HIPAA PRIVACY AND SECURITY RULES APPLY TO YOU! ARE YOU COMPLYING? RHODE ISLAND INTERLOCAL TRUST LINN F. FREEDMAN, ESQ. JANUARY 29, 2015.

Transcription

1 HIPAA PRIVACY AND SECURITY RULES APPLY TO YOU! ARE YOU COMPLYING? RHODE ISLAND INTERLOCAL TRUST LINN F. FREEDMAN, ESQ. JANUARY 29, 2015.

2 PURPOSE OF PRESENTATION To Discuss Laws Governing Use and Disclosure of Medical and Personal Information HIPAA/HITECH Act Privacy and Security Rules Breach Notification Rules 42 CFR Part 2 Substance Abuse Rhode Island Health Information Privacy Laws Identity Theft Protection Act Confidentiality of Health Care Communications Act STDs Mental Health Law HIV/Aids Genetic information Enforcement Best Practices

3 REAL STORIES: Laptop of auditor stolen from apartment 358 names, addresses, dates of birth and SSNs Breach of 1.7 million records Farrah Fawcett s diagnosis of cancer published by National Enquirer Long-time employee accessing health records of Board Member of hospital Hacking incident of website Misaddressed health benefits excel spreadsheet

4 IDENTIFYING HIGH-RISK DATA Personally Identifiable Information Includes SS #, state-issued ID #, mother s maiden name, driver s license #, passport #, credit history, criminal history Name & Contact Information Includes initials, address, telephone number, address, mobile number, date of birth Personal Characteristics Includes age, gender, marital status, nationality, sexual orientation, race, ethnicity, religious beliefs 4

5 IDENTIFYING HIGH-RISK DATA (CONT D) Financial Institution Data Includes credit, ATM, debit card #s, bank accounts, payment card information, PINs, magnetic stripe data, security codes, access codes, passwords Health & Insurance Account Information Includes health status and history, disease status, medical treatment, diagnoses, prescriptions, insurance account #, Medicare and Medicaid information HIPAA compliance 5

6 IDENTIFYING HIGH-RISK DATA (CONT D) Website Traffic Notice of Privacy Practices Terms and Conditions of Use Employment Information Includes income, salary, service fees, compensation information, background check information IP Information 6

7 LEGAL FRAMEWORK FOR HIPAA Purpose of the Health Insurance Portability and Accountability Act of 1996: Confidentiality of personal and health information Protection against identity theft and medical theft HIPAA Privacy and Security Rules (45 C.F.R. Parts 160, 162 and 164) The Omnibus Rule revised HIPAA rules and enacted new provisions regarding privacy and security particularly related to business associates and enforcement Compliance date: September 23, 2013

8 COVERED ENTITIES Covered Entities are the types of entities that are directly subject to HIPAA regulation of privacy and security: Health Plans Health Care Providers (EMTs) Health Care Clearinghouses

9 BUSINESS ASSOCIATES A business associate is any service provider that receives PHI: Claims processing, data analysis, quality assurance, billing, practice management Legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for such covered entity

10 PRIVACY RULE AND SECURITY RULE The Privacy Rule: Grants patient rights Sets limitations on use and disclosure Establishes administrative due process and procedural requirements What does the Privacy Rule require? The disclosure and use of PHI (paper or electronic) only as permitted by the Rule Implementation of administrative systems by covered entities Mandatory contractual provisions with business associates Notice of Privacy Practices for covered entities

11 PRIVACY RULE AND SECURITY RULE (CONT D) The Security Rule: e-phi Establishes a national set of security standards for protecting e-phi Requires administrative, technical, and physical safeguards for protecting e- PHI Required vs. Addressable Requires risk analysis

12 PRIVACY RULE DEFINITION OF PROTECTED HEALTH INFORMATION Individually identifiable health information means information: Collected from an individual; Created or received by a covered entity; That relates to the past, present or future physical or mental health or condition of an individual; provision of health care to an individual; or the past present or future payment for the provision of health care; and That identifies the individual or can be used to identify the individual.

13 USES AND DISCLOSURES OF PHI BY CES AND BAS General Principle: May not use or disclose protected health information, except As the Privacy Rule permits or requires, including Treatment, Payment or Health Care Operations (TPO); or Pursuant to a written authorization of the individual (or the individual s personal representative) obtained by a covered entity Required Disclosures: To individuals (or their personal representatives) specifically when they submit a request to a covered entity for access to, or an accounting of disclosures of, their protected health information; and To HHS when it is undertaking a compliance investigation or review or enforcement action

14 WHEN MUST A COVERED ENTITY OBTAIN AN AUTHORIZATION? Authorization is required to disclose or use PHI for purposes other than TPO and not otherwise authorized under the Rule, such as Sales Marketing Third parties (life insurance companies, employers, etc.)

