Presentation is loading. Please wait.

Presentation is loading. Please wait.

Long-Term Care and the Law Analyzing and Minimizing HIPAA/HITECH Risks for Post-Acute Care Providers February 20, 2013 Diane Felix, Anthony Munns, Suzanne.

Similar presentations


Presentation on theme: "Long-Term Care and the Law Analyzing and Minimizing HIPAA/HITECH Risks for Post-Acute Care Providers February 20, 2013 Diane Felix, Anthony Munns, Suzanne."— Presentation transcript:

1 Long-Term Care and the Law Analyzing and Minimizing HIPAA/HITECH Risks for Post-Acute Care Providers February 20, 2013 Diane Felix, Anthony Munns, Suzanne Sheldon

2 Analyzing and Minimizing HIPAA/HITECH Risks for Post-Acute Providers – Felix/Munns/Sheldon Myth #1 – The government is only after the big guys and the huge breaches.

3 Analyzing and Minimizing HIPAA/HITECH Risks for Post-Acute Providers – Felix/Munns/Sheldon Reality: 1 stolen lap-top with unencrypted PHI of 441 hospice patients = $50,000 penalty 5-physician cardiothoracic practice sending unencrypted PHI via emails + using publicly-accessible appointment calendar = $100,000 penalty 41-bed hospital with 1 stolen lap-top with unencrypted PHI = $1,500,000 penalty

4 Analyzing and Minimizing HIPAA/HITECH Risks for Post-Acute Providers – Felix/Munns/Sheldon Myth #2 – We don’t have an EMR system, so we don’t need to worry about ePHI security.

5 Analyzing and Minimizing HIPAA/HITECH Risks for Post-Acute Providers – Felix/Munns/Sheldon Reality: If you have PHI on laptops or other portable devices, or staff texting or emailing information that includes PHI, then security requirements are an issue for you.

6 Analyzing and Minimizing HIPAA/HITECH Risks for Post-Acute Providers – Felix/Munns/Sheldon Myth #3 – Business Associate Agreements are just forms we need to get signed and have in our files to satisfy the government.

7 Analyzing and Minimizing HIPAA/HITECH Risks for Post-Acute Providers – Felix/Munns/Sheldon Reality: The terms of those agreements – or what’s not there – could cost you big time if there is a data breach.

8 Analyzing and Minimizing HIPAA/HITECH Risks for Post-Acute Providers – Felix/Munns/Sheldon Points to ponder: Size doesn’t matter. Loss or theft of laptop = likely OCR investigation. Failure to perform risk analysis + failure to implement policies and procedures + breach = likely big penalty. Encryption is a critical factor. Increased penalties under HIPAA Final Omnibus Rule have substantially increased your risks.

9 PRIVACY A Brief Overview Analyzing and Minimizing HIPAA/HITECH Risks for Post-Acute Providers – Felix/Munns/Sheldon

10 Key Concepts Covers protected health information (PHI) in any form Applies to covered entities (health care providers, health plans and health care clearinghouses) and business associates Patient rights Civil and criminal liabilities

11 Analyzing and Minimizing HIPAA/HITECH Risks for Post-Acute Providers – Felix/Munns/Sheldon Protected Health Information PHI: Individually identifiable health information (IIHI) that is: ▫Transmitted by electronic media; ▫Maintained in electronic media; or ▫Transmitted or maintained in any other form or medium

12 Analyzing and Minimizing HIPAA/HITECH Risks for Post-Acute Providers – Felix/Munns/Sheldon HIPAA Privacy Rule Requires Covered Entities (CEs) and Business Associates (BAs) to have safeguards in place to ensure the privacy of PHI Denotes under what circumstances a CE or BA may use or disclose PHI Gives individuals the right to examine, request a copy and make corrections to their PHI

13 Analyzing and Minimizing HIPAA/HITECH Risks for Post-Acute Providers – Felix/Munns/Sheldon HIPAA Basics - cont’d Minimum Necessary Rule: When using, disclosing or requesting PHI, CEs and BAs must make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure or request

