Upload: holland-hart-llp

Post on 13-Aug-2015

TRANSCRIPT

HIPAA 2015: Avoiding Penalties

Kim C. Stanger

(2/15)

Written Materials

• Copy of .ppts
• Stanger, HIPAA Update 2014: Why and How You Must Comply
• Checklists of required policies and forms
  – Privacy
  – Security
  – Breach notification
• Checklist for Notice of Privacy Practices
• Checklist for Business Associate Agreements
• Checklist for Omnibus Rule Compliance

Preliminaries

• Presentation will be recorded and available for download at www.hhhealthlawblog.com.

• If you have questions, please submit them using chat line or e-mail me at [email protected].

Preliminaries

This presentation is similar to any other legal education materials designed to provide general information on pertinent legal topics. The statements made as part of the presentation are provided for educational purposes only. They do not constitute legal advice nor do they necessarily reflect the views of Holland & Hart LLP or any of its attorneys other than the speaker. This presentation is not intended to create an attorney-client relationship between you and Holland & Hart LLP. If you have specific questions as to the application of law to your activities, you should seek the advice of your legal counsel.

Preliminaries

• This is an overview.
  – Check regulations when time to apply.
• Rules may depend on entity type.
  – Covered entity
  – Business associate
• More restrictive state or federal laws may apply.
  – More protective of health info.
  – More rights to patient concerning their health info.
• Beware state court cases re privacy.

HIPAA History

• 2003: Privacy Rule, 45 CFR 164.500 et seq.
  – Requires covered entities and business associates to protect the confidentiality of protected health information (“PHI”).
  – Gives patients certain rights concerning their PHI.
• 2005: Security Rule, 45 CFR 164.300 et seq.
  – Requires covered entities to implement certain safeguards to protect e-PHI.
• 2009: HITECH Act
  – Breach Notification Rule, 45 CFR 164.400 et seq.
  – Enforcement Rule, 45 CFR 160.400 et seq.
• 2013: Omnibus Rule changed the rules.

HIPAA Penalties

[Diagram: HIPAA penalties apply to both covered entities and business associates.]

Criminal Penalties (42 USC 1320d-6(a))

• Applies if employees or other individuals obtain or disclose protected health info from covered entity without authorization.

Conduct / Penalty

• Knowingly obtain info in violation of the law
  – $50,000 fine
  – 1 year in prison
• Committed under false pretenses
  – $100,000 fine
  – 5 years in prison
• Intent to sell, transfer, or use for commercial gain, personal gain, or malicious harm
  – $250,000 fine
  – 10 years in prison

Civil Penalties (45 CFR 160.400)

Conduct / Penalty

• Did not know and should not have known of violation
  – $100 to $50,000 per violation
  – Up to $1.5 million per type per year
  – No penalty if correct w/in 30 days
  – OCR may waive or reduce penalty
• Violation due to reasonable cause
  – $1,000 to $50,000 per violation
  – Up to $1.5 million per type per year
  – No penalty if correct w/in 30 days
  – OCR may waive or reduce penalty
• Willful neglect, but correct w/in 30 days
  – $10,000 to $50,000 per violation
  – Up to $1.5 million per type per year
  – Penalty is mandatory
• Willful neglect, but do not correct w/in 30 days
  – At least $50,000 per violation
  – Up to $1.5 million per type per year
  – Penalty is mandatory

Civil Penalties

• Dermatologists pay $150,000
  – Theft of USB containing PHI of 2200 patients; inadequate risk assessment and breach notification policies.
• Affinity Health Plan pays $1,215,780.
  – Failed to erase photocopiers before returning to leasing company; failed to consider photocopiers in risk analysis or implement security policies.
• Wellpoint pays $1,700,000
  – Web based application left PHI exposed; failed to implement policies for authorizing on-line access or evaluate effects of software upgrade.
• Shasta Regional Medical Center pays $275,000
  – Officials disclosed info to media and employees.

Civil Penalties

• Hospice of North Idaho pays $50,000
  – Theft of unencrypted laptop containing 441 patients’ PHI; no risk analysis and no policies or procedures re mobile devices
• Idaho State University pays $400,000
  – Disabled firewall leaving 17,500 patients’ PHI exposed for 10 months; inadequate policies and safeguards
• Massachusetts Eye and Ear Clinic pays $1,500,000
  – Theft of unencrypted laptop; no risk analysis and inadequate security policies re mobile devices
• Phoenix Cardiologists pay $100,000
  – Medical staff members disclosing info to media
• Mass General pays $1,000,000
  – Employee left records on subway

Civil Penalties

• HHS may not impose a civil penalty on a covered entity or business associate for a violation if the covered entity or business associate establishes that the violation is:
  – Not due to willful neglect, and
  – Corrected within either the 30-day period beginning on the first date the covered entity or business associate knew or should have known that the violation occurred, or such additional time as HHS deems appropriate based on the facts.

