Protected Health Info HIPAA Update: Avoiding Penalties IHCA (7/15) Preliminaries This presentation is similar to any other legal education materials designed to provide general information on pertinent legal topics. The statements made as part of the presentation are provided for educational purposes only. They do not constitute legal advice nor do they necessarily reflect the views of Holland & Hart LLP or any of its attorneys other than the speaker. This presentation is not intended to create an attorney-client relationship between you and Holland & Hart LLP. If you have specific questions as to the application of law to your activities, you should seek the advice of your legal counsel. True or False? I don t have to worry about HIPAA because I live in Idaho and the government would never go after us. The Office for Civil Rights ( OCR ) must impose a $10,000 fine per HIPAA violation if I act with willful neglect. Under HIPAA, residents may sue our facility for HIPAA violations. Long term care facilities are vicariously liable for HIPAA violations by their business associates. HIPAA does not apply to resident names so long as we do not disclose medical information.
True or False? We must have the resident s authorization before disclosing protected health information to family members. Under HIPAA, residents have a right to access all information concerning the resident. HIPAA prohibits e-mailing or texting residents, family, or providers unless the e-mail or text is encrypted. We must self-report all HIPAA violations to the resident and the government. We only have to self-report breaches of unsecured protected health info if the breach would result in significant harm to the resident. HIPAA: Hot Topics Enforcement actions Recent settlements Private causes of action Security rule concerns Security rule compliance E-mails and texts Business associate liability Breach notification Applicable standards Applying the standards Preliminaries Written materials Stanger, HIPAA Update: How and Why You Must Comply This is overview. Feel free to ask questions or comment. But don t share protected health info. That would be awkward
HIPAA: Terminology Covered entities: Healthcare providers who engage in e-transactions. Health plans, including group health plans with 50+ participants or administered by third party. Protected health info ( PHI ): individually identifiable info concerning a resident s health, healthcare, or payment for care. Business associates: create, receive, maintain or transmit PHI on behalf of covered entity. HIPAA History 2003: Privacy Rule, 45 CFR 164.500 et seq. Requires covered entities and business associates to protect the confidentiality of protected health information ( PHI ) Gives residents certain rights concerning their PHI. 2005: Security Rule, 45 CFR 164.300 et seq. Requires covered entities to implement certain safeguards to protect e-phi. 2009: HITECH Act Breach Notification Rule, 45 CFR 164.400 et seq. Enforcement Rule, 45 CFR 160.400 et seq. 2013: Omnibus Rule. Requires updates to HIPAA policies and forms. HIPAA Overview
Privacy Rule Covered entities may not access, use or disclose protected health info unless: For purposes of treatment, payment or healthcare operations. To a family member or other person involved in healthcare or payment so long as: Resident has not objected; Is in resident s best interest; and Limit disclosure to scope of recipient s involvement. For certain safety or government functions. Have valid authorization. Do not disclose more than is minimally necessary. (45 CFR 164.500 to.514) Privacy Rule Resident or their personal representative has the right to: Receive notice of privacy practices. Request that disclosures of PHI for purposes of treatment, payment or healthcare operations be limited. Request communication by alternative means or at alternative locations. Access their PHI. Request amendment of their PHI. Obtain accounting of improper disclosures of PHI. (45 CFR 164.520 to.528) Privacy Rule Covered entity must: Designate privacy and security officer. Train staff. Implement policies and procedures. Implement reasonable safeguards. Document and respond to complaints. Sanction workforce members who violate HIPAA. Mitigate violations. Not retaliate. Maintain HIPAA documents for 6 years. (45 CFR 164.530-.538)
Security Rule Covered entity and business associates must: Perform risk analysis. Implement safeguards: Administrative Technical Physical Execute business associate agreements. (45 CFR 164.300-.318) * More about this later Breach Notification Rule If there is breach of unsecured ephi: Covered entity must: Notify affected individuals. Notify HHS. Notify media, if breach involves > 500 persons in a state. Business associate must notify covered entity. (45 CFR 164.400-.414) HIPAA Enforcement HIPAA Business Associates Covered Entities
