Presentation on theme: "September 27, 2013 Deborah C. Hiser Julianne P. Story"— Presentation transcript:
1September 27, 2013 Deborah C. Hiser Julianne P. Story HIPAA IN THE WORKPLACESeptember 27, 2013Deborah C. HiserJulianne P. Story
2Agenda HIPPA/HITECH overview. Employee conduct posing risk. Social media (photography, posting, blogging).Snooping.Lost laptops.Communicating with patients ( , texting).Best practices to minimize risk.Penalties.
3HIPAA/HITECH Overview: How are Things Different? HITECH Omnibus Final Rule Changes:Business Associate RequirementsLimits on Fundraising and MarketingSale of PHIExpanded Patient Rights (NPP, Restrictions, Access, Gina)Breach NotificationPenalties
4BIG Changes for Business Associates and Subcontractors Chain of Trust ConceptA subcontractor means a person to whom a business associate delegates a function, activity, or service, other than in the capacity of the workforce of such business associateCovered Entity*First Step KBusiness Associate*SUB BAContractLets start with what I consider to be one of the biggest changes to the HIPAA regulations since they were first published.Taking a look at this chart. HIPPAA has always required that a CE enter into a BA Agreement with vendors that provide services, use, or disclose PHI on their behalf. What is new under the MegaRule, is that Business Associates must now enter into SUB BA Agreements with their vendors.This creates an automatic “chain of trust” following the use and disclosure of PHI. Each entity in the chain is required by regulation and by contract to protect the PHI and administer it consistently with the obligations of the Covered Entity at the top of the chain.What is also important, is that this is a “chain of trust with teeth.” Each entity in this chain will be subject to Business Associate Contractual obligations, and therefore subject to both civil monetary penalties and contractual remedies for violations which is an area I really want to focus on.Sub-BA* Sub-Enters into K with Sub-SUB BA
5BIG Changes for Business Associates and Subcontractors Subcontractors MustComply with the technical, administrative, and physical safeguard requirements under the Security Rule and are liable for Security Rule violationsComply with use or disclosure limitations expressed in its contract and those in the Privacy Rule and criminal and civil liabilities attach for violationsNot a completely new concept for Texas BUT……Liability flows to all subcontractorsCE under an obligation to get written assurances from their BAsFIRST GO THROUGH SLIDE INFOSo, the new rule does a couple of things in terms of liability:Under the old rule, Subcontractors were only regulated second-hand by contract. Subcontractors are now full-fledged Business Associates- as are their subcontractors in turn.Current Business Associates are directly exposed to regulatory penalties and are directly liable under HIPAA for things like:Impermissible uses and disclosuresFor a failure to provide breach notification to the CEFor a failure to provide access to a copy of EPHI either to covered entity, individual or designee (whichever is spec ified in BAA)For a failure to disclose PHI where required by the Secretary to investigateFailure to provide an accountingFailure to comply with requirements of Security RuleEverything else is based on contract!!Covered entities and business associates re-assess their legal risks and compliance strategies. They should also review and revise their subcontracting strategies. While ideally existing Business Associates should have been staying abreast the developing law, the reality is that many probably have not, and will need to be advised and supported in understanding their new obligations and exposures.
