Hello, my name is Rachel Rose and I'm an attorney in Houston, Texas, where I've had my own practice for over a decade, as well as being fortunate to teach bioethics at Baylor College of Medicine. My practice primarily focuses on health care, cybersecurity, securities law, the False Claims Act and Dodd-Frank matters, and I address them from a transactional, compliance or a litigation standpoint. Additionally, I'm an often cited expert and I'm extensively published and present for a variety of organizations. I'm delighted to be with Quimbee today to present on data breaches: the differences between HIPAA and the Federal Trade Commission. No presentation is complete without a disclaimer, and the information presented is not meant to constitute legal advice. Please consult your attorney for advice on a specific situation. Additionally, the information presented is current as of the date of the original recording of the presentation. Given the dynamic nature of the topic as well as the evolving areas of law, participants are encouraged to check the relevant government and other resources for the most recent information. So with that, I will move into the overview. I always like to begin my presentations with headline highlights to set the stage and provide a semblance of what's going on related to the topic that I'm discussing. What is privacy is the next item. From there, I'll delve into a recap of HIPAA and the related laws and rules and juxtapose that with the Federal Trade Commission and its Health Breach Notification Rule. From there, I'll segue into liability implications for not obtaining appropriate patient or consumer consent before using sensitive information for sales and marketing purposes. I'll then focus upon some recent enforcement actions, and then I always like to round out a presentation with compliance strategies and/or risk mitigation. So what are some headline highlights?
Well, first and foremost, the Biden-Harris administration announces its national cybersecurity strategy. This took place on March the 2nd of 2023, and what is notable about it is really threefold. First, it's not unusual for an administration stemming back to the George W Bush administration to issue what are known as executive orders. And while this is not an executive order stemming back to President George W Bush and subsequently with every president since, there has been an executive order on cybersecurity.
Now during this current administration, not surprisingly, due to the rise in the number of cyber attacks, the sophistication of cyber criminals, as well as the shifting of the landscape regarding the use of electronics which actually house data: in the year 2000, we weren't walking around with smartphones, and yet today that's people's primary phone. And that's just one example of how technology has shifted and how it also, if not appropriately safeguarded, can act as a conduit to social engineering, to collecting information, or another vessel for a vulnerability to be found and a threat then initiated. So the cybersecurity strategy, I actually don't agree with everything, and there's a reason. As I mentioned, I primarily focus on a lot of health care law, and I couldn't help but notice when I read the first bullet here: "We must rebalance the responsibility to defend cyberspace by shifting the burden for cybersecurity away from individuals, small businesses and local governments, and on to the organizations that are most capable and best positioned to reduce risks for all of us." Well, as soon as I heard "individuals": individuals make up organizations, whether it is a small organization, a solo practitioner or a solo physician, for example, or a multinational corporation; all of them are made up of individuals, and a lot of those individuals are using technology. Second, if you think of someone, for example, who's been diagnosed with diabetes, there's a certain level of personal responsibility that goes along with anyone's health. And if you have certain conditions, if you're not exercising, if you're not eating correctly, if you're not taking your medication as directed, there are going to be adverse outcomes because the personal responsibility is lacking. The physician can't do all of those things for you; only the individual can.
Well, if the individual is leaving their laptop unlocked or the individual is handing over passwords, then I don't see how that responsibility "shift," quote unquote, helps anybody. It doesn't. But what I will say is, for some of the technology items such as the cloud, the onus really is on the larger players and the government to ensure that the requisite safeguards are in place, that it's safe, that our major tech companies that all of us use are in fact addressing threats and sending out patches or automatically updating patches for us so that the cloud and/or our devices remain safe.
So that right there is a key component of mitigating risk. The strategy recognizes that the government must use all tools of national power in a coordinated manner to protect our national security, public safety and economic prosperity. And I have an example coming up of a recent cyber attack on a city government in Texas, which really brings bullet point number three home. So Texas, similar to many other states, has its own biometric privacy law, as well as a very robust Deceptive Trade Practices Act. And what's really interesting is that Illinois has the most robust biometric law; it's called BIPA. Texas is coming on the heels of that, but it's not quite as stringent as BIPA. Having said that, the state of Texas filed a complaint in state court in February of 2022, claiming that the company violated the state's biometric privacy law and DTPA by misleading the public into believing it did not collect biometric data. Prior to the Texas suit, Meta announced in November 2021 that it would stop using facial recognition technology after entering a $650 million settlement in a putative class action claiming it violated Illinois users' biometric privacy rights. Again, the Illinois law is called BIPA. And what else is notable is that while many people may not be familiar with Meta, they are familiar with Facebook; Facebook changed its name a couple of years ago to Meta. So litigation is ongoing in this case. The DOJ in October of 2021 announced its Civil Cyber-Fraud Initiative, and I was fortunate, along with my co-counsel, to represent the first whistleblower in that Civil Cyber-Fraud Initiative. And what's very telling there is that, first, the case that I settled had to do with a government contract, and it had to do, among a couple of other causes of action, with allegations of the data not being secured, and it related to protected health information.
So what is required in terms of technical, administrative and physical safeguards? Whether it's through HIPAA, the Federal Trade Commission's Health Breach Notification Rule, the individual state laws, or in contracts with the federal government, oftentimes there will be provisions that HIPAA compliance is required. But the Federal Acquisition Regulations absolutely require adherence to certain safeguards and the utilization of what are known as NIST standards, which I'll get into later.
So the second settlement under the Civil Cyber-Fraud Initiative was again a government contract, and that was against Aerojet, which settled within the last 18 months. And I believe that one was under 10 million, if I'm not mistaken, but it was significantly larger than this one. Now, this one is notable for several reasons. First, we're dealing with the Florida Medicaid enrollment website. Secondly, as evidenced by the first bullet, both the company as well as an individual were held accountable and agreed to pay approximately $294,000 to resolve False Claims Act allegations that they failed to secure personal information on a federally funded Florida children's health insurance website which Jelly Bean created, posted and maintained. Now, what else is notable is the length of time that this conduct occurred: between January 1st, 2014 and December 14th, 2020. That is almost seven years. And these representations that they were HIPAA compliant and had the requisite technical, administrative and physical safeguards in place proved not to be true. There was a data breach of the website for Healthy Kids, and unfortunately it contained minors' information. So more than 500 applications were revealed to have been hacked. The last notable item on here is one of the technical safeguards that was not in place, but was really a flagrant violation, and that was utilizing software that had not been updated or patched since November of 2013. That's completely unacceptable. And if anyone is a conscious individual, whether it's your own smartphone or it is a person with a job, you know you have to keep things updated and patched. Otherwise that creates a vulnerability. Having a major company that's hosting this level of sensitive data not do something that pedestrian is really quite shocking and quite frightening.

So an emerging data trend that we see is a poaching of data, is what I call it. Said another way: data tracking and sale without the patient's knowledge or consent. Now, Advocate Aurora Health is a health system in the Midwest, and it basically was using Google and Facebook web tracking technologies and realized that a lot of the patient information was being poached without the patient's knowledge and consent. And what was really perplexing to me was that the hospital should have undergone an annual risk analysis, which is required as one of the administrative safeguards. Unfortunately, it either didn't undergo the analysis or it was completely overlooked, and it was used in a way that it never should have been utilized. So this raises a flag because they reported this to HHS. They had to notify over 300 million individuals, and the investigation is ongoing.

Next, we see the Flo Federal Trade Commission enforcement action, and I'll delve into that a little bit later. But what's important about that is that Flo is a period and ovulation tracking app. And basically, again, it was poaching individuals' information, taking it, selling it, and then the third party was using it to solicit ads. And unfortunately, because of the reproductive health component, what's interesting is that with the repealing of Roe v. Wade in the summer of 2022 by the court case known as Dobbs, there's really been an adverse impact on privacy in general and a heightened awareness on issues surrounding reproductive health care. Now, the Dobbs opinion also prompted HHS to issue guidance on tracking. And this is something that I would recommend everyone read, because it does go into the requirements that are inherent in HIPAA, as well as some general consumer requirements to get the patient's consent. Now, GoodRx: this is an important case because it's the first time that the Federal Trade Commission used its own breach notification rule to form the basis of an enforcement action. Now, the FTC's Health Breach Notification Rule has been around since February of 2010, which was the effective date. So fast forward approximately 13 years later is when it is first utilized. BetterHelp is an important case as well that followed on the heels of GoodRx. It did not use the FTC's Health Breach Notification Rule, but what it did do was require BetterHelp to pay the consumers back, which is the first time that that has happened.
The FTC also is very active in proposing blanket prohibitions preventing Facebook from monetizing youth data. Now, there are a lot of legislative initiatives and rightly so, in Congress, regarding the cyber hygiene and the safety of children online with various devices as well as child and human trafficking.
So this is an area, if you're interested, to look at both with the FTC as well as legislative initiatives in general. There are two other items that I wanted to relate to you before we delve into privacy. The first is the case that I mentioned with the city; that occurred in Dallas, and not long ago. And basically what happened was that there was a cyber attack. The courts got shut down, the police got shut down, all of the major city systems got shut down. And so that was an example of governments, local governments, being attacked. Another recent Federal Trade Commission enforcement action was against the app Premom. So one can probably surmise very easily that that, again, is a reproductive health related app geared towards women who are attempting to become pregnant or who are pregnant and using that app. What I really want to emphasize here is that it is the second time that the Federal Trade Commission in the last four months used, again, that Health Breach Notification Rule. So that is definitely an area that is going to be given continued focus by the Federal Trade Commission across a number of fronts. So now this takes us into privacy, and I always like to begin with general definitions. These definitions are great because you can include them as part of your risk mitigation and in your policies and procedures. So let's start in a broad-based way. First, we have the Black's Law Dictionary definition: the right that determines the non-intervention of secret surveillance and the protection of an individual's information. NIST, which is the National Institute of Standards and Technology that I mentioned earlier, is really important because those standards are what the government requires that its own agencies have to meet.
Additionally, it means they publish what are known as special publications, and then FIPS, which is the Federal Information Processing Standards. NIST, by the way, is a department under the US Department of Commerce. And what's important is that these publications can be utilized not only by government contractors and the government, but also by the private sector. And as we'll see momentarily, these are considered recognized security practices. So if you're looking for a way to mitigate risk, and if you ever end up on the wrong end of a government audit or investigation or in a lawsuit, you can say, hey, for years we have been following NIST; our risk analyses or risk assessments are premised on this, the Security Rule if you're in health care, and all of these other items.

From there, we get into the HIPAA Privacy Rule, and the Privacy Rule is not new. As we'll see, the final Privacy Rule was published in the Federal Register on August the 14th of 2002. It applies to all forms of protected health information. By way of contrast, the Security Rule applies only to electronic protected health information. But HIPAA passed in '96, and again, the final Privacy Rule was promulgated in the Federal Register in 2002. So literally almost to the day, because both occurred in August, it was six years from when HIPAA passed until when the final rule was passed. But this really was the first time a set of national standards for the protection of certain health information were set forth by the government. Now, since we've seen a lot of focus on Meta and Google, I'll take a step back for a second: Premom, the Aurora Health case, the GoodRx case, BetterHelp, all of them utilized Google, Facebook, Chinese companies or another similar company. And what's important to note, and this is why I mentioned during your risk analysis you should really be making sure that when you hire your third party assessor, they are asking you what software you are using, and does this have appropriate safeguards, or have you obtained patient consent in order for the information to be utilized? So what is really fascinating here, and this is directly off of the Facebook Meta site, is that Meta Pixel is a snippet of JavaScript code that allows one to track visitor activity on your website, and Meta Pixel can collect the following data: HTTP headers. As a side note, all of your websites that you have or that you use should have HTTPS. The S, as in Sam, means secure, and when you log on to that site or click on a link, there should be a padlock. You can always click on the padlock to see the certificate, to see if it's up to date and relevant.
Another thing is pixel-specific data, and this is something you have to read in the cookies, which I call the cookie jar. But button click data includes any buttons clicked by site visitors, the labels of those buttons and any pages visited as a result of the button clicks.
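As an added example (not code from the presentation, nor from Meta or Google), the following Python audit scans HTML pages for the tracking-pixel loaders discussed here and lists the form field names and button labels such a pixel could report, which is the inventory you would hand to your IT people. The tracker hostnames, the sensitive-field list and the two sample pages are constructed assumptions.

```python
"""Audit HTML pages for third-party tracking pixels and the on-page data they
can observe (form field names, button labels). Added example; the tracker
hosts, sensitive-field list and sample pages below are assumptions."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Loader hosts for the tracking technologies named in the presentation.
# Assumption: illustrative list, not an exhaustive tracker inventory.
TRACKER_HOSTS = {
    "connect.facebook.net": "Meta Pixel",
    "www.googletagmanager.com": "Google Tag Manager",
    "www.google-analytics.com": "Google Analytics",
}
# Function calls that appear in the vendors' inline loader snippets.
INLINE_MARKERS = {"fbq(": "Meta Pixel", "gtag(": "Google Tag Manager"}
# Field names a risk analysis would treat as PHI-bearing (assumed list).
SENSITIVE_FIELDS = {"dob", "patient_dob", "diagnosis", "reason_for_visit",
                    "medication", "ssn", "insurance_id"}


class PageAuditor(HTMLParser):
    """Collects trackers, form field names and button labels from one page."""

    def __init__(self):
        super().__init__()
        self.trackers = set()
        self.form_fields = []   # (form action, field name)
        self.buttons = []       # visible button labels
        self._in_script = False
        self._in_button = False
        self._form_action = ""

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
            host = urlparse(a.get("src") or "").hostname or ""
            if host in TRACKER_HOSTS:
                self.trackers.add(TRACKER_HOSTS[host])
        elif tag == "form":
            self._form_action = a.get("action") or ""
        elif tag in ("input", "select", "textarea") and a.get("name"):
            self.form_fields.append((self._form_action, a["name"]))
        elif tag == "button":
            self._in_button = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
        elif tag == "form":
            self._form_action = ""
        elif tag == "button":
            self._in_button = False

    def handle_data(self, data):
        # Script bodies arrive here as raw text; look for inline loaders.
        if self._in_script:
            for marker, name in INLINE_MARKERS.items():
                if marker in data:
                    self.trackers.add(name)
        elif self._in_button and data.strip():
            self.buttons.append(data.strip())


def audit_page(html):
    """Return what a tracker on this page could observe (button labels, form
    field names) and which assumed-sensitive field names sit on a page that
    also loads a tracker."""
    p = PageAuditor()
    p.feed(html)
    p.close()
    names = [n for _, n in p.form_fields]
    exposed = sorted(n for n in names if n in SENSITIVE_FIELDS) if p.trackers else []
    return {
        "trackers": sorted(p.trackers),
        "form_fields": names,
        "buttons": p.buttons,
        "exposed_sensitive_fields": exposed,
        "finding": ("tracker present on a page with sensitive form fields"
                    if exposed else "no PHI-bearing field exposed to a tracker"),
    }


# Constructed samples: an appointment page that loads the Meta Pixel loader,
# and a contact page that loads only first-party script.
APPOINTMENT_PAGE = """<html><head>
<script>!function(f){f.fbq=function(){}}(window);fbq('init','EXAMPLE');</script>
<script async src="https://connect.facebook.net/en_US/fbevents.js"></script>
</head><body>
<form action="/portal/appointments/new" method="post">
  <input name="patient_dob" type="date">
  <select name="reason_for_visit"><option>oncology</option></select>
  <input name="preferred_day" type="text">
  <button type="submit">Book oncology consult</button>
</form></body></html>"""

CONTACT_PAGE = """<html><head><script src="/static/site.js"></script></head>
<body><form action="/contact"><input name="email"><button>Send</button></form>
</body></html>"""

if __name__ == "__main__":
    for label, page in (("appointment", APPOINTMENT_PAGE), ("contact", CONTACT_PAGE)):
        print(label, audit_page(page))
```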
We then have optional values: developers and marketers can optionally choose to send additional information about the visit through custom data events. And finally, form field names. I would recommend that you take a picture of this screen that I have up and take it to your IT people and make sure that you are looking at the ramifications of not having the cookies set quickly and accurately. So, privacy in medicine. We know what the general definitions of privacy are, and we know that HIPAA required the Privacy Rule to be published. Well, something that relates to patient privacy: in bioethics, there are two main prongs of what are known as rights. There are decisional rights and there are non-decisional rights. So a decisional right relates to a patient's autonomy. And that means that so long as the individual has been deemed by a physician to have decision-making capacity, then that individual decides, unless they are a minor; minors, unless they're emancipated, typically cannot make their own medical decisions. There are some exceptions to that. But the older a minor gets, the more weight their opinion is given in the decision-making process, although the ultimate decision resides with the parent or the guardian in most cases. So once a patient is deemed to have decision-making capacity, then they are required to give either informed consent to treatment, where they can establish understanding, reasoning, provide assurances, and then articulate the choice to have the procedure, the diagnostic tests, and illustrate that they understand the risks and benefits and why they're choosing this particular path. On the other hand, because of patient autonomy, the option is given for patients who have decision-making capacity to do what is known as an AMA, and that is to leave against medical advice or to refuse treatment against medical advice.
The self-discharge of a patient from a health care facility, contrary to what his or her physicians perceive to be in the patient's best interest. Now, I've just gone over the decisional rights. Non-decisional rights apply regardless of whether you are post-op and intubated. They apply whether or not you are an individual with Alzheimer's or if you are someone who has full decision-making capacity.
And those are called non-decisional rights. Privacy is one of the most inherent forms of a non-decisional right. Two other types of non-decisional rights are to be treated respectfully, that's called beneficence, and to be treated without harm, that is nonmaleficence. So this slide kind of pulls everything together as to how privacy relates to medicine and our ability to regulate our autonomy. That then segues into this very important item. And the very important item is that the Supreme Court, actually stemming back to 1891, issued a really great opinion. And in light of some of the privacy considerations that are now in flux because of Dobbs repealing Roe, and that is not a statement on mine or any participant's stance on abortion. An injured woman's right to refuse examination by the railroad doctor was the fundamental issue in play in this case. And this is what the justices wrote even back in the late 1800s: to compel anyone, especially a woman, to lay bare the body or to submit it to the touch of a stranger without lawful authority is an indignity, the justices wrote. Moreover, no right is held more sacred or is more carefully guarded by the common law than the right of every individual to the possession and control of his or her own person. And this really ties in nicely with what I explained from the previous slide. And then lastly, quoting another judge, they added, the right to one's person may be said to be a right of complete immunity, to be left alone. So in terms of the US Constitution, privacy provisions as articulated in Griswold versus the State of Connecticut, which was a Supreme Court case that was opined on in 1965: this was the first case that declared a right of privacy as implicit in the Constitution, involving the choice to use contraception. The rationale for finding a constitutional right of privacy was evidenced repeatedly in the Constitution's text by specific guarantees.
Justice William Douglas's majority opinion pointed out the following: that certain rights reflected heightened concern with privacy, including the Fourth Amendment's protection of persons, papers and effects from government searches; the Third Amendment's bar against quartering soldiers in private homes; and lastly, the Fifth Amendment's guarantee against compelling individuals to surrender evidence against themselves.
In essence, these three areas created what became known as the zone of privacy, which appears in the Constitution. From Griswold, we have a couple of other cases, and then we get to Roe, which provided the constitutional right to an abortion and relied upon the right of privacy. Now, Casey versus Planned Parenthood has always fascinated me, because when we look at the premise of it and the footnote, it's based upon informed consent, which is what I just articulated and explained a few moments ago. And Section 3205, the informed consent provision, is not an undue burden on a woman's constitutional right to decide to terminate a pregnancy. At issue in the Casey case was whether or not requiring a woman to be informed of the availability relating to the consequences to the fetus interferes with the constitutional right of privacy between a pregnant woman and her physician. So what's really interesting here is that for anyone who's gone in for any medical procedure, even knee surgery, they tell you that there might be no complications, or you could end up with a blood clot, you could end up dying, you could have an adverse reaction to a pharmaceutical that you're unaware of, right, on and on and on. And because an abortion is, in fact, a medical procedure, not only should the person be required to have informed consent to give or have the abortion, which is required; what is interesting here, and this is why it's fascinating that this was even an issue, is that because you have a potential life and you have a functioning human being which is carrying the fetus at the time, there could be harm to the fetus if the procedure is not done correctly. There can also be harm to the woman who's having it. So it's important to note that the individual understands the entire process, what the steps are, and what can happen. And so that's all that is. Again, it goes to the right of autonomy and the ability to make an informed decision so long as you have decision-making capacity. So what about the facts and the procedural posture of Dobbs? Well, this was premised on a Mississippi law, and the respondent was an abortion clinic.
And basically what they said was, the doctor in federal court alleged that it violated the court's precedents establishing a constitutional right to an abortion. The district court granted summary judgment, the Fifth Circuit affirmed, and then it went up on appeal to the Supreme Court. Justice Alito issued the majority opinion in Dobbs, and what was interesting is that they said, oh no, all those rights to privacy that were held in Roe and Casey and so forth, they're no longer good. The dissent said, yes, they are good: specific guarantees in the Bill of Rights, and these amendments that we see on the left hand side, create the zone of privacy. The dissent rejected the majority and relies on precedent. Well, because of this, there have been a lot of downstream implications, because basically what happened was Dobbs sent the right to have an abortion back to, and the language is interesting, the lawmakers, which is Congress. Well, there's the federal Congress and there are individual state bodies, too. And so we have seen play in various states, as well as the federal Congress, on ways to deal with some of the residual issues that have arisen. The one thing that's exceptionally important to note, and this applies to companies as well, especially those who do interstate commerce: Justice Kavanaugh, in a concurrence, said, I agree with the overarching holding by the majority, but I need to distinguish that there is nothing in this opinion that prevents a person from leaving one state where a particular procedure or drug may be illegal and then going to another state where it is legal and obtaining it there. So if the procedure known as a D&C is available in another state, and a person goes and has that procedure and then comes back to a state where it was illegal, the state can't do anything, nor can they track you. And that's where the tracking issue, in part, comes in. The Federal Trade Commission's Health Breach Notification Rule.
Again, as I mentioned, it's similar to the HIPAA Breach Notification Rule. But first, it relies on the notification to consumers. And that's because when you think of the Federal Trade Commission, think consumers; their authority is derived from the Federal Trade Commission Act.
When you think HHS and HIPAA, you have to think patients, because of how that law is written. Now, the final rule specifies the timing, method and content of notification, and in the case of certain breaches involving 500 or more people, requires actual notice to the media. Now, here is the timeline for the Health Breach Notification Rule. Here we have proposed rulemaking. Then we see the final rule being published with compliance required by February 22nd of 2010, which I previously mentioned. And then we see the OMB, the more administrative side of the equation, and then we see the Health Breach Notification Rule request for public comment come about in May of 2020. That is not uncommon, because as rules and regulations are in effect for a while, it's absolutely imperative that the agencies are looking at how changes in society, technology, et cetera, are impacting the rules, to see if they're relevant. So as I mentioned, the Federal Trade Commission applies to consumers. HIPAA applies to three main buckets: covered entities, which include health care providers, health plans, health care clearinghouses; then we have business associates, who create, receive, maintain or transmit protected health information; and then subcontractors, which are actually part of the definition of a business associate, but those are the persons that a business associate subcontracts with. Texas is different. We have one definition. It is found in Texas House Bill 300. It's been in effect since September 1st of 2012, so this goes back over a decade, and the definition of covered entity pretty much encompasses any person who creates, receives, maintains or transmits protected health information. And then the Federal Trade Commission, as we've heard throughout the presentation already, really reaches those particular vendors and apps that we saw as examples. So, the legislative history: we have '96; the Privacy Rule you know about; I mentioned the Security Rule.
The Security Rule relates to electronic protected health information, and this is where we get those technical, administrative and physical safeguard requirements. It didn't become effective until 2005. In '09, we see the HITECH Act; the HIPAA Breach Notification Rule comes about; proposed regulations.
And then on January 25th, 2013, at 78 Federal Register 5566, we see the Omnibus Rule published, the effective date, and the compliance date for most of the provisions. The Genetic Information Non-disclosure Act is also included in this Omnibus Rule, and the express statement that business associates and subcontractors have to meet the same standards and can be held equally civilly and/or criminally liable for HIPAA violations. That's what really set the business associate community into action. So from there we go to 2015, and that's when the Cybersecurity Act of 2015 is signed into law. The important provision in that is Section 405(d), D as in dog. And in fact, I would recommend Googling "HHS 405 D," D as in dog, because they just updated the volumes of helpful information and templates that are available through this task force that was signed. It's really the first time in several years that the helpful resources have been updated. Then we have the 21st Century Cures Act, which was signed into law in December of 2016. From there, we have two final rules which were put into the Federal Register: one was issued by CMS, the other by ONC, and those appeared in May of 2020. Now, this is an important law. H.R. 7898 was signed into law on January 5th of 2021. Essentially, what it says is, by amending this portion of the HITECH Act, the Secretary of HHS may look at mitigating factors, and those factors are premised on recognized security practices. I mentioned 405(d), and I mentioned the HIPAA Security Rule and those technical, administrative and physical safeguards. So it's always advantageous to do five main things: undergo your annual risk analysis by a qualified third party and address the gaps. Secondly, make sure your workforce undergoes annual training. Third, make sure that your policies and procedures are comprehensive and up to date. Next, make sure your data is encrypted both at rest and in transit.
And lastly, make sure you have a business associate agreement in place. Those are five areas that were identified as low-hanging fruit.

Does HIPAA have a criminal provision for penalties? Absolutely. The US Department of Justice does have jurisdiction to enforce criminal penalties for HIPAA violations, and that authority is derived from 42 USC section 1326. Criminal liability may attach when persons knowingly use or cause to be used a unique health identifier, obtain individually identifiable health information (that term is what we see used with the Federal Trade Commission, and then we have protected health information, which is HIPAA vernacular), or disclose it to another person. Another important law is the Stored Communications Act, which also may be the basis of criminal enforcement, and it includes types of data and types of conversations that far exceed that of protected health information.

So what types of conduct can lead to criminal HIPAA penalties? Well, even viewing without authorization. If you are not on the care team or billing team handling a patient, don't go snooping. Secondly, accessing and using it for financial gain, which includes the sale of PHI. Third, perpetrating a ransomware attack and stealing PHI. And lastly, providing pharmaceutical or medical device representatives with access to patient records in exchange for remuneration. This may lead to a False Claims Act violation.

Now, FTC recent enforcement actions, HHS guidance and kids' data. As we've already seen and learned, the Federal Trade Commission and various congressional legislators are looking at the harm and at ways to protect children online and in terms of tracking. Another item I mentioned is Flo and when it came about, and what's interesting here, again, is worth emphasizing because data poaching is very pronounced in front of agencies, in front of Congress and in front of the courts in terms of class actions. So the complaint was announced in January 2021 and basically alleged that despite promising to keep users' health data private, Flo shared it, for millions of users, with marketing and analytics firms, including Facebook and Google. Again, they generate money through ads and sponsors, so that's where that data would go.

Advocate Aurora Health. I was fortunate to be quoted as
an expert, and while Advocate Aurora Health implemented a prudent remedial measure by disabling the pixels, what's interesting is that the preventative measure of understanding how the pixels worked and what data was being accessed should have been done up front. So another notable lawyer suggested that companies remove the pixel while they figure out where it lives and what data is being collected. My perspective is that you need to do it up front, before the horse is already out of the barn. But if the horse is out of the barn, at least close the barn door. Concerns over the health care industry's use of tracking pixels have exploded, as I mentioned, especially after the Dobbs decision. So again, they considered this to be a HIPAA breach and went through the process of notifying patients, the media and the HHS Secretary.

This is the guidance that was a bullet point, and the one item to be conscious of here is that regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA rules.

Now, what about the FTC targeting GoodRx under the Health Breach Notification Rule? Well, as I mentioned, this was the first case where the Federal Trade Commission utilized that Health Breach Notification Rule. And again, what do we see? Companies promoting that they are HIPAA compliant and only disclose limited amounts, when absolutely necessary, to certain people that they contract with. That was not the case here, because they did what the other companies did.

BetterHelp: same thing here, right? This, again, was the first action returning funds, which is what I mentioned, and here they had to pay $7.8 million to consumers to settle charges that they revealed consumers' sensitive data to third parties such as Facebook and Snapchat for advertising, after promising to keep such data private. And BetterHelp, as you may be aware, is utilized for different mental health issues. So here you have reproductive health and mental health being targeted by these third parties and these companies who are profiting off of giving out the individual's sensitive information.
Facebook parent agrees to settle a privacy lawsuit. What's notable about this is the amount: it was a $725 million class action settlement of claims that it gave third parties access to user data without their knowledge or consent. Now, the blanket prohibition that I mentioned as part of the proposed changes: Meta, which changed its name from Facebook in October 2021, would be prohibited from profiting from data it collects, including through its virtual reality products, from users under the age of 18.

So what are some key compliance considerations as we move into the last part of our presentation? Well, first, I mentioned the HIPAA risk analysis, and basically the requirement is set forth in 45 CFR 164.308(a)(1)(ii)(A). And again, this is the first step in identifying and implementing safeguards that comply with and carry out the standards and implementation specifications in the Security Rule. This is foundational. Now, for larger organizations who use a SOC 2 report, it's absolutely imperative that the auditor is incorporating every single technical, administrative and physical safeguard, as well as the Privacy Rule requirements, especially for covered entities, into their assessment, so that the crosswalk between the Privacy Rule and those NIST standards can in fact be utilized. Now, the security management process standard in the Security Rule requires organizations to implement policies and procedures to prevent, detect, contain and correct security violations. And so now the policies and procedures: a great resource is that 405(d) website that I mentioned. If you're going to use form procedures, make sure that you're adding the specifics of your organization in there, because not every organization is identical. And looking at the substance over the form of a compliance program, as well as the policies and procedures and training, is something that government agencies do and really focus on on a regular basis.
I mentioned the business associate agreement, and essentially what it is, is a contract between a covered entity and a business associate, or a business associate and its subcontractor. Some of my clients, in general, because most persons are subject to other rules and laws, such as SOX if you're a publicly traded company, the Sarbanes-Oxley Act of 2009, or if you're in financial services, the Gramm-Leach-Bliley Act, Title V, which is similar in terms of its third-party requirements. You can call this anything you want so long as it's relevant, and I have some clients where we use a data privacy and security agreement, and that's because not only do we have HIPAA in there, we have other rules and laws that are applicable as well.

But in general, there are three main areas. The first is the parties agreeing to give reasonable assurances that they are adhering to the Security Rule's technical, administrative and physical safeguards. I will tell you that if you are a betting person, one provision I would add to that is that you have taken appropriate steps to ensure that the party that you're contracting with is not using an entity such as Google, Facebook or other marketing or analytics firms and giving the data to those entities. That can be significant. Another item to consider is, if you are a covered entity, or if your business associate will be the organization that gives your patients their medical records or designated health records when they request them, you need to make sure that you're including the 21st Century Cures Act and information blocking as well. But in general, the first of the three main sections is what I would deem reasonable assurances of the technical, administrative and physical safeguards being utilized by both parties in order to protect the confidentiality, integrity and availability of that information. Then from there, the second one has to do with a potential cyber event, and then what happens if it is deemed to be a breach: who reports, what is the time frame to report to the other party, who reports to the government, etcetera. The last part has to do with when the relationship ends, and it might not be for a bad reason; perhaps it is a finite period of time. What happens to that data? That is probably the biggest area of focus that one should consider, and I've written different articles on it because people often ask me about it: well, I'm getting pushback on this. The key is to have your data retention policies and procedures in writing and up to date, because if you have an internal policy that you have to retain data for a certain period of time, and typically HIPAA says six years and state laws may require it longer, even if the engagement ends, you may still have a right to keep that data for a certain period of time per your own organization's policies and procedures. Otherwise, the other party could require you to return all the data and give proof that it's been returned and you no longer have access to it. So it just depends on the facts and circumstances.

Here we have the general framework. We have prevention, detection and correction, which is what I said before. So if you want to break it down even further, you can go into identify, protect, detect, respond and recover. If you think about how the Aurora Health situation arose, how the apps were utilizing that data without the person's knowledge and consent, that's something that really should be addressed in any organization's policies and procedures. Now, HIPAA has its own requirements for obtaining patient consent for certain types of sales and marketing, and on the flip side of that, the Federal Trade Commission has different ones. But when in doubt, make sure that that notice is visible on the app and that patients can opt out of it if they elect to opt into it.

So in regards to ransomware, if you're unfamiliar with what ransomware is, it's the illegal taking of data and holding it hostage in exchange for some type of payment. The payment can be Bitcoin; the payment can be from your checking account, whatever it is. And so that's how that would occur. Now, best practices are to maintain offline backups, maintain regularly updated gold images of critical systems in the event that they need to be rebuilt, and maintain a comprehensive incident response plan. That goes to your disaster recovery and business continuity plan.
So in health care in general, you want to develop a mindset that cybersecurity is patient safety, and the American Hospital Association has some great resources for individuals and organizations alike. Secondly, data poaching, as we saw by some of the government enforcement actions as well as class actions, is more and more prevalent, and it's something that your cyber insurance companies may also be asking about. HIPAA violations can carry criminal penalties, and in today's cybersecurity-focused environment, this is only more likely. Do not take patient data and sell it downstream or utilize it for submitting false and fraudulent claims to federal government programs. If a person's name and Medicare beneficiary information is being utilized, that's a surefire way to end up on the orange jumpsuit list. Cyber is a team effort, at an individual level, a corporate level, as well as a local, city, state and federal government level. We have seen more coordination between our law enforcement agencies in different countries, and recently the FBI and 80 other nations effectuated a coordinated effort which brought down the Hive ransomware gang, which was notorious. Cyber criminals are becoming increasingly more sophisticated, so again, ensuring that those technical, administrative and physical safeguards are in place is critical to mitigating risk, especially in light of the reproductive health arena and mental health and substance use disorder. You should really be aware of what the state laws are requiring and saying and what the potential ramifications are there. The DOJ, the FTC, the FBI, the current administration, as well as subsequent administrations and past administrations, have focused on cyber, and it includes illicit gain as well as using PHI with malicious intent. So whether it's cyberbullying or to extort money from someone, that's something that everyone should be aware of.
So with that, I wanted to thank you and Quimbee for your time and attention here today. If you have any questions, they can be submitted through my website, or you can reach out to me directly at the number on the screen. Thank you again, and I wish everyone a great day.