
Page 1: HIPAA Privacy and Security: Surviving Heightened Enforcement (media.straffordpub.com/products/hipaa-privacy-and-security-survivin…)

HIPAA Privacy and Security: Surviving Heightened Enforcement

Preparing for OCR Audits, Crafting and Implementing Data Security Policies, and Responding to Breaches

Today’s faculty features:

1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific

The audio portion of the conference may be accessed via the telephone or by using your computer's speakers. Please refer to the instructions emailed to registrants for additional information. If you have any questions, please contact Customer Service at 1-800-926-7926 ext. 10.

WEDNESDAY, FEBRUARY 29, 2012

Presenting a live 90-minute webinar with interactive Q&A

Nathan A. Kottkamp, Partner, McGuireWoods, Richmond, Va.

Rebecca C. Fayed, Associate General Counsel and Privacy Officer, The Advisory Board Company, Washington, D.C.

Gina M. Kastel, Partner, Faegre Baker Daniels, Minneapolis

Page 2

Conference Materials

If you have not printed the conference materials for this program, please complete the following steps:

• Click on the + sign next to “Conference Materials” in the middle of the left-hand column on your screen.

• Click on the tab labeled “Handouts” that appears, and there you will see a PDF of the slides for today's program.

• Double click on the PDF and a separate page will open.

• Print the slides by clicking on the printer icon.

Page 3

Continuing Education Credits

For CLE purposes, please let us know how many people are listening at your location by completing each of the following steps:

• Close the notification box

• In the chat box, type (1) your company name and (2) the number of attendees at your location

• Click the SEND button beside the box

FOR LIVE EVENT ONLY

Page 4

Tips for Optimal Quality

Sound Quality

If you are listening via your computer speakers, please note that the quality of your sound will vary depending on the speed and quality of your internet connection. If the sound quality is not satisfactory and you are listening via your computer speakers, you may listen via the phone: dial 1-866-927-5568 and enter your PIN when prompted. Otherwise, please send us a chat or e-mail [email protected] immediately so we can address the problem. If you dialed in and have any difficulties during the call, press *0 for assistance.

Viewing Quality

To maximize your screen, press the F11 key on your keyboard. To exit full screen, press the F11 key again.

Page 5

HIPAA Privacy and Security: Surviving Heightened Enforcement

Gina M. Kastel, Nathan A. Kottkamp, Rebecca C. Fayed


Page 6

Agenda

• HIPAA Enforcement: The Dawn of a New Era (Nathan A. Kottkamp)

• Strategies to Prepare For and Respond to a Breach (Rebecca C. Fayed)

• Audits and Best Practices (Gina M. Kastel)

Page 7

www.mcguirewoods.com

HIPAA Enforcement: The Dawn of a New Era

Nathan A. Kottkamp

Page 8

McGuireWoods LLP | 8

HIPAA Enforcement: Before HITECH

All Bark, and No Bite?

Page 9


HIPAA Enforcement Pre-HITECH

• Pre-HITECH

– Penalty limited to $100 per violation or $25K for all identical violations

• No Civil Money Penalty cases

Page 10


Providence Health & Services-2008

la di da . . .

Page 11


Providence Health & Services-2008

• Providence agrees to pay $100,000 and implement a detailed Corrective Action Plan to ensure that it will appropriately safeguard identifiable electronic patient information against theft or loss.

• The Resolution Agreement relates to Providence's loss of electronic backup media and laptop computers containing individually identifiable health information in 2005 and 2006.

• Providence agreed to perform certain obligations (e.g., staff training) and make reports to HHS for three years.

• During the period, HHS monitors the compliance of the covered entity with the obligations it has agreed to perform.

http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/providenceresolutionagreement.html

Page 12


CVS-2009

Patient records?

