Providing Care With Respect and Dignity Through Data Security & Privacy Practices September 23, 2013 HIPAA/HITECH/OMNIBUS Review For Non-Medical Business Associates

Page 1: Data Security and Privacy Practices

Providing Care With Respect and Dignity

Through Data Security & Privacy Practices

September 23, 2013

HIPAA/HITECH/OMNIBUS Review

For Non-Medical Business Associates

Page 2: Data Security and Privacy Practices

Uncle Sam Wants YOU… to be Compliant.

• HIPAA Privacy Rule 2003
• HIPAA Security 2005
• HITECH 2009
• Omnibus 9/23/13
• Your business has new responsibilities for compliance under HIPAA, and we also may share liability for “willful negligence”, which is why this training is supplied for all of Springfield Clinic’s Non-Covered Entity Business Associates.

• We value our working relationship with your business, and want to be sure that you are aware of the standards that you will be held to as a result of your contract with us.

Page 3: Data Security and Privacy Practices

10 Transactions that Define a “Covered Entity”

1. Health Care claims or equivalent encounter information

2. Health care payment and remittance advice

3. Coordination of benefits

4. Health care claim status

5. Enrollment and disenrollment in a health plan

6. Eligibility for a health plan

7. Health plan premium payments

8. Referral certification and authorization

9. First report of injury

10. Health claims attachments

Note: HHS generally considers all providers, sites, and services within an Organization or System to be one CE.

Page 4: Data Security and Privacy Practices

De-identifying PHI is the only legal way to send it over an unsecured transmission. Consult with I.T. before using ePHI on personal devices. To de-identify information, call the ROI Services Manager in HIM Correspondence.

HIPAA Protects Patient-identifiable Health and/or Billing Information, So What Constitutes Identifiers?

1. Name

2. Street address

3. SSN

4. DOB

5. All dates (admit/discharge, DOS, date of death)

6. First 3 digits of zip only (if population > 20,000)

7. any geographic divisions smaller than state

8. age (if 90 or more, report age as “90+”)

9. Telephone, cell, or other personal number

10. Fax Number

11. URL and IP addresses (e-mail/internet)

12. VIN and serial numbers (vehicle)

13. Full face photos

14. Tattoos and any unique physical anomalies

15. Medical Record Number

16. Account Number

17. Insurance plan numbers

18. Device identifiers and serial numbers

19. Biometrics including fingerprint, voice, iris

20. Certificate/License Numbers

De-identifying PHI is considered a “safe harbor” for transport or storage. However, there must be a procedure in place to de-identify and re-identify accurately. Encryption is more commonly used.
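The identifier list above can be applied mechanically. The following Python is an added example and is not code from the Springfield Clinic deck: it drops the direct identifiers, reduces patient-related dates to the year and ZIP codes to their first three digits (items 5 and 6), reports ages of 90 or more as “90+” (item 8), and scans free-text fields for SSN or phone patterns that survived the field-level pass. The population table, the sample record and the random re-identification token held in a separate map are constructed assumptions, not values or procedures the slide supplies.

```python
"""Safe Harbor-style de-identification of a constructed patient record.

Added example, not part of the Springfield Clinic deck. The ZIP population
table is a constructed placeholder (real use needs Census data) and the
re-identification token is a random value the custodian maps back to the
MRN in a separate store, so the token itself reveals nothing.
"""
import re
import secrets
from datetime import date

# Direct identifiers removed outright (slide items 1-4 and 9-20).
DIRECT_IDENTIFIERS = {
    "name", "street_address", "ssn", "phone", "fax", "email", "url",
    "ip_address", "vin", "photo", "mrn", "account_number",
    "insurance_plan_number", "device_serial", "biometric", "license_number",
}
# Dates tied to the patient (slide item 5) are generalized to the year.
DATE_FIELDS = {"admit_date", "discharge_date", "date_of_service", "date_of_death"}

# CONSTRUCTED placeholder: 3-digit ZIP prefix -> population of that area.
ZIP3_POPULATION = {"627": 210_000, "036": 15_000}

# Identifier shapes that commonly leak into free-text notes.
RESIDUAL_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
}


def generalize_zip(zip_code, population=ZIP3_POPULATION):
    """Slide item 6: keep the first 3 digits only if that area has > 20,000 people."""
    digits = re.sub(r"\D", "", zip_code or "")
    if len(digits) < 5:
        return None  # unparsable ZIP: drop it rather than guess
    prefix = digits[:3]
    return prefix if population.get(prefix, 0) > 20_000 else "000"


def generalize_age(dob, as_of):
    """Slide item 8: ages of 90 or more are reported as "90+"."""
    had_birthday = (as_of.month, as_of.day) >= (dob.month, dob.day)
    age = as_of.year - dob.year - (0 if had_birthday else 1)
    return "90+" if age >= 90 else str(age)


def scrub_text(text):
    """Redact residual SSN/phone patterns; return (clean_text, hit_count)."""
    hits = 0
    for label, pattern in RESIDUAL_PATTERNS.items():
        text, n = pattern.subn(f"[{label.upper()} REDACTED]", text)
        hits += n
    return text, hits


def deidentify(record, as_of):
    """Return (deidentified_record, reidentification_token)."""
    out = {"residual_redactions": 0}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue                      # dropped entirely
        if key == "zip":
            zip3 = generalize_zip(value)
            if zip3:
                out["zip3"] = zip3
        elif key == "dob":
            out["age"] = generalize_age(value, as_of)   # DOB itself is dropped
        elif key in DATE_FIELDS:
            out[key + "_year"] = str(value.year)
        elif isinstance(value, str):
            clean, hits = scrub_text(value)             # free text gets a second pass
            out[key] = clean
            out["residual_redactions"] += hits
        else:
            out[key] = value
    # Random token: not derived from any PHI, mapped to the MRN elsewhere.
    return out, secrets.token_hex(8)


# CONSTRUCTED sample record; every value is fictitious.
SAMPLE_RECORD = {
    "mrn": "MRN-000123",
    "name": "Jane Q. Sample",
    "ssn": "123-45-6789",
    "street_address": "1 Example Way",
    "zip": "62701-1234",
    "dob": date(1920, 10, 1),
    "admit_date": date(2013, 9, 1),
    "diagnosis_code": "E11.9",
    "notes": "Patient callback at 217-555-0100; SSN on file 123-45-6789.",
}
AS_OF = date(2013, 9, 23)

if __name__ == "__main__":
    cleaned, token = deidentify(SAMPLE_RECORD, AS_OF)
    print(token, cleaned)
```

The `residual_redactions` counter is the audit signal: a non-zero value means identifiers were sitting in free text where field-level rules cannot see them, which is exactly the case the slide’s “procedure in place” requirement is meant to catch.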

Page 5: Data Security and Privacy Practices

HIPAA Privacy Law: The Health Insurance Portability and Accountability Act

HIPAA Privacy is the “baseline” privacy requirement for all Covered Entities. Stricter state laws, such as those covering Mental Health and Worker’s Comp, can supersede HIPAA.

– Requires IPO/ISO designation: Privacy and Security Officer(s)
– Requires Notice of Privacy Practices (NPP) with structured content, provision, and retention
– Requires Privacy Policies and workforce training
– Minimum Necessary Rule for every transaction
– Define Treatment, Payment and Operations transactions
– Define acceptable uses and disclosures of PHI/ePHI
– Define Designated Record Set (what the patient will see if asking to review records)
– Requires Business Associate Agreements
– Requires a PHI de-identification/re-identification process
– Awards Patient Rights
– Consents and authorizations requirements and conflicting consents resolutions
– Documentation Retention Schedules
– Uses and disclosures for Research PHI, for continuity of care and notification purposes
– Uses and disclosures required by law and for public health activities
– Uses and disclosures for marketing, fundraising, and underwriting
– Verification of PHI requestors
– Right to amend, requests for PHI and timely action, right to access/reasons for denial
– Right to Accounting of Disclosures (going back 6 years): content, provision and documentation
– Safeguards, mitigating complaints, consistent workforce sanctions, refraining from retaliatory acts
– Waiver of Rights
– Group Health Plan and Hybrid Covered Entity requirements

Page 6: Data Security and Privacy Practices

HIPAA Security Rule

• Requires reasonable and appropriate measures to protect the confidentiality, integrity and availability of PHI.
• Apply Administrative, Physical, and Technical safeguards to ePHI and PHI.
• Technology neutral, and scalable for the size of the Organization.
• “Required” standards must be implemented as written.
• “Addressable” standards may be scaled up or down as is reasonable, but the rationale and decision-makers must be documented and meet standards.
• If PHI at rest is to be “secured” it must be destroyed or encrypted.
• State Attorneys General are now allowed to bring suit in addition to US Attorneys. NOTE: IL has had all its AG Staff attorneys take HHS training (2-day course). The IL AG’s record is to generate $30 for every dollar spent!
• To date, over 500 cases have been referred to the Dept. of Justice for prosecution.

Note: There is no privacy without security, so there is quite a bit of crossover in mitigating issues.

Page 7: Data Security and Privacy Practices

HITECH

• Part of the American Recovery and Reinvestment Act (ARRA).
• HITECH is the Health Information Technology for Economic and Clinical Health Act.
• Requires Group Health Plan changes.
• Requires CE’s and BA’s to notify the patient if they breach and the breach poses significant risk of financial, personal, or reputational harm to the patient. (NOTE: The notification requirement is now more strict with OMNIBUS – effective 9/23/13)

• Breach of unsecured PHI for greater than 500 patients requires immediate notification of DHHS, and prominent media outlets. Also requires individual patient notification, and web posting. If financial or personal info is breached (i.e. SSN, credit card info, etc.) organizations add credit monitoring at their expense for each patient. We would also be listed on the OCR’s website “Hall of Shame”.

Note: ID Experts quotes economic impact of incident approximately $2M per organization but more important is loss of patients. Lifetime value per lost patient is estimated at $107,580.

Page 8: Data Security and Privacy Practices

OMNIBUS

• Final HIPAA Rule compliance deadline of 9/23/13.
• Redefines a Business Associate: An entity that performs functions, activities or services on behalf of covered entities that involve use or disclosure of protected health information (PHI) (create, receive, maintain, transmit, or store PHI). Lack of contract between parties will not prevent this designation.
• BA’s must now contract with subcontractors to follow HIPAA rules, and may be liable for breach by subcontractors.
• Strengthens HIPAA/HITECH, and adds GINA (Genetic Information Non-discrimination Act).
• Imposes direct liability on Business Associates and their subcontractors for compliance with HIPAA rules. Even without a formal agreement, they are still liable.
• Stricter rules for using PHI for marketing and fundraising without patient consent.
• Prohibits sale of ePHI with limited exceptions (i.e. mergers/acquisitions). No profit allowed from sale of ePHI (processing costs only). A few exceptions for merger/sale of business.
• Allows HITECH Cash Restriction: a CE must accommodate a patient who doesn’t want today’s info going to the insurance company, as long as the patient pays in full up front. The PHI may NEVER be released in the future to the payer.
• Requires HHS to investigate if a complaint indicates possibility of willful neglect.
• Created penalty tiers for non-compliance based on levels of culpability. Max $1.5M per year per type of violation. Willful negligence broadens investigation scope and penalties. A recent fine for Cignet was $4.3M! Denying record access to 41 insured was $1.3M and for failure to cooperate with an investigation, $3M.
• Expands individual’s right to view their electronic PHI in electronic format of their choice.
• Requires NPP modifications and redistribution for Covered Entities and now Business Associates.
• Breach Rule is modified, adding presumption that all unauthorized acquisition, access, use or disclosure of unsecured PHI is a Breach.
• Modifies HIPAA Privacy to prohibit health plans and life insurers from using or disclosing genetic info for underwriting purposes (long-term care insurers may use it).

Page 9: Data Security and Privacy Practices

Why Report Privacy/Security Violations?

• HIPAA requires mitigation of violations, and review of incidents, so if unreported, compliance cannot be achieved.
• If we do not report problems, either party may continue to violate patient rights without improving our procedures.
• HITECH requires patient and HHS notification of nearly all violations, determined by a required risk assessment performed and documented for each violation.
• Patient notification of a privacy breach is required if the protected information has been “compromised”. This is a patient’s civil right.
• Internal reporting is a Risk Management function:
– Identifying and preparing administrative recommendations
– Review for administrative approval of mitigation vs. acceptance of a risk.
– Identify compliance gaps in current procedures and modify.
– The Organization needs to be informed of their Organization’s report card, and this review should be documented.

Page 10: Data Security and Privacy Practices

Reportable Incidents

• Notify the Clinic’s Privacy Officer for any suspected breach. Examples:

• Information got disclosed to a wrong receiver or on the wrong patient.

• Information belonging to more than one patient was disclosed in processing as if belonging to one patient.

• An electronic device containing patient information was lost or stolen.

• Our network was hacked and we are trying to determine if there was patient information involved.

• Our physical security was breached and we had an intrusion.

• Our subcontractor had any of the above incidents happen at their company.

• We received a file from Springfield Clinic with patient information that we should not have received.

• Backup tapes in the trunk were stolen along with my employee’s car.

• Incidents require your mitigation and due diligence documentation. Examples:

• Forwarding an encrypted work email account to a personal unencrypted email account.

• Letting family/guests wait in an area with unprotected PHI.

• My coworker copies patient information to a personal thumb drive for off-site visits or work at home.

• I found hard copy patient information outside the building.

• I saw a coworker log in as someone else.
• A coworker is propping open physical security entrances and exits.
• My coworker downloads software and music from the internet to her workstation.

• Access codes for secure information are visible by visitors.

Page 11: Data Security and Privacy Practices

Incidental Vs. Accidental Disclosures

• An incidental disclosure is a HIPAA-allowed communication gone wrong, by being intercepted by an unintended receiver (not reportable).

• An accidental disclosure is a communication which HIPAA would not allow, that has gone wrong because of human error (reportable to Springfield Clinic [if our information], to the patient, and to HHS).

Page 12: Data Security and Privacy Practices

The 10 Commandments of HIPAA Privacy at Springfield Clinic

Thou Shalt Not:

1. Access PHI or ePHI on any person that is not required by your job.

2. Discuss patient information in hallways, open cars, or within earshot of passers-by.

3. Text/IM patient-identifiable info on an unencrypted electronic device.

4. Leave your PC logged on and unattended.

5. Share any of your passwords with ANYONE.

6. Let your browser remember your password (keys to the kingdom).

7. Fail to report or suppress reporting of a violation, or lost/stolen equipment.

8. Make a services-related web page, or social media posting without a compliance review.

9. Email or text patient information without a secure transmission or without encryption on the sending device.

10. Discard, re-assign, sell, or re-purpose a personal electronic device without stripping the memory if used for patient information transactions (delete doesn’t clear it).

NOTE: The same rules apply to your company, so consider these as helpful suggestions to keep you in good standing.

Page 13: Data Security and Privacy Practices

Fines/Violations

• Violations are counted up “based on the nature of the … obligation to act or not to act.” New factors - # of persons affected by the violation, potential harm to those persons’ reputations and finances.
• Generally, monetary penalties will be tallied on a per person and per day basis. A violation should be corrected promptly within 30 days. Delaying beyond the timeframe will foreclose certain defenses that could decrease monetary penalty amounts.
• The maximum annual cap of $1.5 million is applied on a “per provision” basis.
• Monetary penalty system is as follows:

Degree of Culpability / “State of Mind” | Potential Penalty Per Violation | Maximum Annual Cap for All Violations of Identical HIPAA Provision
Violation was not known and could not have been discovered with reasonable diligence | $100 - $50,000 | $1,500,000
Reasonable cause for violation, not due to willful neglect | $1,000 - $50,000 | $1,500,000
Violation due to willful neglect, but corrected in 30 days | $10,000 - $50,000 | $1,500,000
Violation due to willful neglect, not corrected in 30 days | $50,000 | $1,500,000

Page 14: Data Security and Privacy Practices

HIPAA Patient Rights: Processing With Government Procedures and Due Diligence Documentation

1. The Right to Review Records

Patients may ask to review their medical and/or billing records, which is called a Health Information Review. The Business Associate is required to specify a Designated Record Set of PHI created, received, used, disclosed, or transmitted by the BA, which is the basis of what is reviewable by the patient. This includes any patient-specific documents that you relied upon to perform your BA duties. The DRS documents must be able to be subject to amendment (for example, an x-ray film or EKG tracing is unable to be edited, and so will not be listed in the DRS, but a report of results would be included). All Patient Rights transactions are structured for steps and response time frame in the Law.

2. The Right to Request Amendment

Documents able to be reviewed are susceptible to requests for amendment. A BA may refuse if:
• The information appears to be complete and accurate as it is
• The PHI in question was not generated in your organization (refer to source)
• The author is no longer available or in the company

3. The Right to Request a Privacy Restriction

A request for privacy restriction is when a patient requests an exception to the way their ePHI flows through your business for treatment, payment, or operations (i.e. your programmer is my Ex’s wife, so I don’t want her to have access to my information).

4. The Right to Request Confidential Communications

A request for confidential communications is when a patient requests an exception to the way we communicate with him or her that is not our normal procedure (i.e. redirected mailings, phone calls requiring passwords of callers, etc.). Your Organization must accommodate where possible without ramifications to your business.

5. The Right to Receive a Notice of Privacy Practices

The NPP (Notice of Privacy Practices) explains the patient’s Privacy Rights and tells them where to direct any concerns/complaints if they feel their rights have been violated. This is to be given before the patient’s first service if your Organization has a direct care relationship with the patient. Anyone may request and must receive an NPP booklet at that time.

6. Right to an Accounting of Disclosures

A patient may ask where their health or billing information was sent without their specific authorization in the past 6 years. You are required to document direct disclosures of PHI made without the patient’s knowledge.

7. Right to be notified if PHI is “compromised” in a breach.

8. Right to restrict PHI disclosure to an insurer if they request it and pay cash at time of service for all charges.

Page 15: Data Security and Privacy Practices

Omnibus Added Responsibilities for BA’s

• Numerous provisions of the rules now expressly apply to business associates (and their subcontractors):

– All applicable provisions of the Security Rule
– Use and disclosure limitations of the Privacy Rule, including the minimum necessary principle and applicable de-identification standards.
– To provide a copy of ePHI to a covered entity, the individual, or the individual’s designee (specified in the business associate agreement)
– To maintain an accounting of disclosures
– Obligation to provide PHI to HHS during an investigation or compliance review

• Business associates must report breaches to covered entities, and covered entities are required to report breaches to affected individuals and HHS (and some cases the media).

• Business associates will be subject to audits, compliance reviews, and enforcement actions by HHS as are covered entities – same for subcontractors.

Page 16: Data Security and Privacy Practices

Omnibus Added Responsibilities for BA’s (Cont.)

• A covered entity will not have an agency relationship with a BA (nor a BA with a subcontractor) if the covered entity does not have the ability to provide the BA with ongoing instructions (ongoing authority to direct the BA’s activities).

• Mandates for a variety of comprehensive security measures:
– Periodic risk analyses
– Information system activity review
– Procedures to authorize, supervise, modify, and terminate workforce access to ePHI
– Training
– Incident response procedures
– Data backup plans
– Contingency plans
– Disaster recovery plans
– Periodic program evaluations
– Facility access controls
– Workstation security
– Portable media controls
– Emergency access procedures
– Unique user IDs
– Encryption
– Integrity controls
– Appropriate written agreements with contractors

Page 17: Data Security and Privacy Practices

HIPAA Says: No Snooping!

Five medical workers have been fired over patient data breaches at Cedars-Sinai Medical Center. The audit was triggered by Kim Kardashian’s delivery of daughter North West on June 15, 2013. Kim’s family suspected a leak of information at Cedars-Sinai after media reports included undisclosed details of the stay.

Four of the workers logged onto the hospital’s information system to access patient records, as employees of local physicians with staff privileges at the hospital. The others included a Medical Assistant, a Foundation employee, and a volunteer student research assistant.

After “Octomom” was discharged, Kaiser Permanente fired 15 employees and disciplined 8 more for inappropriate access.

After Fashion Designer Gianni Versace passed away, 5 employees were fired for inappropriate access.

UCLA paid $865,500 for breach of celebrity privacy. The audit was 2005-2009 where breaches had been reported on dozens of celebrities, including Britney Spears, Farrah Fawcett, and Maria Shriver.

• Extra sensitivity for well-known patients is required. Access audits are likely on VIP’s, such as celebrities, politicians, or recent news stories.

• Even mentioning that the VIP was treated at the Clinic is a HIPAA violation.

Page 18: Data Security and Privacy Practices

Secure Handling of Paperwork

HIPAA requires that we provide security to the extent that it is available.

1. Lock your office door, or file cabinet.
2. In open areas, make sure to turn paperwork face down and minimize screens when not in use.
3. When carrying tablets, be sure the screen faces your body.
4. Do not leave hardware unlocked in empty rooms, visible in your car, or set it down while traveling – most breaches result from loss or theft.
5. Don’t leave portable backup drives or CD’s in computers.

Page 19: Data Security and Privacy Practices

Password Protection: Don’t Give Away the Keys to the Kingdom!

To safeguard YOUR system access, protect your password:

1. Don’t use a word that can easily be found in a dictionary (English or otherwise).

2. Use a combination of letters, numbers, and symbols.

3. Don’t share your password or logon and leave others to work. Protect it the same as you would the key to your residence. After all, it is a “key” to your identity in electronic systems.

4. Don’t let your web browser remember your passwords. This will allow others to access your password if the device is lost or stolen.

5. If you forget your password or believe it has been compromised, call your IT person to get it changed right away before leaving for the day.

Be Informed: The Law requires that you will be held accountable for any inappropriate activity under your User ID.

Page 20: Data Security and Privacy Practices

Workstations: Physical Access Controls

• Log-off – when leaving a workstation unattended.
• Lock-up – Lock your workstation: press Ctrl+Alt+Del and then “enter” for quick trips from your desk. Just Ctrl+Alt+Del and re-enter your password to resume working.
• Reminder: Critical during a building evacuation (i.e., fire drill, etc.) when your workstation could be compromised!
• Do not leave PHI on remote printers or copiers.
• If printed materials are viewable by any unauthorized user, ask to have your printer relocated.
• Multi-function processors (copy machines that also scan) have storage of PHI on board. Address this before rental equipment is returned.

Page 21: Data Security and Privacy Practices

Report Privacy & Security Incidents

Everyone is responsible to report security incidents to management.

Security Incident defined: The attempted or successful unauthorized access, use, disclosure, modification, or destruction of information, or interference with system operations in an information system.

Privacy Incident defined: The acquisition, access, use, or disclosure of protected health information in a manner not permitted by the HIPAA Privacy Rule which compromises the security or privacy of the PHI. Also, any denial of patient privacy rights under the law.

Page 22: Data Security and Privacy Practices

Whaaaat Breach?

Unfortunately, this attitude remains a common barrier to compliance. It’s called WILLFUL NEGLIGENCE.

HIPAA requires your workforce to report all suspected privacy and security violations. Please notify your management. They will notify the Springfield Clinic Information Privacy Officer.

Page 23: Data Security and Privacy Practices


…because HIPAA Violations are not Victimless crimes.


Why Should We Care About HIPAA?

Keeping privacy compliance on “the back burner” has real consequences.

Consequences for the patient:
• Identity Theft
• Loss of workplace privacy
• Personal/reputational damage
• Denial of benefits or insurance

Consequences for our Company:
• Increased client dissatisfaction
• Loss of contract for services
• OCR/IL Atty. General Investigations
• Fines for non-compliance
• Civil Monetary Penalties (CMP) for willful negligence
• Long-term Corrective Action Plans
• Company reputational loss with breach and required media announcements
• Huge costs to mitigate
• No willful negligence coverage in breach insurance policies

Page 24: Data Security and Privacy Practices

THANK YOU!

from Springfield Clinic’s Administration and our patients

Notice: The contents in this review are meant only to notify our Business Associates of their privacy and security responsibilities under privacy laws. This presentation should not be considered as legal advice.