HIPAA-HITECH: Privacy & Security Updates for 2015

Size: px

Start display at page:

Download "HIPAA-HITECH: Privacy & Security Updates for 2015"

Sherilyn Griffith
5 years ago
Views:

South Atlantic Regional Annual Conference Orlando, FL February 6, 2015 1 HIPAA-HITECH: Privacy & Security Updates for 2015 Darrell W. Contreras, Esq., LHRM Gregory V.

1 South Atlantic Regional Annual Conference Orlando, FL February 6, HIPAA-HITECH: Privacy & Security Updates for 2015 Darrell W. Contreras, Esq., LHRM Gregory V. Kerr, CHPC, CHC Agenda 2 OCR On-Site HIPAA Privacy Audits: A Look Ahead for 2015 HIPAA Breach Requirements and Florida Law OCR Investigations, Settlements and Civil Monetary Penalties Q & A 1

2 Regulatory Background The HITECH Act mandated that HHS conduct periodic audits of both covered entities and business associates to confirm compliance with the HIPAA Privacy, Security, and Breach Notification Rules (Phase 1) OCR established a pilot audit program. Audits began in 2011 and continued through CE audits were carried out by a contractor 47 health plans, 61 healthcare providers, and 7 health care clearinghouses. No penalties or resolution agreements 3 HIPAA Audit Phase 2: Delayed & Revised! Previous Plans for Phase 2 Was scheduled to begin Summer of 2014 Conduct a pre-audit survey of 800 CEs and 400 BAs Use survey results to select 350 CEs and 50 BAs to be audited in Phase 2. Audits of BAs were scheduled to begin in 2015 Focused on risk analysis and risk management (Security Rule) and breach reporting to the covered entity (Breach Notification Rule). At the time, OCR had also indicated that the audits would be desk audits i.e., document-only audits, without follow-up. 4 Source: Linda Sanches, Privacy Senior Advisor, OCR: HIMSS Privacy Security Forum, September

3 The New Plan OCR s advisor of the HIPAA audit program has not confirmed when the surveys would be issued or when Phase 2 would begin. OCR to have a new portal to streamline the audit process: Conduct the pre-audit survey screening tool CE enter data for the audits. Collect and analyzing audit data. Instead of conducting 400 desk audits, now planning to conduct fewer than 200 desk audits Larger number of on-site comprehensive audits 5 Source: Linda Sanches, Privacy Senior Advisor, OCR: HIMSS Privacy Security Forum, September 2014 OCR s Advice to Prepare for an Audit 6 Entities will be responsible for showing compliance with the Security Rule, the Privacy Rule and the Breach Notification Rule. OCR advises CEs to have a current/active list of their BAs. Contact information and the services provided Comprehensive, periodic risk analyses, and documentation of appropriate follow-up risk management activities. Policies & Procedures Implementation, enforcement (imposition of sanctions consistent with sanction policies for violations Breach notification Policy and reporting documentation Encryption of devices 3

4 OCR Is On Your Side 7 OCR is not out to get you! But. OCR will expect to find a good-faith effort to comply with the HIPAA compliance regulations. I had no idea is not a defense for non-compliance Audits are a vehicle to monitor HIPAA compliance across the healthcare industry Findings help to improve the overall privacy and security of patient data Be Prepared! 8 Breach Requirements HIPAA and Florida 4

5 HIPAA Breach Notification 9 Omnibus Rule Changes New test under the Omnibus Rule Compliance date: September 23, 2013 Presumption that breaches are reportable Regulations established the risk assessment factors Breach Notification NEW To have a reportable breach there must be: 1. A privacy breach 2. Unsecured PHI 10 Presumptive reportable breach unless there is a Low probability of compromise. 5

6 Privacy Breach 11 Not permitted under the Privacy Rule Unauthorized acquisition, access, use, or disclosure of PHI Unsecured PHI PHI not secured through technology or a method specified by the Secretary through guidance Federal Register /Vol. 74, No. 79 /Monday, April 27, 2009: two methods for rendering PHI unusable, unreadable, or indecipherable to unauthorized individuals: encryption and destruction. 12 6

7 NEW Rule Low Probability of Compromise Presumptively reportable UNLESS: Low probability of compromise of the Privacy and Security of the PHI Still requires a risk assessment Risk Assessment Factors: Content What PHI was included? Person To whom was the PHI disclosed? Access Was the PHI actually accessed? Mitigation To what extent has the risk of harm been lessened? Assess each factor on a scale to determine overall risk 13 Breach Notification Requirements 14 A covered entity or BA is on notice of a breach on the first day anyone, other than the employee committing the breach, in the organization knows of the breach or with the exercise of reasonable diligence should have known of the breach. The covered entity or BA must notify the individual, their next-of-kin or personal representative without unreasonable delay but no later than 60 days after breach is discovered. (45 CFR ) 7

8 Florida Breach Notification 15 Florida Information Protection Act of 2014 ( FIPA ) Applies to data for people in Florida Effective date: July 1, 2014 Trigger Personal Information Notice to the State if more than 500 people Notice to the individual Some deference to HIPAA No private cause of action Florida Unfair and Deceptive Trade Practices Act Definitions: Florida Breach Notification Breach Unauthorized access of electronic data containing personal information Does not include good faith access Covered Entity Any business that acquires, maintains, stores, or uses personal information 16 Customer Records Any material that has personal information provided by a covered entity to a person in Florida for products or services. 8

