David C. Marshall, Esq. PACAH 2017 Spring Conference April 27, 2017

Size: px

Start display at page:

Download "David C. Marshall, Esq. PACAH 2017 Spring Conference April 27, 2017"

Harvey Poole
6 years ago
Views:

1 David C. Marshall, Esq. PACAH 2017 Spring Conference April 27, 2017

2 Privacy and security of patient information held by health care providers remains a concern of the federal government. More resources than ever are directed toward ensuring privacy and security of PHI. Increased penalties for violations, availability of whistleblower benefits, increased audits by the government. It s imperative for providers to secure patient information in their possession

3 HITECH Act Became law in 2009, but implementing regulations were not finalized until Compliance with the various requirements of the Act by September 23, 2013 The major change contained within HITECH dealt with the government s decision to place affirmative obligations on Covered Entities to advise patients when their information has been breached, and to self-disclose those breaches to the government

4 Review requirement to report breaches under HITECH Act Determine whether a reportable breach has occurred Review procedures for reporting a breach Understand new enforcement initiatives from Government and major risk areas for providers Discuss ways to minimize the occurrence of breaches

5 Basic Privacy Rule Unless required or allowed by law, disclosure of protected health information (PHI) is permitted only with consent or authorization of the patient. Examples of PHI Name Social security number Address Date of birth Photograph/Video/Image Health information in medical record PHI includes many common identifiers Includes Medicare number of patient

6 Breach Notification HITECH requires covered entities to notify individuals if their unsecured PHI has been breached Key terms Breach: the unauthorized acquisition, access, use, or disclosure of PHI which compromises the security or privacy of the PHI Unsecured PHI: PHI that isn t secured through use of a technology or methodology specified by the Secretary of Health or Human Services (i.e. Encryption of electronic PHI) Doesn t apply to PHI that has been secured!

7 Breach analysis Breach is presumed Unless there is a low probability that PHI was compromised Analysis is highly-fact specific Must address, at a minimum, the following four factors: 1. Nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification; Did the disclosure involve information that is of a more sensitive nature (financial information, such as SSN or credit card numbers, or clinical information, such as diagnosis or test results)? 2. Unauthorized person who used the PHI or to whom the disclosure was made; Was the disclosure made to another covered entity or business associate?

8 Breach analysis, continued Factors: 3. Whether PHI was actually acquired or viewed; and Or did there only exist an opportunity to view or acquire? 4. The extent to which any risk to PHI has been mitigated Was the information retrieved or were satisfactory assurances requested/received? Document, document, document! If you are going to conclude that no breach has occurred, then you must be able to support that determination

9 Exceptions - a breach does not include: Unintentional acquisition, access or use of PHI by a workforce member E.g., nurse mistakenly sends a billing employee an with resident PHI; Contrast - receptionist decides to look through a patient s file to learn of her friend s treatment An inadvertent disclosure to another authorized person at the same covered entity or business associate Disclosure where the covered entity or business associate had a good-faith belief that the unauthorized person to whom the information was disclosed would not reasonably be able to retain such information. E.g., nurse mistakenly hands a patient the discharge papers belonging to another patient, but she quickly realizes the mistake and recovers the PHI from the patient If it fits within an exception, then it s not a breach and therefore not reportable

10 Breach Notification Send individual notice of breach via first-class mail or e- mail (if individual specifies as a preference) within 60 days from the date the breach is discovered Special rules for big breaches involving 500 or more individuals Notice to media Must notify the Secretary of all breaches true selfreporting! Timing varies depending on the number of individuals affected: 500 or more notify within 60 days Less than 500 within 60 days of the end of the calendar year in which breach was discovered Notice is to be provided using online tool found on OCR website

11 Breach Notification Notice must written in plain language and must contain: Brief description of what happened, including the date of breach and date of discovery Description of the types of unsecured PHI that were involved in the breach Any steps individuals should take to protect themselves from potential harm resulting from the breach Brief description of what the covered entity is doing to investigate the breach, mitigate the harm to the individual, and protect against further breaches Contact procedures for individuals to ask questions or learn additional information, which must include a toll-free number, an address, Web site, or postal address

12 Nurse takes unauthorized photograph of resident and posts it on social media Note potential abuse impact under Survey & Certification Letter S&C: NH Resident documentation is mailed to erroneous address To another health care provider? To a private individual Facility posts/uses picture/video of resident in marketing materials or other publications without Authorization

13 Loss/theft of laptop or cell phone containing resident information Hacking of s or computer systems of provider Improper access of resident PHI by persons not authorized to view Discussions of resident PHI in presence of third parties

14 HHS Office of Civil Rights (OCR) responsible for HIPAA enforcement OCR conducts investigations based on received complaints and through its own compliance reviews of covered entities Since the compliance date of April 2003, OCR has received over 125,641HIPAA complaints. OCR resolved 96% of complaints received: through investigation and enforcement through investigation and finding no violation; through early intervention and providing technical assistance without the need for investigation and through closure of cases that were not eligible for enforcement

15 The compliance issues investigated most are, compiled cumulatively, in order of frequency: Impermissible uses and disclosures of PHI; Lack of safeguards of PHI; Lack of patient access to their PHI; Lack of administrative safeguards of electronic PHI; and Uses or disclosures of more than the minimum necessary PHI The most common types of covered entities that have been required to take corrective action to achieve voluntary compliance are, in order of frequency: Private Practices; General Hospitals; Outpatient Facilities; Health Plans (group health plans and health insurance issuers); and, Pharmacies

