HIPAA LESSONS FROM THE ENFORCERS AND THE HEADLINES

NARHC 2019
MARGARET SCAVOTTO, JD, CHC, PRESIDENT, MPA
ST. LOUIS, MO


PROTECTED HEALTH INFORMATION

HIPAA protects PHI: information that can identify a patient and relates to the patient’s health condition, treatment, or payment for treatment.


ELECTRONIC PROTECTED HEALTH INFORMATION

ePHI is electronic PHI: PHI received, created, maintained, or transmitted in electronic form.


OCR UPDATE - WHAT’S NEW?


OCR UPDATE: NEW GUIDANCE

Coming soon…

• Social Media
• Texting
• Encryption


OCR UPDATE: CHANGES

Is HIPAA changing?

• Presumption of good faith
• Removal of the NPP acknowledgment
• Compensation for harmed individuals


OCR UPDATE: ENCRYPTION

Not encrypting?

That’s “less and less persuasive”


ENFORCEMENT TRENDS

YEAR   # Settlements   Total          Average per settlement
2018   11*             $28,683,400    $2,607,582
2017   10              $21,693,000    $2,169,300
2016   13              $23,504,800    $1,808,062
2015   6               $6,193,400     $1,032,233
2014   6               $7,940,220     $1,323,370
2013   5               $3,740,780     $748,156
2012   5               $4,850,000     $970,000
2011   3               $6,165,500     $2,055,167
2010   2               $1,003,500     $501,750
2009   1               $2,250,000
2008   1               $100,000


2018 ENFORCEMENT

December 2018: Cottage Health
• $3,000,000
• Two breach reports
• Cottage Health did not conduct a thorough risk analysis; failed to implement security measures; did not have a BAA; and did not perform periodic evaluations in response to changes affecting security of ePHI


2018 ENFORCEMENT

October 2018: Anthem
• $16,000,000
• Data breach – spear phishing
• Anthem "failed to conduct an enterprise-wide risk analysis, had insufficient procedures to regularly review information system activity, failed to identify and respond to suspected or known security incidents, and failed to implement adequate minimum access controls to prevent the cyber-attackers from accessing sensitive ePHI, beginning as early as February 18, 2014."


2018 ENFORCEMENT

September 20, 2018: Boston Med
• $999,000 paid by Boston Medical Center, Brigham and Women’s Hospital, and Massachusetts General Hospital
• ABC was allowed to film patients
• Patients did not sign a HIPAA authorization


2018 ENFORCEMENT

November 16, 2018: Allergy Associates
• $125,000
• Doctor discussed a patient with a TV reporter
• The doctor had been advised not to respond to the media, or to say “no comment”
• Allergy Associates did not discipline the doctor


2018 ENFORCEMENT

June 18, 2018: MD Anderson ordered to pay $4.3 million in civil monetary penalties

MD Anderson filed three separate breach reports in 2012 and 2013:
• Unencrypted laptop stolen from employee residence
• Two unencrypted USB thumb drives stolen, containing ePHI of 33,500 patients

The OCR found:
• MD Anderson had encryption policies since 2006
• MD Anderson’s HIPAA security risk analysis identified encryption as high risk
• Despite these policies and findings, MD Anderson did not begin encrypting until 2011
• MD Anderson did not encrypt devices containing ePHI when these breaches occurred


2018 ENFORCEMENT

St. Luke’s-Roosevelt Hospital Center
• Provides comprehensive health services to persons living with HIV or AIDS and other chronic diseases
• $387,200 settlement
• Faxed the patient’s PHI to his employer rather than sending it to the personal post office box the patient had requested
• OCR also found a related breach that had occurred nine months earlier, after which the hospital had not addressed the vulnerabilities


2018 ENFORCEMENT

Filefax
• February 13, 2018
• Filefax went out of business

• OCR received an anonymous tip that someone transported medical records from Filefax to a shredding and recycling facility to sell. OCR discovered that records for 2,150 patients were left in an unlocked truck in the Filefax parking lot.


2018 ENFORCEMENT

Fresenius Medical Care North America
• February 1, 2018

• $3.5 million

• 5 separate breach reports

• No HIPAA security risk analysis

• Missing security policies and procedures (P&Ps)


2018 ENFORCEMENT

Advanced Care Hospitalists
• December 4, 2018
• $500,000
• ACH contracted with a fraudulent vendor, who had a breach – PHI for 400 patients ended up on the vendor’s website
• ACH did not have a BAA with the vendor
• ACH did not have a HIPAA security risk analysis, security measures or HIPAA policies until after the breach

Presentation Notes
The OCR entered a $500,000 HIPAA settlement with Advanced Care Hospitalists PL (ACH), a Florida physician group. The OCR accused ACH of contracting with a fraudulent vendor. As a result of this relationship, the vendor committed a breach when PHI for 400 ACH patients ended up on the vendor’s website. The OCR found that ACH did not enter a Business Associate Agreement with the vendor – and ACH did not conduct a HIPAA security risk analysis, implement security measures, or adopt HIPAA policies until after it learned of this incident. Source: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/ach/index.html


2018 ENFORCEMENT

Pagosa Springs Medical Center
• December 11, 2018

• $111,400

• Pagosa failed to terminate a former employee’s remote access to the scheduling calendar

• Pagosa did not have a BAA with the scheduling calendar vendor

Presentation Notes
Both of these things should be picked up in your security risk analysis (SRA)! The OCR entered an $111,400 settlement with Pagosa Springs Medical Center (PSMC), a Colorado critical access hospital. The OCR alleged that the hospital failed to terminate a former employee’s remote access to the hospital’s scheduling calendar, which includes patient PHI. The OCR also alleged that the hospital failed to enter a Business Associate Agreement with the scheduling calendar vendor. OCR Director Roger Severino made the following comments about the settlement: “It’s common sense that former employees should immediately lose access to protected patient information upon their separation from employment… This case underscores the need for covered entities to always be aware of who has access to their ePHI and who doesn’t.” Source: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/pagosasprings/index.html


THE OTHER ENFORCER: YOUR STATE


2018 STATE AG ENFORCEMENTS

• UMass Memorial Health Care (MA, $230,000)
• The Arc of Erie County (NY, $200,000)
• EmblemHealth (NY, $575,000)
• Aetna (NY, $1,150,000; NJ, $365,212 penalty; DC, $175,000; CT, $99,959)
• Virtua Medical Group (NJ, $417,816)


LAWSUIT UPDATE


EMILY BYRNE

• Avery Center for Obstetrics and Gynecology released Emily Byrne’s medical records in a paternity lawsuit involving Emily Byrne and her former boyfriend, without notifying Byrne
• Byrne sued
• A Connecticut jury awarded Byrne $850,000
• The Connecticut Supreme Court held that patients can sue providers who disclose their medical information without the patients’ permission. States vary in the extent to which they allow patients to sue for HIPAA-related violations.


CLASS ACTIONS

• LifeBridge: LifeBridge notified 500,000+ patients of a malware breach. A class action suit has been filed, asserting that LifeBridge failed to protect patient PHI.

• Flowers Hospital: A Flowers employee stole PHI and used it to file fraudulent tax returns. Patients filed a class action; Flowers settled for $150,000.


HIPAA CRIMINAL CHARGES


CRIMINAL CHARGES

• Pharmaceutical company Aegerion entered a $35 million settlement with the United States arising from its Juxtapid marketing practices.

• Aegerion’s sales representatives allegedly accessed medical records in order to find patients who could be prescribed Juxtapid. For example, Dr. Eduardo Montana, a pediatric cardiologist in Atlanta, gave an Aegerion sales rep a list of 280 patients with abnormal lipids – and gave Aegerion the access code to his electronic medical records.

• Dr. Montana pleaded guilty to wrongfully disclosing identifiable health information.


HANDLING BREACHES


BREACH NOTIFICATION

• Unsecured PHI = not encrypted or destroyed
• Within 60 days of discovery
• Who:
  • The patient
  • OCR
  • The media (maybe)


BREACH NOTIFICATION

What do you need?
• Breach Notification policy
• Breach analysis decision tree
• HIPAA attorney on speed dial


BREACH NOTIFICATION

Don’t mess with Texas.
• No risk of harm required.
• Texas DHHS contractors that provide HHS services and create, receive, maintain, use or disclose Confidential Information on behalf of HHS programs or clients must notify HHS of breaches of federal data within 60 minutes


IS IT A BREACH?


NURSE SNOOPING LEADS TO PATIENT UPROAR

• You are the compliance officer at a hospital.
• You just learned that a nurse accessed hundreds of patient records in the EMR without authorization or a legitimate work-related purpose, over a period of several months.
• What do you do?
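A compliance officer’s first step in the snooping scenario above (and in the Pagosa Springs case earlier in the deck, where a former employee’s remote access was never terminated) is to pull the EMR access-audit log and measure the scope before deciding on notification. The following is an added example, not code from the presentation or from any EMR vendor: it parses a constructed audit export, flags users who viewed many distinct patients’ records without a treatment relationship, and flags any access by accounts that should have been disabled at separation. The CSV layout, the encounter_assigned column (standing in for the EMR’s own record of a care-team relationship), the user names, the termination dates and the threshold of three unrelated patients are all assumptions made for the example.

```python
"""Added example: triage of an EMR access-audit export for snooping and
stale (post-separation) access. Not code from the original presentation;
the log format, names, dates and thresholds are assumed for illustration."""
from __future__ import annotations

import csv
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime
from io import StringIO

# Constructed sample audit export (not real data). Columns are assumed:
# encounter_assigned = "yes" when the user was on the patient's care team.
SAMPLE_LOG = """\
timestamp,user,patient_id,action,encounter_assigned
2018-03-01T08:02:00,nurse_a,P1001,view,yes
2018-03-01T08:10:00,nurse_a,P1002,view,yes
2018-03-01T12:30:00,nurse_a,P2201,view,no
2018-03-01T12:31:00,nurse_a,P2202,view,no
2018-03-15T22:05:00,nurse_a,P2203,view,no
2018-04-02T23:40:00,nurse_a,P2204,view,no
2018-04-02T23:41:00,nurse_a,P2201,view,no
2018-03-01T09:00:00,nurse_b,P1003,view,yes
2018-03-01T09:05:00,nurse_b,P1004,update,yes
2018-03-02T10:00:00,nurse_b,P2205,view,no
2018-03-20T07:15:00,former_emp,P1005,view,yes
2018-03-21T07:20:00,former_emp,P1006,view,no
"""

# Assumed HR separation dates; in practice this list comes from HR, not the EMR.
TERMINATED = {"former_emp": date(2018, 3, 10)}


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    user: str
    patient_id: str
    action: str
    treatment_relationship: bool


def parse_log(text: str) -> list[AccessEvent]:
    """Parse the CSV export into typed events."""
    events = []
    for row in csv.DictReader(StringIO(text)):
        events.append(AccessEvent(
            ts=datetime.fromisoformat(row["timestamp"]),
            user=row["user"].strip(),
            patient_id=row["patient_id"].strip(),
            action=row["action"].strip(),
            treatment_relationship=row["encounter_assigned"].strip().lower() == "yes",
        ))
    return events


def find_snooping(events: list[AccessEvent], min_unrelated_patients: int = 3) -> dict:
    """Per user, count distinct patients viewed with no treatment relationship.
    Returns {user: {"patients", "first", "last", "days"}} for users at or
    above the threshold; the span shows how long the pattern persisted."""
    patients: dict[str, set[str]] = defaultdict(set)
    first: dict[str, datetime] = {}
    last: dict[str, datetime] = {}
    for e in events:
        if e.treatment_relationship:
            continue  # legitimate care-team access is not snooping
        patients[e.user].add(e.patient_id)
        first[e.user] = min(first.get(e.user, e.ts), e.ts)
        last[e.user] = max(last.get(e.user, e.ts), e.ts)
    return {
        u: {"patients": len(p), "first": first[u], "last": last[u],
            "days": (last[u] - first[u]).days}
        for u, p in patients.items() if len(p) >= min_unrelated_patients
    }


def find_stale_access(events: list[AccessEvent], terminated: dict[str, date]) -> list[AccessEvent]:
    """Any event by an account used on or after its owner's separation date."""
    return [e for e in events
            if e.user in terminated and e.ts.date() >= terminated[e.user]]


def triage(log_text: str = SAMPLE_LOG, terminated: dict[str, date] = TERMINATED) -> dict:
    events = parse_log(log_text)
    return {"snooping": find_snooping(events),
            "stale_access": find_stale_access(events, terminated)}


if __name__ == "__main__":
    result = triage()
    for user, s in result["snooping"].items():
        print(f"SNOOPING? {user}: {s['patients']} patients without a treatment "
              f"relationship over {s['days']} days ({s['first']:%Y-%m-%d} to {s['last']:%Y-%m-%d})")
    for e in result["stale_access"]:
        print(f"STALE ACCESS: {e.user} accessed {e.patient_id} at {e.ts.isoformat()} after separation")
```

A hit from either rule is a lead for the investigation, not proof of a breach: the threshold and look-back window should come from the practice’s own baseline (a triage nurse legitimately opens many charts), the treatment-relationship signal should come from the EMR’s encounter or care-team tables rather than a column in the export, and the terminated-account list should be reconciled against HR on a schedule so that the Pagosa Springs failure is caught in the next audit rather than by OCR.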


HARD DRIVE STOLEN

• An orthopedic practice reported the theft of a hard drive containing X-rays and other diagnostic images for 76,000 patients, plus names and DOB.

• The hard drive was not encrypted; however the orthopedic company asserts that special software is necessary in order to access the images and view the patient names and DOB.

Is it a breach?


WAS A HEMOPHILIA PATIENT IDENTIFIED?

• At a rotary club event, Wellmark Blue Cross Blue Shield Executive VP Laura Jackson described the case of a patient with a form of hemophilia that costs more than $1,000,000 a month.

• She didn’t mention the boy’s name or town, but she discussed a 17 year old with a challenging type of hemophilia. There are 25 boys between the ages of 15 and 17 with hemophilia in Iowa.

Is it a breach?


VIAGRA PROBLEMS

CVS exposed my Viagra scripts – and ruined my marriage!


HIPAA FROM THE HEADLINES


ADOPTIVE PARENTS SUE

• In 2017, Wayne and Denise Russell’s adopted two-year-old son drowned in the family swimming pool.

• The hospital that treated the boy, McAlester Regional Health Center, notified the child’s birth mother – who did not have parental rights – of the boy’s death.


WATER COOLER CHAT

A hospital employee discussed an 11-year-old’s attempted suicide with people at his school, resulting in the boy being bullied. The mom sued the hospital.


DELIVERY ERRORS

A Texas Health and Human Services Commission employee was fired for allegedly failing to secure protected health information as required by HIPAA.

A few weeks later, she found two boxes on her doorstep. First, a box of personal items (not hers).

Second, a box of state assistance applications with SSNs, billing statements, and more – for hundreds of people.


WOMAN GETS HOSPITAL’S MISDIRECTED FAXES

… for a year


SNOOPING


STUDENT SNOOPERS

• Students working at an Amsterdam hospital had access to patient information due to a software error.

• They told a newspaper they dug up “juicy details” about friends, family and celebrities while doing “boring jobs.”

• The students could access these files because they were supposed to be able to work anywhere in the hospital.


12 HOSPITAL EMPLOYEES LOOK UP CAR ACCIDENT VICTIMS

• Washington Health System in Pennsylvania suspended approximately 12 employees while it investigated a potential HIPAA breach.

• The investigation likely involves a fatal motor vehicle accident involving a Washington Health System employee.

• The driver and another passenger were then treated at local hospitals for injuries.


RECEPTIONIST FIRED FOR LOOKING UP CO-WORKER CONTACT INFO IN EHR

• Hospital OR Secretary looked up a co-worker’s phone number in the hospital’s EHR.

• She was fired.
• She sued – and lost.


PAPER STILL COUNTS


1,800 MEDICAL RECORDS FOUND ON THE SIDEWALK

…by a reporter


PHISHING


BREACHES CAUSED BY PHISHING

• Anthem
• Spear phishing attack that took down the Ukrainian power grid
• Clinton presidential campaign email breach
• Sony data breach (spear phishing)


77% OF EMPLOYEES UNAWARE OF SECURITY RISKS

• 77% of employees in management roles “showed a general lack of awareness” of security risks.

• 75% of employees “struggled with identifying best practices relating to correct behaviors in cybersecurity and data privacy.”

• 26% of employees “made poor decisions involving the secure use of social media.”

• 14% of employees could not identify phishing emails.

MediaPRO 2018 State of Privacy and Security Awareness Report
https://pages.mediapro.com/2018-State-of-Privacy-Security-Awareness.html


SAY CHEESE!


FOOLISH PHOTOS

• A new nurse took a photo of a patient medical record with her cell phone so she could take it home and study it.

• Two nurses were in a patient room. One nurse took a photo of the other nurse and put it on Facebook. The patient’s wrist was in the background. Someone identified the patient by her distinctive watch.


SHARK ATTACK

• A patient was bitten twice while kite boarding: one bite with teeth marks across the buttocks, and a 9-inch bite on his right thigh that hit the bone.
• Multiple hospital employees took cell phone photographs of the patient while he was being treated in the ER following the shark attack.


SOCIAL MEDIA


CHICKEN PROBLEMS: CODE IN A COOP

“Well, we had a first… We worked a code in a chicken coop! Knee deep in chicken droppings.”


YOUR ACTION PLAN


SECURITY RISK ANALYSIS

• Conduct a HIPAA Security risk analysis
• Mitigate risks
• Update the risk analysis
• Keep updating!


POLICIES

• Privacy
• Security
• Breach Notification
• Social Media


TRAIN, TRAIN

• New hires
• Annual training
• Quarterly or monthly reminders
• Board, employees, contractors, managers, volunteers, students
• In-services, written reminders, email, flyers, video, text alerts, tip sheets


AUDIT

• Walk-throughs
• Security audits
• Privacy audits
• Breach notification audits
• Social media audits


LOOK FOR GUIDANCE

• Texting
• Social media
• Encryption


Margaret Scavotto, JD, CHC

President

314-394-2222 ext. 24

[email protected]

Questions?

(c) 2019 Management Performance Associates
This presentation does not constitute legal advice