Emerging Risks for Healthcare P&C Brokers April 3, 2014 1 Agenda вЂў 9:00 Introduction Lindy Hardman, Beazley Broker Relations вЂ“ Western Region вЂў 9:00 Healthcare Regulatory Requirements Carolyn Conners and Kelly Webster, Beazley Underwriters HML вЂў 9:30 Healthcare Claims Trends Kati Bynon, Beazley Healthcare Claims вЂў 10:00 Break вЂў 10:10 Stages of Risk During a Data Breach Alex Ricardo, CIPP\US, Beazley Breach Response Services вЂў 10:30 HITECH: The Final Rule Lynn Sessions, Partner at Baker Hostetler вЂў 11:00 Q&A 2 Healthcare Regulatory Liability Carolyn Conners and Kelly Webster Beazley Healthcare Management Liability 3 Healthcare Regulatory Environment вЂў Healthcare fraud is estimated between $60B to $200B each year вЂў In 2009 the Attorney General and Secretary of Health and Human Services (HHS) created the Health Care Fraud Prevention and Enforcement Action Team (HEAT) вЂў Federal and state governments outsourcing oversight responsibilities вЂў The GovernmentвЂ™s ROI - for every dollar spent fighting fraud and abuse $8 is recovered. вЂў ICD-10 will replace ICD-9 вЂ“ Oct. 1, 2014 (Oct. 1, 2015) 4 Recoveries вЂў In fiscal year 2013, the DOJ obtained $3.8B from fraud. Of this amount $2.6B were health care fraud recoveries. вЂў Since January 2009 total recoveries under the False Claims Act were over $17B, of this $12.1B were in Federal health care dollars. вЂў In the fiscal year 2012, RAC collected $2.4B in overpayments. вЂў In 2012 whistleblowers earned more than $439M in share awards. вЂў Fiscal year 2013 there were 3,214 exclusions of individuals and entities. вЂў For FY 2013 there were 472 civil actions of individuals and entities. 5 WhoвЂ™s Watching? вЂў Department of Justice (DOJ) вЂў Office of Inspector General (OIG) вЂў Department of Health & Human Services (HHS) вЂў Centers for Medicare & Medicaid Services (CMS) вЂў Medicare and Medicaid Contractors o Zone Program Integrity Contractors (ZPICs) o Medicare Administrative Contractors (MACs) o Medicaid Integrity Contractors (MICs) o Recovery Audit Contractors (RACs) вЂў Whistleblowers вЂў Federal, state and municipal governments вЂў Commercial Payors вЂў Competition вЂў Press 6 Fraud and Abuse Laws вЂў False Claims Act вЂ“ o Prohibits individuals and businesses from submitting false or fraudulent claims for payment to the government (applies to all government programs) o 1863, 1943, 1986 o Qui Tam вЂњWhistleblowingвЂќ provision вЂў Anti-Kickback Statute o Illegal kickbacks for referring patients вЂў Stark Law o Physician Self-Referral Act вЂ“ the act of referring a patient for services to a facility in which the physician has a financial interest вЂў Exclusion Statute o Physicians who have been excluded from Medicare can not directly or indirectly bill the government for services вЂў Civil Monetary Penalties Law o The Social Security Act authorizes HHS to seek civil monetary penalties and exclusion for certain behaviors 7 Annual FCA Recoveries by Industry *Gibson Dunn 2013 Year End False Claims Act Update 8 False Claims Act New Matters *Gibson Dunn 2013 Year End False Claims Act Update 9 Fines & Penalties вЂў HIPAA o Civil and criminal penalties of $50K per violation with an annual maximum of $1.5M. вЂў EMTALA o Hospital or Physician fines of up to $50K per violation вЂў False Claims Act. o $5,500 - $11,000 for each item or service improperly claimed, and an assessment of up to three times the amount improperly claimed. вЂў Anti-Kickback. o Criminal fines up to $25K and 5 years in prison for each violation. Civil fines up to $50K per violation and up to 3 times the amount of the kickback. вЂў Stark. o Civil fines and penalties of up to $15K for each service as well as up to 3 times the amount claimed. 