Late last year, the South Dakota Supreme Court made a very significant decision relating to the medical peer review privilege in South Dakota. Boyce Law Attorney Matthew D. Murphy recently published an article on the topic in the Medlaw Update for the DRI. It can be found here.
Many data privacy and security conversations these days inevitably lead to discussions about cyberliability insurance policies. What kind? How much? Is what we have enough? Being relatively new, many cyberliability policies remain highly negotiable, although increased standardization of terms is occurring; however, coverage determinations by Courts are few, leaving clients in a somewhat precarious or uncertain position. Until Courts are presented with opportunities to provide additional coverage guidance, clients are left to their own devices to negotiate the terms and conditions of their cyberliability coverages. The prevalence of security incidents is bound to increase, so insuring against data breach risk will remain an important risk management tool. Here are a few items to watch out for when procuring cyberliability coverage.
- Amount of Coverage
Quite literally, the million dollar threshold question needing answering is: how much coverage do I need? While there are many types of data breaches, breaches of protected health information are the most costly. According to a 2016 IBM-sponsored study conducted by the Ponemon Institute, the average cost of a data breach for health care organizations was $355 per record. This number can be used as a starting point in determining the amounts and types of coverage a company may need to protect itself from a data breach.
- Inception Dates—Retroactivity
For first-time purchasers of cyberliability coverage, retroactive dates are crucial. Oftentimes the retroactive date is set as the date the policy is procured, or the inception date. This could create a problem because any claims arising out of events that occurred prior to the inception date would not be covered under the policy. While this start-date dilemma will “right size” itself as the company continues to renew coverage, it remains a crucial issue when first procuring cyberliability coverage.
It seems we can’t have a conversation about data security these days without mentioning ransomware. Public and private companies are reporting increasing numbers of ransomware attacks, and health care providers and business associates are no exception to this trend.
Ransomware – What is it?
At its most fundamental, ransomware is a type of malicious software that infiltrates a person or company’s computer system and encrypts certain data that is stored electronically. Essentially, ransomware locks users out of accessing their data until a “ransom” is paid. Ransomware may also be used in conjunction with other malware to gain access to IT systems in an effort to steal data housed within the IT system.
Although not expressly mentioned in the Security Rule, a covered entity or business associate’s HIPAA compliance program necessarily must include analyses relating to the potential for, and responses to, ransomware attacks. Risk management plans, risk analyses, and other security assessments should identify threats and vulnerabilities to electronic protected health information (PHI) and a company needs to implement procedures to guard against and detect malicious software, including ransomware.
The Office for Civil Rights (OCR), a division of the Department of Health and Human Services, is the governmental agency responsible for investigating and providing technical assistance to covered entities and business associates on matters of HIPAA compliance. When a deficiency is found in a covered entity or business associate’s compliance with the Security Rule or the Privacy Rule, OCR takes necessary action to remedy the deficiency, including imposing penalties or requiring the covered entity or business associate to enter into corrective action plans.
As of the end of January 2017, OCR reported that the most common HIPAA compliance issues that are investigated are as follows:
- Impermissible uses and disclosures of protected health information (PHI);
- Lack of safeguards of PHI;
- Lack of patient access to their own PHI;
- Use and disclosure of more than the minimum necessary PHI; and
- Lack of administrative safeguards of electronic PHI.
Additionally, the following types of covered entities are the most commonly required to take corrective action in light of a compliance deficiency:
- Private practices;
- General hospitals;
- Outpatient facilities;
- Pharmacies; and
- Health plans.
Complete Wellness, a Baltimore treatment center for patients with behavioral health and substance use disorders, was recently forced to post a Warning of Potential Privacy Violation relating to the loss of an unencrypted flash drive containing information of over 600 patients. The employee who lost the flash drive had downloaded, without authorization, certain patient information including patient name, address, phone numbers, email address, birthdate, age, social security number, languages spoken, emergency contact, level of education, employer information, primary care physician, list of medications at admission, list of allergies, ethnicity, race, marital status, hurricane victim status, living situation, military service, arrest history, and hearing or vision difficulties. Complete Wellness’ post fails to delineate a reason why the employee believed there was a need to put this extremely broad and detailed level of information for over 600 patients on a flash drive.
