Key Legal Issues in EMR, EMR Subsidy and HIPAA and Privacy Click Issues to edit Master title style

Transcription

1 Key Legal Issues in EMR, EMR Subsidy and HIPAA and Privacy Click Issues to edit Master title style July 27,

2 Introductions Holly Carnell McGuireWoods LLP Meggan Bushee McGuireWoods LLP McGuireWoods 2

3 Key Legal Issues in EMR, EMR Subsidy and HIPAA and Privacy Issues: Part 1 McGuireWoods 3

4 Part 1 Agenda Review of HIPAA and the HITECH Act What are HIPAA and the HITECH Act? Who do these laws apply to? Business Associates What are Business Associates? Pitfalls of Business Associates Diligence of Business Associates Business Associate Agreements 2015/2016 HIPAA Enforcement Actions McGuireWoods 4

5 Recap of HIPAA and the HITECH Act No, it's not a female Hippopotamus, anyone else know? Cartoon by Dave Harbaugh McGuireWoods 5

6 What is HIPAA? HIPAA stands for the Health Insurance Portability & Accountability Act of Provides a framework for the establishment of standards to protect patient confidentiality, to ensure the security of electronic systems, and to facilitate the secure electronic transmission of health information. HIPAA creates federal privacy floor (minimum requirement) Must comply with the more restrictive of HIPAA or state law Covered Entities and Business Associates are required to comply with HIPAA. McGuireWoods 6

7 Core Elements of HIPAA HIPAA has four key parts: The Privacy Rule establishes patients privacy rights and addresses the use and disclosure of protected health information ( PHI ) by covered entities and business associates. The Security Rule requires the adoption of administrative, physical, and technical safeguards to protect electronic PHI ( ephi ). The Breach Notification Rule requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured PHI. The Enforcement Rule establishes both civil monetary penalties and federal criminal penalties for the knowing use or disclosure of PHI in violation of HIPAA. McGuireWoods 7

8 What is the HITECH Act? The HITECH Act ( Health Information Technology for Economic and Clinical Health Act of 2009, part of the American Recovery and Reinvestment Act of 2009 ) expanded the scope of HIPAA HITECH made changes to HIPAA in these areas: Breach Notification Rules Increased Penalties Mandated Audits by Office of Civil Rights More rights for individual patients Directly applied the Security Rule and certain aspects of Privacy Rule to Business Associates McGuireWoods 8

9 Who Must Comply? Covered Entities Health Care Providers Hospitals Physician practices Laboratories Pharmacies Health Plans Health insurance issuers HMOs Group Health Plans Medicare, Parts A and B Medicare + Choice Medicaid Includes employer-sponsored health plans Health Care Clearinghouses Billing companies Business Associates Persons or organizations that perform certain functions or activities on behalf of, or provide certain services to, a Covered Entity that involve the use or disclosure of protected health information or PHI Includes downstream contractors McGuireWoods 9

10 Business Associates McGuireWoods 10

11 Who is a Business Associate? An individual or entity that provides services on behalf of the Covered Entity or another business associate that require the entity to create, receive, maintain, or transmit protected health information (PHI). Includes downstream contractors Examples: Billing companies IT consultants Law firms PHI disposal companies Transcriptionists Hosting companies McGuireWoods 11

12 Who is NOT a Business Associate? When the services performed are not for or on behalf of a Covered Entity The postal service or wireless carrier where PHI is transferred across the country or the network, as applicable Deemed mere courier of PHI Payors, where a provider sends PHI for purposes of receiving reimbursement Persons receiving PHI inadvertently, i.e., a person or vendor that overhears PHI while on-site at a client s health care facility A provider, where another provider sends PHI for treatment of an individual McGuireWoods 12

13 Pitfalls with Business Associates When a Business Associate violates a material term of a BAA, covered entities still must take reasonable steps to cure breach If unsuccessful in curing breach, covered entity must terminate the BAA Business associates may have less concern with the privacy and security of a covered entity s PHI because they are further removed It is the covered entity s reputation and patient relationships on the line McGuireWoods 13

