210 likes | 382 Views
HIPAA. The New HIPAA Laws Now Have REAL Penalties; Criminal & Civil. Legal Information Is Not Legal Advice
E N D
HIPAA The New HIPAA Laws Now Have REAL Penalties; Criminal & Civil Legal Information Is Not Legal Advice This site provides information about the law designed to help users safely cope with their own legal needs. But legal information is not the same as legal advice -- the application of law to an individual's specific circumstances. Although we go to great lengths to make sure our information is accurate and useful, we recommend you consult a lawyer if you want professional assurance that our information, and your interpretation of it, is appropriate to your particular situation.
The Old HIPAA Shredded Old Medical Records Added Silly Screen Privacy Devices The OLD HIPPA Sheriff No private right of action Removed The Fax From Patient Hallway Disaster Recovery Plan?
HIPAA RebootThere Is A Real Sheriff In Town Feds to Train State AGs To Enforce HIPAA Breaking News, March 10, 2011 The Department of Health and Human Services' Office for Civil Rights will host four regional meetings to train staff from state and territorial attorneys general offices on enforcement of the HIPAA privacy and security rules. The HITECH Act gives attorneys general authority to enforce the privacy and security rules through civil actions. In a statement on its Web site, OCR welcomes collaboration with attorneys general seeking to bring actions to enforce the rules, and will provide information upon request about pending or concluded OCR actions against covered entities or business associates related to state investigations. The training sessions will provide an overview of the privacy and security rules and related HITECH Act provisions, investigative techniques for identifying and prosecuting potential violations, a review of HIPAA and state laws, OCR's enforcement role, state attorneys general roles and responsibilities under HIPAA and HITECH, resources for states in pursuing alleged violations, and HIPAA enforcement support and results.
What Is New In The HIPAA Reboot? • New Enforcement Rules • New HIPAA Penalties • Breach Notifications to Consumers • BAs Must Comply with HIPAA Security Rule • No Selling of PHI • New Restrictions on Marketing & Fundraising What You Don’t Know CAN Hurt You. HIPAA Privacy Rule Accounting of Disclosures Under the Health Information Technology for Economic and Clinical Health Act Summary of Recent HIPAA Changes
New Enforcement RulesThe Sheriff Has A Posse! • Mandatory investigations for “willful neglect” cases. • Mandatory civil penalties for “willful neglect” violations. • Periodic compliance audits for CE’s and BA’s. • Fines & penalties paid will go to OCR for increased investigations & enforcement. • Harmed individuals will get a percent (t.b.d.) of CMP or settlement. • In addition to CE’s, individuals now made subject to HIPAA criminal provisions. • State AG’s can bring civil suits in federal courts on behalf of state residents.
New HIPAA PenaltiesSheriff Has A Cash “Jail” Four tiers of penalties, depending on nature of offense… • Tier A - Offender didn’t know, and by reasonable diligence would not have known, that he or she violated the law. • $100 per violation • $25,000 annual maximum total per violator • Tier B - Violation due to reasonable cause and not willful neglect. • $1,000 per violation • $100,000 annual maximum total per violator • Tier C - Violation due to willful neglect but was corrected. • $10,000 per violation • $250,000 annual maximum total per violator • Tier D - Violation due to willful neglect and was not corrected. • $50,000 per violation • $1,500,000 annual maximum total per violator
