
Texas Privacy Update



Presentation Transcript


  1. Texas Privacy Update: A Look at HITECH and H.B. 300 Developments
  Ana E. Cowan, Associate; Deborah C. Hiser, Partner; Brown McCarroll LLP

  2. H.B. 300: How are Things Different?
  H.B. 300 is effective September 1, 2012.
  • Completely new framework for enforcement
    • Audits
    • AG-initiated action
    • Hefty fines
  • If you did not take HIPAA seriously before, it is time
  • Update policies and procedures
    • Training
    • Breach notification
    • Marketing
    • Sale of PHI
    • NPP
    • Update of business associate contracts
    • Authorization for electronic disclosure
    • Access to medical record

  3. Complaints Received by OCR

  4. Top 5 Issues in Investigated Cases Closed with Corrective Action

  5. Breach Notification: 500+ Breaches by Type of Breach

  6. OCR Enforcement Cases
  OCR has stated that it will investigate every reported breach.
  Rite Aid ($1 million)
  • Take away: Must dispose of PHI correctly.
  • Rite Aid pharmacies disposed of labeled prescription bottles containing PHI in containers accessible by the public.
  • Entered into a 3-year CAP and a 20-year FTC Order which requires Rite Aid to:
    • Develop privacy and security policies to safeguard PHI during the disposal process,
    • Train employees on how to properly dispose of PHI,
    • Sanction offending employees, and
    • Obtain external assessments of Rite Aid’s compliance.

  7. OCR Enforcement Cases
  Cignet Health ($4.3 million)
  • Take away: Must give patients their medical records within 15 days of request. Always comply with OCR’s requests.
  • Cignet denied 41 patients access to their medical records. During the OCR investigation, Cignet ignored OCR’s requests to produce records.

  8. OCR Enforcement Cases
  Phoenix Cardiac Surgery ($100,000)
  • Take away:
    • Small providers must comply
    • Pay attention to fundamentals of security; standards are flexible and scalable
    • Security in the “Cloud”
  • Failed to secure appointment calendaring app
  • Failed to have a risk analysis and risk management process under the Security Rule
  • Entered into a Corrective Action Plan (CAP) which requires a review of recently developed policies and other actions taken to come into full compliance with the Privacy and Security Rules.

  9. Authority for HIPAA Audits
  Section 13411 of the HITECH Act: The Secretary shall provide for periodic audits to ensure that covered entities and business associates that are subject to the requirements of this subtitle and subparts C and E of part 164 of title 45, Code of Federal Regulations, as such provisions are in effect as of the date of enactment of this Act, comply with such requirements.

  10. The Initial 20 Audits
  Quick OCR/KPMG HIPAA Audit Update: 1st 20 Audits
  • Level 1 Entities: Large providers/payors with more than $1 billion in revenue and/or assets
  • Level 2 Entities: Large regional hospital systems / regional payor with between $300 million and $1 billion in revenue and/or assets
  • Level 3 Entities: Community hospitals, ambulatory surgery centers, regional pharmacies (with between $50 million)
  • Level 4 Entities: Small providers and community pharmacies with less than $50 million in revenue and/or assets

  11. Audits: What to Expect

  12. Audits: What to Expect

  13. Audits: What to Expect
  The Questions HHS Might Ask: Lessons Learned From Piedmont
  1. Establishing and terminating users’ access to systems housing ePHI
  2. Emergency access to electronic information systems
  3. Inactive computer sessions (periods of inactivity)
  4. Recording and examining activity in information systems that contain or use ePHI
  5. Risk assessments and analysis of relevant information systems that house or process ePHI data
  6. Employee sanction policies
  7. Incident reports
  8. Audit logs and access reports
  9. Listing of all network perimeter devices, i.e. firewalls and routers

  14. Audits: What to Expect
  The Questions HHS Might Ask (continued)
  10. Remote access activity (network infrastructure platform, access servers, authentication and encryption software)
  11. Password and server configurations
  12. Antivirus software
  13. Maintenance and repairs of hardware, walls, doors, and locks in sensitive areas

  15. Audits: What to Expect
  Additional Questions HHS Might Ask (continued)
  • Information systems that house ePHI data, as well as network diagrams, including all hardware and software that are used to collect, store, process, or transmit ePHI
  • Terminated employees
  • New hires
  • Outsourced individuals and contractors with access to ePHI; provide a copy of the contract for these individuals
  • Organizational charts
  • List of all users with access to ePHI data
  • Identify each user’s access rights and privileges
  • List of systems administrators, backup operators, and users
  • List of all users with remote access capabilities
  • Regularly review the OCR website and review CAPs