10 GovernmentвЂ™s Targeted Healthcare Industries вЂў Pharmaceuticals вЂў Medical device / Durable medical equipment вЂў Hospitals вЂў Nursing homes / Assisted living / Long term care вЂў Residential treatment facilities вЂў Mental health organizations вЂў Hospices вЂў Home health agencies вЂў Nursing facilities 11 Examples of violations вЂў Billing for services not rendered вЂў Medically unnecessary вЂў Unbundling вЂў Bundling вЂў Double billing вЂў Up-coding вЂў Billing for brand вЂў Kickbacks вЂў Improper referral arrangements 12 Emerging Trends вЂў Meaningful use audits вЂў Executive compensation вЂў Readmission penalties вЂў Whistleblowers вЂў Reverse False Claims вЂў Self Disclosure Protocol вЂў Commercial payor audits 13 Risk Transfer Solutions Directors & Officers вЂў Sublimit of up to $1,000,000 вЂў Coinsurance as high as 50% вЂў Retentions averaging $1,000,000 вЂў Damages rarely cover fines and penalties вЂў Typically defense only вЂў Claim triggers vary Standalone Regulatory Liability вЂў Up to$10,000,000 capacity available on primary вЂў Ability to structure towers of capacity вЂў Fines and penalties covered вЂў Lower coinsurance вЂў Very early claim trigger 14 Expenses Resulting from Regulatory Actions вЂў Legal fees вЂў Shadow auditors / billing consultants / Forensic auditors вЂў Medical experts вЂў Public Relations вЂў Civil and criminal fines and penalties вЂў Data management consulting вЂў Cost of Implementing a Corporate Integrity Agreement вЂў Cost of implementing Compliance Program / Employees / Training вЂў Disgorgement of profits / restitution 15 Best Practices for Health Care Providers вЂў Compliance officer вЂў Compliance plan вЂў Board needs a system for candid reporting вЂў Active compliance helpвЂђline (and follow up) вЂў Effective compliance training program вЂў Robust audit function (Internal and external) вЂў Written policies, procedures, standards of conduct вЂў Thorough exclusion screening process вЂў Favorable benchmarking against similar area providers вЂў Credentialed coders 16 Underwriting вЂў The nature of the organization вЂў Officer position structure вЂў Audited financials вЂў Payor Mix вЂў Compliance program review вЂў Billing practices вЂў Prior claims вЂ“ outcome вЂў Audits conducted by government contractors and the outcome (appeal success rate) вЂў Application (including required attachments) вЂў Conference call or face to face meeting for larger insuredвЂ™s 17 Claim Examples Organization Damages Allegations Florida-based sleep diagnostic company $15.3M settlement. False claims misrepresenting technician credentials Urgent Care Chain $10M settlement. Unnecessary allergy, virus and respiratory testing upcoding Florida health system $26M settlement. Miscoding outpatient service claims as more expensive inpatient services. вЂ“ whistleblower вЂ“ State & Federal FCA Largest healthcare system in Utah $25.5M settlement. Violated FCA by engaging improper financial relationship with referring physicians South Carolina hospital $39M verdict. Improper patient referrals Rhode Island Health System $2.6M in disgorgement and $2.7M in damages Doctors billed Medicare and Medicaid for unnecessary overnight hospital stays Medical Center in Iowa 406K settlement The OIG alleged that they employed an individual that it knew or should have known was excluded Texas dialysis provider $7.3M settlement. Billing for phantom services in violation of FCA by charging for more of a drug than actually administered. Whistleblower received $1.3M Medical Center in KY Ongoing investigation Alleged that the medical center completed 28% more heart stents than any other hospital in the area 18 Regulatory Resources 19 Specialty title slide grey Healthcare Claims Trends Kati Bynon Healthcare Claims Manager April 3, 2014 Overview: What is everyone feeling? What Are You Feeling пѓ� пѓ� пѓ� пѓ� пѓ� пѓ� Some types of cases getting a little harder to resolve? Cases lifespans are increasing? Increased anxiety? Verdicts getting bigger? Settlement values creeping up? Legal expenses increasing? What WeвЂ™re Seeing пѓ� ItвЂ™s NOT your imagination пѓ� Claims environment is changing пѓ� Certain classes of claims are becoming more difficult