
Page 1

This Is Not Your Grandmother's HIPAA: Understanding the Anatomy of a Complex Healthcare Breach

Andrea Leeb & Ann Tobin

UnitedHealth Group

March 10, 2011

Page 2

Managing Complex U.S. Healthcare Breaches

• This presentation:
– Describes the opinions of the presenters and not of their employer
– Assumes audience has knowledge of breach notification laws and regulations and experience managing breaches
– Focuses on incident management issues for complex organizations with large amounts of healthcare information
– Looks at U.S. requirements only

Page 3

Managing Complex U.S. Healthcare Breaches

• Three major themes:

– Document well

– Apply the laws and regulations

– Project manage--contemplating multiple time requirements and different scenarios, adjusting appropriately as incident proceeds

Page 4

Document Well

• “Covered entities and business associates have the burden of proof to demonstrate that all required notifications have been provided or that a use or disclosure of unsecured protected health information did not constitute a breach.” (HHS/OCR Website)

• Federal and State breach notification regulations imply, and sometimes require, that healthcare companies must document their investigative activities and defend their conclusions and actions

Page 5

Document Well

• Healthcare companies should be prepared to demonstrate that cases resolved with or without merit were properly investigated and their decisions based upon reasonable work and evidence, for example:

– Whether PHI and/or PII was involved

– Whether the PHI and/or PII was secure or unsecure

– Whether there was a significant risk of harm

– Whether notifications to individuals were required

– What the number of affected individuals was

– Whether a vendor was involved and whether the vendor was an agent

Page 6

Document Well

• Establish enterprise-wide incident management policies and procedures
– Include enterprise-wide definition of potential and actual privacy and security incidents that are to be internally reported and documented
– Establish clear documentation standards
– Support compliance with federal, state and international laws and regulations

• Create system for maintaining incident management documentation

Page 7

Apply the Laws and Regulations

• Remember that numerous federal and state breach notification laws and regulations could apply to a single incident

• Develop legal and regulatory analytical and practical tools and guidance

• Pay attention to details of breach notification laws and regulations

– No substitute for the actual law or regulation

Page 8

Apply the Laws and Regulations

• Was there an unauthorized acquisition, access, use or disclosure of unsecured personal information (PHI, PI, health information) that compromises the security, confidentiality or integrity of the information?

• Does an exception apply under applicable law or regulation (HIPAA, FTC, State)?--e.g.,
– Exception for no significant risk of harm?
– Exception for not being able to retain the information?
– Exception for unintentional, good faith disclosure to someone acting on behalf of company?
– Exception for inadvertent disclosure within the same Covered Entity?

Page 9

Apply the Laws and Regulations

• Where notification and/or reporting required, determine:
– To whom (individuals, data owner/covered entity, government agency, media)
– When (from date of incident? from date of discovery?)
– What (content of notices and/or reports)
– How (letters, websites, media, phone calls)

Page 10

Incident Response Project Management

Pro-Active Preparation

• Establish team of internal enterprise subject matter experts in advance

• Procure outside resources in advance
– Outside legal counsel

– Forensic firm

– Data breach and cybercrime response firm

– Printing/fulfillment vendor

– Call center vendor

– Credit monitoring company

Page 11

Incident Response Project Management

Pro-Active Preparation (cont'd)

• Prepare tool-kit in advance

– Response procedures and documentation standards

– Contact list for SMEs, including after hours info

– Project management plan template

– Individual notification letter templates

– Customer notification templates (phone calls/letters)

– Website substitute notice templates

– Press release templates for notifying media

– Government agency reporting templates

– Internal escalation process

Page 12

Incident Response Project Management

Phases of Execution

• Detection and discovery

• Intake

• First response and containment

• Data analysis

• Mitigation

• Recovery

• Notifications and reports

• Corrective actions/remediation

• Final internal report and case closure

• Lessons learned and metrics

Page 13

Incident Response Project Management

Scenario-Based Planning

• Determine shortest time from discovery to required notification and/or reporting to:
– Third parties (data owners/covered entities and contractual requirements)
– Government agencies (HHS/OCR, FTC, CMS, state AG, state DOI, etc.)
– Individuals
– Media
– Public (substitute notice on websites)

Page 14

Incident Response Project Management

Scenario-Based Planning (cont'd)

• Plot timeline and dependencies, e.g.,
– Multiple hats worn by company responsible for breach (CE, BA and sub-BA)
– Multiple data owners/covered entities (and varying contractual requirements)
– Multiple government laws and regulations (HHS/OCR, CMS, 50 states)
– Large quantities of different types of data involved and forensic results available for different data over period of time

Page 15

Incident Response Project Management

Scenario-Based Planning (cont'd)

• Plan for external communications, potential responses, and possible changes to project plans

– What if third parties (data owner/CE) don’t accept timeline, legal analysis, plan for individual notifications, or plan for reporting to government agencies and media?

– What if state agency decides to issue press release before data analysis is complete and notices can be sent to individuals, other government agencies, etc.?

– What if individual is dissatisfied and files complaint with a government agency?

– What if major media receives press release and runs with the story?

Page 16

Hypothetical Scenario I

Page 17

Hypothetical Scenario I

Regulatory/Legal Analysis

• Was data secure?
– Encrypted vs. unencrypted data?

• Is there a law enforcement hold?

• Risk of harm analysis (financial, reputational, other)?
– Is this sensitive medical information?
– Will risk of harm analysis vary by members or medical information?

• If risk of harm:
– Patient notification?
– HHS reporting?
– Media notification?

• State agency notification?
– Attorneys General?

Page 18

Hypothetical Scenario I

Project Management Team

• Privacy

• Security/Risk Management

• IT and/or Information Risk Management
– Reproduce records for review

• Legal and Compliance

• Patient Advocacy

• Public Relations/communications
– Prepare talking points
– Potential law enforcement press release and/or internal leaks

• Government Relations

Page 19

Hypothetical Scenario II

Page 20

Hypothetical Scenario II

Regulatory/Legal Analysis

• Date of discovery?

• Law enforcement hold?

• Member notification?
– Federal law
– State law

• Provider notification?
– Federal law
– State law

• Customer notification?
– Employer customers?
– Government customers?

Page 21

Hypothetical Scenario II

Regulatory/Legal Analysis (cont'd)

• Government agency reporting?
– CMS?
– HHS/OCR?
– State attorneys general?
– State departments of insurance?

• Media notice?

• Substitute notice for member letters?

Page 22

Hypothetical Scenario II

Project Management Timing Considerations

• CMS reporting

– no later than 2 business days

• Customers

– Medicaid (by contract--from 1 day to not specified)

– Employer (by contract--from 1 day to not specified)

• State agencies, e.g.,

– CT DOI (5 days after incident identified)

– NJ (in advance of providing individual notification)

Page 23

Hypothetical Scenario II

Project Management Timing Considerations (cont'd)

• Individual notifications
– OCR (without unreasonable delay, but no later than 60 days from discovery)
– States, e.g. FL (without unreasonable delay, but no later than 45 days from determination of breach)
– Law enforcement hold delay

• OCR
– If 500 or more, concurrently with individual notification
– If under 500, with annual filing

• Media
– If over 500 in single state or jurisdiction, concurrently with individual notification

• Substitute member notification
– If necessary, concurrently with individual notification
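As an added illustration that is not part of the presenters' deck, the Python below encodes the outer-bound timing rules stated on slides 22 and 23 and computes the shortest time from discovery to each required notification, the planning step the deck calls for on slide 13. Treating the law enforcement hold as simply deferring the letters, using one mailing date for all individuals, ignoring public holidays in the business-day count, and encoding only the FL and CT rules named on the slides are assumptions of this example.

```python
from datetime import date, timedelta


def add_business_days(start: date, n: int) -> date:
    """Advance n weekdays (Mon-Fri); public holidays are ignored (assumption)."""
    while n > 0:
        start += timedelta(days=1)
        if start.weekday() < 5:
            n -= 1
    return start


def notification_deadlines(discovery, determination, affected_by_state,
                           cms_reportable=False, hold_until=None):
    """Outer-bound dates (ISO strings in and out) for the obligations named
    on slides 22-23. affected_by_state maps state code -> affected count.
    Assumes one mailing date for all individuals, so the earliest applicable
    bound governs the letters; only the FL and CT rules from the deck are encoded."""
    disc = date.fromisoformat(discovery)
    det = date.fromisoformat(determination)
    # HHS/OCR: individual notice no later than 60 days from discovery.
    individual = disc + timedelta(days=60)
    # FL: no later than 45 days from determination of breach.
    if affected_by_state.get("FL", 0) > 0:
        individual = min(individual, det + timedelta(days=45))
    # Law enforcement hold delays the letters (assumption: bound moves to hold end).
    if hold_until:
        individual = max(individual, date.fromisoformat(hold_until))
    out = {"individual notice": individual}
    total = sum(affected_by_state.values())
    # OCR report: 500 or more -> concurrent with letters; under 500 -> annual filing.
    out["HHS/OCR report"] = individual if total >= 500 else "annual filing"
    # Media notice: over 500 in a single state or jurisdiction -> concurrent.
    if any(n > 500 for n in affected_by_state.values()):
        out["media notice"] = individual
    # Regulator reports that run from discovery, not from the letters.
    if cms_reportable:
        out["CMS report"] = add_business_days(disc, 2)  # no later than 2 business days
    if affected_by_state.get("CT", 0) > 0:
        out["CT DOI report"] = disc + timedelta(days=5)  # 5 days after identified (= discovery)
    out = {k: v.isoformat() if isinstance(v, date) else v for k, v in out.items()}
    earliest = min(v for v in out.values() if v != "annual filing")  # ISO strings sort by date
    return out, earliest


if __name__ == "__main__":
    # Constructed sample: 1,150 members in three states, CMS-reportable, discovered 2011-03-10.
    deadlines, first = notification_deadlines("2011-03-10", "2011-03-15",
                                              {"FL": 300, "CT": 800, "NJ": 50}, cms_reportable=True)
    print(first, deadlines)
```

The returned `earliest` value is the date that drives the project plan; the per-obligation dictionary shows which rule set it.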

Page 24

Hypothetical Scenario II

Scenario-Based Project Management

• What if customers' legal analyses differ from yours and/or from each other's?

• What if you notify a state agency or law enforcement soon after discovery of the incident and the agency issues a press release?

• What if the media publishes a story about the incident?

• What if customers or regulators demand changes to your approach or your letter?

• What if you have to post a substitute notice on your website during open enrollment?

Page 25

In Conclusion

• Remember:

– Document well

– Apply the laws and regulations

– Project manage--contemplating multiple time requirements and different scenarios, adjusting appropriately as incident proceeds

Page 26

Questions?