Published by Christa Burnworth
HIPAA UPDATE
Georgia Hospital Association Compliance Officer Meeting
September 3-5, 2014
Gina G. Greenwood, J.D.
Baker, Donelson, Bearman, Caldwell & Berkowitz, PC
Monarch Plaza | 3414 Peachtree Road, N.E., Atlanta, Georgia
firstname.lastname@example.org
(404) 589-0009 office
(404) 909-0665 cell
www.bakerdonelson.com © 2014 Baker, Donelson, Bearman, Caldwell & Berkowitz, PC

Slide 2: OCR Enforcement Trends
OCR received 97,702 complaints between April 14, 2003 and May 31, 2014.
32,795 of those complaints have been investigated (over 57,000 were not eligible for OCR enforcement action).
Corrective action has been obtained in 22,613 cases (69%).
No violation was found in 10,182 cases (31%).
OCR settled 21 cases (reserved for serious cases).
Slide 3: OCR Enforcement Trends
Common Problem Areas Under OCR / Governmental Scrutiny:
− Failure to conduct adequate (or any) risk analysis
− Failure to have appropriate policies and procedures (e.g., portable devices)
− Unencrypted hardware: laptops, thumb drives, etc.
− Sending unencrypted emails containing PHI
− Sending emails to unsecure accounts (e.g., Gmail)
− Making ePHI accessible on the Internet
− Failing to properly dispose of PHI
Slide 4: Latest Threats
− Chinese hackers who hack for huge profit
− Identity theft
− Terrorism !!!
Ugh!!
Slide 5: Recent OCR Enforcement Actions
August 2014: Federal investigation is underway after Community Health Systems, a 206-hospital system, announced that hackers accessed data, including Social Security numbers, for approximately 4.5 million patients.
June 2014: $800,000 settlement with Parkview Health System, Inc. for allegations that Parkview employees left 71 cardboard boxes of patient medical records in the driveway of a retiring physician’s home.
− Primary Issue: Failure to appropriately and reasonably safeguard all protected health information, from acquisition through disposition.
Slide 6: Recent OCR Enforcement Actions
May 2014: $4.8 million settlement, the largest HIPAA settlement to date, with New York and Presbyterian Hospital and Columbia University for allegations that patient information on the institutions’ shared data network became accessible by internet search engines when a Columbia employee attempted to deactivate a server on the network.
− Primary Issues: Failure to conduct an accurate and thorough risk analysis and lack of technical safeguards.
April 2014: $1,725,220 settlement with Concentra Health Services and $250,000 settlement with QCA Health Plan, Inc., both for allegations that unencrypted laptops containing patient information were stolen. Concentra had previously identified lack of encryption as a major risk, but had failed to take sufficient corrective measures. QCA encrypted its devices following the breach, but had failed to comply with HIPAA’s requirements since the compliance date.
− Primary Issue: Failure to encrypt data on computer hardware.
Slide 7: Recent OCR Enforcement Actions
March 2014: $215,000 settlement with Skagit County, Washington after an investigation revealed that PHI of nearly 1,600 individuals was exposed when it was inadvertently moved to a publicly accessible server maintained by the County. The files included information related to testing and treatment of infectious diseases.
− Primary Issue: Failure to store data on a secure server.
December 2013: $150,000 settlement with Adult & Pediatric Dermatology, P.C. for not having policies and procedures in place to address the breach notification provisions of HITECH when an unencrypted thumb drive containing ePHI of 2,200 individuals was stolen from an employee’s car.
− Primary Issues: Failure to conduct an accurate and thorough risk analysis of security management policies and failure to have breach notification policies and procedures in place.
Slide 8: Recent OCR Enforcement Actions
August 2013: $1,215,780 settlement with Affinity Health Plan for failing to erase PHI of up to 344,579 individuals from photocopier hard drives when it returned the copiers to leasing agents.
− Primary Issues: Failure to incorporate the ePHI stored on copier hard drives into the required risk analysis and failure to properly clear electronic hard drives before returning them.
July 2013: $1.7 million settlement with WellPoint Inc. for a security weakness in an online application database during a systems upgrade that made ePHI of 612,402 individuals accessible online.
− Primary Issues: Failure to implement policies and procedures for authorizing access to the database, failure to perform an appropriate technical evaluation after a software upgrade, and failure to have safeguards in place to verify identities of users.
