www.mcguirewoods.com
Key Legal Issues in EMR, EMR Subsidy and HIPAA and Privacy Issues
July 27, 2016
McGuireWoods | 2
CONFIDENTIAL
Introductions
Holly Carnell
McGuireWoods LLP
312-849-3687
Meggan Bushee
McGuireWoods LLP
704-343-2360
Key Legal Issues in EMR, EMR Subsidy and HIPAA and Privacy Issues: Part 1
Part 1 Agenda
• Review of HIPAA and the HITECH Act
– What are HIPAA and the HITECH Act?
– Who do these laws apply to?
• Business Associates
– What are Business Associates?
– Pitfalls of Business Associates
– Diligence of Business Associates
– Business Associate Agreements
• 2015/2016 HIPAA Enforcement Actions
“No, it's not a female Hippopotamus, anyone else know?”
Cartoon by Dave Harbaugh
Recap of HIPAA and the HITECH Act
What is HIPAA?
• HIPAA stands for the Health Insurance Portability & Accountability Act of 1996.
• Provides a framework for the establishment of standards to protect patient confidentiality, to ensure the security of electronic systems, and to facilitate the secure electronic transmission of health information.
• HIPAA creates a federal privacy floor (minimum requirement)
– Must comply with the more restrictive of HIPAA or state law
• Covered Entities and Business Associates are required to comply with HIPAA.
Core Elements of HIPAA
HIPAA has four key parts:
• The Privacy Rule – establishes patients’ privacy rights and addresses the use and disclosure of protected health information (“PHI”) by covered entities and business associates.
• The Security Rule – requires the adoption of administrative, physical, and technical safeguards to protect electronic PHI (“ePHI”).
• The Breach Notification Rule – requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured PHI.
• The Enforcement Rule – establishes both civil monetary penalties and federal criminal penalties for the knowing use or disclosure of PHI in violation of HIPAA.
What is the HITECH Act?
• The HITECH Act (“Health Information Technology for Economic and Clinical Health Act of 2009”, part of the “American Recovery and Reinvestment Act of 2009”) expanded the scope of HIPAA
• HITECH made changes to HIPAA in these areas:
– Breach Notification Rules
– Increased Penalties
– Mandated Audits by Office of Civil Rights
– More rights for individual patients
– Directly applied the Security Rule and certain aspects of the Privacy Rule to Business Associates
Who Must Comply?
• Covered Entities
– Health Care Providers
• Hospitals
• Physician practices
• Laboratories
• Pharmacies
– Health Plans
• Health insurance issuers
• HMOs
• Group Health Plans
• Medicare, Parts A and B
• Medicare + Choice
• Medicaid
• Includes employer-sponsored health plans
– Health Care Clearinghouses
• Billing companies
• Business Associates
– Persons or organizations that perform certain functions or activities on behalf of, or provide certain services to, a Covered Entity that involve the use or disclosure of protected health information (PHI)
• Includes downstream contractors
Business Associates
Who is a Business Associate?
• An individual or entity that provides services on behalf of the Covered Entity or another business associate that require the entity to create, receive, maintain, or transmit protected health information (PHI).
– Includes downstream contractors
• Examples:
– Billing companies
– IT consultants
– Law firms
– PHI disposal companies
– Transcriptionists
– Hosting companies
Who is NOT a Business Associate?
• When the services performed are not for or on behalf of a Covered Entity
• The postal service or wireless carrier where PHI is transferred across the country or the network, as applicable
– Deemed a “mere courier” of PHI
• Payors, where a provider sends PHI for purposes of receiving reimbursement
• Persons receiving PHI inadvertently, e.g., a person or vendor that overhears PHI while on-site at a client’s health care facility
• A provider, where another provider sends PHI for treatment of an individual
Pitfalls with Business Associates
• When a Business Associate violates a material term of a BAA, the covered entity still must take reasonable steps to cure the breach
• If unsuccessful in curing the breach, the covered entity must terminate the BAA
• Business associates may have less concern for the privacy and security of a covered entity’s PHI because they are further removed
• It is the covered entity’s reputation and patient relationships on the line
Importance of Protecting ePHI
• The principal goal of every health care provider and every health insurer, from a privacy and security perspective, is to avoid a data breach.
