Presentation on theme: "Texas Privacy Update Ana E. Cowan, Associate Deborah C. Hiser, Partner Brown McCarroll LLP A Look at HITECH and H.B.300 Developments."— Presentation transcript:
Texas Privacy Update Ana E. Cowan, Associate Deborah C. Hiser, Partner Brown McCarroll LLP A Look at HITECH and H.B.300 Developments
H.B. 300 How are Things Different? H.B. 300 Effective September 1, 2012 Completely New Framework for Enforcement –Audits –AG initiated action –Hefty fines –If you did not take HIPAA seriously before—it is time Update Policies and Procedures –Training –Breach Notification –Marketing –Sale of PHI –NPP –Update of Business Associate Contracts –Authorization for Electronic Disclosure –Access to Medical Record
5 Breach Notification:500+ Breaches by Type of Breach 5
6 OCR Enforcement Cases OCR has stated that they will investigate every reported breach Rite Aid Take away: Must dispose of PHI correctly. –Rite Aid pharmacies disposed of labeled prescription bottles containing PHI in containers accessible by the public. $1 million – Entered into a 3 year CAP and a 20 year FTC Order which requires Rite Aid to: Develop Privacy and Security policies to safeguard PHI during the disposal process, Train employees on how to properly dispose of PHI, Sanction offending employees, and Obtain external assessments of Rite Aid’s compliance. 6
7 OCR Enforcement Cases Cignet Health Take away: Must give patients their medical records within 15 days of request. Always comply with OCR’s requests. –Cignet denied 41 patients access to their medical records. During OCR investigation, Cignet ignored OCR’s requests to produce records. $4.3 Million 7
8 Take Away: »Small providers must comply »Pay attention to fundamentals of security—standards are flexible and scalable »Security in the “Cloud” –Failed to secure appointment calendaring app –Failed to have risk analysis and risk management process under Security Rule $100,000 –Entered into a Corrective Action Plan (CAP) which requires a review of recently developed policies and other actions taken to come into full compliance with the Privacy and Security Rules. Phoenix Cardiac Surgery OCR Enforcement Cases
9 Section 13411 of the HITECH Act The Secretary shall provide for periodic audits to ensure that covered entities and business associates that are subject to the requirements of this this subtitle and subparts C and E of part 164 of title 45, Code of Federal Regulations, as such provisions are in effect as of the date of enactment of this Act, comply with such requirements. Authority for HIPAA Audits
10 The Initial 20 Audits Quick OCR/KPMG HIPAA AUDIT UPDATE – 1ST 20 Audits Quick OCR/KPMG HIPAA AUDIT UPDATE – 1ST 20 Audits Large providers/ payors with more than $1 billion in revenue and/ or assets Large regional hospital systems/ Regional payor with between $300 million and $ 1 billion in revenue and/ or assets. Community hospitals ambulatory surgery centers, regional pharmacies (with between $50 million) Small providers and community pharmacies with less than $50 million in revenue and/ or assets
13 Audits: What to Expect The Questions HHS Might Ask: Lessons Learned From Piedmont 1.Establishing and terminating user’s access to systems housing ePHI 2.Emergency access to electronic information systems 3.Inactive computer sessions (periods of inactivity) 4.Recording and examining activity in information systems that contain or use ePHI 5.Risk assessments and analysis of relevant information that house or process ePHI data. 6.Employee sanction policies 7.Incident reports 8.Audit logs and access reports 9.Listing of all network perimeter devices, i.e. firewalls and routers
14 Audits: What to Expect The Questions HHS Might Ask (continued) 10. Remote access activity (network infrastructure platform, access servers, authentication and encryption software) 11. Password and server configurations 12. Antivirus software 13. Maintenance and repairs of hardware, walls, doors, and locks in sensitive areas
15 Audits: What to Expect Additional Questions HHS Might Ask (continued) 1.Information systems that house ePHI data, as well as network diagrams, including all hardware and software that are used to collect, store, process, or transmit ePHI 2.Terminated employees 3.New Hires 4.Outsourced individuals and contractors with access to ePHI. Provide a copy of the contract for these individuals 5.Organizational Charts 6.List of all users with access to ePHi data 7.Identify each user’s access rights and privileges 8.List of systems administrators, backup operators, and users 9.List of all users with remote access capabilities 10.Regularly review OCR website and review CAPs
16 Audits: What to Expect Step 3: Site Visits Personal Interviews with CE leadership Up Close and Personal Examination Policy Consistency Observation
17 Audits: What to Expect Step 4: Auditor Reports Auditors will develop a draft report Final report submitted to OCR OCR may initiate compliance review for serious issues If they do, you will be subject to a CAP
18 New Civil Monetary Penalty System Accidental –$100 each violation –Up to $25,000 for identical violations, per year Not Willful Neglect, but Not Accidental –$1,000 each violation –Up to $100,000 for identical violations, per year Willful Neglect, Not Corrected –$50,000 each violation –Up to $1.5 million per year
19 And…Don’t forget about Criminal Penalties “ Knowingly" –$50,000 –Imprisonment up to one year. False pretenses –Up to $100,000 fine –Up to five years in prison. Intent to sell, transfer, or use for commercial advantage, or for personal gain or malicious harm –$250,000 –Imprisonment for up to ten years.
