
Get Ready for the New HIPAA Privacy and Security Changes: An Action Plan for Medical Groups

Get Ready for the New HIPAA Privacy and Security Changes: An Action Plan for Medical Groups. MGMA Annual Conference San Diego Oct. 9, 2013 Susan Miller and Robert Tennant Moderated by Amy Nordeng. HIPAA RISK ANALYSIS. MGMA, Session H6 October 8, 2013 Susan A. Miller, JD


Presentation Transcript


  1. Get Ready for the New HIPAA Privacy and Security Changes: An Action Plan for Medical Groups • MGMA Annual Conference, San Diego, Oct. 9, 2013 • Susan Miller and Robert Tennant • Moderated by Amy Nordeng

  2. HIPAA RISK ANALYSIS • MGMA, Session H6, October 8, 2013 • Susan A. Miller, JD • info@bridgefront.com • www.bridgefront.com • 866-447-2211

  3. Robert Tennant, MA • MGMA Senior Policy Advisor • MGMA DC Office • rtennant@mgma.org • 202-293-3450 | Amy Nordeng, JD • MGMA Senior Counsel • MGMA DC Office • anordeng@mgma.org • 202-293-3450

  4. Current Privacy/Security Environment • Increasing number of practices are adopting EHRs and mobile tech • MU requires a risk assessment (#1 reason for recoupment) • Data sharing for clinical purposes on the rise • Patients are increasingly worried that sensitive health information might leak because of weak security • Health care lags significantly behind other industries in security • Providers face unique challenges with limited resources

  5. What are the Practice Risks? • Loss of patient financial data (identity theft) • Permanent loss of confidential information • Temporary loss of medical records • Unauthorized access to confidential information • Loss of physical assets (e.g., computers, smartphones) • Damage to practice reputation, patient confidence • Business continuity • Government enforcement

  6. Typical Threats and Events • Threats: • Current employees (most common) • Former employees • Patients / visitors • Vendors • Commercial rivals • Criminals • Events: • Unauthorized access by employees • Misuse of authorized access • Physical disasters • Server crashes • Ineffective disposal of PHI (e.g., computer disks)

  7. The “Omnibus Rule” • Most HITECH Act privacy and security provisions • Breach Notification rule modified • Enforcement expansion • Genetic Information Nondiscrimination Act (limits health plan use of genetic info for underwriting) • General compliance date: September 23, 2013

  8. What’s Still Missing? • Accounting of disclosures/access reports • Potentially onerous! • Minimum necessary guidance • Distribution of penalties/settlements to harmed individuals • Could raise interest among patients

  9. Breach notification rule

  10. New “Compromise Standard” • Previous approach: • “Significant risk of financial, reputational, or other harm” • Exception for limited data set without ZIP codes or dates of birth • New approach: • Presumption of reportable breach, unless low probability the PHI has been compromised after risk assessment • NO exception for limited data sets

  11. Breach Risk Assessment Factors • Nature and extent of PHI involved • The unauthorized person who used the PHI or to whom the disclosure was made • Whether the PHI actually was acquired or viewed • The extent to which the risk to the PHI has been mitigated

  12. Avoiding Breach Notification: Encryption Safe Harbors • Valid processes for encryption of stored PHI include those consistent with NIST Special Publication (“SP”) 800-111, Guide to Storage Encryption Technologies for End User Devices, including (but not limited to) full disk encryption, volume encryption, virtual disk encryption, and file/folder encryption • Valid processes for encrypting PHI during transmission would be those complying with the requirements in Federal Information Processing Standard (“FIPS”) 140-2, including NIST SP 800-52, Guidelines for the Selection and Use of Transport Layer Security Implementations; SP 800-77, Guide to IPsec VPNs; or SP 800-113, Guide to SSL VPNs
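The safe harbor on this slide only helps if the device that held the PHI was in fact encrypted, so a practice needs an inventory showing which volumes on each machine sit behind full disk or volume encryption. The script below is an added example, not part of the slides or of any MGMA or NIST tool: it parses the JSON that Linux `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` prints (the sample JSON is constructed, not captured from a real machine) and lists every mounted filesystem that does not sit on a dm-crypt/LUKS mapping. The boot partitions it ignores, the `crypt` device type it keys on, and the function names are this example's own choices.

```python
import json

# Constructed sample of `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` output (not real device data).
# sda2 carries "/" with no encryption layer, sda3 is a LUKS container whose mapped
# volume "home_crypt" carries /home, and sdb1 is an unencrypted USB stick.
SAMPLE_LSBLK_JSON = """
{
  "blockdevices": [
    {"name": "sda", "type": "disk", "fstype": null, "mountpoint": null, "children": [
      {"name": "sda1", "type": "part", "fstype": "vfat", "mountpoint": "/boot/efi"},
      {"name": "sda2", "type": "part", "fstype": "ext4", "mountpoint": "/"},
      {"name": "sda3", "type": "part", "fstype": "crypto_LUKS", "mountpoint": null, "children": [
        {"name": "home_crypt", "type": "crypt", "fstype": "ext4", "mountpoint": "/home"}
      ]}
    ]},
    {"name": "sdb", "type": "disk", "fstype": null, "mountpoint": null, "children": [
      {"name": "sdb1", "type": "part", "fstype": "vfat", "mountpoint": "/media/usb"}
    ]}
  ]
}
"""


def walk(devices, ancestors=()):
    """Yield (device, chain) for every node in the lsblk tree; chain includes the node itself."""
    for dev in devices:
        chain = ancestors + (dev,)
        yield dev, chain
        yield from walk(dev.get("children", []), chain)


def mounted_volumes(lsblk_json):
    """Return {mountpoint: is_encrypted} for each mounted filesystem.

    A filesystem counts as encrypted when it sits on, or inside, a device of
    type "crypt", i.e. a dm-crypt/LUKS mapping somewhere in its parent chain.
    """
    tree = json.loads(lsblk_json)["blockdevices"]
    result = {}
    for dev, chain in walk(tree):
        mountpoint = dev.get("mountpoint")
        if mountpoint:
            result[mountpoint] = any(d.get("type") == "crypt" for d in chain)
    return result


def unencrypted_mounts(lsblk_json, ignore=("/boot", "/boot/efi")):
    """Mounted filesystems outside any encryption layer; boot partitions are
    ignored because they hold no PHI and are normally left unencrypted."""
    return sorted(mp for mp, encrypted in mounted_volumes(lsblk_json).items()
                  if not encrypted and mp not in ignore)


if __name__ == "__main__":
    # On a real host, replace SAMPLE_LSBLK_JSON with the output of:
    #   lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT
    for mp in unencrypted_mounts(SAMPLE_LSBLK_JSON):
        print(f"UNENCRYPTED: {mp}")   # prints "/" and "/media/usb" for the sample
```

On the constructed sample the report flags `/` and `/media/usb` while `/home` passes because its mapped device is of type `crypt`; a flagged root volume on a clinician laptop means a loss of that laptop would not qualify for the safe harbor. Newer util-linux versions also offer a `MOUNTPOINTS` column that returns a list; the parser above assumes the single-value `MOUNTPOINT` column requested in the command.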

  13. Breach Notification: To Do • Avoidance (always your best option!) • Creation of internal “security team” • Conduct a thorough security risk analysis • Identify and address gaps with new or revised policies and procedures • Pay particular attention to highly vulnerable areas (strongly consider encryption): • Mobile technology (laptops, tablets, smart phones) • Remote access to EHR / transmission of PHI

  14. Breach Notification: To Do • Implement/revise breach response plan • Identify potential breaches • Internal reporting of potential breaches • Assess potential breaches (risk assessment with four factors) • Report breaches to individuals, annually to HHS • If 500+ patients, HHS asap and local media • Integrate state law requirements • Train staff
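Slides 10, 11 and 14 together describe one decision flow: an incident involving encrypted PHI falls under the safe harbor; otherwise a breach is presumed unless a four-factor risk assessment documents a low probability of compromise; and a reportable breach is notified to individuals, to HHS (annually, or at once together with local media when 500 or more individuals are affected), with state law layered on top. The code below is an added example that encodes that flow as a triage routine for an internal breach-response log; it is not from the presentation or from MGMA. The `Incident` record, the rule that an incomplete assessment leaves the presumption of breach in place, the action strings and the sample lost-laptop incident are all this example's own constructions.

```python
from dataclasses import dataclass

# Decision labels returned by triage(); constants so callers can compare exactly.
SAFE_HARBOR = "not a breach of unsecured PHI (encryption safe harbor)"
NOT_REPORTABLE = "not reportable (low probability of compromise documented)"
REPORTABLE = "reportable breach"
PRESUMED = "reportable breach (presumed; risk assessment incomplete)"

# The four factors from slide 11, in the order the rule lists them.
FOUR_FACTORS = (
    "nature_and_extent",      # nature and extent of the PHI involved
    "unauthorized_person",    # who used the PHI / to whom it was disclosed
    "acquired_or_viewed",     # whether the PHI was actually acquired or viewed
    "mitigation",             # extent to which the risk has been mitigated
)


@dataclass
class Incident:
    """A suspected impermissible use or disclosure logged through internal reporting."""
    description: str
    individuals_affected: int
    phi_encrypted: bool                   # encrypted per the NIST SP 800-111 / FIPS 140-2 safe harbor?
    nature_and_extent: str = ""           # written findings for each of the four factors
    unauthorized_person: str = ""
    acquired_or_viewed: str = ""
    mitigation: str = ""
    low_probability_of_compromise: bool = False   # the conclusion the four factors support


def notification_actions(incident):
    """Notification steps for a reportable breach, by size of the affected population."""
    actions = ["notify affected individuals", "apply state breach-law requirements"]
    if incident.individuals_affected >= 500:
        actions += ["notify HHS without unreasonable delay", "notify prominent local media"]
    else:
        actions.append("log for the annual HHS report")
    return actions


def triage(incident):
    """Return (decision, actions) following the presumption-of-breach flow.

    Example design choice: if any of the four factors has no written finding,
    the presumption of a reportable breach stands and the missing factors are
    flagged so the assessment can be completed and retained.
    """
    if incident.phi_encrypted:
        return SAFE_HARBOR, ["document the encryption basis for the safe harbor"]
    missing = [f for f in FOUR_FACTORS if not getattr(incident, f).strip()]
    if missing:
        return PRESUMED, notification_actions(incident) + [f"complete factor: {f}" for f in missing]
    if incident.low_probability_of_compromise:
        return NOT_REPORTABLE, ["retain the written four-factor risk assessment"]
    return REPORTABLE, notification_actions(incident)


# Constructed sample incident (the 625-patient lost laptop from slide 40 of this deck).
LOST_LAPTOP = Incident(
    description="physician laptop lost in transit",
    individuals_affected=625,
    phi_encrypted=False,
    nature_and_extent="names, DOBs, diagnoses for 625 patients",
    unauthorized_person="unknown finder",
    acquired_or_viewed="unknown; device not recovered",
    mitigation="remote wipe not available; passwords reset",
)

if __name__ == "__main__":
    decision, actions = triage(LOST_LAPTOP)
    print(decision)
    for step in actions:
        print(" -", step)
```

Running the sample yields a reportable breach with the 500-plus tier of actions; setting `phi_encrypted=True` on the same incident short-circuits to the safe harbor, which is the practical argument for the encryption spend on slide 29.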

  15. New limits on uses and disclosures of PHI

  16. Marketing: Key Questions to Ask • New restriction on disclosures that describe item or service when covered entity receives financial remuneration from third party whose item or service is described. • Question 1: Communication about a product or service that encourages purchase or use? If yes, marketing (patient authorization required). • Question 2: Describes health-related item or service offered by covered entity or treatment alternative? If yes, no longer marketing. • Question 3: Remuneration received from third party whose item or service is described? If yes, marketing again (patient authorization required). • Question 4: Payment for refill reminders about drug that is currently prescribed with remuneration reasonably related to cost of communication? If yes, no longer marketing. (Awaiting additional guidance.)

  17. PHI Disclosures • Practice may not receive remuneration in exchange for PHI • Exceptions • Business associate activities • Any other permissible purpose if remuneration limited to reasonable, cost-based fee for preparation and transmittal (not in HITECH) • Research • Providing access and accounting to an individual • Student Immunization Records • Written or oral agreement from parent/guardian required (must be documented)

  18. Other Changes to Uses/Disclosures • Decedent Information • No longer PHI 50 years after death (not a retention requirement) • Fundraising • More categories of PHI may be used • More stringent opt out requirements • Research • Greater ability to combine research authorizations • Authorization may cover future research

  19. Increased patient rights

  20. Electronic Copy of PHI • Practice must now provide an individual with a copy of their PHI that is maintained by the practice electronically, in the electronic form and format requested by the individual if such format is readily producible • If the requested format is not readily producible, practice must offer at least one readable electronic format • If patient/practice can’t agree on format, a readable hard copy must be provided • Fees (paper or e-copy) are limited by state law and only include “reasonable” costs of production

  21. Restriction for Out-of-Pocket Payments • Practice must agree to individual’s request to restrict PHI disclosure to payer if the individual (or 3rd party) pays out-of-pocket and in full • For payment or health care operations • Unless disclosure is required by law • No requirement to monitor downstream providers (e.g., pharmacies) • If payment dishonored, practices must make a reasonable effort to contact patient and obtain payment prior to disclosing PHI to health plan • Practices will need to flag restricted PHI or note in the record that the PHI has been restricted

  22. Notice of privacy practices

  23. Changes to Notice of Privacy Practices • Prohibition on sale of PHI • Duty to notify affected individuals of a breach of unsecured PHI • Right to opt out of fundraising (if applicable) • Right to restrict disclosure of PHI when paid out of pocket

  24. Notice of Privacy Practices: To Do • Review current notice and identify required changes • NPP to all new patients/current patients who request one • Post new notice in prominent public area of the practice and on your website • Good opportunity to revise your notice to include any practice changes (e.g., EHR, PHR, HIE) and write in “plain language” • OCR templates for your office to use! • http://www.hhs.gov/ocr/privacy/hipaa/modelnotices.html • Review MGMA sample NPP

  25. HIPAA Security/BAs/Enforcement • RISK ANALYSIS – what it is • Stories from the front! • Mobile Tools • Encryption • Office Tools • Email • Other Social Media • Cost of a Breach • Physical Security • Business Associates (BAs) • Enforcement

  26. HIPAA Security Rule Requirement: RISK ANALYSIS • What does it ask of you? • Review the potential risks and vulnerabilities to your systems that hold ePHI • Risks and vulnerabilities include people, weather and technology problems • Office systems include your office EHR, your office mobile tools, your office tools such as FAX, copier, printer + clinical tools • Review, analyze, and report on issues found across the security spectrum

  27. Mobile Tools • What is a mobile device? • It is a computing device that is mobile • It is a HIPAA Security workstation! • What do mobile devices provide? • Anytime, anywhere access to PHI • Anytime, anywhere ability to communicate • What are the categories of mobile devices? • Laptop • Tablet • Smart phone • Portable storage media • Clinical tools

  28. Mobile Tools • Currently loss and theft of mobile tools are the largest HIPAA breach problems: • http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html • Massachusetts provider settles HIPAA case for $1.5 M – loss of laptop • http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/meei-agreement.html • Hospice of North Idaho fined $50,000 – loss of laptop • http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/honi-agreement.html

  29. Encryption • Breach = use or disclosure mistake with unsecured ePHI, paper PHI, oral PHI • Unsecured ePHI = not encrypted! • Encryption not mandated by HIPAA Security! • With encryption = safe harbor + no breach! • Typical cost ~$55/laptop, ~$36/tablet and smart phone • See your EHR vendor for encryption help!

  30. Office Tools • What are office tools that the HIPAA Security rule covers? • Fax machines • Copy machines • Printers • Why does the HIPAA Security Rule cover these tools? • In 2013 they are all computers • They all have a hard drive like a computer that retains the ePHI that is faxed, copied or printed

  31. Office Tools • How do you dispose of or clean hard drives? • Dispose = shred! • Clean = degauss! • Degauss = write over the original many times • What happens if you dispose of a hard drive that has not been cleaned? • Photocopier Breach Case: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/affinity-agreement.html

  32. EMail • EMail is not mentioned in the HIPAA Security rule! • HIPAA Security rule = transmission security • EMail = electronic transmission • EMail with PHI needs transmission security and encryption … OR … EMail should not include PHI • Meaningful Use Stage 2 Portals • Load patient’s lab results, appointment notice, prescription refill to portal • Send EMail to patient that there is something on the portal for them

  33. EMail • What happens when your office EMail does not go to the intended person? • Alaska: Hope Community Resources • Statewide network • EMail was to promote a survey • It included confidential information about 3,700 disabled clients • Names • Dates of birth • Addresses • www.alaskadispatch.com/article/email-accident-violates-privacy-thousands-hope-community-clients

  34. Other Social Media • What other social media are being used in healthcare? • Websites • Facebook • Twitter • You name it! • If you use social media, your office needs • A policy on when you will include ePHI in social media and when you will not permit ePHI in social media • An inventory of current and proposed uses for social media

  35. Physical Security • What is Physical Security? • It is your locks on doors and windows • It is the safety of your electronic tools • It includes Workstation Use and Workstation Security • It is part of a risk analysis + easy to do! • Make sure no one keeps the back door propped open • Position computer screens to avoid being seen • Turn paper records over so no one can read the PHI • Have a sign-in sheet for patients • Have a sign-in sheet for vendors

  36. Business Associates (BAs) • What is a Business Associate? • An individual or business that acts on behalf of your practice and uses PHI • They create, receive, maintain, or transmit PHI or ePHI • Examples of Business Associates • Mailing company • Shredding company • Possibly, the Regional Extension Center (REC) in your state

  37. Changes to BA Contracts • Must specify compliance with Breach Notification Rule • Should specify to whom BA provides electronic access • Subcontractor must be subject to BA contract • If practice delegates HIPAA responsibility, must specify that BA will comply with HIPAA • Optional: • Control over BA use of subcontractors • Clarity regarding minimum necessary and safeguards • More stringent reporting timelines • INDEMNIFICATION

  38. Business Associates (BAs) • What/who is not a Business Associate? • The people who clean your office • The people who fix your printer • You want a confidentiality statement with this type of vendor, and have a sign in sheet at your front desk for this type of vendor • From the feds: sample business associate agreement provisions at http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html • From MGMA: http://www.mgma.com/search/default.aspx?q=business%20associate%20agreement

  39. Overview of Settlements and Civil Money Penalties • 15 settlements, 1 civil monetary penalty • Average settlement amount ~ $920,000 • Average settlement’s corrective action plan (CAP) is about 2.4 years • Some settlements also involved the Federal Trade Commission • 5 of the settlements include independent on-site monitoring

  40. Cost of a Breach • If a mobile tool such as a laptop or tablet was lost or stolen and it contained PHI for 625 individuals, the cost would be: • Breach response costs: $175 × 625 = $109,375 • If a healthcare entity is fined by OCR, the average lately is ~$1 M • Costs to remediate, mitigate and fix the mistake: estimated at $50,000+ • Total costs might be $1,159,375

  41. General Steps to HIPAA Compliance

  42. Steps to HIPAA Compliance • Begin with a thorough risk assessment • Review all current policies and procedures (gap analysis) • Identify all locations with PHI • Determine whether encryption is warranted and to what extent • Review your medical record retention and destruction policies to confirm that data is being destroyed properly

  43. Steps to HIPAA Compliance • Create a cost-effective plan to mitigate top risks (e.g., physician laptops) • Ensure BA contracts are modified • Update policies and procedures • Train impacted staff • Take a cross-functional approach to compliance • This is a good opportunity to do a HIPAA house-cleaning! • “HIPAATIZE” your staff!!

  44. Resources • MGMA: www.mgma.com/hipaa • HIMSS-MGMA Toolkit • Sample BAA, sample NPP, Security Risk Analysis toolkit • NIST resources (risk assessment tool, guidance) • Office for Civil Rights: http://www.hhs.gov/ocr/office/index.html • Rules, regulations, guidance • Audit and enforcement actions

  45. Questions?

  46. Contact Information • Sue Miller • TMSAM@aol.com • (O) 978-369-2092 • (C) 978-505-5660 • Robert Tennant • rtennant@mgma.org • Amy Nordeng • anordeng@mgma.org • (O) 202-293-3450