14 Importance of Protecting ephi The principal goal of every health care provider and every health insurer, from a privacy and security perspective, is to avoid a data breach. In turn, this becomes the goal of every business associate, and every downstream contractor, that creates, receives, maintains or transmits PHI on behalf of a covered entity. Despite these objectives, CEs and BAs often know very little about the downstream entities to whom they are entrusting data. What security safeguards have they implemented? What is the company s operating history? Are they passing on data to subcontractors? Are they housing data offshore? McGuireWoods 14

15 Proper Diligence of Business Associates Often see Business Associates that have taken no steps towards HIPAA Compliance Start by conducting diligence on the Business Associate s compliance Seek references from other clients Ask questions of leadership Consider a third-party review of Business Associate s compliance with HIPAA Need to assess vendor s compliance in light of the work they will be doing and the extent of PHI involved McGuireWoods 15

16 Conducting Effective Vendor Due Diligence Key Administrative Safeguards and Requirements (45 CFR ; 45 CFR ) Does the vendor have a HIPAA Privacy Officer and a Security Official to implement and oversee HIPAA-related policies and procedures? Does the vendor have policies and procedures that comply with the Privacy Rule and Security Rule? The CE should ask for either a copy of the policies and procedures or a narrative description of their contents. McGuireWoods 16

17 Conducting Effective Vendor Due Diligence Security Risk Assessments (45 CFR (a)(1)(ii)) Has the vendor conducted a risk assessment in accordance with the HIPAA Security Rule? The CE or BA should request information regarding the vendor s most recent risk assessment and ensure that the vendor has a policy requiring the periodic performance of risk assessments. McGuireWoods 17

18 Conducting Effective Vendor Due Diligence Security Training (45 CFR (a)(5); 45 CFR (b)(1)) Does the vendor conduct HIPAA compliance training for its workforce, and in particular for workforce members who have access to ephi? The Security Rule requires CEs and BAs to implement security awareness and training programs for all members of their workforce (including management). How often does the vendor conduct training and who is required to participate? McGuireWoods 18

19 Conducting Effective Vendor Due Diligence Data Security Implementation Specifications (45 CFR ) What is the vendor s password management policy? What is the vendor s data encryption policy? What is the vendor s policy regarding portable media? Does the vendor have a data backup plan and a disaster recovery plan? McGuireWoods 19

20 Conducting Effective Vendor Due Diligence Response and Reporting (45 CFR (a)(6)) Does the vendor have a protocol for investigating and responding to actual or potential breaches of ephi? The Security Rule requires the implementation of policies and procedures to identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the [CE or BA]; and document security incidents and their outcomes. The CE or BA should review a copy of the vendor s breach protocol or obtain a description of their breach identification and response processes. McGuireWoods 20

21 Conducting Effective Vendor Due Diligence Subcontractors Does the vendor use one or more subcontractors in connection with the services provided to the CE? If so, the CE should determine whether these subcontractors will have access to ephi and request information as to how the BA will evaluate the security and privacy practices of each subcontractor prior to retention. In general, BAs and BA subcontractors that store or transmit ephi outside of the CE s own IT infrastructure present more risk than BAs or subcontractors that simply access data on the premises of the CE or within the CE s information systems (cloud provider vs. software vendor). McGuireWoods 21

22 Business Associate Agreements A covered entity and a business associate are required to enter into a written agreement referred to as a Business Associate Agreement. The Business Associate Agreement provides that the business associate will safeguard individuals PHI when it is in the business associate s possession. The Business Associate Agreement must provide for termination by the non-breaching party in the event of a violation that is not cured. This is different from an NDA or other confidentiality agreement. Any use or disclosure of an individuals PHI by the business associate must be within the scope of the Business Associate Agreement and the HIPAA Privacy Rule. Includes regulatory requirements and negotiated provisions McGuireWoods 22

23 Negotiating with Business Associates Covered Entities can protect themselves against breach by a Business Associate with certain strategies Pre-contract diligence Audit Rights; annual review of vendors Require consent for downstream subcontractors Indemnification Insurance Covenant to encrypt PHI Return or destruction of PHI; Certifications Restrictions on off shore Use/Access/Disclosure of PHI McGuireWoods 23

