how to comply with hipaa regulations
DESCRIPTION
CLE Presentation: Anna Selby and Diane Keefe, Attorneys at Armstrong Teasdale Recent changes to the HIPAA Privacy and Security rules impacy how covered entities protect Personal Health Information, one of today's most valuable and sensitive types of confidential data. the protection of this information and management of breach notification is essential to compliance with HIPAA. The choice of a lawyer is an important decision and should not be based solely on this presentation. All rights are reserved and content may not be reproduced, disseminated or transferred, in any form or by means, except with the prior written consent of Armstrong Teasdale.TRANSCRIPT
© 2013 Armstrong Teasdale LLP © 2013 Armstrong Teasdale LLP
HIPAA: Navigating the Labyrinth
Anna Selby Diane Keefe
July 31, 2013
© 2013 Armstrong Teasdale LLP
Navigating the Labyrinth
© 2013 Armstrong Teasdale LLP
Call From Employee
1) Staff Texting Nude Patient Photo. • Patient is Identifiable.
• Hospital Name is visible on scrubs.
2) Nurses photograph x-ray.
• Post x-ray to Facebook.
• Nurse comments regarding patient.
© 2013 Armstrong Teasdale LLP
HIPAA
Regulations Apply to: • Covered Entities (CE)
1) Providers
2) Health Plans
3) Clearinghouses Business Associates of CE’s
• Insurance Broker, Benefit Specialists
• Strategic Consultants
© 2013 Armstrong Teasdale LLP
HIPAA Protects
PHI PERSONAL HEALTH INFORMATION
© 2013 Armstrong Teasdale LLP
PHI Uses & Disclosures
OK to use PHI for: 1) Treatment 2)Payment 3) Health Care Operations
General Rule: Other Uses Require an Authorization.
© 2013 Armstrong Teasdale LLP
HIPAA Breach - New Definition
A Breach is 1. Unauthorized acquisition, access, use or disclosure of
2. Unsecured PHI
3. Compromises the privacy or security of the PHI Presumption of Reportable Breach UNLESS
• CE determines there is a low probability the
• PHI has been compromised after risk assessment.
© 2013 Armstrong Teasdale LLP
HIPAA Risk Assessment
What is Compromised? • Rule does not tell us.
Must Perform Risk Assessment.
© 2013 Armstrong Teasdale LLP
HIPAA Risk Assessment
4 Elements: 1. Nature and extent of PHI involved.
2. The unauthorized person who used PHI or to whom disclosure was made.
3. Whether PHI was actually acquired or viewed.
4. Extent to which the risk to PHI has been mitigated.
© 2013 Armstrong Teasdale LLP
HIPAA Risk Assessment
If you do not do a breach notification you MUST do a Risk Assessment. DOCUMENT, DOCUMENT, DOCUMENT.
© 2013 Armstrong Teasdale LLP
HIPAA Breaches
CVS 2009-Pill bottles thrown in dumpsters. • $2.25 Million Settlement
• No policies.
• No training.
© 2013 Armstrong Teasdale LLP
HIPAA Breaches
Million Dollar Subway Ride • Massachusetts General Hospital employee leaves documents
on subway.
• PHI of 192 patients. (Included HIV/AIDS status)
• $1 Million Settlement.
Stanford 2011. BA posts PHI on web.
• 20,000 patients X $1,000 = $20 Million
© 2013 Armstrong Teasdale LLP
HIPAA Breaches
WellPoint—July 11, 2013 Left Accessible Information on Internet $1.7 Million Settlement 600,000 Patients’ Information WellPoint failed to:
1) Have Policies to authorize access to PHI;
2) Perform technical evaluation of software & database;
3) Have technical safeguards to verify identify of persons accessing PHI.
© 2013 Armstrong Teasdale LLP
HIPAA Breaches-Laptops
Sutter 2011. Stolen unencrypted laptop. • 4 million patients X $1,000 nominal damages per patient.
• $1 Billion Potential Damages. UCLA 2011.
• Encrypted laptop stolen. Paper also stolen.
• 16,000 patients X $1,000
• $16 Million.
© 2013 Armstrong Teasdale LLP
HIPAA Breaches-Hardware
Blue Cross Blue Shield Tennessee 2012 • Self Reported 57 unencrypted hard drives stolen.
• 1 Million people. $1.5 Million Settlement. Pentagon 2011
• BA lost backup tapes, 4.9 Million Tricare beneficiaries.
