1. HIPAA/ HITECH: Relief for the Newest Regulatory Headache
Kippy L. Wroten Founding Shareholder, Wroten & Associates
Darryl A. Ross Shareholder, Wroten & Associates

2. Scope of the Omnibus Rule
Research uses of data – compound, more general authorizations.
Patients’ right to restrict data sharing with payors.
Requirements to modify and redistribute notices of privacy practices.
Inclusion of limitations on use of genetic information for underwriting.
Clarifies HHS Secretary’s role in enforcement, imposition of civil money penalties (CMPs) and CMP liability for acts of agents.

3. What’s Not in the Omnibus Rule
Accounting of Disclosures – still in process.
Methodology for giving individuals “harmed” by HIPAA violations a percentage of any civil monetary penalties or settlements collected.
Guidance for implementation of minimum necessary standard.
HITECH also mandated study of definition of “psychotherapy notes” – no specific deadline for the study.

4. HIPAA - Privacy vs. Security
HIPAA Privacy Rule
The need to protect medical records and other health information in any form (electronic, paper, or out of our mouths) from being shared, viewed, distributed, etc.
HIPAA Security Rule
The need to develop and maintain security of all electronic health information, including storage and transmission.
The purpose of the HIPAA privacy rule is to protect health information from disclosure and the purpose of the HIPAA security rule is maintain secure storage and transmission. The HITECH Act adds the strength of enforcement for security breaches. 4 4

5. Privacy Rule

6. Security Rule

7. Health Information Technology for Economic and Clinical Health Act (2009) Expands Protection

8. How Do HIPAA & HITECH Apply to Me?
Covered Entities
Hybrid Entities
Business Associates (Vendors)

9. Protected Health Information
What is it?
Identifies the individual
Transmitted or maintained by a CE or BA
Relates to individual's physical or mental health or payment for health care
Demographic information

10. PHI
Did You Know?
Vehicle ID & Serial Numbers - license plate numbers
Device ID & serial numbers
Universal Resource Locators (URLs)
Internet Protocol (IP) addresses
Biometric identifiers, including finger and voice prints
Full face photographic images and any comparable images
Any other unique identifying number, characteristic, or code
Common
Names
SSN
Medical record #s
Account numbers
Dates of treatment
Probably Aware
Telephone numbers
Fax numbers
Electronic mail addresses
Certificate/license numbers

12. Covered Entities Health Plans
An individual or group plan that provides or pays the cost of medical care
Health care clearinghouses
A public or private entity, including a billing service, re-pricing company, community health management information system or community health information system, and “value added” networks and switches that either process or facilitate the processing of health information
Health care providers
Care, services, or supplies related to the health of an individual, including (1) preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure with respect to the physical or mental condition, or functional status, of an individual that affects the structure or function of the body; and (2) sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription.
+ …who electronically transmit any health information

13. Hybrid Entities
A single legal entity that is a covered entity, performs business activities that include both covered and non-covered functions, and designates its health care components as provided in the Privacy Rule. If a covered entity is a hybrid entity, the Privacy Rule generally applies only to its designated health care components. However, non-health care components of a hybrid entity may be affected because the health care component is limited in how it can share PHI with the non-health care component. The covered entity also retains certain oversight, compliance, and enforcement responsibilities.

14. Who is a Business Associate?
Claims Processing
Data Analysis
Utilization Review
Billing
Legal (including litigation counsel)
Actuarial
Accounting
Consulting
Data Aggregation
Management
Administrative
Accreditation
Financial Services
E-Discovery Vendors
Copier Technicians (if your copier has memory)
Shredding Services
Computer Support Services
Records subpoenas/duplication services

15. Business Associates HITECH Expands Privacy and Security
Expanded definition of "business associate“ - “Business associate” means one who, on behalf of a Covered Entity
creates, receives, maintains or transmits PHI
"Business associate" now also means "subcontractor of business associate“ who creates, receives, maintains or transmits PHI on behalf of a business associate
Status as Business Associate based upon role and responsibilities, not upon who are the parties to the contract

16. Business Associate Definition Clarifications
Rule clarifies definition of "business associate” -- included:
Patient Safety Organizations
Health information exchange organizations, e-prescribing gateways, covered entities' personal health record vendors (not all PHRs)
Data transmission providers that require access to PHI on a routine basis
Not included – those who just provide transmission services, like digital couriers or “mere conduits.”
However, those who store PHI, even if they don’t intend to actually view it, are BAs (implications for cloud model EHRs).