• In turn, this becomes the goal of every business associate, and every downstream contractor, that creates, receives, maintains or transmits PHI on behalf of a covered entity.
• Despite these objectives, CEs and BAs often know very little about the downstream entities to whom they are entrusting data.
– What security safeguards have they implemented?
– What is the company’s operating history?
– Are they passing on data to subcontractors?
– Are they housing data offshore?
Proper Diligence of Business Associates
• Often see Business Associates that have taken no steps towards HIPAA compliance
• Start by conducting diligence on the Business Associate’s compliance
• Seek references from other clients
• Ask questions of leadership
• Consider a third-party review of the Business Associate’s compliance with HIPAA
• Need to assess the vendor’s compliance in light of the work they will be doing and the extent of PHI involved
Conducting Effective Vendor Due Diligence
• Key Administrative Safeguards and Requirements (45 CFR 164.308; 45 CFR 164.530)
– Does the vendor have a HIPAA Privacy Officer and a Security Official to implement and oversee HIPAA-related policies and procedures?
– Does the vendor have policies and procedures that comply with the Privacy Rule and Security Rule?
– The CE should ask for either a copy of the policies and procedures or a narrative description of their contents.
Conducting Effective Vendor Due Diligence
• Security Risk Assessments (45 CFR 164.308(a)(1)(ii))
– Has the vendor conducted a risk assessment in accordance with the HIPAA Security Rule?
– The CE or BA should request information regarding the vendor’s most recent risk assessment and ensure that the vendor has a policy requiring the periodic performance of risk assessments.
Conducting Effective Vendor Due Diligence
• Security Training (45 CFR 164.308(a)(5); 45 CFR 164.530(b)(1))
– Does the vendor conduct HIPAA compliance training for its workforce, and in particular for workforce members who have access to ePHI?
• The Security Rule requires CEs and BAs to implement security awareness and training programs for all members of their workforce (including management).
– How often does the vendor conduct training and who is required to participate?
Conducting Effective Vendor Due Diligence
• Data Security Implementation Specifications (45 CFR 164.308-312)
– What is the vendor’s password management policy?
– What is the vendor’s data encryption policy?
– What is the vendor’s policy regarding portable media?
– Does the vendor have a data backup plan and a disaster recovery plan?
Conducting Effective Vendor Due Diligence
• Response and Reporting (45 CFR 164.308(a)(6))
– Does the vendor have a protocol for investigating and responding to actual or potential breaches of ePHI?
• The Security Rule requires the implementation of policies and procedures to “identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the [CE or BA]; and document security incidents and their outcomes.”
– The CE or BA should review a copy of the vendor’s breach protocol or obtain a description of their breach identification and response processes.
Conducting Effective Vendor Due Diligence
• Subcontractors
– Does the vendor use one or more subcontractors in connection with the services provided to the CE?
– If so, the CE should determine whether these subcontractors will have access to ePHI and request information as to how the BA will evaluate the security and privacy practices of each subcontractor prior to retention.
– In general, BAs and BA subcontractors that store or transmit ePHI outside of the CE’s own IT infrastructure present more risk than BAs or subcontractors that simply access data on the premises of the CE or within the CE’s information systems (cloud provider vs. software vendor).
Business Associate Agreements
• A covered entity and a business associate are required to enter into a written agreement referred to as a “Business Associate Agreement.”
• The Business Associate Agreement provides that the business associate will safeguard individuals’ PHI when it is in the business associate’s possession.
• The Business Associate Agreement must provide for termination by the non-breaching party in the event of a violation that is not cured.
• This is different from an NDA or other confidentiality agreement.
• Any use or disclosure of an individual’s PHI by the business associate must be within the scope of the Business Associate Agreement and the HIPAA Privacy Rule.
• Includes regulatory requirements and negotiated provisions
Negotiating with Business Associates
• Covered Entities can protect themselves against breach by a Business Associate with certain strategies
– Pre-contract diligence
– Audit rights; annual review of vendors
– Require consent for downstream subcontractors
– Indemnification
– Insurance
– Covenant to encrypt PHI
– Return or destruction of PHI; certifications
– Restrictions on offshore use/access/disclosure of PHI
HIPAA and Business Associate Enforcement Actions
Raleigh Orthopaedic Clinic, P.A. (April 2016)
• Raleigh Orthopaedic Clinic, P.A. – April 20, 2016
– Agreed to settle potential violations for $750,000
– The practice had released x-ray films and related PHI of 17,300 patients to a vendor for them to transfer the images to electronic media.