14 Analyzing and Minimizing HIPAA/HITECH Risks for Post-Acute Providers – Felix/Munns/Sheldon USE and DISCLOSURE Required Disclosures ▫To the individual when requested ▫To HHS in matters relating to the investigation or determination of compliance with the Privacy Rule Permitted Disclosures ▫Individual (with some exceptions) ▫TPO (Treatment/Payment/Health Care Operations) ▫Opportunity to Agree or Object ▫Public Policy ▫Incidental (as long as comply with minimum necessary requirements and used reasonable safeguards) ▫Limited Data Set ▫Authorized

15 Analyzing and Minimizing HIPAA/HITECH Risks for Post-Acute Providers – Felix/Munns/Sheldon BREACH An impermissible use, acquisition or disclosure that compromises the security or privacy of the protected health information. Before HFOR, a breach was defined to “compromise security or privacy” only if it posed a “significant risk of financial, reputational, or other harm” to the individual.

16 Analyzing and Minimizing HIPAA/HITECH Risks for Post-Acute Providers – Felix/Munns/Sheldon BREACH FINAL RULE FINAL RULE: An impermissible use or disclosure of PHI is presumed to be a breach and notification is required unless the CE or BA demonstrates there is a low probability that the PHI was compromised. “Low probability” must be demonstrated and documented with a risk assessment. Burden of proof of “low probability” lies with the CE and/or BA, as appropriate.

17 Analyzing and Minimizing HIPAA/HITECH Risks for Post-Acute Providers – Felix/Munns/Sheldon BREACH RISK ASSESSMENT A risk assessment must include at least the following factors: ▫Nature and extent of the PHI involved, including types of identifiers and chance of re-identification ▫The unauthorized person who used the PHI or to whom the disclosure was made ▫Whether the PHI was actually acquired or viewed ▫The extent to which the risk to the PHI has been mitigated

18 Analyzing and Minimizing HIPAA/HITECH Risks for Post-Acute Providers – Felix/Munns/Sheldon BREACH RISK ASSESSMENT – cont’d HHS expects the risk assessments to be “thorough, completed in good faith and for the conclusions reached to be reasonable” A CE or BA may, at their discretion, provide notifications without performing the risk assessment HHS plans to provide additional guidance in the future for the handling of “frequently occurring” situations

19 Analyzing and Minimizing HIPAA/HITECH Risks for Post-Acute Providers – Felix/Munns/Sheldon BREACH NOTIFICATION RULE CEs must notify both the U.S. Department of Health & Human Services (HHS) + the affected individual of the loss, theft, or other impermissible use or disclosure of PHI Breaches that affect 500 or more individuals must be promptly reported to the media and HHS ▫Breaches that affect 500 or more are publicly reported on the HHS/Office of Civil Rights (OCR) website OCR has discretion to investigate even where there’s no willful neglect

20 Analyzing and Minimizing HIPAA/HITECH Risks for Post-Acute Providers – Felix/Munns/Sheldon BREACH NOTIFICATION REQUIREMENTS Individual Notice ▫In written form by first-class mail, or email if individual has agreed to receive communications electronically ▫Within 60 days of the discovery of the breach Media Notice ▫If breach affects >500 residents of a State or Jurisdiction ▫No later than 60 days Notice to the Secretary ▫Via the HHS web site  No later than 60 days if > 500  If < 500, may notify on an annual basis

21 Analyzing and Minimizing HIPAA/HITECH Risks for Post-Acute Providers – Felix/Munns/Sheldon TOP 5 ISSUES IN INVESTIGATED CASES 1.Impermissible uses and disclosures of protected health information 2.Lack of safeguards of protected health information 3.Lack of patient access to their protected health information 4.Uses or disclosures of more than the minimum necessary protected health information 5.Lack of administrative safeguards of electronic protected health information

22 Analyzing and Minimizing HIPAA/HITECH Risks for Post-Acute Providers – Felix/Munns/Sheldon Penalties – 4 Tiers 1.If CE/BA didn’t know of a violation, and wouldn’t have known by exercising due diligence = $100 - $50,000 per violation 2.If CE/BA knew, or with “reasonable diligence” would have known an act or omission violated requirement, but did not act with “willful negligence” = $1,000 - $50,000 per violation 3.If there was “conscious, intentional failure or reckless indifference to the obligation to comply with the provision violated,” but it was corrected = $10,000 - $50,000 per violation 4.If there was “conscious, intentional failure or reckless indifference to the obligation to comply with the provision violated,” and it was not corrected = $50,000 per violation

23 Analyzing and Minimizing HIPAA/HITECH Risks for Post-Acute Providers – Felix/Munns/Sheldon Factors In Penalty Amount HHS will determine penalty amounts on case-by-case basis and may consider factors such as: ▫Number and extent of violations, which may include # of individuals affected, and time period involved. ▫Nature and extent of harm resulting from violation, which may include whether violation caused physical or financial harm, harm to reputation, or hindered individual’s ability to obtain healthcare.