to settle for reasonable amounts пѓ� ItвЂ™s not all Claims! Claims Environment вЂ“ Claims vs. Actuaries Claims We are currently managing approximately 3,000 open claims across our Hospital, Long Term Care and Miscellaneous Medical portfolios. Risks range from primary duty to defend accounts with low retentions, to accounts with very large underlying amounts. пѓ� Claims are viewed on a Year of Account basis. пѓ� Good at providing current on the ground observations and perceived trends. пѓ� Weak at providing historical context. пѓ� Perceptions can be subjective. Actuarial The Beazley Healthrate database is populated with 617,000 Professional Liability claims from hospitals submissions, from 1991 to 2013, and represents 39% of the nationвЂ™s hospital beds. пѓ� Actuarial trends are retrieved from losses by closed date. пѓ� Good at providing historical perspective on loss development. пѓ� Rearward looking. пѓ� Less useful at picking up emerging trends. In California our database is representative of 44% of the beds Claims Perspective пѓ� Volume: Overall volumes are steady, but the number of вЂњlargeвЂќ claims is increasing пѓ� Size: The big claims are getting bigger. Plaintiffs are trying to make $10m the new $5m. Our highest paid claims have all been made in the last 12 months пѓ� Venue: вЂњBadвЂќ states seem to be getting worse, but the вЂњgoodвЂќ states are getting tougher as well пѓ� PlaintiffsвЂ™ Bar: Top tier plaintiffsвЂ™ firms are getting more aggressive and demanding more. More often than not, severe cases are requiring multiple mediations пѓ� Anxiety: Certain insureds seem to be more anxious and likely to overpay Actuarial Perspective and Severity Claim Trends вЂ“ Overall vs Tort Reform California Claims Severity Average incurred cost per closed claim California Claims Severity Average incurred cost per closed claim limited to $2m and unlimited $400,000 $350,000 $300,000 $250,000 $200,000 $150,000 $100,000 $50,000 $0 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 Closing Year Limited to $2m Unlimited The trend in California is even more steep when we look at claims severity unlimited. We should note how the gap between limited severity and unlimited is widening, as a sign of a larger number of large claims being paid in the last few years. 7 California Claims Severity Proportion of claims closed above $2m California Claims Severity Average indemnity California Claims Severity Average defense costs Getting Walloped for a $20,000,000 Verdict: The Good Old Days. пѓ� CT: Birth injury trial in CT resulting in a $58m verdict. (May 2011. State Record) пѓ� PA: Birth injury case tried in Philadelphia resulting in a $78m verdict. (July 2012) пѓ� MI: Birth injury trial in Oakland County, MI, resulting in a $144m verdict. (October 2011. State Record) пѓ� FL: Severe neurologic injury to an adult male follow bariatric surgery resulting in a $178m verdict. (January 2012) пѓ� CA: Alleged sexual assault of a 30 year old patient resulting in a $65m verdict. (November 2011) пѓ� CA: Birth injury claim resulting in a $74.5m verdict. (April 2012) пѓ� FL: Long Term Care case in Tampa resulting in a $900m verdict. (February 2012) пѓ� AL: $140m in AL for a Wrongful Death Claim. (December 2012) пѓ� NY: Birth injury claim resulting in a $130m in Nassau County, NY.(April 2013) Not Just the Usual Suspects пѓ� CO: Alleged paralysis to a 36 year old man resulting in a $15m verdict. (April 2012. State Record) пѓ� WY: Alleged paralysis to an adult male secondary to an alleged failure to diagnose a neck fracture resulting in a $9m verdict. (November 2011. State Record) пѓ� ME: Alleged wrongful death of a 44 year old man resulting in a $6.7m verdict. (June 2011. State Record) пѓ� VA: Alleged failure to timely diagnose impending myocardial infarction to a 37 year old resulting to diminished life expectancy. $25m verdict. (February 2013. State Record) And the Settlements Follow AlongвЂ¦ п‚§ IL: Power Rogers & Smith case