16 HITECH requires HHS to conduct periodic audits to ensure covered entities and business associates are complying with the HIPAA Privacy and Security Rules and Breach Notification standards. Phase 1 Audits OCR piloted a program to perform 115 audits of covered entities to assess privacy and security compliance. Audits conducted during the pilot phase began November 2011 and concluded in December

17 Phase 2 Audits July 11, 2016 OCR selected 167 covered entities and business associates for audit; Ultimately, entities will be selected for audit Primarily desk audits, but some site reviews OCR will review policies, procedures, training materials; Focusing on: Notice of Privacy Practices Right to Access Policy Breach Notification (timeliness and content of notice) Security Rule Risk Analysis and Risk Management Training on policies and procedures Device and media controls On-site audits to begin in early

18 Notable Settlements Memorial Healthcare System, a nonprofit health system with 6 hospitals, paid $5.5 million to resolve issues relating to the impermissible disclosure of PHI of 115,143 individuals had been inappropriately accessed by its current and former employees Login credentials of a former employee not changed, so PHI was inappropriately accessed externally and internally MHS had no procedures regarding termination of access to information upon cessation of employment

19 Notable settlements New York and Presbyterian Hospital and Columbia University Disclosure of ephi of 6,800 individuals resulting from a physician attempting to deactivate a personally-owned computer server on the network In addition to the impermissible disclosure, OCR also found that neither entity Made efforts prior to the breach to assure that the server was secure and that it contained appropriate software protections Conducted an accurate and thorough risk analysis and therefore neither had developed an adequate risk management plan that addressed potential threats to security of ephi $4.8 million settlement

20 Notable settlements, continued Dermatology practice Unencrypted thumb drive containing ephi of approximately 2,200 individuals was stolen from staff member s vehicle OCR found that the practice: Hadn t conducted an accurate and thorough analysis of the potential risk to the confidentiality of ephi and Didn t comply with the requirements of the Breach Notification Rule to have in place written policies and procedures to train workforce members $150,000 settlement

21 Notable settlements, continued Idaho State University Breach of ephi of approximately 17,500 patients, which was unsecured for at least 10 months due to the disabling of firewall protections on the servers $400,000 settlement Hospice provider Unencrypted laptop containing ephi of 441 patients had been stolen OCR found that the provider hadn t conducted a risk analysis to safeguard ephi and didn t have policies or procedures to address mobile device security First settlement involving a breach of ephi affecting fewer than

22 Use of mobile devices is a big risk area HHS/OCR Wall of Shame shows that since the breach reporting requirement became law, 372 reported thefts or losses of laptops or other portable electronics HHS/OCR takes particular interest in these types of cases In 2014, Concentra paid HHS $1,725,220 to resolve potential violations stemming from stolen, unencrypted laptop OCR says, Encryption is your best defense

23 What is it? Method of converting an original message of regular text into encoded text. The text is encrypted by means of an algorithm (type of formula). If information is encrypted, there would be a low probability that anyone other than the receiving party who has the key to the code or access to another confidential process would be able to decrypt (translate) the text and convert it into plain, comprehensible text. If PHI is encrypted, there is no breach and no breach notification is required

24 BUT, encryption is not mandated by the Security Rule. The encryption implementation specification is addressable meaning it must be implemented if reasonable and appropriate If it s not, then must choose another alternative that is reasonable and appropriate Cost issues!

25 Perform an annual risk assessment OCR has published a security risk assessment tool, available at its website. Designed to help providers conduct and document a risk assessment in a thorough, organized fashion at their own pace by allowing them to assess security risks in their organizations Allows providers to uncover potential weaknesses and address vulnerabilities, potentially preventing data breaches or other adverse security events

26 Update policies and procedures, as needed, and train staff on any changes If HIPAA policies/procedures were last updated before 2009, they are not compliant Consider encryption of electronic transmissions, mobile devices and media containing electronic protected health information, particularly USB/thumb drives. Before sending a Fax containing PHI, confirm that the recipient is authorized to receive PHI Evaluate your mobile devices, data destruction, and data transmission policies and practices Educate employees on not leaving electronic devices or paper records unattended

27 Laptops, ipads and Smart Phones All devices should have passwords Do not store PHI on the hard drive of device Do not leave in car or unattended Immediately report theft or loss Must be able to erase access to /records system, and be able to determine if anyone can gain access to PHI through the device Can you remotely wipe the lost/stolen device? This is the #1 type of HIPAA violation being enforced now

28 Avoid Unintended Disclosures Do not leave PHI open on desk for non-facility personnel to view Do not leave PHI open on your computer for nonfacility personnel to view turn off at night Lock office doors at night if leaving PHI out; File PHI so it s not left open on desks Make sure computer is password protected; If viewing PHI on screen, make sure to shut off if you leave desk for a period of time

29 Removing Physical Files from Office How can you secure the information outside of office? Will others be able to view the materials? Do not leave in car or otherwise unattended Immediately report loss of a file Working Remotely from Home Is your home computer password protected? Does your home computer have virus protection? The same issues you have at work would apply at home when you are working remotely Home encryption capability?

30 Thoroughly document the investigation of potential breaches Make sure that breach notification is provided timely and includes all of the required elements Both to the resident and to OCR Internal risk assessments/audits and followup training are key to HIPAA compliance

31 David C. Marshall, Esq. Latsha Davis & McKenna, P.C Bent Creek Blvd., Suite 140 Mechanicsburg, PA Phone (717)

HIPAA-HITECH: Privacy & Security Updates for 2015

South Atlantic Regional Annual Conference Orlando, FL February 6, 2015 1 HIPAA-HITECH: Privacy & Security Updates for 2015 Darrell W. Contreras, Esq., LHRM Gregory V. Kerr, CHPC, CHC Agenda 2 OCR On-Site