Presentation is loading. Please wait.

Presentation is loading. Please wait.

HIPAA in a Post-HITECH World

Similar presentations

Presentation on theme: "HIPAA in a Post-HITECH World"— Presentation transcript:

1 HIPAA in a Post-HITECH World
Stephen L. Page RegionalCare Hospital Partners (615) Elizabeth Warren Bass Berry Sims PLC (615)


3 2014 HIPAA TOPICS Overview of HIPAA Basics
Liability Risks with Business Associates OCR Enforcement 2014 OCR 2014 Guidance HIPAA Audits Data Breaches New Frontiers (and some old ones)

4 HIPAA 101 HIPAA refers to the Health Insurance Portability and Accountability Act of 1996 HIPAA prohibits the unauthorized use or disclosure of protected health information unless an exception applies HIPAA impacts covered entities and business associates of covered entities HITECH Act of 2009 revised certain parts of HIPAA

5 HIPAA 101 - What is PHI? Individually identifiable information
Relating to condition, treatment, or payment Created or received by a provider, plan, employer, or clearinghouse Transmitted or stored electronically or in any other form

6 HIPAA 101 - Who is covered by HIPAA?
Covered Entities (CEs) Health Plans (including group health plans) Clearinghouses Providers Business Associates of Covered Entities (BAs) Including law firms that handle PHI for clients who are CEs or BAs

7 HIPAA 101 – Uses and Disclosures
The Privacy Rule defines and limits how an individual’s PHI may be used or disclosed by CEs The CE may not use or disclose PHI except: as the Privacy Rule permits or requires (without an authorization), OR as authorized in writing by the individual who is subject of the information

8 HIPAA 101 – HIPAA Authorizations
A HIPAA authorization is a specific type of written permission Must contain a number of mandatory elements (who, what, why, etc.) A “2 sentence” type permission is not compliant May not be combined with other types of permission (with very narrow exceptions such as for research)

9 HIPAA 101 – HIPAA Patient Rights
Access Amendment Accounting of certain disclosures Privacy notice Restrictions and confidential communications Complaints

10 HIPAA 101 – Additional Requirements:
Minimum necessary Safeguards (all PHI) Business associate agreements Privacy officer Policies and procedures Training

11 Liability Risks with Business Associates
HITECH: increased risk of being held liable for BA acts Actions of business associate vendors can create breach notification obligations for covered entities Client view may be: “we didn’t cause this so, not our problem.” Wrong response OCR view: “no get out of jail free card for covered entity.”

12 Liability Risks with Business Associates
How to prevent/mitigate issues with BA compliance? Consider indemnification clauses Consider reviewing key BA security safeguards—but watch out for risks Confirm policies address process for providing access to BAs      

13 Liability Risks with Business Associates
Risks for BA oversight: If you know about issues and don’t address them . . . Be careful what you ask for and how wide of a net you cast Will your oversight trigger the BA being viewed as an agent?

14 Enforcement Since April 2003, HHS has received over 99,957 HIPAA complaints OCR has resolved 96% of complaints received (over 96,741 cases) OCR found violations of HIPAA in over 22,927 cases OCR found no violation in 10,390 cases OCR found 63,424 cases that were not eligible for enforcement

15 Enforcement Jail time for HIPAA criminal violations: still happening
-10/2013 nursing assistant in Florida sentenced to 3 years for stealing and selling patient records First penalty for failure to have breach notification policies: $150,000 penalty imposed on dermatology practice (involved stolen unencrypted thumb drive)

16 Enforcement Don’t leave PHI on the curb:$800,000 Settlement for 2009 conduct (Parkview; June 2014) Don’t post PHI on the internet: $4.8 Million record settlement (NY Presby/Columbia; May 2014) Do encrypt laptops -$1,725,220 (Concentra; April 2014) -$250,000 (QCA; April 2014)

17 Enforcement: Lawsuits
West Virginia case allowed to proceed based on state law Many class actions based on breaches still dismissed FCRA claims?

18 Enforcement: Lessons Learned or Not
Hard to predict amount of penalties or when conduct gets penalized Enforcement actions may take years Increasing pressure to allow private causes of action Criminal penalties may help with internal training Sources of complaints/investigations broadening -unions -covered entity in response to BA breach notice -payers

19 New OCR Guidance Guidance on lawfully married same sex spouses
Sharing Information related to Mental Health Security Risk Assessment tool released

20 On the Horizon: New Audits
Audits of some 350 healthcare providers and another 50 of their business associates will likely start in early 2015; they were originally set to begin in October 2014 Per OCR, will ask audited CEs for list of BAs and draw from that pool for the 50 audited BAs Per OCR, will be tied to enforcement

21 Breach Notification Standard
Presumption of breach applies to any non-permissible use or disclosure Risk assessment using at least 4 factors Nature and extent of PHI Who received? Accessed or not? Mitigated? Little guidance on how to apply these 4 factors

22 Data Breach

23 Data Breaches OCR investigated since September 2009:
Breach involving greater than 500 individuals -1,176 incidents Breaches involving fewer than 500 individuals-122,000 incidents 60% of data breaches could have been prevented if Covered Entities or Business Associates had encrypted data

24 Recent Notable Data Breaches and Issues
CHS -new concern: hacking Concentra (laptops) Identity theft a real risk (not just dealing with mistakes but with deliberate acts) HR issues often result in breaches The “social media defense” breach risk

25 State Law Privacy Risks
State law risks California: 5 day standard; AG has brought lawsuits-Alere case Florida: new, stricter breach notification law (30 days timing requirement) Massachusetts: not limited to enforcing within its borders (RI case)

26 New Frontiers False Claims Liability
Medicare Number certifications relating to Business Associate Agreements Meaningful Use Certifications FDA Issues Cybersecurity Guidelines for Medical Devices FTC enforcement

27 New Frontiers HIPAA as barrier to technology innovation
The remote use documentation on HHS’s website pre-dates Apple’s iPhone rollout (last updated in December 2006) It does not include information on any new Apple iOS or Android phones or tablets, making it challenging for developers that want to ensure their apps meet HIPAA regulations

28 Old Frontiers BAA templates still lacking for many Covered Entities
Still battles of the forms Still working to get BAAs in place where needed Some CEs still lack comprehensive HIPAA policies or awareness BAs often are still behind the curve

29 Questions?

Download ppt "HIPAA in a Post-HITECH World"

Similar presentations

Ads by Google