in Cook County, IL, involving quadriplegia to a 47 year old following a trucking accident resulting in a $25m settlement п‚§ NY: $17.9m settlement for allegations of failure to timely treat infection resulting in quadruple amputation п‚§ GA: $7.5m settlement for alleged overdose of potassium in pediatric patient resulting in brain damage п‚§ AL: $12m settlement for alleged neurological injury in pediatric patient п‚§ IL: $20m settlement for allegations of failing to respond to cardiac arrest post-surgery in three year old resulting in brain damage п‚§ FL: $11.5m settlement for allegations of failure to timely deliver infant plaintiff causing brain damage Recent California Verdicts and Settlements of Note пѓ� Sacramento County (2013)вЂ“ $27m verdict for alleged elder abuse involving the death of an elderly patient. пѓ� San Francisco County (2013) - $38.6m verdict for alleged tetraplegia as a result of the failure to diagnose and treat an evolving ischemic stroke in a 19 year old. пѓ� Santa Clara County (2012) вЂ“ $22m verdict for medical malpractice action involving quadriplegia following medical procedure пѓ� St. Louis Obispo County(2012)вЂ“ $74m verdict for alleged birth injury failure to diagnose vascular injury resulting in amputation of 14 year old leg. пѓ� Sacramento County (2013) - $9m settlement in a birth injury case пѓ� Los Angeles County (2013) $7.5m settlement involving alleged brain damage in infant born after motherвЂ™s ruptured uterus deprived infant of oxygen during delivery. пѓ� Anonymous County (2013) - $10m settlement in a birth injury case Common Factors: 1%вЂ™ers пѓ�Recognized/Successful PlaintiffвЂ™s Counsel пѓ�Poor Liability Pictures пѓ�Potential for Significant Damages пѓ�Inflammatory Facts пѓ�Generally Venued in вЂњBadвЂќ States пѓ�Increased Expectations Drivers/Consequences пѓ� Top plaintiffsвЂ™ firms are demanding a premium. пѓ� Second tier plaintiffsвЂ™ firms want to emulate the top firms. пѓ� Bad cases are becoming more difficult to settle for the usual amounts. пѓ� Cases that would have been settled in the past are being tried, resulting in more large verdicts. пѓ� Increased anxiety among providers and potential for panic-based decisions. пѓ� Increased tension between insureds and insurers. Where do you draw the line? Case Example 1 (What not to do) Facts: пѓ� Alleged anesthesia error during non-invasive procedure on infant patient causing significant neurological injures пѓ� Well known plaintiffвЂ™s counsel пѓ� Difficult venue with multiple excess verdicts пѓ� Minimal expert support Issues: пѓ� Plaintiffs were unwilling to negotiate until a week before trial when they demanded $50m пѓ� Hospital quickly responded with offer after offer, even when they were not being matched in reductions of demand Strategy: пѓ� The strategy was to throw money at the case in the hopes of shutting it down at all costs Outcome: Within 5 working days, the case was resolved for excess of $25m Case Example 2 (What to do) Facts: пѓ� Alleged failure to diagnose and timely treat a developing infection in a then 23 year old woman following delivery of a healthy infant resulting in the amputation of both legs (above the knees) and arms (above the elbow). Issues: пѓ� Significant publicity surrounding plaintiffвЂ™s condition пѓ� Top tier plaintiffвЂ™s firm (Initial Demand of $90m) пѓ� Indefensible from liability standpoint пѓ� Significant future care costs Strategy: пѓ� Dig in, engage in multiple mediations пѓ� United front between Insured/Excess Insurer пѓ� Leverage causation arguments Outcome: Case resolved before trial for $8.5m Holding the Line пѓ�On the big cases, it is not business as usual пѓ�Prepare for trial, not settlement пѓ�вЂњJust say noвЂќ пѓ�Try the right cases пѓ�Partnership between insured, broker and insurer пѓ�Let someone else be the easy target Thank you Kati Bynon t: 646-943-5917 a: 1270 Avenue Of The Americas, 12th Floor, New York, NY 10020 e: [email protected] Stages of Risk