Importance of the Information Risk Assessment

Compliance Programs are intended to proactively audit and assess an organization’s operations to detect and prevent improper or illegal activities. An effective Compliance Program can support mitigation of fines and penalties, but it must actually be effective within the organization.

HIPAA requires organizations that handle protected health information to regularly review the administrative, physical, and technical safeguards they have in place to protect the security of that information.

On March 28, 2014, HHS made available a new security risk assessment (SRA) tool to help health care providers in small to medium-sized offices conduct risk assessments of their organizations.

The scope of the risk analysis required by the Security Rule includes the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all e-PHI that an organization creates, receives, maintains, or transmits. (45 C.F.R. § (a))

Administrative Safeguards: administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.

• Security Management Process
• Assigned Security Responsibility
• Workforce Security
• Information Access Management
• Security Awareness and Training
• Security Incident Procedures
• Contingency Plan
• Evaluation
• Business Associate Contracts and Other Arrangements

Physical Safeguards: physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion.

• Facility Access Controls
• Device and Media Controls
• Workstation Use
• Workstation Security

Technical Safeguards: the technology, and the policies and procedures for its use, that protect electronic protected health information and control access to it.

• Access Control
• Audit Controls
• Integrity
• Person or Entity Authentication
• Transmission Security

Business Associates and Security Breach Notification

Certain entities are now explicitly included in the definition of “business associate”:
◦ Health Information Organizations, E-prescribing Gateways, and other persons that provide data transmission services to a covered entity and require routine access to PHI
◦ Patient Safety Organizations
◦ Any person offering PHRs on behalf of a covered entity

A data transmission organization that acts as a mere conduit for the transport of PHI, and does not access PHI other than on a random or infrequent basis, is NOT a business associate (transient vs. persistent analysis).

Subcontractors of BAs are considered BAs if they handle PHI.

A “subcontractor” is any person to whom a BA delegates a function, activity, or service, other than as a member of the BA’s workforce.
• A subcontractor is a BA if it creates, receives, maintains, or transmits PHI on behalf of a business associate.
• A person who receives or accesses PHI to assist the BA with the BA’s own management and administration or legal responsibilities is not a subcontractor and therefore not a BA.
◦ But the BA must obtain “reasonable assurances”.
• Status as a business associate flows “down the chain”.

A business associate must:
• Comply with applicable requirements of the Security Rule
• Provide security breach notification to the CE
• Use and disclose PHI only as permitted by the BA Agreement
• Not use or disclose PHI in a way that would violate the HIPAA Privacy Rule if done by the covered entity (subject to narrow exceptions)
• Execute BA Agreements with subcontractors that create, receive, or maintain PHI on the BA’s behalf
• If a subcontractor engages in a pattern or practice in material breach of its BA Agreement, take reasonable steps to cure the breach or terminate if feasible
• Use reasonable efforts to limit PHI to the minimum necessary
• Disclose PHI
◦ To the covered entity, individual, or individual’s designee when required to provide an electronic copy of PHI
◦ To the Secretary of HHS when required
• Provide an accounting of disclosures

New elements of BA Agreements:
◦ BA must comply with applicable provisions of the Security Rule
◦ BA must report any use or disclosure not in compliance with the agreement (existing requirement), specifically including breaches of unsecured PHI
◦ BA must ensure that any subcontractor that creates, receives, or maintains PHI on its behalf enters into a BA Agreement
◦ To the extent the BA is to carry out the CE’s obligations under the Privacy Rule, the BA must comply with the requirements of the Privacy Rule that apply to the CE in performing those obligations

Compliance deadlines:
◦ BA Agreements must comply by 9/23/13 unless grandfathered
◦ Grandfathered agreements: if, prior to 1/25/13, a BA or subcontractor agreement was in place that was compliant with pre-HITECH standards, and the agreement was not renewed or modified between 3/26/13 and 9/23/13, the agreement is deemed compliant until the earlier of (i) renewal or modification or (ii) 9/22/14
◦ Automatic or “evergreen” renewal does not end the deemed compliance period

Breach Notification

Security and Notice Requirements
• Security provisions of HIPAA now apply to a Business Associate of a Covered Entity in the same manner that such sections apply to the Covered Entity.
• Business associates are subject to the same penalties as Covered Entities.
• Also applies to vendors of personal health records.

