HIPAA: The New HIPAA Laws Now Have REAL Penalties; Criminal & Civil. Legal Information Is Not Legal Advice. This site provides information about the law designed to help users safely cope with their own legal needs. But legal information is not the same as legal advice -- the application of law to an individual's specific circumstances. Although we go to great lengths to make sure our information is accurate and useful, we recommend you consult a lawyer if you want professional assurance that our information, and your interpretation of it, is appropriate to your particular situation.
ARRA & HITECH Act Increased Bureaucracy Overlap
The Old HIPAA: Shredded Old Medical Records; Added Silly Screen Privacy Devices; Removed The Fax From Patient Hallway; Disaster Recovery Plan? The OLD HIPAA Sheriff: No private right of action.
HIPAA Reboot: There Is A Real Sheriff In Town. Feds to Train State AGs To Enforce HIPAA. Breaking News, March 10, 2011: The Department of Health and Human Services' Office for Civil Rights will host four regional meetings to train staff from state and territorial attorneys general offices on enforcement of the HIPAA privacy and security rules. The HITECH Act gives attorneys general authority to enforce the privacy and security rules through civil actions. In a statement on its Web site, OCR welcomes collaboration with attorneys general seeking to bring actions to enforce the rules, and will provide information upon request about pending or concluded OCR actions against covered entities or business associates related to state investigations. The training sessions will provide an overview of the privacy and security rules and related HITECH Act provisions, investigative techniques for identifying and prosecuting potential violations, a review of HIPAA and state laws, OCR's enforcement role, state attorneys general roles and responsibilities under HIPAA and HITECH, resources for states in pursuing alleged violations, and HIPAA enforcement support and results.
What Is New In The HIPAA Reboot? New Enforcement Rules; New HIPAA Penalties; Breach Notifications to Consumers; BAs Must Comply with HIPAA Security Rule; No Selling of PHI; New Restrictions on Marketing & Fundraising; HIPAA Privacy Rule Accounting of Disclosures Under the Health Information Technology for Economic and Clinical Health Act. Summary of Recent HIPAA Changes: What You Don't Know CAN Hurt You.
New Enforcement Rules The Sheriff Has A Posse! Mandatory investigations for willful neglect cases. Mandatory civil penalties for willful neglect violations. Periodic compliance audits for CEs and BAs. Fines & penalties paid will go to OCR for increased investigations & enforcement. Harmed individuals will get a percent (t.b.d.) of CMP or settlement. In addition to CEs, individuals now made subject to HIPAA criminal provisions. State AGs can bring civil suits in federal courts on behalf of state residents.
New HIPAA Penalties: Sheriff Has A Cash Jail. Four tiers of penalties, depending on nature of offense… Tier A - Offender didn't know, and by reasonable diligence would not have known, that he or she violated the law: $100 per violation; $25,000 annual maximum total per violator. Tier B - Violation due to reasonable cause and not willful neglect: $1,000 per violation; $100,000 annual maximum total per violator. Tier C - Violation due to willful neglect but was corrected: $10,000 per violation; $250,000 annual maximum total per violator. Tier D - Violation due to willful neglect and was not corrected: $50,000 per violation; $1,500,000 annual maximum total per violator.
Breach Notifications to Consumers: Sheriff Wants The Word Out. CEs, BAs, and PHR Vendors are subject to breach notification requirements. Notify consumers if unsecured PHI was accessed, acquired, or disclosed in breach. Unsecured essentially means unencrypted data, including all physical media. Notices must be sent without reasonable delay – no later than 60 days after breach. Minimum content of notifications is specified in the regs. Notices sent by 1st class mail – only if consumer stated a preference for . If 10 or more victims can't be located, notice on website or in media must be posted. Breaches involving > 500 victims: Mandatory, immediate reporting to HHS. Breaches involving < 500 victims: Entity keeps log, provides to HHS annually. If over 500 victims, HHS will publicly post on Internet. PHR breaches get reported to FTC, and FTC in turn notifies HHS. LA State breach requirements also in effect encrypted or unencrypted
Business Associates Must Comply with HIPAA Security Rule: Sheriff Sees Guilt By Association. BAs subject to same civil & criminal penalties as CEs. BAs must comply with Administrative, Technical, and Physical Safeguards. BAs must establish and maintain appropriate policies and procedures. BAs must document all Security Rule compliance activities. BAs must report breaches just like CEs. BA Contracts must be created or amended to include new requirements. BAs don't comply with Privacy Rule, but are restricted from PHI uses and disclosures not in compliance with BA contract. This represents de-facto Privacy compliance. PHR Vendors and Health Information Exchanges become Business Associates.
Does The New Sheriff Have A Bite? One breach occurred at Stanford's Lucile Packard Children's Hospital in January 2010, when a desktop computer holding the medical records of 532 patients was stolen from the heart center by an employee. Hospital officials said at the time that no patient information was compromised. But California's Department of Public Health fined the hospital $250,000, the maximum allowed, for failing to report the breach within five days of discovery, as is required under state law. State officials contend it took the hospital 19 days to disclose.
Does The New Sheriff Have A Bite? Massachusetts General Hospital in Boston, which trains Harvard medical students, agreed this year to pay a $1 million federal fine after an employee left paper medical records on a subway train while commuting to work. The pages contained the names of 192 patients, and diagnoses for about a third of them, including for H.I.V./AIDS. They were never recovered. The Department of Health and Human Services viewed the breach as a potential violation of the Health Insurance Portability and Accountability Act, the 1996 law that requires protection of medical records.
