1

2

3

- Hospitals’ duties to protect patient and employee data
- Risks to data
- Actions that can prevent loss or theft
- Actions to respond to data breaches

4

5

- HIPAA Privacy and Security Rules
- Washington Uniform Healthcare Information Act
- Hospital privacy policies coupled with consumer protection statutes
- Common law duty of care

6

- 45 C.F.R. § 164.530(c) requires covered entities:
  - to have appropriate administrative, technical, and physical safeguards to protect the privacy of PHI; and
  - to safeguard PHI from intentional or unintentional disclosure in violation of HIPAA.

7

- 45 C.F.R. § 164.306 requires covered entities, among other things:
  - to protect against reasonably anticipated threats to the security of ePHI;
  - to protect against reasonably anticipated misuses or disclosures of ePHI;
  - to assure that their workforces comply with the Security Rule; and
  - to obtain assurances of confidentiality and security from their contractors.

8

- 45 C.F.R. §§ 164.308(a)(1)(ii)(A) & (B) require covered entities to engage in risk analysis and risk management to reduce risks to the security of ePHI to a reasonable level.
- 45 C.F.R. §§ 164.310(a)(2)(ii) & (d)(1) require covered entities to implement policies and procedures to safeguard their physical facilities, hardware, software, and electronic media to protect against theft. (Though 164.312(a)(2)(ii) is “addressable,” it will apply to hospitals.)

9

- A Medicare rule, 42 C.F.R. § 482.24, requires hospitals to assure that:
  - patient records are confidential;
  - unauthorized persons cannot gain access to or alter patient records; and
  - patient records are released only to authorized persons in accordance with law.

10

- A section of the UCHIA, RCW 70.02.150, requires health care providers to implement reasonable safeguards to secure health care information.
- RCW 70.02.170 provides that patients may recover actual damages (though not consequential or incidental damages), attorneys’ fees, and costs.

11

- Hospital privacy policies may assure patients that their information will be kept confidential.
- In other contexts, the FTC has brought unfair trade practice claims against companies that failed to implement adequate security after claiming they would protect consumers’ data. E.g., BJ’s Wholesale Club Consent Order, FTC File No. 0432160 (May 2005).

12

- Plaintiffs in Gibson v. Providence claim that the hospital violated the Oregon Unlawful Trade Practices Act by representing in its privacy policy that it would protect patient data and allegedly failing to do so.
- A similar claim could be brought under the Washington CPA. Potential remedies under RCW 19.86.090 include actual damages, discretionary treble damages, attorneys’ fees, and costs.

13

- Plaintiffs in many data breach cases have claimed that companies that store consumer information have a duty to use reasonable care to protect the information.
- Litigants claim that the various statutes that address information security provide references to establish the elements of that duty.

14

15

- Many data thefts have been reported, but we are probably not experiencing an epidemic of thefts.
- 73 million consumers’ data have been reported stolen or lost in the 12 months ending September 2006.
- Only about 5 million individuals have reported that their data have been misused.

16

- Rather than there being more thefts than in the past, it is likely that data breach notification statutes have uncovered a problem that already existed.

17

- General employees
  - Janitors copied information from paper charts left at a hospital’s workstations; clerks at another hospital copied data.
- IT employees
  - An IT director emailed a large number of patient records to his home computer.

18

- Contractors
  - The University of California at San Francisco hospital hired a transcriptionist to transcribe tapes. A Pakistani sub-sub-contractor threatened to post confidential medical information on the Internet unless she were paid a certain amount of money.

19

- Walk-in thieves
  - A laptop used for patient registration in an E.R. was stolen; a desktop computer with ePHI at a clinic was stolen after hours.
- Thieves who steal laptops from employees’ cars
  - Numerous laptops with confidential information have been reported stolen.

20

- Electronic penetration
  - In May 2005, attackers accessed CardSystems Solutions' networks. They found a treasure trove of unencrypted credit card data.
  - In March 2004, a credit card database was stolen from BJ's Wholesale Club. Three million customers’ card data were exposed to international crime gangs who produced counterfeit cards and made millions of dollars in fraudulent purchases.