Slide 9: Recent OCR Enforcement Actions
June 2013: $275,000 settlement with Shasta Regional Medical Center after senior hospital leaders disclosed patient information to media outlets and the entire workforce without a valid authorization.
− Primary Issues: Disclosure of patient information without authorization and failure to sanction workforce members for such disclosure pursuant to the hospital’s internal sanction policy.
May 2013: $400,000 settlement with Idaho State University for disabling firewall protections at servers maintained by ISU, resulting in vulnerability of ePHI for approximately 17,500 patients for at least 10 months.
− Primary Issues: Failure to conduct a complete and adequate risk analysis of ISU clinics and failure to apply proper security measures to firewall protection, which could have detected the breach much sooner.
Slide 10: Interesting Non-Healthcare Industry Breach: Target in Numbers
December 2013: Big-box retailer Target spent $61,000,000 in the final months of 2013 and its CEO resigned, after a data breach exposed the personal data of approximately 110,000,000 customers who used their debit and credit cards at the store during the holiday season. Legal action is still ongoing.
− Thieves stole 40,000,000 credit and debit card numbers and other information about 70,000,000 customers.
− Target’s profits dropped 46% in the fourth quarter of 2013.
− The estimated cost to banks and credit unions for reissuing just half of the compromised cards has been $200,000,000.
− Target says it will spend $100,000,000 upgrading payment terminals to support Chip-and-PIN enabled cards.
− Between 1,000,000 and 3,000,000 cards were successfully sold on the black market and used for fraud. Thieves made over 50,000,000 in profit.
Slide 11: OCR Enforcement: General Advice
“As we say in healthcare, an ounce of prevention is worth a pound of cure.” - Former OCR Director Leon Rodriguez
− Conduct privacy and security audits proactively
− Thorough training programs
− Get insurance and carve HIE out if you can
− Assess and manage all risks under the written plan
− Maintain documentation that you reported the risk to your supervisor and Board
Slide 12: OCR Enforcement: General Advice
What to Do if You Think You May be Dealing with a Breach:
− DON’T ignore it. Get out in front of a potential HIPAA breach and manage it. Carefully document.
− DON’T wait 60 days to notify/report. The 60-day reporting deadline is too late. OCR often says 60 days is too long. Some laws relating to identity theft require much faster reporting.
− BUT, DO conduct a forensic audit. Where applicable and possible, make reasonably sure a breach occurred before reporting. Don’t report it if you can ethically disprove it!
Slide 13: OCR Enforcement: General Advice
Don’t Forget About State Requirements:
− State consumer protection and data breach notification laws often contain different disclosure requirements than federal.
− Beware of particularly onerous state laws. For example:
  Connecticut (*regulated by the Dept. of Insurance)
  Florida (*this law is new)
  California
  Texas
  Massachusetts
Slide 14: Business Associate Agreement Requirements
The deadline to revise Business Associate Agreements (“BAAs”) for compliance with the HIPAA – HITECH Omnibus Rule is September 23, 2014.
− In the January 2013 Omnibus Rule, OCR released new requirements for BAAs with a compliance date of September 23, 2013.
− The rule grandfathered BAAs already in place as of January 25, 2013 until the earlier of: their renewal or modification, if after September 23, 2013, or September 23, 2014.
Slide 15: HIPAA Amendment Regarding CLIA Laboratories
As of October 6, 2014 (compliance date), a patient’s right to access his or her medical records includes the right to request and receive laboratory test results directly from any laboratory that is a “covered entity” under HIPAA.
− This new rule removes the HIPAA access exemption for CLIA labs and CLIA exempt labs.
A “covered entity” laboratory must update its Notice of Privacy Practices to “inform individuals of their right to obtain reports directly from the laboratory, provide a brief description of how to exercise this right, and... remove any statements to the contrary.”
This amendment preempts Georgia law, stating test results to “be reported only to or as directed by the licensed physician, dentist, or other authorized person requesting such test.” (O.C.G.A. § 31-22-4(c))
Slide 16: MU Audits and Electronic Health Information Incentives
Meaningful Use post- and pre-payment audits are underway.
Example Meaningful Use Stage 2 Objective:
− “Protect electronic health information created or maintained by the certified EHR technology (CEHRT) through the implementation of appropriate technical capabilities.”
