OCR Reports: Recent Regulatory and Enforcement Developments in Health Information Privacy. David Holtzman, JD, CIPP U.S. Department of Health and Human Services Office for Civil Rights HIMSS Virginia Chapter Fall Conference November 7, 2013. Agenda. Overview of the Omnibus Rule

Presentation Transcript


  1. OCR Reports: Recent Regulatory and Enforcement Developments in Health Information Privacy
     David Holtzman, JD, CIPP
     U.S. Department of Health and Human Services, Office for Civil Rights
     HIMSS Virginia Chapter Fall Conference, November 7, 2013
  2. Agenda
     - Overview of the Omnibus Rule
     - Breaches of PHI and Its Impact
     - Recent OCR Enforcement Actions
     - Audit: Identifying Vexing Compliance Challenges
     - New Tools for Provider and Consumer Education
     - Your Questions
     U.S. Department of Health and Human Services, Office for Civil Rights
  3. Omnibus Components
     - HITECH Privacy & Security
       - Business associates (BA)
       - Marketing & Fundraising
       - Sale of protected health information (PHI)
       - Right to request restrictions
       - Electronic access
     - HITECH Breach Notification
     - HITECH Enforcement
     - GINA Privacy
     - Other Modifications
       - Research
       - Notice of privacy practices (NPP)
       - Decedents
       - Student immunizations
  4. What’s New for Business Associates
     - BAs must comply with the technical, administrative, and physical safeguard requirements under the Security Rule
       - Liable for Security Rule violations
     - BAs must comply with the use or disclosure limitations expressed in their BA agreements and those in the Privacy Rule
       - Criminal and civil liabilities for violations
     - BA definition expressly includes Health Information Organizations, E-prescribing Gateways, and PHR vendors that provide services to covered entities
     - Subcontractors of a BA are now defined as a BA
       - BA liability flows to all subcontractors
  5. What’s New for Consumers
     - Right to an electronic copy of the electronic health record
     - Right to direct a copy to a designated third party
     - Prohibition on sale of PHI without authorization
     - Marketing communications paid for by a third party require authorization
       - Limited exceptions for refill reminders and current prescriptions
     - Easy way to stop fundraising communications
     - Right to restrict disclosures to health plans of treatment/services paid by the patient out of pocket
  6. Omnibus Final Rule – What’s New for Breach
     - Harm standard removed
     - New standard: an impermissible use/disclosure of (unsecured) PHI is presumed to require notification, unless the CE/BA can demonstrate a low probability that the PHI has been compromised, based on a risk assessment of at least:
       - Nature & extent of the PHI involved
       - Who received/accessed the information
       - Potential that the PHI was actually acquired or viewed
       - Extent to which the risk to the data has been mitigated
  7. Omnibus Final Rule – What’s New for Breach
     - Exceptions for inadvertent, harmless mistakes remain
     - Exception for limited data sets without dates of birth & zip codes removed
     - Makes permanent the notification and other provisions of the 2009 interim final rule (IFR), with only minor changes/clarifications
       - E.g., clarifies that notification to the Secretary of smaller breaches is to occur within 60 days of the end of the calendar year in which the breaches were discovered (versus occurred)
  8. Breach Notification: Device Theft
     Applying the new “probability of compromise” standard to a lost or stolen mobile device.
  9. Breach Notification: Cyber Incident
     Applying the new “probability of compromise” standard to cyber security breaches.