(45 CFR 160.410(b))

Civil Penalties

• HHS indicated the following represents a situation where the covered entity did not act with willful neglect: “A hospital employee accessed the paper medical record of his ex-spouse while he was on duty…, knowing that such access was not permitted by the Privacy Rule and contrary to the policies and procedures of the hospital…. The covered entity had appropriate and reasonable safeguards regarding employee access to medical records, and that it had delivered appropriate training to the employee.”

(75 FR 40879)

• No willful neglect = no penalties, if covered entity corrects the situation within 30 days.

Additional Reasons to Comply


• State attorney general can bring lawsuit.
  – $25,000 fine per violation + fees and costs
• In the future, affected individuals may recover percentage of fines or penalties.
  – Still waiting for regulations.
• Must sanction employees who violate HIPAA.
• Covered entity must act to stop business associate’s misconduct or terminate business associate agreement (“BAA”).
• HHS is resuming audits.
• OIG 2015 workplan includes HIPAA issues.

Additional Reasons to Comply

• Affected individuals may bring private lawsuit for violations.
  – No private cause of action under HIPAA.
  – Covered entity may sue business associate for breaching the BAA.
  – Injured individuals may sue under state tort theories.
    • Negligence
    • Negligence per se
    • Privacy torts
      – Unreasonable, highly offensive intrusion into solitude or seclusion.
      – Public disclosure of private facts.
      – Infliction of emotional distress.
    • Vicarious liability of employer.

Tips for Avoiding HIPAA Liability

1. Assign HIPAA responsibility

• Designate officers in writing:
  – Privacy officer
    • Policies and procedures
    • Implementation
    • Enforcement
  – Security officer
    • Policies and procedures
    • Implementation
    • Enforcement
  – Contact person
    • Complaints and info

(45 CFR 164.530(a))

2. Know the Privacy Rules

• Cannot use or disclose PHI without a valid, written HIPAA authorization unless--
  – Use or disclosure is for treatment, payment or health care operations (164.506).
  – Disclosure is for certain purpose and patient has not objected.
    • For facility directory.
    • To family and others involved in patient’s care if, in your professional judgment, disclosure is appropriate (164.510).
  – Exception applies (e.g., disclosure required by law; to avoid harm; subpoenas and orders; law enforcement; etc.) (164.512).

(45 CFR 164.502-.514)

2. Know the Privacy Rules

[Chart (layout not recoverable from the transcript): “Marketing Communication” and “Authorization needed”, with the labels: Face to Face; Promotional gift of nominal value; Treatment; Healthcare operations; Describe covered entity’s own products or services; Refill reminders; Financial remuneration received for communication.]

2. Know the Privacy Rules

• Generally cannot use, disclose, or request more than is minimally necessary.
  – Does not apply to other providers.
  – May rely on representation of other covered entities.
• Must have “minimum necessary” policies.
  – Role-based access
  – Protocols for handling routine disclosures
  – Process for non-routine disclosures
• Take reasonable steps to verify that the person is entitled to the info.

(45 CFR 164.502-.514)

2. Know the Privacy Rules

• Read 45 CFR Part 164
  – 164.300 Security Rule
  – 164.400 Breach Notification Rule
  – 164.500 Privacy Rule
• Become familiar with OCR website and OCR-published materials, http://www.hhs.gov/ocr/privacy/.
• Beware false info.

3. Respect patients’ rights

• Receive notice of privacy practices.
  – If you have not done so, update it per Omnibus Rule.
• Request restrictions on use or disclosure for treatment, payment or operations.
  – Generally not required to agree unless disclosure is to health insurer and patient paid for care.
• Request communications by alternative means or at alternative locations.
  – Warn patient if communicating via e-mail or text.
• Access protected health info.
• Amend protected health info.
• Account for disclosures of protected health info.

(45 CFR 164.520-.528)

4. Implement written policies

• Must have written policies to ensure compliance.
  – Privacy
  – Security
  – Breach notification
• Don’t wait to create the perfect policy.
• Ensure policies are workable.
• Periodically review policies and compliance.

(45 CFR 164.530(i))

* See checklists of policies.

4. Implement written policies

• If you have not done so, update policies re Omnibus Rule requirements.
  – Deceased persons.
  – Restrictions on disclosures to insurers.
  – Selling PHI.
  – Using or disclosing PHI to market.
  – Access to electronic PHI.
  – Breach notification standard.