This incident is a good reminder for providers and other entities handling protected health information (PHI). Strong policies and procedures, including disciplinary procedures, must be implemented to deter employees from making these types of mistakes. IT systems, if possible and if reasonable, should not allow the downloading of PHI onto portable media without a certain level of authorization. And, if it becomes necessary to place PHI on portable media, that portable media must be encrypted and logged/tracked, and it should contain only the absolute minimum amount of PHI necessary for the intended purpose.
Health care facilities, health plans, and business associates are increasingly turning to cloud service providers to store, maintain, and, at times, wholly manage, the covered entity or business associate’s electronic protected health information (ePHI). As covered entities and business associates migrate their data to the cloud, these entities need to take a closer look at their obligations under the Privacy Rule and the Security Rule.
When a covered entity or business associate contracts with a cloud service provider, the cloud service provider is a business associate of the hiring party. As a threshold matter, the covered entity or business associate needs to enter into a HIPAA-compliant business associate agreement with the cloud service provider. This agreement, often used alongside or as an attachment to a larger service-level agreement, establishes the permitted and required uses and disclosures of ePHI by the cloud service provider.
Although we are well under way into the new year, health care providers, health care vendors, technology companies, and group health plans should all take additional time to consider and evaluate their health IT security and privacy program. 2017 promises to be a year filled with news of additional data breaches and compliance updates to the Security Rule.
If your company is evaluating or updating its security and privacy programs, a thorough risk analysis is the key starting point.
Another 2017 Bill the Health Care Group is watching is Senate Bill No. 61. The Bill makes numerous amendments to South Dakota’s statutory scheme governing nurse practitioners and midwives.
Of the more important changes, SB 61 would broaden the scope of advanced practice nursing and medical functions of nurse practitioners and nurse midwives. Under SB 61, nurse practitioners and nurse midwives would be able to prescribe, procure, administer, and furnish pharmacological agents, including over-the-counter, legend, and Schedule II controlled drugs or substances, for indefinite periods of time as opposed to the 30-day limit currently imposed. Additionally, nurse practitioners would be allowed to conduct physical examinations for the determination of participation in employment duties and not just athletics. Nurse midwives’ functions would be expanded to include managing sexually transmitted infections in males.
On January 18, 2017, OCR announced a settlement with MAPFRE Life Insurance Company of Puerto Rico. A USB data storage device containing protected health information of 2,209 individuals was stolen from MAPFRE’s IT department where the device was left overnight. In the Resolution Agreement, OCR found that MAPFRE failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities of the confidentiality, integrity, and availability of MAPFRE’s electronic protected health information and failed to implement security measures sufficient to reduce the risks and vulnerabilities to a reasonable and appropriate level. OCR further found that MAPFRE failed to implement a security and awareness training program for its workforce as well as failed to implement a mechanism to encrypt electronic PHI.
As a part of the Resolution Agreement, MAPFRE agreed to pay HHS over $2.2 million and agreed to comply with a three-year corrective action plan.
The settlement once again shows the importance of ensuring electronic PHI is secured and encrypted and that a covered entity or business associate must implement reasonable and appropriate security measures to protect such electronic PHI.
A covered entity has settled potential violations of HIPAA’s breach notification rule by paying $475,000 and implementing a corrective action plan. On January 9, 2017, OCR announced a HIPAA settlement with Presence Health based on the untimely reporting of a breach of unsecured protected health information. Presence Health is a major health care network serving the State of Illinois and consists of approximately 150 locations, including 11 hospitals and 27 long-term care and senior living facilities.
Presence Health reported, on January 13, 2014, a HIPAA breach that occurred on October 22, 2013. OCR’s investigation found that Presence Health failed to notify the individuals affected by the breach, OCR, and the media without unreasonable delay and within 60 days of discovering the breach, as required by the HIPAA regulations.
OCR’s enforcement action shows the importance of timely reporting of breaches of unsecured protected health information and the need for covered entities to have policies and procedures in place to ensure timely notification.