17. Business Associates

18. Do They Know Who They Are?
Implications for subcontractor relationships
Contract between the covered entity's BA and that BA's
Subcontractor must satisfy the BAA requirements
Subcontractor of subcontractor is also a BA, and so on
As a result, HIPAA/HITECH obligations that apply to BAs also directly apply to subcontractors

19. BAs – Uses of PHI Uses of PHI – Must pass along in subcontracts
BAs may use or disclose PHI only as permitted by BAA or required by law
BAs may not use or disclose PHI in manner that would violate Privacy Rule
Subcontractors subject to limits in initial CE-BA agreement
– Must pass along in subcontracts
BAs not making a permitted use or disclosure if not
Follow minimum necessary rules
BA does not comply if it knows of subcontractor's material noncompliance and does not take reasonable steps to cure the breach or, if such steps fail, to terminate the relationship
BAs (incl. subcontractors) subject to civil money penalties for HIPAA violations
BA/subs remain liable under contract to CE/BA
Secretary authorized to receive and investigate complaints against BAs (including subcontractors), and to take action regarding complaints and noncompliance
BAs (incl. subs) required to maintain records and submit compliance reports to Secretary, cooperate in complaint investigations and compliance reviews, give Secretary access to information
BAA - Generally, compliance required 180 days following Omnibus Rule’s effective date (3/26/13), which is 9/23/13

20. Omnibus Rules Compliance
Omnibus Rules Compliance Date: September 23, 2013

21. Compliance Plan - Step One
Have you established an executive/board-level responsibility for HIPAA compliance?
Have you designated yourself as a (a hybrid entity, or (b) a single affiliated covered entity with other legally separate covered entities under common ownership or control?
Have you taken the necessary follow-up steps to document?
Have you designated responsible persons for Privacy?  For Security?  Do you have job descriptions?
Have you distributed a Notice of Privacy Practices with the identification of the Privacy and Security Officers?
Have you posted information and trained staff?
Has the staff signed confidentiality agreements related to privacy and security?
Do you have Business Associate Agreements in place?
Cover new rules re governing body responsibility
Facility level Privacy & Security Officers
Required NPP re-distribution
HealthIT.gov
BAAs

22. Compliance Plan - Step Two
Is HIPAA privacy and security included in new employee orientation?
Is your Governing Body/Board trained?
Are volunteers and clergy trained?
How do you facilitate privacy and security awareness?
Includes reporting concerns: hot lines, confidential reporting
No retaliation! Remember whistle blowers are waiting to report you.
Self reporting – do it often.

23. Risk Assessment Administrative Safeguards Physical Safeguards
Technical Safeguards
Ct #148983

24. Risk Assessment - PHI Flow Chart

25. Security Risk Assessment- Organizational Requirements
Business Associates Identified
Policies & Procedures adopted
Documentation procedures adopted
Refer to dt # for assessment outline

26. Security Risk Assessment
Security Awareness and Training
Security Incident Procedures
Workstation Use
Device and Media Controls
Access Control
Integrity
Person/Entity Authentication
Transmission Security
Ct # (62 pages) for regulatory crosswalk

27. Access Controls
Limit physical access to its electronic information systems, including facilities where data housed. § (a)(1).
Workstation Security - physical safeguards for all workstations that access ePHI. § (c).
Must assure authorized users have access.

28. Workstation Security Compliance Practices
Identify desktop/laptops containing ePHI
Lock down procedures.
Policies to prevent unencrypted ePHI from being stored on portable electronic devices and laptops.
Encryption practices.