Does The New Sheriff Have A Bite? A former UCLA Health System employee became the first person in the nation to be sentenced to federal prison for violating HIPAA. Huping Zhou, 47, of Los Angeles, was sentenced to four months in prison on April 27 after pleading guilty in January to four misdemeanor counts of accessing and reading the confidential medical records of his supervisors and high-profile celebrities, according to the U.S. Attorney's Office for the Central District of California. Zhou was also fined $2,000.
Does The New Sheriff Have A Bite? Sheriff Has Deputies! (Secondary Liability) A recent decision by an appellate court in North Carolina, however, demonstrates that HIPAA may form the basis of a lawsuit by a patient, notwithstanding the absence of a private right of action created by Congress. In the case, Acosta v. Byrum, 638 S.E.2d 246 (Ct. App. December 19, 2006), a patient sued her doctor on the theory of negligent infliction of emotional distress. The trial court dismissed the patient's claim in part on the ground that HIPAA did not provide for a private right of action. The appellate court reversed, however, stating that the patient had not asserted her claim under HIPAA, but had merely used HIPAA to define the standard of care that the physician should have followed to protect her medical information. In other words, the claim is based on the theory that a violation of HIPAA's privacy regulations is negligence per se, which would make unnecessary a jury's determination of the reasonableness of the doctor's conduct.
Does The New Sheriff Have A Bite? Sheriff Has Deputies! (Secondary Liability) The use of HIPAA privacy violations as a standard of care for negligence under common law theories of liability is likely to be adopted by other patients whose healthcare information is disclosed, inadvertently or otherwise. This additional litigation risk suggests that strict adherence to HIPAA regulations is important not only to avoid regulatory enforcement, but also to avoid individual lawsuits, which pose a more prevalent and expensive risk. Annual Report to Congress on Breaches of Unsecured Protected Health Information; Coping with Breaches, Enforcement, and Other Fallout under HITECH's Breach Reporting & Enforcement Rules; Louisiana Database Security Breach Notification Law
What Constitutes A BREACH Of Personal Information? "Personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when the name or the data element is not encrypted or redacted: (i) Social security number. (ii) Driver's license number. (iii) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account. (b) "Personal information" shall not include publicly available information that is lawfully made available to the general public from federal, state, or local government records. Under Louisiana Law: Once The Breach Occurs, Notification Requirements Start. Some States Now Require You To Pay For Credit Monitoring For Each Patient In The Breached Data Base.
Types Of Data Breaches: Hackers Breaching Security (Poor Internal Network Security; Web Based Phishing, Virus, Worms); Insider Theft (Insiders Cause 48% Of All Breaches); Stolen Hardware; Lost Hardware (Laptops, Thumb Drives, Etc.); Third Party Breach (Business Associates). From Insider Abuse To Insider Accountability
Types Of Data Breaches: The Social Web Based Threat. An aggressive worm known for stealing sensitive information was found on the computer network for the agencies handling unemployment claims in Massachusetts. W32.QAKBOT is a worm that spreads through network drives and removable drives. After the initial infection, usually the result of clicking on a malicious link on a Web page, it can download additional files, steal information and open a back door on the compromised machine. The worm also contains a rootkit that allows it to hide its presence and it works slowly to avoid detection. Its ultimate goal is clearly theft of information, said Shunichi Imano, a Symantec researcher. Qakbot is especially aggressive and normally targets online banking, although it has the ability to mutate itself to switch targets and change its methods. The cyber-criminals behind the infection could have remotely instructed the virus to go after names, addresses and Social Security numbers stored in the state systems instead of focusing on banking sites. In a nutshell, if your computer is compromised, every bit of information you type into your browser will be stolen, according to Patrick Fitzgerald, a senior security response manager at Symantec. Where Are Employees Surfing On YOUR Computers? Cyber-criminals used malware to steal personal information from the Massachusetts unemployment offices, according to the state agency.
The Cost Of Data Breaches $ Per Record Breached! How much could a data breach incident cost your company?
Know Your Business Associates: You're In It With Them. Billing Service, Collection Service, Lawyers, IT Vendor, Medical Record Disposal Co., EHR Vendor, Answering Service, Transcriptionist, Labs, Imaging Centers, Private Payers, Medical Transport Co., Cleaning Service, And The List Goes On. HIPAA Now Requires Comprehensive Business Associates Agreements.
Basic Remedial Action: Performing a new risk assessment; Revising policies and procedures; Improving physical security by installing new security systems or by relocating equipment or records to a more secure area; Training or retraining workforce members who handle protected health information; Adopting encryption technologies; Establish Acceptable Use Rules For Internet; Imposing sanctions on workforce members who violated policies and procedures primarily in response to serious employee errors, removing protected health information from the facility against policy, and unauthorized access; Changing passwords; Revising business associate contracts to more explicitly require protection for confidential information. In both Contact Your Liability/Malpractice Insurance Company. REMEMBER: If It Is Not Documented It Did Not Happen. HIPAA Will Want It In Writing.
Synergy Solutions 3200 Ridgelake Dr. Suite 203 Metairie LA Telephone (504) Facsimile (504) Toll Free John Daigle: Ext 115 Frank J Davis ext 116