3/24/2014. Agenda & Objectives. HIPAA Security Rule. Compliance Institute. Background and Regulatory Overlay. OCR Statistics/

Size: px

Start display at page:

Download "3/24/2014. Agenda & Objectives. HIPAA Security Rule. Compliance Institute. Background and Regulatory Overlay. OCR Statistics/"

Roland Morris
5 years ago
Views:

Compliance Institute Session 501: Implementing a System-Wide Access Monitoring Program Brian D. Annulis Meade, Roach & Annulis, LLP Aegis Compliance & Ethics Center, LLP 4147 N.

1 Compliance Institute Session 501: Implementing a System-Wide Access Monitoring Program Brian D. Annulis Meade, Roach & Annulis, LLP Aegis Compliance & Ethics Center, LLP 4147 N. Ravenswood Avenue Suite 200 Chicago, Illinois (773) (Direct) (773) (Fax) (312) (Cell) bannulis@meaderoach.com April 1, 2014 Agenda & Objectives Background and Regulatory Overlay OCR Statistics/ UCLAHS Resolution Agreement Practical Considerations & Solutions 2 HIPAA Security Rule Administrative Safeguards (45 CFR (a)(4)) A CE/BA must implement p&ps for authorizing access to ephi that are consistent with the Privacy Rule Addressable implementation specifications include access authorization and access establishment and modification 3 1

2 HIPAA Security Rule Technical Safeguards (45 CFR (a), (b), (c), (d) A CE/BA must implement technical p&ps for electronic information systems that maintain ephi to allow access only to the persons or programs that have been granted access rights Implementation specifications include unique user IDs (required), emergency access (required), automatic logoff (addressable) and encryption/decryption (addressable) 4 HIPAA Security Rule Technical Safeguards (45 CFR (a), (b), (c), (d) A CE/BA must also implement hardware, software and/or procedural mechanisms that record and examine activity in information systems that contain or use ephi A CE/BA must implement p&ps to protect ephi from improper alteration or destruction A CE/BA must implement p&ps to verify that a person or entity seeking access to ephi is the one claimed 5 Accounting of Disclosures HITECH Act Changes HITECH Act expanded the accounting of disclosure right for individuals to include disclosures made through an electronic health record ( EHR ) for treatment, payment and health care operation ( TPO ) purposes. When a covered entity uses or maintains an electronic health record with respect to PHI: Disclosures for TPO must be logged for accounting requests Right to accounting of disclosures associated with EHR PHI applies only for 3 years prior to the date of the request Accounting for other accountable disclosures applies for 6 years Note: Does not withdraw other exceptions in Does not require covered entity or BA to account for disclosures that it does not make itself Allows fee: Not greater than the entity s labor costs in responding to the request. 2

3 Privacy Rule Accounting of Disclosures HITECH Act Changes Effective date: Not earlier than January 1, 2011 Depends on when EHR is acquired: If covered entity acquired an EHR as of January 1, 2009, then applies to disclosures on and after January 1, 2014 If covered entity acquires an EHR after January 1, 2009, then applies to disclosures on and after the later of January 1, 2011; or Date covered entity acquires an EHR HHS option to change tiered effective dates to not later than 2018 or 2014 Privacy Rule Accounting of Disclosures HITECH Final Rule did NOT address the expanded accounting of disclosures provision under the HITECH Act; to be addressed in later rulemaking However, on May 31, 2011, HHS published a regarding the expanded accounting of disclosure right for individuals If finalized as proposed, the changes would be significant Despite the plain language of the HITECH Act, the does not expand the disclosure accounting right to include TPO activities; Rather, OCR creates a new access report right that would govern all accesses of an individual s PHI (whether for use or disclosure) if that PHI is maintained in an electronic DRS 3

4 Expansion of the Accounting of Disclosure Right under the The disclosure accounting right would only apply to PHI maintained in a DRS The would explicitly list the types of disclosures that must be tracked and accounted for The would eliminate the need to account for disclosures made as part of IRB-approved research projects The would expand upon the information that must be provided in a disclosure accounting report (e.g., if exact date of disclosure is unknown, month and year must be provided, at a minimum); Responses to requests for an accounting of disclosures must be provided within 30 days. Under the current rule, responses are due within 60 days. An opportunity for an extension would still be available. New Access Report Right HHS proposes to expand an individual s HIPAA rights to include an access report addressing both disclosure and use of all PHI in an electronic DRS The access report would need to include: The date of access; The time of access; The name of the person accessing the information (if available), otherwise the name of the entity accessing the electronic designated record set; A description of the information accessed; and A description of the action taken (e.g., create, modify, access, delete). New Access Report Right Responses to a request for an access report must be made within 30 days (with an opportunity for an extension). Access reports must address uses and disclosures by the covered entity s business associates of electronic DRS information maintained by the business associates. An individual has the right to one access report every 12-months without charge. The covered entity may charge a reasonable, cost-based fee for additional reports 4