Page 13


CVS-2009

Under the Resolution Agreement, CVS agreed to pay a $2,250,000 resolution amount and implement a strong Corrective Action Plan that requires:

1. revising and distributing its policies and procedures regarding disposal of protected health information;

2. sanctioning workers who do not follow them;

3. training workforce members on these new requirements;

4. conducting internal monitoring;

5. engaging a qualified, independent third-party assessor to conduct assessments of CVS compliance with the requirements of the Corrective Action Plan and render reports to HHS;

6. new internal reporting procedures requiring workers to report all violations of these new privacy policies and procedures; and

7. submitting compliance reports to HHS for a period of three years.

http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/cvsresolutionagreement.html

Page 14


HIPAA Penalties Under HITECH

The Health Information Technology for Economic and Clinical Health (HITECH) Act revised HIPAA’s enforcement regulations:

– New Penalty Tiers:

  • Unknowing ($100 per violation / $25K max)

  • Reasonable Cause ($1K per violation / $100K max)

  • Willful neglect ($10K per violation / $250K max)

  • Uncorrected willful neglect ($50K per violation / $1.5M max)

– Civil and criminal liability for HIPAA violations extended to business associates

– Mandatory investigations and civil penalties for violations due to willful neglect

– Increased emphasis and significant funding on enforcement

Page 15


Rite Aid-2010

Page 16


Rite Aid-2010

Under the HHS resolution agreement, Rite Aid agreed to pay a $1 million resolution amount to HHS and must implement a strong corrective action program that includes:

– Revising and distributing its policies and procedures regarding disposal of protected health information and sanctioning workers who do not follow them;

– Training workforce members on these new requirements;

– Conducting internal monitoring; and

– Engaging a qualified, independent third-party assessor to conduct compliance reviews and render reports to HHS.

http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/riteaidresagr.html

Page 17


2011

Page 18


Enforcement

• To boost enforcement of the HIPAA security rule, OCR has added investigators in 10 regional offices.

• HHS is seeking a $5.6 million increase in funding for Fiscal 2012 enforcement.

• In FY 2010, the office received approximately 9,400 complaints associated with the HIPAA privacy and security rules.

Page 19


Cignet Health-Landmark HIPAA Civil Monetary Penalty, February 4, 2011

“Today the message is loud and clear: HHS is serious about enforcing individual rights guaranteed by the HIPAA Privacy Rule and ensuring provider cooperation with our enforcement efforts.”

-OCR Director Georgina Verdugo

http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/cignetresolutionagreement.html

Page 20


Cignet Health of Prince George’s County

Page 21


Cignet Health of Prince George’s County, MD-Landmark HIPAA Civil Monetary Penalty, February 4, 2011

• The first-ever civil money penalty of $4.3 million

• Cignet violated 41 patients’ rights by denying them access to their medical records when requested between September 2008 and October 2009.

  – The HIPAA Privacy Rule requires that a covered entity provide a patient with a copy of their medical records within 30 (and no later than 60) days of the patient’s request.

  – The CMP for these violations is $1.3 million.

• Cignet failed to cooperate with OCR’s investigations of the complaints and produce the records in response to OCR’s subpoena.

  – Covered entities are required under law to cooperate with the Department’s investigations.

  – The CMP for these violations is $3 million.

Page 22


Cignet Health-Landmark HIPAA Civil Monetary Penalty, February 4, 2011

“Covered entities and business associates must uphold their responsibility to provide patients with access to their medical records, and adhere closely to all of HIPAA’s requirements . . . . The U.S. Department of Health and Human Services will continue to investigate and take action against those organizations that knowingly disregard their obligations under these rules.”

-OCR Director Georgina Verdugo

http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/cignetresolutionagreement.html

Page 23


Mass General-“The Million Dollar Subway Ride,” February 14, 2011

$1M

Page 24


Seriously?

Page 25


Mass General-“The Million Dollar Subway Ride,” February 14, 2011

• An employee of General Hospital Corporation and Massachusetts General Physicians Organization Inc. (“Mass General”) left documents on a subway that included a patient schedule containing protected health information (“PHI”) of 192 patients, and billing forms with PHI for 66 of those patients. This included PHI of patients with HIV/AIDS.

• The records were bound only by a rubber band!

