HIPAA Update. Jamie Sorley U.S. Department of Health and Human Services Office for Civil Rights

Transcription

1 HIPAA Update Jamie Sorley U.S. Department of Health and Human Services Office for Civil Rights New Mexico Health Information Management Association Conference April 11, 2014 Albuquerque, NM

2 Recent Enforcement Activities U.S. Department of Health and Human Services, Office for Civil Rights April 11, 2014 page 2

3 HIPAA Privacy, Security, Breach Compliance and Enforcement Resolution Agreements/Corrective Action Plans 5 RA/CAPs in CY13 Total Resolution Amounts of $3,740,780 Investigated Complaints/Compliance Reviews 4,459 investigative closures in CY13 3,467 closed with corrective action Breach Reports 930 Breaches involving 500 or more individuals Over 113,000 Breaches involving fewer than 500 individuals U.S. Department of Health and Human Services, Office for Civil Rights April 11, 2014 page 3

4 Breach Notification: 500+ Breaches by Type of Breach Unknown 2% Improper Disposal 4% Other 10% Hacking/IT Incident 8% Theft 47% Unauthorized Access/Disclosure 18% Loss 11% Data as of March 25, U.S. Department of Health and Human Services, Office for Civil Rights April 11, 2014 page 4

5 Breach Notification: 500+ Breaches by Location of Breach 5% EMR 3% Other 11% Paper Records 21% Network Server 12% Desktop Computer 14% Portable Electronic Device 11% Laptop 23% Data as of March 25, U.S. Department of Health and Human Services, Office for Civil Rights April 11, 2014 page 5

6 Recent Large Breaches Hacking network server 780,000 affected Backup tapes stored at hospital cannot be found and are presumed lost 315,000 affected Unencrypted s sent to employee s unsecured address ,435 affected Theft of laptop from employee s vehicle 116,506 affected Unauthorized access to e-phi stored in database-- 105,646 affected Hacking database stored on network server 70,000 affected U.S. Department of Health and Human Services, Office for Civil Rights October 28, 2013 page 6

7 Recent Major Enforcement Actions Adult & Pediatric Dermatology, P.C. ($150,000) Unencrypted thumb drive stolen from employee vehicle affecting 2,200 patients Covered entity did not have breach policies and procedures Affinity Health Plan, Inc. ($1.2M) Breach affecting up to 344,000 individuals Covered entity had not properly erased photocopier hard drives prior to sending the photocopiers to a leasing company Massachusetts Eye and Ear Institute ($1.5M) Stolen personal laptop of physician using device as desktop substitute Covered entity had not implemented a program to mitigate identified risks to e-phi U.S. Department of Health and Human Services, Office for Civil Rights October 28, 2013 page 7

8 Recent Major Enforcement Actions Hospice of Northern Idaho ($50K) Breach affecting 400 individuals when laptop stolen Provider had not conducted a risk assessment or taken other measures to safeguard e-phi as required by Security Rule Idaho State University ($400,000) Disabled firewall left the PHI of approx. 17,500 patients unsecured Risk analyses and risk management plans were incomplete or out of date Shasta Regional Medical Center ($275,000) Senior management disclosed patient information to the media and to the workforce without patient authorization CE failed to sanction workforce members in accordance with its internal policy U.S. Department of Health and Human Services, Office for Civil Rights October 28, 2013 page 8

9 HIPAA Omnibus Changes U.S. Department of Health and Human Services, Office for Civil Rights April 11, 2014 page 9

10 Omnibus Final Rule Important Dates Published in Federal Register January 25, 2013 Effective Date March 26, 2013 Compliance Date September 23, 2013 Conform BA contracts September 22, 2014 U.S. Department of Health and Human Services, Office for Civil Rights April 11, 2014 page 10

