Presentation is loading. Please wait.

Presentation is loading. Please wait.

HIPAA UPDATE Georgia Hospital Association Compliance Officer Meeting September 3-5, 2014 Gina G. Greenwood, J.D. Baker, Donelson, Bearman, Caldwell & Berkowitz,

Similar presentations


Presentation on theme: "HIPAA UPDATE Georgia Hospital Association Compliance Officer Meeting September 3-5, 2014 Gina G. Greenwood, J.D. Baker, Donelson, Bearman, Caldwell & Berkowitz,"— Presentation transcript:

1 HIPAA UPDATE Georgia Hospital Association Compliance Officer Meeting September 3-5, 2014 Gina G. Greenwood, J.D. Baker, Donelson, Bearman, Caldwell & Berkowitz, PC Monarch Plaza | 3414 Peachtree Road, N.E. Atlanta, Georgia ggreenwood@bakerdonelson.com (404) 589-0009 office (404) 909-0665 cell

2 2 www.bakerdonelson.com © 2014 Baker, Donelson, Bearman, Caldwell & Berkowitz, PC OCR Enforcement Trends OCR received 97,702 complaints between April 14, 2003 and May 31, 2014. 32,795 of those complaints have been investigated (over 57,000 were not eligible for OCR enforcement action). Corrective action has been obtained in 22,613 cases (69%). No violation was found in 10,182 cases (31%). OCR settled 21 cases (reserved for serious cases).

3 3 www.bakerdonelson.com © 2014 Baker, Donelson, Bearman, Caldwell & Berkowitz, PC OCR Enforcement Trends Common Problem Areas Under OCR / Governmental Scrutiny: − Failure to conduct adequate (or any) risk analysis − Failure to have appropriate policies and procedures (e.g., portable devices) − Unencrypted hardware: laptops, thumb drives, etc. − Sending unencrypted emails containing PHI − Sending emails to unsecure accounts (e.g., Gmail) − Making ePHI accessible on the Internet − Failing to properly dispose of PHI

4 4 www.bakerdonelson.com © 2014 Baker, Donelson, Bearman, Caldwell & Berkowitz, PC Latest Threats Chinese hackers who hack for huge profit Identify theft Terrorism !!! Ugh!!

5 5 www.bakerdonelson.com © 2014 Baker, Donelson, Bearman, Caldwell & Berkowitz, PC Recent OCR Enforcement Actions August 2014: Federal investigation is underway after Community Health Systems, a 206-hospital system, announced that hackers accessed data, including Social Security numbers, for approximately 4.5 million patients. June 2014: $800,000 settlement with Parkview Health System, Inc. for allegations that Parkview employees left 71 cardboard boxes of patient medical records in the driveway of a retiring physician’s home. − Primary Issue: Failure to appropriately and reasonably safeguard all protected health information, from acquisition through disposition.

6 6 www.bakerdonelson.com © 2014 Baker, Donelson, Bearman, Caldwell & Berkowitz, PC Recent OCR Enforcement Actions May 2014: $4.8 million settlement, the largest HIPAA settlement to date, with New York and Presbyterian Hospital and Columbia University for allegations that patient information on the institutions’ shared data network became accessible by internet search engines when a Columbia employee attempted to deactivate a server on the network. − Primary Issues: Failure to conduct an accurate and thorough risk analysis and lack of technical safeguards. April 2014: $1,725,220 settlement with Concentra Health Services and $250,000 settlement with QCA Health Plan, Inc., both for allegations that unencrypted laptops containing patient information were stolen. Concentra had previously identified lack of encryption as a major risk, but had failed to take sufficient corrective measures. QCA encrypted its devices following the breach, but had failed to comply with HIPAA’s requirements since the compliance date. − Primary Issue: Failure to encrypt data on computer hardware.