Page 26


Mass General-“The Million Dollar Subway Ride,” February 14, 2011

• Mass General paid the US Government a $1,000,000 settlement and entered into a Corrective Action Plan (“CAP”):

  – Develop and implement a comprehensive set of policies and procedures that ensure PHI is protected when removed from Mass General’s premises;

  – Train workforce members on these policies and procedures; and

  – Designate the Director of Internal Audit Services to serve as an internal monitor who will conduct assessments of compliance with the CAP and render semi-annual reports to HHS for a 3-year period.

Page 27


Mass General-“The Million Dollar Subway Ride,” February 14, 2011

“To avoid enforcement penalties, covered entities must ensure they are always in compliance with the HIPAA Privacy and Security Rules. . . . A robust compliance program includes employee training, vigilant implementation of policies and procedures, regular internal audits, and a prompt action plan to respond to incidents.”

-OCR Director Georgina Verdugo

Page 28


Class Actions

• Big money for big breaches.

Page 29


UCLA (2011)

• $16 Million

• 16,000 patients x $1,000

• Encrypted laptop stolen from employee’s home BUT also missing is the sheet of paper with the password!!!!

• Laptop included various PHI

Page 30


Stanford Hospital & Clinics (2011)

• $20 Million – 20,000 patients x $1,000

• Information (allegedly) posted on website included:

  – name,

  – medical record number,

  – admissions/discharge dates,

  – diagnosis codes, and

  – billing charges.

• NOTE: Stanford’s Business Associate caused the issue, but Stanford is getting sued.

Page 31


Sutter Health (2011)

• $1 Billion – $1,000 per person and over 4 million people affected

• Information on a stolen, unencrypted desktop PC included:

  – names,

  – addresses,

  – dates of birth,

  – phone numbers, and

  – email addresses (if patient provided them)

Page 32


Pentagon (2011)

• $4.9 Billion!! – 4.9 Million TRICARE Beneficiaries x $1,000

• Information on lost back-up tapes included:

  – addresses,

  – PHI,

  – phone numbers, and

  – Social Security numbers

• NOTE: the Pentagon’s Business Associate caused the issue, but the Pentagon is getting sued.

Page 33


HIPAA as the Basis for State Law Negligence

• I.S. v. Washington University, E.D. Mo., No. 11-235, June 14, 2011.

• Violation of HIPAA served as basis for state-law negligence per se claim.

Page 34


Business Associate Enforcement Action (2012)

• First known enforcement action against a business associate: 2012

  – Minnesota Attorney General brought formal enforcement action against Accretive Health, Inc.

  – Stolen unencrypted laptop contained records for 23,500 patients including:

    • names,

    • addresses,

    • dates of birth,

    • social security numbers, and

    • a score to predict admissions rates

  – Beyond HIPAA, key issue appears to be alleged deceptive practices in which patients were not informed of the scope of information collected by Accretive Health

Page 35


Consequences

• MORE, MORE, MORE

  – Education

  – Policies

  – Monitoring

  – Documentation

  – Scrutiny

Page 36


Questions?

Nathan A. Kottkamp

804.775.1092

[email protected]

www.mcguirewoods.com

2012 McGuireWoods LLP

Page 37

HIPAA Privacy and Security: Surviving Heightened Enforcement

Strategies to Prepare for or Respond to a Breach

February 29, 2012

Rebecca C. Fayed, Associate General Counsel & Privacy Officer

Page 38

©2012 The Advisory Board Company

10-Step Breach Response Plan Overview

1. Prepare for the possibility of a breach.

2. Investigate the incident.

3. Mitigate the harm and take corrective action.

4. Assess and document whether incident is a “breach” under the HITECH Act / HHS Breach Notification Rule.

5. Analyze whether incident is a breach under applicable state law.

6. Notify individuals (or the covered entity).

7. Notify the media.

8. Notify HHS and, if applicable, state agencies.

9. Reassess privacy and security compliance policies and procedures.

10. Prepare for the possibility of HHS-OCR or state AG investigation.

Page 39

Step 1: Prepare for the Possibility of a Breach

Are we prepared?

• Establish Incident Response Team

• Develop and implement incident response and breach notification policy

• Encrypt PHI?

• Data security breach insurance?