6Expanded Rights: Notice of Privacy Practices NPP to Include a Statement That:Uses and disclosure of PHI for marketing requires authorizationDisclosures that constitute a sale of PHI require authorizationIf CE intends to contact an individual to raise funds, patient has the right to opt outIf health plan uses PHI for underwriting, CE is prohibited from using genetic information for those purposesCE has to agree to certain restrictions if patient has paid in full, out-of-pocketCE must notify affected patients following a breach (check state laws of breach!)The regulations require modifications and redistribution of the NPPIn terms of updating, a CE needs to update their NPP to include a statement that1. Disclosure of psychotherapy notes require authorization:
7Expanded Rights: Requests for Restriction Change of LawCE must agree to a requested disclosure restriction if:Disclosure is for payment or health care operations purposes and is not otherwise required by law; andThe PHI pertains solely to a health care item or service for individual, or person other than the health plan on his/her behalf, has paid covered entity in full.Action ItemUpdate policies and proceduresUpdate BA AgreementsNormally, A CE does not have to agree if an individual requests restrictions related to use or disclosure of PHI. However, as a result of the Mega Rule, a CE must now agree to a request to restrict the disclosure of PHI if the disclosure is for payment or health care operations and the PHI relates to a health care item or service that the individual has paid in full.Health care providers do not need to create a separate medical record or otherwise segregate PHI subject to a restricted health care item or service. However, a CE does need somehow employ some method to flag or make notation in the record of PHI that has been restricted. It is important to do this so that PHI is not inadvertently accessible to a health plan during otherwise normal payment or health care operations – for example during audits by a health plan.There were also quite a few comments about Medicare??? The comments make clear that If a provider is required by State or other law to submit a claim to a health plan for covered service, and there is no exception or procedure for individuals wishing to pay out of pocket, then the disclosure is required by law and the CE is not required to comply with the restriction. With respect to Medicare, it is our understanding that when a physician furnishes a service that is covered by Medicare, then it is subjection to the mandatory claim submission which requires that if a physician or supplier charges or attempts to charge a beneficiary any remuneration for a service that is covered by Medicare, then the physician must submit claim to Medicare. However, there is an exception to this rule where the beneficiary refuses, of his own free will, to authorize submission of a bill to Medicare. In such cases, a provider is not required to submit a claim to Medicare for the covered services and may accept out of pocket payment.
8Expanded Rights: Access Change of LawIf CE uses or maintains an EHR with PHI of an individual, individual shall have the right to obtain from CE a copy of such information in electronic format and individual may direct CE to transmit such copy directly to the individual’s designee, provided that any choice is clear, conspicuous, and specific.TX Law: H.B. 300 has a faster turnaround time!Action ItemsUpdate policies and proceduresUpdate patient formsUpdate BAIf an individual requests PHI that is maintained electronically in a designated record set, the final rule provides that the CE must provide the individual with electronic access in a form and format requested by the individual, if the information is readily producible in such format. If the CE cannot provide that format, then the CE and the individual can agree on another electronic form. Texas HB 300 also provides similar provisions.There are A couple of things to consider:First, If the designated record set includes electronic links or images or other data, the images or other data that is linked to the designated record set must also be included in the electronic copy provided to the individual. The electronic copy must contain all PHI electronically maintained in the designated record set AT THE TIME THE REQUEST IS FULFILLED.Second, a CE is not required to scan paper documents to provide electronic copies of records maintained in hard copy.There were also a lot of questions about portable devices??? The idea is that a patient comes to office, requests their record electronically and provides a flash drive or CD. The concern here is that the patient’s portable device can introduce viruses or other security concerns for the CE. As we all know, a CE is under an obligation to maintain the security and integrity of PHI under the Security Rule.SO WHAT ARE YOU TO DO?The Department acknowledges that A CE is not required to accept the external media if it determines there is an unacceptable level of risk. (so everyone should be documenting a risk assessment at this point).It is important to note that if a CE decides the risk is too high, a CE can’t turn around and then require individuals to purchase portable medical device from the CE if the individual does not wish to. However, The individual may opt to receive an alternative form of the electronic copy, such as through . In regarding the comments, I found it interesting that the Department suggested informing patient that there is a riski to unencrypted .