15 REQUIREMENTS FOR AN AUTHORIZATION The covered entity s authorization form must have specific terms in it to comply with HIPAA.

16 MINIMUM NECESSARY RULE FOR CES AND BAS PHI accessed, used or disclosed must be the minimum needed for the required purpose The whole record is not the minimum necessary unless the entire record is required to perform the function Limit who has access to record

17 BUSINESS ASSOCIATES The Privacy Rule creates standards for contracting with entities, known as Business Associates, that receive PHI in the course of providing services to covered entities A business associate is any service provider that receives PHI from another entity Covered entity s subcontractors, if they have access to health information, are business associates of covered entity Business associates must ensure that it has written contracts with all of its vendors and subcontractors who have access to a covered entity s PHI

18 EXPANSION OF SECURITY AND PRIVACY PROVISIONS AND PENALTIES TO HIPAA BUSINESS ASSOCIATES The Omnibus Rule applies some of the administrative, physical, and technical safeguards of the HIPAA security regulations directly to business associates (any entity supporting health care industry) The Omnibus Rule imposes additional obligations upon business associates regarding policies, procedures and documentation Business Associates subject to audit and penalties

19 SECURITY RULE HIPAA Security Rules: 45 C.F.R. Parts 160, 162 and 164 Covered Entity and Business Associate are required to implement administrative, physical and technical safeguards to protect PHI. Protect against threats or hazards to security Protect against wrongful uses or disclosure

20 HIPAA OMNIBUS RULE BREACH NOTIFICATION HHS Office for Civil Rights (OCR) issued HIPAA Omnibus Rule requiring covered entities to notify individuals of a breach of unsecured protected health information, and for business associates to notify covered entity of a breach.

21 DEFINITION OF BREACH The acquisition, access, use or disclosure of PHI in a manner not permitted by HIPAA which compromises the security or privacy of the protected health information.

22 UNSECURED PHI IS PHI that is not secured through the use of a technology or methodology specified by the Secretary in guidance. Technology or methodology must render PHI unusable, unreadable or indecipherable. encryption or an encryption algorithm destruction Access controls, fire walls and redaction insufficient

23 THREE EXCEPTIONS TO THE DEFINITION OF BREACH: 1. The unintentional acquisition, access, or use of PHI by an employee or individual acting under the authority of a covered entity or business associate if it was made in good faith, within the course and scope of employment or professional relationship, and does not result in further use or disclosure in a manner not permitted by HIPAA. 2. Inadvertent disclosure of PHI between similarly authorized personnel or within the same facility and the information is not further used or disclosed in a manner not permitted by HIPAA. 3. A disclosure in which the covered entity or business associate has a good faith belief that an unauthorized person to whom PHI has been disclosed would not reasonably have been able to retain the information.

24 NOTIFICATION If breach is of Unsecured PHI does not fall with one of the three exceptions, and based on a risk assessment there is a probability that the PHI was compromised, then Covered Entity notify individuals of the breach without unreasonable delay and in no event within 60 days of discovery of the breach. Business associates must: Follow the terms of the Business Associate Agreement with the covered entity whose data was breached in accordance with notification requirements

25 COVERED ENTITY S NOTIFICATION TO MEDIA AND HHS If breach involves more than 500 individuals residing in the same state, notice must be made to prominent media outlets and Secretary of HHS. Document notification made to each individual, press/media.

26 COVERED ENTITY S NOTIFICATION TO MEDIA AND HHS (CONT D) Report all breaches of less than 500 individuals to HHS by February 28 of each year (via website). Logs must be maintained for six (6) years

27 HIPAA ENFORCEMENT AUDITS Secretary of HHS required under HITECH to conduct periodic audits of covered entities and business associates for compliance and enforcement purposes Secretary of HHS is required to report the number of audits and a summary of audit findings to Congress starting in 2010 Reports are available on HHS website Increased enforcement activities by OCR All civil monetary penalties go back to OCR for enforcement proceedings

28 PENALTIES FOR VIOLATION Penalties are tiered, depending on conduct Unknown $100 per violation up to $25,000 for all identical violations in a calendar year Reasonable cause that is not willful neglect $1,000 for each violation up to $100,000 for all identical violations in a calendar year

