HIPAA, Privacy, and Security: Oh My!
Chad D. Kunze, CPA, Health Care Principal, Phoenix, AZ
2014 CliftonLarsonAllen LLP | CLAconnect.com
Learning Objectives
At the end of this learning session, you will be able to:
- Understand recent changes to the HIPAA and HITECH regulations affecting providers and business associates
- Understand what privacy and security are
- Identify who is a covered entity and which of your business associates require a separate agreement
- Understand what a breach is and how you could protect your organization
- Recognize examples of good business practices, education, and third-party analysis
HIPAA - What Is It?
HIPAA - What Is It?
The Health Insurance Portability and Accountability Act of 1996 (HIPAA). The four original parts included:
- Electronic transactions and code set standards requirements
- Privacy requirements
- Security requirements
- National identifier requirements
HIPPA or HIPAA? We will focus on privacy and security.
HIPAA Requirements Historically: What's old and what's new?
Key Historical Dates
The goal of HIPAA is to make health insurance more portable, ensure the privacy and security of an individual's health and medical information, and create standardization.
- 1996: HIPAA enacted
- 2002: Final Modifications to the Privacy Rule published
- 2003: Final Security Rule published
- 2009: HITECH passed as part of the American Recovery & Reinvestment Act
- 9/15/09: Breach notification obligations effective
- 2011: OCR compliance audits began
- 1/17/13: Omnibus Rule released; effective date 3/26/13; compliance date 9/23/13
HITECH Act (2009)
The HITECH Act of 2009:
- Extended the reach of HIPAA
- Added breach notification requirements for covered entities and business associates
- Limits the use and disclosure of certain PHI
- Increases individuals' rights with respect to PHI
- Added significant enforcement and penalties for violations of the privacy and security of PHI
Protection of Electronic PHI
Examples of ePHI:
- Clinical records, chargemaster, billing, detailed patient records, etc.
- HUD resident files containing medical information
- A/R and billing
- Workers' comp
- Health insurance and other benefits
- Payroll reports
- Revenue documentation
- Other
Protection of PHI - Types of Data
- Written documentation and all paper records
- Spoken and verbal information, including voice mails
- Electronic databases, including research information
- PHI on a phone, USB drive, etc.
- Photographic images
- Audio and video
HITECH Breach Notification
- Must notify individuals whose unsecured PHI has been, or is reasonably believed to have been, breached
- Business associates must notify covered entities of a breach upon becoming aware of it
- "Unsecured PHI" is defined by HHS and will be updated annually
- Notification without unreasonable delay, and no more than 60 days after discovery of the breach
- Notification to the individual via first class mail unless the individual specified electronic mail
HITECH Breach Notification (continued)
Media notice is required depending on the number of individuals affected:
- More than 10 individuals involved: post notice on the website, in major print, or in broadcast media
- More than 500 individuals in one State: notice to prominent media outlets in the State
- HHS notice for any breach at least annually; if more than 500 individuals are involved, notice immediately
The notice must include a description of the facts, the type of PHI involved, steps individuals should take to protect themselves, the investigation method, mitigation to prevent recurrence, and contact information for questions.
HITECH Penalties and Enforcement
HITECH requires HHS to formally investigate when a possible violation exists or a breach is reported. Factors considered:
- Is willful neglect present?
- Was reasonable due diligence present?
- Was the violation corrected, or not corrected?
A tiered approach to penalties applies.
HITECH Penalties and Enforcement
Civil monetary penalties (Section 1176(a)(1)):

Violation Category                        Each Violation       All such Violations of an Identical Provision in a Calendar Year
(A) Did not know                          $100 - $50,000       $1,500,000
(B) Reasonable cause                      $1,000 - $50,000     $1,500,000
(C)(i) Willful neglect - corrected        $10,000 - $50,000    $1,500,000
(C)(ii) Willful neglect - not corrected   $50,000              $1,500,000
HITECH Penalties and Enforcement
- In addition, State attorneys general may bring a HIPAA enforcement action against a covered entity or business associate
- HHS is now performing periodic audits of compliance by covered entities and business associates (see the enforcement section below)
New Omnibus Rule Changes: What's old and what's new?