9Expanded Rights: Genetic Information GINA Provisions:Requires “Genetic Information” be treated as PHIProhibits Health Plans from using/disclosing genetic information for underwriting purposesTerms and definitions track regulations prohibiting discrimination in provision of health insurance based on genetic information
10Marketing Change In Law Authorization required for all treatment and health care operation communications where CE receives financial remuneration for making communicationsExceptions (refill reminders, treatment, case management)Action ItemsUpdate policies and proceduresDon’t forget to incorporate state law, if anyUpdate authorization formThe mega rule significantly modified the proposed rules’ approach to marketing. Under the new rule, marketing includes communications about a product or service that encourages recipients to purchase or use the product or service. There are exceptions. For example, refill reminders so long as the financial remuneration is for the cost of the communication are ok. In addition, treatment and certain healthcare operations are not considered marketing if there is NO financial remuneration.For me, What is really significant under the new rule is that authorization is required for all treatment and healthcare operations where the CE receives financial remuneration. For those of you who find this terribly exciting and have been following all of the changes to HIPAA, this change is directly related to comments and responses where there was significant confusion as to what constitutes treatment is or what constitutes health care operation.For example, the NPRM indicated that population based activities did not constitute treatment and were considered a health care operation. Rather than having a grey area, The Department did away with that discussion by just saying that if a CE receives financial remuneration, specific authorization is required.“Financial remuneration” means direct and indirect payment from or on behalf a third party whose product or service is being described. Two things are noteworthy here. First, the term financial remuneration does not include non-financial benefits, such as in-kind benefits provided to a covered entity. In addition, financial remuneration only includes payments made in exchange for making the communication. For example, if a third party provides financial remuneration to a CE to implement a disease management program, the CE does not need authorization as long as the communication are about the CE’s program itself. In this example, the communication is only encouraging individuals to participate in the CE disease management program and is not encouraging individuals to use or purchase a third party’s product or service.Texas Considerations: H.B 300 and Mega rule define “marketing” the same; (2) Exceptions the same with respect to treatment and case management (3) Refill reminders are a bit different and require analysis;
11Prohibition on Sale Of PHI UpdatePHI cannot be sold without patient authorizationMany exceptions-Public healthResearch (limited to cost-based fee)Treatment/PaymentSale, transfer, merger/consolidationCEs/BAs need to evaluate all situation where PHI is soldIn addition to the Marketing provisions, HITECH Act prohibits the sale of PHI with certain exceptionsA covered entity or business associate may not disclose PHI in exchange for in kind benefits, unless the disclosure falls within an exception. Exceptions to the authorization requirement: include GO THROUGH LISTIn terms of definitions, it is noteworthy that the term “sale of PHI” includes disclosures of PHI where the CE or BA receives direct or indirect remuneration from the recipient in exchange for the PHI. This is different than marketing. Remember that marketing refers to financial remuneration. So there is a definite distinction.
12BREACHThe interim final regulation clarified that statute incorporated a “risk of harm” threshold – notice is required where there is a “significant risk of financial, reputational or other harm.”CEs have been reporting breaches under this standard for two yearsDEBBIE
13Two significant changes: BREACH The Big NewsTwo significant changes:Modified the “presumption” for breach reportingNotification is required to affected individuals unless CE/BA- “demonstrate there is a low probability that the PHI has been compromised based on a risk assessment.”DEBBIEImpermissible use or disclose = breach unless low probability that compromisedProvider to provider = low probability that data has been compromise.
14BREACH Risk Assessment CE/BA must perform a “risk assessment” to determine if there is a low probability of a “compromise” of the PHI.If risk assessment reveals a low probability of compromise, notification is not required.CE/BA can provide notice without a risk assessment.DEBBIE
15BREACH: Elements of Risk Assessment The nature and extent of PHI involved, including types of identifiers and likelihood of re-identification;The unauthorized person who used the protected health information or to whom the disclosure was made;Whether the protected health information was actually acquired or viewed; andThe extent to which the risk to the protected health information has been mitigated—Can it be used, for example, for ID theft, Medical ID Fraud, hackers to destroy integrity, can forensics say it was accessed/used?DEBBIEFinancial sensitive – credit card #, SS#, or other information that increases the risk of identity theftDHS indicated that it will provide additional guidance
16Employee Conduct Posing Risk: Social Media Many benefits:Easy & effective mode of communicationMarketing opportunityBolster professional relationshipsDownside: Immediate and broad dissemination of information. Disgruntled employees use social media to criticize employers/patientsDeliberate vs. inadvertent disclosure
17Employee Conduct Posing Risk: Social Media – Examples: Innovis Health – use of Facebook to communicate unauthorized shift change updates to co-workers;Westerly Hospital – Rhode Island physician posted information on personal Facebook page regarding trauma patient.Byrnes v. Johnson County Community College – nursing student posted photo of placenta on FB.Nurse fired for posting on personal FB page she treated a “cop killer” after many news accounts named the accused shooter and the hospital at which he was treated.
