HIPAA Update: Avoiding Penalties. Kim C. Stanger, IHCA (7/15). Protected Health Info

Upload: holland-hart-llp

Post on 21-Feb-2017

Category: Healthcare

TRANSCRIPT

Page 1: HIPAA Update

HIPAA Update: Avoiding Penalties

Kim C. Stanger

IHCA (7/15)

Protected Health Info

Page 2: HIPAA Update

Preliminaries

This presentation is similar to any other legal education materials designed to provide general information on pertinent legal topics. The statements made as part of the presentation are provided for educational purposes only. They do not constitute legal advice nor do they necessarily reflect the views of Holland & Hart LLP or any of its attorneys other than the speaker. This presentation is not intended to create an attorney-client relationship between you and Holland & Hart LLP. If you have specific questions as to the application of law to your activities, you should seek the advice of your legal counsel.

Page 4: HIPAA Update

True or False?

• I don’t have to worry about HIPAA because I live in Idaho and the government would never go after us.

• The Office for Civil Rights (“OCR”) must impose a $10,000 fine per HIPAA violation if I act with willful neglect.

• Under HIPAA, residents may sue our facility for HIPAA violations.

• Long term care facilities are vicariously liable for HIPAA violations by their business associates.

• HIPAA does not apply to resident names so long as we do not disclose medical information.

Page 5: HIPAA Update

True or False?

• We must have the resident’s authorization before disclosing protected health information to family members.

• Under HIPAA, residents have a right to access all information concerning the resident.

• HIPAA prohibits e-mailing or texting residents, family, or providers unless the e-mail or text is encrypted.

• We must self-report all HIPAA violations to the resident and the government.

• We only have to self-report breaches of unsecured protected health info if the breach would result in significant harm to the resident.

Page 6: HIPAA Update

HIPAA: Hot Topics

• Enforcement actions
– Recent settlements
– Private causes of action

• Security rule concerns
– Security rule compliance
– E-mails and texts

• Business associate liability

• Breach notification
– Applicable standards
– Applying the standards

Page 7: HIPAA Update

Preliminaries

• Written materials
– Stanger, HIPAA Update: How and Why You Must Comply
  • Summarizes what you need to do to comply.
  • Checklists for required privacy and security rule policies.

• This is an overview of some “hot topics”.
– Does not cover all HIPAA rules.

• Feel free to ask questions or comment.
– But don’t share protected health info. That would be awkward…

Page 8: HIPAA Update

HIPAA: Terminology

• Covered entities:
– Healthcare providers who engage in e-transactions.
– Health plans, including group health plans with 50+ participants or administered by a third party.

• Protected health info (“PHI”): individually identifiable info concerning a resident’s health, healthcare, or payment for care.

• Business associates: create, receive, maintain or transmit PHI on behalf of a covered entity.

Page 9: HIPAA Update

HIPAA History

• 2003: Privacy Rule, 45 CFR 164.500 et seq.
– Requires covered entities and business associates to protect the confidentiality of protected health information (“PHI”).
– Gives residents certain rights concerning their PHI.

• 2005: Security Rule, 45 CFR 164.300 et seq.
– Requires covered entities to implement certain safeguards to protect e-PHI.

• 2009: HITECH Act
– Breach Notification Rule, 45 CFR 164.400 et seq.
– Enforcement Rule, 45 CFR 160.400 et seq.

• 2013: Omnibus Rule.
– Requires updates to HIPAA policies and forms.

Page 10: HIPAA Update

HIPAA Overview

Page 11: HIPAA Update

Privacy Rule

• Covered entities may not access, use or disclose PHI unless:
– For purposes of treatment, payment or healthcare operations.
  • Per Jamie, obtain info from prior facilities.
– To a family member or other person involved in healthcare or payment so long as:
  • Resident has not objected;
  • Is in resident’s best interest; and
  • Limit disclosure to scope of recipient’s involvement.
– For certain safety or government functions.
– Have valid authorization.

• Do not disclose more than is minimally necessary.