24 Analyzing and Minimizing HIPAA/HITECH Risks for Post-Acute Providers – Felix/Munns/Sheldon Penalty Amount – cont’d ▫CE/BA’s prior compliance, which may include whether:  Current violation is same or similar to previous “indications of noncompliance”  Correction of previous “indications of noncompliance”

25 Security Analyzing and Minimizing HIPAA/HITECH Risks for Post-Acute Providers – Felix/Munns/Sheldon

26 Basic Security Requirements Designate a security officer (can also be the privacy officer) Implement policy on workplace use and dissemination of PHI Implement policy on workstation use, procedures for storage and disposal of PHI Implement procedures for data backup and disaster recovery Develop and implement data access control procedures

27 Analyzing and Minimizing HIPAA/HITECH Risks for Post-Acute Providers – Felix/Munns/Sheldon Basic Security Requirements – cont’d Implement an audit trail for access to PHI Sign and amend contracts with business associates to protect the security of PHI Provide security awareness training to all designated personnel Implement technical security mechanisms to prevent unauthorized access Establish a reporting and response system for security violations

28 Analyzing and Minimizing HIPAA/HITECH Risks for Post-Acute Providers – Felix/Munns/Sheldon Security Rule Implementation Specifications Safeguards identified as either “Required” or “Addressable” ▫“Addressable” doesn’t = optional. Choices are:  Implement it,  Implement alternative measure(s) that accomplish purpose, OR  Don’t implement anything – but must have written documentation of factors considered and results of risk assessment.

29 Analyzing and Minimizing HIPAA/HITECH Risks for Post-Acute Providers – Felix/Munns/Sheldon Security Standards Matrix - examples StandardsSections Implementation Specifications (R) = Required, (A) = Addressable Administrative Safeguards Security Management Process164.308(a)(1) Risk Analysis (R) Risk Management (R) Sanction Policy (R) Information System Activity Review (R) Assigned Security Responsibility 164.308(a)(2)(R) Workforce Security164.308(a)(3 Authorization and/or Supervision (A) Workforce Clearance Procedure Termination Procedures (A) Information Access Management 164.308(a)(4) Isolating Healthcare Clearinghouse Function (R) Access Authorization (A) Access Establishment and Modification (A) Physical Safeguards Facility Access Controls164.310(a)(1) Contingency (A) Facility Security Plan (A) Access Control and Validation Procedures (A) Maintenance Records (A) Workstation Use164.310(b)(R) Workstation Security164.310(c)(R) Device and Media Controls164.310(d)(1) Disposal (R) Media Re-use (R) Accountability (A) Data Backup and Storage (A)

30 Analyzing and Minimizing HIPAA/HITECH Risks for Post-Acute Providers – Felix/Munns/Sheldon Factors to take into account in deciding which security measures to use Size, complexity, and capabilities of the Covered Entity or Business Associate; CE’s and BA’s technical infrastructure, hardware, and software security capabilities; Costs of security measures; Likelihood and impact of potential risks to ePHI; and Preamble to the Security Rule states: “Cost is not meant to free covered entities from this responsibility.”

