David C. Marshall, Esq.
PACAH 2017 Spring Conference
April 27, 2017
Privacy and security of patient information held by health care providers remain a concern of the federal government. More resources than ever are directed toward ensuring the privacy and security of PHI: increased penalties for violations, availability of whistleblower benefits, and increased audits by the government. It is imperative for providers to secure the patient information in their possession.
1464795 2
HITECH Act
- Became law in 2009, but implementing regulations were not finalized until 2013.
- Compliance with the various requirements of the Act was required by September 23, 2013.
- The major change contained within HITECH dealt with the government's decision to place affirmative obligations on Covered Entities to advise patients when their information has been breached, and to self-disclose those breaches to the government.
- Review the requirement to report breaches under the HITECH Act
- Determine whether a reportable breach has occurred
- Review procedures for reporting a breach
- Understand new enforcement initiatives from the government and major risk areas for providers
- Discuss ways to minimize the occurrence of breaches
Basic Privacy Rule
- Unless required or allowed by law, disclosure of protected health information (PHI) is permitted only with the consent or authorization of the patient.
- Examples of PHI:
  - Name
  - Social Security number
  - Address
  - Date of birth
  - Photograph/video/image
  - Health information in the medical record
- PHI includes many common identifiers, including the patient's Medicare number
Breach Notification
- HITECH requires covered entities to notify individuals if their unsecured PHI has been breached
- Key terms:
  - Breach: the unauthorized acquisition, access, use, or disclosure of PHI which compromises the security or privacy of the PHI
  - Unsecured PHI: PHI that isn't secured through use of a technology or methodology specified by the Secretary of Health and Human Services (i.e., encryption of electronic PHI)
- Doesn't apply to PHI that has been secured!
Breach analysis
- A breach is presumed unless there is a low probability that the PHI was compromised
- The analysis is highly fact-specific
- Must address, at a minimum, the following four factors:
  1. Nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification
     - Did the disclosure involve information of a more sensitive nature (financial information, such as SSN or credit card numbers, or clinical information, such as diagnosis or test results)?
  2. The unauthorized person who used the PHI or to whom the disclosure was made
     - Was the disclosure made to another covered entity or business associate?
Breach analysis, continued
- Factors:
  3. Whether the PHI was actually acquired or viewed
     - Or did there only exist an opportunity to view or acquire it?
  4. The extent to which any risk to the PHI has been mitigated
     - Was the information retrieved, or were satisfactory assurances requested/received?
- Document, document, document! If you are going to conclude that no breach has occurred, then you must be able to support that determination.
Exceptions - a breach does not include:
- Unintentional acquisition, access or use of PHI by a workforce member
  - E.g., a nurse mistakenly sends a billing employee an email with resident PHI
  - Contrast: a receptionist decides to look through a patient's file to learn of her friend's treatment
- An inadvertent disclosure to another authorized person at the same covered entity or business associate
- A disclosure where the covered entity or business associate had a good-faith belief that the unauthorized person to whom the information was disclosed would not reasonably be able to retain such information
  - E.g., a nurse mistakenly hands a patient the discharge papers belonging to another patient, but she quickly realizes the mistake and recovers the PHI from the patient
- If it fits within an exception, then it's not a breach and therefore not reportable
Breach Notification
- Send individual notice of the breach via first-class mail or e-mail (if the individual specifies it as a preference) within 60 days from the date the breach is discovered
- Special rules for big breaches involving 500 or more individuals: notice to the media
- Must notify the Secretary of all breaches (true self-reporting!). Timing varies depending on the number of individuals affected:
  - 500 or more: notify within 60 days
  - Fewer than 500: within 60 days of the end of the calendar year in which the breach was discovered
- Notice is to be provided using the online tool found on the OCR website
Breach Notification
- Notice must be written in plain language and must contain:
  - A brief description of what happened, including the date of the breach and the date of discovery
  - A description of the types of unsecured PHI that were involved in the breach
  - Any steps individuals should take to protect themselves from potential harm resulting from the breach
  - A brief description of what the covered entity is doing to investigate the breach, mitigate the harm to the individual, and protect against further breaches
  - Contact procedures for individuals to ask questions or learn additional information, which must include a toll-free number, an e-mail address, Web site, or postal address
- A nurse takes an unauthorized photograph of a resident and posts it on social media
  - Note the potential abuse impact under Survey & Certification Letter S&C: 16-33-NH
- Resident documentation is mailed to an erroneous address
  - To another health care provider?
  - To a private individual?
- The facility posts/uses a picture/video of a resident in marketing materials or other publications without authorization
- Loss/theft of a laptop or cell phone containing resident information
- Hacking of the provider's emails or computer systems
- Improper access of resident PHI by persons not authorized to view it
- Discussions of resident PHI in the presence of third parties
- The HHS Office for Civil Rights (OCR) is responsible for HIPAA enforcement
- OCR conducts investigations based on received complaints and through its own compliance reviews of covered entities
- Since the compliance date of April 2003, OCR has received over 125,641 HIPAA complaints.
- OCR resolved 96% of the complaints received:
  - through investigation and enforcement;
  - through investigation and finding no violation;
  - through early intervention and providing technical assistance without the need for investigation; and
  - through closure of cases that were not eligible for enforcement.
- The compliance issues investigated most, compiled cumulatively, are, in order of frequency:
  - Impermissible uses and disclosures of PHI;
  - Lack of safeguards of PHI;
  - Lack of patient access to their PHI;
  - Lack of administrative safeguards of electronic PHI; and
  - Uses or disclosures of more than the minimum necessary PHI
- The most common types of covered entities that have been required to take corrective action to achieve voluntary compliance are, in order of frequency:
  - Private practices;
  - General hospitals;
  - Outpatient facilities;
  - Health plans (group health plans and health insurance issuers); and
  - Pharmacies.
- HITECH requires HHS to conduct periodic audits to ensure covered entities and business associates are complying with the HIPAA Privacy and Security Rules and Breach Notification standards.
- Phase 1 Audits
  - OCR piloted a program to perform 115 audits of covered entities to assess privacy and security compliance.
  - Audits conducted during the pilot phase began in November 2011 and concluded in December 2012.
Phase 2 Audits
- On July 11, 2016, OCR selected 167 covered entities and business associates for audit; ultimately, 200-250 entities will be selected for audit
- Primarily desk audits, but some site reviews
- OCR will review policies, procedures, and training materials, focusing on:
  - Notice of Privacy Practices
  - Right to Access policy
  - Breach Notification (timeliness and content of notice)
  - Security Rule risk analysis and risk management
  - Training on policies and procedures
  - Device and media controls
- On-site audits to begin in early 2017
Notable Settlements
- Memorial Healthcare System, a nonprofit health system with 6 hospitals, paid $5.5 million to resolve issues relating to the impermissible disclosure of PHI: the PHI of 115,143 individuals had been inappropriately accessed by its current and former employees
  - The login credentials of a former employee were not changed, so PHI was inappropriately accessed externally and internally
  - MHS had no procedures regarding termination of access to information upon cessation of employment
Notable settlements
- New York and Presbyterian Hospital and Columbia University
  - Disclosure of the ePHI of 6,800 individuals resulting from a physician attempting to deactivate a personally-owned computer server on the network
  - In addition to the impermissible disclosure, OCR also found that neither entity:
    - Made efforts prior to the breach to assure that the server was secure and that it contained appropriate software protections
    - Conducted an accurate and thorough risk analysis; therefore neither had developed an adequate risk management plan that addressed potential threats to the security of ePHI
  - $4.8 million settlement
Notable settlements, continued
- Dermatology practice
  - An unencrypted thumb drive containing the ePHI of approximately 2,200 individuals was stolen from a staff member's vehicle
  - OCR found that the practice:
    - Hadn't conducted an accurate and thorough analysis of the potential risk to the confidentiality of ePHI, and
    - Didn't comply with the requirements of the Breach Notification Rule to have in place written policies and procedures and to train workforce members
  - $150,000 settlement
Notable settlements, continued
- Idaho State University
  - Breach of the ePHI of approximately 17,500 patients, which was unsecured for at least 10 months due to the disabling of firewall protections on the servers
  - $400,000 settlement
- Hospice provider
  - An unencrypted laptop containing the ePHI of 441 patients had been stolen
  - OCR found that the provider hadn't conducted a risk analysis to safeguard ePHI and didn't have policies or procedures to address mobile device security
  - First settlement involving a breach of ePHI affecting fewer than 500 individuals
- Use of mobile devices is a big risk area
- The HHS/OCR "Wall of Shame" shows that since the breach reporting requirement became law, there have been 372 reported thefts or losses of laptops or other portable electronics
- HHS/OCR takes particular interest in these types of cases
  - In 2014, Concentra paid HHS $1,725,220 to resolve potential violations stemming from a stolen, unencrypted laptop
- OCR says, "Encryption is your best defense"
What is it?
- A method of converting an original message of regular text into encoded text.
- The text is encrypted by means of an algorithm (a type of formula).
- If information is encrypted, there is a low probability that anyone other than the receiving party, who has the key to the code or access to another confidential process, would be able to decrypt (translate) the text and convert it into plain, comprehensible text.
- If PHI is encrypted, there is no breach and no breach notification is required
- BUT, encryption is not mandated by the Security Rule.
- The encryption implementation specification is "addressable," meaning it must be implemented if reasonable and appropriate
- If it's not, then the entity must choose another alternative that is reasonable and appropriate
- Cost issues!
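The two slides above state the reason encrypted PHI is treated as "secured": without the key, the stored bytes cannot be turned back into comprehensible text. The following program is an added illustration written for this page, not code from the presentation or from any vendor it mentions. It uses Go's standard-library AES-256-GCM to seal a constructed resident record (the record text, key handling and function names are all assumptions made for the example) and then shows that decrypting with the wrong key, or after the stored ciphertext has been altered, fails rather than yielding readable PHI. That second property is why an authenticated mode such as GCM is preferred over bare block encryption for data at rest on laptops and thumb drives.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// newKey returns a fresh 32-byte key for AES-256 drawn from the OS CSPRNG.
// In a real deployment the key would live in a key manager or TPM, never
// on the same device as the ciphertext it protects.
func newKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

// encryptPHI seals plaintext under key with AES-GCM.
// Output layout: nonce || ciphertext || 16-byte authentication tag.
func encryptPHI(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A unique random nonce per record; reusing one under the same key
	// would break GCM's confidentiality guarantee.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// decryptPHI reverses encryptPHI. It returns an error, and no plaintext,
// if the key is wrong or if any byte of the sealed record was modified.
func decryptPHI(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed record too short to contain a nonce")
	}
	nonce, ciphertext := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ciphertext, nil)
}

func main() {
	// Constructed sample record; not real patient data.
	record := []byte("Resident: Jane Sample, DOB 1941-03-02, Dx: CHF")

	key, err := newKey()
	if err != nil {
		panic(err)
	}
	sealed, err := encryptPHI(key, record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored on device (%d bytes, unreadable without key): %x...\n", len(sealed), sealed[:8])

	plain, err := decryptPHI(key, sealed)
	fmt.Printf("correct key  -> %q (err=%v)\n", plain, err)

	wrongKey, _ := newKey()
	_, err = decryptPHI(wrongKey, sealed)
	fmt.Printf("wrong key    -> no plaintext, err=%v\n", err)

	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit of the tag
	_, err = decryptPHI(key, tampered)
	fmt.Printf("tampered     -> no plaintext, err=%v\n", err)
}
```

Running it prints the recovered record for the correct key and an authentication error for the other two cases. For the breach analysis on the earlier slides this is the point that matters: a lost device holding only the sealed bytes, with the key held elsewhere, leaves a low probability that the PHI was compromised, whereas a device holding the key alongside the data does not.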
- Perform an annual risk assessment
  - OCR has published a security risk assessment tool, available on its website.
  - Designed to help providers conduct and document a risk assessment in a thorough, organized fashion at their own pace by allowing them to assess security risks in their organizations
  - Allows providers to uncover potential weaknesses and address vulnerabilities, potentially preventing data breaches or other adverse security events
- Update policies and procedures, as needed, and train staff on any changes
  - If HIPAA policies/procedures were last updated before 2009, they are not compliant
- Consider encryption of electronic transmissions, mobile devices and media containing electronic protected health information, particularly USB/thumb drives
- Before sending a fax containing PHI, confirm that the recipient is authorized to receive PHI
- Evaluate your mobile device, data destruction, and data transmission policies and practices
- Educate employees on not leaving electronic devices or paper records unattended
Laptops, iPads and Smart Phones
- All devices should have passwords
- Do not store PHI on the hard drive of the device
- Do not leave in a car or unattended
- Immediately report theft or loss
- Must be able to erase access to the email/records system, and be able to determine if anyone can gain access to PHI through the device
  - Can you remotely wipe the lost/stolen device?
- This is the #1 type of HIPAA violation being enforced now.
Avoid Unintended Disclosures
- Do not leave PHI open on a desk for non-facility personnel to view
- Do not leave PHI open on your computer for non-facility personnel to view; turn it off at night
- Lock office doors at night if leaving PHI out
- File PHI so it's not left open on desks
- Make sure the computer is password protected
- If viewing PHI on screen, make sure to shut it off if you leave your desk for a period of time
Removing Physical Files from the Office
- How can you secure the information outside of the office?
- Will others be able to view the materials?
- Do not leave in a car or otherwise unattended
- Immediately report the loss of a file

Working Remotely from Home
- Is your home computer password protected?
- Does your home computer have virus protection?
- The same issues you have at work would apply at home when you are working remotely
- Home encryption capability?
- Thoroughly document the investigation of potential breaches
- Make sure that breach notification is provided timely and includes all of the required elements, both to the resident and to OCR
- Internal risk assessments/audits and follow-up training are key to HIPAA compliance
David C. Marshall, Esq.
Latsha Davis & McKenna, P.C.
1700 Bent Creek Blvd., Suite 140
Mechanicsburg, PA 17050
Phone: (717) 620-2424
Email: dmarshall@ldylaw.com