Breach Notification - New Modifications
Change in the definition of a breach, from the 2009 rule:
- 2009 definition: "acquisition, access, use or disclosure of PHI in a manner not permitted under [the privacy rule] which compromises the security or privacy of the PHI"
- "Compromises the security or privacy of PHI" was defined as "posing a significant risk of financial, reputational, or other harm to the individual" (the "risk of harm" threshold)
- Final Rule definition of a breach (Section 13400(1)): "an acquisition, access, use, or disclosure of PHI in a manner not permitted [and] is presumed to be a breach, unless the covered entity can demonstrate that there is a low probability that the PHI has been compromised."
Breach Notification Exceptions
There are three exceptions to the breach notification requirement, which are unchanged:
- Unintentional acquisition, access, or use of PHI, if it was made in good faith
- Inadvertent disclosure which will not be further used or disclosed in an impermissible manner
- Good faith belief that the disclosed PHI was not retained
If the event does not meet one of the three exceptions, it is presumed to be a breach UNLESS the PHI was rendered unusable, unreadable, or indecipherable, i.e., ENCRYPTION!!!
Breach - Risk Assessment
The covered entity AND the business associate must consider:
- The nature and extent of the PHI involved
- Who used the information, or to whom was the disclosure made?
- Was the PHI actually acquired or viewed?
- How was the risk mitigated?
- Does the event rise to the level of a breach?
There is a requirement to notify the Secretary of HHS following the discovery of a breach of unsecured PHI.
Should have been compliant by March 26, 2013; required to be compliant by September 23, 2013.
Willful Neglect and Penalties
- "Willful neglect" appears over 70 times in the final rule
- Defined by 45 CFR 160.401 as "conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated"
Action Plan for Covered Entities
- Encrypt, encrypt, encrypt, and implement a BYOD (Bring Your Own Device) policy
- Review and update business associate agreements (affects an estimated 250,000 to 500,000 business associates around the country and beyond)
- Review and revise your breach notification policies (affects 19,000 covered entities)
- Review and update privacy policies (affects 700,000 covered entities)
- Provide updated education for your workforce
(Data obtained from the 2013 HIPAA Omnibus Rule's approximate number of affected entities.)
Covered Entities and Business Associate Agreements
HIPAA - What Is It?
- Privacy: governs the use and disclosure of individually identifiable health information, or Protected Health Information (PHI)
- Security: administrative, technical, and physical safeguards required to prevent unauthorized access to PHI
HIPAA - Covered Entities
Covered entities (directly affected):
- Health care providers
- Health plans
- Health care clearinghouses
Health care providers are:
- A person or organization who furnishes, bills, or is paid for health care in the normal course of business
- Covered ONLY if they transmit health information electronically in connection with a transaction covered by the HIPAA transaction rules, directly or through a business associate
How to Comply - Security Rules
- Appoint a security officer
- Perform an internal or third-party risk analysis: the likelihood and impact of risks to ePHI
- Implement security measures to address the identified risks
- Document the security measures
- Maintain the protections (continuous, reasonable, etc.)
- Develop and implement a risk management plan
- Education and training are a MUST
HIPAA - Who Are Business Associates?
A business associate is:
- A person who performs a function or activity on behalf of, or provides services to, a covered entity that involves individually identifiable health information
- Not a workforce member
- A covered entity can also be a business associate
HIPAA - Who Are Business Associates? (Cont'd)
Vendors providing services that are not directly but indirectly subject to the HIPAA privacy and security provisions (not covered entities, but business associates):
- Legal
- Accounting
- Consulting
- Information technology
- Financial support
- Claims processing and billing
- Data destruction/shredding
These vendors are required to sign business associate agreements (BAAs):
- A covered entity that contracts for business associate services or activities must protect PHI through a BAA
- The business associate agrees by contract to maintain the privacy and security of PHI
Business Associate Agreements
What is in a BAA? It is a contract between the covered entity and the business associate that includes:
- Responsibilities identified
- Understanding and acknowledgement of those responsibilities
- Identification of what constitutes a breach
- Breach notification requirements
- Communication requirements
- Termination clauses
- Subcontractor clauses
- Signatures of both parties
HIPAA - How Does It Affect You?
Does your organization have business associate agreements in place for all required vendors or partners you work with?