Page 40

Step 2: Investigate the Incident

Incident response team and incident response / breach notification process in place?

• If yes, follow the procedure and initiate actions of incident response team.

• If no, identify individuals in the best positions to help investigate, respond to the incident and make decisions.

Identify the following:

• Facts surrounding the incident (e.g., stolen or lost laptop, back up tape, portable storage device; email or fax sent to wrong recipient; paper records thrown in the trash)

• Date of incident

• Data elements (e.g., names, addresses, phone numbers, PHI, SSN, credit card numbers)

• Number of people affected

• States in which affected people live and total in each state

• Whether information was encrypted

Page 41

Step 3: Mitigate Harm & Take Corrective Action

• A covered entity must mitigate, to the extent practicable, any harmful effect that is known to the covered entity of a use or disclosure of PHI in violation of its policies and procedures or the Privacy Rule by the covered entity or its business associate. 45 C.F.R. 164.530(f).

Mitigate Harm

• File a police report

• Contact recipient and ask for information to be returned or destroyed

Take Corrective Action

• Revise policies and procedures

• Sanction employees

• Conduct additional training

Page 42

Step 4: Assess Whether Incident is a Breach under HITECH Act / HHS Breach Notification Rule

Breach: Acquisition, access, use, or disclosure of PHI (either electronic or hard copy) not permitted by the Privacy Rule which compromises the security or privacy of PHI (i.e., it poses a significant risk of financial, reputational, or other harm to the individual).

Step 1: Impermissible use or disclosure of PHI under the Privacy Rule?

Step 2: Compromises the privacy or security of PHI by creating significant risk of harm?

Step 3: Excluded from the definition of a breach?

Page 43

Step 4: Assess Whether Incident is a Breach under HITECH Act / HHS Breach Notification Rule

HITECH Act breach notification requirement applies only to the breach of unsecured PHI.

The breach of secure PHI is not subject to the breach notification requirement.

If PHI is rendered “unusable, unreadable, or indecipherable” to unauthorized individuals, it is secure.

Only 2 Technologies and Methodologies to secure PHI:

• Encryption

• Destruction

Page 44

Step 5: Analyze Whether Incident is a Breach Under State Law

• In what states do affected people reside?

• Does the state have a breach notification law?

• What is included within the definition of “personal information”?

• Are there any exceptions to the breach notification obligations (e.g., encryption or harm-based standards)?

If state breach notification law is triggered, notification obligations may exist in addition to those required under the HITECH Act.

Page 45

Step 6: Notify Individuals or the Covered Entity

Timing of Notification

• Notice must be provided to the individual “without unreasonable delay” and no later than 60 days after breach is discovered.

Other Timing Considerations

• Notification should be made sooner than 60 days if possible. Many state laws require notification sooner.

Format of Notification

• Via first-class mail unless the individual has specified a preference for email.

Content of the Notice

• Description of facts about breach.

• Type of PHI involved.

• Steps individuals should take to protect themselves.

• What the covered entity is doing to investigate the situation and prevent future breaches.

• Contact information for individuals to ask questions.

Substitute Notice

• May be required if not able to contact people.

Business Associate Notification Requirements

• Must notify the covered entity of the breach no later than 60 days after breach is discovered.

• BA Agreement may specify shorter notification timeline.

• Contract may specify who will notify the individual and/or who will pay for such notification.

Page 46

Step 7: Notify the Media

If PHI of more than 500 individuals in one state is breached, the entity must notify “prominent media outlets” in the state.

Page 47

Step 8: Notify HHS and/or State Agencies

Covered entities must notify HHS of the breach:

If more than 500 affected individuals, must notify HHS contemporaneously with notification to the individual via online notification.

If fewer than 500 affected individuals, must notify HHS via an annual log of events no later than 60 days following the end of the calendar year.

Check state laws to determine whether any state agencies must be notified (e.g., police department, consumer protection agencies, Attorney General’s office).

http://ocrnotifications.hhs.gov/


Page 48

Step 9: Reassess Privacy & Security Policies

Compliance policies and procedures should be evaluated and revised if they do not work for an organization or do not protect against privacy and security violations. For example:

• If incident involved lost or stolen backup data tape, consider changing procedure for transport and/or storage.