(45 CFR 164.500 to .514)

Page 12: HIPAA Update

Privacy Rule

• Resident or their personal representative has the right to:
– Receive notice of privacy practices.
– Request that disclosures of PHI for purposes of treatment, payment or healthcare operations be limited.
– Request communication by alternative means or at alternative locations.
– Access their PHI.
– Request amendment of their PHI.
– Obtain accounting of improper disclosures of PHI.

(45 CFR 164.520 to .528)

Page 13: HIPAA Update

Privacy Rule

• Covered entity must:
– Designate privacy and security officer.
– Train staff.
– Implement policies and procedures.
– Implement reasonable safeguards.
– Document and respond to complaints.
– Sanction workforce members who violate HIPAA.
– Mitigate violations.
– Not retaliate.
– Maintain HIPAA documents for 6 years.

(45 CFR 164.530-.538)

Page 14: HIPAA Update

Security Rule

• Covered entity and business associates must:
– Perform risk analysis.
– Implement safeguards:
  • Administrative
  • Technical
  • Physical
– Execute business associate agreements.

(45 CFR 164.300-.318)

* More about this later…

Page 15: HIPAA Update

Breach Notification Rule

• If there is a breach of unsecured PHI:
– Covered entity must:
  • Notify affected individuals.
  • Notify HHS.
  • Notify media, if breach involves > 500 persons in a state.
– Business associate must notify covered entity.

(45 CFR 164.400-.414)

Page 16: HIPAA Update

HIPAA Enforcement

[Diagram: HIPAA enforcement applies to both Covered Entities and Business Associates]

Page 17: HIPAA Update

Enforcement: Criminal Penalties

• Applies if employees or other individuals obtain or disclose protected health info from a covered entity without authorization.

Conduct and penalty:

• Knowingly obtain info in violation of the law: $50,000 fine; 1 year in prison.

• Committed under false pretenses: $100,000 fine; 5 years in prison.

• Intent to sell, transfer, or use for commercial gain, personal gain, or malicious harm: $250,000 fine; 10 years in prison.

Page 19: HIPAA Update

Enforcement: Civil Penalties

Conduct and penalty:

• Did not know and should not have known of violation:
– $100 to $50,000 per violation
– Up to $1.5 million per type per year
– No penalty if corrected w/in 30 days
– OCR may waive or reduce penalty

• Violation due to reasonable cause:
– $1,000 to $50,000 per violation
– Up to $1.5 million per type per year
– No penalty if corrected w/in 30 days
– OCR may waive or reduce penalty

• Willful neglect, but corrected w/in 30 days:
– $10,000 to $50,000 per violation
– Up to $1.5 million per type per year
– Penalty is mandatory

• Willful neglect, and not corrected w/in 30 days:
– At least $50,000 per violation
– Up to $1.5 million per type per year
– Penalty is mandatory

Page 20: HIPAA Update

Enforcement: 2014

• Anchorage Community Mental Health Services pays $150,000 for failing to maintain patches on software.

• New York hospitals pay $4.8 million for leaving electronic medical records vulnerable to searches.

• Concentra pays $1.7 million for lost unencrypted laptop.

• QCA Health Plan pays $250,000 for lost unencrypted laptop.

• Skagit County, WA pays $215,000 because PHI was available on public database.

• Parkview Community Health: fined $800,000 for leaving 71 boxes of records in physician’s driveway.

All involved security rule violations.

Page 21: HIPAA Update

Enforcement: Idaho

Idaho is not exempt!

• In 2013, Hospice of North Idaho had to pay $50,000 for theft of an unencrypted laptop that contained PHI of 441 patients.
– Investigation showed failure to comply with security rule.

• In 2013, Idaho State University had to pay $400,000 because a firewall failure left PHI of 17,500 patients exposed.

Remember: OCR must impose a penalty if you are determined to have acted with willful neglect.

Page 22: HIPAA Update

Enforcement

• HHS purportedly to resume audits in 2015.

• OIG workplan for 2015 includes HIPAA issues.

• State attorney general can bring lawsuit under HIPAA.
– $25,000 fine per violation + fees and costs
– Some of biggest cases brought by AGs.

• In the future, affected individuals may recover percentage of fines or penalties.
– Enacted as part of HITECH.
– Still waiting for regulations.