Action is necessary by the covered entity and the business associate to ensure they both live up to the requirements:
- Protections added
- Indemnification
- Reporting
- Policies in place
- Hardware and software
- Learning and training
Example - How Does It Affect CLA?
CLA's approach in the past: comply as if we were a covered entity, but with a "highest common denominator" approach to ePHI:
- Protect ALL data at the level required for ePHI
- Education: annual education, and orientation for new employees
- Understand requirements and responsibility (not just a principal or partner responsibility)
- Identification of a breach and how to notify and/or report it
- Business associate agreements: CLA MUST HAVE them in place for all clients where ePHI is directly used or indirectly obtained
Enforcement: Covered Entities and Business Associates
Stepped Up HIPAA Related Enforcement
2012: HHS to conduct periodic audits to ensure covered entities and business associates are complying with the HIPAA privacy and security rules and breach notification standards. For Phase 1, the Office for Civil Rights (OCR) conducted 115 audits, of which 20 were completed in 2012. Entities were stratified into four levels:
- Level 1: Large providers/health plans; extensive use of IT, complicated IT/business work streams; revenues or assets > $1 billion
- Level 2: Large regional hospital systems (3-10 hospitals/region) and regional insurance companies; paper and HIT-enabled workflows; revenues and/or assets between $300 million and $1 billion
- Level 3: Community hospitals/outpatient surgery, regional pharmacies, all self-insured companies that don't adjudicate their claims; some but not extensive use of HIT, mostly paper-based workflows; revenues between $50 million and $300 million
- Level 4: Small providers (10 to 50 provider practices, community or rural pharmacies); little to no use of HIT, almost exclusively paper-based workflows; revenues less than $50 million
Source: U.S. Dept. of HHS presentation "2012 HIPAA Privacy and Security Audits" by Linda Sanches, OCR Senior Advisor, Health Information Privacy; Lead, HIPAA Compliance Audits
Stepped Up HIPAA Related Enforcement (cont'd)
[Two chart slides from the same HHS/OCR presentation cited above; no text content beyond the title and source.]
Security Rule Findings (65%)
HITECH regulations cited:
- 164.312: User activity monitoring; authentication/integrity
- 164.310: Media reuse and destruction
- 164.308: Contingency planning; risk assessment
Ask yourself:
- Are you periodically reviewing established users to determine if they are current, authorized, and have the correct access rights?
- Risk assessment: How frequently are you examining the information system for vulnerabilities?
- Monitoring of controls: How are you verifying that the controls are designed to mitigate unacceptable risks?
Privacy Rule Findings (26%), Breach Notification (9%)
HITECH regulations cited:
- 164.502: Deceased individuals; personal representatives; verification of the identity of those requesting ePHI
- 164.310: Business associate contracts
- 164.308: Breach notification process
Ask yourself:
- What steps do you take to verify the identity of those requesting PHI?
- How do you identify business associates? How often are your contracts reviewed?
- Do your staff know what to do if a breach occurs?
- What steps do you take to document the occurrence of the breach and the investigation results?
Phase 2 of OCR Audits
- 550-800 entities will be contacted for a pre-survey
- OCR will use the survey data to select a projected 350 covered entities to audit
- Audits to begin in fall of 2014
- Covered entities will identify their business associates, and a selection from those provided will be subject to audit in 2015
- Desk audits for selected areas, and comprehensive on-site audits as resources allow
Focus areas for the 2014-2015 audits:
- Security risk analysis and risk management
- Breach content and timeliness of notifications
- Privacy notice and access
Fines and Penalties
WellPoint paid $1.7M for leaving information accessible over the internet. The issues related to their implementation of changes in their IT systems. WellPoint provided a breach report: 612,402 individuals' ePHI was unsecured and unprotected.
Fines and Penalties
MEEI, a Harvard Medical School affiliate, and Alaska DHS have agreed to pay HHS $1.5 million and $1.7 million (respectively) to settle potential violations.
Fines and Penalties
Phoenix Cardiac Surgery, P.C., of Phoenix and Prescott, Arizona, has agreed to pay HHS a $100,000 settlement, the first small practice to be penalized over HIPAA violations.
Fines and Penalties
Hospice of North Idaho has agreed to pay HHS a $50,000 settlement for potential violations, the first settlement related to a breach of unprotected ePHI that affected fewer than 500 individuals.
