Join Alissa Smith for an in-depth presentation on HIPAA regulations including the Privacy, Security, Breach Notification Rules, and recent updates in OCR Enforcement. Learn about protecting PHI, client authorization, disclosure rules, and safeguarding patient privacy.
HIPAA Annual Training, Iowa State Association of Counties, November 8, 2017, Alissa Smith
Outline of Presentation • HIPAA Privacy Rule Overview • HIPAA Security Rule Overview • HIPAA Breach Notification Rule Overview • Updates on OCR Enforcement • Complaints Up • Investigations Up • Settlement Amounts Up
Overview of Four HIPAA Rules • The Privacy Rule: addresses the Use and Disclosure of PHI by Covered Entities and Business Associates and establishes individuals’ privacy rights to understand and control how their health information is used. • The Security Rule: establishes requirements for protecting electronic PHI (administrative, technical and physical safeguards). • The Enforcement Rule: establishes both civil money penalties (“CMPs”) and federal criminal penalties, as well as procedures for agency enforcement and factors for assessing CMPs. • The Breach Notification Rule: requires notification to HHS, the individual and potentially the media following a Breach of Unsecured PHI.
General HIPAA Rules • Health care providers and health plans are “covered entities” regulated under HIPAA • Covered entity workforce members may only use or disclose protected health information (PHI) as permitted under HIPAA (or, under state law if state law is more restrictive in a particular area, such as privacy for mental health information) • Any member of the workforce of a covered entity (employees, contractors, volunteers, trainees) is an agent of the covered entity whose actions can result in liability for the covered entity under HIPAA. • HIPAA requires covered entities to train workforce members on HIPAA compliance and enforce noncompliance through appropriate sanctions.
Privacy Basics (HIPAA and Iowa Law) • Health Insurance Portability and Accountability Act (HIPAA) rules: 45 CFR §160; 45 CFR §164 • State laws • Iowa’s Mental Health Privacy Law: Iowa Code §228 • Iowa’s Chemical or Substance Abuse Treatment Privacy Law: Iowa Code §125 • Iowa’s HIV/AIDS Records Privacy Law: Iowa Code §141A
What is Protected Health Information (PHI)? • PHI is information that: • Identifies an individual; and • Is spoken or recorded in any form or medium; and • Is created or received by a covered entity; and • Relates to the past, present, or future physical or mental health of an individual; or • Relates to the provision of health care to an individual; or • Relates to the past, present, or future payment for the provision of health care to an individual
Client Authorization May Not Be Needed • Default rule is that client authorization is needed in order to use or disclose PHI. • BUT: Covered Entities may use/disclose PHI without a patient’s authorization for TPO (Treatment purposes, Payment purposes, health care Operations purposes). • Examples of Health Care Operations • Case management, care coordination, peer review, training, legal, auditing, business management
Exceptions to Authorization Rule • There are several exceptions to the HIPAA Privacy Rule that allow a covered entity to disclose PHI without an authorization, and without giving the patient an opportunity to object. Examples: • When Required By Law (reporting criminal wounds/child abuse/dependent adult abuse) • Public Health Activities (reporting certain diseases) • Judicial/Administrative Proceedings (court orders, subpoenas) • Reporting related to victims of a crime • Reporting for law enforcement to ID/locate • Reporting crime on the premises • Disclosing to coroner/funeral directors • Disclosing PHI to correctional institution about inmate • Disclosing under terms of work comp law
When Can I Disclose to a Client’s Family/Friends? • There are some uses and disclosures of PHI that a covered entity may make without an authorization as long as the patient has been given an opportunity to object. Examples: • Discussing an individual’s care with family/friends who are involved in the care or payment related to the care • May reasonably infer from circumstances (e.g., client accompanied by family and client does not object) • May exercise professional judgment that disclosure is in patient’s best interests (only PHI that is directly related to family/friend involvement in care or payment for care or needed for notification) • May exercise professional judgment to allow a person to act on behalf of client to pick up filled prescriptions, medical supplies, x-rays, other similar forms of PHI
Reasonable Safeguards Rule • Covered Entities must implement reasonable administrative, technical and physical safeguards to protect patient privacy at all times: • Examples: low voices, not discussing any PHI in a public place or where it could be overheard by anyone who is not involved in the matter at hand, pointing computer screens away from the public view, using proper disposal methods, securing paper and electronic records, erasing hard drives before returning leased equipment with PHI, etc.
Sending and Disposing of PHI • Know the appropriate ways to send client information, including: - securing e-mails sent outside the county/region - verifying fax numbers and retrieving misdirected faxes - appropriately labeling internal and outside mail • Follow designated procedures for appropriate disposal of documents containing PHI - PHI must not be discarded in unsecured trash bins, unsecured bags or other publicly-accessible locations. Instead, all PHI must be discarded in secured trash receptacles or other non-publicly-accessible locations, or shredded, burnt, pulped, or pulverized so that the PHI is rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed.
Minimum Necessary: The Information You Need to Do Your Job • The “Minimum Necessary” Rule limits the amount of information that may be accessed, used, disclosed or requested to: • The amount of client information you need to carry out your job responsibilities (“need to know”) • The amount of information a requesting party needs to carry out their job responsibilities, e.g.: • Law enforcement asks you for information related to a client who was involved in a shooting incident; • A report of an outbreak of foodborne illness to appropriate state or federal agencies. Each of these requests is legitimate, but the amount of information you may disclose in each instance may vary.
HIPAA and Business Associates • A covered entity may disclose PHI to a Business Associate (“BA”) • But only if the covered entity first obtains written assurance that the BA will appropriately safeguard the PHI (i.e., through a business associate agreement)
Who is a Business Associate? -An entity or individual acting on behalf of the covered entity • (not a member of the workforce of the covered entity) • who creates, receives, transmits or maintains PHI -An entity or individual that provides certain services to or for the covered entity • (not a member of the workforce of the covered entity) • Where the provision of the services involves the disclosure of the covered entity’s PHI to the entity or individual
Who is a Business Associate (cont’d) -An entity that maintains PHI (including physical storage and e-storage/cloud storage), even if the entity does not actually view the PHI -An entity that provides data transmission services of PHI on behalf of the CE and requires access to the PHI on a routine basis as part of those services. • A mere “conduit”, such as a courier service, does not require access to PHI on a “routine basis,” but rather on a random or infrequent basis, and thus is not a BA; e.g., USPS, UPS, internet service provider. -Health information organizations, E-prescribing gateways, or a person that offers a personal health record to one or more individuals on behalf of a CE. -Subcontractors of BAs, and Subs of Subs, are BAs
Who is Not a Business Associate? • Health care providers with respect to disclosures by a covered entity to a health care provider concerning the treatment of the individual. • A health plan sponsor, with respect to disclosures by the health plan to the plan sponsor • A government agency (e.g., Medicare), with respect to determining eligibility for or enrollment in a government health plan that provides benefits (e.g., SSA) where the joint government activities are authorized by law. • An entity or person whose services do not involve the use or disclosure of PHI (or where it would be incidental, if at all), such as janitorial services.
Examples of Business Associates • TPA that assists a health plan with claims processing • A CPA firm or law firm whose accounting or legal services involve access to PHI • A consultant that performs utilization reviews • A pharmacy benefits manager that manages a health plan’s pharmacy network • An independent medical transcriptionist who performs services for a health care provider
General HIPAA Security Rules • The HIPAA Security Rule applies to electronic PHI (“ePHI”). • Covered Entities must implement administrative, technical and physical safeguards to protect the confidentiality, integrity and availability of all ePHI it creates, receives, maintains or transmits. • As with the Privacy Rule, workforce members must only be allowed access as needed for their job/function/assignment, workforce members must be trained, and appropriate sanctions must be applied to workforce members who fail to comply.
HIPAA Security Rule: Risk Analysis • Risk Analysis- This must be completed to document all repositories of ePHI, identify security measures in place for all repositories, identify vulnerabilities related to each repository, assign risk level, determine risk mitigation strategies, and reassess periodically. • All safeguards implemented flow from the findings in the documented risk analysis.
Some General HIPAA Security Rules (cont’d) • Workforce members must be assigned a unique user name/number. • Information systems activity must be reviewed regularly to track user access. • Termination procedures must be implemented to turn off workforce access at the end of employment/engagement. • Physical controls must be implemented to limit access to facilities that house ePHI, including building security, workstation use/access and security, and implementing policies that govern the disposal and reuse of ePHI and the hardware/software on which it is stored.
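The access-review and termination-procedure requirements on this slide can be checked mechanically. The script below is an added example, not material from the training deck: it cross-checks a (constructed) workforce termination roster against (constructed) system access log lines and flags any activity after a user's end date, which is exactly the gap in the Memorial Healthcare System case discussed later in the deck. The log format, user IDs and dates are all assumptions for illustration.

```python
"""Post-termination access review (added example; not from the training deck)."""
import re
from datetime import date, datetime

# Constructed HR roster: unique user ID -> last day of employment/engagement.
TERMINATION_ROSTER = {
    "jdoe": date(2011, 4, 15),
    "rsmith": date(2011, 4, 20),
}

# Constructed log lines in a hypothetical "timestamp key=value ..." format.
SAMPLE_LOG = """\
2011-04-14T08:02:11 user=jdoe action=login system=EHR result=success
2011-04-16T09:12:44 user=jdoe action=login system=EHR result=success
2011-04-16T09:13:02 user=jdoe action=view_record patient_id=P-0001
2011-05-01T07:45:00 user=rsmith action=login system=EHR result=failure
2011-05-01T07:45:30 user=rsmith action=login system=EHR result=success
2011-05-02T10:00:00 user=akhan action=login system=EHR result=success
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Parse one log line into (timestamp, {key: value}); None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.fromisoformat(m.group("ts"))
    except ValueError:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    return ts, fields


def find_post_termination_access(log_text, roster):
    """Return (timestamp, user, action, days_after_termination) for every event
    by a terminated user dated after that user's end date.

    Failed logins are reported too: an attempt after termination is itself worth
    a look, even if the account was eventually disabled.
    """
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed lines are skipped, not silently trusted
        ts, fields = parsed
        user = fields.get("user")
        end_date = roster.get(user)
        if end_date is None or ts.date() <= end_date:
            continue  # active user, or activity on/before the last day
        days_after = (ts.date() - end_date).days
        findings.append((ts, user, fields.get("action", "?"), days_after))
    return findings


def summarize(findings):
    """Collapse findings to {user: (event_count, max_days_after_termination)}."""
    summary = {}
    for _ts, user, _action, days in findings:
        count, worst = summary.get(user, (0, 0))
        summary[user] = (count + 1, max(worst, days))
    return summary


if __name__ == "__main__":
    hits = find_post_termination_access(SAMPLE_LOG, TERMINATION_ROSTER)
    for ts, user, action, days in hits:
        print(f"{ts.isoformat()} {user:<8} {action:<12} {days} day(s) after termination")
    print(summarize(hits))
```

In practice the roster comes from HR and the log from the EHR or identity system; the review itself is what the Security Rule's "regular review of information system activity" means in operational terms.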
General HIPAA Security Rules (cont’d) • Automatic logoff procedures should be implemented. • Mechanisms to encrypt/decrypt ePHI must be addressed. • Policies and procedures must be in place to protect ePHI from improper alteration/destruction.
Security Safeguards • Passwords All passwords must be kept confidential: - NEVER share your password - NEVER post your password in public view - NEVER use someone else’s password to log-in • Access Codes/Security Badges - Use access codes only for work purposes - Never share an access code/your badge - Make sure doors are secure - Do not let people into a unit/building with your access code/badge
Security Safeguards • Faxes • Misdirected faxes should be retrieved as soon as possible • Verify, verify, verify the fax number/receipt of fax • Fax machines, printers, copy machines should be out of public view • Never turn in a fax/copy/printer machine to a leasing company without wiping the hard drive (these machines store an image of every copy/fax/print)
Security Safeguards • Mobile Devices • Adopt mobile device policies • When transporting laptops or thumb drives or other records or devices with unencrypted PHI: protect the item as you would your wallet. • Laptops should be locked in your car trunk if you have to leave your car. When in your home, they should be kept in a secure place. • Secure mobile devices, in a locked office or cabinet in your unit/department when not in use. • Social Networking • Demonstrate appropriate use of social networking (Facebook, Twitter, etc.): health care and/or business-sensitive information is NOT to be discussed on social network sites.
HIPAA Breach Notification Rule Breach: The access, acquisition, use or disclosure of unsecured PHI not permitted under the Privacy Rule that compromises the security or privacy of the PHI Unsecured PHI: PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of technology or methodology specified by HHS (e.g., encrypted, shredded).
HIPAA Breach Notification Rule (cont’d) • A potential breach is presumed to be a “breach” (requiring breach notification) unless an exclusion applies or a 4-part risk assessment demonstrates that there is a low probability that the PHI has been compromised.
HIPAA Breach Notification Rule: Exclusions • Three Exclusions • Good faith internal access • Good faith internal disclosure • External disclosure but good faith belief that person to whom disclosure was made would not reasonably have been able to retain the information
HIPAA Breach Notification Rule: Risk Assessment • In order to determine a breach notification is not required, the covered entity must have addressed all four factors in the risk assessment and determined that the use/disclosure of the PHI poses a low probability that the PHI has been compromised. • OCR expects risk assessments to be thorough, completed in good faith, and for the conclusions reached to be reasonable. • Retain documentation of investigation, risk assessment and all notifications (6 years)
HIPAA Breach Notification Rule: 4-Part Risk Assessment • The nature and extent of the PHI involved (including the types of PHI, and the likelihood of re-identification); • The unauthorized person who used the PHI or to whom the disclosure was made; • Whether the PHI was actually acquired or viewed; and • The extent to which the risk to the PHI has been mitigated. After considering these factors, the CE must presume there is a “breach” requiring notification unless the analysis demonstrates that there is a low probability that the PHI has been compromised.
Breach Notifications: the who, when, and how
Large breaches (500+ individuals): • Affected individuals: no later than 60 days after breach discovery; delivered by first-class mail unless an individual agrees to email • The Secretary of Health and Human Services: no later than 60 calendar days after breach discovery • The media: for breaches involving 500+ residents of a state or jurisdiction, all prominent media outlets of the state or jurisdiction, no later than 60 days after breach discovery
Small breaches (fewer than 500 individuals): • Affected individuals: no later than 60 days after breach discovery; delivered by first-class mail unless an individual agrees to email • The Secretary of Health and Human Services: no later than 60 calendar days after the end of the calendar year in which the breach(es) were discovered
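The who/when table above reduces to a small decision procedure. The following is an added example, not part of the original deck: given the discovery date, the total affected count and a per-state breakdown, it works out which notices are due and by what date using the deck's 500-individual threshold and 60-day windows. It assumes that "60 days" means discovery date plus 60 calendar days and that the small-breach HHS deadline runs from December 31 of the discovery year; all input figures are constructed.

```python
"""Breach notification deadlines (added example; not from the training deck)."""
from datetime import date, timedelta

LARGE_BREACH_THRESHOLD = 500   # 500+ individuals is a "large" breach
NOTIFICATION_WINDOW = timedelta(days=60)


def notification_deadlines(discovery, affected_total, affected_by_state):
    """Return {"individuals": date, "hhs": date, "hhs_basis": str, "media": {state: date}}.

    discovery:          date the breach was discovered
    affected_total:     number of individuals affected
    affected_by_state:  {state_or_jurisdiction: individuals affected there}
    """
    if affected_total < 1:
        raise ValueError("a reportable breach affects at least one individual")
    if sum(affected_by_state.values()) > affected_total:
        raise ValueError("per-state counts exceed the total")

    # Affected individuals: 60 days after discovery regardless of size,
    # by first-class mail unless the individual has agreed to e-mail.
    individuals = discovery + NOTIFICATION_WINDOW

    if affected_total >= LARGE_BREACH_THRESHOLD:
        # Large breach: the Secretary within 60 calendar days of discovery.
        hhs = discovery + NOTIFICATION_WINDOW
        hhs_basis = "60 days after discovery (500+ individuals)"
    else:
        # Small breach: the Secretary within 60 days after the end of the
        # calendar year in which the breach was discovered.
        hhs = date(discovery.year, 12, 31) + NOTIFICATION_WINDOW
        hhs_basis = "60 days after end of discovery calendar year (<500)"

    # Media: only states/jurisdictions with 500+ affected residents. A breach
    # of 600 people spread thinly across states needs HHS notice within
    # 60 days yet no media notice at all.
    media = {
        state: discovery + NOTIFICATION_WINDOW
        for state, count in affected_by_state.items()
        if count >= LARGE_BREACH_THRESHOLD
    }
    return {"individuals": individuals, "hhs": hhs, "hhs_basis": hhs_basis, "media": media}


def days_remaining(deadline, today):
    """Days left before a deadline; negative means the window has been missed."""
    return (deadline - today).days


if __name__ == "__main__":
    # Constructed: 2,209 individuals, all in one jurisdiction, discovered 2017-03-01.
    large = notification_deadlines(date(2017, 3, 1), 2209, {"PR": 2209})
    # Constructed: 120 individuals, discovered the same day.
    small = notification_deadlines(date(2017, 3, 1), 120, {"IA": 120})
    for label, result in (("large", large), ("small", small)):
        print(label, result)
    print("days left for individual notice:",
          days_remaining(large["individuals"], date(2017, 4, 1)))
```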
Breach Notification: Information • Notification Must be Detailed • a brief description of what happened, including the date of the Breach and the date of discovery of the Breach; • a description of the types of Unsecured PHI involved (without, however, including specific PHI); • any steps Individuals should take to prevent potential harm resulting from the Breach; • a brief description of what Covered Entity is doing (i) to investigate the Breach, (ii) to mitigate harm to Individuals and (iii) to protect against further Breaches; and • contact procedures for Individuals to ask questions or learn additional information, including a toll free telephone number, email address, website, or postal address.
HIPAA Enforcement • HHS OCR interprets and enforces the Privacy Rule, Security Rule and Breach Notification Rule • Civil Penalties: up to $1.5M/violation; one affirmative defense • Criminal Penalties: up to $250K and 10 years in prison • No Private Right of Action (Note: state privacy laws and data breach notification laws may include private rights of action) • Liability for Actions of Business Associates • Approximately 20% of PHI data breaches have been caused by Business Associates
Statistics-2017 (January-October) • To date this year alone, there have been 243 reported large breaches • OCR expects 17,000 complaints in 2017 alone.
Current State of Affairs • External threats at all time high • Internal threats are the largest source of risk for covered entities – snooping, social media, phishing attacks • More individual complaints • OCR enforcement posture more aggressive • OCR widening review of small breaches • Settlement amounts are increasing
Statistics-2017 (continued) • Between April 2003 and July 2017, OCR has: • Received 160,927 HIPAA complaint cases/potential breach reports • Initiated over 850 compliance reviews on its own • Resolved 158,293 complaint cases (98%) • Investigated/resolved 25,312 cases by requiring changes through corrective action or providing technical assistance • Made 634 referrals to the DOJ for criminal sanctions • Reached settlements (called Resolution Agreements) with 52 entities since 2009, totaling $72,929,182.00 • Almost all settlements are now the result of an initial breach notification • Almost all settlements include a 3-year corrective action plan
Resolution Agreements (RAs) & Corrective Action Plans (CAPs) Example: • MAPFRE Life Insurance Company of Puerto Rico (filed 9/29/11, settled Jan. 2017) • A USB “pen drive” containing complete names, dates of birth and Social Security Numbers was stolen from the IT department • 2,209 affected individuals • OCR found no risk analysis, no risk management plan, no encryption or equivalent alternatives on laptops/mobile devices until 2014 • Resolution amount: $2,204,182.00 • Length of CAP: 3 years • CAP requirements • Conduct Risk Analysis and implementation of Risk Management Plan • Review/revise/distribute Policies and Procedures • Re-training • Annual reports
Resolution Agreements (RAs) & Corrective Action Plans (CAPs) Example: • Children’s Medical Center (hospital) (filed 1/18/2010 and 7/5/13; Feb. 2017) • 2010 Breach: An unencrypted BlackBerry was reported lost at an airport • 3,800 affected individuals • 2013 Breach: an unencrypted laptop was reported stolen from hospital premises • 2,462 affected individuals • Between the two incidents, OCR determined that Children’s was in violation of numerous HIPAA rules. After the 2010 incident, it failed to implement a risk management plan to avoid the 2013 breach. No encryption or alternative was in place until 2013 for laptops, BlackBerries and other mobile devices. Also, it allowed non-authorized workforce members access to ePHI. • Total civil money penalty (CMP) amount: $3.2 million
Resolution Agreements (RAs) & Corrective Action Plans (CAPs) Example: • Memorial Healthcare System (MHS) (Feb. 2017) • Failed to terminate the access of a former employee, which had been used daily by this individual between April 2011 (termination date) and April 2012 • Affecting up to 115,134 individuals • Despite this risk being identified yearly from 2007-2012 in its risk analysis, no regular audits of access/system activity and no access removal procedure upon termination • Resolution amount: $5.5 million • Length of CAP: 3 years • CAP requirements • Completion of Risk Analysis and Risk Management Plan • Revision of Policies & Procedures • Adoption and Distribution of Policies & Procedures • Monitoring • Internal Reporting • Annual Reports
Resolution Agreements (RAs) & Corrective Action Plans (CAPs) Example: • Metro Community Provider Network (a federally-qualified health center) (filed 1/27/12; resolution April 2017) • Hacker accessed employees’ email accounts through a phishing scam • 3,200 affected individuals • OCR found no risk analysis or security risk management plan until 2012 • Resolution Agreement amount: $400,000 (taking into account status as an FQHC/financial ability to pay) • Length of CAP: 3 years • CAP requirements • Conduct Risk Analysis • Develop and Implement Risk Management Plan • Review and Revise Policies and Procedures • Review and Revise Training Materials • Regular Reporting
Resolution Agreements (RAs) & Corrective Action Plans (CAPs) Example: • CardioNet (ambulatory cardiac monitoring service) (filed 1/10/2012; resolution April, 2017) • A work laptop was left in the vehicle of an employee, from where it was stolen outside the employee’s house • 1,391 affected individuals • OCR found insufficient risk analysis and risk management in place; policies and procedures were in “DRAFT” form and no evidence of being adopted or personalized; No policies on safeguards for mobile devices • Resolution Agreement amount: $2.5 million • Length of CAP: 2 years • CAP requirements • Conduct Risk Analysis • Develop and Implement Risk Management Plan • Implement Secure Device and Media Controls • Review and Revise Training Program
Resolution Agreements (RAs) & Corrective Action Plans (CAPs) Example: • Memorial Hermann Health System (Settlement May, 2017) • Authorities alerted of a crime on the premises (medical ID theft) • Alerting authorities was permitted under HIPAA. What happened next, was not. • Management published press release including patient’s name. • OCR found no evidence of employee sanction for impermissible disclosure. • Resolution Agreement amount: $2.4 million • Length of CAP: 2 years
Resolution Agreements (RAs) & Corrective Action Plans (CAPs) Example: • St. Luke’s Roosevelt Hospital (Settlement May, 2017) • Impermissibly disclosed HIV status, medical care, STD information, medications, sexual orientation, mental health diagnosis, and physical abuse information to the patient’s employer (patient had requested the records be sent to his house, and the hospital misdirected the fax to the employer). • OCR investigation found another similar breach 9 months prior to that, but no corrective actions had been taken to prevent it again. • Resolution Agreement amount: $387,200 • Length of CAP: 3 years
Resolution Agreements (RAs) & Corrective Action Plans (CAPs) Example: • Presence Health (Settlement Jan, 2017) • Failed to report a breach to OCR or patients within 60 days (waited almost 70 days) • Paper operating room schedules for 836 patients “went missing”. These records contained very detailed, sensitive PHI. • OCR also found many other breaches had not been timely reported over the years. • Resolution Agreement amount: $475,000 • Length of CAP: 2 years
Resolution Agreements (RAs) & Corrective Action Plans (CAPs) Example: • Center for Children’s Digestive Health (Settlement April 2017) • When OCR was investigating a BA of CCDH (FileFax, a records storage vendor), OCR discovered that the BA did not have a BAA with CCDH. • OCR opened a “compliance review” of CCDH and discovered that between 2003 and 2015, no BAA was in place with FileFax. • Resolution Agreement amount: $31,000 • Length of CAP: 2 years
Privacy and Security Compliance: What Are My Resources? • HIPAA Privacy and Security Policies and Procedures: know where they are located for your county/region. • HIPAA Privacy Officer and Security Officer for your county or region: know who they are and how to reach them. • OCR Guidance: OCR regularly publishes guidance on a variety of topics, including monthly guidance, such as: • Security Rule: http://www.hhs.gov/hipaa/for-professionals/security/guidance/index.html (ransomware, remote access, mobile devices) • Privacy Rule: https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/index.html (communicating with family/friends; methods for de-identification; sharing mental health info; family medical history; disposal) • Rendering data unreadable: https://www.hhs.gov/hipaa/for-professionals/breach-notification/guidance/index.html
Reporting Incidents, Complaints or Concerns All workforce members are required to report concerns they may have about potential privacy and security violations to their manager/supervisor, or their Privacy or Information Security Officials, as soon as possible. The sooner the violation is corrected, the more likely the county/region will have an affirmative defense to a civil penalty (if not due to willful neglect and corrected within 30 days of discovery). The clock is ticking on the breach notification obligation (60 days from date of discovery).
Focus on… • Risk Assessments • Risk Mitigation • Training (Phishing, Snooping, and Social Media) • Business Associate Agreements (due diligence on BAs, and use updated BAAs) • Encryption • Password Security • Mobile Devices • Understand your access limitations: What records are you permitted to access? Understand that you can only access records necessary to complete your job duties. • Understand your disclosure limitations: What records are you permitted to disclose? Understand that any disclosures must meet a HIPAA regulation allowing disclosure. If in doubt, refer to the HIPAA manual or contact the PO.