During a Data Breach The вЂњnewвЂќ HIPAA Alex Ricardo, CIPP/US Breach Response Services Lynn Sessions, Esq. Baker Hostetler What we are NOT doing today Providing Legal Advice o Informational Purposes Only o You should consult with Privacy Counsel for any decisions surrounding your Incident Response Plan or Data Breach Response Methodology 41 Agenda вЂў Healthcare Breaches and Fines вЂў A Brief Review of Data Breaches and Breach Response вЂў How NOT to Respond to a Data Breach вЂ“ a Case Study вЂў Regulatory Landscape вЂ“ вЂњThe new HIPAAвЂќ 42 Healthcare Breaches & Fines Healthcare Breaches вЂ“ вЂњin the newsвЂќ вЂў June 2013 вЂ“ Bon Secours вЂ“ 5,000 patients due to breach of electronic records вЂў June 2013 вЂ“ University of Florida Pediatric Clinic вЂ“ 5,682 patients and parents due to insider leaking information to criminals вЂў February 2013 вЂ“ Sonoma Valley Hospital вЂ“ 1,350 patients due to internet exposure of unsecured section of website. (sometimes called вЂњGoogle SearchвЂќ-breaches) вЂў January , 2013 вЂ“ Lucile Packard ChildrenвЂ™s Hospital вЂ“ 57,000 patients вЂ“ stolen laptop from physicianвЂ™s car вЂў January 2013 вЂ“ New York Hospital вЂ“ 9,887 patients due to Hurricane Sandy and structural damage to facility and unauthorized individuals on premise 44 Healthcare Breach Litigation & Fines вЂ“ вЂњin the newsвЂќ вЂў January, 2013 вЂ“ FTC Settles with CBR Systems (Blood Bank) for Failure to Protect Data вЂ“ 20 year consent decree вЂў January, 2013 вЂ“ Goldthwait Associates, Pathology Group pay $140,000 to settle claims that patientsвЂ™ PHI was disposed of improperly вЂў January, 2013 вЂ“ вЂў May, 2013 вЂ“ Hospice of North Idaho fined $50,000 by OCR for a 441 person breach Idaho State University вЂ“ $400,000 settlement involving 17,500 patients for violating HIPAA Security Rule вЂў June, 2013 вЂ“ Shasta Regional Medical Center fined $275,000 for CEO and CMO discussing with media on medical services of a patient вЂў August, 2013 вЂ“ Woman awarded $1.44M against Walgreens due to pharmacist sharing prescription history 45 PhysiciansвЂ™ and Clinic Breaches вЂ“ вЂњin the newsвЂќ вЂў April, 2013 вЂ“ Documents containing personal information of patients left on Brooklyn sidewalk after medical supply company closes down. вЂў April, 2013 вЂ“ Family Health Enterprise notifies patients after laptops stolen in office вЂў April, 2013 вЂ“ Patient records found outside an evicted dental clinic in DetroitвЂ™ вЂў March, 2013 вЂ“ Medical assistant stole patient information вЂў February, 2013 вЂ“ Lee Miller Rehab Associates, MD вЂ“ stolen network server вЂў February, 2013 вЂ“ American Home Patient вЂ“ Stolen laptop вЂў February, 2013 вЂ“ Subcontractor responsible for WisconsinвЂ™s River Falls Medical Clinic breach of 2400 clients вЂў January, 2013 вЂ“ PatientsвЂ™ personal information found in dumpster outside dentistвЂ™s office in Aurora, Colorado вЂў January, 2013 вЂ“ ABQ Health PartnersвЂ™ stolen laptop. вЂў November, 2012 вЂ“ Surgical Associates of Utica вЂ“ stolen network server 46 A Brief Review of Data Breaches and Breach Response What is a Data Breach? вЂў Actual release or disclosure of information to an unauthorized individual/entity that relates to a person and that: o May cause the person inconvenience or harm (financial/reputational) п‚§ Personally Identifiable Information (PII) п‚§ Protected Healthcare Information (PHI) o May cause your company inconvenience or harm (financial/reputational) п‚§ Customer Data, Applicant Data п‚§ Current/Former Employee Data, Applicant Data п‚§ Corporate Information/Intellectual Property 48 Types of Data Security Breaches вЂў Improper Disposal of Data o Paper п‚§ Un-shredded Documents п‚§ File cabinets without checking for contents п‚§ Prescription Bottles п‚§ X-Ray Images o Electronic assets п‚§ computers, smart phones, backup tapes, hard drives, servers, copiers, fax machines, scanners, printers вЂў Phishing/Spear Phishing Attacks вЂў Network Intrusions/Hacks/Malware