Page 1: Surviving HIPAA - 2016 (RMGMA, rmgma.org/wp-content/uploads/Surviving-HIPAA-2016-J.-Ball.pdf)

Jeremy A. Ball

Surviving HIPAA - 2016

Page 2

Outline

> HIPAA Basics – A Refresher

> Avoiding the Threats

> Fundamentals of Compliance

> Responding to a Breach

> 2016 OCR Audits

Page 3

HIPAA Basics – A Refresher

> Privacy Rule

– Requires covered entities and business associates to protect the confidentiality of protected health information (PHI)

– Limits the use and disclosure of PHI

– Gives patients certain rights concerning PHI

> Security Rule

– Requires covered entities to implement safeguards to ensure the confidentiality and security of e-PHI

> Breach Notification Rule

– Requires covered entities and business associates to self-report breaches of unsecured PHI

Page 4

Avoiding the Threats

Recent HIPAA Settlements*

| Date | Fine | Provider | Allegations |
|---|---|---|---|
| Jun. 2015 | $218,400 | St. Elizabeth's Medical Center | Storage of PHI in cloud without risk assessment; failure to investigate |
| Aug. 2015 | $750,000 | Cancer Care Group, P.C. | Stolen laptop with unencrypted PHI; no policies; no risk assessment |
| Dec. 2015 | $750,000 | Univ. of Washington Medicine | Failure to implement a security policy; inadequate risk assessment |
| Feb. 2016 | $25,000 | Complete P.T. | Posted patient names, photos, and testimonials to website without permission; no policies |
| Apr. 2016 | $750,000 | Raleigh Orthopaedic Clinic, P.A. | Failure to execute a BAA; 17,300 records disclosed to vendor |
| Apr. 2016 | $2,200,000 | N.Y. Presbyterian Hospital | Disclosure of PHI to movie film crews |

* OCR News Releases & Bulletins, HHS.gov

Page 5

Fundamentals of Compliance

Page 6

Fundamentals of Compliance

> Appoint a HIPAA Privacy & Security Officer

> Conduct a security risk assessment

> Implement policies and procedures

– Notice of Privacy Practices

– Written policies and procedures for privacy & security

> Address technical safeguards, physical safeguards, and administrative safeguards

> Train employees, and document the training

> Obtain and maintain business associate agreements

> Investigate and report breaches

> Maintain required records – 6 years

Page 7

Fundamentals – Risk Assessment

> No methodology prescribed by Security Rule

> Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of e-PHI

> This is the starting point for developing safeguards!

– Vulnerability – a flaw or weakness in system security procedures, design, implementation, or controls that could result in breach

– Risk – the net mission impact considering the probability of a threat triggering a vulnerability, and the resulting impact on the organization

Page 8

Page 9

Physician Breach

> “Stung by Yelp Reviews, Health Providers Spill Patient Secrets”

– ProPublica/Washington Post, May 27, 2016

Yelp post by a dentist:

“Due to your clenching and grinding habit, this is not the first molar tooth you have lost due to a fractured root.”

Page 10

Fundamentals – Risk Assessment

> Elements of the assessment

– Scope – all forms of e-PHI, regardless of storage medium or location

– Data collection – identify e-PHI subject to analysis

– Identify and document potential threats and vulnerabilities

– Assess current security measures

– Determine the likelihood of potential threats

– Determine the impact of potential threats

– Assign levels of risk to threat/impact combinations

Page 11

Document Results of Risk Assessment

> The goal is to document the findings of the risk analysis in an official record

> Presents a systematic and analytical approach to assessing risk, with three objectives:

– Gain an understanding of the risks in the environment

– Identify resources to reduce or correct threats to e-PHI

– Demonstrate compliance with HIPAA Security Rule requirements

> Must maintain HIPAA documentation for 6 years

Page 12

Risk Assessment References

> OCR’s Guidance on Risk Analysis Requirements

> OCR Security Rule FAQ’s

> SRA Tool – http://www.healthit.gov

Page 13

Responding to a Breach

Page 14

1. Stop the Breach!

Page 15

2. Report to Privacy Officer

> All covered entities must have a privacy officer and security officer designated in writing

> Train staff to immediately report suspected breaches

– Immediate response may help avoid breach reporting obligations

– May avoid penalties if violation corrected within 30 days

– Must report breach within 60 days

> Privacy officer or legal counsel should investigate

Page 16

3. Check on Insurance

> Cyber Liability Insurance or Data Breach Insurance may cover response costs, as well as penalties

> Check with insurance broker

> When in doubt, report

– Delayed reporting can result in denial

– Insurer may provide resources for response

> Document communications with the insurer

Page 17

4. Investigate Promptly

> Confirm facts with person(s) involved

– Person “responsible” for breach

– Person who received PHI

– Witnesses

> Confirm reason for use or disclosure

> Confirm what information accessed, used, or disclosed

> Confirm scope of access, use or disclosure

> Determine steps to mitigate or correct situation

> Document investigation

Page 18

Investigative Process

> Does HIPAA apply?

> Is PHI involved?

> Was the PHI secured, i.e., encrypted or destroyed?

> Proper access, use, disclosure?

> Minimum necessary?

> Any exceptions apply?

> “Low probability of data compromise”?

– Requires risk analysis

Page 19

Breach – Risk Assessment

> Determine the probability, i.e., likelihood, that the data has been “compromised”

– Nature and extent of PHI involved?

– Unauthorized person who used or accessed PHI, or to whom PHI was disclosed?

– Was the PHI actually acquired or viewed?

– Extent to which the risk of harm has been mitigated?

– Other factors as appropriate

Page 20

5. Mitigate Harm

> A covered entity must mitigate, to the extent practicable, any harmful effect that is known to the covered entity of a use or disclosure by the covered entity or its business associate

– Retrieve, delete, and/or destroy disclosed PHI

– Contact recipients to confirm confidentiality and limited use

– Terminate access; change passwords

– Remote wipe of lost or stolen devices

– Retrain employees

Page 21

5. Sanction Employees

> A covered entity must have policies and apply appropriate sanctions against members of its workforce who fail to comply with HIPAA rules or privacy policies

> The sanction should fit the crime:

– Written warning

– Suspension

– Mandatory training

– Termination

– Report to Department of Health Professions

> Consider intent, seriousness of breach, cooperation, other misconduct or poor performance

Page 22

6. Correct the Violation

THIS IS REALLY IMPORTANT!!

> It is an affirmative defense to HIPAA civil penalties if the covered entity or business associate:

– Did not act with willful neglect, and

– Corrected the violation within 30 days.

> HHS examples of willful neglect:

– Failure to implement policies and procedures

– Failure to respond to reported breach/violation

> “Correct the violation” is interpreted broadly, permitting a wide variety of mitigating actions to minimize harm and prevent a future breach.

Page 23

6. Log the Improper Disclosure

> Create a HIPAA log that includes the following:

– Date of disclosure

– Name and address of the entity that received the PHI

– Brief description of the PHI disclosed

– Brief statement of the purpose of the disclosure

Page 24

6. Report per Breach Notification Rule

> Not every breach requires a report

> No breach notification required if:

– No violation of the Privacy Rule

– PHI is secured, i.e., encrypted or destroyed

– Exception applies

– Low probability that data has been compromised

> Covered entity has burden of proof

Page 25

Breach – Notification Not Required

> If a report is required, must report to:

– Each individual whose unsecured PHI has been or reasonably believed to have been accessed, acquired, used, or disclosed

• “Without unreasonable delay” and no later than 60 days

• Content and method of notice detailed in rules

– HHS

• >500 persons – contemporaneous with individual notices

• <500 persons – not later than 60 days after end of calendar year

– Local “prominent media outlets,” if breach involves >500 persons in state or jurisdiction

• “Without unreasonable delay” and no later than 60 days
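The notification decision on page 24 and the deadlines listed on this page, encoded as a small Python helper. This is an added example, not part of the presentation: the Breach record, the sample breach data, and the choice to measure the 60-day window from the discovery date are assumptions made for illustration, and the ">500" threshold is applied exactly as the slide words it.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

NOTIFY_WINDOW = timedelta(days=60)   # "no later than 60 days" (slides)
LARGE_BREACH = 500                    # ">500 persons" triggers HHS/media paths


@dataclass
class Breach:
    """Facts gathered by the investigation (pages 17-19). Field names are assumed."""
    discovered: date                       # assumption: the 60-day clock starts here
    affected: int                          # individuals whose unsecured PHI was involved
    per_state: dict = field(default_factory=dict)   # {state/jurisdiction: affected count}
    privacy_rule_violated: bool = True
    phi_secured: bool = False              # encrypted or destroyed
    exception_applies: bool = False
    low_probability_of_compromise: bool = False   # outcome of the four-factor assessment


def notification_required(b: Breach) -> bool:
    """Page 24: no notification if any one of the four conditions holds."""
    return not (
        not b.privacy_rule_violated
        or b.phi_secured
        or b.exception_applies
        or b.low_probability_of_compromise
    )


def deadlines(b: Breach) -> dict:
    """Page 25: who must be notified and by when. Empty dict means no report is due."""
    if not notification_required(b):
        return {}
    individuals_by = b.discovered + NOTIFY_WINDOW
    out = {"individuals": individuals_by}
    if b.affected > LARGE_BREACH:
        # HHS notice is contemporaneous with the individual notices
        out["hhs"] = individuals_by
    else:
        # Smaller breaches: no later than 60 days after the end of the calendar year
        year_end = date(b.discovered.year, 12, 31)
        out["hhs"] = year_end + NOTIFY_WINDOW
    # Prominent media outlets in any state/jurisdiction with >500 affected persons
    media = {s: individuals_by for s, n in b.per_state.items() if n > LARGE_BREACH}
    if media:
        out["media"] = media
    return out


if __name__ == "__main__":
    # Constructed sample: a large breach discovered mid-June 2016
    sample = Breach(date(2016, 6, 15), 1200, {"VA": 900, "NC": 300})
    for party, due in deadlines(sample).items():
        print(party, due)
```

Running the block prints a deadline per party; the return value is what the covered entity should record in its documentation file, alongside the facts that justified any "no notification" conclusion, since the burden of proof sits with the covered entity.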

Page 26

Beware of Audits

> 2016 Phase 2 HIPAA Audit Program

– Purpose is to “enhance industry awareness of compliance obligations and enable OCR to better target technical assistance regarding problems identified through the audits.”

– Starts with an email from OCR verifying contact information

Page 27

2016 Phase 2 HIPAA Audit Program

> Pre-audit screening questionnaire

– Requires list of business associates

> OCR will use random sampling of audit pool

> Process begins with desk audits – completed by December 2016

> Auditors will share draft findings with the entity, and the entity’s written responses will be included in the final report

> “Serious compliance issues” may result in a further OCR “compliance review”

Page 28

OCR Audits – Prepare Now!

> Start with an internal audit – the Big Seven

1. Designated HIPAA Privacy and Security Officer?

2. Current Notice of Privacy Practices?

3. Recent completion/update of Security Risk Assessment?

4. Written policies and procedures covering the Privacy, Security, and Breach Notification Rules?

5. Documentation of employee training on policies and procedures?

6. Current business associate agreements?

7. Active HIPAA documentation file

Page 29

OCR – HIPAA Guidance Materials

> Understanding Some of HIPAA’s Permitted Uses and Disclosures

> Guidance on Significant Aspects of the Privacy Rule

> Guidance on Individuals' Right to Access Health Information

> Guidance on HIPAA and Workplace Wellness Programs

> Provider Guide: Communicating With a Patient's Family, Friends, or Other Persons Identified by the Patient

> Frequently Asked Questions About Family Medical History Information

> Frequently Asked Questions About the Disposal of Protected Health Information

Page 30

Please note: This presentation contains general, condensed summaries of actual legal matters, statutes and opinions for information purposes. It is not meant to be and should not be construed as legal advice. Individuals with particular needs on specific issues should retain the services of competent counsel.

Surviving HIPAA 2016

Questions?

Jeremy A. Ball

[email protected]

(804) 420-6406