29. Device Controls and Re-Use
§ (d)(2)(ii) - Re-Use
§ (d)(1) - Controls
P&Ps governing removal of ePHI before device re-used.
P&Ps to assure ePHI is unusable and/or inaccessible prior to re-using device.
All storage devices or all ePHI records must be overwritten multiple times, in accordance with NIST guidelines.
Movement within facility.
Removal of hardware from facility.
P&Ps to address final disposition of ePHI and/or medium where stored
National Institute of Standards and Testing 29

30. Disposal Compliance Practices
ePHI on must be rendered unusable and/or inaccessible prior to disposal.
When portable media is discarded, it should either be overwritten multiple times, in accordance with NIST guidelines.
Maintain a record of where the hardware is, and the person responsible for it. § (d)(2)(iii).
hardware and electronic media, including copiers, faxes, printers, etc., is
Applies to business associates 30

31. Accountability Practices for Compliance
Identify types of hardware and electronic media that must be tracked.
Create record / log to track where devices are.
Portable devices should not ordinarily contain ePHI and must be individually identified in the tracking system in order to contain ePHI.
Possession of portable device with ePHI must be consistent with the individual’s position.
Inventory should be physically confirmed at least annually.

32. Data Backup and Storage
Create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment. § (d)(2)(iv)
Establish a process for documenting or verifying its creation.

33. 4 Components of Compliant Technical P&P’s
§ (a)(2)(i) Unique name / identifier to track users.
§ (a)(2)(iii) Automatic logoff procedures
§ (a)(2)(iv) Encryption and decryption procedures
§ (a)(2)(ii) Emergency access procedures.
§ mandates that a covered entity "implement technical policies and procedures for electronic information systems that maintain ePHI to allow access only to those persons or software programs that have been granted access rights 33 33

34. Step 1: User ID
Unique account for each user including unique username and password if access to ePHI.
Verification procedures
P&Ps to map permissions
Generic or shared accounts are not permitted for access to ePHI.
Verification procedures to assure individual or entity who is authorized to access ePHI and that the identity is correctly bound to a unique user identification (“sign-on”) for access to ePHI. 34

35. Step 2: Emergency Controls
Protocol should be written
Do not rely on availability of a single individual.
Identify roles that may require special access during an emergency.
Proper ID of individuals required Access to power or a network?
If electronic systems are a copy of the medical record and access to the system is not necessary for safe patient care, use of medical records while the systems is unavailable is acceptable
Do You Know What You Will Do If The Lights Go Out?

36. Step 3: Auto Logoff Compliance Practices
Best practice: require electronic to be terminated.
If terminating session isn’t possible, implement automatic workstation lockout as a compensating control.
What’s an appropriate amount of inactivity before automatic lockout?
10 MINUTES

37. Step 4: Encryption Technical Standards
HITECH references NIST encryption standards
Enforce complex passwords where possible
Protection from malicious software for details)
Ensure secure remote access
Implement correctly configured firewalls (hardware and/or software)
, specifically the Federal Information Processing Standard FIPS identifies requirements for specific encryption algorithms and modules that are tested and approved to protect information ranging in various levels of sensitivity. Healthcare organizations should look for IT products that state conformance with FIPS 37 37

38. Step 4: Encryption – Decryption: P&Ps
Unique user ID’s
Frequent changes to ID’s
Prohibit unencrypted ePHI will not be stored on portable electronic devices, including laptops.
Remote wipe procedures
Incorrect Password
IT Personnel
, specifically the Federal Information Processing Standard FIPS identifies requirements for specific encryption algorithms and modules that are tested and approved to protect information ranging in various levels of sensitivity. Healthcare organizations should look for IT products that state conformance with FIPS 38 38

39. Common Sense & Security
Log off your system if you are not in front of it.
Remove patient/resident/employee data from view.
Make sure others cannot see your computer screen.
Don’t place patient/resident/employee data on a flash drive, CD, diskette, or even your C: drive if you have PC.
Don’t give anyone your password
Any device /laptop used to store/transmit PHI must be encrypted – don’t store/transmit PHI on personal devices.
“Secure” all PHI when sent outside of secure environment s
Texts
Emphasize the use of common sense in securing PHI. Any company hard drive should be encrypted, and all PHI transmitted from the server to a third party must be “Secure”. Contact the IT security mailbox for help with the request. 39 39

40. Mobile Devices & Security
Enterprise issued mobile devices
Password protected
Encrypted
Remote monitoring
Remote wiping (destruction)
BYOD
Are they secure?
Dealing with physicians who insist on texting
Difference between sending and receiving
Education & Training - materials
healthit.gov/providers-professionals/downloadable-materials

