UNDERSTANDING HIPAA COMPLIANCE IN 2014: ETHICS, TECHNOLOGY, HEALTHCARE & LIFE

Transcription

1 UNDERSTANDING HIPAA COMPLIANCE IN 2014: ETHICS, TECHNOLOGY, HEALTHCARE & LIFE JULIE MEADOWS-KEEFE GROSSMAN, FURLOW, AND BAYÓ, LLC RAYMOND DIEHL RD. TALLAHASSEE, FL (850)

2 DOES IT PUT YOU IN A BAD MOOD?

3 HOW MUCH PRIVACY DO YOU HAVE? How Much Privacy Are You Willing To Give Up?

4 PERCEIVED BARRIERS?

5

6 WIRED MAGAZINE The age of the password has come to an end; we just haven t realized it yet. And no one has figured out what will take its place. What we can say for sure is this: Access to our data can no longer hinge on secrets a string of characters, 10 strings of characters, the answers to 50 questions that only we re supposed to know. The Internet doesn t do secrets. Everyone is a few clicks away from knowing everything.

7 SO WE RECOGNIZE WE ARE ALL VULNERABLE

8 A stolen medical identity has a $50 street value whereas a stolen social security number, on the other hand, only sells for $1.00 said Kirk Herath, Nationwide Chief Privacy Officer.

9 FACTS ABOUT MEDICAL IDENTITY THEFT 1.5 Million American Affected Average cost to restore identity is over $20,000. Medical identity theft comprises 3% of all identity thefts Nearly half of victims lose their coverage Can take a year to discover Healthcare was most breached industry in 2011

10 SO WHAT DOES HIPAA DO? HIPAA sets a national standard for accessing and handling medical information Access to your own medical records, prior to HIPAA, was not guaranteed by federal law. Notice of privacy practices about how your medical information is used and disclosed must now be given to you. An accounting of disclosures

11 HIPAA 1996

12 1996 MAC

13 POPULAR SONG & DANCE IN 1996

14 IN 1996 Google.com didn t exist yet. In January 1996 there were only 100,000 websites, compared to more than 160 million in The web browser of choice was Netscape Navigator, followed by Microsoft Internet Explorer as a distant second (Microsoft launched IE 3 in 1996). Most people used dial-up Internet connections

15 ARRA February 17, ARRA Signed into Law. Also known as the Stimulus $ 25.8 Billion for Health IT Increased Regulation of Organizations Contracting with Covered Entities Covered Entities Must Carefully Monitor Disclosures of PHI Increased Limitations on use of PHI Increased Penalties and Enforcement Mechanisms Breach notification and reporting requirements.

16 EVIDENCE BASED MEDICINE Conscientious, explicit and judicious use of current best evidence in making decisions about the care of individual patients Use of mathematical estimates of the risk of benefit and harm, derived from high-quality research on population samples, to inform clinical decisionmaking in the diagnosis, investigation or management of individual patients."

17 BIG DATA How much regulation is needed for electronic health records and systems? How much is too much? Does technology harm patients? How much risk do patients face in the era of "big data? Can data reach level of necessary granularity to only show minimum amount of data necessary to provide a particular treatment?

18 EXPRESS SCRIPTS HAS BIG DATA Provides Pharmacy Benefits to over 100 million people. They see 1.4 billion prescriptions a year, each one of which generates adds a little more data to their pile. They now have 100 people sorting through that information trying to detect fraud. They've got nurses and pharmacists and forensic accountants, along with a group of data nerds investigating thousands of cases of shady dealings a year.

19

20 SOME FEAR

21 WHAT IS A BREACH? A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information such that the use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual. There are three exceptions to the definition of breach. The first exception applies to the unintentional acquisition, access, or use of protected health information by a workforce member acting under the authority of a covered entity or business associate. The second exception applies to the inadvertent disclosure of protected health information from a person authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the covered entity or business associate. In both cases, the information cannot be further used or disclosed in a manner not permitted by the Privacy Rule. The final exception to breach applies if the covered entity or business associate has a good faith belief that the unauthorized individual, to whom the impermissible disclosure was made, would not have been able to retain the information.

22 TAKE-AWAY PLEASE MAKE SURE ALL STAFF ARE UTILIZING ENCRYPTION FOR TRANSMISSION OF PHI.

23 BREACHES BIG IN OMNIBUS the nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification the unauthorized person who used the protected health information or to whom the disclosure was made whether the protected health information was actually acquired or viewed the extent to which the risk to the protected health information has been mitigated

24 BREACHES SO FAR January, 2013-First HIPAA breach settlement involving less than 500 patients (Idaho Hospice) April 2012 HHS settles case with Phoenix Cardiac Surgery for lack of HIPAA safeguards

25 ALASKA DEPARTMENT OF HEALTH AND HUMAN SERVICES Settled for 1.7 million dollars. One lost unencrypted flash drive from an employee s car led to extensive HHS investigation. Insufficient training and risk assessment.

26 2013 VERIZON BREACH REPORT THREAT ACTORS External 92% Internal 14% Partners 1%

27 THREAT ACTIONS Malware 10% Hacking 52% Social 29% Misuse 13% Physical 35% Error 2%

28 ATTACKED ENTITIES Financial Organizations 37% Utilities 24% Manufacturing, transportation 20% Healthcare organizations 0.90%

29 BUSINESS ASSOCIATE REQUIREMENTS Extends HIPAA s requirements, not just to business associates, but to subcontractors that handle protected health information on behalf of business associates

30 NOTICE OF PRIVACY PRACTICES Need to revise to reflect patient s right to receive breach notifications.

31 REQUEST FOR RESTRICTIONS Specifically, covered entities must agree to restrict disclosures of protected health information about the individual if the disclosure is for payment or healthcare operations purposes, is not required by law, and the protected health information pertains solely to a healthcare item or service for which the individual, or someone on the individual's behalf other than the health plan, has paid the covered entity in full.

32 JULIE S STORY Real-life experience with too much data being included in an EHR. v=tk1kecy5j9q

33 LICENSURE Licensure involves providing a full explanation and record documenting any affirmative responses to health questions, including emotional/mental illness, chemical dependency.

34

35 THANK YOU JULIE MEADOWS-KEEFE GROSSMAN, FURLOW, AND BAYÓ RAYMOND DIEHL RD. TALLAHASSEE, FL (850)