18Employee Conduct Posing Risk: Snooping Kaiser Permanente’s Bellflower Hospital – (2009) fined $250,000 for failing to prevent employees from accessing Octomom’s records.Cedars Sinai Medical Center – (2013) 6 employees terminated after accessing records of Kardashian baby.UCLA Health System settlement with OCR (2011) after employees snooped into celebrity medical records.Monetary payment of $865,000Implement new security privacy rulesImprove employee trainingDiscipline employees for violationsDesignate independent compliance monitor
19Employee Conduct Posing Risk: Camera Phones Photography is easy.Photos can be easily shared, including on social media.Once shared cannot be deleted (breach can be ongoing)Can be done surreptitiously.Photos can be PHI (even without patient name).Examples:Rady Children’s Hospital – San Diego (2006) – child pornographyMayo Clinic’s Phoenix Hospital – inappropriate photograph of a patient under anesthesia.University of New Mexico Hospital – photos of ER patient’s injuries posted on MySpace.Martin Medical Center in Florida – photos of shark attack victim shared with friends (2010)
20National Labor Relations Act Employees have the right to self-organization, to form, join or assist labor unions, to bargain collectively, and to engage in “concerted activities” for mutual aid or protection (Section VII).It shall be an unfair labor practice for an employer to interfere with, restrain or coerce employees in the exercise of the rights guaranteed by Section VII.NLRB standard: Whether the rule would unreasonably tend to chill employees in the exercise of their Section VII rights.
21NLRB: Social Media Can Be “Concerted Activity” Employees have a legal right under the NLRA to discuss their working conditions on social media websites.Concerted activity v. individual employee rights.Unique tension in Healthcare environment.
22Employee Conduct: Communications With Patients and TextingApril 2012 survey: 73% of physicians text other physicians at work.Do texts constitute “medical record”.Security-Privacy/preservation concerns.Check state law
23Employee Conduct: Lost or Stolen Laptop ANAIn a March 2012 interview with Leon Rodriguez, he was asked to provide some guidance on some of the most common compliance issues that have been identified in the first 20 initial audits. He declined to provide any guidance as to the initial 20 audits and instead referenced what is going on in terms of breach notifications.As you are all aware, the HITECH act requires HIPAA covered entities to notify affected individuals, the Secretary, and in some cases the media following the discovery of a breach of UNSECURED PROTECTED HEALTH INFORMATION2010 was the first full calendar year for reportingTHEFT was the #1 common reported case of large breaches in 2009 and 2010The majority of theft incidents involve the THEFT OF PAPER RECORDS or ELECTRONIC MEDIA—ESPECIALLY LAPTOPIt will be interesting to see if the audits fall in line with what we are seeing with breach notification and enforcement.