Accompanying Stage 2 Measure:
− “Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1), including addressing the encryption/security of data stored in CEHRT in accordance with requirements under 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3), and implement security updates as necessary and correct identified security deficiencies as part of the provider's risk management process for EPs.”
Slide 17: State Privacy and Data Laws: Florida
Florida Information Protection Act of 2014, effective July 1, 2014
Applies to all businesses possessing Floridians’ personal information
Replaces Florida’s existing data breach law
− Shortens the breach notification deadline from 45 to 30 days
− Requires businesses to notify the Florida Department of Legal Affairs of breaches affecting 500 or more individuals in Florida
− Requires notice to individuals, but notice in accordance with rules of the business’s primary federal regulating agency satisfies the requirement
Requires businesses to take reasonable steps to dispose of consumer records in any form that contain personal information when those records are “no longer to be retained.”
− No specific length of time for retention is mandated
− Destruction means “shredding, erasing, or otherwise modifying the personal information in the records to make it unreadable or undecipherable.”
Slide 19: 42 C.F.R. Part 2 Data
IMPOSSIBLE TO DEAL WITH
− Do you know how you could get pulled into this law?
− Have you assessed risks???
− Payer disclosure issues
− Consent needed
− Re-disclosure notices
DO YOU HAVE A PART 2 POLICY???
Slide 20: Health Information Exchanges
When linking data to another Health Information Exchange, consider:
− Whether the Notice of Privacy Practices informs patients of the relationship with the Health Information Exchange
− What indemnification provisions and procedures are in place
− Whether your EHR / Health Information Exchange should be set up as a separate and distinct legal entity
− Who will have access to data and procedures for protection of sensitive data
Slide 21: OCR Audits Are Here!!
OCR is responsible for enforcing the HIPAA Privacy, Security, and Breach Notification Rules.
The HITECH Act requires DHHS to perform periodic audits of covered entity and business associate compliance with the HIPAA Privacy, Security, and Breach Notification Rules.
− Audited CEs
− Supposedly auditing BAs in 2014
Slide 22: OCR Audits
The OCR HIPAA Audit Program:
− Processes
− Controls
− Policies
The Audit Focuses On:
− The seven fundamental practices of the Privacy Rule
− The administrative, physical, and technical safeguards of the Security Rule
− The requirements of the Breach Notification Rule
Slide 23: OCR Audits
Areas of Review:
− Risk assessment (last three years, but OCR breach investigations are going back 6 plus years)
− Workforce training
− Access control – user activity monitoring
− Workstation security
− Business Associate contracts
− Minimum necessary
− Patient access to records
− Authorizations
Slide 24: Preparing For and Responding to Audit / Investigation
CE / BA should --
− Ensure that its risk assessment and risk management plan and privacy, security and breach notification policies/procedures/audit plans are up to date; retain old versions
− Perform self-assessments of compliance program using the OCR Audit Protocols and NIST security risk tool
− Create a file/binder with all key documents needed for response
− Train workforces annually and after breaches
− Conduct mock interviews of workforce to ensure appropriate knowledge and preparedness
Slide 25: Gina Ginn Greenwood, J.D.
(404) 589-0009 office
email@example.com
Gina Greenwood practices from the Atlanta/Macon offices of Baker Donelson and concentrates her practice on a wide range of matters, including cyber liability and identity theft; HIPAA Privacy and Security Rule compliance and breach notification; IT and certified EHR implementation; meaningful use; fraud and abuse (Stark Law, Anti-Kickback Statute, and FCA) compliance and investigations; EMTALA compliance, CMS and State licensure survey plans of correction responses and hearings; Joint Commission training and compliance; self reporting; risk management strategies; peer review; corporate health care transactions; contract drafting and general business advice; and many other regulatory matters pertinent to all types of health care entities and companies.
Gina has authored numerous health care materials and is a frequent speaker for Georgia Hospital Association and professional compliance organizations on fraud and abuse, HIPAA compliance, breaches & EMTALA compliance. Gina was recognized by Chambers USA as a leading health care lawyer in America (2011 and 2012). Voted Georgia Trend Legal Elite in Healthcare. Served as 2014 expert witness on EMTALA and mental health to US Congressional Committee in Washington, DC.