CBA Record, February/March 2016

Responding to Security Incidents and Preparing for HIPAA Audits

By Daniel A. Cotter, CBA Editorial Board

At a recent meeting of the CBA Health Law Committee, Associate Caitlin C. Podbielski and Shareholder Bruce A. Radke at Vedder Price discussed cybersecurity in the healthcare space, including responding to security incidents and preparing for HIPAA audits.

Podbielski and Radke opened by discussing data regarding cybersecurity breaches by type of entity, with healthcare representing 66% of all recent breaches. Radke noted that the retail breaches get the most public attention, but the healthcare attacks continue to rise in numbers. Radke next noted that almost one-third of all breaches were by unintended disclosure, such as misdirected e-mails. Previously, the number of breaches that occurred by losses of laptops and portable devices was higher, but that percentage has diminished in recent years because of the prevalence of devices featuring encryption tools. Radke also said that FBI personnel indicated at a recent briefing that in many healthcare attacks, the data is not being collected for commercial purposes but rather for information on individuals for use in some unknown future way.

Podbielski next discussed recent trends in litigation, noting that the issue of standing in the cyber breach context was a major issue. Podbielski noted the adverse ruling by the 7th Circuit Court of Appeals in the 2015 Neiman Marcus decision, but advised that the Illinois courts have issued some good rulings for businesses on data breach and healthcare failures in the last year or so. Radke stated that one way plaintiffs are trying to satisfy the “injury in fact” requirement is by pleading statutory claims to show actual injury resulting from the cyber breach. Radke also advised that fraud claims with respect to alleged misrepresentations in privacy and security policies are common. Radke explained that these fraud claims typically involve allegations that defendants do not have adequate policies and procedures in place in light of language included in privacy notices that the collector of data will take “all commercially reasonable measures” to secure data.

Podbielski discussed the healthcare breaches that have been in the news the last few years, and advised that every organization of any size is a potential target. She then advised the group on enhanced enforcement activity by the U.S. Department of Education Office of Civil Rights (“OCR”) in its HIPAA audits after the Office of Inspector General Report on OCR Enforcement Activity was published in September 2015. The Report concluded that “OCR should strengthen its oversight of covered entities’ compliance with the Privacy Rule.” Podbielski and Radke also advised that OCR was developing revised protocols to ensure greater consistency in the OCR audit process. Podbielski noted that Phase 2 audits by OCR were to have commenced in late 2014, but in October 2015, OCR advised that the audits would commence early in 2016. The Phase 2 audits will encompass not only covered entities but also business associates. A protocol for these Phase 2 audits has yet to be published.

Incident or Breach

Podbielski next discussed practices for responding to a security incident, documenting the security incident and preparing for a HIPAA audit. Radke emphasized that a “security incident” was not equivalent to a “breach” and that it can be confusing distinguishing the two under HIPAA. Radke advised that every organization should have an incident response plan in place prior to an actual breach and that the plan has to take into account who should be alerted and who decides whether to engage outside parties to help with the investigation, how communication might be made, and when action needs to occur.

Radke advised that with the entire response team “at the table,” the first question is whether personal health information (“PHI”) or personal information (“PI”) is involved. If not, then it is possible that there is no obligation to provide notice to affected individuals. Radke stated the next step was to determine if a breach has occurred as defined by HIPAA or state law, and then if there is a breach, questions of who needs to be notified, when they need to be notified, and other details are controlled not only by HIPAA but also by the 47 states with breach notification laws.

Podbielski noted that four factors are crucial in a risk assessment to determine whether a security incident had taken place and whether notice requirements are triggered: 1) the nature and extent of the PHI involved; 2) who used the PHI or to whom disclosure of PHI was made; 3) whether the PHI was acquired or viewed; and, 4) the extent to which the risk to the PHI had been mitigated.

Documenting an Incident

Podbielski next addressed the process for documenting a security incident and detailed a number of factors that favor detailed written documentation, including the fact that the burden of proof rested with the covered entity to show the organization determined that there was a low probability of a breach. Podbielski also

continued on page 54

16 FEBRUARY/MARCH 2016