• If damages are $1,000 per patient = $4.9 Billion.
• Attempted to use HIPAA for basis of claims.
© 2013 Armstrong Teasdale LLP
Lawsuits Pending
Plaintiffs claim HIPAA violations. (Negligence Per Se) Case law is not clear. We argue no private right of action. Motions to dismiss granted. Breach of Fiduciary Duty & Public Disclosure of Private Fact
claims remain. Each suit involved OCR investigation.
© 2013 Armstrong Teasdale LLP
HIPAA Breach
If you don’t need it for your job=Unauthorized.
Snooping.
© 2013 Armstrong Teasdale LLP
Snooping
There once was a girl … Later goes to psych ward at UCLA…
People get curious. 13 fired & 12 disciplined. OCR investigates $865,000 No evidence PHI disclosed or sold.
© 2013 Armstrong Teasdale LLP
Snooping
Little Rock: News anchor in hospital. Physician watches news from home. Unit Coordinator & Billing employee. 2 fired; physician suspended 2 weeks.
• Face prison & fine.
• Each had HIPAA training. Mom sues Hospital.
• AR SC allows outrageous behavior claim.
© 2013 Armstrong Teasdale LLP
Yes, Someone Went to Prison.
Researcher at UCLA Reviewed records 323 times in 3 weeks. His Boss,
No Evidence PHI was Used or Sold. 4 Months in Prison.
© 2013 Armstrong Teasdale LLP
Breach Notifications < 500
Breach • Must Notify Individual(s)
− In Writing including what happened & steps taken.
− Within 60 days of date breach discovered.
• Notify HHS Secretary
Don’t Delay.
© 2013 Armstrong Teasdale LLP
Breach Notifications > 500
Where a Breach Involves Greater than 500 Residents: • Notify Individuals in Writing
• Notify HHS Secretary
• Notify Media − Press Release to “Prominent” media outlets.
− Within 60 days.
© 2013 Armstrong Teasdale LLP
Penalties-Civil
Per identical violation in a calendar year: Did Not Know: $100 up to $25,000
Willful Neglect Uncorrected: $50,000 up to $1,500,000
Willful Neglect: Conscious, intentional failure or reckless indifference.
Can be Per Record. Extend to BA’s. Can impose penalty without seeking informal resolution.
© 2013 Armstrong Teasdale LLP
Penalties-Criminal
People that knowingly obtain or disclose PHI: • Up to $50,000 AND 1 year imprisonment.
With False Pretenses: • Up to $100,000 AND 5 years.
With Intent to sell or use for personal gain or malicious harm: • Up to $250,000 AND 10 years.
© 2013 Armstrong Teasdale LLP
When a Breach Occurs:
Call Us. What We Can Do:
• Walk you through whether it is reportable. − Multiple factors.
• Advise during investigation.
• Assist with Proactive Prevention.
© 2013 Armstrong Teasdale LLP
What Can/Should be Done to Comply?
Most obvious • Modify your Business Associate Agreements
• Modify your Notice of Privacy Practices
Not so obvious…
• Conduct a Risk Assessment
• Review, evaluate and update polices and procedures
• Educate and train staff/employees
© 2013 Armstrong Teasdale LLP
Modifications to the BAA’s
A statement that the Business Associate (“BA”) now needs to comply with the administrative, physical, and technical components of the Security Rule
• Should also reflect that the BA is required to implement and maintain compliance with the administrative, physical, and technical components of the Security Rule
© 2013 Armstrong Teasdale LLP
Modifications to BAAs
A statement that the BA must report to the Covered Entity any breach of unsecured PHI (in addition to any unauthorized use or disclosure)
• Should reflect exactly what the BA should do in order to notify the Covered Entity of the breach:
− Date of incident − Date of discovery of incident (if different than above) − Categories of the affected information − Individual(s) who were affected − Steps for mitigation − Steps for prevention
© 2013 Armstrong Teasdale LLP
Modifications to BAAs
A statement that the BA must ensure that any subcontractor will agree to the same restrictions and conditions that apply to the BA
• In other words, BAs now need to enter into BAAs with subcontractors
A statement requiring the BA to implement a system for documenting and recording uses and disclosures in compliance with the Security Rule A statement that provides for retention of information for 6
years from the date of the disclosure
© 2013 Armstrong Teasdale LLP
Modifications to BAAs
Other Aspects to Consider • Liability is determined on Agency principles, so a statement
that reflects the status of the parties
• Consider modifying or adding insurance requirements
• Consider modifying or adding limitations of liability and indemnification provisions
© 2013 Armstrong Teasdale LLP
Modifications to BAAs
Compliance Deadline • depends on whether there is an existing BAA or whether
there will be a new BAA entered into between the parties − If existing BAA, then September 22, 2014
− If no existing BAA, then September 23, 2013
© 2013 Armstrong Teasdale LLP
Modifications to Notice of Privacy Practices
Must now include statements regarding the Sale of PHI Must now include statements regarding marketing and other
purposes that require an authorization Must now include statement that an individual can opt out of
fundraising communications/efforts
© 2013 Armstrong Teasdale LLP
Modifications to Notice of Privacy Practices
Must now include statement that the Covered Entity must agree to restrict disclosures to health plans if the individual pays out of pocket in full for the health care service Must now include a statement about an individual’s right to
receive breach notifications
© 2013 Armstrong Teasdale LLP
Conducting a Risk Assessment
Elements of a general risk assessment include: 1. Identify the scope – what are potential risks and
vulnerabilities to your organization?