– Failed to execute a business associate agreement with the vendor!
– “HIPAA’s obligations on covered entities to obtain business associate agreements is more than a mere check-the-box paperwork exercise. It is critical for entities to know to whom they are handling PHI and to obtain assurances that the information will be protected,” said OCR Director Jocelyn Samuels.
North Memorial Healthcare (March 2016)
• North Memorial Healthcare of Minnesota – March 2016
– Agreed to settle potential violations of HIPAA for $1.55 million
– Theft of an unencrypted laptop from a business associate’s locked vehicle
– No business associate agreement with a vendor that had access to North Memorial’s patient database!
Triple-S Management Corp. (November 2015)
• Triple-S Management Corp. – November 30, 2015
– Triple-S (formerly American Health Medicare, Inc.) agreed to settle potential violations of HIPAA for $3,500,000.
– Triple-S made multiple breach notifications to OCR, which resulted in an investigation.
– Failure to conduct an accurate and thorough risk analysis.
– Failure to have appropriate BAAs in place with vendors.
– Failure to implement appropriate security safeguards.
– “OCR remains committed to strong enforcement of the HIPAA Rules,” said OCR Director Jocelyn Samuels. “This case sends an important message for HIPAA Covered Entities not only about compliance with the requirements of the Security Rule, including risk analysis, but compliance with the requirements of the Privacy Rule, including those addressing business associate agreements and the minimum necessary use of protected health information.”
Senior Health Partners Business Associate Breach (January 2015)
• Senior Health Partners’ business associate Premier Home Health caused the breach
• A Registered Nurse working for Premier Home Health had her laptop and smart phone stolen
• The laptop was encrypted, but the encryption key was stolen with the laptop, and the phone was not password protected or encrypted
– Contained “potentially accessible” e-mail containing ePHI
• Result:
– 2,700 members of Senior Health Partners affected
– Senior Health Partners forced to contact all health plan members who were affected
Part 2 Agenda
• EMR/IT System Enforcement Actions
– EMR Data Security Risks
• Other Data Security Hot Topics
– Text Messaging
– Social Media
EMR/IT System Enforcement Actions
EMR Data Security Risks
• Open workstations/EMR terminals
– Workstations left unattended and the station does not log the user out
– Users not informed or forget to log out immediately after use
• Improper deletion of information on previously used equipment
• Data governance issues
• Personal devices (laptops, tablets, and smartphones)
– Devices containing PHI are stolen
– Failure to destroy or delete all information before disposal/re-use of the device
– One of the most common ways for an ePHI breach
• Lack of encryption
– Use encryption so that even if ePHI is lost on something like a device, it is undecipherable and unusable
• Malicious software
Security Rule Compliance
• University of Washington Medicine – December 14, 2015
– UWM agreed to settle potential violations of HIPAA for $750,000.
– Potential violations of the Security Rule were discovered after a UWM breach report that ePHI of 90,000 patients was accessed after an employee downloaded an email attachment containing malware that compromised the UWM IT system.
– “All too often we see covered entities with a limited risk analysis that focuses on a specific system such as the electronic medical record or that fails to provide appropriate oversight and accountability for all parts of the enterprise,” said OCR Director Jocelyn Samuels. “An effective risk analysis is one that is comprehensive in scope and is conducted across the organization to sufficiently address the risks and vulnerabilities to patient data.”
Encryption
• Cancer Care Group PC – September 2, 2015
– Cancer Care Group agreed to settle potential violations of HIPAA for $750,000.
– An employee’s laptop was stolen and accessed; it contained PHI for 55,000 patients.
– Failure to conduct a company-wide risk analysis following the breach.
– No policies dealing with the removal of hardware and electronic media.
– “Proper encryption of mobile devices and electronic media reduces the likelihood of a breach of protected health information,” said OCR Director Jocelyn Samuels.