41. Risks Mobile Devices Mobile devices produced for consumer use.
Can store massive amounts of data.
Lack security and operational controls to enable management of the device from a centralized system.
Easily lost or stolen and pose increased risks to the confidentiality and security of patient health information.
Loss or theft may result in breach notification.
As a result, incidents can arise from not being able to adequately detect, manage, or provision and de-provision the device. 41

42. WHERE IS YOUR DATA?

43. A N D T H I S OR TH I S
WHAT IS THIS?
SAY HELLO TO YOUR DATA

44. ePHI & Text Messaging – P&Ps
Appropriate use of work-related texting.
Prohibiting texting of ePHI
Requiring medical records be updated if ePHI received via text.
Identifying retention period for any ePHI received via text.
An inventory of all mobile devices used for texting ePHI (whether provider-owned or personal devices).
Complicated by litigation holds. 44

45. Device Ownership. BYOD Considerations
Written authorization before storing ePHI.
A clear definition of data ownership.
Define what is acceptable use.
Annual acknowledgment of organization P&Ps
Reservation of rights to examine devices
Procedures during employee or contractor separation
Define data belong to the organization and data that may belong to the individual user.
Make clear that in the event of potential breach or employee separation, organization will act to protect its interests.

46. BYOD Policies To Consider
Appropriate use of texting
Appropriate use of camera and video
Appropriate use of sensitive information
Requirements for password protection and lock-out features.
Prohibition on altering factory defaults and operating systems (i.e., jail-breaking)
Appropriate use of applications and conditions of downloading software.
Define data belong to the organization and data that may belong to the individual user.
Make clear that in the event of potential breach or employee separation, organization will act to protect its interests.

47. Technology Solutions for Mobile Devices
Password protection and encryption for mobile devices that create, receive or maintain text messages with ePHI.
Enterprise control to oversee communication use
Enterprise control to wipe information from lost devices and/or separated employees
Use of a secure messaging application.
Audit trail system.

48. Security Assessment Exemplars

49. Event Management: Breach
Ready or not, expect there will be a breach

50. Risk Assessment: Breach
CE/BA should perform risk assessment post-breach discovery and must consider at least the following:
Nature and extent of PHI involved, including types of
Identifiers and likelihood of re-identification
Who was the recipient of the PHI
Was the PHI actually acquired or viewed
The extent to which the risk to misuse of the PHI has been
Mitigated

51. Risk Analysis Criteria
Likelihood of identification or re-identification:
a list of patient names – not low probability
patient discharge data, patient not specified – can patients be re-identified? – could be low probability (depends on the circumstances)
Who is the unauthorized recipient:
a HIPAA covered entity – low probability, as long as you have evidence the risk has been mitigated
an employer – may be able to use personnel records to re-identify – not low probability
PHI actually acquired or viewed:
untampered with laptop – low probability
information mailed to wrong person – not low probability
Has improper use been mitigated:
satisfactory assurances of destruction from a known person – low probability

52. Risk of Harm Analysis To whom was the PHI disclosed? RISK EVALUATION
Did the breach pose a significant risk of financial, reputational, or other harm to the individual?
To whom was the PHI disclosed? RISK EVALUATION
Another employee/BA? Low risk
Wrong fax number/unauthorized family member? Moderate risk
PHI lost or stolen? High risk
In what form was the PHI accessed, used, or disclosed?
Verbal? Low risk
Paper? Moderate risk
Electronic? High risk
What event caused the access, use, or disclosure of PHI?
Unintentional disclosure? Low risk
Intentional disclosure? Moderate risk
Hacking/theft? High risk
What type of PHI was impermissibly accessed, used, or disclosed?
Limited data set? Low risk
Non-sensitive PHI? Moderate risk
Treatment provided? Potentially higher risk
Substance abuse, mental health, contagious disease? High risk
SSN’s, Tax ID, Account #s, Passwords / Digital Signatures Very high risk
What steps were taken to mitigate potential harm related to
the impermissible access, use, or disclosure?
PHI returned before accessed? Low risk
PHI properly destroyed? Low risk
Recipient signed a confidentiality agreement? Low risk
Immediate steps taken to reduce risk of harm? Low – moderate risk

53. Definition of “Breach”
Definition changed from the interim rule definition
An impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity or business associate demonstrates there is low probability that the PHI has been “compromised”

54. Has A Breach Occurred? Is the information unsecured PHI?
Was the PHI de-identified?
Was the PHI acquired, accessed, used, or disclosed in accordance with the Privacy Rule?
Was the PHI encrypted?
Was the PHI properly destroyed?
If any of the above answers is "yes", then the information is not unsecured PHI therefore no breach has occurred and notification is not required.