• Must impose sanctions against employees who violate HIPAA.

Page 23: HIPAA Update

Enforcement

• No private cause of action under HIPAA.

• Affected individuals may sue under common law tort theories.
– Negligence.
– Negligence per se.
– Privacy torts.
  • Unreasonable, highly offensive intrusion into solitude or seclusion.
  • Public disclosure of private facts.
  • Infliction of emotional distress.
– Vicarious liability of employer.

Standard of care = HIPAA?

Page 25: HIPAA Update

Enforcement

• Lessons learned:
– Beware state laws in addition to HIPAA.
– Not enough to simply implement policies and train staff; you must ensure that data is protected if you really want to be safe.

Page 26: HIPAA Update

Security Rule Compliance

Page 28: HIPAA Update

Security Rule Compliance

• Risk analysis.

• Implement safeguards.
– Administrative
– Technical
– Physical

• Execute business associate agreements.

Intended to ensure:
• Confidentiality
• Integrity
• Availability
of ePHI.

Page 29: HIPAA Update

Security Rule Compliance

[Diagram: Administrative Safeguards, Physical Safeguards and Technical Safeguards. Each consists of Standards; each Standard has Implementation Specifications that are either Required or Addressable.]

Page 30: HIPAA Update

Implementation Specifications

• “Required”: implement the specification.

• “Addressable”:
– Assess reasonableness of specification.
– If spec is reasonable, implement it.
– If spec is not reasonable,
  • Document why it is not reasonable (e.g., size, cost, risk factors, etc.), and
  • Implement alternative if reasonable.

• Must review and modify as needed.

Page 31: HIPAA Update

Administrative Safeguards

1. Security management process
2. Assigned security responsibility
3. Workforce security
4. Information access management
5. Security awareness and training
6. Security incident procedures
7. Contingency plan
8. Evaluation
9. Business associate contracts

Page 32: HIPAA Update

Physical Safeguards

1. Facility access controls
2. Workstation use
3. Workstation security
4. Device and media controls

Page 33: HIPAA Update

Technical Safeguards

1. Access controls
2. Audit controls
3. Integrity of e-PHI
4. Person or entity authorization
5. Transmission security

Page 34: HIPAA Update

Data Privacy and Security

Page 35: HIPAA Update

Risk Analysis

• Security rule requires that covered entities and business associates “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of [ePHI]…” (45 CFR 164.308(a)).
– Frequently cited in recent violations.

• Periodically reevaluate analysis.
– New systems or equipment.
– Every few (very few?) years.
– Include mobile devices.

Page 37: HIPAA Update

Risk Analysis

• Additional materials are available at www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/securityruleguidance.html
– Final Guidance on Risk Analysis
– OCR Guidance re Risk Analysis
– NIST Publications

Page 39: HIPAA Update

Encryption

• Encryption is an addressable standard per 45 CFR 164.312:
– (e)(1) Standard: Transmission security. Implement technical security measures to guard against unauthorized access to [ePHI] that is being transmitted over an electronic communications network.
– (2)(ii) Encryption (Addressable). Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.

• ePHI that is properly encrypted is “secured”.
– Not subject to breach reporting.

• OCR presumes that loss of an unencrypted laptop, USB, or mobile device is a breach.

Page 41: HIPAA Update

Communicating by E-mail or Text

• HIPAA Privacy Rule allows resident to request communications by alternative means or at alternative locations. (45 CFR 164.522(b))
– Including unencrypted e-mail or text.

• Omnibus Rule commentary states that covered entity or business associate may communicate via unsecured e-mail so long as they warn resident of risks and resident elects to communicate via unsecured e-mail or text. (78 FR 5634)

Page 44: HIPAA Update

Business Associates

Page 45: HIPAA Update

Business Associates

• Entities that create, receive, maintain, or transmit PHI on behalf of a covered entity to perform:
– A function or activity regulated by HIPAA (e.g., healthcare operations, payment, covered entity function), or
– Certain identified services (e.g., billing or claims management, legal, accounting, or consulting services).
– Health information organizations and e-prescribing gateways.
– Data transmission companies if they routinely access PHI.
– Data storage companies (e.g., cloud computing, off-site storage facilities) even if they do not access PHI.
– Patient safety organizations.