OCR Breach Notification Highlights September 2009 through February 20, 2013 Unauthorized/improper access has consistently been one of the top 5 issues investigated by OCR Top types of large breaches

5 OCR Breach Notification Highlights September 2009 through February 20, 2013 Unauthorized/improper access has consistently been one of the top 5 issues investigated by OCR Top types of large breaches Theft Unauthorized Access/Disclosure Loss 13 OCR Spotlight on Largest Breaches of 2012 Hacking network server 780,000 affected Backup tapes stored at hospital cannot be found and are presumed lost 315,000 affected Unencrypted s sent to employee s unsecured address ,435 affected Theft of laptop from employee s vehicle 116,506 affected Unauthorized access to e-phi stored in database-- 105,646 affected Hacking database stored on network server 70,000 affected 14 Breach Notification: 500+ Breaches by Type of Breach Hacking/IT Incident 7% Loss 14% Improper Disposal Unknown 5% 3% Unauthorized Access/ Disclosure 20% Theft 51% Data as of January

Overview of Findings from Initial Audits Security 16 The UCLAHS Case (Resolved 2011) Approximately 850 employees of the University of California at Los Angeles Health Systems (UCLAHS) obtained PHI

6 Overview of Findings from Initial Audits Security 16 The UCLAHS Case (Resolved 2011) Approximately 850 employees of the University of California at Los Angeles Health Systems (UCLAHS) obtained PHI about two celebrity patients by using UCLAHS electronic medical record data bases. The employees had no work-related need for the celebrities PHI as they were not involved in the treatment of either celebrity (i.e., snooping). Upon a referral by OCR, the Department of Justice (DOJ) conducted a criminal investigation which resulted in one UCLAHS employee pleading guilty to obtaining PHI for commercial advantage. OCR negotiated a Resolution Agreement and a Corrective Action Plan with UCLAHS. 17 Covered Conduct by UCLAHS OCR s investigation indicated that UCLAHS had engaged in the following covered conduct: Throughout the period from 2005 through2008, UCLAHS failed to provide and/or document necessary and appropriate Privacy and Security Rule training for all members of its workforce to carry out their functions within UCLAHS; During the period from 2005 through 2008, UCLAHS failed to apply appropriate sanctions on workforce members who impermissibly examined ephi; and During the period from 2005 through 2009, UCLAHS failed to implement security measures sufficient to reduce the risks of impermissible access to ephi of its patients by unauthorized users to a reasonable and appropriate level. 18 6

7 Resolution of UCLAHS Case In July, 2011, UCLAHS executed a Resolution Agreement and Corrective Action Plan with OCR. These documents are on OCR s website. UCLAHS paid $865,000 as a resolution amount. The Corrective Action Plan (CAP) that UCLAHS executed required it to create new or revised policies and procedures. These policies must include a need to know approach to records access so as the prevent a recurrence of the massive breach that occurred in this case. UCLAHS was also required to appoint an Independent Monitor, subject to OCR s approval, who will evaluate UCLAHS s compliance with the CAP for three years. 19 Lessons Learned from the UCLAHS Case Management of health care providers which rely strongly on electronic medical records must take affirmative steps to secure those records internally. Management needs to adopt a need to know strategy for allowing access to electronic PHI and implement that strategy throughout its electronic data systems. Only workforce members with a bona fide work-related reason to access a particular patient s electronic records should be able to do so. 20 Lessons Learned from the UCLAHS Case Management, especially the compliance department, must be vigilant in testing the reliability of its security systems for the safeguarding of electronic PHI. Clear and well documented administrative and physical safeguards are necessary for the storage devices and removable media which handle ephi. Encryption of data at rest on any desktop or portable device/media storing ephi is essential. 21 7

Update on HIPAA Administration and Enforcement. Marissa Gordon-Nguyen, JD, MPH October 7, 2016

Update on HIPAA Administration and Enforcement Marissa Gordon-Nguyen, JD, MPH October 7, 2016 Updates Policy Development Breaches Enforcement Audit 2 POLICY DEVELOPMENT RECENTLY PUBLISHED: RIGHT OF ACCESS,