  16. Audits: What to Expect
  Step 3: Site Visits
  • Personal interviews with CE leadership
  • Up close and personal examination
  • Policy consistency
  • Observation

  17. Audits: What to Expect
  Step 4: Auditor Reports
  • Auditors will develop a draft report
  • Final report submitted to OCR
  • OCR may initiate a compliance review for serious issues
  • If they do, you will be subject to a CAP

  18. New Civil Monetary Penalty System
  • Accidental: $100 each violation; up to $25,000 for identical violations, per year
  • Not willful neglect, but not accidental: $1,000 each violation; up to $100,000 for identical violations, per year
  • Willful neglect, not corrected: $50,000 each violation; up to $1.5 million per year

  19. And… Don’t Forget About Criminal Penalties
  • “Knowingly”: $50,000 fine; imprisonment up to one year
  • False pretenses: up to $100,000 fine; up to five years in prison
  • Intent to sell, transfer, or use for commercial advantage, or for personal gain or malicious harm: $250,000 fine; imprisonment for up to ten years

  20. H.B. 300: Audits
  TX Health & Safety Code § 181.206, Audits of Covered Entities
  • If there appears to be a pattern of violations, the Texas Commission of HHS may:
    • Require the covered entity to submit a risk analysis regarding the potential risks and vulnerabilities to the confidentiality, integrity, and availability of PHI, and
    • If the covered entity is licensed by a Texas agency, request the agency to conduct an audit.

  21. Texas H.B. 300: AG Action
  TX Health & Safety Code § 181.154, AG-Initiated Action
  • AG may sue a covered entity for violation of the Texas Privacy Law.
  • AG may bring an action only if the agency the entity is licensed by refers the violation to the AG.
  • AG may retain a reasonable amount of the civil penalty.

  22. H.B. 300: Texas Attorney General Enforcement
  In May 2011, OCR invited the 50 state attorneys general for in-person HIPAA training so that they may properly enforce HIPAA and HITECH in their respective states.

  23. Texas H.B. 300: It Comes Down to $$$$
  TX Health & Safety Code § 181.154, Civil Penalties in Addition to Injunctive Relief (may not exceed):
  • $5,000 per violation per year if negligently
  • $25,000 per violation per year if knowingly or intentionally
  • $250,000 per violation per year if for financial gain

  24. Texas H.B. 300: It Comes Down to $$$$
  • Civil penalties may not exceed $25K for violation(s) of authorization and notice requirements for disclosure of PHI if the disclosure was only made to another covered entity and was only for the purposes of treatment, payment, operations, or insurance, and the PHI was:
    • Encrypted or transmitted using encryption technology,
    • The PHI recipient did not use or release the PHI, and
    • At the time of disclosure, the covered entity had developed, implemented, and maintained security policies, including education and training of employees responsible for PHI security.

  25. Texas H.B. 300: It Comes Down to $$$$
  • If the court finds violations occurred enough times to constitute a pattern, a fine not to exceed $1.5 million may be assessed.
  • In determining the penalty amount, the court should consider:
    • Seriousness of the violation,
    • Covered entity’s compliance history and effort to correct the violation,
    • Whether the violation poses a significant risk of financial, reputational, or other harm to the individual,
    • The amount required to deter future violations, and
    • Whether the covered entity was THSA certified at the time of the violation.

  26. Texas H.B. 300: Training
  TX Health & Safety Code § 181.101, Training Requirements
  • Covered entities are required to train employees on state and federal laws as they relate to:
    • The CE in its particular course of business
    • The employee’s scope of employment
  • 60-day requirement
  • Must provide for training at least once every 2 years
  • Employees must attest to being trained
  • H.B. 300 Action Item: Update your policies and procedures

  27. Texas H.B. 300: Access
  TX Health & Safety Code § 181.102, Access Requirements
  • Electronic health records system
  • Provide record electronically within 15 days of written request
  • H.B. 300 Action Item: Update your policies and procedures

  28. Texas H.B. 300: Sale of PHI
  TX Health & Safety Code § 181.153, Sale of PHI
  • Covered entities may not disclose PHI in exchange for direct or indirect remuneration, unless the disclosure is for treatment, payment, health care operations, or insurance.
  • The remuneration the covered entity receives may not exceed the covered entity’s reasonable costs for preparing or transmitting the PHI.
  • NPRM: Provides that the CE disclose this in the NPP

  29. Texas H.B. 300: Sale of PHI
  TX Health & Safety Code § 181.153
  (b) If a covered entity uses or discloses protected health information to send a written marketing communication through the mail, the communication must be sent in an envelope showing only the names and addresses of sender and recipient and must:
    1. state the name and toll-free number of the entity sending the marketing communication; and
    2. explain the recipient’s right to have the recipient’s name removed from the sender’s mailing list.
  (c) A person who receives a request under subsection (b)(2) to remove a person’s name from a mailing list shall remove the person’s name not later than the 45th day after the date the person receives the request.

