Understanding HIPAA Compliance in 2014: Ethics, Technology, Healthcare & Life. Julie Meadows-Keefe, Grossman, Furlow, and Bayó, LLC 2022-2 R.

Presentation transcript:

Understanding HIPAA Compliance in 2014: Ethics, Technology, Healthcare & Life
Julie Meadows-Keefe, Grossman, Furlow, and Bayó, LLC, Raymond Diehl Rd., Tallahassee, FL (850) J. MEADOWS - GFBLAWFIRM. COM

Does It Put You in a Bad Mood?

How Much Privacy Do You Have?
How Much Privacy Are You Willing To Give Up?

Perceived Barriers?

Wired Magazine
- The age of the password has come to an end; we just haven’t realized it yet. And no one has figured out what will take its place. What we can say for sure is this: Access to our data can no longer hinge on secrets—a string of characters, 10 strings of characters, the answers to 50 questions—that only we’re supposed to know. The Internet doesn’t do secrets. Everyone is a few clicks away from knowing everything.

So We Recognize We Are All Vulnerable

- “A stolen medical identity has a $50 street value – whereas a stolen social security number, on the other hand, only sells for $1.00” said Kirk Herath, Nationwide Chief Privacy Officer.

Facts About Medical Identity Theft
- 1.5 million Americans affected
- Average cost to restore identity is over $20,000
- Medical identity theft comprises 3% of all identity thefts
- Nearly half of victims lose their coverage
- Can take a year to discover
- Healthcare was the most breached industry in 2011

So What Does HIPAA Do?
- HIPAA sets a national standard for accessing and handling medical information.
- Access to your own medical records, prior to HIPAA, was not guaranteed by federal law.
- Notice of privacy practices about how your medical information is used and disclosed must now be given to you.
- An accounting of disclosures

HIPAA 1996

1996 Mac

Popular Song & Dance in 1996

In 1996
- Google.com didn’t exist yet.
- In January 1996 there were only 100,000 websites, compared to more than 160 million in
- The web browser of choice was Netscape Navigator, followed by Microsoft Internet Explorer as a distant second (Microsoft launched IE 3 in 1996).
- Most people used dial-up Internet connections.

ARRA
- February 17, ARRA Signed into Law. Also known as the “Stimulus.” $25.8 Billion for Health IT
- Increased Regulation of Organizations Contracting with Covered Entities
- Covered Entities Must Carefully Monitor Disclosures of PHI
- Increased Limitations on Use of PHI
- Increased Penalties and Enforcement Mechanisms
- Breach notification and reporting requirements

Evidence Based Medicine
- Conscientious, explicit and judicious use of current best evidence in making decisions about the care of individual patients
- Use of mathematical estimates of the risk of benefit and harm, derived from high-quality research on population samples, to inform clinical decision-making in the diagnosis, investigation or management of individual patients

Big Data
- How much regulation is needed for electronic health records and systems?
- How much is too much?
- Does technology harm patients?
- How much risk do patients face in the era of "big data"?
- Can data reach the level of granularity necessary to show only the minimum amount of data needed to provide a particular treatment?

Express Scripts Has Big Data
- Provides pharmacy benefits to over 100 million people.
- They see 1.4 billion prescriptions a year, each one of which adds a little more data to their pile.
- They now have 100 people sorting through that information trying to detect fraud. They've got nurses and pharmacists and forensic accountants, along with a group of data nerds investigating thousands of cases of shady dealings a year.

Some Fear

What Is a “Breach?”
- A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information such that the use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual.
- There are three exceptions to the definition of “breach.” The first exception applies to the unintentional acquisition, access, or use of protected health information by a workforce member acting under the authority of a covered entity or business associate. The second exception applies to the inadvertent disclosure of protected health information from a person authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the covered entity or business associate. In both cases, the information cannot be further used or disclosed in a manner not permitted by the Privacy Rule. The final exception to breach applies if the covered entity or business associate has a good faith belief that the unauthorized individual, to whom the impermissible disclosure was made, would not have been able to retain the information.

Take-Away
- PLEASE MAKE SURE ALL STAFF ARE UTILIZING ENCRYPTION FOR TRANSMISSION OF PHI.

Breaches Big in Omnibus
- the nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification
- the unauthorized person who used the protected health information or to whom the disclosure was made
- whether the protected health information was actually acquired or viewed
- the extent to which the risk to the protected health information has been mitigated

Breaches So Far
- January 2013: First HIPAA breach settlement involving fewer than 500 patients (Idaho Hospice)
- April 2012: HHS settles case with Phoenix Cardiac Surgery for lack of HIPAA safeguards

Alaska Department of Health and Human Services
- Settled for 1.7 million dollars.
- One lost unencrypted flash drive from an employee’s car led to extensive HHS investigation.
- Insufficient training and risk assessment.

2013 Verizon Breach Report
Threat Actors
- External: 92%
- Internal: 14%
- Partners: 1%

Threat Actions
- Malware: 10%
- Hacking: 52%
- Social: 29%
- Misuse: 13%
- Physical: 35%
- Error: 2%

Attacked Entities
- Financial organizations: 37%
- Utilities: 24%
- Manufacturing, transportation: 20%
- Healthcare organizations: 0.90%

Business Associate Requirements
Extends HIPAA’s requirements, not just to business associates, but to subcontractors that handle protected health information on behalf of business associates.

Notice of Privacy Practices
- Need to revise to reflect patient’s right to receive breach notifications.

Request for Restrictions
- Specifically, covered entities must agree to restrict disclosures of protected health information about the individual if the disclosure is for payment or healthcare operations purposes, is not required by law, and the protected health information pertains solely to a healthcare item or service for which the individual, or someone on the individual's behalf other than the health plan, has paid the covered entity in full.

Julie’s Story
- Real-life experience with too much data being included in an EHR.
- y5j9Q

Licensure
- Licensure involves providing a full explanation and record documenting any affirmative responses to health questions, including emotional/mental illness, chemical dependency.

Julie Meadows-Keefe, Grossman, Furlow, and Bayó, Raymond Diehl Rd., Tallahassee, FL (850) J. MEADOWS - GFBLAWFIRM. COM
Thank You