© 2014 Jonathan P. Tomes, EMR Legal, Veterans Press


1 GSOP 2014 Annual Meeting
HIPAA, HITECH, and Omnibus Rule: What You Need to Know to Avoid Liability
© 2014 Jonathan P. Tomes, EMR Legal, Veterans Press

2 Introduction & Overview of HIPAA and the HITECH Act
Timeline: HIPAA (1996); Privacy Rule; Security Rule; HITECH Act (2009); Omnibus Rule (2013)

3 Why Have “Administrative Simplification?”
Standardize the claims processes for efficiency and auditing.
Patient privacy concerns:
  People they know will use the information against them.
  People they don’t know will use the information against them (ID theft).
  Inaccurate information could result in adverse consequences.

4 The Sensitive Nature of Medical Information
Medical records contain a vast amount of personal information:
  Demographic information.
  Financial information.
  Medical information.
  Lifestyle information.

5 Concerns with Automated Records
Collect more information.
Obtain more sophisticated information.
Broader commercial use of collected information.
Computers make the information more useful.
Do computers really increase risks of breach of confidentiality?

6 So, We Have HIPAA!
Health information: any information, whether oral or recorded, in any form or medium, that is created or received by a health care provider, etc., and relates to:
  The past, present, or future physical or mental health or condition of an individual;
  The provision of health care to an individual; or
  The past, present, or future payment for the provision of health care to an individual.

7 Under HIPAA
Health care providers who maintain or transmit health information must maintain reasonable and appropriate administrative, technical, and physical safeguards:
  To ensure the integrity and confidentiality of the information.
  To protect against reasonably anticipated:
    Threats or hazards to the security or integrity of the information.
    Unauthorized uses or disclosures of the information.

8 Under HIPAA
Organizational commitment to privacy and security.
Ensure compliance by the organization’s officers and employees.

9 Criminal Enforcement of HIPAA

10 HIPAA’s Criminal Penalties
Knowingly obtains or discloses individually identifiable health information: $50,000 fine and imprisonment for one year.
Same done under false pretenses: $100,000 fine and imprisonment for five years.
With the intent to sell, transfer, or use the information for commercial advantage, personal gain, or malicious harm: maximum fine of $250,000 and/or up to 10 years in prison.

11 Who is liable?
Employees who obtain or disclose such information without authorization.
Certain directors, officers, and employees of [covered] entities may be liable for failing to be HIPAA compliant, thereby encouraging the perpetrator to commit the HIPAA crime or, at least, failing to prevent it.
Business Associates, i.e., companies you contract with to provide services like document shredding, data storage, and copy services, if they do not have adequate security protections.
The HITECH Act extended HIPAA’s criminal liability to employees and other individuals.

12 Civil Enforcement of HIPAA
On the Rise

13 OIG Audits/OCR Complaints
The HITECH Act requires DHHS to conduct periodic audits of both covered entities and business associates.
Approximately one-third of providers’ and insurers’ noncompliance problems stemmed from lack of awareness of requirements.
47 out of 61 health care providers audited haven’t done a satisfactory security risk analysis, either.
77,277 OCR complaints since enforcement began in April 2003.
Individuals whose PHI was the subject of an OCR enforcement action will get a percentage of any penalties.

14 Examples
Massachusetts Eye and Ear Infirmary: $1.5 million for theft of an unencrypted employee laptop.
Affinity Health Plan, Inc.: $1,215,780 for impermissibly disclosing PHI (returned copiers to a leasing agent without erasing the data on the copier hard drives).
Idaho State University: $400,000 for leaving a server firewall down.
Cignet Health: $4.3 million for denying patient access and obstructing the investigation.
WellPoint, Inc.: $1.7 million for not adequately implementing policies for authorizing access and for failing to have technical safeguards in place to verify the person or entity seeking access to electronic protected health information (“EPHI”) maintained in its application database.
Shasta Regional Medical Center: $275,000 for improper disclosure of PHI and failure to sanction workforce members for HIPAA violations.
MN AG v. Accretive Health, Inc.: $2.5 million (stolen, unencrypted laptop).

15 Increased Penalties under HITECH
$1,000 per violation for a violation due to “reasonable cause and not to willful neglect” (max $100,000).
$10,000 for each violation that was due to willful neglect and is corrected ($250,000 max).
$50,000 for each violation if the violation is not corrected properly (max $1.5 million per year).
These changes are immediately effective.

16 Security Rule

17 Five Categories of Security Requirements
General Rules.
Administrative Safeguards.
Physical Safeguards.
Technical Safeguards.
Documentation Requirement.
Each category has a number of standards, and most standards have a number of implementation specifications, either required or addressable.

18 1. General Provisions § 164.306(a)
Ensure confidentiality, integrity, and availability of electronic PHI (“EPHI”).
Protect against reasonably anticipated threats or hazards to the security or integrity of EPHI.
Protect against uses or disclosures not permitted by the Privacy Rule.
Ensure compliance by the workforce.
Applies to all EPHI regardless of format, and to internal and external communications.

19 Security Considerations
Size, complexity, and capabilities of your organization.
Your technical infrastructure, hardware, and software security capabilities.
Costs of security measures.
Probability and importance of potential risks to EPHI.

20 Standards
A covered entity must comply with all of the standards.
Implementation specifications tell how to meet the standard.
A covered entity must comply with all required implementation specifications.
Addressable specifications may or may not require the covered entity to follow them.

21 Addressable Specifications
The covered entity must assess whether each addressable specification is a reasonable and appropriate safeguard in its environment, with reference to its likely contribution to protecting EPHI; and
  Implement it if reasonable and appropriate, or, if implementing it is not reasonable or appropriate:
    Document why it would not be reasonable and appropriate to implement it; and
    Implement an equivalent alternative measure if reasonable and appropriate.

22 2. Administrative Safeguards § 164.308
Security management process.
Assigned security responsibility.
Workforce security.
Information access management.
Security awareness and training.
Security incident procedures.
Contingency plan.
Evaluation.
Business associate contracts and other arrangements.

23 Security Management Process
Implement policies and procedures to prevent, detect, contain, and correct security violations.
Implementation specifications:
  Risk analysis (required).
  Risk management (required). Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.
  Sanction policy (required). Apply appropriate sanctions to workforce members who fail to comply with security policies and procedures.
  Information system activity review (required). Implement procedures to regularly review records of system activity, such as audit logs, access reports, and security incident tracking reports.

24 Assigned Security Responsibility
Identify the security official who is responsible for the development and implementation of the policies and procedures required by the Security Rule.
No implementation specifications; that is, no particular credentials are required.

25 Workforce Security
Implement policies and procedures to ensure that all workforce members have appropriate access to EPHI and to prevent those who do not have access from obtaining access.
Implementation specifications:
  Authorization and/or supervision (addressable). Implement procedures for the authorization and/or supervision of workforce members who work with EPHI.
  Workforce clearance procedure (addressable). Implement procedures to determine whether the access of a workforce member is appropriate.
  Termination procedures (addressable). Implement procedures for terminating access to EPHI upon end of employment or end of need for access.

26 Information Access Management
Implement policies and procedures for authorizing access to EPHI.
Implementation specifications:
  Isolating health care clearinghouse functions (required). If a clearinghouse is a member of a larger organization, it must implement policies and procedures that protect EPHI from unauthorized access by the larger organization.
  Access authorization (addressable). Implement policies and procedures for granting access to EPHI, such as through access to a workstation, transaction, program, process, or other mechanism.
  Access establishment and modification (addressable). Implement policies and procedures, based on access authorization policies, that establish, document, review, and modify a user’s right of access.

27 Security Awareness and Training
Implement a security awareness and training program for all members of the workforce, including management.
Implementation specifications:
  Security reminders (addressable). Periodic security updates.
  Protection from malicious software (addressable). Procedures for guarding against, detecting, and reporting malicious software.
  Log-in monitoring (addressable). Procedures for monitoring log-in attempts and reporting discrepancies.
  Password management (addressable). Procedures for creating, changing, and safeguarding passwords.
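The “information system activity review” specification (slide 23) and the “log-in monitoring” specification (slide 27) both ask for a procedure that regularly examines log-in records and reports discrepancies. The following is an added example, not code from the presentation or from EMR Legal, showing what such a review can look like in practice: it parses constructed audit-log lines (the log format, user names, addresses and the 08:00 to 18:00 business-hours window are all assumptions) and reports two kinds of discrepancy, a burst of failed log-ins for one user from one source, and a successful log-in outside business hours.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit-log lines; the format is an assumption, not a real product's log.
SAMPLE_LOG = """\
2014-03-03T08:01:12 login user=jdoe src=10.0.5.21 result=success
2014-03-03T08:02:40 login user=asmith src=10.0.5.30 result=failure
2014-03-03T08:02:41 login user=asmith src=10.0.5.30 result=failure
2014-03-03T08:02:43 login user=asmith src=10.0.5.30 result=failure
2014-03-03T08:02:44 login user=asmith src=10.0.5.30 result=failure
2014-03-03T08:02:46 login user=asmith src=10.0.5.30 result=failure
2014-03-03T08:02:50 login user=asmith src=10.0.5.30 result=success
2014-03-03T11:15:03 login user=rjones src=10.0.5.44 result=failure
2014-03-03T23:40:09 login user=jdoe src=198.51.100.7 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)

# Assumed business hours for the "off-hours" check: 08:00 up to (not including) 18:00.
BUSINESS_START_HOUR = 8
BUSINESS_END_HOUR = 18


def parse_log(text):
    """Turn raw log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        event = m.groupdict()
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=1)):
    """Report each (user, src) pair with at least `threshold` failures inside `window`.

    A sliding window over the sorted failure timestamps finds the first window that
    reaches the threshold; one finding per pair is enough for a review report.
    """
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            failures[(e["user"], e["src"])].append(e["ts"])

    findings = []
    for (user, src), times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                findings.append({
                    "user": user,
                    "src": src,
                    "failures": end - start + 1,
                    "first": times[start],
                    "last": times[end],
                })
                break
    return findings


def off_hours_logins(events):
    """Report successful log-ins outside the assumed business-hours window."""
    return [
        e for e in events
        if e["result"] == "success"
        and not (BUSINESS_START_HOUR <= e["ts"].hour < BUSINESS_END_HOUR)
    ]


def review_report(text):
    """Run both checks over a log and return the discrepancies for the reviewer."""
    events = parse_log(text)
    return {
        "bursts": failed_login_bursts(events),
        "off_hours": off_hours_logins(events),
    }


if __name__ == "__main__":
    report = review_report(SAMPLE_LOG)
    for b in report["bursts"]:
        print(f"failed-login burst: user={b['user']} src={b['src']} "
              f"count={b['failures']} between {b['first']} and {b['last']}")
    for e in report["off_hours"]:
        print(f"off-hours log-in: user={e['user']} src={e['src']} at {e['ts']}")
```

The thresholds (five failures in one minute, the business-hours window) are the kind of parameter the risk analysis described later in the presentation should set for your own environment; what matters for the specification is that the review runs regularly, its output is kept, and discrepancies are followed up under the sanction policy and incident procedures.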

28 Security Incident Reporting
Implement policies and procedures to address security incidents.
Implementation specification: Response and reporting (required):
  Identify and respond to suspected or known security incidents.
  Mitigate, to the extent possible, harmful effects of security incidents known to the covered entity.
  Now must notify the subject of a breach of unsecured PHI if your risk analysis demonstrates a risk of harm from the breach; the compliance date was September 24, 2010.
  Document security incidents and their outcomes.

29 Security Incident: Secured PHI and Risk Assessment
The DHHS Interim Final Rule specifies encryption and destruction as the only “safe harbor” methods for making PHI secure.
Must perform a risk assessment and determine and document whether the breach has compromised PHI security or privacy, considering:
  The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification.
  The unauthorized person who used the PHI or to whom the disclosure was made.
  Whether the PHI was actually acquired or viewed.
  The extent to which the risk to the PHI has been mitigated.

30 Security Incident: Breach defined
The unauthorized acquisition, access, use, or disclosure of PHI that compromises the security, privacy, or integrity of PHI. The term does not include any unintentional acquisition, access, use, or disclosure by an employee or agent of the covered entity or business associate if it was done in good faith and within the scope of employment and if it was not further acquired, accessed, used, or disclosed by such employee or agent.

31 Security Incident Reporting
Breach involving 500 or more patients: must be immediately reported to DHHS, which will then post the name of the provider on its public website. If the patients reside in the same area, the breach must also be reported to the local media.
If fewer than 500 individuals: must still report all breaches to the Secretary of Health and Human Services, but the report may be in the form of a log on an annual basis.
Providers and health plans must comply with state security breach laws “to the extent that they exceed the new security breach notifications provisions of the [HITECH Act].”
Business associates must report a notice of a breach to the provider, including the identity of the patient(s).

32 Security Incident: Patient Notice
First-class mail to the individual or next of kin at the last known address or, if specified by the individual, by e-mail.
Substitute method if contact information is insufficient: a conspicuous posting (if 10+ affected) on the home page of the covered entity, or notice in major media in the geographic area where the individuals likely reside.
If urgency exists because of imminent misuse of PHI, may use telephone or other means of notice.
Content:
  Description of the information involved.
  Description of the investigation, loss mitigation, and future protection.
  Contact information for questions or additional information (toll-free number, e-mail address, website, or postal address).

33 Contingency Plan
Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence that damages systems that contain EPHI.
Implementation specifications:
  Data backup plan (required). Establish and implement procedures to create and maintain retrievable exact copies of EPHI.
  Disaster recovery plan (required). Establish (and implement as needed) procedures to restore any loss of data.
  Emergency mode operation plan (required). Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of EPHI while operating in emergency mode.
  Testing and revision procedures (addressable). Implement procedures for periodic testing and revision of contingency plans.
  Application and data criticality analysis (addressable).

34 Evaluation
Perform periodic technical and nontechnical evaluations that establish the extent to which an entity’s security policies and procedures meet the Security Rule’s requirements:
  based initially upon the standards implemented under this rule; and
  subsequently in response to environmental or operational changes affecting the security of EPHI.
No implementation specifications; that is, you determine how often to update your risk analysis.

35 Business Associates
A covered entity may permit a business associate to create, receive, maintain, or transmit EPHI on the covered entity’s behalf only if it obtains satisfactory assurances that the business associate will appropriately safeguard the information.
Business associates may also have business associates (subcontractors), which are subject to the same requirements.
Note that covered entities are not required to get business associate contracts in place with their business associates’ subcontractors.
Covered entities and business associates are liable for the acts of their business associate agents if they have control over performance of the service.

36 3. Physical Safeguards § 164.310
Facility access controls.
Workstation use.
Workstation security.
Device and media controls.

37 Facility Access Controls
Policies and procedures (P/P) to limit physical access to EPHI systems and the facilities in which they are housed, while ensuring that properly authorized access is allowed.
Implementation specifications:
  Contingency operations (addressable). P/P to support restoration of lost data under the disaster recovery/emergency mode operation plans.
  Facility security plan (addressable). P/P to safeguard the facility and equipment from unauthorized physical access.
  Access control and validation procedures (addressable). P/P to control and validate a person’s access to facilities based on the person’s role or function, including visitor control.
  Maintenance records (addressable). P/P to document repairs and modifications to the physical components of a facility that are related to security, such as hardware, walls, doors, and locks.

38 Workstation Use and Security
Workstation use: implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstations that can access EPHI. No implementation specifications, i.e., you determine how to do this.
Workstation security: implement physical safeguards for all workstations that access EPHI to restrict access to authorized users. No implementation specifications, i.e., you determine how to do this.

39 Device and Media Controls
Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain EPHI into and out of a facility, and the movement of EPHI within the facility.
Implementation specifications:
  Disposal (required). Implement policies and procedures to address the final disposition of EPHI and/or the hardware or electronic media on which it is stored. Affinity Health Plan, Inc., settled HIPAA violations for $1,215,780 (failure to wipe copy machines).

40 4. Technical Safeguards
Access control.
Audit controls.
Integrity.
Person or entity authentication.
Transmission security.

41 Access Control
P/P for electronic information systems that maintain EPHI to allow access only to those persons or software programs that have been granted access rights.
Implementation specifications:
  Unique user identification (required).
  Emergency access procedure (required). Establish (and implement as necessary) procedures for obtaining necessary EPHI during an emergency.
  Automatic logoff (addressable). P/P that terminate an electronic session after a predetermined time of inactivity.
  Encryption and decryption (addressable). Implement a mechanism to encrypt and decrypt EPHI.

42 Audit Controls, Integrity, Authentication
Audit controls: implement mechanisms that record and examine activity in information systems that contain or use electronic PHI.
Integrity: P/P to protect EPHI from improper alteration or destruction.
  Implementation specification: Mechanism to authenticate EPHI (addressable). Implement electronic mechanisms to corroborate that EPHI has not been altered or destroyed in an unauthorized manner.
Person/entity authentication: P/P to verify that each person or entity seeking access to EPHI is the one claimed.
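One concrete form of the “mechanism to authenticate EPHI” specification above is a keyed message authentication code stored alongside each record: anyone holding the key can later recompute the code and confirm the record is byte-for-byte what was sealed. The block below is an added example, not code from the presentation or from any product it mentions; the record contents, field names and the key are constructed for illustration, and in practice the key would come from the organization’s key-management arrangements rather than a constant in source code.

```python
import hashlib
import hmac
import json

# Constructed demonstration key; an assumption for this example only.
INTEGRITY_KEY = b"constructed-demo-key-not-for-production"


def canonical_bytes(record):
    """Serialize a record deterministically so that field order cannot change the tag."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal_record(record, key=INTEGRITY_KEY):
    """Attach an HMAC-SHA256 tag computed over the canonical form of the record."""
    tag = hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


def verify_record(sealed, key=INTEGRITY_KEY):
    """Return True only if the stored tag matches a freshly computed one.

    hmac.compare_digest is a constant-time comparison, so a mismatch does not leak
    how many leading characters of the tag were correct.
    """
    expected = hmac.new(key, canonical_bytes(sealed["record"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["tag"])


def audit_records(sealed_records, key=INTEGRITY_KEY):
    """Periodic integrity review: return the ids of records whose tags no longer verify."""
    return [s["record"]["record_id"] for s in sealed_records if not verify_record(s, key)]


# Constructed sample EPHI record (fictitious patient and values).
SAMPLE_RECORD = {
    "record_id": "R-1001",
    "patient_id": "P-4242",
    "encounter_date": "2014-03-03",
    "diagnosis_code": "J06.9",
    "note": "Routine visit.",
}


def demo():
    """Seal a record, then show that an unauthorized edit is detected."""
    sealed = seal_record(SAMPLE_RECORD)
    intact = verify_record(sealed)

    # Same content, different field order: canonicalization keeps the tag valid.
    reordered = {"record": dict(reversed(list(SAMPLE_RECORD.items()))), "tag": sealed["tag"]}
    reorder_ok = verify_record(reordered)

    # An edit made outside the application (here, a changed diagnosis) fails verification.
    tampered = {"record": dict(SAMPLE_RECORD, diagnosis_code="J18.9"), "tag": sealed["tag"]}
    tamper_detected = not verify_record(tampered)

    flagged = audit_records([sealed, tampered])
    return {
        "intact": intact,
        "reorder_ok": reorder_ok,
        "tamper_detected": tamper_detected,
        "flagged": flagged,
    }


if __name__ == "__main__":
    print(demo())
```

Two points matter for the specification rather than the cryptography: the tag only proves that nothing changed since sealing, so sealing must happen inside the controlled write path, and the periodic `audit_records` pass is what turns the mechanism into evidence that alteration or destruction would be detected, which is the corroboration the rule asks for.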

43 Transmission Security
Implement technical security measures to guard against unauthorized access to EPHI that is being transmitted over an electronic communications network.
Implementation specifications:
  Integrity controls (addressable). Implement security measures to ensure that EPHI is not improperly modified without detection until disposed of.
  Encryption (addressable). Implement a mechanism to encrypt EPHI whenever deemed appropriate.

44 5. P/P and Documentation Requirements
Must implement reasonable and appropriate written policies and procedures.
If changes are needed, document and implement them.
If an action, activity, or assessment is required by this Rule, maintain a written (may be electronic) record of it.
Implementation specifications:
  Time limit (required). Retain the documentation for six (6) years from the date of its creation or the date that it was last in effect, whichever is later.
  Availability (required). Make documentation available to those persons responsible for implementing the procedures to which the documentation pertains.
  Updates (required). Review documentation periodically and update it, as needed, in response to environmental or operational changes affecting the security of EPHI.

45 Privacy Rule

46 Privacy Update
Applies to all PHI, not just EPHI.
Applies to covered entities and business associates.
Don’t use or disclose except as the rule provides!
Under the modified regulations, covered entities may use protected information:
  With individual authorization (of course), and without authorization:
    For treatment, payment, and health care operations; or
    For specific public and public policy purposes; or
    When required by law.

47 HIPAA Gives Specific Rights
Some of these rights can be more comprehensive than existing state law. These rights include the following:
  Right of access (inspect and copy).
  Right to an accounting of nonroutine disclosures.
  Notice of information practices.
  Right to request restrictions on use and disclosure.
  Right to alternate communications.
  Right to request correction/amendment.

48 HITECH Changes Regarding Patient Rights
Right to request restriction is now a right to restrict if the disclosure is to a health plan for purposes of carrying out payment or health care operations (not treatment) and the PHI pertains solely to an item or service for which the provider has been paid in full. Example: Mental health client doesn’t want his PHI to go to his employer’s self-funded health plan and pays entire amount himself.

49 Administrative Requirements
Covered entities must do the following:
  Have a Privacy Officer.
  Develop a privacy training program.
  Implement safeguards to protect health information from misuse.
  Establish a complaint system.
  Develop a sanction system.

50 Privacy Rule Problem Areas
Right of access. Communications with family members. Overreaction to perceived potential breaches.

51 Do You Provide Patients/Clients Their Right of Access?
Probably the right that is most likely to generate a complaint to DHHS. Too many complaints, and . . .
Failure to provide copies to patients cost Cignet $4.3 million in fines!

52 Right to Inspect and Copy PHI
The Notice of Privacy Practices must inform the individual of this right and the procedures for exercising it.
A covered entity may charge a reasonable cost-based fee for copies.

53 Can You Ever Deny Access?
A covered entity may deny access to an individual if:
  the information was obtained from someone other than a health care provider under a promise of confidentiality and the access would be reasonably likely to reveal the source of the information; or
  a licensed health care professional has determined that the access is reasonably likely to endanger the life or physical safety of the individual or another person.
Denials of access require the covered entity to permit the person to obtain review of the decision to deny access. 45 C.F.R. §

54 Disclosures to Family Members
May disclose PHI to family members involved in the patient’s care and for notification purposes under § (b) unless the patient objects.
Not only family members, but also other relatives or close personal friends.
May disclose PHI that is directly relevant to that care or payment for that care.
May also disclose to notify such persons of the patient’s location, condition, or death.
Emphasize this practice in your Notice of Privacy Practices.
Under the Omnibus Rule, may communicate with family members after the patient’s death.

55 Overreaction to Perceived Potential Breaches
Have you heard?
  You can’t call out patient names in the waiting room.
  You can’t place a chart in the box outside the doctor’s office.
  All containing PHI must be encrypted.
  Others?

56 None of These Concerns Is Necessarily True!
Rather, you perform a risk analysis to determine whether a risk of improper disclosure exists in, for example, calling out a patient’s name. If a risk exists, then what is a reasonable, cost-effective way to protect against it?
This question leads to our final topic: how to perform that risk analysis.

57 Risk Analysis

58 Risk Analysis
The key to cost‑effective compliance.
And even more important with the final Security Rule!
Now essential with the dramatic effects of the HITECH Act on HIPAA.
If you haven’t done a formal, written risk analysis, any breach would result from willful neglect!

59 Importance of Risk Analysis
Besides risk analysis being a required implementation specification in the Security Management Process standard, it is how you decide whether you must implement an addressable implementation specification.
§ requires risk analysis to “reduce risks and vulnerabilities to a reasonable and appropriate” level to comply with § (a).

60 And Don’t Forget the Security Provisions of the Privacy Rule
§ (c)(1) of the final privacy regulations requires covered entities to have reasonable and appropriate administrative, technical, and physical safeguards to protect the privacy of PHI.
You cannot select “appropriate safeguards” without first having performed a good risk analysis.

61 How Do You Perform Risk Analysis?
A methodology:
  Assemble a good team.
  Identify assets.
  Determine what risks exist.
  Evaluate the likelihood of the risks occurring and the harm if they do.
  Select security measures to guard against those risks.
  Test and revise.

62 Assemble a Good Team
Consider involving the following individuals:
  Director of information management.
  Director of health information.
  Risk manager.
  Representatives of the medical staff and nursing staff.
  Patient representative.
  General counsel or other lawyer.
  Technical representative.
  Human resources representative.
  Business office personnel.
  Quality assurance.

63 Identify Assets
Often a real eye‑opener . . .
  Identify information that you must protect.
  Identify components of the system that the information resides in.
  Identify all system assets, not just hardware.
  Identify existing security assets.

64 Identify Risks
What are the risks to your system and its assets, including the data residing therein? Consider risks in the following areas:
  Threats to patient information, in both proper and improper use, and in both proper and improper disclosure.
  Electronic threats.
  System threats.
  The combined threats of the above.

65 Consider Potential Threats
Consider threats in three major areas:
  Threats to the availability of the data.
  Threats to the integrity of the data.
  Threats to the confidentiality of the data.
Any particular risk that you identify, such as a virus, may be a threat to one, two, or all three of the above areas.

66 Evaluate Each Risk Identified
Risk matrix (probability increases left to right; risk, i.e. harm if it occurs, increases bottom to top):

                     Low Probability           High Probability
  High Risk          Low Probability/High Risk  High Probability/High Risk
  Low Risk           Low Probability/Low Risk   High Probability/Low Risk

67 Select Security Measures
Multiply the number of expected occurrences by the expected cost of each occurrence to calculate the annual loss expectancy (“ALE”).
Where the cost is high, select control measures to protect against the exposure.
Compare the cost of the control measure(s) against the ALE to find the true cost. ALE may even be a negative number.
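The following is an added example, not part of the presentation, that carries the evaluation of slides 66 and 67 through for a small constructed risk register: each risk is placed in a quadrant of the probability/risk matrix, its ALE is computed as expected occurrences per year times expected cost per occurrence, and each candidate control is judged by the ALE it removes less its own annual cost. The risks, dollar figures, and quadrant thresholds are assumptions chosen for illustration; the third risk is the “calling out names in the waiting room” concern from slide 55, included to show the case where the true cost of a control comes out negative.

```python
from dataclasses import dataclass

# Assumed thresholds for the probability/risk matrix (slide 66); set your own from the
# risk analysis. Probability is expected occurrences per year, risk is dollars per event.
HIGH_PROBABILITY = 0.25
HIGH_RISK_COST = 25_000


@dataclass(frozen=True)
class Risk:
    name: str
    occurrences_per_year: float   # expected occurrences per year
    cost_per_event: float         # expected cost of one occurrence


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float            # what the control costs to run each year
    residual_occurrences: float   # expected occurrences per year with the control in place
    residual_cost_per_event: float  # expected cost per occurrence with the control in place


def ale(occurrences_per_year, cost_per_event):
    """Annual loss expectancy: expected occurrences times expected cost of each (slide 67)."""
    return occurrences_per_year * cost_per_event


def quadrant(risk):
    """Place a risk in the four-cell matrix of slide 66."""
    prob = "High Probability" if risk.occurrences_per_year >= HIGH_PROBABILITY else "Low Probability"
    harm = "High Risk" if risk.cost_per_event >= HIGH_RISK_COST else "Low Risk"
    return f"{prob}/{harm}"


def evaluate_control(risk, control):
    """Compare the control's cost with the ALE it removes.

    net_benefit is the ALE avoided minus the control's annual cost; when it is negative the
    control costs more than the exposure it removes, which is the "negative" case slide 67
    warns about.
    """
    before = ale(risk.occurrences_per_year, risk.cost_per_event)
    after = ale(control.residual_occurrences, control.residual_cost_per_event)
    avoided = before - after
    return {
        "risk": risk.name,
        "quadrant": quadrant(risk),
        "ale_before": before,
        "ale_after": after,
        "control": control.name,
        "control_cost": control.annual_cost,
        "net_benefit": avoided - control.annual_cost,
        "cost_effective": avoided > control.annual_cost,
    }


# Constructed register: fictitious figures chosen for illustration only.
REGISTER = [
    (Risk("Unencrypted laptop lost or stolen", 0.5, 200_000),
     # Encrypted media fall within the safe harbor described on slide 29, so the
     # assumed cost per event drops to the replacement cost of the device.
     Control("Full-disk encryption on all laptops", 15_000, 0.5, 5_000)),
    (Risk("Copier hard drive returned with PHI", 0.2, 50_000),
     Control("Wipe or remove drives before return", 2_000, 0.0, 0.0)),
    (Risk("Patient name called out in waiting room", 0.05, 1_000),
     Control("Private check-in kiosk", 5_000, 0.0, 0.0)),
]


def evaluate_register(register=REGISTER):
    """Evaluate every risk/control pair, highest net benefit first."""
    rows = [evaluate_control(r, c) for r, c in register]
    return sorted(rows, key=lambda row: row["net_benefit"], reverse=True)


if __name__ == "__main__":
    for row in evaluate_register():
        verdict = "adopt" if row["cost_effective"] else "not cost-effective"
        print(f"{row['risk']} [{row['quadrant']}]: ALE ${row['ale_before']:,.0f} -> "
              f"${row['ale_after']:,.0f}; {row['control']} costs ${row['control_cost']:,.0f}/yr; "
              f"net ${row['net_benefit']:,.0f} ({verdict})")
```

Ranking by net benefit rather than by ALE alone is the point of the comparison on slide 67: the encryption control addresses the largest exposure and the disposal control is cheap, while the waiting-room control fails the test, which is the kind of “overreaction” slide 56 says a risk analysis should filter out.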

68 Test and Revise
Remember the Security Rule’s Evaluation Standard: periodic review of security measures to ensure that they remain reasonable and appropriate.

69 What Are Standards?
The regulations call them by many different names: policies, procedures, controls. Regardless of what you call them, they differ from the general overall guidance expressed in your security policy. Rather, standards consist of the detailed instructions as to how to comply with the goals of your security policy.

70 The Requirement to Have Standards
The security regulations require plans, policies, procedures, and controls, such as these:
  Sanction policy (also required by the Privacy Rule).
  Data backup plan.
  Disaster recovery plan and emergency mode operation plan.
  Facility security plan.
  Testing and revision procedure.
The privacy rules require other standards, such as how patients may request correction of inaccurate information and how the facility will handle the request.

71 DHHS Audit Protocols
The OCR HIPAA Audit program analyzes processes, controls, and policies of covered entities pursuant to the HITECH Act audit mandate. OCR established a comprehensive audit protocol that contains the requirements to be assessed through these audits. The entire audit protocol is organized around modules, representing separate elements of privacy, security, and breach notification. The combination of these multiple requirements may vary based on the type of covered entity selected for review.
The audit protocol covers Privacy Rule requirements for (1) notice of privacy practices for PHI, (2) rights to request privacy protection for PHI, (3) access of individuals to PHI, (4) administrative requirements, (5) uses and disclosures of PHI, (6) amendment of PHI, and (7) accounting of disclosures.
The protocol covers Security Rule requirements for administrative, physical, and technical safeguards.
The protocol covers requirements for the Breach Notification Rule.
For the entire audit protocol go to “Audit Program Protocol” at

72 Unavoidable Employee Misconduct Defense
No HIPAA decisions on this defense as yet. Other federal compliance areas have, however, recognized the unavoidable employee misconduct defense. It can be a defense to liability under the Occupational Safety and Health Act (“OSHA”).
For an organization charged with an OSHA violation to prove the defense of unavoidable employee misconduct, it must show that the organization:
  Established work rules to prevent safety violations.
  Adequately informed employees of the rules.
  Effectively enforced the rules upon discovering a violation.
These elements of the defense are consistent with our guidance:
  Screen your employees before giving them access.
  Train them and retain training records (adequately inform them).
  Conduct a risk analysis and implement reasonable and appropriate security measures, including policies and procedures (establish work rules).
  Enforce your security measures and policies (effectively enforce the rules).
  Conduct compliance audits (effectively enforce the rules).

73 Release of Information Policy
Verify the identity of the requester and the requester’s authority to receive the information. If you cannot verify the authority, deny the request.
Compare the facts and circumstances of the request to the detailed criteria of the relevant category or categories under § of the DHHS privacy regulations (see relevant appendices to the Release of Information Policy).

74 Appendix D. Victims of a crime
[Name of organization] may disclose PHI in response to a law enforcement official’s request for such information about an individual who is suspected to be a victim of a crime if (1) the individual agrees to the disclosure or (2) [name of organization] is unable to obtain the individual’s agreement because of incapacity or other emergency circumstance, provided that the following conditions apply:

75 Appendix D. Victims of a crime (cont’d)
  The law enforcement official represents that such information is needed to determine whether a violation of law by a person other than the victim has occurred and that such information is not intended to be used against the victim.
  The law enforcement official represents that immediate law enforcement activity that depends upon the disclosure would be materially and adversely affected by waiting until the individual is able to agree to the disclosure.
  The disclosure is in the best interests of the individual as determined by [name of organization], in the exercise of professional judgment.

76 Release of Information Policy (cont’d)
If the facts and circumstances do not meet all of the relevant criteria of at least one category under § of the privacy regulations, do not release the information.
If the facts and circumstances do meet all of the relevant criteria of at least one category under § , do not release the information until after you have determined whether another state or federal law prohibits or restricts the disclosure.

77 Good Luck!
For additional information call 855.341.8783 x 311 or
Please sign up for my free blog on

78 Resources & Tools for HIPAA Compliance
HIPAA Compliance Library
