Presenting a live 90 minute webinar with interactive Q&A
HIPAA Privacy and Security: Surviving Heightened Enforcement
Crafting and Implementing Data Security Policies and Responding to Breaches
THURSDAY, MAY 5, 2011
1pm Eastern, 12pm Central, 11am Mountain, 10am Pacific
Today's faculty features:
Nathan A. Kottkamp, Partner, McGuireWoods, Richmond, Va.
Gina M. Kastel, Partner, Faegre & Benson, Minneapolis
Rebecca C. Fayed, Counsel, SNR Denton, Washington, D.C.
The audio portion of the conference may be accessed via the telephone or by using your computer's speakers. Please refer to the instructions emailed to registrants for additional information. If you have any questions, please contact Customer Service at 1-800-926-7926 ext. 10.
HIPAA Enforcement: The Dawn of a New Era
Nathan A. Kottkamp
May 5, 2011
www.mcguirewoods.com
HIPAA Enforcement: Before HITECH
All Bark, and No Bite?
McGuireWoods LLP
HIPAA Enforcement Pre-HITECH
Pre-HITECH penalty limited to $100 per violation or $25K for all identical violations
No Civil Money Penalty cases
Providence Health & Services - 2008
Providence agrees to pay $100,000 and implement a detailed Corrective Action Plan to ensure that it will appropriately safeguard identifiable electronic patient information against theft or loss.
The Resolution Agreement relates to Providence's loss of electronic backup media and laptop computers containing individually identifiable health information in 2005 and 2006.
Providence agreed to perform certain obligations (e.g., staff training) and make reports to HHS for three years. During the period, HHS monitors the compliance of the covered entity with the obligations it has agreed to perform.
http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/providenceresolutionagreement.html
CVS - 2009
Under the Resolution Agreement, CVS agreed to pay a $2,250,000 resolution amount and implement a strong Corrective Action Plan that requires:
1. revising and distributing its policies and procedures regarding disposal of protected health information;
2. sanctioning workers who do not follow them;
3. training workforce members on these new requirements;
4. conducting internal monitoring;
5. engaging a qualified, independent third-party assessor to conduct assessments of CVS compliance with the requirements of the Corrective Action Plan and render reports to HHS;
6. new internal reporting procedures requiring workers to report all violations of these new privacy policies and procedures; and
7. submitting compliance reports to HHS for a period of three years.
http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/cvsresolutionagreement.html
HIPAA Penalties Under HITECH
The Health Information Technology for Economic and Clinical Health (HITECH) Act revised HIPAA's enforcement regulations:
New Penalty Tiers:
Unknowing ($100 per violation / $25K max)
Reasonable Cause ($1K per violation / $100K max)
Willful neglect ($10K per violation / $250K max)
Uncorrected willful neglect ($50K per violation / $1.5M max)
Civil and criminal liability for HIPAA violations extended to business associates
Mandatory investigations and civil penalties for violations due to willful neglect
Increased emphasis and significant funding on enforcement
Rite Aid - 2010
Under the HHS resolution agreement, Rite Aid agreed to pay a $1 million resolution amount to HHS and must implement a strong corrective action program that includes:
Revising and distributing its policies and procedures regarding disposal of protected health information and sanctioning workers who do not follow them;
Training workforce members on these new requirements;
Conducting internal monitoring; and
Engaging a qualified, independent third-party assessor to conduct compliance reviews and render reports to HHS.
http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/riteaidresagr.html
Enforcement
To boost enforcement of the HIPAA Security Rule, OCR has added investigators in 10 regional offices.
HHS is seeking a $5.6 million increase in funding for Fiscal 2012 enforcement.
In FY 2010, the office received approximately 9,400 complaints associated with the HIPAA Privacy and Security Rules.
Cignet Health - Landmark HIPAA Civil Monetary Penalty, February 4, 2011
"Today the message is loud and clear: HHS is serious about enforcing individual rights guaranteed by the HIPAA Privacy Rule and ensuring provider cooperation with our enforcement efforts." - OCR Director Georgina Verdugo
http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/cignetresolutionagreement.html
Cignet Health of Prince George's County, MD - Landmark HIPAA Civil Monetary Penalty, February 4, 2011
The first-ever civil money penalty: $4.3 million
Cignet violated 41 patients' rights by denying them access to their medical records when requested between September 2008 and October 2009. The HIPAA Privacy Rule requires that a covered entity provide a patient with a copy of their medical records within 30 (and no later than 60) days of the patient's request. The CMP for these violations is $1.3 million.
Cignet failed to cooperate with OCR's investigations of the complaints and produce the records in response to OCR's subpoena. Covered entities are required under law to cooperate with the Department's investigations. The CMP for these violations is $3 million.
Cignet Health - Landmark HIPAA Civil Monetary Penalty, February 4, 2011
"Covered entities and business associates must uphold their responsibility to provide patients with access to their medical records, and adhere closely to all of HIPAA's requirements.... The U.S. Department of Health and Human Services will continue to investigate and take action against those organizations that knowingly disregard their obligations under these rules." - OCR Director Georgina Verdugo
http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/cignetresolutionagreement.html
Mass General - The Million Dollar Subway Ride, February 14, 2011
An employee of General Hospital Corporation and Massachusetts General Physicians Organization Inc. ("Mass General") left documents on a subway that included a patient schedule containing protected health information ("PHI") of 192 patients, and billing forms with PHI for 66 of those patients. This included PHI of patients with HIV/AIDS.
The records were bound only by a rubber band!
Mass General - The Million Dollar Subway Ride, February 14, 2011
Mass General paid the US Government a $1,000,000 settlement and entered into a Corrective Action Plan ("CAP"):
Develop and implement a comprehensive set of policies and procedures that ensure PHI is protected when removed from Mass General's premises;
Train workforce members on these policies and procedures; and
Designate the Director of Internal Audit Services to serve as an internal monitor who will conduct assessments of compliance with the CAP and render semi-annual reports to HHS for a 3-year period.
Mass General - The Million Dollar Subway Ride, February 14, 2011
"To avoid enforcement penalties, covered entities must ensure they are always in compliance with the HIPAA Privacy and Security Rules.... A robust compliance program includes employee training, vigilant implementation of policies and procedures, regular internal audits, and a prompt action plan to respond to incidents." - OCR Director Georgina Verdugo
Consequences
MORE, MORE, MORE:
Education
Policies
Monitoring
Documentation
Scrutiny
Lessons Learned
Expect HHS to continue its HIPAA enforcement efforts
Cooperate with HHS investigations to limit penalties
Covered Entities must have a robust Compliance Plan:
Updated policies and procedures
Workforce training
Internal audits
Mitigation plan upon discovery of a potential HIPAA violation
Contact Information
Nathan A. Kottkamp
804.775.1092
nkottkamp@mcguirewoods.com
www.mcguirewoods.com
© 2011 McGuireWoods LLP
HIPAA Privacy and Security: Surviving Heightened Enforcement
Gina M. Kastel
612.766.7923
gkastel@faegre.com
Agenda
Background
Recent developments
Best practices
Background
Historic (non)enforcement: complaint driven and non-aggressive
No civil penalties imposed from 2003 to 2011 by Office of Civil Rights
Minimal criminal prosecution
Penalties increased under HITECH
Easy to be complacent?
Recent Developments
Cignet, Massachusetts General, CVS, Rite Aid
Recent criminal prosecutions:
Arkansas physician and hospital staff pleaded guilty to a criminal misdemeanor violation for accessing a patient's record without any legitimate purpose. Each sentenced to a year's probation; the physician was fined $5,000 and had to perform community service.
Hospital clerk sentenced to a year in prison for sharing patient information on myspace.com.
Medical records administrator received two years in prison for stealing patient information in a credit card scam.
Enforcement generally on the rise
The View from Office of Civil Rights
"We hope the health care industry will take a close look at this agreement and recognize that OCR is serious about HIPAA enforcement. It is a covered entity's responsibility to protect its patients' health information. To avoid enforcement penalties, covered entities must ensure they are always in compliance with the HIPAA Privacy and Security Rules," said Verdugo. "A robust compliance program includes employee training, vigilant implementation of policies and procedures, regular internal audits, and a prompt action plan to respond to incidents."
- Georgina Verdugo, OCR Director
Best Practices
Learn from the Mistakes of Others
Massachusetts General Resolution Agreement: www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/massgeneralra.pdf
Cignet Notice of Final Determination: www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/cignetpenaltyletter.pdf
OCR enforcement examples and resolutions available at: www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/index.html
OCR security breach list: www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html
Reassess Organization's Current Compliance
Review and update policies and procedures: Complete? Accessible?
Ensure HITECH requirements are included
Look at recent enforcement decisions for guidance:
Removal of PHI from facility
Encryption of mobile devices
Be sure staff follows them: do not get hung by "zombie" policies
Train, Train, Train
Consider a mix of training methods
Train regularly
Focus on high risk issues
Have staff take tests and certify to completion of training
Keep training materials
Respond Quickly
Ensure prompt incident response processes are in place
Investigate thoroughly
Implement appropriate corrective action
Take appropriate disciplinary action
COOPERATE WITH THE GOVERNMENT!
Set the Tone at the Top
Get buy-in on health care compliance from the executive team
Ensure managers and supervisors stress the importance of compliance
Conduct Ongoing Compliance Assessments
Develop a program of self-monitoring and auditing
Focus on high risk areas:
Mobile devices
High profile patients and members
Improper disclosures
Disposal of records
Follow up when problems are found
Monitor New Developments
Someone in the organization should be responsible for tracking new developments
Share information when the law or enforcement activity changes
Have a mechanism in place to respond to new developments
HIPAA Privacy and Security: Surviving Heightened Enforcement
Strategies to Prepare For or Respond To a Breach
May 5, 2011
Rebecca C. Fayed
rebecca.fayed@snrdenton.com
10-Step Breach Response Plan Overview
1. Prepare for the possibility of a breach.
2. Investigate the incident.
3. Mitigate the harm and take corrective action.
4. Assess and document whether the incident is a breach under the HITECH Act / HHS Breach Notification Rule.
5. Analyze whether the incident is a breach under applicable state law.
6. Notify individuals (or the covered entity).
7. Notify the media.
8. Notify HHS and, if applicable, state agencies.
9. Reassess privacy and security compliance policies and procedures.
10. Prepare for the possibility of an HHS-OCR or state AG investigation.
Step 1: Prepare for the Possibility of a Breach
Develop and implement an incident response and breach notification procedure.
Establish an incident response team.
Consider encrypting protected health information.
When negotiating business associate agreements, consider including an indemnification clause and a breach notification provision addressing who is responsible for what.
Consider purchasing data security breach insurance.
Step 2: Investigate the Incident
Do you have a breach notification procedure in place? Do you have an incident response team?
If yes, follow the procedure and initiate the actions of the incident response team.
If no, identify the individuals in the best positions to help investigate and respond to the incident.
Identify the following:
Facts surrounding the incident (e.g., stolen or lost laptop, backup tape, portable storage device; email or fax sent to the wrong recipient; paper records thrown in the trash).
Data elements (e.g., names, addresses, phone numbers, PHI, Social Security Numbers, credit card numbers).
Number of people affected.
States in which affected people live and the total in each state.
Whether the information was encrypted.
Step 3: Mitigate Harm & Take Corrective Action
Mitigate: A covered entity must mitigate, to the extent practicable, any harmful effect that is known to the covered entity of a use or disclosure of PHI in violation of its policies and procedures or the Privacy Rule by the covered entity or its business associate. 45 C.F.R. 164.530(f).
e.g., file a police report; contact the recipient and ask for the information to be returned or destroyed.
Corrective action: May need to terminate the agreement with the BA, revise procedures, sanction employees.
If determined to be a breach, decide whether credit monitoring services will be offered.
Step 4: Assess and Document Whether Incident is a Breach Under the HITECH Act / HHS Breach Notification Rule
Breach: Acquisition, access, use, or disclosure of PHI (either electronic or hard copy) not permitted by the Privacy Rule which compromises the security or privacy of PHI (i.e., it poses a significant risk of financial, reputational, or other harm to the individual).
3 Steps to Determine if Incident is a Breach:
Impermissible use or disclosure of PHI under the Privacy Rule?
Compromises the privacy or security of PHI by creating a significant risk of harm?
Is the incident excluded from the definition of a breach?
An unintentional use of PHI by a workforce member acting in good faith and within the scope of his or her authority, and the PHI is not further used or disclosed improperly;
An inadvertent disclosure of PHI by an authorized person to another authorized person, and the PHI is not further used or disclosed improperly; or
A disclosure of PHI to an unauthorized person where there is a good faith belief that the unauthorized person would not reasonably have been able to retain the PHI.
Step 4: Assess and Document Whether Incident is a Breach Under the HITECH Act / HHS Breach Notification Rule
The HITECH Act breach notification requirement applies only to the breach of unsecured PHI. The breach of secure PHI is not subject to the breach notification requirement.
If PHI is rendered unusable, unreadable, or indecipherable to unauthorized individuals, it is secure.
Technologies and methodologies that will render PHI secure:
1. Encryption.
2. Destruction.
Step 5: Analyze Whether Incident is a Breach Under State Law
Vast majority of states have data breach notification laws.
Need to analyze the state law's definition of personal information. A small number of states include health or medical information within the definition.
Need to analyze any exceptions to breach notification obligations (e.g., encryption, harm-based standards).
If a state breach notification law is triggered, notification obligations may exist in addition to those required by the HITECH Act.
Step 6: Notify Individuals or the Covered Entity
HITECH Act and HHS Breach Notification Rule:
Notice must be provided to the individual without unreasonable delay and no later than 60 days after the breach is discovered. Notification should be made sooner than 60 days if possible. Many state laws require notification sooner.
Via first-class mail unless the individual has specified a preference for email.
Notice must include the following:
Description of facts about the breach.
Type of PHI involved.
Steps individuals should take to protect themselves.
What the covered entity is doing to investigate the situation and prevent future breaches.
Contact information for individuals to ask questions.
Substitute notice may be required if not able to contact people.
HIPAA business associates must notify the covered entity of the breach. The contract may specify who will notify the individual and/or who will pay for such notification.
Step 7: Notify Media
If PHI of more than 500 individuals in one state is breached, the entity must notify prominent media outlets in the state.
Step 8: Notify HHS and/or State Agencies
Covered entities must notify HHS of the breach:
If more than 500 affected individuals: must notify HHS contemporaneously with notification to the individuals, via online notification.
If less than 500 affected individuals: must notify HHS via an annual log of events no later than 60 days following the end of the calendar year.
Check state laws to determine whether any state agencies must be notified (e.g., police department, consumer protection agencies, Attorney General's office).
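As an added example (not the presenters' material), the decision logic of Steps 4 and 6 through 8 as a small triage helper an incident response team could keep beside its breach procedure: it takes the Step 4 judgment calls (impermissible use, significant risk of harm, exclusions) and the Step 2 facts (per-state counts, encryption) as inputs and returns who must be notified and by when under the HITECH Act / HHS rule. It follows the slides' "more than 500" wording literally and does not model state law (Step 5); the incident data is constructed.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# Thresholds and deadlines as stated on the slides. The slides say "more than
# 500", and the code follows that wording literally (exactly 500 stays under).
THRESHOLD = 500
INDIVIDUAL_NOTICE_DAYS = 60   # no later than 60 days after discovery
ANNUAL_LOG_DAYS = 60          # no later than 60 days after calendar-year end

@dataclass
class Incident:
    discovered: date
    affected_by_state: Dict[str, int]      # state -> affected individuals
    encrypted: bool                        # PHI was encrypted (secure PHI)
    destroyed: bool = False                # PHI was destroyed (secure PHI)
    impermissible_use: bool = True         # Step 4, question 1 (judgment input)
    significant_risk_of_harm: bool = True  # Step 4, question 2 (judgment input)
    excluded: bool = False                 # Step 4, question 3: an exclusion applies

@dataclass
class Plan:
    notification_required: bool = False
    individuals: int = 0
    individual_deadline: Optional[date] = None
    media_states: List[str] = field(default_factory=list)
    hhs_notice: str = "none"               # "contemporaneous" or "annual log"
    hhs_deadline: Optional[date] = None

def is_breach(inc: Incident) -> bool:
    """Step 4: impermissible use + significant risk of harm, and no exclusion."""
    return inc.impermissible_use and inc.significant_risk_of_harm and not inc.excluded

def is_secured(inc: Incident) -> bool:
    """Encrypted or destroyed PHI is 'secure' and outside the HITECH requirement."""
    return inc.encrypted or inc.destroyed

def notification_plan(inc: Incident) -> Plan:
    """Steps 6-8 under the HITECH Act / HHS rule; state law (Step 5) is not modelled."""
    plan = Plan()
    if not is_breach(inc) or is_secured(inc):
        return plan                        # no HITECH notification obligation
    plan.notification_required = True
    plan.individuals = sum(inc.affected_by_state.values())
    plan.individual_deadline = inc.discovered + timedelta(days=INDIVIDUAL_NOTICE_DAYS)
    # Step 7: prominent media in every state with more than 500 affected.
    plan.media_states = sorted(s for s, n in inc.affected_by_state.items() if n > THRESHOLD)
    # Step 8: HHS notice is contemporaneous with individual notice above the
    # threshold, otherwise via the annual log due 60 days after year end.
    if plan.individuals > THRESHOLD:
        plan.hhs_notice, plan.hhs_deadline = "contemporaneous", plan.individual_deadline
    else:
        plan.hhs_notice = "annual log"
        plan.hhs_deadline = date(inc.discovered.year, 12, 31) + timedelta(days=ANNUAL_LOG_DAYS)
    return plan

def triage(discovered_iso: str, affected_by_state: Dict[str, int], encrypted: bool, **flags) -> Plan:
    """Convenience wrapper taking an ISO date string such as '2011-03-10'."""
    return notification_plan(Incident(date.fromisoformat(discovered_iso), affected_by_state, encrypted, **flags))

if __name__ == "__main__":
    # Constructed incident: unencrypted laptop lost, discovered 10 March 2011.
    print(triage("2011-03-10", {"VA": 700, "MD": 120}, encrypted=False))
```

The constructed incident above is large enough to require contemporaneous HHS notice and media notice in Virginia only, with the individual notice due 9 May 2011.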
Step 9: Reassess Privacy & Security Policies and Procedures
Compliance policies and procedures should be evaluated and revised if they do not work for an organization or do not protect against privacy and security violations. For example:
If the incident involved a lost or stolen backup data tape, consider changing the procedure for transport and/or storage.
If the incident involved faxing information to a wrong number, consider changing the procedure to require contacting the intended recipient before the fax is sent to confirm the number and after the fax is sent to confirm receipt.
If the incident was the result of employee error, consider retraining employees.
If the incident was the result of a business associate's error, consider terminating the agreement or imposing more stringent safeguards under the agreement.
Step 10: Prepare for a Possible Investigation by OCR or AG
HHS-OCR recently stated that it has initiated an investigation into every breach reported to its office via the online notification system that involved more than 500 individuals.
OCR is in the midst of training state AGs on HIPAA enforcement.
Investigations have been initiated via letter and by phone.
As evidenced by recent actions, OCR expects cooperation.
Generally, OCR has been asking for:
Facts surrounding the breach.
Copies of notification letters, media notices, business associate agreements.
Actions taken to locate missing data, prevent further loss of data, and protect affected individuals (e.g., credit monitoring services).
Security Rule risk assessments.
Description of safeguards in place to protect the information, specifically requesting information related to whether data was encrypted.
Compliance efforts related to policy and procedure revisions, training, and sanctions imposed.
CONTACT INFORMATION
Rebecca C. Fayed
SNR Denton US LLP
rebecca.fayed@snrdenton.com
www.snrdenton.com
202-408-6351
DISCLAIMER These materials should not be considered as, or as a substitute for, legal advice and they are not intended to nor do they create an attorney-client relationship. Because the materials included here are general, they may not apply to your individual legal or factual circumstances. You should not take (or refrain from taking) any action based on the information you obtain from these materials without first obtaining professional counsel. The views expressed do not necessarily reflect those of the firm, its lawyers, or clients.