Texas Privacy Update Ana E. Cowan, Associate Deborah C. Hiser, Partner Brown McCarroll LLP A Look at HITECH and H.B.300 Developments.

H.B. 300: How Are Things Different?
H.B. 300 effective September 1, 2012
Completely new framework for enforcement:
–Audits
–AG-initiated action
–Hefty fines
–If you did not take HIPAA seriously before, it is time
Update policies and procedures:
–Training
–Breach notification
–Marketing
–Sale of PHI
–NPP
–Update of business associate contracts
–Authorization for electronic disclosure
–Access to medical record

Complaints Received by OCR (chart; data not reproduced in transcript)

Top 5 Issues in Investigated Cases Closed with Corrective Action

Year             | Issue 1                          | Issue 2                          | Issue 3 | Issue 4           | Issue 5
(year not shown) | Impermissible Uses & Disclosures | Safeguards                       | Access  | Minimum Necessary | Notice
2009             | Impermissible Uses & Disclosures | Safeguards                       | Access  | Minimum Necessary | Complaints to Covered Entity
2008             | Impermissible Uses & Disclosures | Safeguards                       | Access  | Minimum Necessary | Complaints to Covered Entity
2007             | Impermissible Uses & Disclosures | Safeguards                       | Access  | Minimum Necessary | Notice
2006             | Impermissible Uses & Disclosures | Safeguards                       | Access  | Minimum Necessary | Notice
2005             | Impermissible Uses & Disclosures | Safeguards                       | Access  | Minimum Necessary | Mitigation
2004             | Impermissible Uses & Disclosures | Safeguards                       | Access  | Minimum Necessary | Authorizations
Partial 2003     | Safeguards                       | Impermissible Uses & Disclosures | Access  | Notice            | Minimum Necessary

Breach Notification: 500+ Breaches by Type of Breach (chart; data not reproduced in transcript)

OCR Enforcement Cases
OCR has stated that it will investigate every reported breach.
Rite Aid
Take away: Must dispose of PHI correctly.
–Rite Aid pharmacies disposed of labeled prescription bottles containing PHI in containers accessible by the public.
–$1 million; entered into a 3-year CAP and a 20-year FTC Order which requires Rite Aid to:
  develop privacy and security policies to safeguard PHI during the disposal process,
  train employees on how to properly dispose of PHI,
  sanction offending employees, and
  obtain external assessments of Rite Aid’s compliance.

OCR Enforcement Cases
Cignet Health
Take away: Must give patients their medical records within 15 days of request. Always comply with OCR’s requests.
–Cignet denied 41 patients access to their medical records. During the OCR investigation, Cignet ignored OCR’s requests to produce records.
–$4.3 million

OCR Enforcement Cases
Phoenix Cardiac Surgery
–Failed to secure appointment calendaring app
–Failed to have risk analysis and risk management process under the Security Rule
–$100,000; entered into a Corrective Action Plan (CAP) which requires a review of recently developed policies and other actions taken to come into full compliance with the Privacy and Security Rules.
Take away:
»Small providers must comply
»Pay attention to fundamentals of security: standards are flexible and scalable
»Security in the “Cloud”

Authority for HIPAA Audits
Section of the HITECH Act: “The Secretary shall provide for periodic audits to ensure that covered entities and business associates that are subject to the requirements of this subtitle and subparts C and E of part 164 of title 45, Code of Federal Regulations, as such provisions are in effect as of the date of enactment of this Act, comply with such requirements.”

The Initial 20 Audits
Quick OCR/KPMG HIPAA Audit Update: 1st 20 Audits
–Large providers/payors with more than $1 billion in revenue and/or assets
–Large regional hospital systems / regional payors with between $300 million and $1 billion in revenue and/or assets
–Community hospitals, ambulatory surgery centers, regional pharmacies (with between $50 million)
–Small providers and community pharmacies with less than $50 million in revenue and/or assets

Audits: What to Expect (two slides of diagram content not reproduced in transcript)

Audits: What to Expect
The Questions HHS Might Ask: Lessons Learned From Piedmont
1. Establishing and terminating users’ access to systems housing ePHI
2. Emergency access to electronic information systems
3. Inactive computer sessions (periods of inactivity)
4. Recording and examining activity in information systems that contain or use ePHI
5. Risk assessments and analysis of relevant information systems that house or process ePHI data
6. Employee sanction policies
7. Incident reports
8. Audit logs and access reports
9. Listing of all network perimeter devices, i.e. firewalls and routers