7 7 www.bakerdonelson.com © 2014 Baker, Donelson, Bearman, Caldwell & Berkowitz, PC Recent OCR Enforcement Actions March 2014: $215,000 settlement with Skagit County, Washington after an investigation revealed that PHI of nearly 1,600 individuals was exposed when it was inadvertently moved to a publicly accessible server maintained by the County. The files included information related to testing and treatment of infectious diseases. − Primary Issue: Failure to store data on a secure server. December 2013: $150,000 settlement with Adult & Pediatric Dermatology, P.C. for not having policies and procedures in place to address the breach notification provisions of HITECH when an unencrypted thumb drive containing ePHI of 2,200 individuals was stolen from an employee’s car. − Primary Issues: Failure to conduct an accurate and thorough risk analysis of security management policies and failure to have breach notification policies and procedures in place.

8 8 www.bakerdonelson.com © 2014 Baker, Donelson, Bearman, Caldwell & Berkowitz, PC Recent OCR Enforcement Actions August 2013: $1,215,780 settlement with Affinity Health Plan for failing to erase PHI of up to 344,579 individuals from photocopier hard drives when it returned the copiers to leasing agents. − Primary Issues: Failure to incorporate the ePHI stored on copier hard drives into the required risk analysis and failure to properly clear electronic hard drives before returning them. July 2013: $1.7 million settlement with WellPoint Inc. for a security weakness in an online application database during a systems upgrade that made ePHI of 612,402 individuals accessible online. − Primary Issues: Failure to implement policies and procedures for authorizing access to the database, failure to perform an appropriate technical evaluation after a software upgrade, and failure to have safeguards in place to verify identities of users.

9 9 www.bakerdonelson.com © 2014 Baker, Donelson, Bearman, Caldwell & Berkowitz, PC Recent OCR Enforcement Actions June 2013: $275,000 settlement with Shasta Regional Medical Center after senior hospitals leaders disclosed patient information to media outlets and the entire workforce without a valid authorization. − Primary Issues: Disclosure of patient information without authorization and failure to sanction workforce members for such disclosure pursuant to the hospital’s internal sanction policy. May 2013: $400,000 settlement with Idaho State University for disabling of firewall protections at servers maintained by ISU resulting in vulnerability of ePHI for approximately 17,500 patients for at least 10 months. − Primary Issues: Failure to conduct a complete and adequate risk analysis of ISU clinics and failure to apply proper security measures to firewall protection, which could have detected the breach much sooner.

10 10 www.bakerdonelson.com © 2014 Baker, Donelson, Bearman, Caldwell & Berkowitz, PC Interesting Non–Healthcare Industry Breach: Target in Numbers December 2013: Big-box retailer Target spent $61,000,000 in the final months of 2013 and its CEO resigned, after a data breach exposed the personal data of approximately 110,000,000 customers who used their debit and credit cards at the store during the holiday season. Legal action is still ongoing. − Thieves stole 40,000,000 credit and debit card numbers and other information about 70,000,000 customers. − Target’s profits dropped 46% in the fourth quarter of 2013. − The estimated cost to banks and credit unions for reissuing just half of the compromised cards has been $200,000,000. − Target says it will spend $100,000,000 upgrading payment terminals to support Chip-and-PIN enabled cards. − Between 1,000,000 and 3,000,000 cards were successfully sold on the black market and used for fraud. Thieves made over 50,000,000 in profit.

11 11 www.bakerdonelson.com © 2014 Baker, Donelson, Bearman, Caldwell & Berkowitz, PC OCR Enforcement: General Advice “As we say in healthcare, an ounce of prevention is worth a pound of cure.” - Former OCR Director Leon Rodriguez Conduct privacy and security audits proactively Thorough training programs Get insurance and carve HIE out if can Assess and manage all risks under the written plan Maintain documentation that you reported the risk to your supervisor and Board

12 12 www.bakerdonelson.com © 2014 Baker, Donelson, Bearman, Caldwell & Berkowitz, PC OCR Enforcement: General Advice What to Do if You Think You May be Dealing with a Breach:  DON’T ignore it. Get out in front of a potential HIPAA breach and manage it. Carefully document.  DON’T wait 60 days to notify/report. The 60-day reporting deadline is is too late. OCR often says 60 days is too long. Some laws relating to identify theft require much faster reporting.  BUT, DO conduct a forensic audit. Where applicable and possible, make reasonably sure a breach occurred before reporting. Don’t report it if you can ethically disprove it!

