hpaa update
TRANSCRIPT
HIPAA Update:Avoiding Penalties
Kim C. Stanger
IHCA(7/15)
Protected Health
Info
Preliminaries
This presentation is similar to any other legal education materials designed to provide general information on pertinent legal topics. The statements made as part of the presentation are provided for educational purposes only. They do not constitute legal advice nor do they necessarily reflect the views of Holland & Hart LLP or any of its attorneys other than the speaker. This presentation is not intended to create an attorney-client relationship between you and Holland & Hart LLP. If you have specific questions as to the application of law to your activities, you should seek the advice of your legal counsel.
True or False?• I don’t have to worry about HIPAA because
I live in Idaho and the government would never go after us.
• The Office for Civil Rights (“OCR”) must impose a $10,000 fine per HIPAA violation if I act with willful neglect.
• Under HIPAA, residents may sue our facility for HIPAA violations.
• Long term care facilities are vicariously liable for HIPAA violations by their business associates.
• HIPAA does not apply to resident names so long as we do not disclose medical information.
True or False?• We must have the resident’s authorization
before disclosing protected health information to family members.
• Under HIPAA, residents have a right to access all information concerning the resident.
• HIPAA prohibits e-mailing or texting residents, family, or providers unless the e-mail or text is encrypted.
• We must self-report all HIPAA violations to the resident and the government.
• We only have to self-report breaches of unsecured protected health info if the breach would result in significant harm to the resident.
HIPAA: Hot Topics• Enforcement actions
– Recent settlements– Private causes of action
• Security rule concerns– Security rule
compliance– E-mails and texts
• Business associate liability• Breach notification
– Applicable standards– Applying the standards
Preliminaries• Written materials
– Stanger, HIPAA Update: How and Why You Must Comply• Summarizes what you need to do to
comply.• Checklists for required privacy and
security rule policies.• This is overview of some “hot
topics”.– Does not cover all HIPAA rules.
• Feel free to ask questions or comment.– But don’t share protected health info.
That would be awkward…
HIPAA: Terminology• Covered entities:
– Healthcare providers who engage in e-transactions.
– Health plans, including group health plans with 50+ participants or administered by third party.
• Protected health info (“PHI”): individually identifiable info concerning a resident’s health, healthcare, or payment for care.
• Business associates: create, receive, maintain or transmit PHI on behalf of covered entity.
HIPAA History• 2003: Privacy Rule, 45 CFR 164.500 et seq.
– Requires covered entities and business associates to protect the confidentiality of protected health information (“PHI”)
– Gives residents certain rights concerning their PHI.
• 2005: Security Rule, 45 CFR 164.300 et seq.– Requires covered entities to implement certain
safeguards to protect e-PHI.• 2009: HITECH Act
– Breach Notification Rule, 45 CFR 164.400 et seq.
– Enforcement Rule, 45 CFR 160.400 et seq.• 2013: Omnibus Rule.
– Requires updates to HIPAA policies and forms.
HIPAA Overview
Privacy Rule• Covered entities may not access, use or
disclose PHI unless:– For purposes of treatment, payment or
healthcare operations.• Per Jamie, obtain info from prior facilities.
– To a family member or other person involved in healthcare or payment so long as:• Resident has not objected;• Is in resident’s best interest; and• Limit disclosure to scope of recipient’s
involvement.– For certain safety or government functions.– Have valid authorization.
• Do not disclose more than is minimally necessary.
(45 CFR 164.500 to .514)
Privacy Rule• Resident or their personal representative
has the right to:– Receive notice of privacy practices.– Request that disclosures of PHI for
purposes of treatment, payment or healthcare operations be limited.
– Request communication by alternative means or at alternative locations.
– Access their PHI.– Request amendment of their PHI.– Obtain accounting of improper
disclosures of PHI.(45 CFR 164.520 to .528)
Privacy Rule• Covered entity must:
– Designate privacy and security officer.– Train staff.– Implement policies and procedures.– Implement reasonable safeguards.– Document and respond to complaints.– Sanction workforce members who violate
HIPAA.– Mitigate violations.– Not retaliate.– Maintain HIPAA documents for 6 years.