2. Identify where all the PHI is stored, received, maintained or transmitted
3. Assess current security measures: − Do you utilize encryption software?
− Are passwords used and changed frequently?
− Are firewalls used?
− Are mobile devices protected?
© 2013 Armstrong Teasdale LLP
Conducting a Risk Assessment
Other Aspects: • Determine likelihood of the occurrence of a threat
• Determine the potential impact of that threat
• Determine the level of risk
Which becomes a mathematical equation…
• Vulnerability x likelihood x impact = level of risk
Which can then assist in the mitigation that risk
© 2013 Armstrong Teasdale LLP
Conducting a Risk Assessment
Threat Source Terminated EE Calculation
Threat Unauthorized Access to Patient Information
Vulnerability No formal process in place to notify the IT department when ee’s are terminated and periodic reviews are not performed
3
Likelihood Removal of access for terminated ee has not been performed
3
Impact PHI is viewed, altered or destroyed 3
Risk Disgruntled ee gains unauthorized access to PHI after termination, deleting records
Total = 27
Risk Mitigation IT implements daily automated program to read ee database in payroll system and automatically removes access to network and application systems for terminated ees
Risk is now significantly reduced
© 2013 Armstrong Teasdale LLP
Reviewing/Updating Policies and Procedures
Update policies and procedures on breach notification and integrate into the policy the four factors of whether a breach occurred by a risk assessment:
1. Nature and extent of the PHI involved
2. The unauthorized person who used the PHI or to whom the disclosure was made
3. Whether PHI was actually acquired or viewed
4. Extent to which the risk has been mitigated
© 2013 Armstrong Teasdale LLP
Reviewing/Updating Policies and Procedures
Use and disclosure of PHI for marketing • Requires determination of what is and is not considered
marketing
• Once that determination is made, then clarify the policy to reflect what requires an authorization from the individual
Sale of PHI
• Selling an individual’s PHI without an authorization is prohibited
© 2013 Armstrong Teasdale LLP
Reviewing/Updating Policies and Procedures
Electronic Access to PHI • May require revisions to job descriptions to clearly delineate who
has access and in what situation • May require revisions to IT policies and procedures
Requests for Restrictions
Use and disclosures of decedent information
Social media and cell phone policies
© 2013 Armstrong Teasdale LLP
Reviewing/Updating Policies and Procedures
Covered entities may use any security measures that allow them to reasonably and appropriately implement the HIPAA regulations. So, in determining whether to draft new or revise old policies and procedures, you should consider:
• Size, complexity, and capabilities of the Covered Entity
• Technical infrastructure, hardware, and software
• Costs
• Likelihood and impact of risks or potential risks, i.e., risk assessment
© 2013 Armstrong Teasdale LLP
Educate and Train Staff/Employees
Must ensure that the policies and procedures reviewed, revised, and/or created are implemented by staff/employees. Sign-in sheets should be passed around so attendance of staff
members/employees is documented Staff/Employee training must be conducted at the following
intervals: • At the start of employment
• Annual basis If staff/employees do not apply these policies to their
everyday practice, then organizations are at risk!
© 2013 Armstrong Teasdale LLP
Questions?
Anna Selby 314.552.6616
Diane Keefe 314.259.4731