Viruses вЂў Lost/Missing/Stolen Electronic Assets вЂў Mishaps due to Broken Business Practices вЂў Rogue Employees 49 A Simplified View of a Data Breach Response Methodology Discovery of an Event Evaluation of the Event Managing the Short-Term Crisis Handling the Long-Term Consequences Class-Action Lawsuits Theft, loss, or Unauthorized Disclosure of Personally Identifiable Non-Public Information or Third Party Corporate Information that is in the care, custody or control of the Insured Organization, or a third party for whom the Insured Organization is legally liable Notification and Credit Monitoring Regulatory Fines, Penalties, and Consumer Redress Forensic Investigation and Legal Review Reputational Damage Public Relations Income Loss 50 Why we should be careful with the word вЂњBreachвЂќ Perception is Half the Battle o People use вЂњbreachвЂќ too frequently and you donвЂ™t want your customers or regulators to think you are subject to numerous breaches o вЂњBreachвЂќ suggests something bad happened or is going to happen o вЂњBreachвЂќ has legal significance п‚§ Train your Incident Response Team to not use вЂњBreachвЂќ within internal communications as you vet out or investigate the вЂњSecurity IncidentвЂќ 51 How NOT to Respond to a Data Breach A case study DonвЂ™t assume you know the facts. вЂў Entity Affected: Hospital вЂў Incident Details: Hospital did a вЂњdisaster drillвЂќ. Set up 20 laptops, one in each ER suite. To replicate lost power, each laptop was to be set up with all 500,000 EHRs of the hospital. During course of drill, 1 laptop went missing. вЂў Initial Response: Hospital called a press conference to acknowledge a loss of 500,000 EHRs. They held the press conference BEFORE the investigation. вЂў Investigation: Investigation identified time of loss via surveillance cameras in the ER. IT reviewed network logs for downloading the 500,000 EHRs to each laptop and noticed 1 laptop did not receive the 500,000 EHRs. Investigation took 48 hours. вЂў Conclusion: It was forensically concluded that the missing laptop was stolen BEFORE the download of 500,000 records occurred. вЂў Data Format: Electronic вЂў Information Compromised: PHI вЂў Breach Universe: ZERO вЂ“ вЂњNon-EventвЂќ вЂў Aftermath: The hospital had to hold a second press conference about the вЂњfalse alarmвЂќ. 53 Alex Ricardo, CIPP/US Breach Response Services Beazley Group Rockefeller Center 1270 Avenue of the Americas New York, NY 10020 t: +1 (917) 344 3311 c: +1 (646) 477 1321 e: [email protected] For More Information: www.beazley.com вЂњItвЂ™s bad enough a company may possibly face liability from the data breach itself. The last thing you want is to create further liability exposure from how you respond to the incident. Making sure you are kept in the best defensible position possible during the course of your breach response methodology should be a priority.вЂќ The descriptions contained in this broker communication are for preliminary informational purposes only. The product is available on an admitted basis in some but not all US jurisdictions through Beazley Insurance Company, Inc., and is available on a surplus lines basis through licensed surplus lines brokers underwritten by Beazley syndicates at Lloyd's. The exact coverage afforded by the product described herein is subject to and governed by the terms and conditions of each policy issued. The publication and delivery of the information contained herein is not intended as a solicitation for the purchase of insurance on any US risk. Beazley USA Services, Inc. is licensed and regulated by insurance regulatory authorities in the respective states of the US and transacts business in the State of California as Beazley Insurance Services (License#: 0G55497). 