(45 CFR 164.530-.538)
Security Rule• Covered entity and business associates
must:– Perform risk analysis.– Implement safeguards:
• Administrative• Technical• Physical
– Execute business associate agreements.(45 CFR 164.300-.318)
* More about this later…
Breach Notification Rule• If there is breach of unsecured PHI:
– Covered entity must:• Notify affected individuals.• Notify HHS.• Notify media, if breach involves > 500
persons in a state.– Business associate must notify covered
entity.(45 CFR 164.400-.414)
HIPAA Enforcement
Covered Entities
Business AssociatesHIPAA
EnforcementCriminal Penalties
• Applies if employees or other individuals obtain or disclose protected health info from covered entity without authorization.
Conduct Penalty
Knowingly obtain info in violation of the law • $50,000 fine• 1 year in prison
Committed under false pretenses • 100,000 fine• 5 years in prison
Intent to sell, transfer, or use for commercial gain, personal gain, or malicious harm
• $250,000 fine• 10 years in prison
EnforcementCivil Penalties
Conduct Penalty
Did not know and should not have known of violation
• $100 to $50,000 per violation• Up to $1.5 million per type per year• No penalty if correct w/in 30 days • OCR may waive or reduce penalty
Violation due to reasonable cause • $1000 to $50,000 per violation• Up to $1.5 million per type per year• No penalty if correct w/in 30 days• OCR may waive or reduce penalty
Willful neglect, but correct w/in 30 days
• $10,000 to $50,000 per violation• Up to $1.5 million per type per year• Penalty is mandatory
Willful neglect,but do not correct w/in 30 days
• At least $50,000 per violation• Up to $1.5 million per type per year• Penalty is mandatory
Enforcement: 2014• Anchorage Community Mental Health
Services pays $150,000 for failing to maintain patches on software.
• New York hospitals pay $4.8 million for leaving electronic medical records vulnerable to searches.
• Concentra pays $1.7 million for lost unencrypted laptop.
• QCA Health Plan pays $250,000 for lost unencrypted laptop.
• Skagit County, WA pays $215,000 because PHI was available on public database.
• Parkview Community Health: fined $800,000 for leaving 71 boxes of records in physician’s driveway.
All involved security rule violations
Enforcement: IdahoIdaho is not exempt!• In 2013, Hospice of North Idaho had to pay
$50,000 for theft of unencrypted laptop that contained PHI of 441 patients.– Investigation showed failure to comply
with security rule.• In 2013, Idaho State University had to pay
$400,000 because firewall failure left PHI of 17,500 patients exposed.
Remember: OCR must impose penalty if you are determined to act with willful neglect.
Enforcement• HHS purportedly to resume audits in 2015.• OIG workplan for 2015 includes HIPAA
issues.• State attorney general can bring lawsuit
under HIPAA.– $25,000 fine per violation + fees and
costs– Some of biggest cases brought by AGs.
• In the future, affected individuals may recover percentage of fines or penalties.– Enacted as part of HITECH.– Still waiting for regulations.
• Must impose sanctions against employees who violate HIPAA.
Enforcement• No private cause of action under HIPAA.• Affected individuals may sue under
common law tort theories.– Negligence.– Negligence per se.– Privacy torts.
• Unreasonable, highly offensive intrusion into solitude or seclusion.
• Public disclosure of private facts.• Infliction of emotional distress.
– Vicarious liability of employer.
Standard of care = HIPAA?
Enforcement
• Lessons learned:–Beware state laws in
addition to HIPAA.–Not enough to simply
implement policies and train staff; you must ensure that data is protected if you really want to be safe.
Security Rule Compliance
Security Rule Compliance• Risk analysis.• Implement
safeguards.– Administrative– Technical– Physical
• Execute business associate agreements.
Intended to ensure:• Confidentiality• Integrity• Availabilityof ePHI.
Security Rule Compliance
Administrative Safeguards
Physical Safeguards
TechnicalSafeguards
Standards
ImplementationSpecifications• Required
• Addressable
Standards Standards
ImplementationSpecifications• Required
• Addressable
ImplementationSpecifications• Required
• Addressable
Implementation Specifications
• “Required”: implement the specification.
• “Addressable”: – Assess reasonableness of specification.– If spec is reasonable, implement it.– If spec is not reasonable,
• Document why it is not reasonable (e.g., size, cost, risk factors, etc.), and
• Implement alternative if reasonable.• Must review and modify as needed.