11 Omnibus Components HITECH Privacy & Security Business associates (BA) Marketing & Fundraising Sale of protected health information (PHI) Right to request restrictions Electronic access HITECH Breach Notification HITECH Enforcement GINA Privacy Other Modifications Research Notice of privacy practices (NPP) Decedents Student immunizations U.S. Department of Health and Human Services, Office for Civil Rights April 11, 2014 page 11

12 Not in Omnibus HITECH Accounting of Disclosures Rule HITECH Distribution of Penalties/Settlements to Harmed Individuals Rule HITECH Minimum Necessary Guidance HIPAA/CLIA Patient Access to Laboratory Test Reports Rule U.S. Department of Health and Human Services, Office for Civil Rights April 11, 2014 page 12

13 Omnibus Final Rule What s New for Consumers Right to Electronic Copy of Electronic Health Record Right to direct copy to designated third party Prohibition on Sale of PHI without Authorization Marketing Communications Paid for by Third Party Require Authorization Limited exceptions for refill reminders and current prescriptions Right to Restrict Disclosures to Health Plans of Treatment/Services Paid for Out of Pocket U.S. Department of Health and Human Services, Office for Civil Rights April 11, 2014 page 13

14 GINA Provisions Requires Genetic Information to be treated as PHI Prohibits Health Plans from using/disclosing genetic information for underwriting purposes Terms and definitions track regulations prohibiting discrimination in provision of health insurance based on genetic information U.S. Department of Health and Human Services, Office for Civil Rights April 11, 2014 page 14

15 Omnibus Final Rule Non-statutory Provisions Student Immunization Makes it easier for parents to permit providers to release student immunization records to schools Research Allows researchers to use single authorization for more than one research purpose Relaxes policy on authorizations for future research Notice of Privacy Practices Updates required to Notices of Privacy Practices Relaxes distribution requirements for Health Plans Decedent Information Protections limited to 50 years after death Eases access to friends and families U.S. Department of Health and Human Services, Office for Civil Rights October 28, 2013 page 15

16 Omnibus Final Rule What s New for Breach Breach Notification Provisions Replaces harm to individual with more objective measure of compromise to the data as threshold for breach notification Other provisions of 2009 IFR adopted without major change U.S. Department of Health and Human Services, Office for Civil Rights October 28, 2013 page 16

17 Omnibus Final Rule What s New for Enforcement Enforcement Provisions Adopts increased CMP amounts and tiered levels of culpability from 2009 IFR Clarifies Reasonable Cause Tier Willful Neglect Penalties do not require informal resolution Intentional wrongful disclosures may be subject to civil, rather than criminal, penalties U.S. Department of Health and Human Services, Office for Civil Rights April 11, 2014 page 17

18 HITECH Enforcement Raises CMP Levels Violation Category Each Violation All Identical Violations per Calendar Year Did Not Know $100 - $50,000 Reasonable Cause $1,000 - $50,000 Willful Neglect- Corrected Willful Neglect-Not Corrected $10,000 - $50,000 $1,500,000 $1,500,000 $1,500,000 $50,000 $1,500,000 U.S. Department of Health and Human Services, Office for Civil Rights April 11, 2014 page 18

19 Omnibus Final Rule What s New for Business Associates New definition of Business Associate (45 C.F.R ): (1) Except as provided in paragraph (4) of this definition, business associate means, with respect to a covered entity, a person who: (i) On behalf of such covered entity or of an organized health care arrangement (as defined in this section) in which the covered entity participates, but other than in the capacity of a member of the workforce of such covered entity or arrangement, creates, receives, maintains, or transmits protected health information for a function or activity regulated by this subchapter, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, patient safety activities listed at 42 CFR 3.20, billing, benefit management, practice management, and repricing; or (ii) Provides, other than in the capacity of a member of the workforce of such covered entity, legal, actuarial, accounting, consulting, data aggregation (as defined in of this subchapter), management, administrative, accreditation, or financial services to or for such covered entity, or to or for an organized health care arrangement in which the covered entity participates, where the provision of the service involves the disclosure of protected health information from such covered entity or arrangement, or from another business associate of such covered entity or arrangement, to the person. U.S. Department of Health and Human Services, Office for Civil Rights April 11, 2014 page 19