• Subcontractors of business associates.

• Covered entities acting as business associates.

(45 CFR 160.103; 78 FR 5570-75)

Page 46: HIPAA Update

Business Associates

Business Associates:
• Management company
• Billing company
• EMR / IT specialist
• Consultant
• Accountant
• Attorney
• Malpractice insurer
• Interpreters
• Data storage entities
• Data transmission services if they have routine access to info
• Subcontractors of the foregoing

NOT Business Associates:
• Workforce members, i.e., if you have right to control
• Other providers when they are providing treatment
• Members of organized healthcare arrangement
• Insurance companies unless acting for you
• Mere conduits of information, e.g., mailman
• Janitors

Page 47: HIPAA Update

Business Associate Agreements (“BAA”)

Page 48: HIPAA Update

[Diagram: Covered Entity (Healthcare Provider or Health Plan) <-BAA-> Business Associate <-BAA-> Subcontractor(s)]

• Covered Entity must ensure there is a BAA with the Business Associate.

• Business Associate must ensure there is a BAA with each Subcontractor.

• Subcontractor BAA must mirror the BAA with the covered entity.

Page 50: HIPAA Update

BAA Required Terms

• Identify permitted uses and disclosures.

• Prohibit use or disclosure of PHI in a manner that would violate the HIPAA rules.

• Require business associate to cooperate with covered entity in fulfilling covered entity’s duties.

• Allow for termination in event of breach.

• Others.

(45 CFR 164.504(e))

Page 51: HIPAA Update

BAA: Pro-Covered Entity Terms

• Covered entities may want to add these terms:
– Business associate must report or act within x days.
– Business associate must implement policies.
– Business associate must encrypt or implement other safeguards.
– Business associate must carry data breach insurance.
– Business associate notifies individuals of breaches and/or reimburses covered entity for costs of the notice.
– Business associate defends and indemnifies for losses, claims, etc.
– Business associate is an independent contractor, not agent.
– Business associate assumes liability for subcontractors.
– Allow termination of underlying agreement.
– Must have consent to operate outside the United States.
– Covered entity has right to inspect and audit.
– Cooperate in HIPAA investigations or actions.

Page 52: HIPAA Update

BAA: Pro-BA Terms

• Business associates probably want to add these terms:
– Covered entity will not disclose PHI unless necessary.
– Covered entity will not request action that violates HIPAA.
– Covered entity will not agree to restrictions on PHI that will adversely affect business associate.
– Covered entity will notify business associate of all such restrictions.
– Covered entity will reimburse for additional costs.
– Blanket reporting for security incidents.
– Specify business associate does not maintain designated record set.
– Reserve the right to terminate based on restrictions or other change that adversely affects business associate.
– Subcontractors are independent contractors, not agents.
– Mutual indemnification.
– Limitation or cap on damages.

Page 53: HIPAA Update

Liability for Business Associates

Page 54: HIPAA Update

Liability for Business Associate

• Covered entity or business associate violates HIPAA if it:
– Knew of a pattern of activity or practice of the business associate/subcontractor that constituted a material breach or violation of the business associate’s/subcontractor’s obligation under the contract or other arrangement;
– Failed to take reasonable steps to cure the breach or end the violation, as applicable; or
– Failed to terminate the contract or arrangement, if feasible.

(45 CFR 164.504(e)(1))

Page 55: HIPAA Update

Liability for Business Associate

• Covered entity or business associate is liable, in accordance with the Federal common law of agency, for the acts or omissions of a business associate/subcontractor acting within the scope of the agency. (45 CFR 160.402(c))

• Test: right or authority of a covered entity to control the business associate’s conduct.
– Contract terms.
– Right to give interim directions or control details.
– Relative size or power of the entities.

• Maintain independent contractor status! (78 FR 5581-82)

Page 56: HIPAA Update

Responding to a Breach

Page 57: HIPAA Update

Responding to Breach

• Timely response important because:
– Required to mitigate breach.
– May minimize risk that data is compromised and avoid breach notification requirements.
– May avoid penalties if you do not act with willful neglect and correct the situation within 30 days.