Administrative Safeguards
1. Security management process 2. Assigned security responsibility3. Workforce security4. Information access management5. Security awareness and training6. Security incident procedures7. Contingency plan8. Evaluation9. Business associate contracts
Physical Safeguards1. Facility access controls2. Workstation use3. Workstation security4. Device and media controls
Technical Safeguards1. Access controls2. Audit controls3. Integrity of e-PHI4. Person or entity authorization5. Transmission security
Data Privacy and Security
Risk Analysis• Security rule requires that covered entities
and business associates “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of [ePHI]…” (45 CFR 164.308(a)).– Frequently cited in recent violations.
• Periodically reevaluate analysis.– New systems or equipment.– Every few (very few?) years.– Include mobile devices.
Risk Analysis
• Additional materials are available at www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/securityruleguidance.html– Final Guidance on Risk Analysis– OCR Guidance re Risk Analysis– NIST Publications
Encryption• Encryption is an addressable standard per 45
CFR 164.312:(e)(1) Standard: Transmission security. Implement technical security measures to guard against unauthorized access to [ePHI] that is being transmitted over an electronic communications network.(2)(ii) Encryption (Addressable). Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.
• ePHI that is properly encrypted is “secured”.– Not subject to breach reporting.
• OCR presumes that loss of unencrypted laptop, USB, mobile device is breach.
Communicating by E-mail or Text
• HIPAA Privacy Rule allows resident to request communications by alternative means or at alternative locations.– Including unencrypted e-mail or text.
(45 CFR 164.522(b)).• Omnibus Rule commentary states that covered
entity or business associate may communicate via unsecured e-mail so long as they warn resident of risks and resident elects to communicate via unsecured e-mail or text.
(78 FR 5634)
Business Associates
Business Associates• Entities that create, receive, maintain, or transmit
PHI on behalf of a covered entity to perform:– A function or activity regulated by HIPAA (e.g.,
healthcare operations, payment, covered entity function), or
– Certain identified services (e.g., billing or claims management, legal, accounting, or consulting services).
– Health information organizations and e-prescribing gateways.
– Data transmission companies if they routinely access PHI.
– Data storage companies (e.g., cloud computing, off-site storage facilities) even if they do not access PHI.
– Patient safety organizations.• Subcontractors of business associates.• Covered entities acting as business associates.(45 CFR 160.103; 78 FR 5570-75)
Business AssociatesBusiness Associates• Management company• Billing company• EMR / IT specialist• Consultant• Accountant• Attorney• Malpractice insurer• Interpreters• Data storage entities• Data transmission
services if have routine access to info
• Subcontractors of forgoing
NOT Business Associates• Workforce members, i.e.,
if you have right to control
• Other providers when they are providing treatment
• Members of organized healthcare arrangement
• Insurance companies unless acting for you
• Mere conduits of information, e.g., mailman
• Janitors
Business Associate Agreements (“BAA”)
Business Associate
BAACovered Entity
(Healthcare Provider or Health Plan)
Business Associate
Subcontractor(s)
BAA
Subcontractor BAA must mirror the BAA with the
covered entity
BAA
BAA
Covered Entity must ensure there is BAA
Business Associate must ensure there is
BAA
BAA Required Terms
• Identify permitted uses and disclosures.
• Prohibit use or disclosure of PHI in a manner that would violate the HIPAA rules.
• Require business associate to cooperate with covered entity in fulfilling covered entity’s duties.
• Allow for termination in event of breach.
• Others.(45 CFR 164.504(e))
BAA: Pro-Covered Entity Terms
• Covered entities may want to add these terms:– Business associate must report or act within x days.– Business associate must implement policies.– Business associate must encrypt or implement other
safeguards.– Business associate must to carry data breach insurance.– Business associate notifies individuals of breaches and/or
reimburses covered entity for costs of the notice.– Business associate defends and indemnifies for losses,
claims, etc.– Business associate is an independent contractor, not agent.– Business associate assumes liability for subcontractors.– Allow termination of underlying agreement.– Must have consent to operate outside the United States.– Covered entity has right to inspect and audit.– Cooperate in HIPAA investigations or actions.