54 HIPAA/HITECH UPDATE Lynn Sessions [email protected] @lynnsessions 713.646.1352 Blog: www.dataprivacymonitor.com Lynn Sessions Lynn Sessions focuses her practice on providing legal services to healthcare industry clients, including hospitals, integrated delivery systems, healthcare providers, and academic medical centers. Using her prior in-house experience at Texas ChildrenвЂ™s Hospital, Lynn represents and provides legal counsel to clients on a variety of privacy and data security matters from an in-house counsel and client perspective. Lynn works with clients to ensure they are in compliance with HIPAA/HITECH regulations, develops proactive compliance programs, provides counsel in response to a privacy or data breach, and works with clients to ensure the effective development of preventative data privacy and security measures. Lynn has worked with clients where multiple parties in various states were involved in high stake data privacy security breaches. She is experienced in applying federal HIPAA/HITECH regulations and specific state privacy and breach statutes and the OCR and other regulatory investigations that follow. Lynn has handled internal investigations on a large and small scale. These investigations are focused on protecting health care providers and their customers from privacy and data breaches, and fraud and identity theft. Ms. Sessions has also worked with clients to develop preventative data privacy and security strategies to avoid potential security breaches, including development of policies and procedures, breach response teams and training programs. OCR Resolution Agreements пЃ¶Providence Health & Services ($100K) пЃ¶CVS Pharmacy ($2.25M) пЃ¶Rite-Aid ($1M) пЃ¶Management Services Organization of Washington ($35K) пЃ¶Cignet ($4.3M) пЃ¶Massachusetts General Hospital ($1M) пЃ¶UCLA Health Services ($865K) пЃ¶Blue Cross Blue Shield of Tennessee ($1.5M) пЃ¶Alaska Medicaid ($1.7M) пЃ¶Phoenix Cardiac Surgery, P.C. ($100K) пЃ¶Massachusetts Eye and Ear Infirmary ($1.5M) пЃ¶Hospice of North Idaho ($50K) пЃ¶Idaho State University ($400K) пЃ¶Shasta Regional Medical Center ($275K) пЃ¶WellPoint ($1.7M) пЃ¶Affinity Health Plan ($1.2M) пЃ¶Adult Pediatric & Dermatology, P.C. ($150K) пЃ¶Skagit County ($215K) What Has OCR Said About Enforcement? вЂњThis final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented. These changes not only greatly enhance a patientвЂ™s privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates.вЂќ Director OCR Leon Rodriguez HIPAA Final Rule пЃ¶ Business Associates are directly liable пЃ¶ Assurances of safeguards required пЃ¶ Calculation of CMPs clarified пЃ¶ Breach is presumed пЃ¶ Breach analysis modified пЃ¶ Other clarifications Business Associate Liability пЃ¶ Directly liable for regulatory compliance пЃ¶ Limited to contract with Covered Entity пЃ¶ CE not absolved from reporting responsibility пЃ¶ Both parties may be investigated by OCR/AGs пЃ¶ Both parties may be sued Business Associate Agreements are Critical 60 Calculation of Civil Monetary Penalties (CMPs) пЃ¶ В§160.408 Factors considered in determining the amount of a civil money penalty. пЃ¶ The Secretary MUST consider a list of mitigating or aggravating factors. вЂ“ The nature and extent of the violation (number of individuals affected, time period during which the violation occurred, the п‚§ number of individuals affected. п‚§ time period during which violation occurred. п‚§ the nature and extent of resulting harm (physical harm, reputational harm, or financial harm). п‚§ whether the violation hindered ability to obtain health care (вЂњfacilitatedвЂќ removed). Calculation of Civil Monetary Penalties (CMPs) пЃ¶ The Secretary MUST consider a list of mitigating or aggravating factors вЂ“ The history of prior compliance and attempts to correct indications of noncompliance. вЂ“ Response to technical assistance from the Secretary. вЂ“ Response to prior complaints. вЂ“ Financial condition of CE or BA. вЂ“ Size of the BA or CE. вЂ“ Such other matters as justice may require. What Is A Breach? Baseline definition of a breach remains unchanged. пЃ¶ В§164.402: Breach means the acquisition, access, use, or disclosure