Breach SHOULD Be a Four Letter Word HIPAA Omnibus.

Presentation transcript:

Breach SHOULD Be a Four Letter Word HIPAA Omnibus

Objectives
Recall two examples of recently reported breaches.
Define breach and post-event risk analysis guidance.
List three strategies a practice can implement to reduce the likelihood of a breach.
4/28/2015

Breaking News
QCA Health Plan has agreed to pay a $250,000 monetary settlement.
o Breach: in February an unencrypted laptop computer containing the ePHI of 148 individuals was stolen.
o After the breach, data on equipment was encrypted by QCA.
o QCA failed to comply with multiple requirements of the HIPAA Privacy and Security Rules, beginning from the compliance date of the Security Rule in April 2005 and ending in June.
Concentra has agreed to pay OCR $1,725,220 to settle potential violations and will adopt a corrective action plan to evidence their remediation of these findings.
o Breach: stolen laptop from a PT facility.
o Several risk analyses had identified the risk.

Breaches
Advocate Medical Group in Chicago had 4 desktop computers taken in a burglary that contained the personal information of over 4 million patients.
A St. Louis orthodontist office was burglarized and company computers were taken with the data for over 10,000 patients.
A physician practice at the University of Texas Health Science Center at Houston discovered a laptop had been stolen containing data for nearly 600 patients.

Protected Health Information Includes
Health information, whether oral or recorded in any form or medium
Names
All geographical subdivisions smaller than a State, including street address, city, county, precinct, zip code
All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death
Fax numbers
Electronic mail addresses
Social Security numbers
Medical record numbers
Health plan beneficiary numbers
Account numbers
Certificate/license numbers
Vehicle identifiers and serial numbers, including license plate numbers
Device identifiers and serial numbers
Web Universal Resource Locators (URLs)
Internet Protocol (IP) address numbers
Biometric identifiers, including finger and voice prints
Full face photographic images and any comparable images; and
Any other unique identifying number, characteristic, or code

BREACH

What is a Breach?
The unauthorized acquisition, access, use, or disclosure of PHI not permitted under the privacy rule, which compromises the security or privacy of such information.
An acquisition, access, use, or disclosure of protected health information in a manner not permitted under the privacy rule is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised.
Compliance date September 23, 2013.

Breach Exclusions
A worker who has the authority to access information accidentally accesses the record of a patient in whose care they are not involved.
A worker who has the authority to access information inadvertently shares the information with another worker who is not involved in the care of the patient.
Information is shared with an individual/entity who is not authorized, but the unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.

Risk Analysis Must Be Completed
1) The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification.
2) The unauthorized person who used the protected health information or to whom the disclosure was made.
3) Whether the protected health information was actually acquired or viewed.
4) The extent to which the risk to the protected health information has been mitigated.

Breach Notification
Patients must be notified without unreasonable delay and no later than 60 days after discovery of the breach.
Breaches involving 500 or more individuals:
Notify prominent media outlets serving the State or jurisdiction, concurrently with the notification sent to the individual.
Notify the Secretary of HHS concurrently with the notification sent to the individual.
Breaches involving fewer than 500 individuals:
Maintain a log or other documentation of the breaches and report no later than 60 days after the end of each calendar year in which the breach was discovered.
Provide the notification as listed on the HHS website.

Reporting Breach Information

Breaches Impacting 500 or More

Breach Notification and Business Associates
Must provide notice to the covered entity (CE) without unreasonable delay and no later than 60 days from the discovery of a breach.
MUST address the timing of reporting, for both known breaches and suspect situations, in the BA contract.
It is ultimately the CE's responsibility to report the breach to impacted individuals.
o Reporting of the incident may be delegated by contract to the BA.
o This does not lessen the responsibility of the CE.
o Both parties should NOT report.

What Does This Mean?
All events must be documented; this includes exclusion events and why they are determined to meet the definition.
CE and BA have the burden of proof:
To demonstrate that all breach notifications were provided.
To demonstrate that an impermissible use or disclosure did not constitute a breach, such as by showing through a risk assessment that there was a low probability that the protected health information had been compromised.
Must maintain documentation sufficient to meet that burden of proof.
CRITICAL QUESTION: How will BAs communicate potential breach scenarios?

Patient Notification Process
Written notice to affected individuals, provided by first class mail, or by electronic mail if the individual has specified it as the preferred method.
o May be provided in one or MORE mailings as information becomes available.
o Phone notice is allowed in an urgent situation, but must be followed by written notice.
Substitute notice must be provided to affected individuals if contact information is insufficient or out of date. This may be provided via .
If contact information is insufficient for 10 or more individuals, the notice must be a conspicuous posting on the home page of the covered entity's Web site for 90 days, or notice in major print or broadcast media in the geographic areas where the affected individuals likely reside.
o A toll-free number must be included where individuals can learn whether their information was included in the breach.

Patient Notification to Include
Brief description of what happened.
Description of the types of unsecured PHI that were involved in the breach (name, Social Security Number, etc.).
Steps individuals should take to protect themselves from potential harm.
Brief description of what the covered entity is doing to investigate the breach, mitigate damage, and protect against further breaches.
Contact information at the covered entity for questions by patients.
Must make a decision on credit monitoring services.

Four Tiered Penalty Structure
For violations involving unknown violations (that is, where the entity did not know of the violation and would not have known of it if exercising reasonable diligence):
o The penalty for each violation will be between $100 and $50,000.
For violations involving reasonable cause (that is, where circumstances would make it unreasonable to comply with HIPAA, despite exercising ordinary business care and prudence):
o The penalty for each violation will be between $1,000 and $50,000.
Maximum annual penalties for same violations: $1.5 million

Willful Neglect
If the violation was due to willful neglect and was timely corrected: an amount not less than $10,000 or more than $50,000 for each violation.
If it is established that the violation was due to willful neglect and was not timely corrected: an amount not less than $50,000 for each violation.
The penalty for violations of the same requirement or prohibition under any of these categories may not exceed $1,500,000 in a calendar year.
The Secretary of HHS has waiver authority.

How Much of a Fine and Investigations
Nature and extent of the violation.
Number of individuals impacted.
Nature and extent of harm, including reputational harm.
Indications of non-compliance, which broadly includes past issues around compliance.
Investigations:
o Indications of willful neglect will by law result in an investigation.
o Civil money penalties will NOT be imposed if the violation is corrected within 30 days from when the entity is aware of the violation, UNLESS it is due to willful neglect.

Calculation of Penalties
Where multiple individuals are affected by an impermissible use or disclosure, such as in the case of a breach of unsecured protected health information, it is anticipated that the number of identical violations of the Privacy Rule standard regarding permissible uses and disclosures would be counted by the number of individuals affected.
For continuing violations, such as lack of appropriate safeguards for a period of time, it is anticipated that the number of identical violations of the safeguard standard would be the number of days the entity did not have appropriate safeguards in place to protect the protected health information.
Reference: Federal Register, January 25, 2013

Individual Employee Liability
(1) uses or causes to be used a unique health identifier;
(2) obtains individually identifiable health information relating to an individual; or
(3) discloses individually identifiable health information to another person,
o A person (including an employee or other individual) shall be considered to have obtained or disclosed individually identifiable health information in violation of this part if the information is maintained by a covered entity (as defined in the HIPAA privacy regulation) and the individual obtained or disclosed such information without authorization.

OCR Enforcement Example
The Hospice of North Idaho (HONI) has agreed to pay HHS $50,000 to settle potential violations of the HIPAA Security Rule.
This was the first settlement involving a breach of unsecured ePHI affecting fewer than 500 individuals.
An unencrypted laptop computer containing the ePHI of 441 patients had been stolen in June. OCR discovered that:
o HONI had not conducted a risk analysis to safeguard ePHI.
o HONI did not have in place policies or procedures to address mobile device security as required by the HIPAA Security Rule.

Tips to Protect Information

Use or Release Information
For treatment, payment and healthcare operations after providing a Notice of Privacy Practices.
To the individual or legal representative.
To friends and family with informal approval or for emergencies.
o May ask the patient for permission to discuss healthcare if accompanied by another person during the exam.
As authorized by the patient.
Based on the professional judgment of the healthcare provider as to what is in the best interest of the patient.

ePHI – Think Broader Than Your Computer
Laptops, office PCs, servers
Smartphones
Thumb or flash drives
Backup devices
CD/DVD
Equipment such as fax machines or copiers
ePHI during transmission
o Healthcare providers
o Personal health records

Risk Analysis and Audits
Risk Analysis required by the Security Rule
Audits
o Logons outside usual business hours
o Remote access report
o File update or change reports
o Review of daily activity
o Review of employees logged in
o Record access
o Logon when person is out of office
o Change report
o Exceptional access or print
o VIP record access
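To show what the audit items above look like as a routine check, here is an added example (not from the presentation) that runs four of them over constructed EHR access-log lines: after-hours logons, logons while the user is recorded as out of office, access to VIP records, and exceptional access volume. The log format, business hours, leave calendar, VIP list and per-day threshold are all assumptions for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime, time

# Constructed sample EHR access-log lines (not from the presentation):
# "<ISO timestamp> <user> <action> <record-or-dash>"
SAMPLE_LOG = """\
2015-04-20T08:15:00 jdoe LOGON -
2015-04-20T22:45:00 jdoe LOGON -
2015-04-21T09:05:00 asmith VIEW MRN-9001
2015-04-21T09:10:00 asmith PRINT MRN-9001
2015-04-22T10:00:00 bjones LOGON -
2015-04-23T11:00:00 cwhite VIEW MRN-2001
2015-04-23T11:01:00 cwhite VIEW MRN-2002
2015-04-23T11:02:00 cwhite VIEW MRN-2003
2015-04-23T11:03:00 cwhite VIEW MRN-2004
"""

# Assumed policy parameters; a practice would take these from its own
# schedules, leave records and VIP flags.
BUSINESS_HOURS = (time(7, 0), time(19, 0))
OUT_OF_OFFICE = {"bjones": (date(2015, 4, 22), date(2015, 4, 24))}
VIP_RECORDS = {"MRN-9001"}
MAX_RECORDS_PER_DAY = 3  # more distinct charts than this per day is "exceptional"


@dataclass(frozen=True)
class Finding:
    rule: str
    user: str
    when: datetime
    detail: str


def parse_log(text):
    # Split each line into (timestamp, user, action, record).
    events = []
    for line in text.splitlines():
        stamp, user, action, record = line.split()
        events.append((datetime.fromisoformat(stamp), user, action, record))
    return events


def audit(text):
    """Apply the slide's review checks to the log and return the findings."""
    findings = []
    per_day = defaultdict(set)  # (user, date) -> distinct records touched
    for when, user, action, record in parse_log(text):
        if action == "LOGON":
            if not BUSINESS_HOURS[0] <= when.time() <= BUSINESS_HOURS[1]:
                findings.append(Finding("after_hours_logon", user, when, record))
            leave = OUT_OF_OFFICE.get(user)
            if leave and leave[0] <= when.date() <= leave[1]:
                findings.append(Finding("logon_while_out_of_office", user, when, record))
        elif action in ("VIEW", "PRINT"):
            if record in VIP_RECORDS:
                findings.append(Finding("vip_record_access", user, when, f"{action} {record}"))
            per_day[(user, when.date())].add(record)
    for (user, day), records in per_day.items():
        if len(records) > MAX_RECORDS_PER_DAY:
            when = datetime.combine(day, time())
            findings.append(Finding("exceptional_access_volume", user, when, f"{len(records)} records"))
    return findings
```

Each finding is a lead for a reviewer, not a breach determination; the four-factor risk analysis from the earlier slide still decides whether an access was impermissible.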

What Can Others See or Hear?
Be mindful of hallway conversations which may be overheard.
Know what you can discuss, and with whom, in patient care areas when others are brought back into the exam area.
What information is viewable on your computer screen?
Are the appointments for the day posted?
Is patient information in the regular trash?
When PHI is printed out, double check whose information it is before it is given to a patient (common problem!).
Conversations outside of the work environment?

Safeguarding ePHI
Access information with a personal login and password.
o Passwords must not be shared!
Log off or lock the computer when moving away from the work area.
Be mindful of the physical security of mobile devices containing ePHI in particular (laptops, smart phones).
Only open email/attachments from reliable sources.
Access only approved internet sites.
Patient information should not be mentioned on personal social media accounts.
Data encryption: backup devices, phones, servers, computers.

Email containing PHI must be sent in a secure manner.
o This includes emailing information for referral purposes.
o Emailing between employees within the practice is acceptable if the system is secure.
Means of protection include:
o Patient portal.
o Encryption.
At the patient's request, PHI may be sent unsecured if you have informed the patient of the risk.
o The request should be in writing using the Authorization for Release - Compound Release form.

Training
Train all employees
o Including Admin staff
o Physicians
Baseline training for all new employees
o Train specific job functions on targeted areas of need
Priority to train employees regarding breach
o Definition
Protection strategies
o Minimum necessary
o Logins/passwords
o Computer protections – physical security
o Social media
o Acceptable information sharing sites
o Remote access

Quotes from HHS Attorneys
If you find you have a problem, report it. If you hinder the investigation by hiding the facts, they will bring the heaviest fines. They don't care how sorry you are, or how you will do things differently next time. The facts will always speak for themselves. Simply, did you have a good compliance program, and have an incident that happened, or did you have nothing, and did nothing?
The real cold comment the Federal attorney made in closing: "I don't care if a company or practice goes out of business because of the fine."

Thank you!
Bill Fivek, President & CEO