31 Analyzing and Minimizing HIPAA/HITECH Risks for Post-Acute Providers – Felix/Munns/Sheldon Is Encryption Required? No, but... Encrypted data is considered “secure” under HIPAA, and thus is exempted from breach notification requirements. Consider: ▫BitLocker – supplied with MS-Windows 7 and later ▫Use HTTPS or secure messaging systems ▫Use encrypted USB drives or block their use

32 Analyzing and Minimizing HIPAA/HITECH Risks for Post-Acute Providers – Felix/Munns/Sheldon Useful information Advanced Encryption Standard (AES) is a specification for the encryption of electronic data established by the U.S. National Institute of Standards and Technology (NIST) For more information about encryption, see NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices, National Institute of Standards and Technology, (Nov., 2007)

33 Analyzing and Minimizing HIPAA/HITECH Risks for Post-Acute Providers – Felix/Munns/Sheldon Risk Analysis Scope – potential risks and vulnerabilities to the confidentiality, availability and integrity of all e-PHI that an organization creates, receives, maintains, or transmits. Data Collection – identify where e-PHI is stored, received, maintained or transmitted. Identify & Document Potential Threats and Vulnerabilities. Assess Current Security Measures.

34 Analyzing and Minimizing HIPAA/HITECH Risks for Post-Acute Providers – Felix/Munns/Sheldon Risk Analysis Determine Likelihood of Threat Occurrence. Determine Potential Impact of Threat Occurrence. Determine the Level of Risk. Finalize Documentation. Periodic Review & Updates to the Risk Assessment.

35 Vendor Management Programs Analyzing and Minimizing HIPAA/HITECH Risks for Post-Acute Providers – Felix/Munns/Sheldon

36 Even before HFOR, there have been frequent reminders of how badly things can go wrong when CEs fail to do due diligence with vendors who have access to PHI, and when BA Agreements are inadequate – or missing altogether.

37 Analyzing and Minimizing HIPAA/HITECH Risks for Post-Acute Providers – Felix/Munns/Sheldon Four Massachusetts pathology practices were fined $110,000 for failing to have appropriate safeguards in place regarding PHI provided to a billing firm. A newspaper photographer for the Boston Globe found medical records at a recycling station after dropping off his own trash.

38 Analyzing and Minimizing HIPAA/HITECH Risks for Post-Acute Providers – Felix/Munns/Sheldon Kaiser Permanente gave patient medical records to a couple to store The couple’s document storage firm kept the records in a warehouse shared with a party rental business, and in a Ford Mustang. Kaiser’s lawsuit against the couple claimed that the couple left two computer hard drives in their garage with the door open. State and Federal agencies are investigating.

39 Analyzing and Minimizing HIPAA/HITECH Risks for Post-Acute Providers – Felix/Munns/Sheldon Costs of vendors behaving badly can be crippling Aside from the costs to an organization’s reputation, the costs of investigating, and the notification costs, there are the costs of mitigating the effects of a data breach. ▫For example, credit monitoring at $20 per month, per individual, means that if a stolen laptop with unencrypted data has PHI for only a 100 individuals, that’s still $24,000 for a year’s worth.

40 Analyzing and Minimizing HIPAA/HITECH Risks for Post-Acute Providers – Felix/Munns/Sheldon Changed obligations for BAs and independent contractors under HITECH and HFOR make adequate vendor management even more important. Business Associates are now directly responsible for compliance with HIPAA as modified by HITECH, and have direct responsibility for penalties. The definition of Business Associate has been expanded to cover: ▫Subcontractors of BAs. ▫Entities that create, receive, maintain, or transmit PHI in connection with services provided to a CE. The “primary” BA is required to obtain “satisfactory assurances” from subcontractors that the subcontractor will appropriately safeguard the PHI.

41 Analyzing and Minimizing HIPAA/HITECH Risks for Post-Acute Providers – Felix/Munns/Sheldon Examples of “Due Diligence” Questions to Consider Do you or the vendor have sufficient resources or insurance coverage to cover the costs that will be involved in responding to any breach? Does your BA Agreement make clear how quickly notification must be made to the CE of a suspected breach, to whom the notice must go, and what information must be provided?

42 Analyzing and Minimizing HIPAA/HITECH Risks for Post-Acute Providers – Felix/Munns/Sheldon Questions- cont’d Is the vendor’s access to and use and disclosure of PHI limited to the minimum necessary to accomplish the specific purpose? Is there any mechanism for monitoring compliance by the vendor with HIPAA/HITECH requirements? Have the responsibilities/liabilities of subcontractors been taken into consideration?