BAA: Pro-BA Terms• Business associates probably want to add these
terms:– Covered entity will not disclose PHI unless necessary.– Covered entity will not request action that violates HIPAA.– Covered entity will not agree to restrictions on PHI that will
adversely affect business associate.– Covered entity will notify business associate of all such
restrictions.– Covered entity will reimburse for additional costs.– Blanket reporting for security incidents– Specify business associate does not maintain designated
record set.– Reserve the right to terminate based on restrictions or other
change that adversely affects business associate.– Subcontractors are independent contractor, not agent.– Mutual indemnification.– Limitation or cap on damages.
Liability for Business Associates
Liability for Business Associate
• Covered entity or business associate violates HIPAA if:– Knew of a pattern of activity or practice of
the business associate/subcontractor that constituted a material breach or violation of the business associate’s/subcontractor’s obligation under the contract or other arrangement;
– Failed to take reasonable steps to cure the breach or end the violation, as applicable; or
– Failed to terminate the contract or arrangement, if feasible.
(45 CFR 164.504(e)(1))
Liability for Business Associate
• Covered entity or business associate is liable, in accordance with the Federal common law of agency, for the acts or omissions of a business associate/subcontractor acting with the scope of the agency.
(45 CFR 160.402(c))• Test: right or authority of a covered entity to
control the business associate’s conduct.– Contract terms.– Right to give interim directions or control
details.– Relative size or power of the entities.
• Maintain independent contractor status!(78 FR 5581-82)
Responding to a Breach
Responding to Breach• Timely response important because:
– Required to mitigate breach.– May minimize risk that data is
compromised and avoid breach notification requirements.
– May avoid penalties if do not act with willful neglect and correct the situation within 30 days.
• Train employees to report immediately.
• Sanction workforce members for violations.
• Document your actions.
Responding to a Breach• If you think there is a breach:
– Act immediately to stop disclosure and retrieve PHI.
– Confirm scope of breach.• Persons who may have received PHI.• Type of PHI involved.• Additional redisclosures.
– Obtain confirmation from recipient[s] that they have not and will not further use or disclose the info, and warn them of penalties.
– Document in writing, e.g., letter to recipients.
Breach Notification
Breach Notification• If there is “breach” of “unsecured
PHI”,– Covered entity must notify:
• Each individual whose unsecured PHI has been or reasonably believed to have been accessed, acquired, used, or disclosed.
• HHS.• Local media, if breach involves > 500
persons in a state.– Business associate must notify covered
entity.(45 CFR 164.400 et seq.)
Currently, only two methods to secure PHI:
• Encryption of electronic PHI– Transform data into a form in which there is a
low probability of assigning meaning without use of a confidential process or key.
– Notice provides processes tested and approved by Nat’l Institute of Standards and Technology (NIST).
• Destruction of PHI.– Paper, film, or hard copy media is shredded or
destroyed such that PHI cannot be read or reconstructed.
– Electronic media is cleared, purged or destroyed consistent with NIST standards.
• Guidance updated annually.(74 FR 42742 or www.hhs.gov/ocr/privacy)
“Secured” PHI
“Breach” of Unsecured PHI
• Acquisition, access, use or disclosure of PHI in violation of privacy rules is presumed to be a breach unless the covered entity or business associate demonstrates that there is a low probability that the info has been compromised based on a risk assessment of the following factors:– nature and extent of PHI involved;– unauthorized person who used or
received the PHI;– whether PHI was actually acquired or
viewed; and– extent to which the risk to the PHI has
been mitigated.unless an exception applies.
(45 CFR 164.402)
• “Breach” excludes the following:– Unintentional acquisition, access or use by
workforce member if made in good faith, within scope of authority, and PHI not further disclosed in violation of HIPAA privacy rule.
– Inadvertent disclosure by authorized person to another authorized person at same covered entity, business associate, or organized health care arrangement, and PHI not further used or disclosed in violation of privacy rule.
– Disclosure of PHI where covered entity or business associate have good faith belief that unauthorized person receiving info would not reasonably be able to retain info.
(45 CFR 164.402)
“Breach” of Unsecured PHI
“Breach” of Unsecured PHI
• Determine the probability that the data has been “compromised” by assessing:1. Nature and extent of PHI involved,
including types of identifiers and the likelihood of re-identification.
