HIPAA Training. Iowa State Association of Counties, December 10, 2018. Alissa Smith
Outline of Presentation • HIPAA Privacy Rule Overview • HIPAA Security Rule Overview • HIPAA Breach Notification Rule Overview • Updates on OCR Enforcement • Complaints • Investigations • Settlement Amounts • Resources and Best Practices Tips
Overview of Four HIPAA Rules • The Privacy Rule: addresses the Use and Disclosure of PHI by Covered Entities and Business Associates and establishes individuals’ privacy rights to understand and control how their health information is used. • The Security Rule: establishes requirements for protecting electronic PHI (administrative, technical and physical safeguards). • The Enforcement Rule: establishes both civil money penalties (“CMPs”) and federal criminal penalties, as well as procedures for agency enforcement and factors for assessing CMPs. • The Breach Notification Rule: requires notification to HHS, the individual and potentially the media following a Breach of Unsecured PHI.
General HIPAA Rules • Health care providers (that conduct standard electronic transactions), health plans and health care clearinghouses are “covered entities” regulated under HIPAA • Covered entity workforce members may only use or disclose protected health information (PHI) as permitted under HIPAA (or, under state law if state law is more restrictive in a particular area, such as privacy for mental health information) • Any member of the workforce of a covered entity (employees, contractors, volunteers, trainees) is an agent of the covered entity whose actions can result in liability for the covered entity under HIPAA. • HIPAA requires covered entities to train workforce members on HIPAA compliance and to address noncompliance through appropriate sanctions.
Privacy Basics (HIPAA and Iowa Law) • Health Insurance Portability and Accountability Act (HIPAA) rules: 45 CFR Parts 160 and 164 • State laws • Iowa’s Mental Health Privacy Law: Iowa Code chapter 228 • Iowa’s Chemical or Substance Abuse Treatment Privacy Law: Iowa Code chapter 125 • Iowa’s HIV/AIDS Records Privacy Law: Iowa Code chapter 141A
What is Protected Health Information (PHI)? • PHI is information that: • Identifies an individual; and • Spoken or recorded in any form or medium; and • Is created or received by a covered entity; and • Relates to the past, present, or future physical or mental health of an individual; or • Relates to the provision of health care to an individual; or • Relates to the past, present, or future payment for provision of health care to an individual
Client Authorization May Not Be Needed • Default rule is that client/patient authorization is needed in order to use or disclose PHI. • BUT: Covered Entities may use/disclose PHI without a patient’s authorization for TPO (Treatment purposes, Payment purposes, health care Operations purposes). • Examples of Health Care Operations • Case management, care coordination, peer review, training, legal, auditing, business management
Exceptions to Authorization Rule • There are several exceptions to the HIPAA Privacy Rule that allow a covered entity to disclose PHI without an authorization, and without giving the patient an opportunity to object. Examples: • When Required By Law (reporting child abuse/dependent adult abuse) • Public Health Activities (reporting certain diseases) • Judicial/Administrative Proceedings (court orders, subpoenas) • Reporting related to victims of a crime • Reporting for law enforcement to ID/locate • Reporting crime on the premises • Disclosing to coroner/funeral directors • Disclosing PHI to correctional institution about inmate • Disclosing to employer under terms of work comp law
When Can I Disclose to a Client’s Family/Friends? • There are some uses and disclosures of PHI that a covered entity may make without a patient authorization as long as the patient has been given an opportunity to object. Examples: • Discussing an individual’s care with family/friends who are involved in the care or payment related to the care • May reasonably infer from circumstances (e.g., client accompanied by family and client does not object) • May exercise professional judgment that disclosure is in patient’s best interests (only PHI that is directly related to family/friend involvement in care or payment for care or needed for notification) • May exercise professional judgment to allow a person to act on behalf of client to pick up filled prescriptions, medical supplies, x-rays, other similar forms of PHI
Reasonable Safeguards Rule • Covered Entities must implement reasonable administrative, technical and physical safeguards to protect patient privacy at all times: • Examples: low voices, not discussing any PHI in a public place or where it could be overheard by anyone who is not involved in the matter at hand, pointing computer screens away from the public view, using proper disposal methods, securing paper and electronic records, erasing hard drives before returning leased equipment with PHI, keeping PHI locked if it is removed from premises, etc.
Sending and Disposing of PHI • Know the appropriate ways to send client information, including: • - securing e-mails sent outside the county/region • - verifying fax numbers and retrieving misdirected faxes • - appropriately labeling internal and outside mail • Follow designated procedures for appropriate disposal of documents containing PHI • - PHI must be discarded in secured trash receptacles or other non-publicly-accessible locations, or shredded, burnt, pulped, or pulverized so that PHI is rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed.
Minimum Necessary: The Information You Need to Do Your Job • The “Minimum Necessary” Rule limits the amount of information that may be accessed, used, disclosed or requested to: • - The amount of client information you need to carry out your job responsibilities (“need to know”/ role based access) • - The amount of information a requesting party needs to carry out their job responsibilities or the purpose of the request, e.g.: • - Law enforcement asks you for information related to a client who was involved in a shooting incident; • - A report of an outbreak of foodborne illness to appropriate state or federal agencies. Each of these requests is legitimate but the amount of information you may disclose in each instance may vary based on the purpose of the request.
HIPAA and Business Associates • A covered entity may disclose PHI to a Business Associate (“BA”) • But only if the covered entity first obtains written assurance that the BA will appropriately safeguard the PHI (i.e., through a business associate agreement)
Who is a Business Associate? -An entity or individual acting on behalf of the covered entity • (not a member of the workforce of the covered entity) • who creates, receives, transmits or maintains PHI -An entity or individual that provides certain services to or for the covered entity • (not a member of the workforce of the covered entity) • Where the provision of the services involves the disclosure of the covered entity’s PHI to the entity or individual
Who is a Business Associate (cont’d) -An entity that maintains PHI (including physical storage and e-storage/cloud storage), even if the entity does not actually view the PHI -An entity that provides data transmission services of PHI on behalf of the CE and requires access to the PHI on a routine basis as part of those services. • A mere “conduit”, such as a courier service, does not require access to PHI on a “routine basis,” but rather on a random or infrequent basis, and thus is not a BA; e.g., USPS, UPS, internet service provider. -Health information organizations, E-prescribing gateways, or a person that offers a personal health record to one or more individuals on behalf of a CE. -Subcontractors of BAs, and Subs of Subs, are BAs
Who is Not a Business Associate? • Health care providers with respect to disclosures by a covered entity to a health care provider concerning the treatment of the individual. • A health plan sponsor, with respect to disclosures by the health plan to the plan sponsor • A government agency (e.g., Medicare), with respect to determining eligibility for or enrollment in a government health plan that provides benefits (e.g., SSA) where the joint government activities are authorized by law. • An entity or person whose services do not involve the use or disclosure of PHI (or where it would be incidental, if at all), such as janitorial services.
Examples of Business Associates • A shredding company working off site • An IT company with access to PHI as part of IT services • A consultant that performs utilization/quality reviews • An independent medical transcriptionist who performs services for a health care provider • TPA that assists a health plan with claims processing • A pharmacy benefits manager that manages a health plan’s pharmacy network • A CPA firm or law firm whose accounting or legal services involve access to PHI
General HIPAA Security Rules • The HIPAA Security Rule applies to electronic PHI (“ePHI”). • Covered Entities must implement administrative, technical and physical safeguards to protect the confidentiality, integrity and availability of all ePHI they create, receive, maintain or transmit. • As with the Privacy Rule, workforce members must only be allowed access as needed for their job/function/assignment, workforce members must be trained, and appropriate sanctions must be applied to workforce members who fail to comply.
HIPAA Security Rule: Risk Analysis • Risk Analysis: this must be completed to document all repositories of ePHI, identify the security measures in place for each repository, identify vulnerabilities related to each repository, assign a risk level, determine risk mitigation strategies, and reassess periodically. • All safeguards implemented flow from the findings in the documented risk analysis. • No specific method is mandated; the analysis can be outsourced or completed in house: • Guidance on risk analysis: https://www.hhs.gov/hipaa/for-professionals/security/guidance/guidance-risk-analysis/index.html • Risk Assessment Tool: https://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment • Risk management is an ongoing process of regular review, tracking access to ePHI and detecting security incidents in order to reassess risk • The full analysis should be repeated at intervals that make sense for the CE’s environment (some do it annually; others every 2-3 years, with annual reviews of the effectiveness of the security measures)
Some General HIPAA Security Rules (cont’d) • Workforce members must be assigned a unique user name/number. • Information systems activity must be reviewed regularly to track user access. • Termination procedures must be implemented to turn off workforce access at the end of employment/engagement. • Physical controls must be implemented to limit access to facilities that house ePHI, including building security, workstation use/access and security, and implementing policies that govern the disposal and reuse of ePHI and the hardware/software on which it is stored.
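The “information systems activity must be reviewed regularly” and “termination procedures” requirements above are easiest to operationalize as a periodic audit-log review. The following is an added example, not part of the original training deck: it assumes a hypothetical pipe-delimited audit-log format and a hypothetical workforce roster (both constructed here for illustration) and flags the four conditions a county privacy/security official would want escalated: an account that is not tied to a single workforce member (shared or unknown ID), access after the roster’s termination date, access to records outside the user’s department (minimum necessary/role-based access), and any bulk export of PHI.

```python
"""Information system activity review (added example; not from the training deck).

Assumes a hypothetical pipe-delimited audit-log format and a hypothetical
workforce roster. All sample data below is constructed for illustration.
"""
from datetime import date, datetime
from typing import Dict, List

# Constructed roster keyed by unique user ID (one ID per workforce member).
# 'terminated' is the last day of employment/engagement, or None if active.
ROSTER: Dict[str, dict] = {
    "jsmith": {"dept": "case_mgmt", "terminated": None},
    "rlee":   {"dept": "billing",   "terminated": date(2018, 9, 30)},
    "mperez": {"dept": "case_mgmt", "terminated": None},
}

# Constructed audit-log lines: timestamp|user_id|action|record_id|record_dept
SAMPLE_LOG = """\
2018-10-02T09:14:00|jsmith|VIEW|C-1001|case_mgmt
2018-10-02T09:20:00|rlee|VIEW|B-1001|billing
2018-10-02T11:05:00|nurse_shared|VIEW|C-2002|case_mgmt
2018-10-03T08:00:00|mperez|VIEW|B-3003|billing
2018-10-03T08:01:00|jsmith|EXPORT|C-1001|case_mgmt
"""


def parse_log(text: str) -> List[dict]:
    """Parse the hypothetical log format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, record, record_dept = line.split("|")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "action": action,
            "record": record,
            "record_dept": record_dept,
        })
    return events


def review_activity(events: List[dict], roster: Dict[str, dict]) -> List[dict]:
    """Flag events that an activity review should escalate.

    Rules (each maps to a Security Rule expectation named in the slides):
      UNKNOWN_OR_SHARED_ACCOUNT - user ID not tied to one workforce member
      ACCESS_AFTER_TERMINATION  - access after the roster's termination date
      CROSS_DEPARTMENT_ACCESS   - record outside the user's role/department
      EXPORT_OF_PHI             - bulk export/download, always reviewed
    """
    findings = []
    for ev in events:
        entry = roster.get(ev["user"])
        if entry is None:
            findings.append({"rule": "UNKNOWN_OR_SHARED_ACCOUNT", **ev})
            continue
        term = entry["terminated"]
        # Access on the termination date itself is still within the engagement.
        if term is not None and ev["ts"].date() > term:
            findings.append({"rule": "ACCESS_AFTER_TERMINATION", **ev})
            continue
        if ev["record_dept"] != entry["dept"]:
            findings.append({"rule": "CROSS_DEPARTMENT_ACCESS", **ev})
        if ev["action"] == "EXPORT":
            findings.append({"rule": "EXPORT_OF_PHI", **ev})
    return findings


def summarize(findings: List[dict]) -> Dict[str, int]:
    """Count findings per rule, for the periodic review report."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["rule"]] = counts.get(f["rule"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in review_activity(parse_log(SAMPLE_LOG), ROSTER):
        print(f"{f['ts'].isoformat()} {f['user']:<13} {f['rule']:<26} {f['record']}")
```

The roster is the control point: if HR terminations are not fed into it (and into the directory the log’s user IDs come from) the ACCESS_AFTER_TERMINATION rule never fires, which is exactly the gap OCR looks for when it asks for evidence of termination procedures. Keep the review output with the risk analysis documentation, since OCR expects to see that activity review actually happened.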
General HIPAA Security Rules (cont’d) • Automatic logoff procedures should be implemented. • Mechanisms to encrypt/decrypt ePHI must be addressed. • Policies and procedures must be in place to protect ePHI from improper alteration/destruction.
Security Safeguards • Passwords All passwords must be kept confidential: - NEVER share your password - NEVER post your password in public view - NEVER use someone else’s password to log-in • Access Codes/Security Badges - Use access codes only for work purposes - Never share an access code/your badge - Make sure doors are secure - Do not let people into a unit/building with your access code/badge
Security Safeguards • Faxes • - Misdirected faxes should be retrieved as soon as possible • - Verify, verify, verify the fax number/receipt of fax • - Fax machines, printers, copy machines should be out of public view • - Never turn in a fax/copy/printer machine to a leasing company without wiping its hard drive (many of these machines store an image of every document copied, faxed or printed)
Security Safeguards -Mobile Devices • Adopt mobile device policies • When transporting laptops or thumb drives or other records or devices with unencrypted PHI: protect the item as you would your wallet. • Laptops should be locked in your car trunk if you have to leave your car. When in your home, they should be kept in a secure place. • Secure mobile devices, in a locked office or cabinet in your unit/department when not in use. -Social Networking • Demonstrate appropriate use of social networking (Facebook, Twitter, etc.): health care and/or business-sensitive information is NOT to be discussed on social network sites.
HIPAA Breach Notification Rule Breach: The access, acquisition, use or disclosure of unsecured PHI not permitted under the Privacy Rule that compromises the security or privacy of the PHI Unsecured PHI: PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of technology or methodology specified by HHS (e.g., encrypted, shredded).
HIPAA Breach Notification Rule(cont’d) • A potential breach is presumed to be a “breach” (requiring breach notification) unless an exclusion applies or a 4-part risk assessment demonstrates that there is a low probability that the PHI has been compromised.
HIPAA Breach Notification Rule: Exclusions • Three Exclusions • Good faith internal access: unintentional acquisition, access or use by a workforce member or person acting under the authority of the CE/BA, made in good faith and within the scope of authority, with no further impermissible use or disclosure • Good faith internal disclosure: inadvertent disclosure by a person authorized to access PHI at the CE/BA to another person authorized to access PHI at the same CE/BA, with no further impermissible use or disclosure • External disclosure where the CE/BA has a good faith belief that the unauthorized person to whom the disclosure was made would not reasonably have been able to retain the information
HIPAA Breach Notification Rule: Risk Assessment • In order to determine a breach notification is not required, the covered entity must have addressed all four factors in the risk assessment and determined that the use/disclosure of the PHI poses a low probability that the PHI has been compromised. • OCR expects risk assessments to be thorough, completed in good faith, and for the conclusions reached to be reasonable. • Retain documentation of investigation, risk assessment and all notifications (6 years)
HIPAA Breach Notification Rule:4-Part Risk Assessment • The nature and extent of the PHI involved (including the types of PHI, and the likelihood of re-identification); • The unauthorized person who used the PHI or to whom the disclosure was made; • Whether the PHI was actually acquired or viewed; and • The extent to which the risk to the PHI has been mitigated. After considering these factors, the CE must presume there is a “breach” requiring notification unless the analysis demonstrates that there is a low probability that the PHI has been compromised.
Breach Notifications: the who, when, and how • Small breaches (fewer than 500 individuals): • Affected individuals: without unreasonable delay and no later than 60 calendar days after breach discovery; delivered by first-class mail unless the individual has agreed to email • The Secretary of Health and Human Services: no later than 60 calendar days after the end of the calendar year in which the breach(es) were discovered (the CE logs these breaches and reports them annually) • Large breaches (500 or more individuals): • Affected individuals: same as above (no later than 60 calendar days after breach discovery; first-class mail unless the individual has agreed to email) • The Secretary of Health and Human Services: at the same time as individual notice, and no later than 60 calendar days after breach discovery • The Media: where the breach involves more than 500 residents of a state or jurisdiction, notify prominent media outlets serving that state or jurisdiction, no later than 60 calendar days after breach discovery
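The who/when rules above are the part of an incident-response runbook that gets miscounted under pressure (the HHS deadline changes with the 500 threshold, and the media obligation is per state, not per breach). The following is an added example, not part of the original training deck, that turns those rules into a deadline planner. It assumes the covered entity has already concluded, through the 4-part risk assessment, that a notifiable breach occurred; the discovery date and per-state counts are hypothetical inputs, and the 60-day figures are outer limits (notice is still due without unreasonable delay).

```python
"""Breach notification deadline planner (added example; not from the training deck).

Encodes the who/when rules of the Breach Notification Rule as a decision
procedure. Inputs are hypothetical; 60 days is the outer limit, and notice
is owed without unreasonable delay.
"""
from datetime import date, timedelta
from typing import Dict, List

OUTER_LIMIT_DAYS = 60          # "no later than 60 calendar days"
LARGE_BREACH_THRESHOLD = 500   # HHS notice is immediate at 500 or more individuals
MEDIA_THRESHOLD = 500          # media notice when MORE than 500 residents of a state


def notification_plan(discovery: date, affected_by_state: Dict[str, int]) -> List[dict]:
    """Return each required notification with the latest date it may be sent.

    discovery: first day the breach was known (or by reasonable diligence
               would have been known) to the covered entity.
    affected_by_state: hypothetical count of affected residents per state.
    """
    total = sum(affected_by_state.values())
    by_discovery = discovery + timedelta(days=OUTER_LIMIT_DAYS)
    plan = [{
        "recipient": "affected individuals",
        "deadline": by_discovery,
        "method": "first-class mail, or email if the individual agreed to it",
    }]
    if total >= LARGE_BREACH_THRESHOLD:
        plan.append({
            "recipient": "HHS Secretary",
            "deadline": by_discovery,
            "method": "report to HHS at the same time as individual notice",
        })
    else:
        # Small breaches are logged and reported to HHS within 60 days after
        # the end of the calendar year in which they were discovered.
        year_end = date(discovery.year, 12, 31)
        plan.append({
            "recipient": "HHS Secretary",
            "deadline": year_end + timedelta(days=OUTER_LIMIT_DAYS),
            "method": "annual log of breaches affecting fewer than 500 individuals",
        })
    for state, n in sorted(affected_by_state.items()):
        if n > MEDIA_THRESHOLD:
            plan.append({
                "recipient": f"prominent media outlets serving {state}",
                "deadline": by_discovery,
                "method": "press notice",
            })
    return plan


def days_remaining(plan: List[dict], today: date) -> Dict[str, int]:
    """Days left for each notification (negative means overdue), for IR tracking."""
    return {p["recipient"]: (p["deadline"] - today).days for p in plan}


if __name__ == "__main__":
    # Constructed scenario: discovered 2018-10-01, 1,200 Iowans and 40 Nebraskans affected.
    plan = notification_plan(date(2018, 10, 1), {"IA": 1200, "NE": 40})
    for p in plan:
        print(f"{p['deadline']}  {p['recipient']}: {p['method']}")
```

Note the asymmetry the code encodes: a breach of 1,200 Iowans and 40 Nebraskans triggers media notice in Iowa only, while the HHS and individual deadlines are driven by the total. The `discovery` date also deserves care, because the 60-day clock runs from when the breach was known or should reasonably have been known, not from when the investigation concluded.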
Breach Notification: Information • Notification Must be Detailed • a brief description of what happened, including the date of the Breach and the date of discovery of the Breach; • a description of the types of Unsecured PHI involved (without, however, including specific PHI); • any steps Individuals should take to prevent potential harm resulting from the Breach; • a brief description of what Covered Entity is doing (i) to investigate the Breach, (ii) to mitigate harm to Individuals and (iii) to protect against further Breaches; and • contact procedures for Individuals to ask questions or learn additional information, including a toll free telephone number, email address, website, or postal address.
HIPAA Enforcement • HHS OCR interprets and enforces the Privacy Rule, Security Rule and Breach Notification Rule • Civil Penalties: up to $1.5M per calendar year for all violations of an identical provision (amounts are adjusted for inflation); one affirmative defense (violation not due to willful neglect and corrected within 30 days of discovery) • Criminal Penalties: up to $250K and 10 years in prison (the top tier, for offenses committed with intent to sell, transfer or use PHI for commercial advantage, personal gain or malicious harm) • No Private Right of Action (note, state privacy laws and data breach notification laws may include private rights of action) • Liability for Actions of Business Associates • Approximately 20% of PHI data breaches have been caused by Business Associates
State Data Privacy and Breach Notification Laws • In addition to HIPAA, almost all states across the country have adopted various laws that require breach notification, privacy and confidentiality standards, and impose additional penalties. • Iowa Personal Information Security Breach Notification (715C) • Iowa Mental Health Information Privacy Law (228) • Iowa HIV/AIDS Test Information Privacy Law (141A) • Iowa and Federal Substance Abuse Treatment Records Privacy Law (125)
Personal Lawsuits • HIPAA does not provide for a private right of action for plaintiffs. • Violations are subject only to enforcement actions by OCR or by State Attorneys General (who may sue on behalf of state residents). • BUT • Courts in some states have allowed plaintiffs to use HIPAA as a standard of care/legal duty in state law tort negligence actions against healthcare providers for privacy violations • Claims have included losses/injuries from slander/defamation, financial and reputational harm, and negligent infliction of emotional distress • E.g.: Connecticut, New York, Massachusetts, Missouri, West Virginia, Tennessee, Minnesota, and North Carolina.
Current State of Affairs • External threats at an all-time high: hacking, ransomware • Internal threats are the largest source of risk for covered entities: snooping, social media, workforce members falling for phishing attacks • More individual complaints • OCR enforcement posture more aggressive • OCR widening review of small breaches • Settlement amounts are increasing
Statistics-2018 • Between April 2003 and July 2017, OCR has: • Received 184,614 HIPAA complaint cases/potential breach reports • Initiated 902 compliance reviews on its own • Resolved 158,293 complaint cases (98%) • Investigated/resolved 26,071 cases by requiring changes through corrective action or providing technical assistance • Made 688 referrals to the DOJ for criminal sanctions • Reached settlements (called Resolution Agreements) with 52 entities since 2009, totaling $78,829,182 • Almost all Settlements are a result of an initial breach notification • Almost all Settlements include a 2 to 3-year corrective action plan
Statistics-2018 • Since the beginning of 2018, 273 large-scale (500 or more) breaches have been reported to the OCR • Breaches are categorized by following: • Type • (Theft, loss, etc.) • Location • (Desktop, portable device, email, etc.) • Entity • (Health Plan or Health Provider)
Resolution Agreements (RAs) & Corrective Action Plans (CAPs) Example: • Fresenius Medical Care North America (FMCNA) (Settlement February 1, 2018) • Between February and July 2012, five separate breaches were reported in various FMCNA locations, due to FMCNA: • Failing to perform an accurate and thorough risk analysis • Failing to implement policies and procedures to address security incidents • Disclosing ePHI by allowing access for a purpose “not permitted by the Privacy Rule” • Failing to implement a mechanism to encrypt and decrypt ePHI • Resolution Agreement amount: $3.5 million • Length of CAP: 2 years
Resolution Agreements (RAs) & Corrective Action Plans (CAPs) Example: • Filefax (Settlement February 13, 2018) • In January and February of 2015, 2,150 individuals’ PHI was disclosed by leaving the records in an unlocked truck in the Filefax parking lot, and by granting an unauthorized person access to the PHI • Resolution Agreement amount: $100,000 • Filefax is no longer in business; its remaining assets have been liquidated to pay the Resolution Agreement amount • On behalf of Filefax, a receiver has agreed to properly dispose of the remaining medical records.
Resolution Agreements (RAs) & Corrective Action Plans (CAPs) Example: • University of Texas MD Anderson Cancer Center (Administrative Law Judge summary judgment issued July 18, 2018) • Three separate breaches occurred between April 2012 and December 2013 • The first breach involved the theft of an unencrypted laptop that contained the ePHI of 29,021 individuals • The second and third breaches were both losses of unencrypted USB devices that contained the ePHI of 5,862 individuals • Penalty amount: $4.3 million (a civil money penalty upheld by the ALJ, not a negotiated settlement; MD Anderson had written encryption policies but had not implemented them)
Resolution Agreements (RAs) & Corrective Action Plans (CAPs) Example: • Boston Medical Center, Brigham and Women’s Hospital and Massachusetts General Hospital (September 2018) • At the three separate medical centers, PHI was compromised by inviting documentary film crews from ABC onto the premises without first obtaining authorization from patients. • Collectively, the medical centers paid $999,000 • Boston Medical Center: $100,000 • Brigham and Women’s Hospital: $384,000 • Massachusetts General Hospital: $515,000 • Length of CAPs • Boston Medical Center: 2 years • Brigham and Women’s Hospital: unspecified • Massachusetts General Hospital: 1 year
Resolution Agreements (RAs) & Corrective Action Plans (CAPs) Example: • Anthem, Inc. (October 15, 2018) • In March 2015, Anthem, an independent licensee of the Blue Cross and Blue Shield Association, reported that its IT system had been attacked “via an undetected continuous and targeted cyberattack” • Between December 2, 2014 and January 27, 2015, the ePHI of almost 79 million individuals was stolen • This made it the largest health data breach in US history • Resolution Agreement Amount: $16,000,000 • Length of CAP: 2 years
Resolution Agreements (RAs) & Corrective Action Plans (CAPs) Example: • Allergy Associates of Hartford, PC (AAH) (November 26, 2018) • In February 2015, a doctor working for AAH spoke with a local television reporter about a dispute with a patient • The patient had alleged that AAH had turned her away because of the use of her service animal • During the conversation, the doctor “impermissibly disclosed the PHI” of the patient • Resolution Agreement Amount: $125,000 • Length of CAP: 2 years
Class Action Lawsuits: • On November 25, 2018, a plaintiff going by the name Jane Doe filed a class action lawsuit against UnityPoint Health (UPH) • The complaint cites 2 UPH data breaches related to patient records • 1 in 2017 involving 16,429 individuals • 1 in 2018 involving 1.4 million individuals • These breaches divulged the following PHI: • Contact information such as: names, phone numbers, email address, etc. • Billing information such as: insurance information, Medicare numbers, billing numbers, etc. • Health information such as: diagnoses, lab results, medications, etc. • Complaints include: • Invasion of Privacy • Negligent Training and Supervision • Negligence • Breach of Contract • This is the first class action lawsuit of its kind to be filed in the state of Iowa • Amount being sought: $5,000,000
Lessons to Be Learned • The exposure of PHI can be technical (unencrypted devices) and non-technical (loss of papers/property containing PHI)- resources should be applied to prevent both • There is no substitute for customized, implemented HIPAA policies and procedures, with frequent training of staff to mitigate risk from the inside • Business grade IT security is critical to mitigate risk from outside threats • Ongoing implementation of risk assessments is critical to update responses as business and technology evolves • Screen and monitor BAs (there are more than 7M BAs in the US) • Timely reporting to OCR is important
Reporting Incidents, Complaints or Concerns • All workforce members are required to report concerns they may have about potential privacy and security violations to their manager/supervisor, or their Privacy or Information Security Officials, as soon as possible. • The sooner the violation is corrected, the more likely the county/region will have an affirmative defense to a civil penalty (if not due to willful neglect and corrected within 30 days of discovery). • The clock is ticking on the breach notification obligation (60 days from the date of discovery, and a breach is treated as discovered on the first day it is known, or by exercising reasonable diligence would have been known, to the county/region, including through any workforce member other than the person who committed the breach).