24 HIPAA and Business Associate Enforcement Actions McGuireWoods 24

25 Raleigh Orthopaedic Clinic, P.A. (April 2016) Raleigh Orthopaedic Clinic, P.A. April 20, 2016 Agreed to settle potential violations for $750,000 The practice had released x-ray films and related PHI of 17,300 patients to a vendor for them to transfer the images to electronic media. Failed to execute a business associate agreement with the vendor! HIPAA s obligations on covered entities to obtain business associate agreements is more than a mere check-the-box paperwork exercise. It is critical for entities to know to whom they are handling PHI and to obtain assurances that the information will be protected. said OCR Director Jocelyn Samuels. McGuireWoods 25

26 North Memorial Healthcare (March 2016) North Memorial Healthcare of Minnesota March 2016 Agreed to settle potential violations of HIPAA for $1.55 million Theft of unencrypted laptop from a business associate s locked vehicle No business associate agreement with a vendor that had access to North Memorial s patient database! McGuireWoods LLP 26

27 Triple-S Management Corp. (November 2015) Triple-S Management Corp. November 30, 2015 Triple-S (formerly American Health Medicare, Inc.) agreed to settle potential violations of HIPAA for $3,500,000. Triple-S made multiple breach notifications to OCR resulted in investigation. Failure to conduct an accurate and thorough risk analysis. Failure to have appropriate BAAs in place with vendors. Failure to implement appropriate security safeguards. OCR remains committed to strong enforcement of the HIPAA Rules, said OCR Director Jocelyn Samuels. This case sends an important message for HIPAA Covered Entities not only about compliance with the requirements of the Security Rule, including risk analysis, but compliance with the requirements of the Privacy Rule, including those addressing business associate agreements and the minimum necessary use of protected health information. McGuireWoods LLP 27

28 Senior Health Partners Business Associate Breach (January 2015) Senior Health Partners business associate Premier Home Health caused the breach Registered Nurse working for Premier Home Health had her laptop and smart phone stolen Laptop was encrypted, but encryption key was stolen with laptop, and phone was not password protected or encrypted Contained potentially accessible containing ephi Result: 2,700 Members of Senior Health Partners affected Senior Health Partners forced to contact all health plan members who were affected McGuireWoods 28

29 Questions or Comments? McGuireWoods 29

30 Key Legal Issues in EMR, HIPAA and Privacy Issues: Part 2 McGuireWoods 30

31 Part 2 Agenda EMR/IT System Enforcement Actions EMR Data Security Risks Other Data Security Hot Topics Text Messaging Social Media McGuireWoods 31

32 EMR/IT System Enforcement Actions McGuireWoods 32

33 EMR Data Security Risks Open workstations/emr terminals Workstations left unattended and station does not log the user out Users not informed or forget to log out immediately after use Improper deletion of information on previously used equipment Data governance issues Personal Devices (laptops, tablets, and smartphones) Devices containing PHI are stolen Failure to destroy or delete all information before disposal/ re-use of device One of most common ways for ephi breach Lack of Encryption Use encryption so that even if ephi is lost on something like a device, it is undecipherable and unusable Malicious Software McGuireWoods 33

34 Security Rule Compliance University of Washington Medicine December 14, 2015 UWM agreed to settle potential violations of HIPAA for $750,000. Potential violations of the Security Rule were discovered after UWM breach report that ephi of 90,000 patients was accessed after an employee downloaded an attachment containing malware that compromised the UWM IT system. All too often we see covered entities with a limited risk analysis that focuses on a specific system such as the electronic medical record or that fails to provide appropriate oversight and accountability for all parts of the enterprise, said OCR Director Jocelyn Samuels. An effective risk analysis is one that is comprehensive in scope and is conducted across the organization to sufficiently address the risks and vulnerabilities to patient data. McGuireWoods LLP 34

35 Encryption Cancer Care Group PC September 2, 2015 Cancer Care Group agreed to settle potential violations of HIPAA for $750,000. An employee s laptop was stolen and accessed; contained PHI for 55,000 patients. Failure to conduct a company wide risk analysis following the breach. No policies dealing with the removal of hardware and electronic media. "Proper encryption of mobile devices and electronic media reduces the likelihood of a breach of protected health information. said OCR Director Jocelyn Samuels. McGuireWoods LLP 35