Breach Notifications to ConsumersSheriff Wants The Word Out Breach Notifications to Consumers • CE’s, BA’s, and PHR Vendors are subject to breach notification requirements. • Notify consumers if “unsecured” PHI was accessed, acquired, or disclosed in breach. • “Unsecured” essentially means “unencrypted” data, including all physical media. • Notices must be sent “without reasonable delay” – no later than 60 days after breach. • Minimum content of notifications is specified in the regs. • Notices sent by 1st class mail – email only if consumer stated a preference for email. • If 10 or more victims can’t be located, notice on website or in media must be posted. • Breaches involving > 500 victims: Mandatory, immediate reporting to HHS. • Breaches involving < 500 victims. Entity keeps log, provides to HHS annually. • If over 500 victims, HHS will publicly post on Internet. • PHR breaches get reported to FTC, and FTC in turn notifies HHS. • LA State breach requirements also in effect “encrypted or unencrypted”
Business Associates Must Comply with HIPAA Security RuleSheriff Sees “Guilt By Association” Business Associates Must Comply with HIPAA Security Rule • BA’s subject to same civil & criminal penalties as CE’s. • BA’s must comply with Administrative, Technical, and Physical Safeguards. • BA’s must establish and maintain appropriate policies and procedures. • BA’s must document all Security Rule compliance activities. • BA’s must report breaches just like CE’s. • BA Contracts must be created or amended to include new requirements. • BA’s don’t comply with Privacy Rule, but are restricted from PHI uses and disclosures not incompliance with BA contract. This represents “de-facto” Privacy compliance. • PHR Vendors and Health Information Exchanges become Business Associates
Does The New Sheriff Have A “Bite”? One Breach occurred at Stanford’s Lucile Packard Children’s Hospital in January 2010, when a desktop computer holding the medical records of 532 patients was stolen from the heart center by an employee. Hospital officials said at the time that no patient information was compromised. But California’s Department of Public Health fined the hospital $250,000, the maximum allowed, for failing to report the breach within five days of discovery, as is required under state law. State officials contend it took the hospital 19 days to disclose.
Does The New Sheriff Have A “Bite”? Massachusetts General Hospital in Boston, which trains Harvard medical students, agreed this year to pay a $1 million federal fine after an employee left paper medical records on a subway train while commuting to work. The pages contained the names of 192 patients, and diagnoses for about a third of them, including for H.I.V./AIDS. They were never recovered. The Department of Health and Human Services viewed the breach as a potential violation of the Health Insurance Portability and Accountability Act, the 1996 law that requires protection of medical records.
Does The New Sheriff Have A “Bite”? A former UCLA Health System employee became the first person in the nation to be sentenced to federal prison for violating HIPAA. Huping Zhou, 47, of Los Angeles, was sentenced to four months in prison on April 27 after pleading guilty in January to four misdemeanor counts of accessing and reading the confidential medical records of his supervisors and high-profile celebrities, according to the U.S. Attorney’s Office for the Central District of California. Zhou was also fined $2,000.
Does The New Sheriff Have A “Bite”?Sheriff Has Deputies! (Secondary Liability) A recent decision by an appellate court in North Carolina, however, demonstrates that HIPAA may form the basis of a lawsuit by a patient, notwithstanding the absence of a private right of action created by Congress. In the case, Acosta v. Byrum, 638 S.E.2d 246 (Ct. App. December 19, 2006), a patient sued her doctor on the theory of negligent infliction of emotional distress. The trial court dismissed the patient's claim in part on the ground that HIPAA did not provide for a private right of action. The appellate court reversed, however, stating that the patient had not asserted her claim under HIPAA, but had merely used HIPAA to define the standard of care that the physician should have followed to protect her medical information. In other words, the claim is based on the theory that a violation of HIPAA's privacy regulations is negligence per se, which would make unnecessary a jury's determination of the reasonableness of the doctor's conduct.