20 Omnibus Final Rule What s New for Business Associates New definition of Business Associate, cont. (2) A covered entity may be a business associate of another covered entity. (3) Business associate includes: (i) A Health Information Organization, E-prescribing Gateway, or other person that provides data transmission services with respect to protected health information to a covered entity and that requires access on a routine basis to such protected health information. (ii) A person that offers a personal health record to one or more individuals on behalf of a covered entity. (iii) A subcontractor that creates, receives, maintains, or transmits protected health information on behalf of the business associate. U.S. Department of Health and Human Services, Office for Civil Rights April 11, 2014 page 20

21 Omnibus Final Rule What s New for Business Associates BAs must comply with the technical, administrative, and physical safeguard requirements under the Security Rule Must conduct a security risk analysis and implement a risk management plan Must implement safeguards to protect EPHI Liable for Security Rule violations BAs must comply with use or disclosure limitations expressed in its contract and those in the Privacy Rule Criminal and civil liabilities for violations Clarification that BAs are liable whether or not they have an agreement in place with the CE If CE delegates Privacy Rule obligation to BA (e.g., providing NPPs to individuals), contract must require BA to perform in compliance with Rule U.S. Department of Health and Human Services, Office for Civil Rights April 11, 2014 page 21

22 Omnibus Final Rule What s New for Business Associates Direct liability Impermissible uses and disclosures (including more than minimum necessary) Failure to comply with Security Rule Failure to provide breach notification Failure to provide e-access as provided in BA contract Failure to disclose PHI to HHS for compliance and enforcement Failure to provide HITECH accounting (final rule not issued) Contractual liability for requirements of the BA contract U.S. Department of Health and Human Services, Office for Civil Rights October 28, 2013 page 22

23 Marketing Communications about health-related products/services by covered entity (CE) to individuals now marketing & require authorization if paid for by third party Applies to receipt of financial remuneration only; does not include receipt of non-financial benefits Authorization must state that communication is paid for Authorization can be obtained to make subsidized communications generally Scope of authorization need not be limited to single product/service or products/services of one third party U.S. Department of Health and Human Services, Office for Civil Rights October 28, 2013 page 23

24 Marketing Limited exception for refill reminders (and similar communications) Includes generic equivalents, adherence communications, drug delivery systems Payment must be reasonably related to cost of communication Face to face marketing communications and promotional gifts of nominal value still permitted without authorization U.S. Department of Health and Human Services, Office for Civil Rights October 28, 2013 page 24

25 Sale of PHI Even where disclosure is permitted, CE is prohibited from disclosing PHI (without individual authorization) in exchange for remuneration Includes remuneration received directly or indirectly from recipient Not limited to financial remuneration If authorization obtained, authorization must state that disclosure will result in remuneration U.S. Department of Health and Human Services, Office for Civil Rights April 11, 2014 page 25

26 Sale of PHI Exceptions: Treatment & payment Sale of business Remuneration to BA for services rendered Disclosure required by law Public health Research, if remuneration limited to cost to prepare and transmit PHI Providing access or accounting to individual Any other permitted disclosure where only receive reasonable, cost-based fee to prepare and transmit PHI U.S. Department of Health and Human Services, Office for Civil Rights April 11, 2014 page 26

27 Electronic Access If individual requests e-copy of PHI maintained electronically in designated record set, CE: Must provide access in electronic form/format requested, if readily producible, otherwise in readable electronic form/format as agreed to by CE and individual If requested, CE must transmit copy of PHI to individual s designee (not limited to electronic access) Request must be in writing & signed Must clearly identify designated person and where to send U.S. Department of Health and Human Services, Office for Civil Rights April 11, 2014 page 27