24First HIPAA breach settlement involving less than 500 patients Hospice of North Idaho$50,000Stolen laptop with ePHI of 441 patientsFailed to include laptops and other mobile devices in security risk assessmentJanuary 2, 2013The HHS Office for Civil Rights (OCR) began its investigation after HONI reported to HHS that an unencrypted laptop computer containing the electronic protected health information (ePHI) of 441 patients had been stolen in June Laptops containing ePHI are regularly used by the organization as part of their field work. Over the course of the investigation, OCR discovered that HONI had not conducted a risk analysis to safeguard ePHI. Further, HONI did not have in place policies or procedures to address mobile device security as required by the HIPAA Security Rule. Since the June 2010 theft, HONI has taken extensive additional steps to improve their HIPAA Privacy and Security compliance program.“This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information.” said OCR Director Leon Rodriguez. “Encryption is an easy method for making lost information unusable, unreadable and undecipherable.”The Health Information Technology for Economic and Clinical Health (HITECH) Breach Notification Rule requires covered entities to report an impermissible use or disclosure of protected health information, or a “breach,” of 500 individuals or more to the Secretary of HHS and the media within 60 days after the discovery of the breach. Smaller breaches affecting less than 500 individuals must be reported to the Secretary on an annual basis. A new educational initiative, Mobile Devices: Know the RISKS. Take the STEPS. PROTECT and SECURE Health Information, has been launched by OCR and the HHS Office of the National Coordinator for Health Information Technology (ONC) that offers health care providers and organizations practical tips on ways to protect their patients’ health information when using mobile devices such as laptops, tablets, and smartphones.
25Best Practices: Laptops No PHI on personal laptopsAll PHI on laptops is encryptedIf company issued laptops are removed, check in-check out systemAll laptops have kill switchSame policies re: mobile phones & iPads/Notebooks
27Best Practices: Policies Employee DisciplineClearly specific prohibited conductClearly specify consequences of violationFollow throughSocial MediaClearly describe protection for PHIProhibit posting or discussing patient information on social media (even if name is not used)Use specific examplesConsider banning access to social media on work computersCannot prohibit use of logoBe mindful of NLRA protectionsComputer use
28Employee Training When: What: New hires Periodic/regular update Follow-up trainingCheck state lawWhat:Confidentiality obligationsDefine PHISocial media/computer useDiscipline – set forth disciplinary consequences for violationsAllow for discretion in enforcementEnforce consistently
29Audits: What to ExpectWhen a covered entity is selected for an audit, OCR will notify the covered entity in writing.OCR notifies selected covered entities between 30 and 90 days prior to the anticipated onsite visit. According to the OCR, Onsite visits should take between 3 and 10 business days depending upon the complexity of the organization and the auditor’s need to access materials and staff. However, according to a KPMG representative, onsite visits typicall ran up to 7 days on the field.After fieldwork is completed, the auditor provided the covered entity with a draft final report; a covered entity will have 10 business days to review and provide written comments back to the auditor. The auditor will complete a final audit report within 30 business days after the covered entity’s response and submit it to OCR.
30Audits: What to Expect Lessons Learned From Piedmont Establishing and terminating user’s access to systems housing ePHIEmergency access to electronic information systemsInactive computer sessions (periods of inactivity)Recording and examining activity in information systems that contain or use ePHIRisk assessments and analysis of relevant information that house or process ePHI data.Employee sanction policiesIncident reportsAudit logs and access reportsListing of all network perimeter devices, i.e. firewalls and routersIn February of 2007, HHS through the Office of Inspector General conducted a random HIPAA audit of Piedmont hospital.The Piedmont audit letter also included an enclosure asking for a list of documents and information to be provided. Over 40 questions or requests for documentation were asked in the Piedmont case.The types of information requested during the Piedmont audit are certainly fair game in the KPMG audits.When preparing for an audit, use Piedmont as base for what to expect and designate specific individuals within you entity to take the lead on these issues.On June 26, HHS' Office for Civil Rights released the protocol it is using to audit compliance with various requirements under HIPAA.Each module includes a number of specific performance measures, which cite specific sections of the HIPAA rules, against which KPMG assesses the covered entity.The Privacy Rule module includes 78 performance measures;the Security Rule module includes 77 performance measures; and the Breach Notification module includes 10 performance measures, for a total of 165 performance measures.Each performance measure includes a "key activity" and an "audit procedure" that describes the actions the KPMG auditors take in reviewing compliance with the measure.Sample Performance Measure: "§ (a)(1) -- A covered entity may use or disclose protected health information to the extent that such use or disclosure is required by law and the use or disclosure complies and is limited to the relevant requirements of such law. § (a)(2) -- A covered entity must meet the requirements described in paragraph (c), (e), or (f) of this section for uses or disclosures required by law."Key Activity: Uses and Disclosures Required by LawAudit Procedure: Inquire of management as to whether the requirements to use or disclose PHI required by law are met. Obtain and review Notice of Privacy Practices and evaluate the content in relation to the specified criteria to determine if the entity identifies the disclosures required by law. Obtain and review policies and procedures and evaluate the content in relation to the specified criteria for uses and disclosures required by law.