13 13 www.bakerdonelson.com © 2014 Baker, Donelson, Bearman, Caldwell & Berkowitz, PC OCR Enforcement: General Advice Don’t Forget About State Requirements: − State consumer protection and data breach notification laws often contain different disclosure requirements than federal. − Beware of particularly onerous state laws. For example:  Connecticut (*regulated by the Dept. of Insurance)  Florida (*this law is new)  California  Texas  Massachusetts

14 14 www.bakerdonelson.com © 2014 Baker, Donelson, Bearman, Caldwell & Berkowitz, PC Business Associate Agreement Requirements The deadline to revise Business Associate Agreements (“BAAs”) for compliance with the HIPAA – HITECH Omnibus Rule is September 23, 2014. − In the January 2013 Omnibus Rule, OCR released new requirements for BAAs with a compliance date of September 23, 2013. − The rule grandfathered BAAs already in place as of January 25, 2013 until the earlier of:  Their renewal or modification, if after September 23, 2013, or  September 23, 2014.

15 15 www.bakerdonelson.com © 2014 Baker, Donelson, Bearman, Caldwell & Berkowitz, PC HIPAA Amendment Regarding CLIA Laboratories As of October 6, 2014 (compliance date), a patient’s right to access his or her medical records includes the right to request and receive laboratory test results directly from any laboratory that is a “covered entity” under HIPAA. − This new rule removes the HIPAA access exemption for CLIA labs and CLIA exempt labs. A “covered entity” laboratory must update its Notice of Privacy Practices to “inform individuals of their right to obtain reports directly from the laboratory, provide a brief description of how to exercise this right, and... remove any statements to the contrary.” This amendment preempts Georgia law, stating test results to “be reported only to or as directed by the licensed physician, dentist, or other authorized person requesting such test.” (O.C.G.A. § 31-22-4(c))

16 16 www.bakerdonelson.com © 2014 Baker, Donelson, Bearman, Caldwell & Berkowitz, PC MU Audits and Electronic Health Information Incentives Meaningful Use post- and pre-payment audits are underway. Example Meaningful Use Stage 2 Objective: − “Protect electronic health information created or maintained by the certified EHR technology (CEHRT) through the implementation of appropriate technical capabilities.” Accompanying Stage 2 Measure: − “Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1), including addressing the encryption/security of data stored in CEHRT in accordance with requirements under 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3), and implement security updates as necessary and correct identified security deficiencies as part of the provider's risk management process for EPs.”

17 17 www.bakerdonelson.com © 2014 Baker, Donelson, Bearman, Caldwell & Berkowitz, PC State Privacy and Data Laws: Florida Florida Information Protection Act of 2014, effective July 1, 2014 Applies to all businesses possessing Floridians’ personal information Replaces Florida’s existing data breach law − Shortens the breach notification deadline from 45 to 30 days − Requires businesses to notify the Florida Department of Legal Affairs of breaches affecting 500 or more individuals in Florida − Requires notice to individuals, but notice in accordance with rules of the business’s primary federal regulating agency satisfies the requirement Requires businesses to take reasonable steps to dispose of consumer records in any form that contain personal information when those records are “no longer to be retained.” − No specific length of time for retention is mandated − Destruction means “shredding, erasing, or otherwise modifying the personal information in the records to make it unreadable or undecipherable.”

18 18 www.bakerdonelson.com © 2014 Baker, Donelson, Bearman, Caldwell & Berkowitz, PC Patient Portals Launched Patient Portals are being launched -- − Policy and procedures for provisioning users ? − Disclaimers in place ? − Factored into risk assessment / management plan ? − Reviewed your Terms of Use ? − Trained staff who will be monitoring not to practice medicine without a license and how to risk manage ? − Service Agreement and BAA in place with vendor ?

