HIPAA Privacy and Security: Surviving Heightened Enforcement. Preparing for OCR Audits, Crafting and Implementing Data Security Policies, and Responding to Breaches
1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific
WEDNESDAY, FEBRUARY 29, 2012
Presenting a live 90-minute webinar with interactive Q&A
Today's faculty features:
Nathan A. Kottkamp, Partner, McGuireWoods, Richmond, Va.
Rebecca C. Fayed, Associate General Counsel and Privacy Officer, The Advisory Board Company, Washington, D.C.
Gina M. Kastel, Partner, Faegre Baker Daniels, Minneapolis
HIPAA Privacy and Security: Surviving Heightened Enforcement
Gina M. Kastel | Nathan A. Kottkamp | Rebecca C. Fayed
Agenda
• HIPAA Enforcement: The Dawn of a New Era (Nathan A. Kottkamp)
• Strategies to Prepare For and Respond to a Breach (Rebecca C. Fayed)
• Audits and Best Practices (Gina M. Kastel)
www.mcguirewoods.com
HIPAA Enforcement: The Dawn of a New Era
Nathan A. Kottkamp
McGuireWoods LLP | 8
HIPAA Enforcement: Before HITECH
All Bark, and No Bite?
HIPAA Enforcement Pre-HITECH
• Penalty limited to $100 per violation, or $25,000 per calendar year for all identical violations
• No civil money penalty cases were brought
Providence Health & Services-2008
• Providence agreed to pay $100,000 and implement a detailed Corrective Action Plan to ensure that it will appropriately safeguard identifiable electronic patient information against theft or loss.
• The Resolution Agreement relates to Providence's loss of electronic backup media and laptop computers containing individually identifiable health information in 2005 and 2006.
• Providence agreed to perform certain obligations (e.g., staff training) and make reports to HHS for three years.
• During that period, HHS monitors the covered entity's compliance with the obligations it has agreed to perform.
http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/providenceresolutionagreement.html
CVS-2009
Under the Resolution Agreement, CVS agreed to pay a $2,250,000 resolution amount and implement a strong Corrective Action Plan that requires:
1. revising and distributing its policies and procedures regarding disposal of protected health information;
2. sanctioning workers who do not follow them;
3. training workforce members on these new requirements;
4. conducting internal monitoring;
5. engaging a qualified, independent third-party assessor to conduct assessments of CVS compliance with the requirements of the Corrective Action Plan and render reports to HHS;
6. new internal reporting procedures requiring workers to report all violations of these new privacy policies and procedures; and
7. submitting compliance reports to HHS for a period of three years.
http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/cvsresolutionagreement.html
HIPAA Penalties Under HITECH
The Health Information Technology for Economic and Clinical Health (HITECH) Act revised HIPAA's enforcement regulations:
– New penalty tiers:
• Unknowing: $100 per violation / $25K max
• Reasonable cause: $1K per violation / $100K max
• Willful neglect, corrected: $10K per violation / $250K max
• Willful neglect, uncorrected: $50K per violation / $1.5M max
– Civil and criminal liability for HIPAA violations extended to business associates
– Mandatory investigations and civil penalties for violations due to willful neglect
– Increased emphasis on, and significant funding for, enforcement
Rite Aid-2010
Under the HHS resolution agreement, Rite Aid agreed to pay a $1 million resolution amount to HHS and must implement a strong corrective action program that includes:
– Revising and distributing its policies and procedures regarding disposal of protected health information, and sanctioning workers who do not follow them;
– Training workforce members on these new requirements;
– Conducting internal monitoring; and
– Engaging a qualified, independent third-party assessor to conduct compliance reviews and render reports to HHS.
http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/riteaidresagr.html
2011
Enforcement
• To boost enforcement of the HIPAA Security Rule, OCR has added investigators in 10 regional offices.
• HHS is seeking a $5.6 million increase in funding for fiscal 2012 enforcement.
• In FY 2010, the office received approximately 9,400 complaints associated with the HIPAA Privacy and Security Rules.
Cignet Health-Landmark HIPAA Civil Monetary Penalty, February 4, 2011
"Today the message is loud and clear: HHS is serious about enforcing individual rights guaranteed by the HIPAA Privacy Rule and ensuring provider cooperation with our enforcement efforts."
-OCR Director Georgina Verdugo
http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/cignetresolutionagreement.html
Cignet Health of Prince George’s County, MD-Landmark HIPAA Civil Monetary Penalty, February 4, 2011
• The first-ever civil money penalty: $4.3 million
• Cignet violated 41 patients' rights by denying them access to their medical records when requested between September 2008 and October 2009.
– The HIPAA Privacy Rule requires that a covered entity provide a patient with a copy of their medical records within 30 (and no later than 60) days of the patient's request.
– The CMP for these violations is $1.3 million.
• Cignet failed to cooperate with OCR's investigations of the complaints and to produce the records in response to OCR's subpoena.
– Covered entities are required under law to cooperate with the Department's investigations.
– The CMP for these violations is $3 million.
Cignet Health-Landmark HIPAA Civil Monetary Penalty, February 4, 2011
"Covered entities and business associates must uphold their responsibility to provide patients with access to their medical records, and adhere closely to all of HIPAA's requirements . . . . The U.S. Department of Health and Human Services will continue to investigate and take action against those organizations that knowingly disregard their obligations under these rules."
-OCR Director Georgina Verdugo
http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/cignetresolutionagreement.html
Mass General-“The Million Dollar Subway Ride,” February 14, 2011
• An employee of General Hospital Corporation and Massachusetts General Physicians Organization Inc. (“Mass General”) left documents on a subway that included a patient schedule containing protected health information (“PHI”) of 192 patients, and billing forms with PHI for 66 of those patients. This included PHI of patients with HIV/AIDS.
• The records were bound only by a rubber band!
• Mass General paid the US Government a $1,000,000 settlement and entered into a Corrective Action Plan ("CAP"):
– Develop and implement a comprehensive set of policies and procedures that ensure PHI is protected when removed from Mass General's premises;
– Train workforce members on these policies and procedures; and
– Designate the Director of Internal Audit Services to serve as an internal monitor who will conduct assessments of compliance with the CAP and render semi-annual reports to HHS for a 3-year period.
"To avoid enforcement penalties, covered entities must ensure they are always in compliance with the HIPAA Privacy and Security Rules. . . . A robust compliance program includes employee training, vigilant implementation of policies and procedures, regular internal audits, and a prompt action plan to respond to incidents."
-OCR Director Georgina Verdugo
Class Actions
•Big money for big breaches.
UCLA (2011)
• $16 million: 16,000 patients x $1,000
• Encrypted laptop stolen from an employee's home, BUT the sheet of paper with the password was also missing!
• Laptop included various PHI
Stanford Hospital & Clinics (2011)
• $20 million: 20,000 patients x $1,000
• Information (allegedly) posted on a website included: name, medical record number, admission/discharge dates, diagnosis codes, and billing charges.
• NOTE: Stanford's business associate caused the issue, but Stanford is getting sued.
Sutter Health (2011)
• $1 billion: $1,000 per person, with over 4 million people affected
• Information on a stolen, unencrypted desktop PC included: names, addresses, dates of birth, phone numbers, and email addresses (if the patient provided one)
Pentagon (2011)
• $4.9 billion: 4.9 million TRICARE beneficiaries x $1,000
• Information on the lost backup tapes included: addresses, PHI, phone numbers, and Social Security numbers
• NOTE: the Pentagon's business associate caused the issue, but the Pentagon is getting sued.
HIPAA as the Basis for State Law Negligence
• I.S. v. Washington University, E.D. Mo., No 11-235, June 14, 2011.
• Violation of HIPAA served as basis for state-law negligence per se claim.
Business Associate Enforcement Action (2012)
• First known enforcement action against a business associate: 2012
– The Minnesota Attorney General brought a formal enforcement action against Accretive Health, Inc.
– A stolen, unencrypted laptop contained records for 23,500 patients, including: names, addresses, dates of birth, Social Security numbers, and a score used to predict admission rates
– Beyond HIPAA, the key issue appears to be alleged deceptive practices in which patients were not informed of the scope of information collected by Accretive Health
Consequences
• MORE, MORE, MORE:
– Education
– Policies
– Monitoring
– Documentation
– Scrutiny
Questions?
Nathan A. Kottkamp
804.775.1092 | [email protected] | www.mcguirewoods.com
© 2012 McGuireWoods LLP
HIPAA Privacy and Security: Surviving Heightened Enforcement
Strategies to Prepare for or Respond to a Breach
February 29, 2012
Rebecca C. Fayed, Associate General Counsel & Privacy Officer
© 2012 The Advisory Board Company
10-Step Breach Response Plan Overview
1. Prepare for the possibility of a breach.
2. Investigate the incident.
3. Mitigate the harm and take corrective action.
4. Assess and document whether the incident is a "breach" under the HITECH Act / HHS Breach Notification Rule.
5. Analyze whether the incident is a breach under applicable state law.
6. Notify individuals (or the covered entity).
7. Notify the media.
8. Notify HHS and, if applicable, state agencies.
9. Reassess privacy and security compliance policies and procedures.
10. Prepare for the possibility of an HHS-OCR or state AG investigation.
Step 1: Prepare for the Possibility of a Breach
Are we prepared?
• Establish an incident response team
• Develop and implement an incident response and breach notification policy
• Encrypt PHI?
• Data security breach insurance?
Step 2: Investigate the Incident
Incident response team and incident response / breach notification process in place?
• If yes, follow the procedure and initiate the actions of the incident response team.
• If no, identify the individuals in the best position to help investigate, respond to the incident and make decisions.
Identify the following:
• Facts surrounding the incident (e.g., stolen or lost laptop, backup tape or portable storage device; email or fax sent to the wrong recipient; paper records thrown in the trash)
• Date of the incident
• Data elements (e.g., names, addresses, phone numbers, PHI, SSNs, credit card numbers)
• Number of people affected
• States in which the affected people live, and the total in each state
• Whether the information was encrypted
Step 3: Mitigate Harm & Take Corrective Action
• A covered entity must mitigate, to the extent practicable, any harmful effect that is known to the covered entity of a use or disclosure of PHI in violation of its policies and procedures or the Privacy Rule by the covered entity or its business associate. 45 C.F.R. 164.530(f).
Mitigate harm:
• File a police report
• Contact the recipient and ask for the information to be returned or destroyed
Take corrective action:
• Revise policies and procedures
• Sanction employees
• Conduct additional training
Step 4: Assess Whether Incident is a Breach under HITECH Act / HHS Breach Notification Rule
Breach: acquisition, access, use, or disclosure of PHI (either electronic or hard copy) not permitted by the Privacy Rule which compromises the security or privacy of the PHI (i.e., it poses a significant risk of financial, reputational, or other harm to the individual).
Three-part test:
1. Impermissible use or disclosure of PHI under the Privacy Rule?
2. Compromises the privacy or security of the PHI by creating a significant risk of harm?
3. Excluded from the definition of a breach?
Step 4: Assess Whether Incident is a Breach under HITECH Act / HHS Breach Notification Rule (continued)
• The HITECH Act breach notification requirement applies only to breaches of unsecured PHI; a breach of secured PHI is not subject to the notification requirement.
• PHI is secured if it has been rendered "unusable, unreadable, or indecipherable" to unauthorized individuals.
• HHS guidance recognizes only two technologies and methodologies that secure PHI: encryption and destruction.
• Encryption provides this safe harbor only if the decryption key or password was not compromised along with the data. An encrypted laptop stolen together with the sheet of paper carrying its password (the UCLA facts above) is not secured PHI.
Step 5: Analyze Whether Incident is a Breach Under State Law
• In what states do the affected people reside?
• Does the state have a breach notification law?
• What is included within the definition of "personal information"?
• Are there any exceptions to the breach notification obligations (e.g., encryption or harm-based standards)?
If a state breach notification law is triggered, notification obligations may exist in addition to those required under the HITECH Act.
Step 6: Notify Individuals or the Covered Entity
Timing of notification
• Notice must be provided to the individual "without unreasonable delay" and no later than 60 days after the breach is discovered.
Other timing considerations
• Notification should be made sooner than 60 days if possible. Many state laws require notification sooner.
Format of notification
• Via first-class mail, unless the individual has specified a preference for email.
Content of the notice
• Description of the facts of the breach.
• Type of PHI involved.
• Steps individuals should take to protect themselves.
• What the covered entity is doing to investigate the situation and prevent future breaches.
• Contact information for individuals to ask questions.
Substitute notice
• May be required if the entity is not able to contact people.
Business associate notification requirements
• Must notify the covered entity of the breach no later than 60 days after the breach is discovered.
• The BA agreement may specify a shorter notification timeline.
• The contract may specify who will notify the individuals and/or who will pay for such notification.
Step 7: Notify the Media
If the PHI of more than 500 residents of one state or jurisdiction is breached, the entity must notify "prominent media outlets" serving that state.
Step 8: Notify HHS and/or State Agencies
Covered entities must notify HHS of the breach:
• If 500 or more individuals are affected, notify HHS contemporaneously with the notification to individuals, via the online notification form.
• If fewer than 500 individuals are affected, notify HHS via an annual log of events, submitted no later than 60 days following the end of the calendar year in which the breach was discovered.
Check state laws to determine whether any state agencies must be notified (e.g., police department, consumer protection agencies, Attorney General's office).
http://ocrnotifications.hhs.gov/
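The decision logic of Steps 4 and 6 through 8, as an added worked example that is not part of the webinar materials. It encodes the unsecured-PHI safe harbor, the three-part breach test, and the federal notification thresholds and deadlines stated above, so that the facts gathered in Step 2 can be run through the same checklist consistently. The Incident fields, function names and scenario data are this example's own assumptions; the "significant risk of harm" judgment is a legal determination and is supplied as an input rather than computed; state-law obligations (Step 5) are not modelled.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List

# Thresholds and deadlines as stated in Steps 4 and 6-8
# (Breach Notification Rule as in force in early 2012).
INDIVIDUAL_NOTICE_MAX_DAYS = 60   # outer limit; "without unreasonable delay"
MEDIA_NOTICE_THRESHOLD = 500      # more than 500 residents of one state
HHS_IMMEDIATE_THRESHOLD = 500     # 500 or more individuals in total
ANNUAL_LOG_GRACE_DAYS = 60        # after the end of the calendar year of discovery


@dataclass
class Incident:
    """Facts gathered in Step 2. Field names are this example's own."""
    discovered: date
    impermissible_use_or_disclosure: bool   # Step 4, test 1
    significant_risk_of_harm: bool          # Step 4, test 2: legal judgment, given as input
    excluded_from_breach_definition: bool   # Step 4, test 3
    affected_by_state: Dict[str, int] = field(default_factory=dict)
    phi_encrypted: bool = False
    decryption_key_compromised: bool = False  # e.g. password on paper stolen with the laptop
    phi_destroyed: bool = False
    reporter_is_business_associate: bool = False

    @property
    def total_affected(self) -> int:
        return sum(self.affected_by_state.values())


def phi_is_secured(inc: Incident) -> bool:
    """Safe harbor: only encryption and destruction make PHI 'secured',
    and encryption counts only if the key did not leak with the data."""
    if inc.phi_destroyed:
        return True
    return inc.phi_encrypted and not inc.decryption_key_compromised


def is_notifiable_breach(inc: Incident) -> bool:
    """Step 4: the three-part breach test, applied only to unsecured PHI."""
    if phi_is_secured(inc):
        return False
    return (inc.impermissible_use_or_disclosure
            and inc.significant_risk_of_harm
            and not inc.excluded_from_breach_definition)


def notification_obligations(inc: Incident) -> List[str]:
    """Steps 6-8: HITECH duties triggered by the incident, with ISO dates.
    State-law duties (Step 5) may add to these and are not modelled."""
    if not is_notifiable_breach(inc):
        return []
    deadline = (inc.discovered + timedelta(days=INDIVIDUAL_NOTICE_MAX_DAYS)).isoformat()
    if inc.reporter_is_business_associate:
        # A BA notifies the covered entity; the BA agreement may shorten this.
        return [f"notify the covered entity no later than {deadline}"]
    duties = [f"notify individuals without unreasonable delay, no later than {deadline}"]
    for state, n in sorted(inc.affected_by_state.items()):
        if n > MEDIA_NOTICE_THRESHOLD:          # strictly more than 500 in one state
            duties.append(f"notify prominent media outlets in {state} ({n} residents)")
    if inc.total_affected >= HHS_IMMEDIATE_THRESHOLD:   # 500 or more in total
        duties.append("notify HHS contemporaneously with individual notice (online form)")
    else:
        year_end = date(inc.discovered.year, 12, 31)
        log_due = (year_end + timedelta(days=ANNUAL_LOG_GRACE_DAYS)).isoformat()
        duties.append(f"record in annual log for HHS, due {log_due}")
    return duties


def demo_scenarios() -> Dict[str, Incident]:
    """Constructed scenarios loosely modelled on the cases discussed above;
    dates and counts are illustrative, not the real case facts."""
    return {
        "paper_on_subway": Incident(date(2009, 3, 9), True, True, False,
                                    affected_by_state={"MA": 192}),
        "encrypted_laptop_key_safe": Incident(date(2011, 11, 4), True, True, False,
                                              affected_by_state={"CA": 16_000},
                                              phi_encrypted=True),
        "encrypted_laptop_password_on_paper": Incident(date(2011, 11, 4), True, True, False,
                                                       affected_by_state={"CA": 16_000},
                                                       phi_encrypted=True,
                                                       decryption_key_compromised=True),
        "unencrypted_desktop": Incident(date(2011, 10, 15), True, True, False,
                                        affected_by_state={"CA": 4_000_000}),
        "exactly_500_one_state": Incident(date(2012, 1, 10), True, True, False,
                                          affected_by_state={"MN": 500}),
    }


if __name__ == "__main__":
    for name, inc in demo_scenarios().items():
        print(name, "->", notification_obligations(inc) or "no HITECH notification")
```

The two 500-person thresholds are deliberately different comparisons: media notice needs more than 500 residents of a single state, while the contemporaneous HHS report is triggered at 500 or more individuals in total, so an incident touching exactly 500 people in one state reports to HHS immediately but owes no media notice. The encrypted-laptop pair shows why Step 2 should record not just "was it encrypted" but whether the key travelled with the device.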
Step 9: Reassess Privacy & Security Policies
Compliance policies and procedures should be evaluated and revised if they do not work for an organization or do not prevent privacy and security violations. For example:
• If the incident involved a lost or stolen backup data tape, consider changing the procedure for transport and/or storage.
• If the incident involved faxing information to a wrong number, consider changing the procedure to require contacting the intended recipient before the fax is sent to confirm the number, and after the fax is sent to confirm receipt.
• If the incident was the result of employee error, consider retraining employees.
• If the incident was the result of a business associate's error, consider imposing more stringent safeguards under the agreement.
Step 10: Prepare for a Possible Investigation by OCR or State Attorney General
HHS-OCR has stated that it has initiated an investigation into every breach reported to its office via the online notification system that involved more than 500 individuals. OCR has trained state AGs on HIPAA enforcement. Investigations have been initiated by letter and by phone. As evidenced by recent actions, OCR expects cooperation. Generally, OCR has been asking for:
• Facts surrounding the breach.
• Copies of notification letters, media notices, and business associate agreements.
• Actions taken to locate missing data, prevent further loss of data, and protect affected individuals (e.g., credit monitoring services).
• Security Rule risk assessments.
• Description of the safeguards in place to protect the information, specifically whether the data was encrypted.
• Compliance efforts related to policy and procedure revisions, training, and sanctions imposed.
Rebecca C. Fayed Associate General Counsel & Privacy Officer [email protected]
Audits and Best Practices
Gina M. Kastel
Audit Overview
• The HITECH Act requires HHS to provide for periodic audits to ensure covered entities and business associates comply with the HIPAA privacy and security rules and breach notification standards
• Pilot program developed for up to 150 audits of covered entities and business associates
• KPMG LLP is the audit contractor, under a $9 million contract
Audit Process
• Follows generally familiar audit mechanisms
• Selected entities will be informed by OCR of their selection and asked to provide compliance documentation
• In the pilot phase, every audit will include a site visit and result in an audit report
• During site visits, auditors will interview key personnel and observe processes and operations
Audit Timeline (2011-12)
Audit Follow Up
• Auditors will develop and share a draft report
• Prior to finalizing the report, the covered entity will have the opportunity to discuss concerns and describe corrective actions
• The final report submitted to OCR will incorporate steps taken to resolve any compliance issues and the entity's best practices
• OCR may initiate a compliance review for serious issues
• Audited entities will not be identified publicly
Best Practices
Reassess and Ensure Compliance
• Review and update policies and procedures
– Complete? Accessible? Any zombies (obsolete policies still on the books)?
• Once the house is in order, update for HITECH
• Monitor new developments
Learn from the Mistakes of Others
• Massachusetts General Resolution Agreement: www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/massgeneralra.pdf
• Cignet Notice of Final Determination: www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/cignetpenaltyletter.pdf
• OCR enforcement examples and resolution agreements: www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/index.html
• OCR security breach list: www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html
Train, Train, Train
• Consider a mix of training methods
• Train regularly
• Focus on high-risk issues
• Have staff take tests and certify completion of training
• Keep training materials
Respond Quickly
• Ensure prompt incident response processes are in place
• Investigate thoroughly
• Implement appropriate corrective action
• Take appropriate disciplinary action
• COOPERATE WITH THE GOVERNMENT!
Set the Tone at the Top
• Get buy-in on health care compliance from the executive team
• Ensure managers and supervisors stress the importance of compliance
Conduct Ongoing Compliance Assessments
• Develop a program of self-monitoring and auditing
• Focus on high-risk areas
– Mobile devices
– High-profile patients and members
– Improper disclosures
– Disposal of records
• Follow up when problems are found
Monitor New Developments
• Someone in the organization should be responsible for tracking new developments
• Share information when the law or enforcement activity changes
• Have a mechanism in place to respond to new developments
Contact Information: Gina M. Kastel | [email protected] | 612 766 7923