Additional Thoughts and Stats
- After EHR implementations, providers have seen a surge in data breaches
- Average breach cost was approximately $2.5MM
- Most were preventable
- 40% of breaches in 2013 involved a business associate
- Reputation costs are hard to quantify but are significant
Encryption - Why It Is Important
Lack of encryption is now the #1 reason for penalty. Where ePHI (electronic protected health information) is exposed without it:
- Emails containing ePHI
- Data published on an internet site
- Mobile devices such as laptops, smart phones, or tablets
- Remote access sessions
Six Steps to Breach Prevention or Mitigation
- Lock down end users and infrastructure: know where your data resides
- User identification
- Single point of control
- Anti-malware
- Encryption
- E-discovery
Best Practices: They are in place to protect us all!
HIPAA Safeguards: Administrative, Physical, and Technical
Administrative safeguards, the management of:
- Risk
- Employees and training
- Continuity
- Evaluation
- Business associates
Physical safeguards, securing and accounting for:
- Facilities
- Workstations
- Media disposal
Technical safeguards, logical access:
- System logging and review
- Password requirements
- User accounts and access
Safeguarding Computers
- Secure laptops and desktops at all times
- Do not loan your laptop to others
- Do not allow others to use your computer unattended
- Do not leave your laptop or equipment unattended
- If left unattended for any reason, lock the office space being used or place the computer into Lock mode, requiring a password to re-start programs
- Use privacy screens if available
- Know your surroundings
Messages That Contain Sensitive or Protected Information
Personnel should NOT be permitted to send emails that contain sensitive PHI that is NOT encrypted.
PHI is defined as information about:
- Health status
- Provision of health care
- Payment for health care
PHI linked through any of the following must be treated with care:
- Names, phone/fax numbers, addresses, email addresses, dates (related to care, admission, discharge, etc.)
- SSN, medical record numbers, health plan info, photos, device identifiers, etc.
Example of CLA IT Security That Is in Place Due to Being a Business Associate
Administrative safeguards:
- Risk management
- IT policies
- Security leadership
- Access management
- Awareness
- Incident response
- Inquiry response
- Auditing
Technical safeguards:
- Passwords
- Change control
- Anti-virus/SPAM
- Firewall
- Workstation control (CSA)
- Web filtering
- Remote access
- FTP
- Encryption
- Portable media control
- Event correlation
Physical safeguards:
- Office physical security
- Laptop policy
- Equipment disposal
- Data backup and storage
Don't We Already Have Enough Security?
Can you and your employees answer YES to all of these?
- If I follow my organization's policies, I believe that we are covered
- Am I following my organization's policies?
- Do I understand what constitutes a potential or actual breach?
- Do I protect data as if it is my own?
What Can You Do Today?
- Clean your offices
- Move any resident data off your hard drive
- Don't store PHI or resident data in emails
- Use the network or other solutions to store data
- Don't request, receive, or send ePHI to/from anyone unless it is encrypted and is absolutely needed
- Return ePHI or private data when complete, or delete it immediately
Other Protections
- Protect discussions: public places, elevators, client locations, airplanes, etc.; discussions with friends, spouse, family, etc.
- If you are in public places or travel on planes, use privacy screens on computers
- Provide data with privacy and security in mind (FTP site, data encrypted, data scrubbed, etc.)
- Don't leave sensitive information lying around at any time
- Err on the side of being overprotective of your computer
- Limit data on your hard drive and follow organization policy
Recap and What We Have Learned Today
- HIPAA, privacy, and security are just good common sense
- Understand what HIPAA requires; we all are responsible to know and understand it
- Know when a breach may have occurred (covered entity or business associate)
- Is our business associate HIPAA compliant? Can we help?
- Organization policy is in place to HELP, not to HINDER, our resident service and productivity
- More to come: breaches and fines are starting to ramp up
- Risk is out there. Do your part, promote the privacy and security of PHI, and remember it is really good business sense
Chad D. Kunze, CPA, Principal
Chad.Kunze@CLAconnect.com
602-604-3534 Office
314-42-6512 Cell
CLAconnect.com | twitter.com/CLAconnect | facebook.com/cliftonlarsonallen | linkedin.com/company/cliftonlarsonallen