Security and Notice Requirements
Applies to any Covered Entity or BA/vendor that:
• Accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured protected health information
• Applies directly to vendors, regardless of whether a business associate agreement is executed

Security and Notice Requirements  Unsecured Protected Health Information means (Section 13402(h)) ◦ protected health information that is not secured through the use of a technology or methodology specified by the Secretary in the guidance issued under this section 20

Security and Notice Requirements  Obligation to notify triggers upon discovery of a breach ◦ Discovery determined to be the first day on which such breach is known or should reasonably have been known to such entity or associate to have occurred ◦ Knowledge by any person that is an employee, officer or other agent of the entity or associate 21

Security and Notice Requirements  Notice to Individual must include: ◦ Identification of each individual whose unsecured protected health information has been, or is reasonably believed to have been accessed, acquired, or disclosed during such breach ◦ Brief description of what happened, including the date of the breach and the date of discovery of the breach ◦ Description of the types of unsecured protected health information that were involved 22

Security and Notice Requirements
◦ Steps the individual should take to protect themselves from potential harm resulting from the breach
◦ Description of what the covered entity involved is doing to investigate the breach, to mitigate losses, and to protect against any further breaches
◦ Contact procedures for individuals to ask questions or learn additional information

Security and Notice Requirements  Notice to the Secretary by Covered Entities:  For breaches impacting 500 or more individuals, notify the Secretary immediately  For breaches impacting fewer than 500 individuals, maintain a log and notify the Secretary annually submit such log 24

Security and Notice Requirements: Notice Process
• Notice Timing:
◦ Notice must be made without unreasonable delay and in no case later than 60 calendar days after discovery of a breach
◦ Delay is allowed if a law enforcement official determines that a notification, notice, or posting would impede a criminal investigation or cause damage to national security
• Methods of Notice:
◦ Written notification by first class mail to the individual
◦ Substitute notice process for insufficient or out-of-date contact information
◦ Media notice for breaches affecting 500 individuals or more

“Safe Harbor”  Safe Harbor from Notification Requirement is to ensure the data is maintained in a “secure” manner.  June Requested comments on the proposed form of “secure” data. ◦ Encryption ◦ De-Identification 26

Of the 90,000 complaints investigated, the most frequent issues, compiled cumulatively and in order of frequency, are:
• Impermissible uses and disclosures of protected health information;
• Lack of safeguards of protected health information;
• Lack of patient access to their protected health information;
• Uses or disclosures of more than the minimum necessary protected health information; and
• Lack of administrative safeguards of electronic protected health information.

The most common types of covered entities that have been required to take corrective action to achieve voluntary compliance are, in order of frequency:
• Private practices;
• General hospitals;
• Outpatient facilities;
• Health plans (group health plans and health insurance issuers); and
• Pharmacies.

• $800,000 HIPAA Settlement in Medical Records Dumping Case - June 23, 2014
• Data Breach Results in $4.8 Million HIPAA Settlements - May 7, 2014
• Concentra Settles HIPAA Case for $1,725,220 - April 22, 2014
• QCA Settles HIPAA Case for $250,000 - April 22, 2014
• County Government Settles Potential HIPAA Violations - March 7, 2014

• Adult & Pediatric Dermatology, P.C., of Concord, Massachusetts (APDerm) - $150,
• Affinity Health Plan, Inc. will settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules for $1,215,780.
• WellPoint Inc. has agreed to pay the U.S. Department of Health and Human Services $1.7 million to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules.

Michele Madison, Partner, Morris, Manning & Martin, LLP, Healthcare & Healthcare IT Practices. Direct:

• The materials and information presented and contained within this document are provided by MMM as general information only, and do not, and are not intended to, constitute legal advice.
• Any opinions expressed within this document are solely the opinion of the individual author(s) and may not reflect the opinions of MMM, individual attorneys, or personnel, or the opinions of MMM clients.
• The materials and information are for the sole use of their recipient and should not be distributed or repurposed without the approval of the individual author(s) and Morris, Manning & Martin LLP.
• This document is Copyright ©2011 Morris, Manning & Martin, LLP. All Rights Reserved worldwide.