5. Develop compliant forms

• Must have compliant:
  – Authorization
  – Notice of privacy practices
  – Business associate agreements
• If have not done so, update forms to comply with Omnibus Rule requirements.
  – See checklists.
• May want other forms:
  – Request to access PHI
  – Request to amend PHI
  – Log of disclosures of PHI

www.hhs.gov/ocr/privacy/hipaa/modelnotices

6. Execute BAAs

• Business associates (“BA”) = entities to whom you give PHI to perform function on your behalf.
  – Includes entities that maintain PHI.
  – Includes covered entities acting as BAs.
• Execute business associate agreement (“BAA”) before disclose PHI to BAs.
  – Include required elements.
  – See checklist.
• Not liable for BA misconduct unless BA is your agent.
  – Ensure BAA confirms they are not your agent.
• Not obligated to monitor BA, but must respond if you know BA violates HIPAA or BAA.

(45 CFR 164.314, -.502, -.504)

www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html

6. Execute business associate agreements

• Covered entities may want to add these terms:
  – Business associate must report or act within x days.
  – Business associate must implement policies.
  – Business associate must encrypt or implement other specific safeguards.
  – Business associate must carry data breach insurance.
  – Business associate must notify individuals of breaches and/or reimburse covered entity for costs of the notice.
  – Business associate must defend and indemnify for losses, claims, etc.
  – Business associate is an independent contractor, not agent.
  – Business associate assumes liability for subcontractors.
  – Allow termination of underlying agreement.
  – Must have consent to operate outside the United States.
  – Covered entity has right to inspect and audit.
  – Cooperate in HIPAA investigations or actions.

6. Execute business associate agreements

• Business associates probably want to add these terms:
  – Covered entity will not disclose PHI unless necessary.
  – Covered entity will not request action that violates HIPAA.
  – Covered entity will not agree to restrictions on PHI that will adversely affect business associate.
  – Covered entity will notify business associate of all such restrictions.
  – Covered entity will reimburse for additional costs.
  – Blanket reporting for unsuccessful security incidents.
  – Specify business associate does not maintain designated record set.
  – Reserve the right to terminate based on restrictions or other change that adversely affects business associate.
  – Subcontractors are independent contractors, not agents.
  – Mutual indemnification.
  – Limitation or cap on damages.

7. Perform and document security risk analysis

• Required for security rule.
  – Cited in recent penalties.
• Identifies potential risk areas.
  – Include mobile devices, USBs, etc.
• Good risk management tool in addition to helping HIPAA compliance.
• Document analysis.
• Periodically reevaluate analysis.
  – New systems or equipment.
• See new tools on OCR website, http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/securityruleguidance.html

www.nist.gov/itl/csd/20111122_hipaa_tools.cfm

8. Implement required safeguards

• Privacy Rule: must implement reasonable administrative, technical, and physical safeguards.
  – Use employee, volunteer, and vendor confidentiality agreements.
  – Protect mobile devices and USBs.
  – Don’t leave PHI lying around or open to view.

(45 CFR 164.306-.312, 164.530(c))

• “Incidental disclosures”
  – No HIPAA violation if had reasonable safeguards in place and complied with minimum necessary standard.
  – Not required to give breach notice of incidental disclosures.

8. Implement required safeguards

• Security Rule: must implement specified safeguards
  – Administrative
  – Technical
  – Physical
• Implementation specifications
  – Required
  – Addressable (alternative must provide equivalent protection and justification must be documented).
• Remember: these are things you should be doing anyway to protect your business.

(45 CFR 164.306-.312)

* See checklists

www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brguidance.html

www.healthit.gov/providers-professionals/your-mobile-device-and-health-information-privacy-and-security

8. Implement required safeguards

• HIPAA Security Rule generally requires data transmission by secure means.
  – Encryption is an “addressable” standard.

(45 CFR 164.312)

• HIPAA Privacy Rule allows patient to request communications by alternative means or at alternative locations.
  – Including unencrypted e-mail.

(45 CFR 164.522(b))

• Omnibus Rule commentary states that covered entity or business associate may communicate via unsecured e-mail so long as they warn patient of risks and patient elects to communicate via unsecured e-mail or text.

(78 FR 5634)

9. Train your workforce

• Train members of workforce.
  – Practitioners, staff, volunteers, etc. upon hire.
  – Periodic retraining.
    • Change in policies
    • In response to violation
• Ensure they understand the policies and principles.
• Use notice of privacy practices.
• Document training.

(45 CFR 164.530(b))

* Remember Walgreens: may not be enough to simply train; may also need to monitor compliance!