43 Preparing for OCR HIPAA Compliance Audits Analyzing and Minimizing HIPAA/HITECH Risks for Post-Acute Providers – Felix/Munns/Sheldon

44 The Security Rule details areas that require the following of CEs: ▫Policies ▫Procedures ▫Documentation (think audit trail) The first institution audited – Atlanta’s Piedmont Hospital – was presented with a list of 42 items that HHS wanted within 10 days.

45 Analyzing and Minimizing HIPAA/HITECH Risks for Post-Acute Providers – Felix/Munns/Sheldon Piedmont was asked for 24 specific policies and procedures, including: Establishing and terminating users' access to systems housing ePHI. Emergency access to electronic information systems. Inactive computer sessions (periods of inactivity). Recording and examining activity in information systems that contain or use ePHI.

46 Analyzing and Minimizing HIPAA/HITECH Risks for Post-Acute Providers – Felix/Munns/Sheldon Risk assessments and analyses of relevant information systems that house or process ePHI data. Employee violations (sanctions). Electronically transmitting ePHI. Preventing, detecting, containing and correcting security violations (incident reports). Regularly reviewing records of information system activity, such as audit logs, access reports and security incident tracking reports.

47 Analyzing and Minimizing HIPAA/HITECH Risks for Post-Acute Providers – Felix/Munns/Sheldon Section 13411 of the HITECH Act requires HHS to provide for periodic audits to ensure that covered entities and business associates are complying with the HIPAA Privacy and Security Rules and Breach Notification standards.

48 Analyzing and Minimizing HIPAA/HITECH Risks for Post-Acute Providers – Felix/Munns/Sheldon To implement this mandate, OCR piloted a program to perform 115 audits of covered entities to assess privacy and security compliance. KPMG was then retained to perform the audits. Audits conducted during the pilot phase began November 2011 and concluded in December 2012. So far, all the audits have been of Covered Entities.

49 Analyzing and Minimizing HIPAA/HITECH Risks for Post-Acute Providers – Felix/Munns/Sheldon The OCR HIPAA Audit program analyzes processes, controls, and policies of selected covered entities pursuant to the HITECH Act audit mandate. OCR established a comprehensive audit protocol that contains the requirements to be assessed through these performance audits. The entire audit protocol is organized around modules, representing separate elements of privacy, security, and breach notification. The combination of these multiple requirements may vary based on the type of covered entity selected for review.

50 Analyzing and Minimizing HIPAA/HITECH Risks for Post-Acute Providers – Felix/Munns/Sheldon The audit protocol covers: Privacy Rule requirements: ▫notice of privacy practices for PHI, ▫rights to request privacy protection for PHI, ▫access of individuals to PHI, ▫administrative requirements, ▫uses and disclosures of PHI, ▫amendment of PHI, and ▫accounting of disclosures. Security Rule requirements for administrative, physical, and technical safeguards. Requirements for the Breach Notification Rule.

51 Analyzing and Minimizing HIPAA/HITECH Risks for Post-Acute Providers – Felix/Munns/Sheldon There are 169 audit tests: Privacy has 81, Security 78 and Breach 10. So far the protocol has not been updated for the HIPAA Omnibus Rule.

52 Analyzing and Minimizing HIPAA/HITECH Risks for Post-Acute Providers – Felix/Munns/Sheldon Speakers’ Contact Information Diane E. Felix, J.D. - Partner Armstrong Teasdale LLP 7700 Forsyth Blvd., Suite 1800 St. Louis, MO 63105 (314) 342.8001 (314) 612.2243 (fax) dfelix@armstrongteasdale.com Anthony J. Munns, CISA, FBCS, CITP - Partner, Risk Services Brown Smith Wallace LLC 1050 N. Lindbergh Blvd. St. Louis, MO 63132 314.983.1297 Direct / 314.614.6582 Cell 314.983.1200 Main / 314.983.1300 Fax tmunns@bswllc.com Suzanne Sheldon, J.D. – Director of Risk Management and Corporate Compliance Lutheran Senior Services 1150 Hanley Industrial Ct. St. Louis, MO 63144 (314) 446.2577 (314) 446.2550 (fax) ssheldon@LSSLiving.org


Download ppt "Long-Term Care and the Law Analyzing and Minimizing HIPAA/HITECH Risks for Post-Acute Care Providers February 20, 2013 Diane Felix, Anthony Munns, Suzanne."

Similar presentations


Ads by Google