TRANSCRIPT
©2017 DAVIS BROWN KOEHN SHORS & ROBERTS P.C.
Overview of HIPAA and Other Privacy
and Security Laws in Health Care
Craig Sieverding
Davis Brown Law Firm
Outline
• HIPAA fundamentals
– Privacy Rule, with a focus on uses and disclosures of health information
– Security Rule
– Breach Notification Rule
– Enforcement Rule
• Other Privacy and Security Rules
– Which may provide greater protections for health information
Why Is Privacy Important in Health Care Today?
• Privacy and security of health information is a grave concern
– To patients, the public and regulators
• Medicine is and remains data driven
– Emerging technology in health care today (e.g. telemedicine, mobile health devices)
• Increased threat of data breaches and ransomware
• One solution = Good compliance to identify and mitigate risk
HIPAA
• Health Insurance Portability and Accountability Act (HIPAA) (1996)
– Title 2 = administrative simplifications, including security standards and privacy
– Strengthened through HITECH (2009), which incl. breach notification and enforcement
• Generally speaking, these are the federal confidentiality provisions relating to health information
The Four “Rules” of HIPAA
• Privacy Rule (2002)
– Use and disclosure of health information
– A patient’s rights in health information
• Security Rule (2003)
– Safeguarding electronic health information
• Notification (2009)
– Notification of breach of health information
• Enforcement (2009)
– Agency enforcement and penalties for violations with health information
When Does HIPAA Govern Health Information?
• HIPAA does not govern the use and disclosure of all health information
– E.g., patients can share their health information with employers; employers can share internally
• Need to ask two basic questions:
– Who? What type of entity / individual is using or disclosing the information?
– What? What information is such entity using or disclosing?
Who Is Governed by HIPAA?
• “Covered Entities”
– Health care providers
– Health plans
– Health care clearinghouses
• Business Associates
Business Associates
• Who is a Business Associate?
– A person who performs a function or activity on behalf of a Covered Entity, whose work involves the use/disclosure of PHI
• Claims processing
• Data analysis
• Billing and coding services
– Note: Business Associates can have subcontractors who, by extension, are its “business associates”
Exceptions -- Who’s Not a Business Associate?
• Healthcare providers when receiving PHI for treatment
• “Conduits”
– Entities that pass on PHI but have no way to access, store or utilize it
– E.g., the US Postal Service
Business Associate Agreements (BAAs)
• Covered Entity has to obtain “satisfactory assurances” from Business Associate regarding the safeguarding of PHI
– Need a Business Associate Agreement
• Contains several specific provisions regarding data privacy and security
– Note: What if non-BA such as a provider receives your PHI?
• Can get data-use agreements for security and other assurances
Liability of Business Associates
• Business Associates are directly liable for
– Impermissible uses and disclosures
– Failure to notify the Covered Entity of a breach
– Failure to provide for certain patient rights (e.g. access to ePHI or accounting)
– Violation of HIPAA security rule
– Breach of BAA
Monitor Business Associates
• If a Covered Entity knows that a Business Associate’s activity constitutes a material HIPAA breach
– Take reasonable steps to cure the breach or end the violation
– If such steps were unsuccessful, have to terminate the relationship
What Information Is Protected?
• HIPAA governs “protected health information” or “PHI,” which is information that
– Relates to physical or mental condition of individual, provision of care to individual, or payment for health care
– Identifies or reasonably could be used to identify patient
De-Identification
• If common identifiers removed (“de-identification”), HIPAA does not apply
– Remove 18 identifiers and have no reason to believe that the individual could be identified
• Names, geographical info (smaller than state), telephone numbers, birth date
• Dates of service (smaller than year)
• SSN, MRN, account numbers
– Note: Also can use expert determination that certain data set has very low risk
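An added example, not from the presentation, that applies the identifier removals listed on this slide (names, geography below state level, dates below year level, telephone numbers, SSN, MRN, account numbers) to a flat patient record and then re-checks the result. The field names and the sample record are constructed for this example and cover only the categories the slide names, not every Safe Harbor identifier.

```python
"""Added example (not the presentation's own material): strip the identifier
categories the slide lists from a flat patient record, reduce dates to the
year and geography to the state, then re-check for anything identifying.

Assumptions: field names below are constructed for this example and cover
only the categories named on the slide; free-text fields are scanned for
SSN and telephone patterns as a residual check."""
import re
from datetime import date


DIRECT_IDENTIFIERS = {"name", "phone", "ssn", "mrn", "account_number"}
GEO_BELOW_STATE = {"street", "city", "zip"}    # "state" itself may stay
DATE_FIELDS = {"birth_date", "service_date"}    # reduced to the year only

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
PHONE_RE = re.compile(r"\b\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}\b")
ISO_YEAR_RE = re.compile(r"^(\d{4})-\d{2}-\d{2}$")


def year_only(value):
    """Keep only the year of a date object or an ISO 'YYYY-MM-DD' string."""
    if isinstance(value, date):
        return value.year
    m = ISO_YEAR_RE.match(str(value))
    return int(m.group(1)) if m else None


def scrub_text(text: str) -> str:
    """Redact SSN and phone patterns that leak into free text (e.g. notes)."""
    text = SSN_RE.sub("[SSN]", text)
    return PHONE_RE.sub("[PHONE]", text)


def deidentify(record: dict) -> dict:
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS or key in GEO_BELOW_STATE:
            continue                      # drop the field entirely
        if key in DATE_FIELDS:
            out[key + "_year"] = year_only(value)
            continue
        out[key] = scrub_text(value) if isinstance(value, str) else value
    return out


def residual_identifiers(record: dict) -> list:
    """Fields that still look identifying. The slide's test is 'no reason to
    believe the individual could be identified', so run this on the output
    of deidentify() as a second check, not only on the raw record."""
    hits = []
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS or key in GEO_BELOW_STATE or key in DATE_FIELDS:
            hits.append(key)
        elif isinstance(value, str) and (SSN_RE.search(value) or PHONE_RE.search(value)):
            hits.append(key)
    return hits


# Constructed sample record (fictional values).
SAMPLE = {
    "name": "Jane Q. Sample", "ssn": "123-45-6789", "mrn": "MRN-0001",
    "account_number": "ACCT-42", "phone": "515-555-0100",
    "street": "1 Example St", "city": "Des Moines", "zip": "50309", "state": "IA",
    "birth_date": date(1980, 5, 17), "service_date": "2016-11-03",
    "diagnosis": "J45.20",
    "notes": "Patient called from 515-555-0100; SSN on file 123-45-6789.",
}
```

The residual check is the part worth keeping in a pipeline: it catches identifiers that slipped into free-text fields, which a field-name based strip alone never sees.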
Other “Health Information” Not Covered by HIPAA
• Deceased Patients
– Information of patient who has been dead for fifty (50) years is no longer protected
• This does not mean that a provider has to keep records for 50 years; use record retention policy
• Information maintained in capacity other than as a provider
– Employer / human resources (e.g. return-to-work information)
The Privacy Rule (recap)
• Required and permitted uses and disclosures
• Notice of privacy practices
• Patient rights
• Also ….
– Develop policies and procedures
– Training of workforce
– Appointing Privacy Officer
Required and Permitted Disclosures
• Covered Entity may not use or disclose PHI, except as required or permitted
– HIPAA only requires disclosures in two instances
• To the individual (patient requests access)
• To the Secretary of HHS
– HIPAA permits uses and disclosures of PHI for multiple purposes
A Note on “Minimum Necessary”
• Disclosures generally limited to minimum amount necessary for the intended purpose
– Only use what you need
– Only disclose what the requestor needs
• Several exceptions
– To the individual
– For treatment purposes
Notice of Privacy Practices
• The notice to patients describing how a Covered Entity may use or disclose the patient’s PHI
– In plain English
– The Notice also
• Outlines the Covered Entity’s HIPAA obligations
• Identifies a patient’s rights
• Obtains permission to leave voice mail messages, talk to family members, use PHI for fundraising, etc.
Common Permitted Uses and Disclosures
• To the individual
– Requiring the individual to agree or object
• With authorization
• Treatment, payment and health care operations
• For certain safety or government and public policy reasons
To the Individual
• Patients have a right to their own protected health information
– Right to access
• May disclose to individual
– E.g., during treatment
– Note: Exception where disclosure may lead to harm of patient or others
Personal Representatives
• “Personal representatives” are treated as the “individual”
– Administrators or executors of a decedent’s estate
– Parents or legal guardians
• Sometimes questions as to who has legal custody (specifically for medical decisions)
• Professional judgment to deny (e.g. with reasonable belief of abuse or neglect)
Family & Friends
• May share PHI with family or friends in certain circumstances
• Capacity to make health care decisions?
– Yes: can share if family / friend is involved in care, unless patient objects
– No: can share if family / friend is involved in care, and if in the patient’s best interests
Facility Directory
• May disclose PHI in facility directory
– Limited to name, location and general condition
– Need to give patient notice (e.g. in Notice of Privacy Practices) and no objection
– Requestor asks patient by name
Patient Authorizes a Disclosure
• Core elements of an authorization:
– Who releases / who receives
– Scope of records (timeframe, type)
– Purpose of disclosure
– Expiration date
– Required statements
• Cannot condition treatment on authorization
• That information may be redisclosed
• That authorization is revocable
– Signature
Treatment
• For your own treatment purpose or for another health care provider’s treatment purposes
– E.g. continuity of care, referral to specialist, internal consult
– For mental health records, but not for psychotherapy notes
Payment
• Facilitate payment of the item/service
– E.g., data to insurance providers, data for payment, contract review, collection actions
Operations
• Administrative functions:
– Peer review, utilization review, statistical analysis and reporting
– Training health care and non-health care professionals
– Legal, consulting or billing assistance
Safety or Government and Public Policy Purposes
• May disclose PHI (without authorization)
– As required by law (reporting injuries, etc.)
– For judicial proceedings
– For law enforcement purposes
– About victims of abuse, neglect or domestic violence
– About decedents (to coroners, med examiners, funeral directors)
Required Reporting to Law Enforcement
• If required by law to report certain information, may disclose PHI containing such information
– Child and adult abuse
– Certain types of wounds and injuries
– Certain deaths in hospitals
– Gross deviations of licensure standards
– Certain threats to mental health providers
Duty to Warn / Protect
• Duty to warn / protect where there is reasonable cause to believe patient is dangerous to self or others
– Threat must be towards a specific identifiable victim
– The threat has to be believable; it should be explicit, not vague
Court Order
• May disclose in response to court or other administrative order
– Order issued by judge or judicial officer
– Including grand jury subpoena
– Note: Non-HIPAA consequences for not disclosing
Subpoena
• May disclose if requestor engaged in effort to notify patient or if requestor sought protective order
– Subpoena = usually signed by an attorney; commands someone to testify or to produce documents
– Note: Often not sufficient under other, more stringent protections
A Note on Workers’ Compensation
• Statutory requirement to provide copies of medical records
– Provide employer / insurance carrier the initial and final clinical assessment to help determine liability for payment
– Provide other records, with allowable cost, $20 for 1-20 pages; $20 plus $1 per page for 21-30 pages; etc.
Serious Threat of Harm
• May disclose PHI if good faith belief that disclosure
– Is necessary to prevent or lessen a serious and imminent threat
– To person able to prevent or lessen the threat, including law enforcement (so not just to law enforcement)
• Includes psychotherapy notes
Other Disclosures to Law Enforcement
• Crime victims
• Decedents
• Identification and Location
• Crime and Premises
Crime Victims
• May disclose information about crime victim if:
– Patient (the crime victim) agrees, or
– Patient unable to consent due to incapacitation or emergency and:
• Police need information to determine if someone other than patient committed a crime
• Immediate need for law enforcement action
• Disclosure is in best interest of the patient
Decedents
• Permitted to disclose PHI about decedent
– For the purpose of alerting law enforcement of the death of the individual
– If there is a suspicion that such death may have resulted from criminal conduct
Identification and Location
• Permitted to disclose to law enforcement certain information to identify or locate a suspect
– Name, date of birth, general condition, social security number, contact data
– NOT test results for substances, genetics, HIV/AIDS, blood tests
Crime on Premises
• Permitted to disclose evidence of criminal conduct if good faith belief that crime occurred on premises
– E.g., patient charges services on a stolen credit card
A Note on Marketing
• Generally need authorization to encourage use of service, unless
– Of service / product by covered entity
– For treatment of patient
– Case management (e.g. recommend other treatment)
• If provider receives money for marketing, then generally need authorization
• More latitude for fundraising, with opt-out in notice of privacy practices
Selling PHI?
• General rule = may not sell PHI to a third party without patient authorization
– Some common sense exceptions, e.g. part of sale of covered entity, for cost of transmittal of PHI (e.g. for disease reporting)
– Note: How then has big data monetized PHI? Not getting patient consent; using de-identified data and data from non-covered entities (e.g. fitbit, certain medical devices)
Special Treatment Under HIPAA – Psychotherapy Notes
• “Psychotherapy notes” only type of record with additional HIPAA protections
– Notes kept separate from a patient’s standard medical file
• Contents of counseling session
• Not medication prescription / monitoring, session times, clinical test results, etc.
– Requires specific consent
– No right of access
Patient’s Right to Access
• Patient has right to review / copy records
– Medical records (e.g., records used to make decisions about individuals)
– Billing records (incl. enrollment, payment, claims, management systems)
• Process
– Some form of verification required
– Accommodate options for access
– Timelines for production (generally 30 days)
– Fees to charge for records
Other Patients’ Rights to PHI?
• Patients have the right to …
– Receive an accounting of disclosures
– Amend incorrect data
– File a complaint
– Request restrictions
– And more …
Privacy of Treatment
• If an individual requests privacy regarding certain treatment and pays for that treatment out-of-pocket …
– Required to respect that request and may not provide that information even to the insurer
The Security Rule
• The Security Rule establishes national standards to protect ePHI
– Requiring appropriate reasonable safeguards to protect ePHI
• Administrative
• Physical
• Technical
– Covered entities and business associates must conduct risk assessments
Administrative Safeguards
• Assign security responsibilities
– Who is the Security Officer?
• Security management processes
– Measures to reduce risks
– Audits and responses?
• Security awareness and training
• Procedures for security incident responses
Physical Safeguards
• Facility access controls
• Workstation use
• Workstation security
• Device and media controls
Technical Safeguards
• Access control
• Audit controls
• Person or entity authentication
• Transmission security
Common Security Problems
• PHI left in high traffic areas
• Staff not aware of surroundings
• Improper destruction policies
• Theft / loss
Common Security Safeguards
• Limit access to computer and records
• Keep password secure and private
• Turn over or remove records from plain sight
• Pick up, remove or shred items and records
• Remind colleagues and co-workers to abide by security procedures and practices if see potential violations
• Report any HIPAA violations
• If transport PHI, keep safe and secure (not visible or accessible to others)
• Minimize the PHI forwarded to any third party
Breach Notification Rule
• Essentially a four-step inquiry as to whether a (potential) impermissible use is a reportable breach
– Was there an impermissible use or disclosure?
– Was the PHI unsecured?
– Was the PHI compromised?
– Does an exception apply?
What is a Breach?
• Breach = impermissible use that compromises the privacy / security of PHI
• Breach presumed, unless there is a low probability of compromise based on a risk assessment of at least these factors:
– Nature and extent of PHI involved
– The unauthorized person(s) involved
– Whether PHI was acquired or viewed
– Extent to which risk has been mitigated
Why Is Encryption So Important?
• “Unsecured” protected health information is information not secured through the use of technology or methodology specified by HHS
– Which renders the information “unusable, unreadable or indecipherable to unauthorized individuals”
• If secured, generally there is low probability that PHI accessed and that breach occurred
The Exceptions – What Is Not a Breach?
• Unintentional use (or acquisition or access) that was done in good faith and is not redisclosed
• Inadvertent disclosure from one authorized person to another and not re-disclosed
• Disclosure to unauthorized person who would not be able to retain such information
Common Examples of Potential Breach
• Disclosing more PHI than authorized
• Laptop / flashdrive containing PHI stolen
• PHI left in garbage, driveway, back of truck, etc.
• Patient chart is missing internally or lost in shipping
• Disabled firewall (technology safeguard)
• PHI in social media
Notification
• To each patient whose unsecured PHI was breached
– “Without unreasonable delay” or no later than 60 days
• To HHS, through annual reporting / log
– BUT, if breach of 500 or more patients, then notify without unreasonable delay
• To Media
– If breach involves 500 or more; same timeframe as with patients
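An added example, not from the presentation, that runs one incident through the four-step inquiry from the Breach Notification Rule slides (impermissible use? unsecured? compromised? exception?) and lists who must be notified and by when, using the 60-day and 500-individual thresholds above. The Incident fields and scenarios are constructed; the four risk-assessment factors are modelled as yes/no flags and, conservatively, all four must favour the entity before a low probability of compromise is concluded, which is an assumption of this example rather than a statement of the rule.

```python
"""Added example (not the presentation's own material): run one incident
through the four-step breach-notification inquiry on the preceding slides
and list who must be notified and by when.

Assumptions: the Incident fields and scenarios are constructed for this
example; the four risk-assessment factors are yes/no flags and, conservatively,
all four must favour the entity before 'low probability' is concluded; the
60-day clock runs from the discovery date."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Incident:
    discovered: date
    individuals_affected: int
    impermissible_use: bool           # step 1: impermissible use or disclosure?
    secured_per_hhs_guidance: bool    # step 2: encrypted/destroyed per HHS guidance?
    exception_applies: bool = False   # step 4: good-faith workforce use, etc.
    # Step 3 factors; True means the factor favours a low probability of compromise.
    phi_limited_in_nature: bool = False           # nature and extent of PHI
    recipient_obligated_to_protect: bool = False  # who received it (e.g. another CE)
    phi_not_acquired_or_viewed: bool = False      # acquired or viewed?
    risk_mitigated: bool = False                  # e.g. recipient attested destruction


def low_probability_of_compromise(inc: Incident) -> bool:
    """Breach is presumed; only a documented assessment of the four factors
    rebuts it (here every factor must favour the entity)."""
    return all((inc.phi_limited_in_nature, inc.recipient_obligated_to_protect,
                inc.phi_not_acquired_or_viewed, inc.risk_mitigated))


def is_reportable_breach(inc: Incident) -> bool:
    if not inc.impermissible_use:          # step 1
        return False
    if inc.secured_per_hhs_guidance:       # step 2: secured PHI is not "unsecured"
        return False
    if inc.exception_applies:              # step 4
        return False
    return not low_probability_of_compromise(inc)   # step 3


def required_notifications(inc: Incident) -> list:
    """(recipient, deadline) pairs for a reportable breach; empty otherwise."""
    if not is_reportable_breach(inc):
        return []
    deadline = inc.discovered + timedelta(days=60)   # "without unreasonable delay"
    notices = [("affected individuals", deadline)]
    if inc.individuals_affected >= 500:
        notices.append(("HHS", deadline))             # prompt notice, not the annual log
        notices.append(("media", deadline))
    else:
        # Annual log to HHS: due 60 days after the end of the calendar year of
        # discovery (the slide does not state this date; assumption).
        notices.append(("HHS annual log",
                        date(inc.discovered.year, 12, 31) + timedelta(days=60)))
    return notices


# Constructed scenarios (fictional).
STOLEN_LAPTOP = Incident(date(2017, 3, 1), 1200, True, False)
ENCRYPTED_LAPTOP = Incident(date(2017, 3, 1), 1200, True, True)
SMALL_INCIDENT = Incident(date(2017, 3, 1), 40, True, False)
MISDIRECTED_FAX = Incident(date(2017, 3, 1), 3, True, False,
                           phi_limited_in_nature=True, recipient_obligated_to_protect=True,
                           phi_not_acquired_or_viewed=True, risk_mitigated=True)
```

The ENCRYPTED_LAPTOP scenario is the point of the encryption slide: the same theft of the same device yields no notification duty at all when the PHI was secured per HHS guidance.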
What to Tell the Patient?
• The content and nature of the notification
– Description of the event
– Description of the types of PHI
– Steps individual should take
– A brief description of the steps taken by entity
– Contact information to learn more
The Enforcement Rule
• Enforcement (i.e. penalties and punishment) for any violation of HIPAA, and its Privacy, Security and Notification Rules
– Intentional or inadvertent conduct
Who Enforces?
• Office of Civil Rights (OCR)
– Primary agency, through complaint investigations and compliance reviews
• Department of Justice
– Criminal enforcement
• State Attorney General
– Civil actions on behalf of residents
• No private right of action
– But other privacy laws / torts that can create such liability
Is HIPAA Really Enforced?
• Office of Civil Rights (CY 2016):
– Received more than 21,381 complaints
– Investigates approx. 1% of cases
• 999 cases resulted in corrective action
• 13 settlements with civil monetary penalties
– Also performed 334 compliance reviews
– Enforcement continues to rise
• Approx. 70% increase in complaints since 2013
• Over 100% increase in CMPs
Monetary Penalties
• Tiered penalty for each violation, based upon relative culpability:
– Unknowingly: $100 - $50,000
– Reasonable cause: $1,000 - $50,000
– Willful neglect but with 30 day correction: $10,000 - $50,000
– Willful neglect and no correction: $50,000 per violation
Penalty for Each Violation?
• A separate violation occurs each day the covered entity or BA is in violation of the provision
– OCR takes into consideration actions taken to mitigate damage and cure the violation
• Annual maximum for identical violations is $1.5 million
– Note: Health care has highest reported cost per capita in event of a data breach
What’s Being Investigated
• Most complaints are about
– Lack of patient access
– Impermissible use and disclosure
• But enforcement typically also includes
– Lack of safeguards (e.g. no risk assessment)
Consequences for a Violation?
• For the Covered Entity
– Notification & enforcement (civil and criminal penalties)
– Reputational harm
• For the individual
– Employee discipline
– Licensure implications
– Private lawsuits (invasion of privacy, defamation, breach of contract)
Other Privacy / Security Rules
• Must comply with other privacy / security laws that provide greater protection
– E.g. regulations for genetic information, mental health, HIV/AIDS, and substance abuse information
– Licensing regulations
– Ethics standards
– Common law duties (invasion of privacy)
GINA
• HITECH restates that genetic information is a type of health information
– Prohibits health plans (other than long-term care plans) from utilizing such information for underwriting and similar purposes
– Does not provide significant direction or issues relating to healthcare providers
Iowa Protections for Mental Health Records
• Iowa law (Iowa Code §228) also protects “mental health information”
– Need authorization (for most disclosures)
– Need to log disclosures
– May disclose in limited circumstances without an authorization
• Emergencies, court order, civil commitments, administrative disclosures, care coordination
• No re-disclosure
Sharing PHI with Family and Friends in Iowa
• Can a provider share data with family?
– General rule (HIPAA): If the patient does not object
– Mental Health Records (s. 228.8): If necessary, where family has direct involvement in care, and with notification
Substance Abuse Records
• Federal regulation provides more stringent protection than HIPAA
– Records of patient maintained in connection with drug abuse / alcohol treatment
– Applies to specialty clinic or program or provider
• Disclosure very limited
– E.g., with specific authorization, in bona fide medical emergency (to medical personnel), court order
How to Avoid HIPAA and Other Privacy Issues
• Put policies and safeguards in place
– Execute Business Associate Agreements
• Educate and train personnel
• Respond immediately and correct any violation
• Report breaches timely
Thank you
Craig Sieverding
Davis Brown Law Firm
515-246-7843