Audits: What to Expect
The Questions HHS Might Ask (continued)
10. Remote access activity (network infrastructure platform, access servers, authentication and encryption software)
11. Password and server configurations
12. Antivirus software
13. Maintenance and repairs of hardware, walls, doors, and locks in sensitive areas

Audits: What to Expect
Additional Questions HHS Might Ask (continued)
1. Information systems that house ePHI data, as well as network diagrams, including all hardware and software that are used to collect, store, process, or transmit ePHI
2. Terminated employees
3. New hires
4. Outsourced individuals and contractors with access to ePHI; provide a copy of the contract for these individuals
5. Organizational charts
6. List of all users with access to ePHI data
7. Identify each user’s access rights and privileges
8. List of systems administrators, backup operators, and users
9. List of all users with remote access capabilities
10. Regularly review the OCR website and review CAPs

Audits: What to Expect
Step 3: Site Visits
–Personal interviews with CE leadership
–Up close and personal examination
–Policy consistency
–Observation

Audits: What to Expect
Step 4: Auditor Reports
–Auditors will develop a draft report
–Final report submitted to OCR
–OCR may initiate a compliance review for serious issues
–If they do, you will be subject to a CAP

New Civil Monetary Penalty System
Accidental
–$100 each violation
–Up to $25,000 for identical violations, per year
Not willful neglect, but not accidental
–$1,000 each violation
–Up to $100,000 for identical violations, per year
Willful neglect, not corrected
–$50,000 each violation
–Up to $1.5 million per year

And… Don’t Forget About Criminal Penalties
“Knowingly”
–$50,000
–Imprisonment up to one year
False pretenses
–Up to $100,000 fine
–Up to five years in prison
Intent to sell, transfer, or use for commercial advantage, or for personal gain or malicious harm
–$250,000
–Imprisonment for up to ten years

H.B. 300 Audits
H.B. 300  TX Health & Safety Code § Audits of Covered Entities
If there appears to be a pattern of violations, the Texas Commission of HHS may:
–Require the covered entity to submit a risk analysis regarding the potential risks and vulnerabilities to the confidentiality, integrity, and availability of PHI, and
–If the covered entity is licensed by a Texas agency, request the agency to conduct an audit.

Texas H.B. 300 AG Action
H.B. 300  TX Health & Safety Code § AG Initiated Action
–AG may sue a covered entity for violation of the Texas Privacy Law.
–AG may bring an action only if the agency the entity is licensed by refers the violation to the AG.
–AG may retain a reasonable amount of the civil penalty.

H.B. 300 Texas Attorney General Enforcement
In May 2011, OCR invited the 50 state attorneys general to in-person HIPAA training so that they may properly enforce HIPAA and HITECH in their respective states.

Texas H.B. 300: It Comes Down to $$$$
H.B. 300  TX Health & Safety Code § Civil Penalties in Addition to Injunctive Relief (may not exceed):
–$5,000 per violation per year  negligently
–$25,000 per violation per year  knowingly or intentionally
–$250,000 per violation per year  financial gain

Texas H.B. 300: It Comes Down to $$$$
Civil penalties may not exceed $25K for violation(s) of authorization and notice requirements for disclosure of PHI if the disclosure was only made to another covered entity and was only for the purposes of treatment, payment, operations, or insurance, and:
–The PHI was encrypted or transmitted using encryption technology,
–The PHI recipient did not use or release the PHI, and
–At the time of disclosure, the covered entity had developed, implemented, and maintained security policies, including education and training of employees responsible for PHI security.

Texas H.B. 300: It Comes Down to $$$$
If a court finds violations occurred enough times to constitute a pattern, a fine not to exceed $1.5 million may be assessed.
In determining the penalty amount, the court should consider:
–Seriousness of the violation,
–Covered entity’s compliance history and effort to correct the violation,
–Whether the violation poses a significant risk of financial, reputational, or other harm to the individual,
–The amount required to deter future violations, and
–Whether the covered entity was THSA certified at the time of the violation.

