• Increased attention to vendors (BAAs and Subcontractors)

o Vendor Assessment Process

o Tracking BAAs

• Assume Failure—Segmentation; DMZs and Risk Management

• The Unexpected

o Blockchain?

o AI?

Questions?