of protected health information in a manner not permitted under Subpart E of this part which compromises the security or privacy of the protected health information. Breach Analysis пЃ¶ An acquisition, access, use, or disclosure of protected health information in a manner not permitted . . . is presumed to be a breach пЃ¶ Unless, the CE or BA can demonstrate that there is a low probability that the PHI has been compromised based on a risk assessment пЃ¶ Compromise is not defined Risk Assessment пЃ¶ Risk Assessment вЂ’ Documented вЂ’ Based on at least 4 factors п‚§ п‚§ п‚§ п‚§ The nature and extent of the PHI The unauthorized person involved Whether the PHI was actually acquired or viewed Extent to which any risk has been mitigated Reporting/Notification Obligations пЃ¶ Notification, in situations where the use or disclosure is so inconsequential, is not warranted because it may cause the individual unnecessary anxiety or even eventual apathy if notifications of these types of incidents are sent routinely. пЃ¶ Notification to patients and media within 60 days but substitute notice may occur after depending on circumstances. пЃ¶ Breaches under 500 must be reported no later than 60 days after the calendar year in which they were discovered, not when they occurred. пЃ¶ Notification to the Secretary must occur at same time as notice to individuals for breaches over 500. What does it mean? пЃ¶ пЃ¶ пЃ¶ пЃ¶ пЃ¶ Expect to have more breaches reported Greater scrutiny and enforcement Increased CMP amounts CE and BA relationship tension More litigation вЂ“ Class Action вЂ“ Personal litigation 67 Litigation вЂў Hollenbach v. Catholic Health Initiatives, Case No. 11-10855 (Berks County, Pennsylvania Court of Common Pleas) вЂў Garcia v. Sutter Medical Foundation et al., Case No. RG11604927 (Alameda County, Superior Court) (putative class action complaint alleging violations of the Confidentiality of Medical Information Act) вЂў Atkinson v. Sharp Memorial Hospital, Case No. 37-2011-00102684 (putative class action complaint alleging violation of the Confidentiality of Medical Information Act) вЂў Zacarias v. Eisenhower Medical Center, Case No. INC 1108128 (Riverside County, Superior Court, 2011) (putative class action complaint alleging violations of the Confidentiality of Medical Information Act and Customer Records Act) вЂў Gonzalez v. South Broward Hospital District, Case No. 12-22437 (Broward County, Florida) (putative class action arising from alleged employee theft of patient information) вЂў Burgess v. Blue Cross Blue Shield of South Carolina, N.D. Cal. 2012 (putative class action arising out of the recording of calls to a call center) вЂў Care England In re: Women and Infants Hospital of Rhode Island (Civil Investigative Demand 2013-CPD-18) вЂў Beson v. Park Nicollet Health Service, 12CV02171 (D. Minn. 2012) (putative class action brought pursuant to Fair and Accurate Credit Transactions Act) вЂў Merring v. St. ClareвЂ™s Health System et al, Case No. MRS-L-379-12 (Morris County, Superior Court of New Jersey, 2012) (complaint alleging disclosure of protected health information) вЂў Faircloth v. Adventist Health System et al, Case No. 2013-CA-009369 (Orange County, Florida) (putative class action arising from alleged employee theft of patient information) 68 HIPAA as Standard of Care Hinchey v. Walgreens, Indiana Superior Court (2013) пЃ¶ Jury Verdict of $1.44M пЃ¶ HIPAA does not create private cause of action пЃ¶ HIPAA establishes the standard of care for provider пЃ¶ Walgreens found vicariously liable for pharmacist 69 Regulatory Hot Buttons пЃ¶ пЃ¶ пЃ¶ пЃ¶ пЃ¶ пЃ¶ пЃ¶ пЃ¶ Security risk analysis Risk management plans Encryption Business Associate Agreements Minimum necessary Documentation of breaches Policies and procedures Storing old data 70 Chicago Cincinnati Cleveland Columbus Costa Mesa Denver Houston Los Angeles New York Orlando Washington, DC www.bakerlaw.com В© 2013 Baker & Hostetler LLP Q&A 72