20 H.B. 300 Audits H.B. 300 TX Health & Safety Code § 181.206 Audits of Covered Entities If there appears to be a pattern of violations, the Texas Commission of HHS may: –Require the covered entity to submit a risk analysis regarding the potential risks and vulnerabilities to the confidentiality, integrity, and availability of PHI, and –If the covered entity is licensed by a Texas agency, request the agency to conduct an audit.
21 Texas H.B. 300 AG Action H.B. 300 TX Health & Safety Code § 181.154 AG Initiated Action AG may sue a covered entity for violation of the Texas Privacy Law. AG may bring an action only if the agency the entity is licensed by refers the violation to the AG. AG may retain a reasonable amount of the civil penalty.
22 H.B. 300 Texas Attorney General Enforcement In May 2011, OCR invited the 50 state attorneys for in person HIPAA training so that they may properly enforce HIPAA and HITECH in their respective state.
23 Texas H.B. 300 It comes down to $$$$ H.B. 300 TX Health & Safety Code § 181.154 Civil Penalties in Addition to Injunctive (May Not Exceed) $5,000 per violation per year negligently $25,000 per violation per year knowingly or intentionally $250,000 per violation per year financial gain
24 Texas H.B. 300 It comes down to $$$$ Civil penalties may not exceed $25K for violation(s) of authorization and notice requirements for disclosure of PHI if the disclosure was only made to another covered entity and was only for the purposes of treatment, payment, operations, or insurance, and the PHI was: –Encrypted or transmitted using encryption technology, –PHI recipient did not use or release PHI, and –At time of disclosure, the covered entity had developed, implemented, and maintained security policies, including education and training of employees responsible for PHI security.
25 Texas H.B. 300 It comes down to $$$$ If court finds violations occurred enough times to constitute a pattern, a fine not to exceed $1.5 million may be assessed. In determining the penalty amount, the court should consider: –Seriousness of the violation, –Covered entity's compliance history and effort to correct the violation, –If the violation poses a significant risk of financial, reputational, or other harm to individual, –The required amount to deter future violations, and –If the covered entity was THSA certified at time of the violation.