2. Unauthorized person who used PHI or to whom disclosure was made.
3. Whether PHI was actually acquired or viewed.
4. Extent to which the risk to the PHI has been mitigated.
5. Other factors as appropriate under the circumstances.
(45 CFR 164.402)
Breach Notification: Summary
• No breach notification required if:– No privacy rule violation
• “Incidental” disclosures are not violations.– PHI is “secured”
• Encrypted per HHS standards.– Exception applies
• Unintentional internal disclosure and no re-disclosure.
– Low probability that data has been compromised based on:
• Nature of PHI disclosed.• Person who received the PHI.• Whether PHI actually viewed.• Mitigation.
Hypothetical• Your facility faxed a resident’s medical
records to the wrong physician’s office. A records clerk at the other physician’s office called to alert you to same. The clerk confirmed that they would shred the info. The record contains the following info:– Name– Diagnosis– Description of care– Other similar info
Hypothetical• The family of one of your residents
maintains a Facebook page in which she shares information about the resident. One of your CNAs, who is close to the family, posted comments about the resident on the page, including info that confirms the resident is in your facility and her general condition.
Hypothetical• Your social services director routinely
photographs residents engaging in activities and posts it on your website as well as on a bulletin board in the facility. The photos simply show the residents engaged in activities, but does not include names.
Hypothetical• You are missing an unencrypted
laptop or USB containing the following info concerning residents:– Name– Birthdate– Account number– Dates of service– Diagnosis
Breach Notification• According to HHS, the following constitutes
“willful neglect”, requiring mandatory penalties: “A covered entity’s employee lost an unencrypted laptop that contained unsecured PHI…. [T]he covered entity feared its reputation would be harmed if info about the incident became public and, therefore, decided not to provide notification as required by 164.400 et seq.”
(75 FR 40879)• Beware missing PHI or devices containing
PHI.
Breach NotificationIf breach is reportable, notify:• Individual
– No more than 60 days from discovery.– By mail.– Contain required elements.
• HHS– If < 500 persons, by March 1 of next
year.– If > 500 persons, no more than 60 days
from discovery.– Electronic report from OCR website
www.hhs.gov/ocr/privacy/hipaa/administrative/brinstructions.html.
• Media if breach > 500 persons in a state.(45 CFR 164.400 et seq.)
Breach Notification• New breach reporting portal requires additional info.• If wait to report, ensure you are tracking required info.
Avoiding HIPAA Problems
HIPAA Top 10 List
HIPAA Action Items1. Assign and document HIPAA responsibility.
• Privacy officer• Security officer
2. Ensure the officers understand the rules.3. Review security rule compliance.
• Conduct and document security risk assessment.• Beware electronic devices.
4. Ensure you have required policies.• Privacy rule.• Security rule.• Breach notification rule.
HIPAA Action Items5. Develop and use compliant forms.
– Authorization, privacy notice, patient requests, etc.6. Execute BAAs with business associates.
– Ensure they are independent contractors.– Follow up if there are problems with business associate.
7. Train members of workforce and document training.
– Upon hiring.– Periodically thereafter.
8. Use appropriate safeguards.– Confidentiality agreements with workforce members.– Reasonable administrative, technical and physical
safeguards
HIPAA Action Items9. Respond immediately to any potential breach.
– Immediately take appropriate steps to mitigate.– Retrieve PHI.– Obtain assurances of no further use or disclosure.– Warn of penalties of violations.– Investigate facts to determine if there was a reportable
breach.– Sanction workforce member as appropriate.– Implement corrective action, additional training, etc.– Document foregoing.
10. Timely report breaches as required.– To patient or personal representative.– To HHS
Remember your employee benefit plan
• HIPAA applies to employee benefit plans if:– Administered by a third party, or– Have 50+ participants.
• Employee benefit plan must comply with HIPAA– Required policies.– Required notices.– Others.
Additional Resources
HIPAA Resources• OCR website: www.hhs.gov/ocr/hipaa
– Regulations– Summary of regulations
• Frequently asked questions– Guidance regarding key aspects of
privacy rule– Sample business associate agreement– Breach notification to HHS portal
• OCR listserve– Notice of HIPAA changes
Holland & Hart Resources
• Available on our website– Checklists
• Privacy rule• Security rule• Omnibus rule• Notice of privacy practices• Business associate agreements• Authorization
– Practice guides• Free webinars• Free client alerts• Sample privacy policies
To receive these, contact me at kcstanger@
hollandhart.com
Questions?
Kim C. StangerHolland & Hart LLP
(208) 383-3913