Does The New Sheriff Have A “Bite”?Sheriff Has Deputies! (Secondary Liability) The use of HIPAA privacy violations as a standard of care for negligence under common law theories of liability is likely to be adopted by other patients whose healthcare information is disclosed, inadvertently or otherwise. This additional litigation risk suggests that strict adherence to HIPAA regulations is important not only to avoid regulatory enforcement, but also to avoid individual lawsuits, which pose a more prevalent and expensive risk. Coping with Breaches, Enforcement, and Other Fallout under HITECH’s Breach Reporting & Enforcement Rules Annual Report to Congress on Breaches of Unsecured Protected Health Information Louisiana Database Security Breach Notification Law
What Constitutes A BREACH Of Personal Information? Under Louisiana Law: "Personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when the name or the data element is not encrypted or redacted: • Social security number. (ii) Driver's license number. (iii) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account. (b) "Personal information" shall not include publicly available information that is lawfully made available to the general public from federal, state, or local government records. Once The Breach Occurs Notification Requirements Start Some States Now Require You To Pay For Credit Monitoring For Each Patient In The Breached Data Base
Types Of Data Breaches • Hackers Breaching Security • Poor Internal Network Security • Web Based Phishing, Virus, Worms • Insider Theft • Insiders Cause %48 Of All Breaches • Stolen Hardware • Lost Hardware • Laptops, Thumb Drives, Etc. • Third Party Breach • Business Associates From Insider Abuse To Insider Accountability
Types Of Data BreachesThe Social Web Based Threat An aggressive worm known for stealing sensitive information was found on the computer network for the agencies handling unemployment claims in Massachusetts. W32.QAKBOT is a worm that spreads through network drives and removable drives. After the initial infection, usually the result of clicking on a malicious link on a Web page, it can download additional files, steal information and open a back door on the compromised machine. The worm also contains a rootkit that allows it to hide its presence and it works slowly to avoid detection. “Its ultimate goal is clearly theft of information,” said Shunichi Imano, a Symantec researcher. Qakbot is especially aggressive and normally targets online banking, although it has the ability to mutate itself to switch targets and change its methods. The cyber-criminals behind the infection could have remotely instructed the virus to go after names, addresses and Social Security numbers stored in the state systems instead of focusing on banking sites. Where Are Employees Surfing On YOUR Computers? Cyber-criminals used malware to steal personal information from the Massachusetts unemployment offices, according to the state agency “In a nutshell, if your computer is compromised, every bit of information you type into your browser will be stolen,” according to Patrick Fitzgerald, a senior security response manager at Symantec.
The Cost Of Data Breaches $ 301.00 Per Record Breached! How much could a data breach incident cost your company?
Know Your business AssociatesYour In It With Them Billing Service Collection Service Lawyers IT Vendor Medical Record Disposal Co. EHR Vendor Answering Service Transcriptionist Labs Imaging Centers Private Payers Medical Transport Co. Cleaning Service And The List Goes On HIPAA Now Requires Comprehensive Business Associates Agreements
Basic Remedial Action • Performing a new risk assessment • Revising policies and procedures • Improving physical security by installing new security systems or by relocating equipment or records to a more secure area • Training or retraining workforce members who handle protected health information; • Adopting encryption technologies • Establish Acceptable Use Rules For Internet • Imposing sanctions on workforce members who violated policies and procedures primarily in response to serious employee errors, removing protected health information from the facility against policy, and unauthorized access • Changing passwords • Revising business associate contracts to more explicitly require protection for confidential information. • In both • Contact Your Liability/Malpractice Insurance Company REMEMBER If It Is Not Documented It Did Not Happen. HIPAA Will Want It In Writing.
Frank J Davis Frank@GoToSynergy.com 504-834-9550 ext 116 Synergy Solutions 3200 Ridgelake Dr. Suite 203 Metairie LA 70002 Telephone (504) 834-9550 Facsimile (504) 834-5755 Toll Free 866-834-8030 John@GoToSynergy.com John Daigle: 504-834-9550 Ext 115 GoToSynergy@GMail.com www.GoToSynergy.com Legal Information Is Not Legal Advice This site provides information about the law designed to help users safely cope with their own legal needs. But legal information is not the same as legal advice -- the application of law to an individual's specific circumstances. Although we go to great lengths to make sure our information is accurate and useful, we recommend you consult a lawyer if you want professional assurance that our information, and your interpretation of it, is appropriate to your particular situation.