55. Privacy & Security Exceptions
Did a CE/BA workforce member unintentionally access or use the PHI while acting within the scope of their duties?
Was the impermissible use and/or disclosure stopped before further disclosure occurred?
Did a CE/BA workforce member inadvertently disclose PHI to another workforce member where all were otherwise authorized to access/use PHI?
Was the use/disclosure of PHI incident to an otherwise permissible use or disclosure where the minimum necessary requirement was followed?
Was the PHI impermissibly disclosed to an unauthorized person but there is a good faith belief exists that the recipient would not be able to retain the PHI?
If any of the above answers is "yes", then no breach has occurred and notification is not required.

56. Breach Decision Tree No No No Yes No Yes No
No Notification under HITECH: Determine if state breach notification laws apply
Is the information PHI? No
Yes
No Notification under HITECH: Determine if accounting and mitigation obligations under HIPAA
Is the PHI unsecured? No
Yes
Is there an impermissible acquisition, access, use or disclosure of PHI?
No Notification under HITECH No
Yes
Does the impermissible acquisition, access, use or disclosure compromise the security or privacy of PHI? Has a written risk assessment been completed?
No Notification under HITECH: Determine if accounting and mitigation obligations under HIPAA No
Yes
Does an exemption apply? No
Notification Required; Determine methods for notification for affected individuals, the Secretary of HHS and, if necessary, media

58. Breach Notification Notification of Breach
Data breach notification requirements imposed for unauthorized uses and disclosures of "unsecured PHI."
Patients must be notified of any unsecured breach.
If a breach impacts 500 patients or more, HHS must also be notified, and breaching entity's name will be published on HHS' website.
Under certain conditions local media will also need to be notified.
Notification is triggered whether the unsecured breach occurred externally or internally.
The HITECH Act requires notification of security breaches and establishes enforcement mechanisms (and the potential for staggering fines) for security breaches of electronic PHI. 58 58

59. Notice of Privacy Practices
Redistribution required!

60. Notice of Privacy Practices (NPP)
NPPs must include:
Statements regarding certain uses and disclosures requiring authorization
Psychotherapy notes (where appropriate);
Marketing;
Sales of PHI;
Right to restrict disclosures to health plans (provider only); and
Right to be notified of breach.
General statement that all uses and disclosures not described in NPP also require authorization

61. Notice of Privacy Practices
Does it contain all the required elements?
“This notice describes how medical information about you may be used and disclosed and how you can get access to this information please review it”.
Include examples of types of use and disclosures.
List of uses and disclosures allowed without authorization.
List of individual’s rights.
Privacy Officer contact information.
Do you use PHI for marketing?
Do you use PHI for research?

62. Covered Entity - Privacy Obligations
Is NPP posted?
Has NPP been translated?
What is your process for delivery?
What is your process to re-distribute when there are changes
Is your NPP posted on websites?

63. Omnibus Rule – NPPs must be Revised
Changes in rule are material
For plans that post on website, post revised NPP by effective date and in next annual mailing
If no web site, plans must provide within 60 days of material revision
For providers, must post and make available upon request; must provide to (and seek acknowledgement from) new patients
Can send by if individual agrees

64. Important Next Steps Review policies, procedures, forms, and update
Train staff on new provisions
Inventory BAs and update BAAs
Update breach response plan; in particular, update risk assessment and address encryption

65. Components Of An Effective Security Plan
Policies & Procedures governing hardware and software.
Testing
Auditing
Contingency Plans
Combination of hardware, firmware and software components that are designed to provide critical security functions with a very high degree of assurance that they will behave correctly;
An application programming interface that allows operating systems and applications to use the security functions provided by the roots of trust; and
A policy enforcement engine to enable the processing, maintenance and policy management of the mobile device. 65 65

66. Compliance Date
September 23, 2013