HIPAA, Privacy, and Security – Oh My!
TRANSCRIPT
©2014 CliftonLarsonAllen LLP
CLAconnect.com
HIPAA, Privacy, and Security – Oh My!
Chad D. Kunze, CPA – Health Care Principal
Phoenix, AZ
Learning Objectives
At the end of this learning session, you will be able to:
• Understand recent changes to HIPAA and HITECH regulations affecting providers and business associates
• Understand what privacy and security are
• Identify who is a “covered entity” and which of my “business associates” require a separate agreement
• Understand what a “breach” is and how I can protect my organization
• Recognize examples of good business practices, education, and third-party analysis
HIPAA - What Is It?
HIPAA - What is it?
Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) – the 4 original parts included:
• Electronic transactions and code sets standards requirements
• Privacy requirements
• Security requirements
• National identifier requirements
We will focus on privacy and security
HIPPA or HIPAA?
HIPAA Requirements Historically – What’s old and what’s new?
Key Historical Dates
• 1996 – HIPAA
• 2002 – Final Modifications to the Privacy Rule published
• 2003 – Final Security Rule published
• 2009 – HITECH passed as part of the American Recovery & Reinvestment Act
– 9/15/09 – breach notification obligations effective
• 2011 – OCR Compliance Audits began
• 1/17/13 – Omnibus Rule out; effective date 3/26/13, compliance required by 9/23/13
The goal of HIPAA is to make health insurance more portable, ensure privacy and security of an individual’s health and medical information, and create standardization.
HITECH ACT in 2009
• HITECH Act - 2009 – Extended the reach of HIPAA
– Breach notification requirements on covered entities and business associates
– Limits use and disclosure of certain PHI
– Increases individuals’ rights with respect to PHI
– Significant enforcement and penalties for violation of privacy and security of PHI
Protection of Electronic PHI
• Examples of EPHI:
– Clinical records, chargemaster, billing, detailed patient records, etc.
– HUD resident files containing medical information
– A/R and Billing
– Workers Comp
– Health Insurance and other benefits
– Payroll reports
– Revenue documentation
– Other
Protection of PHI – Types of Data
• Written documentation and all paper records
• Spoken and verbal information including voice mails
• Electronic databases, including research information
• PHI on a phone, USB drive, etc.
• Photographic images
• Audio and video
HITECH – Breach Notification
• Breach notification
– Must notify individuals whose unsecured PHI has been or is reasonably believed to have been breached
– Business Associates must notify covered entities of a breach upon becoming aware of it
– Unsecured PHI is defined by HHS guidance, which will be updated annually
– Notification “without unreasonable delay” and no more than 60 days after discovery of the breach
– Notification to the individual via first class mail unless the individual specified electronic mail
HITECH – Breach Notification
• Breach notification (continued)
– Media notice required depending on the number of individuals affected:
◊ Posting notice on website, major print, or broadcast media if more than 10 individuals involved
◊ More than 500 individuals in one State – notice to prominent media outlets in the State
– HHS notice for any breach at least annually. If more than 500 individuals, then notice immediately.
– Notice must include a description of the facts, the type of PHI, steps individuals should take to protect themselves, the investigation method, mitigation to prevent recurrence, and contact information to ask questions.
HITECH – Penalties and Enforcement
• HITECH requires HHS to formally investigate:
– Does a possible violation exist, or has a breach been reported?
– Willful neglect present?
– Reasonable due diligence present?
– Corrected?
– Not corrected?
– Tiered approach to penalties
HITECH – Penalties and Enforcement
• Civil monetary penalties:
Violation Category – Section 1176(a)(1) | Each Violation | All such Violations of an Identical Provision in a Calendar Year
(A) Did not know | $100 - $50,000 | $1,500,000
(B) Reasonable Cause | $1,000 - $50,000 | $1,500,000
(C)(i) Willful Neglect – Corrected | $10,000 - $50,000 | $1,500,000
(C)(ii) Willful Neglect – Not Corrected | $50,000 | $1,500,000
HITECH – Penalties and Enforcement
In addition –
• State attorneys general may bring a HIPAA enforcement action against a covered entity or business associate
• HHS is now performing periodic audits related to compliance by covered entities and business associates (see enforcement section upcoming)
New Omnibus Rule Changes – What’s old and what’s new?
Breach Notification – New Modifications
• Change in the definition of a breach in the 2009 omnibus rule – from:
– “acquisition, access, use or disclosure of PHI in a manner not permitted under [the privacy rule] which compromises the security or privacy of the PHI”
◊ “compromises the security or privacy of PHI” is defined as “posing a significant risk of financial, reputational, or other harm to the individual” – the risk of harm threshold
• Final Rule definition of a breach - Section 13400(1)
– “an acquisition, access, use, or disclosure of PHI in a manner not permitted…[and] is presumed to be a breach, unless the covered entity can demonstrate that there is a low probability that the PHI has been compromised.”
Breach Notification – Exceptions
• There are three exceptions to the Breach Notification Requirement which are unchanged:
– Unintentional acquisition, access, or use of PHI if it was made in good faith
– Inadvertent disclosure which will not be further used or disclosed in an impermissible manner
– Good faith belief that the disclosure was not retained
• If it does not meet the three exceptions, it is presumed to be a breach UNLESS the PHI was rendered “unusable, unreadable, or indecipherable” i.e. ENCRYPTION!!!
Breach - Risk Assessment
• Covered entity AND business associate must consider:
– Nature and extent of PHI involved
– Who used the information or to whom was the disclosure made?
– Was PHI actually acquired or viewed?
– How was the risk mitigated?
– Does the event rise to the level of a breach?
– Requirement to notify the Secretary of HHS following the discovery of a breach of unsecured PHI
• Should have been compliant by March 26, 2013 – required to be compliant by September 23, 2013
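The decision flow the deck walks through (the three exceptions, the encryption safe harbor, the presumption of breach unless low probability of compromise is shown, and the notification duties from the earlier breach-notification slides) as one incident-triage helper. This is an added example, not CLA material or an HHS tool; the 0..2 factor scores, the rule used to rebut the presumption, and the lost-laptop scenarios are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Optional, Tuple

# The three unchanged exceptions listed on the deck; an incident names one key or None.
EXCEPTIONS = {
    "unintentional_good_faith": "unintentional acquisition, access or use of PHI made in good faith",
    "inadvertent_not_reused": "inadvertent disclosure that will not be further used or disclosed",
    "not_retained": "good-faith belief that the disclosed PHI was not retained",
}

@dataclass
class Incident:
    individuals: int                 # individuals whose unsecured PHI was involved
    per_state: Dict[str, int]        # constructed: individuals per State, e.g. {"AZ": 700}
    discovered: date                 # date the incident was discovered
    encrypted: bool                  # PHI was rendered unusable, unreadable, or indecipherable
    exception: Optional[str] = None  # key into EXCEPTIONS, if one applies
    # The four risk-assessment factors from the slide; the 0..2 scoring is an assumption.
    nature_extent: int = 2           # 0 = minimal identifiers, 2 = full clinical record or SSN
    recipient_risk: int = 2          # 0 = another covered entity or BA, 2 = unknown party
    actually_viewed: bool = True     # was the PHI actually acquired or viewed?
    mitigated: bool = False          # e.g. data returned or destroyed with written assurance

def classify(inc: Incident) -> Tuple[bool, str]:
    """Apply the deck's decision order: exceptions, safe harbor, then presumption of breach."""
    if inc.exception in EXCEPTIONS:
        return False, "exception: " + EXCEPTIONS[inc.exception]
    if inc.encrypted:
        return False, "safe harbor: PHI was unusable, unreadable, or indecipherable"
    # Presumed a breach unless a documented risk assessment shows a low probability of
    # compromise. Assumed rebuttal policy: every factor must point to low risk.
    low_probability = (not inc.actually_viewed and inc.mitigated
                       and inc.nature_extent == 0 and inc.recipient_risk <= 1)
    if low_probability:
        return False, "risk assessment documented a low probability of compromise"
    return True, "presumed breach: low probability of compromise not demonstrated"

def notifications(inc: Incident) -> Dict[str, object]:
    """Notification duties for an incident that classify() found to be a breach."""
    return {
        # "without unreasonable delay", and no more than 60 days after discovery
        "individuals_by": inc.discovered + timedelta(days=60),
        "individual_channel": "first class mail unless the individual chose e-mail",
        # media-notice thresholds as stated on the slides
        "media_notice": inc.individuals > 10,
        "prominent_media_states": sorted(s for s, n in inc.per_state.items() if n > 500),
        "hhs_notice": "immediately" if inc.individuals > 500 else "annual report to HHS",
    }

def triage(inc: Incident) -> Dict[str, object]:
    """Full decision: breach verdict, reason, and (if a breach) the notification plan."""
    is_breach, reason = classify(inc)
    return {"breach": is_breach, "reason": reason,
            "duties": notifications(inc) if is_breach else None}

# Constructed scenarios: a lost laptop holding 1,200 clinical records, with and without
# full-disk encryption.
LOST_LAPTOP = Incident(1200, {"AZ": 700, "NM": 500}, date(2013, 6, 1), encrypted=False)
LOST_ENCRYPTED_LAPTOP = Incident(1200, {"AZ": 700, "NM": 500}, date(2013, 6, 1), encrypted=True)

if __name__ == "__main__":
    print(triage(LOST_LAPTOP))
    print(triage(LOST_ENCRYPTED_LAPTOP))
```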
Willful Neglect and Penalties
• Appears over 70 times in the final ruling
• Defined by 45 CFR 160.401 as “conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated”
Action Plan for Covered Entities
• Encrypt, encrypt, encrypt and implement a BYOD (“Bring your own device”) policy
• Review and update business associate agreements
– Affects an estimated 250,000 – 500,000 business associates around the country and beyond
• Review and revise your breach notification policies
– Affects 19,000 covered entities
• Review and update privacy policies
– Affects 700,000 covered entities
• Provide updated education for your workforce
(Approximate numbers of affected entities obtained from the 2013 HIPAA Omnibus Rule)
Covered Entities and Business Associate Agreements
HIPAA - What Is It?
Privacy
• Governs the use and disclosure of individually identifiable health information or Protected Health Information (“PHI”)
Security
• Administrative, technical and physical safeguards required to prevent unauthorized access to PHI
HIPAA - Covered Entities
Covered entities
• Directly affected:
– Health care providers
– Health plans
– Health care clearinghouses
• HC providers are:
– A person or organization who furnishes, bills, or is paid for health care in the normal course of business
– Covered ONLY if they transmit health information electronically in connection with a transaction covered by the HIPAA transaction rules
– Directly or through a business associate
How to Comply – Security Rules
• Appoint a security officer
• Perform an internal or 3rd party risk analysis:
– Likelihood and impact of risks to ePHI
– Implement security measures to address them
– Document the security measures
– Maintain protections (continuous, reasonable, etc.)
• Develop and implement a risk management plan
• Education and training are a MUST
HIPAA - Who are Business Associates
A business associate is:
– A person who performs a function or activity on behalf of, or provides services to, a covered entity that involves individually identifiable health information
– Not a workforce member
– A covered entity can also be a business associate
HIPAA - Who are Business Associates (cont’d)
• Vendors providing services not directly but indirectly subject to the HIPAA privacy and security provisions (not covered entities but are business associates):
– Legal
– Accounting
– Consulting
– Information technology
– Financial support
– Claims processing and billing
– Data destruction/shredding
• Required to sign business associate agreements (BAA)
– A covered entity who contracts for “business associate” services or activities must protect PHI through a BAA
– Agree by contract to maintain privacy and security of PHI
Business Associate Agreements
• What is in a BAA?
– It is a contract between covered entity and business associate
– Responsibilities identified
– Understanding and acknowledgement of those responsibilities
– Identification of what constitutes a breach
– Breach notification requirements
– Communication requirements
– Termination clauses
– Subcontractor clauses
– Signed by both parties
HIPAA - How Does It Affect You?
• Does your organization have business associate agreements in place for all required vendors or partners you work with?
• Action necessary by covered entity and business associate to ensure they both “live up to” requirements
• Protections added:
– Indemnification
– Reporting
– Policies in place
– Hardware and software
– Learning and training
Example - How Does It Affect CLA?
• CLA approach in the past:
– Comply as if we were a covered entity, but with a “highest common denominator approach to EPHI”
– Protect ALL data at the level for EPHI
• Education
– Annual education and orientation for new employees
– Understand requirements and responsibility (not just principal or partner responsibility)
– Identification of breach and how to notify and/or report
• Business associate agreements
– CLA MUST HAVE in place for all clients where EPHI is directly used or indirectly obtained
Enforcement – Covered Entities and Business Associates
Stepped Up HIPAA Related Enforcement – 2012
• HHS to conduct periodic audits to ensure covered entities and business associates are complying with HIPAA privacy and security rules and breach notification standards.
• For Phase 1 - Office for Civil Rights (OCR) has conducted 115 audits, of which 20 were completed in 2012.
• Entities were stratified into four different levels as follows:
Level 1 Entities
• Large Provider/Health Plans
• Extensive use of IT/complicated IT/business work streams
• Revenues or assets > $1 billion
Level 2 Entities
• Large regional hospital systems (3-10 hospitals/region) & Regional Insurance Companies
• Paper & HIT enabled workflows
• Revenues and/or assets between $300 million and $1 billion
Level 3 Entities
• Community hospitals/outpatient surgery, regional pharmacy/all self-insured companies that don’t adjudicate their claims
• Some but not extensive use of HIT – mostly paper based workflows
• Revenues between $50 million and $300 million
Level 4 Entities
• Small providers (10 to 50 provider practices, community or rural pharmacy)
• Little to no use of HIT – almost exclusively paper based workflows
• Revenues less than $50 million
Source: U.S. Dept. of HHS Presentation: “2012 HIPAA Privacy and Security Audits” by Linda Sanches, OCR Senior Advisor Health Information Privacy; Lead HIPAA Compliance Audits
Stepped Up HIPAA Related Enforcement (cont’d)
Source: U.S. Dept. of HHS Presentation: “2012 HIPAA Privacy and Security Audits” by Linda Sanches, OCR Senior Advisor Health Information Privacy; Lead HIPAA Compliance Audits
Stepped Up HIPAA Related Enforcement (cont’d)
Source: U.S. Dept. of HHS Presentation: “2012 HIPAA Privacy and Security Audits” by Linda Sanches, OCR Senior Advisor Health Information Privacy; Lead HIPAA Compliance Audits
Security Rule Findings – 65%
HITECH regulations:
• §164.312 – User activity monitoring; Authentication/integrity
• §164.310 – Media reuse and destruction
• §164.308 – Contingency planning; Risk assessment
Ask yourself…
• Are you periodically reviewing established users to determine if they are current, authorized, and have the correct access rights?
• Risk assessment: How frequently are you examining the information system for vulnerabilities?
• Monitoring of controls: How are you verifying the controls are designed to mitigate unacceptable risks?
Privacy Rule Findings – 26%; Breach Notification – 9%
HITECH regulations:
• §164.502 – Deceased individuals; Personal representatives; Verification of the identity of those requesting ePHI
• §164.310 – Business associate contracts
• §164.308 – Breach notification process
Ask yourself…
• What steps do you take to verify the identity of those requesting PHI?
• How do you identify business associates?
• How often are your contracts reviewed?
• Do your staff know what to do if a breach occurs?
• What steps do you take to document the occurrence of the breach and investigation results?
Phase 2 of OCR Audits
• 550-800 entities will be contacted for “pre-survey”
• OCR will use survey data to select a projected 350 covered entities to audit
• Audits to begin in fall of 2014
• Covered entities will identify their business associates, and a selection from those provided will be subject to audit in 2015
• Desk audits for selected areas and comprehensive on-site audits as resources allow
• Focus areas for 2014-2015 audits:
– Security – risk analysis and risk management
– Breach – content and timeliness of notifications
– Privacy – notice and access
Fines and Penalties
• WellPoint pays $1.7M for leaving information accessible over the internet. The issues related to its implementation of changes in its IT systems. WellPoint provided a breach report: the ePHI of 612,402 individuals was unsecured and unprotected.
Fines and Penalties
• MEEI, a Harvard medical school affiliate, and Alaska DHS have agreed to pay the HHS $1.5 and $1.7 million (respectively) to settle potential violations.
Fines and Penalties
• Phoenix Cardiac Surgery, P.C., of Phoenix and Prescott, Arizona, “has agreed to pay the HHS a $100,000 settlement” – the first small practice to be penalized over HIPAA violations.
Fines and Penalties
• Hospice of North Idaho has agreed to pay HHS a $50,000 settlement for potential violations and became the 1st settlement related to a breach of unprotected ePHI that affected <500 individuals.
Additional Thoughts and Stats
• After EHR implementations providers have seen a surge in data breaches
• Average breach cost was approximately $2.5MM
• Most were preventable
• 40% of breaches in 2013 involved a business associate
• Reputation costs are hard to quantify but are significant
Encryption – Why it is important
• Lack of encryption – now is the #1 reason for penalty
• Emails containing ePHI (electronic protected health information)
• Data published on an internet site
• Mobile devices such as laptops, smart phones, or tablets
• Remote access sessions
Six Steps to Breach Prevention or Mitigation
• Lock down end users and infrastructure – know where your data resides
• User identification
• Single point of control
• Anti-malware
• Encryption
• e-Discovery
Best Practices – They are in place to protect us all!
HIPAA Safeguards: Administrative, Physical, and Technical
• Administrative safeguards – the management of:
– Risk
– Employees and training
– Continuity
– Evaluation
– Business associates
• Physical safeguards – securing and accounting for:
– Facilities
– Workstations
– Media disposal
• Technical safeguards – logical access:
– System logging and review
– Password requirements
– User accounts and access
Safeguarding Computers
• Secure laptops and desktops at all times
• Do not “loan” your laptop to others
• Do not allow others to use your computer unattended
• Do not leave laptop or equipment unattended
• If left unattended for any reason, lock the office space being used or place the computer into “Lock” mode, requiring a password to re-start programs
• Use privacy screens if available
• Know your surroundings
Messages That Contain Sensitive or Protected Information
• Personnel should NOT be permitted to send emails that contain sensitive PHI that is NOT encrypted
• PHI is defined as information about:
– Health status
– Provision of health care
– Payment for health care
• PHI linked through any of the following must be treated with care:
– Names, phone/fax numbers, addresses, email addresses, dates (related to care, admit, discharge, etc.)
– SSN, medical record numbers, health plan info, photos, device identifiers, etc.
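An outbound-message gate built from this slide's definition: health information that is linked to one of the listed identifiers is PHI, and a message holding it may leave only if encrypted. Added example, not CLA's mail filter; the identifier regexes, the health-term word list and the three sample messages are constructed for illustration.

```python
import re
from typing import Dict, List

# Linking identifiers from the slide (phone/fax, e-mail, dates, SSN, medical record number).
# The regexes are constructed for illustration; a production filter needs a vetted set.
IDENTIFIER_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone_fax": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
    "mrn": re.compile(r"\bMRN[:#]?\s*\d{5,}\b", re.IGNORECASE),
}
# Words that signal health status, provision of care, or payment for care (assumed list).
HEALTH_TERMS = re.compile(
    r"\b(diagnos\w*|admit\w*|discharg\w*|treat\w*|prescri\w*|claim\w*|copay|surgery)\b",
    re.IGNORECASE)

def scan_message(body: str, encrypted: bool) -> Dict[str, object]:
    """Gate an outbound message: PHI is health content linked to an identifier,
    and a message holding PHI may leave only if it is sent encrypted."""
    found: Dict[str, List[str]] = {}
    for name, pattern in IDENTIFIER_PATTERNS.items():
        hits = pattern.findall(body)
        if hits:
            found[name] = hits
    health = HEALTH_TERMS.search(body) is not None
    phi = health and bool(found)
    if phi and not encrypted:
        return {"verdict": "block", "reason": "unencrypted message contains PHI",
                "phi": True, "identifiers": found}
    return {"verdict": "allow", "reason": "encrypted" if phi else "no PHI detected",
            "phi": phi, "identifiers": found}

# Constructed sample messages.
CLINICAL_MSG = ("Patient John Doe, MRN 0047812, was admitted 3/14/2013 with a "
                "diagnosis of pneumonia. SSN 123-45-6789, home 602-555-0147.")
MEETING_MSG = "Reminder: the audit committee meets 9/23/2013 in the Phoenix office."
STATS_MSG = "Readmission rates fell 4% this quarter across all diagnosis groups."

if __name__ == "__main__":
    for msg in (CLINICAL_MSG, MEETING_MSG, STATS_MSG):
        print(scan_message(msg, encrypted=False)["verdict"], "-", msg[:40])
```

A date alone (the meeting reminder) or health content alone (the aggregate statistic) is allowed through; only the combination is treated as PHI.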
Example of CLA IT Security That Is In Place Due To Being A Business Associate
Administrative Safeguards: Risk management; IT policies; Security leadership; Access management; Awareness; Incident response; Inquiry response; Auditing
Technical Safeguards: Passwords; Change control; Anti-Virus/SPAM; Firewall; Workstation control (CSA); Web filtering; Remote access; FTP; Encryption; Portable media control; Event correlation
Physical Safeguards: Office physical security; Laptop policy; Equipment disposal; Data backup and storage
Don’t We Already Have Enough Security?
• Can you and your employees answer “YES” to all of these?
– If I follow my organization’s policies, I believe that we are covered
– Am I following my organization’s policies?
– Do I understand what constitutes a potential or actual breach?
– Do I protect data as if it is my own?
What Can You Do Today?
• Clean your offices
• Move any resident data off your hard drive
• Don’t store PHI or resident data in emails
• Use the network or other solutions to store data
• Don’t request, receive, or send EPHI to/from anyone unless it is encrypted and absolutely needed
• Return EPHI or private data when complete, or delete it immediately
Other Protections
• Protect discussions
– Public places, elevators, client location, airplane, etc.
– Discussions with friends, spouse, family, etc.
• If you are in public places or travel on planes, use privacy screens on computers
• Provide data with privacy and security in mind (FTP site, data encrypted, data scrubbed, etc.)
• Don’t leave sensitive information lying around at any time
• Err on the side of being overprotective of your computer
• Limit data on your hard drive and follow Organization policy
Recap And What We Have Learned Today
• HIPAA, privacy, security are just good common sense
• Understand what HIPAA requires – we all are responsible to know and understand
• Know when a breach may have occurred (covered entity or business associate)
• Is our business associate HIPAA compliant? – can we help?
• Organization policy is in place to HELP and not there to HINDER our resident service and productivity
• More to come – breaches and fines are starting to ramp up
• Risk is out there - Do your part and promote privacy and security of PHI, and remember it is really – good business sense
CLAconnect.com
twitter.com/ CLAconnect
facebook.com/ cliftonlarsonallen
linkedin.com/company/ cliftonlarsonallen
Chad D. Kunze, CPA, Principal
[email protected]
602-604-3534 Office
314-42-6512 Cell