  30. Texas H.B. 300: Sale of PHI
  • This is complicated; don’t try to figure it out on your own.
  • EVEN THE FEDS DON’T KNOW HOW TO DEFINE TREATMENT
  • H.B. 300 Action Item: Update policies and procedures. Texas law is stricter.
  • Need to be on the lookout for the NPRM and its NPP statement

  31. Texas H.B. 300: Notice and Authorization
  TX Health & Safety Code § 181.154, Notice and Authorization Required for Electronic Disclosure of PHI
  • CE must post notice:
    • Written notice in the covered entity’s place of business,
    • Notice on the covered entity’s website, or
    • Notice in any other place where individuals are likely to see the notice.
  • Obtain authorization: Even if the above notice is posted, the CE may not electronically disclose an individual’s PHI without the individual’s authorization.
  • EXCEPTION: Disclosure is to another CE for the purpose of treatment, payment, operations, or insurance.

  32. Texas H.B. 300: Notice and Authorization
  TX Health & Safety Code § 181.154, Notice and Authorization Required for Electronic Disclosure of PHI
  • H.B. 300 Action Items:
    • Update policies and procedures
    • Update HIPAA authorization form to take electronic disclosure into consideration
    • Post notice (either in office or in the NPP)

  33. Texas H.B. 300: Breach
  TX Business and Commerce Code §§ 521.002-521.053, Breach
  • A person who conducts business in this state and owns or licenses computerized data that includes sensitive personal information must disclose any breach of system security.
  • “Breach of system security” means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of sensitive personal information maintained by a person, including data that is encrypted if the person accessing the data has the key required to decrypt the data.
  • Applies only if the individual whose sensitive personal information was or is reasonably believed to have been acquired by an unauthorized person is a resident of this state or another state that does not have notification laws.
  • H.B. 300 Action Item: Update policies and procedures; Texas law is different from HITECH.

  34. Sobering Thoughts
  Sec. 181.202. DISCIPLINARY ACTION
  • In addition to the penalties prescribed by this chapter, a violation of this chapter by a covered entity that is licensed by an agency of this state is subject to investigation and disciplinary proceedings, including probation or suspension by the licensing agency. If there is evidence that the violations of this chapter are egregious and constitute a pattern or practice, the agency may:
    1. Revoke the covered entity’s license; or
    2. Refer the covered entity’s case to the attorney general for the institution of an action for civil penalties under Section 181.201(b).

  35. Sobering Thoughts
  Sec. 181.203. EXCLUSION FROM STATE PROGRAMS
  • In addition to the penalties prescribed by this chapter, a covered entity shall be excluded from participating in any state-funded health care program if a court finds the covered entity engaged in a pattern or practice of violating this chapter.

  36. Texas H.B. 300: Business Associate Contracts
  • Business Associate Contracts: a contract between a HIPAA covered entity and a HIPAA business associate. The contract protects protected health information (PHI) in accordance with HIPAA guidelines.
  • Remember that your business associates are considered a CE under Texas law.
  • H.B. 300 Action Items: Need to update BA contracts
    • Provisions to prohibit the sale and marketing of PHI
    • Update training provisions
    • Update access provisions
    • Update breach provisions (HITECH and H.B. 300)
    • DON’T FORGET TO INDEMNIFY

  37. Final Thoughts
  • Change in enforcement landscape
  • Update policies and procedures for H.B. 300 changes
    • Training policy
    • Notice of Privacy Practices
    • Authorization
    • Business associate contracts
    • Access policy
    • Marketing
    • Breach policy
  • Do not ignore the Security Rules
  • Train, train, train

  38. Questions? Thank You

  39. Contact
  Ana E. Cowan, 512-703-5791, acowan@brownmccarroll.com
  Deborah C. Hiser, 512-703-5718, dhiser@brownmccarroll.com
  111 Congress, Suite 1400, Austin, Texas 78701