10. Respond immediately to any breach

• Timely response important because:
  – Required to mitigate breach.
  – May minimize risk that data is compromised and avoid breach notification requirements.
  – May avoid penalties if do not act with willful neglect and correct the situation within 30 days.
• Train employees to report immediately.
• Sanction workforce members for violations.
• Document your actions.

10. Respond immediately to any breach

• If you think there is a breach:
  – Take immediate action to stop disclosure or retrieve the PHI.
  – Confirm scope of breach.
    • Persons who may have received PHI.
    • Type of PHI involved.
    • Additional redisclosures.
  – Obtain confirmation from recipient[s] that they have not and will not further use or disclose the info, and warn them of penalties.
  – Document in writing.

10. Respond immediately to any breach

• HHS interprets “corrected” broadly: “For example, in the event a covered entity’s or business associate’s noncompliant inadequate safeguards policies result in an impermissible disclosure, the disclosure violation itself could not be fully undone or corrected. The safeguards violation, however, could be ‘corrected’ in the sense that the noncompliant policies and procedures could be brought into compliance.”

(75 FR 40879)

11. Report breach if required

• If “breach” of unsecured protected health info:
  – Business associate must notify covered entity.
  – Covered entity must notify—
    • Patient or next of kin
    • HHS
    • Media in some cases
• Maintain written policy.
• Document breaches, evaluation, and response.

(45 CFR 164.400-.410)

11. Report breach if required

• Acquisition, access, use or disclosure of PHI in violation of privacy rules is presumed to be a breach (unless an exception applies) unless the covered entity or business associate demonstrates that there is a low probability that the info has been compromised based on a risk assessment of the following factors:
  – nature and extent of PHI involved;
  – unauthorized person who used or received the PHI;
  – whether PHI was actually acquired or viewed; and
  – extent to which the risk to the PHI has been mitigated.

(45 CFR 164.402)

• “Breach” defined to exclude the following:
  – Unintentional acquisition, access or use by workforce member if made in good faith, within scope of authority, and PHI not further disclosed in violation of HIPAA privacy rule.
  – Inadvertent disclosure by authorized person to another authorized person at same covered entity, business associate, or organized health care arrangement, and PHI not further used or disclosed in violation of privacy rule.
  – Disclosure of PHI where covered entity or business associate have good faith belief that unauthorized person receiving info would not reasonably be able to retain info.

(45 CFR 164.402)

11. Report breach if required


• To individual
  – No more than 60 days from discovery
  – By mail
  – Contain required elements
• To HHS
  – If < 500 persons, by March 1 of next year
  – If > 500 persons, no more than 60 days from discovery
  – Electronic report from OCR website, www.hhs.gov/ocr/privacy/hipaa/administrative/brinstructions.html
• To media if breach > 500 persons in a state.

(45 CFR 164.400 et seq.)

12. Maintain required documentation

• Maintain required documentation for 6 years from last effective date.
  – Policies and procedures
  – Notice of Privacy Practices and acknowledgement
  – Business associate agreements
  – Accounting logs
  – Officer designations
  – Training
  – Complaints and response
  – Persons responsible for responding to patient requests

(45 CFR 164.530(j))

Beware Other Privacy Laws

• Breach of electronic security
  – Usually applies to breach of electronic records containing SSN, account info, etc.
  – Usually requires notice to patients, perhaps AG, etc.
• More restrictive laws
  – Drug and alcohol treatment
  – Mental health
• Employment records
• Others?

Remember your employee benefit plan

• HIPAA applies to employee benefit plans if:
  – Administered by a third party, or
  – Have 50+ participants.
• Employee benefit plan must comply with HIPAA
  – Required policies.
  – Required notices.
  – Others.

Additional Resources

HIPAA Resources

• OCR website: www.hhs.gov/ocr/hipaa
  – Regulations
  – Summary of regulations
  – Frequently asked questions
  – Guidance regarding key aspects of privacy rule
  – Sample business associate agreement
  – Breach notification to HHS portal
• OCR listserve
  – Notice of HIPAA changes

HIPAA Audit Protocol: www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html

Holland & Hart HIPAA Resources

• Holland & Hart Healthlaw Updates
• Holland & Hart webinars available at www.hollandhart.com
• Sample HIPAA documents
  – Privacy and breach notification policies
  – Forms (e.g., notice of privacy practices, request to access info, request to amend info, etc.)
  – Agreements (e.g., BAA, confidentiality agreements, etc.)
  – Letters (response to OCR, notice to patient, etc.)
• Contact [email protected].

Questions?

Kim C. Stanger
Holland & Hart LLP
[email protected]
(208) 383-3913