21

- Electronic penetration
  - Hospital systems may be penetrated as well.

22

23

- Contractors experienced with hospital security issues can spot vulnerabilities that employees fail to notice.
- Electronic security specialists should inspect and test systems, policies, and procedures used to protect ePHI.

24

- As your technology changes and thieves become more sophisticated, security needs to be re-assessed.

25

- Many laptops are stolen and lost. It is unreasonable to store unencrypted data on laptops.
- User-friendly laptop encryption programs are available.
- Alternatively, data needed offsite can be accessed via a VPN.

26

- Employees and contractors who may have access to PHI should be carefully screened.
- Information that may be used for identity theft is valuable and easily converted to cash.
- Only those who can be trusted with access to such valuable information should be permitted access to it.
- There should be video surveillance of areas where PHI is stored.

27

28

- RCW 19.255.010 requires businesses to promptly notify individuals whose computerized personal information is reasonably believed to have been obtained by an unauthorized person.
- “Personal information” means an individual’s first name or initial and last name, combined with an SSN, driver’s license number, State ID card number, or account or bank card number.

29

- Note that the Washington data breach notice statute applies only to computerized data.
- It may nonetheless be prudent to notify individuals if a paper record with personal information is stolen.

30

- Notice must be in writing or sent electronically in a manner that complies with E-Sign (i.e., by e-mail to an address supplied by the patient),
- unless the costs of notice would exceed $250,000, in which case substitute notice by e-mail, web posting, and statewide media disclosure may be used.

31

- Notify internal officials
- Investigate what information was obtained and determine how
- Determine who should be notified – individuals, law enforcement, regulators, others?
- Send notifications
- Respond to inquiries, litigation
- Correct security flaws, remediate damages

32

- CPO, CSO, CIO, GC, and outside counsel should be informed of the incident and of available information.
- Written communications to and from counsel should be marked “attorney-client privileged.”

33

- A team should be designated and tasked:
  - to manage the investigation,
  - to contact law enforcement (if there was a theft),
  - to coordinate media strategy, and
  - to supervise the notice process.

34

- What information was accessed or stolen?
- Were “computerized data” and “personal information” obtained by an unauthorized person?
- If computer forensics, network security, or private investigators are needed, they should be hired by counsel to permit him or her to advise you. The consultants’ reports should be privileged.

35

- Notify senior management and the board.
- Notify law enforcement of theft.
- Discuss with law enforcement whether to delay notifying others.
- Create lists of any potentially affected individuals, with notice addresses.
- Notify CMS, JCAHO, State AG?
- Notify employees, media?

36

- If individuals are to be notified:
  - decide whether to outsource notice;
  - decide whether to offer credit monitoring and other services (one year of credit monitoring is standard);
  - draft notice letters with potential litigation in mind;
  - train operators for a call-in center; draft scripts; and
  - post important information and FAQs on your website.

37

- Notices to regulators should concisely explain what occurred and what remediation steps have been and are being taken.

38

- Respond to inquiries from individuals, employees, and the media honestly, but with an understanding that everything you state may be used in court.
- Be prepared to defend against a class action, especially if any information is misused. Emotional distress alone should be insufficient for plaintiffs to avoid dismissal.

39

- Immediately correct all vulnerabilities that may have contributed to the breach:
  - institute secure transport and storage of backup tapes;
  - encrypt ePHI and personal information on laptops;
  - revise procedures to account for copies of patient data; and
  - assure that video surveillance of areas where data are stored is functioning properly.

40

- If your computer network was penetrated, prepare for additional attacks when the breach is disclosed.
- If individuals can show they suffered fraud related to the breach, compensate them.
  - Your claims specialist should review fraud claims.
  - Experts estimate that 1-4% of the population have experienced “identity theft.”
  - You should compensate only fraud that was probably caused by the breach at your hospital, not by another event.

41

42

- Please fill out the evaluation.