HIPAA LESSONS FROM THE ENFORCERS AND THE HEADLINES
NARHC 2019
MARGARET SCAVOTTO, JD, CHC, PRESIDENT, MPA
ST. LOUIS, MO
PROTECTED HEALTH INFORMATION
HIPAA protects PHI: information that can identify a patient and relates to the patient’s health condition, treatment, or payment for treatment.
ELECTRONIC PROTECTED HEALTH INFORMATION
ePHI is electronic PHI: PHI received, created, maintained, or transmitted in electronic form.
OCR UPDATE - WHAT’S NEW?
OCR UPDATE: NEW GUIDANCE
• Social Media
• Texting
• Encryption
Coming soon…
OCR UPDATE: CHANGES
• Presumption of good faith
• Removal of the NPP acknowledgment
• Compensation for harmed individuals
Is HIPAA changing?
OCR UPDATE: ENCRYPTION
Not encrypting?
That’s “less and less persuasive”
ENFORCEMENT TRENDS
YEAR   # SETTLEMENTS   TOTAL          AVERAGE PER SETTLEMENT
2018   11*             $28,683,400    $2,607,582
2017   10              $21,693,000    $2,169,300
2016   13              $23,504,800    $1,808,062
2015   6               $6,193,400     $1,032,233
2014   6               $7,940,220     $1,323,370
2013   5               $3,740,780     $748,156
2012   5               $4,850,000     $970,000
2011   3               $6,165,500     $2,055,167
2010   2               $1,003,500     $501,750
2009   1               $2,250,000
2008   1               $100,000
2018 ENFORCEMENT
December 2018: Cottage Health
• $3,000,000
• Two breach reports
• Cottage Health did not conduct a thorough risk analysis; failed to implement security measures; did not have a BAA; and did not perform periodic evaluations in response to changes affecting the security of ePHI
2018 ENFORCEMENT
October 2018: Anthem
• $16,000,000
• Data breach – spear phishing
• Anthem "failed to conduct an enterprise-wide risk analysis, had insufficient procedures to regularly review information system activity, failed to identify and respond to suspected or known security incidents, and failed to implement adequate minimum access controls to prevent the cyber-attackers from accessing sensitive ePHI, beginning as early as February 18, 2014."
2018 ENFORCEMENT
September 20, 2018: Boston Med
• $999,000 paid by Boston Medical Center, Brigham and Women’s Hospital, and Massachusetts General Hospital
• ABC was allowed to film patients
• Patients did not sign a HIPAA authorization
2018 ENFORCEMENT
November 16, 2018: Allergy Associates
• $125,000
• A doctor discussed a patient with a TV reporter
• The doctor had been advised not to respond to the media, or to say “no comment”
• Allergy Associates did not discipline the doctor
2018 ENFORCEMENT
June 18, 2018: MD Anderson ordered to pay $4.3 million in civil monetary penalties
MD Anderson filed three separate breach reports in 2012 and 2013:
• Unencrypted laptop stolen from an employee’s residence
• Two unencrypted USB thumb drives stolen, containing ePHI of 33,500 patients
The OCR found:
• MD Anderson had encryption policies since 2006
• MD Anderson’s HIPAA security risk analysis identified encryption as high risk
• Despite these policies and findings, MD Anderson did not begin encrypting until 2011
• MD Anderson did not encrypt devices containing ePHI when these breaches occurred
2018 ENFORCEMENT
St. Luke’s-Roosevelt Hospital Center
• Provides comprehensive health services to persons living with HIV or AIDS and other chronic diseases
• $387,200 settlement
• Faxed the patient’s PHI to his employer rather than sending it to the personal post office box he had requested
• OCR also found a related breach that had occurred nine months earlier, after which the vulnerabilities had not been addressed
2018 ENFORCEMENT
Filefax
• February 13, 2018
• Filefax went out of business
• OCR received an anonymous tip that someone transported medical records from Filefax to a shredding and recycling facility to sell. OCR discovered that records for 2,150 patients were left in an unlocked truck in the Filefax parking lot.
2018 ENFORCEMENT
Fresenius Medical Care North America
• February 1, 2018
• $3.5 million
• 5 separate breach reports
• No HIPAA security risk analysis
• Missing security P&Ps
2018 ENFORCEMENT
Advanced Care Hospitalists
• December 4, 2018
• $500,000
• ACH contracted with a fraudulent vendor, who had a breach – PHI for 400 patients ended up on the vendor’s website
• ACH did not have a BAA with the vendor
• ACH did not have a HIPAA ARA, security measures or HIPAA policies until after the breach
2018 ENFORCEMENT
Pagosa Springs Medical Center
• December 11, 2018
• $111,400
• Pagosa failed to terminate a former employee’s remote access to the scheduling calendar
• Pagosa did not have a BAA with the scheduling calendar vendor
THE OTHER ENFORCER: YOUR STATE
2018 STATE AG ENFORCEMENTS
• UMass Memorial Health Care (MA, $230,000)
• The Arc of Erie County (NY, $200,000)
• EmblemHealth (NY, $575,000)
• Aetna (NY, $1,150,000; NJ, $365,212 penalty; DC, $175,000; CT, $99,959)
• Virtua Medical Group (NJ, $417,816)
LAWSUIT UPDATE
EMILY BYRNE
• Avery Center for Obstetrics and Gynecology released Emily Byrne’s medical records in a paternity lawsuit involving Emily Byrne and her former boyfriend, without notifying Byrne
• Byrne sued
• A Connecticut jury awarded Byrne $850,000
• The Connecticut Supreme Court held that patients can sue providers who disclose their medical information without the patients’ permission. States vary in the extent to which they allow patients to sue for HIPAA-related violations.
CLASS ACTIONS
• LifeBridge: LifeBridge notified 500,000+ patients of a malware breach. A class action suit has been filed, asserting that LifeBridge failed to protect patient PHI.
• Flowers Hospital: A Flowers employee stole PHI and used it to file fraudulent tax returns. Patients filed a class action; Flowers settled for $150,000.
HIPAA CRIMINAL CHARGES
CRIMINAL CHARGES
• Pharmaceutical company Aegerion entered a $35 million settlement with the United States arising from its Juxtapid marketing practices.
• Aegerion’s sales representatives allegedly accessed medical records in order to find patients who could be prescribed Juxtapid. For example, Dr. Eduardo Montana, a pediatric cardiologist in Atlanta, gave an Aegerion sales rep a list of 280 patients with abnormal lipids – and gave Aegerion the access code to his electronic medical records.
• Dr. Montana pleaded guilty to wrongfully disclosing identifiable health information.
HANDLING BREACHES
BREACH NOTIFICATION
• Unsecured PHI = not encrypted or destroyed
• Within 60 days of discovery
• Who:
  • The patient
  • OCR
  • The media (maybe)
BREACH NOTIFICATION
What do you need?
• Breach Notification policy
• Breach analysis decision tree
• HIPAA attorney on speed dial
BREACH NOTIFICATION
Don’t mess with Texas.
• No risk of harm required.
• Texas DHHS contractors that provide HHS services and create, receive, maintain, use or disclose Confidential Information on behalf of HHS programs or clients must notify HHS of breaches of federal data within 60 minutes
IS IT A BREACH?
NURSE SNOOPING LEADS TO PATIENT UPROAR
• You are the compliance officer at a hospital.
• You just learned that a nurse accessed hundreds of patient records in the EMR without authorization or a legitimate work-related purpose, for a period of several months.
• What do you do?
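The scenario above is usually discovered late, from an EMR audit trail. As an added example (not part of the presentation), the script below scans a constructed access log against a constructed table of each user’s assigned patients and flags users who repeatedly open records of patients they have no care relationship with, across more than one month; the log format, user names and thresholds are assumptions for illustration.

```python
"""Flag sustained out-of-relationship EMR record access (a snooping pattern)."""
from collections import defaultdict

# Constructed sample audit log: (ISO timestamp, user, patient_id).
ACCESS_LOG = [
    ("2018-09-03T08:10", "nurse_a", "P100"),  # assigned patient: fine
    ("2018-09-04T13:22", "nurse_a", "P300"),  # not assigned
    ("2018-10-11T09:05", "nurse_a", "P301"),  # not assigned
    ("2018-11-20T17:48", "nurse_a", "P302"),  # not assigned
    ("2018-11-21T07:59", "nurse_a", "P300"),  # repeat view of P300
    ("2018-10-02T10:30", "nurse_b", "P200"),  # assigned patient: fine
    ("2018-10-02T10:31", "nurse_b", "P400"),  # one-off; below threshold
]

# Constructed sample: patients each user is assigned to (encounter/unit roster).
ASSIGNMENTS = {"nurse_a": {"P100", "P101"}, "nurse_b": {"P200"}}


def find_snooping(log, assignments, min_patients=3, min_months=2):
    """Return {user: (distinct_unrelated_patients, months)} for users who
    accessed at least `min_patients` distinct patients outside their
    assignments, spread over at least `min_months` calendar months.
    A single stray access (misclick, wrong chart) stays below threshold."""
    unrelated = defaultdict(set)   # user -> unrelated patient ids
    months = defaultdict(set)      # user -> "YYYY-MM" of unrelated accesses
    for ts, user, patient in log:
        if patient in assignments.get(user, set()):
            continue               # consistent with a treatment relationship
        unrelated[user].add(patient)
        months[user].add(ts[:7])   # ISO timestamp: first 7 chars are year-month
    return {
        user: (len(patients), tuple(sorted(months[user])))
        for user, patients in unrelated.items()
        if len(patients) >= min_patients and len(months[user]) >= min_months
    }


if __name__ == "__main__":
    for user, (count, when) in find_snooping(ACCESS_LOG, ASSIGNMENTS).items():
        print(f"{user}: {count} unrelated patients across {', '.join(when)}")
```

A real deployment would pull the roster from scheduling or ADT data and treat each hit as a lead for review, not proof of a violation.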
HARD DRIVE STOLEN
• An orthopedic practice reported the theft of a hard drive containing X-rays and other diagnostic images for 76,000 patients, plus names and DOB.
• The hard drive was not encrypted; however, the orthopedic company asserts that special software is necessary in order to access the images and view the patient names and DOB.
Is it a breach?
WAS A HEMOPHILIA PATIENT IDENTIFIED?
• At a Rotary Club event, Wellmark Blue Cross Blue Shield Executive VP Laura Jackson described the case of a patient with a form of hemophilia that costs more than $1,000,000 a month.
• She didn’t mention the boy’s name or town, but she discussed a 17-year-old with a challenging type of hemophilia. There are 25 boys between the ages of 15 and 17 with hemophilia in Iowa.
Is it a breach?
VIAGRA PROBLEMS
CVS exposed my Viagra scripts – and ruined my marriage!
HIPAA FROM THE HEADLINES
ADOPTIVE PARENTS SUE
• In 2017, Wayne and Denise Russell’s adopted two-year-old son drowned in the family swimming pool.
• The hospital that treated the boy, McAlester Regional Health Center, notified the child’s birth mother – who did not have parental rights – of the boy’s death.
WATER COOLER CHAT
A hospital employee discussed an 11-year-old’s attempted suicide with people at school, resulting in the boy being bullied. The mom sued the hospital.
DELIVERY ERRORS
A Texas Health and Human Services Commission employee was fired for allegedly failing to secure protected health information as required by HIPAA.
A few weeks later, she found two boxes on her doorstep. First, a box of personal items (not hers).
Second, a box of state assistance applications with SSNs, billing statements, and more – for hundreds of people.
WOMAN GETS HOSPITAL’S MISDIRECTED FAXES
… for a year
SNOOPING
STUDENT SNOOPERS
• Students working at an Amsterdam hospital had access to patient information due to a software error.
• They told a newspaper they dug up “juicy details” about friends, family and celebrities while doing “boring jobs.”
• The students could access these files because they were supposed to be able to work anywhere in the hospital.
12 HOSPITAL EMPLOYEES LOOK UP CAR ACCIDENT VICTIMS
• Washington Health System in Pennsylvania suspended approximately 12 employees while it investigated a potential HIPAA breach.
• The investigation likely involves a fatal motor vehicle accident involving a Washington Health System employee.
• The driver and another passenger were then treated at local hospitals for injuries.
RECEPTIONIST FIRED FOR LOOKING UP CO-WORKER CONTACT INFO IN EHR
• A hospital OR secretary looked up a co-worker’s phone number in the hospital’s EHR.
• She was fired.
• She sued – and lost.
PAPER STILL COUNTS
1,800 MEDICAL RECORDS FOUND ON THE SIDEWALK
…by a reporter
PHISHING
BREACHES CAUSED BY PHISHING
• Anthem
• Spear phishing attack that took down the Ukrainian power grid
• Clinton presidential campaign email breach
• Sony data breach (spear phishing)
77% OF EMPLOYEES UNAWARE OF SECURITY RISKS
• 77% of employees in management roles “showed a general lack of awareness” of security risks.
• 75% of employees “struggled with identifying best practices relating to correct behaviors in cybersecurity and data privacy.”
• 26% of employees “made poor decisions involving the secure use of social media.”
• 14% of employees could not identify phishing emails.
MediaPRO 2018 State of Privacy and Security Awareness Report
https://pages.mediapro.com/2018-State-of-Privacy-Security-Awareness.html
SAY CHEESE!
FOOLISH PHOTOS
• A new nurse took a photo of a patient medical record with her cell phone so she could take it home and study it.
• Two nurses were in a patient room. One nurse took a photo of the other nurse and put it on Facebook. The patient’s wrist was in the background. Someone identified the patient by her distinctive watch.
SHARK ATTACK
• A patient was bitten twice while kite boarding.
• He had one bite with teeth marks across the buttocks, and a 9-inch bite on his right thigh that hit the bone.
• Multiple hospital employees took cell phone photographs of the patient while he was treated in the ER following the shark attack.
SOCIAL MEDIA
CHICKEN PROBLEMS: CODE IN A COOP
“Well, we had a first… We worked a code in a chicken coop! Knee deep in chicken droppings.”
YOUR ACTION PLAN
SECURITY RISK ANALYSIS
• Conduct a HIPAA Security risk analysis
• Mitigate risks
• Update the risk analysis
• Keep updating!
POLICIES
• Privacy
• Security
• Breach Notification
• Social Media
TRAIN, TRAIN
• New hires
• Annual training
• Quarterly or monthly reminders
• Board, employees, contractors, managers, volunteers, students
• In-services, written reminders, email, flyers, video, text alerts, tip sheets
AUDIT
• Walk-throughs
• Security audits
• Privacy audits
• Breach notification audits
• Social media audits
LOOK FOR GUIDANCE
• Texting
• Social media
• Encryption
Margaret Scavotto, JD, CHC
President
314-394-2222 ext. 24
Questions?
(c) 2019 Management Performance Associates
This presentation does not constitute legal advice