
Privacy and Cyber Security

Cyberattack and data breach preparedness can be handled well if plans are put in place to test and rehearse the handling of security incidents through a Security Incident Response Plan (SIRP). Such a plan is crucial to reducing the legal, reputational, operational, and financial harm arising from cyber attacks. Previously, simply engaging outside legal counsel who knew the legal and regulatory landscape was an important step in reducing potential liability.

However, because of the changing trend in technology, cyber criminals and hackers are usually several steps ahead of people with only regular knowledge of the law. There is, more than ever, a need for counsel to understand how hackers work, what tools they use, and how to fight them both with technology and with the law. Simply hiring outside counsel is no longer good enough. Businesses must now hire outside counsel who understands technology and the way hackers work in order to provide effective cyber security and privacy services to clients.

Companies are constantly creating and storing increasing amounts of information about their customers, business processes, intellectual property, and employees. These data have great value to companies and must be protected. With constant attacks by hackers seeking to retrieve corporate data, companies are investing in ways that promote the security of their data.

Some companies are required by law to follow certain regulations such as HIPAA, the NIST framework and PCI. Companies that do not have robust security and privacy programs in place face increased legal exposure, including the possibility of long-term regulatory consent decrees that could affect their businesses.

HIPAA AND HITECH COMPLIANCE FOR BUSINESS ASSOCIATES

Business Associate Agreements, a contract required under HIPAA and the HITECH Act, enable healthcare organizations to legally work with outside service providers. The agreement covers information that a business may have accessed or could access in the provision of services. This information not only includes actual medical information relating to patients, but also their names, addresses, social security numbers and other identifiers, which are protected by HIPAA/HITECH. 


Many telecommunication companies have recently begun receiving Business Associate Agreements from healthcare entities, including hospitals, clinics, physician offices, public health facilities and similar types of organizations.


The Office of Civil Rights, the governmental entity which enforces HIPAA/HITECH, has published a draft Business Associate Agreement on its website and most healthcare entities either use this draft agreement or something very similar.  However, what is not clear from the Agreement, unless you are familiar with the rules and requirements of HIPAA/HITECH, are the obligations placed on you as a Business Associate once the Agreement is signed.

Before assessing your obligations as a Business Associate you should first make a determination as to whether or not this label is being properly applied to your services. HIPAA Business Associates are those entities who access or could access individually identifiable patient information as part of the services provided.

If all you do is provide the phone lines for the hospital, then your company is a conduit and is not considered a BA.

If you provide internet access but no direct technical support, that is also covered by the conduit exception.

If you provide cleaning services, the service itself does not require access to data, so you are not a Business Associate. However, if you provide technical support, access the provider's systems, provide cloud-based storage, perform data destruction, or could at any point access individual patient information, even by accident, then you are considered a Business Associate.

LIABILITY OF BUSINESS ASSOCIATES

Under the Rules released in 2013, Business Associates are now liable for any privacy or security breach which may occur regarding the information which is within their control. Not only is the Business Associate responsible for the breach and any damage which might occur due to the breach, the Business Associate also has to engage in all of the HIPAA/HITECH assessments required by the rules. This requires among other things:

  • You must have a named privacy officer for the company;

  • You must have a named security officer for the company;

  • You must complete a full security audit with periodic updates;

  • You must have policies and practices in place, including administrative safeguards, to address privacy and security issues;

  • You must provide a log and audit trail for information access;

  • You must have employee training on these items; and

  • You must have an employee disciplinary plan in place for HIPAA/HITECH breaches.


FAILURE TO COMPLY

Business Associates face significant liability for failure to comply.  In the event the Business Associates use subcontractors, the Business Associates bear liability for them. 


IMPENDING AUDIT

It is expected that The Office of Civil Rights (OCR) will audit business associates over the coming five years, beginning in 2015, to determine compliance with all of the technical requirements of HIPAA/HITECH.  


Larger fines are anticipated for violations because Business Associates typically are for profit entities. OCR anticipates larger fines and greater enforcement action for Business Associates in comparison to not-for-profit entities. 

For anyone covered by HIPAA/HITECH, the recent pilot audit program by OCR, as well as prior audits, indicates that the most common privacy issues are: failure to grant appropriate access; non-compliance with the minimum necessary standard (the standard that requires you to release only a limited amount of information, provided that information is sufficient to answer the question); and failure to obtain proper authorizations.

Perhaps more problematic for Business Associates are security concerns, including failure to perform a risk analysis, and issues relating to media storage and disposal where media is not properly encrypted while in storage or is disposed of without proper destruction.

RECENT FINES

$1.2 Million: OCR fined Affinity Health Plan a whopping $1.2 million for the inappropriate re-sale of copy machines whose hard drives contained patient-identifiable information.

Failure to provide proper audit controls and tracking information used or accessed is also a significant issue in many OCR complaints.

$400,000.00: Failure to apply a security patch in a timely manner can lead to a breach. Idaho State University was fined for failing to put the firewall back up after standard maintenance, leaving information exposed for over 10 months. "Idaho State University agreed to pay $400,000 to the U.S. Department of Health and Human Services (HHS) for violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. This settlement involves the breach of unsecured electronic protected health information (ePHI) of 17,500 individuals who were patients at an ISU clinic."

$1.7 million: Alaska Department of Health and Human Services (DHHS) agreed to pay the U.S. Department of Health and Human Services’ (HHS) $1.7 million to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. Alaska also agreed to take corrective action to improve policies and procedures to safeguard the privacy and security of its patients’ protected health information.


OCR’s investigation followed a breach report submitted by Alaska DHHS as required by the Health Information Technology for Economic and Clinical Health (HITECH) Act. The report indicated that a portable electronic storage device (USB hard drive) possibly containing ePHI was stolen from the vehicle of a DHHS employee. Over the course of the investigation, OCR found that DHHS did not have adequate policies and procedures in place to safeguard ePHI. Further, DHHS had not completed a risk analysis, implemented sufficient risk management measures, completed security training for its workforce members, implemented device and media controls, or addressed device and media encryption as required by the HIPAA Security Rule.



Services offered

GDPR

PIPEDA

CCPA

NYDFS

GLBA

HITRUST

HIPAA COMPLIANCE MANAGEMENT

Privacy Incident Response

Technical Implementation

Data Governance

Cloud Governance

DATA BREACH RESPONSE AND LITIGATION

CYBERSECURITY RAPID RESPONSE SERVICES

CYBERSECURITY PREPAREDNESS SERVICES