36 UCLA Health Breach (July 17, 2015) Four-hospital UCLA health was attacked by cyber criminals potentially starting as early as September 2014 Suspicious activity on the network was discovered in October 2014, but not until May 5, 2015 did UCLA realize attackers had access to its system UCLA can not yet tell if information was physically moved from the system Result: The medical records of an estimated 4.5 million people were potentially exposed Hackers had access to part of system where records could be accessed McGuireWoods 36

37 St. Elizabeth s Medical Center Enforcement Action (settled July, 2015) SEMC is a tertiary care hospital offering inpatient and outpatient services OCR received complaint alleging workforce members used internetbased document sharing application to store documents containing ephi of 498 individuals SEMC did not analyze the risks associated with such practice SEMC failed to timely identify and respond to the incident, mitigate its harmful effects, and document it and its outcome Resolution: Settlement of $218,400 with HHS SEMC must also institute a corrective action plan to cure gaps in the organization s HIPAA compliance program McGuireWoods 37

38 Other Data Security Hot Topics McGuireWoods 38

39 Three Principles 1. All it takes is a phone and the press of a button to cause a HIPAA Breach 2. News travels in an instant 3. Retrieval of PHI is almost always impossible McGuireWoods 39

40 Texting Issues Unable to verify identity of sender or receiver Unable to keep original message to verify order No assurance of delivery dependent on phone service Important to complete a risk assessment to determine whether texting fits into overall security profile Telling doctors not to text will probably not resolve the issue need to evaluate alternatives McGuireWoods 40

41 Texting Issues Joint Commission: not acceptable for physicians or licensed independent practitioners to text orders for patients to the hospital or other healthcare provider setting. Need to consider how this fits into electronic medical record Patient may be entitled to accounting of disclosures McGuireWoods 41

42 Patients are making Healthcare decisions based upon Social Media Information In a survey of more than a thousand consumers, more than two-fifths of individuals said social media affected their choice of a provider or organization. Forty-five percent said it impacted their decision to seek a second opinion; 34 percent said it influenced their decisions regarding medication selection and 32 percent said it would impact their choice of a health insurance plan. Source: PWC and HRI Social Media Consumer Survey, 2012 McGuireWoods 42

43 Benefits of Social Networking in Healthcare Single biggest risk is failure to participate Era of accountable care will require new strategies to engage patient populations and to manage population health Tools for collaboration and support with key internal and external customers Opportunities to build and support your brand McGuireWoods 43

44 Risks of Social Media Safety and security of patient information Discoverability and liability Patient consent issues Employment issues including administrative bullying Physician credentialing and licensing issues Boundary violations Ethical issues regarding the use of social media McGuireWoods 44

45 Current Privacy Issues Caused by New Technology Comments about patient care or clinical situations on FACEBOOK BLOGS about patient safety in hospitals TWEETS about cutting edge procedure in OR VIDEO of consent process, postoperative instructions or procedure on YOUTUBE S between providers regarding patient care or incident VIDEO of patient taken by family member on YOUTUBE PHOTOS that intentionally or inadvertently disclose patient information McGuireWoods 45

46 Dr. Tran Physician posted information about a patient on Facebook no name, but enough information to identify the patient OUTCOME: Fired by hospital Reprimanded by licensure board for unprofessional conduct McGuireWoods 46

47 Do I Need a Social Media Policy? Purposes of social media policy: Educate on proper uses of social media Establish guidelines to protect patient rights Reduce liability for provider organization and its employees Reduce risk of willful neglect However, a social media policy will not absolve all liability in the event of a significant breach Who should be involved in creating and maintaining policy? McGuireWoods 47

48 Elements of a Social Media Policy Definition of social media Guidelines for use of social media Penalties for HIPAA violations Address rogue employee conduct Provide for appropriate training at regular intervals Review of existing HIPAA-compliant communications policies & procedures Consistency and strict enforcement NLRB Guidance Review and revision of policy periodically McGuireWoods 48

49 Strategies to reduce liability Block access to social networking sites Develop policies and procedures Educate staff on policy and implications Routinely monitor the online presence of staff Define and disseminate information regarding disciplinary action for inappropriate use On hospital network; or From PDA Enforcement of policies McGuireWoods 49

50 Questions or Comments? McGuireWoods 50

51 Document Number v. 1 McGuireWoods 51