UCLA Health Breach (July 17, 2015)
• Four-hospital UCLA Health was attacked by cyber criminals, potentially starting as early as September 2014
• Suspicious activity on the network was discovered in October 2014, but not until May 5, 2015 did UCLA realize attackers had access to its system
• UCLA cannot yet tell if information was physically moved from the system
• Result:
– The medical records of an estimated 4.5 million people were potentially exposed
– Hackers had access to the part of the system where records could be accessed
St. Elizabeth’s Medical Center Enforcement Action (settled July 2015)
• SEMC is a tertiary care hospital offering inpatient and outpatient services
• OCR received a complaint alleging workforce members used an internet-based document sharing application to store documents containing ePHI of 498 individuals
– SEMC did not analyze the risks associated with such practice
• SEMC failed to timely identify and respond to the incident, mitigate its harmful effects, and document it and its outcome
• Resolution:
– Settlement of $218,400 with HHS
– SEMC must also institute a corrective action plan to cure gaps in the organization’s HIPAA compliance program
Three Principles
1. All it takes is a phone and the press of a button to
cause a HIPAA Breach
2. News travels in an instant
3. Retrieval of PHI is almost always impossible
Texting Issues
• Unable to verify identity of sender or receiver
• Unable to keep original message to verify order
• No assurance of delivery – dependent on phone service
• Important to complete a risk assessment to determine whether texting fits into the overall security profile
• Telling doctors not to text will probably not resolve the issue – need to evaluate alternatives
Texting Issues
• Joint Commission: “not acceptable for physicians or licensed independent practitioners to text orders for patients to the hospital or other healthcare provider setting.”
• Need to consider how this fits into the electronic medical record
• Patient may be entitled to an accounting of disclosures
Patients are making Healthcare decisions based upon Social Media Information
In a survey of more than a thousand consumers, more than two-fifths of individuals said social media affected their choice of a provider or organization. Forty-five percent said it impacted their decision to seek a second opinion; 34 percent said it influenced their decisions regarding medication selection and 32 percent said it would impact their choice of a health insurance plan.
Source: PWC and HRI Social Media Consumer Survey, 2012
Benefits of Social Networking in Healthcare
• Single biggest risk is failure to participate
• Era of accountable care will require new strategies to engage patient populations and to manage population health
• Tools for collaboration and support with key internal and external customers
• Opportunities to build and support your brand
Risks of Social Media
• Safety and security of patient information
• Discoverability and liability
• Patient consent issues
• Employment issues including administrative bullying
• Physician credentialing and licensing issues
• Boundary violations
• Ethical issues regarding the use of social media
Current Privacy Issues Caused by New Technology
• Comments about patient care or clinical situations on
• BLOGS about patient safety in hospitals
• TWEETS about cutting edge procedure in OR
• VIDEO of consent process, postoperative instructions or procedure on YOUTUBE
• EMAILS between providers regarding patient care or incident
• VIDEO of patient taken by family member on YOUTUBE
• PHOTOS that intentionally or inadvertently disclose patient information
Dr. Tran
• Physician posted information about a patient on Facebook – no name, but enough information to identify the patient
• OUTCOME:
– Fired by hospital
– Reprimanded by licensure board for “unprofessional conduct”
Do I “Need” a Social Media Policy?
• Purposes of a social media policy:
– Educate on proper uses of social media
– Establish guidelines to protect patient rights
– Reduce liability for the provider organization and its employees
– Reduce risk of “willful neglect”
• However, a social media policy will not absolve all liability in the event of a significant breach
• Who should be involved in creating and maintaining the policy?
Elements of a Social Media Policy
• Definition of “social media”
• Guidelines for use of social media
• Penalties for HIPAA violations
• Address “rogue employee” conduct
• Provide for appropriate training at regular intervals
• Review of existing HIPAA-compliant communications policies & procedures
• Consistency and strict enforcement
• NLRB Guidance
• Review and revision of policy periodically
Strategies to reduce liability
• Block access to social networking sites
• Develop policies and procedures
• Educate staff on policy and implications
• Routinely monitor the online presence of staff
• Define and disseminate information regarding disciplinary action for inappropriate use
– On hospital network; or
– From PDA
• Enforcement of policies
Questions or Comments?