• If incident involved faxing information to a wrong number, consider changing procedure to require contacting the intended recipient before the fax is sent to confirm number and after the fax is sent to confirm receipt.

• If incident was the result of employee error, consider retraining employees.

• If incident was the result of a business associate’s error, consider imposing more stringent safeguards under the agreement.

Page 49

Step 10: Prepare for a Possible Investigation by OCR or State Attorney General

HHS-OCR stated that they have initiated an investigation into every breach reported to their office via the online notification system that involved more than 500 individuals. OCR trained state AGs on HIPAA enforcement. Investigations have been initiated via letter and by phone. As evidenced by recent actions, OCR expects cooperation. Generally, OCR has been asking for:

• Facts surrounding the breach.

• Copies of notification letters, media notices, business associate agreements.

• Actions taken to locate missing data, prevent further loss of data, and protect affected individuals (e.g., credit monitoring services).

• Security Rule risk assessments.

• Description of safeguards in place to protect the information, specifically requesting information related to whether data was encrypted.

• Compliance efforts related to policies and procedure revisions, training, and sanctions imposed.

Page 50

Rebecca C. Fayed, Associate General Counsel & Privacy Officer

[email protected]

Page 51

Audits and Best Practices

Gina M. Kastel

Page 52

Audit Overview

• HITECH Act requires HHS to provide for periodic audits to ensure covered entities and business associates comply with HIPAA privacy and security rules and breach notification standards

• Pilot program developed for up to 150 audits of covered entities and business associates

• KPMG LLP is audit contractor under $9 million contract

Page 53

Audit Process

• Follow generally familiar audit mechanisms

• Selected entities will be informed by OCR of their selection and asked to provide compliance documentation

• In pilot phase, every audit will include a site visit and result in an audit report

• During site visits, auditors will interview key personnel and observe processes and operations

Page 54: HIPAA Privacy and Security: Surviving Heightened Enforcementmedia.straffordpub.com/products/hipaa-privacy-and-security-survivin… · •Assess and document whether incident is a

Audit Timeline (2011-12) (slide shows a timeline graphic; not reproduced in text)

Audit Follow Up

• Auditors will develop and share a draft report

• Prior to finalizing the report, covered entity will have the opportunity to discuss concerns and describe corrective actions

• Final report submitted to OCR will incorporate steps taken to resolve any compliance issues and best practices of the entity

• OCR may initiate compliance review for serious issues

• Audited entities will not be identified publicly

Best Practices

Reassess and Ensure Compliance

• Review and update policies and procedures – Complete? Accessible? Any zombies (outdated policies still on the books)?

• Once house is in order, update for HITECH

• Monitor new developments

Learn from the Mistakes of Others

• Massachusetts General Resolution Agreement www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/massgeneralra.pdf

• Cignet Notice of Final Determination www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/cignetpenaltyletter.pdf

• OCR enforcement examples and resolution available at www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/index.html

• OCR security breach list www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html


Train, Train, Train

• Consider mix of training methods

• Train regularly

• Focus on high risk issues

• Have staff take tests and certify to completion of training

• Keep training materials

Respond Quickly

• Ensure prompt incident response processes are in place

• Investigate thoroughly

• Implement appropriate corrective action

• Take appropriate disciplinary action

• COOPERATE WITH THE GOVERNMENT!

Set the Tone at the Top

• Get buy-in on health care compliance from executive team

• Ensure managers and supervisors stress importance of compliance

Conduct Ongoing Compliance Assessments

• Develop a program of self-monitoring and auditing

• Focus on high risk areas
  – Mobile devices
  – High profile patients and members
  – Improper disclosures
  – Disposal of records

• Follow up when problems are found

Monitor New Developments

• Someone in organization should be responsible for tracking new developments

• Share information when the law or enforcement activity changes

• Have mechanism in place to respond to new developments

Contact Information Gina M. Kastel | [email protected] | 612 766 7923