  10. Breach Notification Highlights
     - 700+ reports involving a breach of PHI affecting 500 or more individuals
       - Theft and loss are 64% of large breaches
       - Laptops and other portable storage devices account for 36% of large breaches
       - Business associates own 36% of large breaches
     - 82,000+ reports of breaches of PHI affecting fewer than 500 individuals
  11. Spotlight on Largest Breaches of 2013
     - Theft of desktop computers from a health plan office: 4 million individuals affected
     - Health plan’s network server was compromised: 780,000 individuals affected
     - Covered entity’s business associate improperly disposed of PHI: 277,000 individuals affected
     - Business associate improperly disposed of x-rays: 189,000 individuals affected
     - PHI mailed to incorrect patients: 187,000 individuals affected
  12. Breach Notification: 500+ Breaches by Type of Breach
  13. Breach Notification: 500+ Breaches by Source of Breach
  14. Privacy and Security Rule Compliance/Enforcement (As of August 15, 2013)
  15. Findings from Recent Enforcement Actions
  16. Findings from Recent Enforcement Actions
  17. HIPAA/HITECH Audit Pilot Completed
     - Audits of 115 entities
       - 61 providers, 47 health plans, 7 clearinghouses
     - No findings or observations for 13 entities (11%)
       - 2 providers, 9 health plans, 2 clearinghouses
     - Total of 979 audit findings and observations
       - 293 Privacy
       - 592 Security
       - 94 Breach Notification
     - Percentage of Security Rule findings and observations was double what would have been expected based on the protocol
     - Smaller entities (Level 4) struggle with all three areas
  18. Types of Privacy Rule Audit Findings
  19. Types of Security Rule Audit Findings
  20. We’ve been busy: New Compliance Assistance Tools for Covered Entities and Business Associates
     - The HIPAA Omnibus Rule: https://www.youtube.com/watch?v=mX-QL9PoePU
  21. Model Notices of Privacy Practices
     Many entities have asked for additional guidance on how to create a clear, accessible notice that their patients or plan members can understand. In response, OCR and ONC have provided separate models for health plans and health care providers:
     - Notice in the form of a booklet;
     - A layered notice that presents a summary of the information on the first page, followed by the full content on the following pages;
     - A notice with the design elements found in the booklet, but formatted for full-page presentation;
     - A text-only version of the notice.
     http://www.hhs.gov/ocr/privacy/hipaa/modelnotices.html
  22. New OCR Resource Center at Medscape.org
     - Video Programs module embedded into the page for dynamic interest
     - OCR Educational Links, including Mobile Device Content
     http://www.medscape.org/sites/advances/patients-rights
  23. Two New Learning Modules for Free CME and CE Credit
     - The goal of this activity is to describe steps in analyzing and managing risks related to the security of protected health information.
       http://www.medscape.org/viewarticle/810563
     - The goal of this activity is to describe steps healthcare practices should take to assess and improve the security of protected health information on mobile devices.
       http://www.medscape.org/viewarticle/810568
  24. Consumer Awareness and Engagement
     - Your New Rights Under HIPAA - Consumers: https://www.youtube.com/watch?v=3-wV23_E4eQ
       - Over 262,000 views since September 4, 2013
     - Visit us at http://www.youtube.com/USGovHHSOCR
  25. Mobile Device Security Resource Center
     Created by HHS to help health care providers and professionals to: Know the RISKS. Take the STEPS. PROTECT AND SECURE Health Information.
     The resource center, HealthIT.gov/mobiledevices, was created to help providers and professionals:
     - Secure and protect health information when using mobile devices
       - In a public space
       - On site
       - At a remote location
     - Regardless of whether the mobile device is
       - Personally owned, bring your own device (BYOD)
       - Provided by your organization
  26. Videos on Mobile Device Security
     - Protecting Health Information While Using Mobile Devices
     - One Office, One Risk. How One Provider’s Office Identifies and Implements Safeguards Against One Common Mobile Device Risk
     - Protecting Health Information Against the Possibility of Devices Being Stolen
     - Protecting Health Information When Using a Mobile Device on a Public Wi-Fi Network
     - Worried About Using a Mobile Device for Work? Here’s What to Do!
  27. Risk Based Approach to Safeguarding Information
     - Risk analysis, ongoing risk management, and routine information system reviews are the cornerstones of an effective HIPAA security compliance program
     - Together, appropriate policies and security measures can reduce the risk of unauthorized disclosure of health information
  28. Questions?
     OCR website: www.HHS.gov/OCR
     My Contact Information: david.holtzman@hhs.gov