29 PENALTIES FOR VIOLATION (CONT D) Willful neglect If violation corrected within 30 days of knowledge: $10,000 for each identical violation, up to $250,000 for all identical violations in a calendar year If violation not corrected: $50,000 for each violation, up to $1.5 million for all identical or non-identical violations in a calendar year

30 ENFORCEMENT BY STATE ATTORNEYS GENERAL State AGs may commence civil actions in federal district court for violations of HIPAA Damages: $100 per violation with a cap of $25,000 Costs and attorneys fees may be awarded to State OCR has trained State AGs on HIPAA enforcement No private right of action to enforce HIPAA

31 CRIMINAL ENFORCEMENT PROVISIONS HIPAA also carries criminal penalties for persons who knowingly obtain or disclose PHI in violation of the Privacy Rule, or who improperly use unique health identifiers, under 42 U.S.C. 1320d 6(a): Fine Prison Knowingly $50,000 One year False Pretenses $100,000 Five years For Profit, Gain, or Harm $250, years

32 42 USC 290(DD)-2 SUBSTANCE ABUSE Confidentiality of substance abuse records Records of the identity, diagnosis, prognosis, or treatment of any patient which are maintained in connection with the performance of any program or activity relating to substance abuse education, prevention, training, treatment, rehabilitation or research Content of any substance abuse treatment record may only be disclosed with prior written consent of the patient In a treatment emergency Court Order Do not transmit any substance abuse treatment records without patient consent or Court Order

33 RHODE ISLAND STATE INFORMATION PRIVACY LAWS Identity Theft Prevention Act (R.I.G.L ) Confidentiality of Health Care Communications Act (R.I.G.L ) Mental Health Law (R.I.G.L ) HIV/Aids (R.I.G.L ) Sexually transmitted diseases (R.I.G.L ) Genetic Information (R.I.G.L , , )

34 ENFORCEMENT/FINES AND PENALTIES 2008 Providence Health and Services $100, CVS Pharmacy, Inc. $2.25M 2010 Rite Aid $1M Management Services Organization Resolution Agreement/No $ 2011 Cignet $4.3M Massachusetts General Hospital $1M UCLA $865,500

35 ENFORCEMENT/FINES AND PENALTIES 2012 Blue Cross Blue Shield of Tennessee $1.5M Phoenix Cardiac Surgery $100,000 Alaska Department of Social Services $1.7M Massachusetts Eye & Ear $1.5M Hospice of North Idaho $50, Idaho State University $400,000

36 ENFORCEMENT/FINES AND PENALTIES 2014 Skagit County $215,000 Concentra Health $1,725,220 QCA Health Plan, Inc. $250,000 New York Presbyterian Hospital $3.3M Columbia University $1.5M Parkview Health $800,000 Anchorage Community Mental Health Services $150,00-

37 RISKS OF THE USE OF FOR COMMUNICATIONS Risks Misaddress an (or hit replay all ) sending confidential information to the wrong recipient Security in sending or receiving s Hackers obtaining username and password

38 BEST PRACTICES WHEN USING Encryption Virtual Private Network/RSA Verify Selected Recipients Use Standard Confidentiality Disclaimers in Outlook Sensitive communications should be given special protections against disclosure to 3 rd parties It is the responsibility of the employee directing the communication to determine if the communication is sensitive

39 BEST PRACTICES TO PROTECT HIGH RISK DATA Protect High risk data Paper records Any documents with SSN and medical insurance number W-2s Benefits records Workers compensation Health records Salary and personnel information Applications/recruiting Locked filing cabinets Locked facility Only accessed by authorized personnel with a need to know Do not send via regular mail Implement a Shred Policy and shred everything Destroy any paper records that don t need to be kept/stored Witness information Suspect information

40 BEST PRACTICES TO PROTECT HIGH RISK DATA (CONT D) Electronic records Use encryption for sensitive data Mobile Technology Encryption Prohibition of downloading sensitive data on hard drive Loaners/erasure of laptops

41 BEST PRACTICES TO PROTECT HIGH RISK DATA (CONT D) Verbal information Minimum necessary Only speak to those with need to know

42 BEST PRACTICES FOR PAPER RECORDS (CONT D) Lock filing cabinets if available Lock facilities Only permit access by authorized individuals with a need to know Do not send full SSN via regular mail Shred Destroy paper records that do not need to be stored

43 THANK YOU! QUESTIONS? Linn Foster Freedman, Esq. Nixon Peabody LLP One Citizens Plaza Suite 500 Providence, RI Phone: