DATA PRIVACY & SECURITY THE CHANGING HIPAA CLIMATE

Size: px

Start display at page:

Download "DATA PRIVACY & SECURITY THE CHANGING HIPAA CLIMATE"

George Nichols
5 years ago
Views:

DATA PRIVACY & SECURITY THE CHANGING HIPAA CLIMATE Melodi (Mel) M. Gates mgates@pattonboggs.

1 DATA PRIVACY & SECURITY THE CHANGING HIPAA CLIMATE Melodi (Mel) M. Gates (303) October 25, 2013 THE CHANGING PRIVACY CLIMATE z HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT (HIPAA) HISTORY 1996: HIPAA Enacted 2000: Privacy Rule Issued (Amended in 2002) 2003: Security Rule, Enforcement Rule (Interim) Issued 2006: Enforcement Rule Issued 2009: Health Information Technology for Economic and Clinical Health (HITECH) Act Enacted Increases Patient Rights & Provider Obligations Heightens Enforcement through Increased Penalties & Proactive Audits 2009: HITECH Enforcement (Interim) and Breach Notification (Interim) Rules Issued 2010: HITECH Changes to HIPAA Regulations Proposed 2013: Final Omnibus HIPAA Regulations Issued 1

2 HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT (HIPAA) BASICS Regulations are Organized into Four Key Rules 1. The Security Rule establishes requirements for safeguarding PHI. 2. The Breach Notification Rule sets requirements for notifying affected patients, the HHS Secretary, and the media in the event of certain data breaches. 3. The Privacy Rule defines regulations regarding permitted uses & disclosures of PHI and patient rights. 4. The Enforcement Rule defines administrative processes for investigations and sanctions. THE HIPAA OMNIBUS RULE EFFECTIVE SEPT 23, 2013 Four Sets of Regulations Final Modifications to the HIPAA Privacy, Security, and Enforcement Rules, as called for under the Health Information Technology for Economic & Clinical Health (HITECH) Act, and proposed in July 2010; Final adoption of changes to the HIPAA Enforcement Rule s increased and tiered civil monetary penalties, as required under the HITECH Act and issued as an interim final rule in October 2009; Final Breach Notification Rule, also authorized under HITECH and published as an interim final rule in August 2009; and The final rules implementing added protections for genetic information to the Privacy Rule, as required by the Genetic Information Nondiscrimination Act (GINA). KEY HITECH ISSUES Regulatory authority extended to Business Associates & Subcontractors Service providers who create, receive, maintain or transmit protected health information (PHI) on behalf of HIPAA covered entities. Updated Business Associate Agreements should be in place by Sept. 23, 2013 (with an extra year for certain existing agreements) Sales of PHI prohibited Restrictions on Marketing Uses of PHI without Patient Authorization Certain Requests for Restrictions by Patients Must be Honored Disclosures regarding self-pay services to payers Changes to Patient Access Rights Electronic Health Records 2

KEY HITECH ISSUES Breach Notification The acquisition, access, use, or disclosure of PHI in a manner not permitted under the HIPAA regulations which compromises the security or privacy of the PHI.

3 KEY HITECH ISSUES Breach Notification The acquisition, access, use, or disclosure of PHI in a manner not permitted under the HIPAA regulations which compromises the security or privacy of the PHI. Events are PRESUMED to be breaches unless risk assessment demonstrates otherwise, by considering: (1) the actual PHI involved, including the data elements and likelihood of identifying an individual; (2) the unauthorized person who used or received the PHI; (3) whether the PHI was actually acquired or viewed; and (4) whether and to what extent any risks have been mitigated. Exceptions may apply: (1) Unintentional, good faith access to PHI by a workforce member (2) Inadvertent disclosure within a Covered Entity or Business Associate organization (3) Disclosures where the Covered Entity or Business Associate has a good faith belief that the recipient would not have been able to retain the PHI FIVE THINGS YOU CAN DO NOW TO ENHANCE COMPLIANCE & LOWER RISK 1. Inventory the locations and manner in which protected health information is stored. 2. Perform a periodic risk analysis and follow up on identified issues. 3. Know your Business Associates by maintaining a detailed listing and engaging in reasonable governance/oversight. 4. Prepare your Breach Response & Notification Plan. 5. Organize and maintain program documentation. Carrie Harding, MPH, CHC, CHPS CTL Consulting Group carrieharding@ctlconsulting.net 3

4 NOTABLE NOTIFICATIONS AFFINITY HEALTH PLAN Photocopier Breach Up to 344,579 individuals $1,215,780 Resolution Amount HOSPICE OF NORTH IDAHO Laptop computer theft 441 individuals $50,000 Resolution Amount NOTABLE NOTIFICATIONS WELLPOINT, INC. Website glitch Approx. 612,000 individuals $1,700,000 Resolution Amount CVS PHARMACY, INC. Non-secure Disposal of PHI Individuals from over 6,300 pharmacies $2,250,000Resolution Amount BREACH Breach NOTIFICATION Response Identification Investigations Operational considerations Working with regulatory agencies 4

5 BREACH RESPONSE Documentation Risk Assessment Interaction with Individuals Mitigation Notification BAA WHAT ABOUT Breach Drill(s) Compliance Team Management Team Other Departments/Teams Vendor Review Who can help when breach occurs? 5

ALSO CONSIDER Case Studies/Education Resources Other Departments Media Office for Civil Rights (OCR) Professional Associations RESOURCES HHS/Office for Civil Rights (OCR) http://www.hhs.

6 ALSO CONSIDER Case Studies/Education Resources Other Departments Media Office for Civil Rights (OCR) Professional Associations RESOURCES HHS/Office for Civil Rights (OCR) Audit Protocols: Breach Notification & Encryption Guidance: Nat l Institute of Standards & Technology (NIST) Standards & Guidance Documents: Cybersecurity Framework: 6

HIPAA-HITECH: Privacy & Security Updates for 2015

South Atlantic Regional Annual Conference Orlando, FL February 6, 2015 1 HIPAA-HITECH: Privacy & Security Updates for 2015 Darrell W. Contreras, Esq., LHRM Gregory V. Kerr, CHPC, CHC Agenda 2 OCR On-Site