19 19 www.bakerdonelson.com © 2014 Baker, Donelson, Bearman, Caldwell & Berkowitz, PC 42 C.F.R. Part 2 Data IMPOSSIBLE TO DEAL WITH Do you know how you could get pulled into this law? Have you assessed risks??? Payer disclosure issues Consent needed Re-disclosure notices DO YOU HAVE A PART 2 POLICY???

20 20 www.bakerdonelson.com © 2014 Baker, Donelson, Bearman, Caldwell & Berkowitz, PC Health Information Exchanges When linking data to other Health Information Exchange, consider: − Whether the Notice of Privacy Practices informs patients of the relationship with the Health Information Exchange − What indemnification provisions and procedures are in place − Whether your EHR / Health Information Exchange should be set up as a separate and distinct legal entity − Who will have access to data and procedures for protection of sensitive data

21 21 www.bakerdonelson.com © 2014 Baker, Donelson, Bearman, Caldwell & Berkowitz, PC OCR Audits Are Here!! OCR is responsible for enforcing the HIPAA Privacy, Security, and Breach Notification Rules The HITECH Act requires DHHS to perform periodic audits of covered entity and business associate compliance with the HIPAA Privacy, Security, and Breach Notification Rules − Audited CEs − Supposedly auditing BAs in 2014

22 22 www.bakerdonelson.com © 2014 Baker, Donelson, Bearman, Caldwell & Berkowitz, PC OCR Audits The OCR HIPAA Audit Program:  Processes  Controls  Policies The Audit Focuses On:  The seven fundamental practices of the Privacy Rule  The administrative, physical, and technical safeguards of the Security Rule  The requirements of the Breach Notification Rule

23 23 www.bakerdonelson.com © 2014 Baker, Donelson, Bearman, Caldwell & Berkowitz, PC OCR Audits Areas of Review:  Risk assessment (last three years but OCR breach investigations are going back 6 plus years)  Workforce training  Access control – user activity monitoring  Workstation security  Business Associate contracts  Minimum necessary  Patient access to records  Authorizations

24 24 www.bakerdonelson.com © 2014 Baker, Donelson, Bearman, Caldwell & Berkowitz, PC Preparing For and Responding to Audit / Investigation CE / BA should -- − Ensure that is risk assessment and risk management plan and privacy, security and breach notification policies/procedures/audit plans are up to date; retain old versions − Perform self-assessments of compliance program using the OCR Audit Protocols and NIST security risk tool − Create a file/binder with all key documents needed for response − Train workforces annually and after breaches − Conduct mock interviews of workforce to ensure appropriate knowledge and preparedness

25 25 www.bakerdonelson.com © 2014 Baker, Donelson, Bearman, Caldwell & Berkowitz, PC Gina Ginn Greenwood, J.D. (404) 589-0009 office ggreenwood@bakerdonelson.com Gina Greenwood practices from the Atlanta/Macon offices of Baker Donelson and concentrates her practice on a wide range of matters, including cyber liability and identity theft; HIPAA Privacy and Security Rule compliance and breach notification; IT and certified EHR implementation; meaningful use; fraud and abuse (Stark Law, Anti-Kickback Statute, and FCA) compliance and investigations; EMTALA compliance, CMS and State licensure survey plans of correction responses and hearings; Joint Commission training and compliance; self reporting; risk management strategies; peer review; corporate health care transactions; contract drafting and general business advice; and many other regulatory matters pertinent to all types of health care entities and companies. Gina has authored numerous health care materials and is a frequent speaker for Georgia Hospital Association and professional compliance organizations on fraud and abuse, HIPAA compliance, breaches & EMTALA compliance. Gina was recognized by Chambers USA as a leading health care lawyer in America (2011 and 2012). Voted Georgia Trend Legal Elite in Healthcare. Served as 2014 expert witness on EMTALA and mental health to US Congressional Committee in Washington, DC.


Download ppt "HIPAA UPDATE Georgia Hospital Association Compliance Officer Meeting September 3-5, 2014 Gina G. Greenwood, J.D. Baker, Donelson, Bearman, Caldwell & Berkowitz,"

Similar presentations


Ads by Google