• Train employees to report immediately.

• Sanction workforce members for violations.

• Document your actions.

Page 58: HIPAA Update

Responding to a Breach

• If you think there is a breach:
– Act immediately to stop disclosure and retrieve PHI.
– Confirm scope of breach.
  • Persons who may have received PHI.
  • Type of PHI involved.
  • Additional redisclosures.
– Obtain confirmation from recipient[s] that they have not and will not further use or disclose the info, and warn them of penalties.
– Document in writing, e.g., letter to recipients.

Page 60: HIPAA Update

Breach Notification

• If there is a “breach” of “unsecured PHI”:
– Covered entity must notify:
  • Each individual whose unsecured PHI has been or is reasonably believed to have been accessed, acquired, used, or disclosed.
  • HHS.
  • Local media, if breach involves > 500 persons in a state.
– Business associate must notify covered entity.

(45 CFR 164.400 et seq.)

Page 61: HIPAA Update

“Secured” PHI

Currently, only two methods to secure PHI:

• Encryption of electronic PHI
– Transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key.
– Notice provides processes tested and approved by Nat’l Institute of Standards and Technology (NIST).

• Destruction of PHI.
– Paper, film, or hard copy media is shredded or destroyed such that PHI cannot be read or reconstructed.
– Electronic media is cleared, purged or destroyed consistent with NIST standards.

• Guidance updated annually. (74 FR 42742 or www.hhs.gov/ocr/privacy)

Page 62: HIPAA Update

“Breach” of Unsecured PHI

• Acquisition, access, use or disclosure of PHI in violation of the privacy rules is presumed to be a breach, unless an exception applies or the covered entity or business associate demonstrates that there is a low probability that the info has been compromised based on a risk assessment of the following factors:
– nature and extent of PHI involved;
– unauthorized person who used or received the PHI;
– whether PHI was actually acquired or viewed; and
– extent to which the risk to the PHI has been mitigated.

(45 CFR 164.402)

Page 63: HIPAA Update

“Breach” of Unsecured PHI

• “Breach” excludes the following:
– Unintentional acquisition, access or use by workforce member if made in good faith, within scope of authority, and PHI not further disclosed in violation of HIPAA privacy rule.
– Inadvertent disclosure by authorized person to another authorized person at same covered entity, business associate, or organized health care arrangement, and PHI not further used or disclosed in violation of privacy rule.
– Disclosure of PHI where covered entity or business associate has good faith belief that unauthorized person receiving info would not reasonably be able to retain info.

(45 CFR 164.402)

Page 64: HIPAA Update

“Breach” of Unsecured PHI

• Determine the probability that the data has been “compromised” by assessing:
1. Nature and extent of PHI involved, including types of identifiers and the likelihood of re-identification.
2. Unauthorized person who used PHI or to whom disclosure was made.
3. Whether PHI was actually acquired or viewed.
4. Extent to which the risk to the PHI has been mitigated.
5. Other factors as appropriate under the circumstances.

(45 CFR 164.402)

Page 65: HIPAA Update

Breach Notification: Summary

• No breach notification required if:
– No privacy rule violation
  • “Incidental” disclosures are not violations.
– PHI is “secured”
  • Encrypted per HHS standards.
– Exception applies
  • Unintentional internal disclosure and no re-disclosure.
– Low probability that data has been compromised based on:
  • Nature of PHI disclosed.
  • Person who received the PHI.
  • Whether PHI actually viewed.
  • Mitigation.

Page 66: HIPAA Update

Hypothetical

• Your facility faxed a resident’s medical records to the wrong physician’s office. A records clerk at the other physician’s office called to alert you to same. The clerk confirmed that they would shred the info. The record contains the following info:
– Name
– Diagnosis
– Description of care
– Other similar info

Page 67: HIPAA Update

Hypothetical

• The family of one of your residents maintains a Facebook page in which she shares information about the resident. One of your CNAs, who is close to the family, posted comments about the resident on the page, including info that confirms the resident is in your facility and her general condition.

