David C. Marshall, Esq. PACAH 2017 Spring Conference April 27, 2017


Privacy and security of patient information held by health care providers remains a concern of the federal government. More resources than ever are directed toward ensuring the privacy and security of PHI: increased penalties for violations, availability of whistleblower benefits, and increased audits by the government. It's imperative for providers to secure the patient information in their possession.

HITECH Act
Became law in 2009, but implementing regulations were not finalized until 2013. Compliance with the various requirements of the Act was required by September 23, 2013. The major change contained within HITECH dealt with the government's decision to place affirmative obligations on Covered Entities to advise patients when their information has been breached, and to self-disclose those breaches to the government.

- Review the requirement to report breaches under the HITECH Act
- Determine whether a reportable breach has occurred
- Review procedures for reporting a breach
- Understand new enforcement initiatives from the government and major risk areas for providers
- Discuss ways to minimize the occurrence of breaches

Basic Privacy Rule
Unless required or allowed by law, disclosure of protected health information (PHI) is permitted only with the consent or authorization of the patient.
Examples of PHI:
- Name
- Social Security number
- Address
- Date of birth
- Photograph/video/image
- Health information in the medical record
PHI includes many common identifiers, including the patient's Medicare number.

Breach Notification
HITECH requires covered entities to notify individuals if their unsecured PHI has been breached.
Key terms:
- Breach: the unauthorized acquisition, access, use, or disclosure of PHI which compromises the security or privacy of the PHI
- Unsecured PHI: PHI that isn't secured through use of a technology or methodology specified by the Secretary of Health and Human Services (e.g., encryption of electronic PHI)
The notification requirement doesn't apply to PHI that has been secured!

Breach analysis
A breach is presumed unless there is a low probability that the PHI was compromised. The analysis is highly fact-specific and must address, at a minimum, the following four factors:
1. The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification. Did the disclosure involve information of a more sensitive nature (financial information, such as SSN or credit card numbers, or clinical information, such as diagnosis or test results)?
2. The unauthorized person who used the PHI or to whom the disclosure was made. Was the disclosure made to another covered entity or business associate?

Breach analysis, continued
3. Whether the PHI was actually acquired or viewed, or whether there only existed an opportunity to view or acquire it.
4. The extent to which any risk to the PHI has been mitigated. Was the information retrieved, or were satisfactory assurances requested/received?
Document, document, document! If you are going to conclude that no breach has occurred, then you must be able to support that determination.

Exceptions - a breach does not include:
- Unintentional acquisition, access or use of PHI by a workforce member. E.g., a nurse mistakenly sends a billing employee an email with resident PHI. Contrast: a receptionist decides to look through a patient's file to learn of her friend's treatment.
- An inadvertent disclosure to another authorized person at the same covered entity or business associate.
- A disclosure where the covered entity or business associate had a good-faith belief that the unauthorized person to whom the information was disclosed would not reasonably be able to retain such information. E.g., a nurse mistakenly hands a patient the discharge papers belonging to another patient, but she quickly realizes the mistake and recovers the PHI from the patient.
If it fits within an exception, then it's not a breach and therefore not reportable.

Breach Notification
- Send individual notice of the breach via first-class mail or e-mail (if the individual specifies e-mail as a preference) within 60 days from the date the breach is discovered.
- Special rules for big breaches involving 500 or more individuals: notice to the media.
- Must notify the Secretary of all breaches: true self-reporting! Timing varies depending on the number of individuals affected:
  - 500 or more: notify within 60 days
  - Fewer than 500: within 60 days of the end of the calendar year in which the breach was discovered
- Notice is to be provided using the online tool found on the OCR website.

Breach Notification
The notice must be written in plain language and must contain:
- A brief description of what happened, including the date of the breach and the date of discovery
- A description of the types of unsecured PHI that were involved in the breach
- Any steps individuals should take to protect themselves from potential harm resulting from the breach
- A brief description of what the covered entity is doing to investigate the breach, mitigate the harm to individuals, and protect against further breaches
- Contact procedures for individuals to ask questions or learn additional information, which must include a toll-free number, an e-mail address, web site, or postal address
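As an added example (not part of the presentation), here is a small Python helper that encodes the breach-notification logic summarized on the preceding slides: the secured-PHI carve-out, the three exceptions, the four-factor rebuttal of the breach presumption (which it refuses to accept unless every factor is documented), and the 60-day and 500-individual notification deadlines. The class and function names, the exception keys and the sample dates and counts are my own assumptions.

```python
# Constructed decision helper for the HITECH breach-notification rules above.
# Not the presenter's tool; names, keys and sample inputs are assumptions.
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

SIXTY_DAYS = timedelta(days=60)
LARGE_BREACH = 500  # 500 or more individuals: media notice, HHS notified within 60 days

# The "at a minimum" four factors of the risk assessment; a no-breach
# conclusion must be supported by a written finding for every one of them.
FOUR_FACTORS = ("nature_and_extent", "unauthorized_recipient",
                "actually_acquired_or_viewed", "mitigation")

# The three exceptions: events that are not a breach at all.
EXCEPTIONS = {
    "unintentional_workforce": "unintentional acquisition, access or use by a workforce member",
    "inadvertent_internal": "inadvertent disclosure to another authorized person at the same entity",
    "cannot_retain": "good-faith belief the recipient could not reasonably retain the PHI",
}

@dataclass
class Incident:
    discovered: date
    affected: int
    phi_secured: bool = False        # encrypted (or otherwise secured per HHS guidance)
    exception: Optional[str] = None  # key of EXCEPTIONS, if one applies
    low_probability: bool = False    # conclusion reached by the four-factor analysis
    analysis: dict = field(default_factory=dict)  # factor name -> written finding

@dataclass
class Decision:
    reportable: bool
    reason: str
    individual_notice_by: Optional[date] = None
    media_notice: bool = False
    hhs_notice_by: Optional[date] = None

def hhs_deadline(discovered: date, affected: int) -> date:
    """500+: within 60 days of discovery; fewer: within 60 days of calendar year end."""
    if affected >= LARGE_BREACH:
        return discovered + SIXTY_DAYS
    return date(discovered.year, 12, 31) + SIXTY_DAYS

def assess(inc: Incident) -> Decision:
    if inc.phi_secured:
        return Decision(False, "PHI was secured (e.g. encrypted): not 'unsecured PHI'")
    if inc.exception is not None:
        if inc.exception not in EXCEPTIONS:
            raise ValueError(f"unknown exception {inc.exception!r}")
        return Decision(False, "exception applies: " + EXCEPTIONS[inc.exception])
    if inc.low_probability:
        missing = [f for f in FOUR_FACTORS if not inc.analysis.get(f)]
        if missing:  # presumption cannot be rebutted without documenting each factor
            raise ValueError(f"no-breach conclusion unsupported; undocumented: {missing}")
        return Decision(False, "documented four-factor analysis: low probability of compromise")
    return Decision(True, "breach presumed: notify individuals and HHS",
                    individual_notice_by=inc.discovered + SIXTY_DAYS,
                    media_notice=inc.affected >= LARGE_BREACH,
                    hhs_notice_by=hhs_deadline(inc.discovered, inc.affected))

if __name__ == "__main__":
    # Constructed scenario modelled on the stolen-laptop settlement: 441 patients, no encryption.
    print(assess(Incident(date(2017, 3, 1), 441)))
```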

- A nurse takes an unauthorized photograph of a resident and posts it on social media (note the potential abuse impact under Survey & Certification Letter S&C: 16-33-NH)
- Resident documentation is mailed to an erroneous address: to another health care provider? To a private individual?
- A facility posts/uses a picture/video of a resident in marketing materials or other publications without authorization

- Loss/theft of a laptop or cell phone containing resident information
- Hacking of the provider's emails or computer systems
- Improper access of resident PHI by persons not authorized to view it
- Discussions of resident PHI in the presence of third parties

The HHS Office for Civil Rights (OCR) is responsible for HIPAA enforcement. OCR conducts investigations based on received complaints and through its own compliance reviews of covered entities. Since the compliance date of April 2003, OCR has received over 125,641 HIPAA complaints. OCR resolved 96% of the complaints received: through investigation and enforcement; through investigation and finding no violation; through early intervention and providing technical assistance without the need for investigation; and through closure of cases that were not eligible for enforcement.

The compliance issues investigated most often are, compiled cumulatively, in order of frequency:
1. Impermissible uses and disclosures of PHI;
2. Lack of safeguards of PHI;
3. Lack of patient access to their PHI;
4. Lack of administrative safeguards of electronic PHI; and
5. Uses or disclosures of more than the minimum necessary PHI.
The most common types of covered entities that have been required to take corrective action to achieve voluntary compliance are, in order of frequency:
1. Private practices;
2. General hospitals;
3. Outpatient facilities;
4. Health plans (group health plans and health insurance issuers); and
5. Pharmacies.

HITECH requires HHS to conduct periodic audits to ensure covered entities and business associates are complying with the HIPAA Privacy and Security Rules and Breach Notification standards.
Phase 1 Audits: OCR piloted a program to perform 115 audits of covered entities to assess privacy and security compliance. Audits conducted during the pilot phase began in November 2011 and concluded in December 2012.

Phase 2 Audits
- On July 11, 2016, OCR selected 167 covered entities and business associates for audit; ultimately, 200-250 entities will be selected for audit
- Primarily desk audits, but some site reviews
- OCR will review policies, procedures and training materials, focusing on:
  - Notice of Privacy Practices
  - Right to Access policy
  - Breach Notification (timeliness and content of notice)
  - Security Rule risk analysis and risk management
  - Training on policies and procedures
  - Device and media controls
- On-site audits to begin in early 2017

Notable Settlements
Memorial Healthcare System, a nonprofit health system with 6 hospitals, paid $5.5 million to resolve issues relating to the impermissible disclosure of PHI: the PHI of 115,143 individuals had been inappropriately accessed by its current and former employees.
- The login credentials of a former employee were not changed, so PHI was inappropriately accessed externally and internally
- MHS had no procedures regarding termination of access to information upon cessation of employment

Notable settlements
New York and Presbyterian Hospital and Columbia University: disclosure of the ePHI of 6,800 individuals resulting from a physician attempting to deactivate a personally-owned computer server on the network. In addition to the impermissible disclosure, OCR also found that neither entity had:
- Made efforts prior to the breach to assure that the server was secure and that it contained appropriate software protections
- Conducted an accurate and thorough risk analysis; therefore neither had developed an adequate risk management plan that addressed potential threats to the security of ePHI
$4.8 million settlement

Notable settlements, continued
Dermatology practice: an unencrypted thumb drive containing the ePHI of approximately 2,200 individuals was stolen from a staff member's vehicle. OCR found that the practice:
- Hadn't conducted an accurate and thorough analysis of the potential risk to the confidentiality of ePHI, and
- Didn't comply with the requirements of the Breach Notification Rule to have in place written policies and procedures to train workforce members
$150,000 settlement

Notable settlements, continued
Idaho State University: breach of the ePHI of approximately 17,500 patients, which was unsecured for at least 10 months due to the disabling of firewall protections on the servers. $400,000 settlement.
Hospice provider: an unencrypted laptop containing the ePHI of 441 patients had been stolen. OCR found that the provider hadn't conducted a risk analysis to safeguard ePHI and didn't have policies or procedures to address mobile device security. This was the first settlement involving a breach of ePHI affecting fewer than 500 individuals.

Use of mobile devices is a big risk area. The HHS/OCR "Wall of Shame" shows that since the breach reporting requirement became law, there have been 372 reported thefts or losses of laptops or other portable electronics. HHS/OCR takes particular interest in these types of cases: in 2014, Concentra paid HHS $1,725,220 to resolve potential violations stemming from a stolen, unencrypted laptop. OCR says, "Encryption is your best defense."

Encryption: what is it?
A method of converting an original message of regular text into encoded text. The text is encrypted by means of an algorithm (a type of formula). If information is encrypted, there is a low probability that anyone other than the receiving party who has the key to the code, or access to another confidential process, would be able to decrypt (translate) the text and convert it into plain, comprehensible text. If PHI is encrypted, there is no breach and no breach notification is required.

BUT, encryption is not mandated by the Security Rule. The encryption implementation specification is "addressable," meaning it must be implemented if reasonable and appropriate. If it's not, then the entity must choose another alternative that is reasonable and appropriate. Cost issues!

Perform an annual risk assessment. OCR has published a security risk assessment tool, available on its website. It is designed to help providers conduct and document a risk assessment in a thorough, organized fashion at their own pace by allowing them to assess the security risks in their organizations. It allows providers to uncover potential weaknesses and address vulnerabilities, potentially preventing data breaches or other adverse security events.

- Update policies and procedures, as needed, and train staff on any changes. If HIPAA policies/procedures were last updated before 2009, they are not compliant.
- Consider encryption of electronic transmissions, mobile devices and media containing electronic protected health information, particularly USB/thumb drives.
- Before sending a fax containing PHI, confirm that the recipient is authorized to receive PHI.
- Evaluate your mobile device, data destruction, and data transmission policies and practices.
- Educate employees on not leaving electronic devices or paper records unattended.

Laptops, iPads and Smart Phones
- All devices should have passwords
- Do not store PHI on the hard drive of the device
- Do not leave in a car or unattended
- Immediately report theft or loss
- Must be able to erase access to the email/records system, and be able to determine if anyone can gain access to PHI through the device. Can you remotely wipe the lost/stolen device?
This is the #1 type of HIPAA violation being enforced now.

Avoid Unintended Disclosures
- Do not leave PHI open on your desk for non-facility personnel to view
- Do not leave PHI open on your computer for non-facility personnel to view; turn it off at night
- Lock office doors at night if leaving PHI out; file PHI so it's not left open on desks
- Make sure your computer is password protected; if viewing PHI on screen, make sure to shut it off if you leave your desk for a period of time

Removing Physical Files from the Office
- How can you secure the information outside of the office? Will others be able to view the materials?
- Do not leave in a car or otherwise unattended
- Immediately report the loss of a file
Working Remotely from Home
- Is your home computer password protected?
- Does your home computer have virus protection?
- Home encryption capability?
- The same issues you have at work would apply at home when you are working remotely

- Thoroughly document the investigation of potential breaches
- Make sure that breach notification is provided timely and includes all of the required elements, both to the resident and to OCR
- Internal risk assessments/audits and follow-up training are key to HIPAA compliance

David C. Marshall, Esq.
Latsha Davis & McKenna, P.C.
1700 Bent Creek Blvd., Suite 140
Mechanicsburg, PA 17050
Phone (717) 620-2424
Email: dmarshall@ldylaw.com