Best Practices for HIPAA Compliance and Data Protection for Senior Living Operators


Key HIPAA and Related Challenges: Training Staff, Monitoring and Data Breaches

Joseph Lazzarotti, Esq., CIPP Shareholder, Jackson Lewis


Agenda
▶ Considerations for an effective, efficient and documented training program
▶ Legal and practical issues with monitoring
▶ Data breach response program, preparedness and response


Training
▶ Why is training needed?
▶ Who should be trained?
▶ Who should conduct the training?
▶ About what?
▶ When and how often?
▶ How should training be conducted?
▶ Do we have to document?


Training
▶ Why is training needed?
  – HIPAA Privacy Rule § 164.530(b)
  – HIPAA Security Rule § 164.308(a)(5)
  – Specific state requirements – e.g., Texas § 181.101
  – General state laws – e.g., Florida § 501.171(2)?
  – Accreditation and industry guidelines, and “best practices”
  – Risk management
  – Strengthening defensible position


Training
▶ Who should be trained?
  – Workforce members who have access to PHI, but possibly not everyone
  – Volunteers
  – Staffing employees
  – Committees (peer review, risk, audit, compliance)
  – HR personnel responsible for discipline, performance reviews
  – Consider needs beyond HIPAA – state law requirements and company confidential information


Training
▶ Who should conduct the training?
  – In-house v. outsourcing
  – Privacy/Security Officer?
  – Department head?
  – Person from same location?
  – Technical expert v. people person… both?


Training
▶ About what?
  – Topics depend on trainees and their responsibilities
  – Real situations (de-identified, of course!)
  – Focus on key issues
    • Know the basics – e.g., what is protected health information
    • Device management
    • Spotting, preventing, reporting and mitigating a data breach
    • Communicating with family members
    • Responding to requests for information from third parties
    • Incorporate more stringent state laws
    • Your policies and approved practices, not bad habits


Training
▶ When and how often?
  – Reasonable time after hire date – but watch state law (e.g., Texas – 90 days)
  – Reasonable time after change in policies
  – Sensitivity of information, volume
  – Change in technology, software, devices
  – Acquire a new business
  – Following a security incident
    • Even if not incurred by your company
    • Even if no breach happened


Training
▶ How should training be conducted?
  – Notices, newsletters, dashboard
  – In-person
  – Online courses, videos
  – Testing
  – Tabletops
  – ERG – Employee Resource Group
  – Combination


Training
▶ Do we have to document?
  – Yes, required under HIPAA and state laws
  – Document the program itself and who participates
  – Standard request in agency audits and breach investigations
  – Helps to support wrongful termination claims
  – Helps to defend negligence and similar claims in litigation



Monitoring
▶ Why monitor?
  – Facility security
  – Safeguard residents
  – Monitoring employee performance
  – Avoid identity theft/data breach
  – Detect and dissuade improper behavior – abuse, harassment, discrimination, bullying
  – At the request of families


Monitoring
▶ How are you monitoring?
  – Video
  – Audio, including telephone
  – Smart home devices that can collect physiological, location, and movement data
  – GPS
  – Information systems – employee email, website activity, etc.


Monitoring
▶ Practical concerns
  – Technology can promote isolation
  – Are systems user friendly?
  – Ability to individualize
  – Costs of installation, operation, updates, etc.
  – Reluctance to use because of fears about privacy and technology
  – Storage, record retention and destruction


Monitoring
▶ Legal Concerns – General
  – Varied concerns relating to residents, employees, visitors
  – Balance: privacy v. safety v. security
  – Constitutional principles: reasonableness
    • O’Connor v. Ortega
    • City of Ontario v. Quon
  – Duty to monitor created?
  – Data captured can become evidence
  – How to handle the information obtained?


Monitoring
▶ Legal Concerns – Residents
  – HIPAA compliance
    • Is the information captured PHI?
    • Are recordings maintained securely?
    • Are employees trained?
    • Business associate agreements with vendors
  – State law requirements
    • Industry regulations
    • Common law protections
    • Voyeurism


Monitoring
▶ Legal Concerns – Residents
  – Granny cams
    • Few states have enacted laws requiring that residents have the right to install. See, e.g., Texas and Oklahoma. Some recent effort in other states. See, e.g., New Jersey and Massachusetts.
    • Do you have a process for handling requests, and for addressing cameras that have been installed without your knowledge?


Monitoring
▶ Insider Threat
  – “A growing number of companies are under pressure to protect sensitive data — and not just from hackers lurking outside the digital walls. They're also looking to protect it from insiders — employees who may want to swipe information such as customer bank account numbers or electronic medical records.”