31Audits: What to Expect(continued)10. Remote access activity (network infrastructure platform, access servers, authentication and encryption software)11. Password and server configurations12. Antivirus software13. Maintenance and repairs of hardware, walls, doors, and locks in sensitive areasNotice that the information requested is specific such as in #11 which requires disclosure of password and server configurationsReaction to the audit protocol has been mixed.Some have criticized the protocol as providing significant details related to certain requirements and not others. Others have criticized it as lacking specificity and simply parroting back the HIPAA rules with little additional information.For example, some have criticized the protocol for calling for determining if the covered entity risk assessment has been conducted on a "periodic basis" without defining what periodic basis means.In response to these criticisms, OCR officials said that while they understand stakeholders' desire for specificity, the HIPAA rules were not designed as a set of one-size-fits-all requirements. OCR also has stressed that it is not attempting to set new standards through the protocol.Others, however, suggest that the protocol can help serve as a useful rubric for assessing the status of a covered entities' HIPAA compliance efforts. For example, John Halamka -- co-chair of the Health IT Standards Committee, an advisory group to the Office of the National Coordinator for Health IT, and CIO at Beth Israel Deaconess Medical Center -- has recommended supplementing the audit protocol with the HIPAA implementation guides developed by the National Institutes for Standards and Technology, which are designed to aid covered entities in understanding the security concepts included in the HIPAA Security Rule.
32Audits: What to Expect Personal Interviews with CE leadership (continued)Site VisitsPersonal Interviews with CE leadershipUp Close and Personal ExaminationPolicy ConsistencyObservationDEBBIEStep 3 consists of Site Visits.Site visits are conducted by audit teams of 3 to 5 auditors (or 2 to 3 auditors for small, noncomplex practices) with expertise in compliance auditing, HIPAA privacy and security, and IT auditing.The visits will include interviews with leadership(e.g., chief information officer, legal counsel, health information management director);examination of physical features,operations, and adherence to policies; andobservation of compliance with HIPAA regulatory requirements.Security ModuleSample Performance Measure: "§ (a)(1) -- Security Management Process § (a)(1)(ii)(a) -- Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information held by the covered entity."Key Activity: Develop and Deploy the Information System Activity Review ProcessAudit Procedure: Inquire of management as to whether formal or informal policy and procedures exist to review information system activities, such as audit logs, access reports and security incident tracking reports. Obtain and review formal or informal policy and procedures and evaluate the content in relation to specified performance criteria to determine if an appropriate review process is in place of information system activities. Obtain evidence for a sample of instances showing implementation of covered entity review practices. Determine if the covered entity policy and procedures have been approved and updated on a periodic basis.