26 Texas H.B. 300 Training H.B. 300 TX Health & Safety Code § 181.101 Training Requirements Covered Entities are required to train employees on state and federal laws as they related to: –The CE in its particular course of business –The employee’s scope of employment 60 day Requirement Must provide for Training at least once every 2 years Employees must attest to being trained H.B. 300 Action Item Update your policy and procedures
Texas H.B. 300 Access H.B. 300 TX Health & Safety Code § 181.102 Access Requirements Electronic Health Records System Provide record electronically within 15 days of written request H.B. 300 Action Item Update your policy and procedures
28 Texas H.B. 300 Sale of PHI H.B. 300 TX Health & Safety Code § 181.153 Sale of PHI Covered entities may not disclose PHI in exchange for direct or indirect remuneration, unless the disclosure is for treatment, payment, health care operations, or insurance. The remuneration the covered entity receives may not exceed the covered entity's reasonable costs for preparing or transmitting the PHI. NPRM: Provides that CE disclose in NPP
Texas H.B. 300 Sale of PHI H.B. 300 TX Health & Safety Code § 181.153 (b) If a covered entity uses or discloses protected health information to send a written marketing communication through the mail, the communication must be sent in an envelope showing only the names and addresses of sender and recipient and must: 1. state the name and toll-free number of the entity sending the marketing communication; and 2. explain the recipient’s right to have the recipient’s name removed from the sender’s mailing list. (c) A person who receives a request under subsection (b)(2) to remove a person’s name from a mailing list shall remove the person’s name not later than the 45 th day after the date the person receives the request. 29
Texas H.B. 300 Sale of PHI This is complicated—Don’t try to figure it out on your own. EVEN THE FEDS DON’T KNOW HOW TO DEFINE TREATMENT H.B. 300 Action Item Update policy and procedures. Texas law stricter. Need to be on look out for NPRM NPP statement
31 Texas H.B. 300 Notice and Authorization TX Health & Safety Code § 181.154 Notice and Authorization Required for Electronic Disclosure of PHI CE must Post Notice: –Written notice in covered entity's place of business, –Notice on covered entity's website, or –Notice in any other place where individuals are likely to see the notice. Obtain Authorization: Even if the above notice is posted, CE may not electronically disclose an individual’s PHI without the individual’s authorization. –EXCEPTION: Disclosure is to another CE for the purpose of treatment, payment, operations, or insurance.
Texas H.B. 300 Notice and Authorization TX Health & Safety Code § 181.154 Notice and Authorization Required for Electronic Disclosure of PHI H.B. 300 Action Items –Update policy and procedures –Update HIPAA authorization form to take electronic disclosure into consideration –Post Notice (either in office or NPP) 32
Texas H.B. 300 Breach H.B. 300 TX Business and Commerce Code § 521.002-521.053 Breach A person who conducts business in this state and owns or licenses computerized data that includes sensitive personal information must disclose any breach of system security. “Breach of system security" means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of sensitive personal information maintained by a person, including data that is encrypted if the person accessing the data has the key required to decrypt the data. Applies only if the individual whose sensitive personal information was or is reasonably believed to have been acquired by an unauthorized person is a resident of this state or another state that does not have notification laws. H.B. 300 Action Item Update policy and procedures-Texas law is different than HITECH 33
Sobering Thoughts Sec. 181.202. DISCIPLINARY ACTION In addition to the penalties prescribed by this chapter, a violation of this chapter by a covered entity that is licensed by an agency of this state is subject to investigation and disciplinary proceedings, including probation or suspension by the licensing agency. If there is evidence that the violations of this chapter are egregious and constitute a pattern or practice, the agency may: 1. Revoke the covered entity’s license; or 2. refer the covered entity’s case to the attorney general for the institution of an action for civil penalties under Section 181.201(b). 34
Sobering Thoughts Sec.181.203. EXCLUSION FROM STATE PROGRAMS In addition to the penalties prescribed by this chapter, a covered entity shall be excluded from participating in any state-funded health care program if a court finds the covered entity engaged in a pattern or practice of violating this chapter. 35
Texas H.B. 300 Business Associate Contracts Business Associate Contracts – Contract between a HIPAA covered entity and a HIPAA business associate. The contract protects personal health information (PHI) in accordance with HIPPA guidelines. Remember that Your Business Associates are considered a CE under Texas law H.B. 300 Action Items Need to Update BA –Provisions to prohibit the sale and marketing of PHI –Update Training provisions –Update Access provisions –Update breach provisions (HITECH and H.B. 300) –DON’T FORGET TO INDEMNIFY 36
37 Final Thoughts Change in Enforcement Landscape Update Policies and Procedures for HB 300 Changes –Training Policy –Notice of Privacy Practices –Authorization –Business Associate Contracts –Access Policy –Marketing –Breach Policy –Do Not Ignore Security Rules Train, Train, Train