28 Electronic Access CE may charge for: Labor for copying Time attributable to reviewing request and producing copy Cost of electronic media CD, USB drive, or similar portable media/device, if individual requests copy on portable media CE has 30 days (with one 30-day extension) to act on request for access Provision allowing initial 60 days for off-site PHI removed U.S. Department of Health and Human Services, Office for Civil Rights October 28, 2013 page 28

29 Definition of Breach Harm standard removed New standard impermissible use/disclosure of (unsecured) PHI presumed to require notification, unless CE/BA can demonstrate low probability that PHI has been compromised based on a risk assessment of at least: Nature & extent of PHI involved Who received/accessed the information Potential that PHI was actually acquired or viewed Extent to which risk to the data has been mitigated U.S. Department of Health and Human Services, Office for Civil Rights April 11, 2014 page 29

30 Definition of Breach Exceptions for inadvertent, harmless mistakes remain Exception for limited data sets without dates of birth & zip codes removed U.S. Department of Health and Human Services, Office for Civil Rights April 11, 2014 page 30

31 Breach Notification Makes permanent the notification and other provisions of the 2009 interim final rule (IFR), with only minor changes/clarifications E.g., clarifies that notification to Secretary of smaller breaches to occur within 60 days of end of calendar year in which breaches were discovered (versus occurred) U.S. Department of Health and Human Services, Office for Civil Rights April 11, 2014 page 31

32 Guidance and Compliance Tools U.S. Department of Health and Human Services, Office for Civil Rights April 11, 2014 page 32

33 De-identification Guidance overedentities/de-identification/guidance.html Sample Business Associate Contract Language overedentities/contractprov.html Security Rule Guidance ecurityrule/index.html Risk Analysis Guidance NIST HIPAA Security Rule Toolkit NIST Guidelines for Media Sanitation FTC Guidance on Copier Data Security Educational paper series Security for Mobile Devices (video/web) U.S. Department of Health and Human Services, Office for Civil Rights April 11, 2014 page 33

34 ONC/OCR Mobile Device Program Instructional Video Series The videos explore mobile device risks and discuss privacy and security safeguards providers and professionals can put into place to mitigate risks. Securing Your Mobile Device is Important! Dr. Anderson's Office Identifies a Risk A Mobile Device is Stolen Can You Protect Patients' Health Information When Using a Public Wi-Fi Network? Worried About Using a Mobile Device for Work? Here's What To Do! U.S. Department of Health and Human Services, Office for Civil Rights October 28, 2013 page 34

35 Downloadable Materials Fact sheets Posters Brochures U.S. Department of Health and Human Services, Office for Civil Rights October 28, 2013 page 35

36 Mobile Device Program: Tips to Protect and Secure Health Information Use a password or other user authentication. Install and enable encryption. Install and activate wiping and/or remote disabling. Disable and do not install file- sharing applications. Install and enable a firewall. Install and enable security software. Keep security software up to date. Research mobile apps before downloading. Maintain physical control of your mobile device. Use adequate security to send or receive PHI over public Wi-Fi networks. Delete all stored health information before discarding or reusing the mobile device. U.S. Department of Health and Human Services, Office for Civil Rights October 28, 2013 page 36

37 Sample Notices of Privacy Practices Versions for Providers and for Health Plans Multiple formats Customizable In English and Spanish U.S. Department of Health and Human Services, Office for Civil Rights April 11, 2014 page 37

38 Medscape: Free CME and CE Training HIPAA: Creating Awareness and Educating Providers on the Importance of Compliance U.S. Department of Health and Human Services, Office for Civil Rights April 11, 2014 page 38

39 Security Rule Assessment Tool U.S. Department of Health and Human Services, Office for Civil Rights April 11, 2014 page 39

40 Questions? OCR website Jamie Sorley (214) U.S. Department of Health and Human Services, Office for Civil Rights April 11, 2014 page 40