9 Florida Breach Notification Personal Information = 1 of these: First name or initial with last name PLUS one or more of: SSN Govt Issued ID Number 17 Credit/Debit card, bank account plus PIN or security code Health Information Health insurance policy Number plus unique identifier User name or address with password or security question that would permit access to an online account Requirements Florida Breach Notification 1. Reasonable measures to protect and secure electronic data containing Personal Information 2.Notice to the State 3.Notice to the Individual 18 Notice must be give within 30 days Additional 15 days may be requested for State notification Law enforcement may request a delay for investigation 9

10 Florida Breach Notification State Notification Requirements: 1. Notice to the State Access of records for 500 or more individuals Must meet 5 elements Summary of event 19 Number of individuals affected Services offered by CE to individuals without charge A copy of the notice to the individual Contact person Make available additional information upon request Some State departments may post Notice on website instead Florida Breach Notification Individual Notification Requirements: 1. Notice to the Individual Any Access By or mail Notice components: Date of the breach Description of the information breached Contact information 1,000 or More: Notify all consumer reporting agencies Third-parties agents must notify the CE within 10 days Agent may notify, but CE is responsible 20 10

11 Exceptions: Florida Breach Notification 1. Notice is not required if the breach is not likely to result in identity theft or financial harm Requires investigation AND 21 Consultation with law enforcement 2. State notification requirements are satisfied IF compliant HIPAA Breach Notification Provide copy of notice to State 60 day notification requirement? 3. Internet notice or media notification is permitted instead IF: Cost of notification exceeds $250,000 for > 500,000 persons No or mailing address for individuals Penalties: Florida Breach Notification 1.$1,000/day Each day after the 30 day notice deadline expires for up to 30 days 2.$50,000 Each portion of a 30 day period following the first 30-day deadline up to 180 days 3.Beyond 180 days not to exceed $500, Penalty Cap = $500,000 11

12 Review and Practice 23 Company is a BA of Hospital and uses Hospital s PHI that includes payment and diagnosis (paper and electronic) to perform its duties. Company maintains approximately 1,000 patient records in paper, stored off-site at Off-Site Co., and 1,000 patient records in electronic form, stored remotely at Cloud Co. A disgruntled Off-Site Co. employee stole boxes of records, including Company s records, and spread them across a park where they were discovered by people the following day. Simultaneously, Cloud Co. experienced a glitch whereby it accidentally directed Company s encrypted files to another company s server. The records were accessible by the other company once the records were on the other server. The PHI includes payment, diagnosis and treatment information for Florida patients. Company and Off-Site Co. are located in Florida, but Cloud Co. is located in Tennessee. Review and Practice 1. Is this a reportable breach under HIPAA? a. Violation of the Privacy regulations? b. Unsecured data? c. More than a low probability of compromise? i. Content ii. Person iii. Access iv. Mitigation d. Timeframe to report? 24 12

13 Review and Practice 2. Is this a reportable breach under FIPA? a. Notification to the individual? i. Electronic and paper records? ii. Based on number of people affected? iii. Critical test? iv. Timeframe for notification? b. Notification to the State? i. Electronic and paper records? ii. Based on number of people affected? iii. Critical test? iv. Timeframe for notification? c. Other notification required? d. When must Company notify hospital? 25 Review and Practice Assume the Cloud Co. breach is a reportable breach under HIPAA, but investigation was delayed such that notification to the individual and State is not sent out until 75 days after original discovery. 1.Under FIPA, what penalties apply? a. 30 days free b. $1,000/day for next 30 days 26 c. $50,000 for each portion of a 30 day period for the next 180 days, not to exceed $500,000 d. Total: $30,000 + $50,000 = $80,000 e. Could it be doubled? i. or 2.Which entity is responsible for the penalties? 13

14 Integrating HIPAA and FIPA 1. FIPA focuses on access and identity theft a. Electronic records only b. Similar to a HIPAA breach c. If reportable under HIPAA, then reportable under FIPA 27 d. Develop a State notification letter 2. FIPA Clock runs faster than HIPAA a. Satisfied if HIPAA Breach notification is followed (60 days) 3. Review your BAA a. Does it include 10-day notice of breach? b. Should require security safeguards under HITECH c. Should apply to subcontractors under Omnibus 28 Settlements and Penalties 14

Recent Settlements and Penalties DATE ENTITY Amount Comments 29 June 2014 Parkview Health System, Inc. $800,000 Custody of 5-8k MR from retiring Dr. To be transitioned to new practices.

15 Recent Settlements and Penalties DATE ENTITY Amount Comments 29 June 2014 Parkview Health System, Inc. $800,000 Custody of 5-8k MR from retiring Dr. To be transitioned to new practices. Employees left 71 boxes of MR on the driveway of the Dr. May 2014 New York and Presbyterian Hospital (NYP) $3,000,000 Disclosed ephi of 6,800 patients to Google and other Internet search engines. No Risk Analysis or P&P for access April 2014 Concentra Health Services $1,725,220 Theft of unencrypted laptop from facility. Unknown number of patients affected. Risk Assessment listed critical risk for encryption

Breach Notification Remember State Law

Breach Notification Remember State Law Breach Notification HITECH: First federal law mandating breach notification for health care industry Applies to covered entities, business associates, PHR vendors, and PHR service providers FTC regulates