33Audits: What to Expect Auditor Reports Auditors will develop a draft reportFinal report submitted to OCROCR may initiate compliance review for serious issuesIf they do, you will be subject to a CAPAuditor ReportsDEBBIEAfter the site visit, the auditors and the CE sit down and talk about the findings. A CE may provide further information to mitigate a finding or clarify something it thinks was misinterpreted. IT IS IMPORTANT TO NOTE THAT ONCE THIS DISCUSSION PERIOD ENDS, TIME IS UP FRO TRYING TO PROVE COMPLICANE. There were instances were covered entities contacted KPMG 30 days of the field saying they corrected the whole process and requested that a particular finding be removed from the report. KPMG basically took the attitude of Sorry—we were there—we saw it-- too late.The final report for each audit is required to include, at a minimum:Identification and description of the audited entity (including full name, address, employer identification number, and contact person)The methods used to conduct the auditThe defect or noncompliant status observed (including evidence)A clear demonstration that each negative finding is a potential violation of the privacy or security rules, with citationThe reason that the condition exists, along with identification of supporting documentation usedThe risk or noncompliant status resulting from the findingRecommendations for addressing each findingEntity corrective actions taken, if anyAcknowledgment of any best practices or successesAn overall conclusion paragraph
34PenaltiesHIPAA CivilCivil - $100 per violation to maximum of $1.5M per year.State StatutoryState common law tort actionInvasion of privacyIntentional/negligent infliction of emotional distress
35New Civil Monetary Penalty System Accidental$100 each violationUp to $25,000 for identical violations, per yearNot Willful Neglect, but Not Accidental$1,000 each violationUp to $100,000 for identical violations, per yearWillful Neglect, Not Corrected$50,000 each violationUp to $1.5 million per year
36And…Don’t forget about Criminal Penalties Up to $250,000 fineImprisonment up to 10 years“Knowingly”$50,000Imprisonment up to one yearFalse pretensesUp to $100,000 fineUp to five years in prisonIntent to sell, transfer, or use for commercial advantage, or for personal gain or malicious harm$250,000Imprisonment for up to ten years
37Recent OCR Enforcement Cases Mass. Gen. Hosp. – Employee left 192 patient files containing HIV/AIDs PHI on subway that were never recorded. $ penalty and 3 year CAP Phoenix Cardiac Surgery – failed to secure Patient Calendar Appointment App. $ , 3 year CAP
38Recent OCR Enforcement Cases WellPoint Inc. Managed Care CompanyImportant message for CEs to take caution when implementing changes to information systems, especially when changes involve updates to Web-based applications or portals that are used to provide access to consumers’ health data using the Internet.HHS began investigation following breach report from WellPoint as required by HITECH indicating security weaknesses in an online application database that left ePHI of 612,402 individuals accessible to unauthorized individuals over the Internet.$1.7 million penaltyOCR’s investigation indicated that WellPoint did not implement appropriate administrative and technical safeguards as required under the HIPAA Security Rule.
39WellPoint (continued) Whether systems upgrades are conducted by covered entities or their BA’s, HHS expects organizations to have in place reasonable and appropriate technical, administrative and physical safeguards to protect the confidentiality, integrity and availability of electronic protected health information – especially information that is accessible over the Internet.
40Recent OCR Enforcement Cases Affinity Health Plan, Inc. - settled potential violations of HIPAA Privacy and Security Rules for $1,215,780.Affinity impermissibly disclosed PHI of up to 344,579 individuals when it returned multiple photocopiers to leasing agent without erasing data contained on copier hard drives. Affinity failed to incorporate ePHI stored in copier’s hard drives in its analysis of risks and vulnerabilities under Security Rule, and failed to implement policies and procedures when returning hard drives to leasing agents.
412012 Ponemon Institute Study Healthcare industry loses $7 billion a year due to HIPAA data breachesAverage economic impact of a data breach has increased by $400,000 to a total of $2.4 million since 201094% of CEs have had at least one data breach in the last two yearsAverage number of lost or stolen records per breach is 2,769Top 3 causes of data breaches:Lost or stolen computing device (46%)Employee mistakes or unintentional actions (42%)Third party snafus (42%)18% of CEs say medical identity theft was a result of a data breachAnnual security risk assessments are done by less than half (48%) of CEs48% of data breaches in 2012 involved medical filesPrimary activity by CEs to comply with HIPAA training is awareness training of all staff (56%), followed by vetting and monitoring of third parties, including business associates (49%)