Texas H.B. 300 Training
H.B. 300  TX Health & Safety Code § Training Requirements
Covered entities are required to train employees on state and federal laws as they relate to:
–The CE in its particular course of business
–The employee’s scope of employment
60-day requirement
Must provide for training at least once every 2 years
Employees must attest to being trained
H.B. 300 Action Item  Update your policies and procedures

Texas H.B. 300 Access
H.B. 300  TX Health & Safety Code § Access Requirements
Electronic health records system: provide the record electronically within 15 days of written request
H.B. 300 Action Item  Update your policies and procedures

Texas H.B. 300 Sale of PHI
H.B. 300  TX Health & Safety Code § Sale of PHI
Covered entities may not disclose PHI in exchange for direct or indirect remuneration, unless the disclosure is for treatment, payment, health care operations, or insurance. The remuneration the covered entity receives may not exceed the covered entity’s reasonable costs for preparing or transmitting the PHI.
NPRM: Provides that the CE disclose this in the NPP

Texas H.B. 300 Sale of PHI
H.B. 300  TX Health & Safety Code §
(b) If a covered entity uses or discloses protected health information to send a written marketing communication through the mail, the communication must be sent in an envelope showing only the names and addresses of sender and recipient and must:
1. state the name and toll-free number of the entity sending the marketing communication; and
2. explain the recipient’s right to have the recipient’s name removed from the sender’s mailing list.
(c) A person who receives a request under subsection (b)(2) to remove a person’s name from a mailing list shall remove the person’s name not later than the 45th day after the date the person receives the request.

Texas H.B. 300 Sale of PHI
This is complicated. Don’t try to figure it out on your own.
EVEN THE FEDS DON’T KNOW HOW TO DEFINE TREATMENT
H.B. 300 Action Item  Update policies and procedures. Texas law is stricter. Need to be on the lookout for the NPRM  NPP statement

Texas H.B. 300 Notice and Authorization
TX Health & Safety Code § Notice and Authorization Required for Electronic Disclosure of PHI
CE must post notice:
–Written notice in the covered entity’s place of business,
–Notice on the covered entity’s website, or
–Notice in any other place where individuals are likely to see the notice.
Obtain authorization: Even if the above notice is posted, the CE may not electronically disclose an individual’s PHI without the individual’s authorization.
–EXCEPTION: Disclosure is to another CE for the purpose of treatment, payment, operations, or insurance.

Texas H.B. 300 Notice and Authorization
TX Health & Safety Code § Notice and Authorization Required for Electronic Disclosure of PHI
H.B. 300 Action Items 
–Update policies and procedures
–Update the HIPAA authorization form to take electronic disclosure into consideration
–Post notice (either in office or in the NPP)

Texas H.B. 300 Breach
H.B. 300  TX Business and Commerce Code § Breach
A person who conducts business in this state and owns or licenses computerized data that includes sensitive personal information must disclose any breach of system security.
“Breach of system security” means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of sensitive personal information maintained by a person, including data that is encrypted if the person accessing the data has the key required to decrypt the data.
Applies only if the individual whose sensitive personal information was or is reasonably believed to have been acquired by an unauthorized person is a resident of this state or another state that does not have notification laws.
H.B. 300 Action Item  Update policies and procedures; Texas law is different from HITECH

Sobering Thoughts
Sec. DISCIPLINARY ACTION
In addition to the penalties prescribed by this chapter, a violation of this chapter by a covered entity that is licensed by an agency of this state is subject to investigation and disciplinary proceedings, including probation or suspension by the licensing agency. If there is evidence that the violations of this chapter are egregious and constitute a pattern or practice, the agency may:
1. revoke the covered entity’s license; or
2. refer the covered entity’s case to the attorney general for the institution of an action for civil penalties under Section (b).

Sobering Thoughts
Sec. EXCLUSION FROM STATE PROGRAMS
In addition to the penalties prescribed by this chapter, a covered entity shall be excluded from participating in any state-funded health care program if a court finds the covered entity engaged in a pattern or practice of violating this chapter.

Texas H.B. 300 Business Associate Contracts
Business associate contract: a contract between a HIPAA covered entity and a HIPAA business associate. The contract protects protected health information (PHI) in accordance with HIPAA requirements.
Remember that your business associates are considered a CE under Texas law.
H.B. 300 Action Items  Need to update BA contracts:
–Provisions to prohibit the sale and marketing of PHI
–Update training provisions
–Update access provisions
–Update breach provisions (HITECH and H.B. 300)
–DON’T FORGET TO INDEMNIFY

Final Thoughts
Change in enforcement landscape
Update policies and procedures for H.B. 300 changes:
–Training policy
–Notice of Privacy Practices
–Authorization
–Business associate contracts
–Access policy
–Marketing
–Breach policy
–Do not ignore the Security Rules
Train, train, train

Questions? Thank You

Contact
Ana E. Cowan
Deborah C. Hiser
Congress, Suite 1400, Austin, Texas