Page 68: HIPAA Update

Hypothetical

• Your social services director routinely photographs residents engaging in activities and posts the photos on your website as well as on a bulletin board in the facility. The photos simply show the residents engaged in activities, but do not include names.

Page 69: HIPAA Update

Hypothetical

• You are missing an unencrypted laptop or USB containing the following info concerning residents:
– Name
– Birthdate
– Account number
– Dates of service
– Diagnosis

Page 70: HIPAA Update

Breach Notification

• According to HHS, the following constitutes “willful neglect”, requiring mandatory penalties: “A covered entity’s employee lost an unencrypted laptop that contained unsecured PHI…. [T]he covered entity feared its reputation would be harmed if info about the incident became public and, therefore, decided not to provide notification as required by 164.400 et seq.” (75 FR 40879)

• Beware missing PHI or devices containing PHI.

Page 71: HIPAA Update

Breach Notification

If breach is reportable, notify:

• Individual
– No more than 60 days from discovery.
– By mail.
– Contain required elements.

• HHS
– If < 500 persons, by March 1 of next year.
– If > 500 persons, no more than 60 days from discovery.
– Electronic report from OCR website www.hhs.gov/ocr/privacy/hipaa/administrative/brinstructions.html.

• Media if breach > 500 persons in a state.

(45 CFR 164.400 et seq.)

Page 72: HIPAA Update

Breach Notification

• New breach reporting portal requires additional info.

• If you wait to report, ensure you are tracking required info.

Page 73: HIPAA Update

Avoiding HIPAA Problems

HIPAA Top 10 List

Page 74: HIPAA Update

HIPAA Action Items

1. Assign and document HIPAA responsibility.
  • Privacy officer
  • Security officer
2. Ensure the officers understand the rules.
3. Review security rule compliance.
  • Conduct and document security risk assessment.
  • Beware electronic devices.
4. Ensure you have required policies.
  • Privacy rule.
  • Security rule.
  • Breach notification rule.

Page 75: HIPAA Update

HIPAA Action Items

5. Develop and use compliant forms.
  – Authorization, privacy notice, patient requests, etc.
6. Execute BAAs with business associates.
  – Ensure they are independent contractors.
  – Follow up if there are problems with business associate.
7. Train members of workforce and document training.
  – Upon hiring.
  – Periodically thereafter.
8. Use appropriate safeguards.
  – Confidentiality agreements with workforce members.
  – Reasonable administrative, technical and physical safeguards.

Page 76: HIPAA Update

HIPAA Action Items

9. Respond immediately to any potential breach.
  – Immediately take appropriate steps to mitigate.
  – Retrieve PHI.
  – Obtain assurances of no further use or disclosure.
  – Warn of penalties for violations.
  – Investigate facts to determine if there was a reportable breach.
  – Sanction workforce member as appropriate.
  – Implement corrective action, additional training, etc.
  – Document foregoing.
10. Timely report breaches as required.
  – To patient or personal representative.
  – To HHS.

Page 77: HIPAA Update

Remember your employee benefit plan

• HIPAA applies to employee benefit plans if:
– Administered by a third party, or
– Have 50+ participants.

• Employee benefit plan must comply with HIPAA
– Required policies.
– Required notices.
– Others.

Page 78: HIPAA Update

Additional Resources

Page 80: HIPAA Update

HIPAA Resources

• OCR website: www.hhs.gov/ocr/hipaa
– Regulations
– Summary of regulations
– Frequently asked questions
– Guidance regarding key aspects of privacy rule
– Sample business associate agreement
– Breach notification to HHS portal

• OCR listserve
– Notice of HIPAA changes

Page 81: HIPAA Update

Holland & Hart Resources

• Available on our website
– Checklists
  • Privacy rule
  • Security rule
  • Omnibus rule
  • Notice of privacy practices
  • Business associate agreements
  • Authorization
– Practice guides

• Free webinars

• Free client alerts

• Sample privacy policies

To receive these, contact me at kcstanger@hollandhart.com

Page 82: HIPAA Update

Questions?

Kim C. Stanger
Holland & Hart LLP

kcstanger@hollandhart.com

(208) 383-3913