    Software That Sees Employees, Not Outsiders, As The Real Threat, Shahani, NPR, All Tech Considered, July 23, 2014


Monitoring
▶ Legal Concerns – Employees
  – Expectation of privacy
  – Notice requirements – CT, DE for electronic monitoring
  – Common law intrusion upon seclusion
  – Restrictions on requesting or requiring employees or applicants to disclose social media/online account usernames and passwords – does monitoring/spyware provide a backdoor?
  – Wage and hour issues
  – Handling “theft” of resident records


Monitoring
▶ Legal Concerns – Employees
  – Stored Communications Act
    • Service provider and consent exceptions
    • Employer can access employee’s “stored” electronic communications on its systems. Fraser v. Nationwide Mutual Insurance Co., 352 F.3d 107 (3d Cir. 2003)
    • Policies are important: no implied consent to search employee’s web-based personal emails when policy limited to “Company equipment.” Pure Power Boot Camp v. Warrior Fitness Boot Camp, 587 F. Supp. 2d 548 (S.D.N.Y. 2008)
  – Electronic Communications Privacy Act
    • Service provider and consent exceptions
    • Spyware – contemporaneously transmitted "screen shots" of computer activity to a remote location violates the Wiretap Act. Shefts v. Petrakis, 2012 U.S. Dist. LEXIS 130542


Monitoring
▶ Legal Concerns – Employees
  – National Labor Relations Act – protected concerted activity
    • Employer’s monitoring of its email system is lawful so long as the employer does nothing “out of the ordinary,” such as increasing its monitoring during an organizational campaign or focusing its monitoring efforts on protected conduct or union activists. In re Purple Communications


Monitoring
▶ “Life is like a box of chocolates” – what monitoring may turn up:
  – Resident abuse
  – Resident/visitor communications
  – Employee medical information – ADA, GINA, FMLA, HIPAA
  – Attorney-client communications
  – Personal communications
  – Section 7 communications
  – Highly sensitive company information
  – Child pornography


Monitoring
▶ Planning a Monitoring Program
  – Who and what gets monitored, and when?
  – Who decides?
  – Who performs the monitoring?
  – Who can access what is monitored?
  – Who monitors the monitors?
  – We find something, now what?
  – Plan for further investigation? Data incident?
  – Do we act on what we find, and how?


Data Breach
▶ What is a Breach?
  – Unauthorized use of, or access to, records or data containing personal information
    • First name (or first initial) and last name in combination with: Social Security Number; driver's license or state identification number; or account number or credit or debit card number in combination with access or security code
    • Biometric information (e.g., NC, NE, IA, WI)
    • Medical information (e.g., HIPAA, AR, CA, DE, MO, TX, VA)
    • Broader view taken by FTC – email address, phone numbers, etc.
  – Can affect: residents, employees, family members


Data Breach
▶ How can it happen?
  – The lost laptop/bag
  – Inadvertent access
  – Data inadvertently put in the “garbage”
  – Theft/intentional acts, hacking, phishing attacks, other intrusions
  – Inadvertent email attachment(s)
  – Stressed software applications
  – Rogue employees
  – Remote access
  – Wireless networks
  – Peer-to-peer networks
  – Vendors


Data Breach
▶ First Steps
  – Get your breach response plan – hopefully you have one
  – Immediately alert data breach response team, counsel, and insurance carrier, if applicable
  – Take steps to secure information systems, including any and all files containing customer, employee and other individuals' personal information that may be at risk
  – Coordinate with law enforcement, as needed
  – Identify key person to monitor and drive team progress
  – Involve top management, public relations
  – Make preliminary assessments and consider preliminary actions, notices
  – Consider implementing litigation hold


Data Breach
▶ Did a breach occur?
  – Review applicable federal, state and local laws
    • FTC/HIPAA/SEC considerations
    • Risk of harm trigger… e.g., in Michigan – no notification if “the security breach has not or is not likely to cause substantial loss or injury to, or result in identity theft with respect to, 1 or more residents of this state”
    • Police investigation/consultation
    • Consider whether immediate federal and/or state notification is required/recommended
  – Conservative vs. aggressive approach
    • Breach involves “risk of harm” states and “non-risk of harm” states
    • Notify individuals, but not state agencies


Data Breach
▶ Issues that have to be considered
  – Who should be notified?
  – What should the notice say?
  – How should it be delivered, and when?
  – Should we offer credit monitoring?
  – Do we need a call center?
  – Does insurance cover this?
  – Do we have to notify the media?
  – What if notices are undeliverable?
  – Who should respond to questions from affected individuals, federal and state agencies?


Data Breach
▶ Basic breach preparedness
  – Take reasonable steps to prevent breaches – develop and implement a written information security program
  – Have a data breach response plan
  – Educate employees about the plan, practice the plan, follow the plan
  – Be transparent, credible, responsive


Questions? Thank you!!
Joseph Lazzarotti
Jackson Lewis PC
973-451-6363
www.workplaceprivacyreport.com