Enforcement Criminal Penalties Applies if employees or other individuals obtain or disclose protected health info from covered entity without authorization. Conduct Knowingly obtain info in violation of the law Committed under false pretenses Intent to sell, transfer, or use for commercial gain, personal gain, or maliciousharm Penalty $50,000 fine 1 year in prison 100,000 fine 5 years in prison $250,000 fine 10 years in prison Enforcement Civil Penalties Conduct Penalty Did not know and should not have known of violation Violation due to reasonable cause Willful neglect, but correct w/in 30 days Willful neglect, but do not correct w/in 30 days $100 to $50,000 per violation Up to $1.5 million per type per year No penalty if correct w/in 30 days OCR may waive or reduce penalty $1000 to $50,000 per violation Up to $1.5 million per type per year No penalty if correct w/in 30 days OCR may waive or reduce penalty $10,000 to $50,000 per violation Up to $1.5 million per type per year Penalty is mandatory At least $50,000 per violation Up to $1.5 million per type per year Penalty is mandatory
Enforcement: 2014 Anchorage Community Mental Health Services pays $150,000 for failing to maintain patches on software. New York hospitals pay $4.8 million for leaving electronic medical records vulnerable to searches. Concentra pays $1.7 million for lost unencrypted laptop. QCA Health Plan pays $250,000 for lost unencrypted laptop. Skagit County, WA pays $215,000 because PHI was available on public database. Parkview Community Health: fined $800,000 for leaving 71 boxes of records in physician s driveway. All involved security rule violations Enforcement: Idaho Idaho is not exempt! In 2013, Hospice of North Idaho had to pay $50,000 for theft of unencrypted laptop that contained PHI of 441 patients. Investigation showed failure to comply with security rule. In 2013, Idaho State University had to pay $400,000 because firewall failure left PHI of 17,500 patients exposed. Remember: OCR must impose penalty if you are determined to act with willful neglect. Enforcement HHS purportedly to resume audits in 2015. OIG workplan for 2015 includes HIPAA issues. State attorney general can bring lawsuit under HIPAA. $25,000 fine per violation + fees and costs Some of biggest cases brought by AGs. In the future, affected individuals may recover percentage of fines or penalties. Enacted as part of HITECH. Still waiting for regulations. Must impose sanctions against employees who violate HIPAA.
Enforcement No private cause of action under HIPAA. Affected individuals may sue under common law tort theories. Negligence. Standard of care = HIPAA? Negligence per se. Privacy torts. Unreasonable, highly offensive intrusion into solitude or seclusion. Public disclosure of private facts. Infliction of emotional distress. Vicarious liability of employer. Enforcement Lessons learned: Beware state laws in addition to HIPAA. Not enough to simply implement policies and train staff; you must ensure that data is protected if you really want to be safe.
Security Rule Compliance 2014: Year of Cyber Attacks Security Rule Compliance Risk analysis. Implement safeguards. Administrative Technical Physical Execute business associate agreements. Intended to ensure: Confidentiality Integrity Availability of ephi.
Security Rule Compliance Security Rule Compliance Administrative Safeguards Physical Safeguards Technical Safeguards Standards Standards Standards Implementation Specifications Required Addressable Implementation Specifications Required Addressable Implementation Specifications Required Addressable Implementation Specifications Required : implement the specification. Addressable : Assess reasonableness of specification. If spec is reasonable, implement it. If spec is not reasonable, Document why it is not reasonable (e.g., size, cost, risk factors, etc.), and Implement alternative if reasonable. Must review and modify as needed.
Administrative Safeguards 1. Security management process 2. Assigned security responsibility 3. Workforce security 4. Information access management 5. Security awareness and training 6. Security incident procedures 7. Contingency plan 8. Evaluation 9. Business associate contracts Physical Safeguards 1. Facility access controls 2. Workstation use 3. Workstation security 4. Device and media controls Technical Safeguards 1. Access controls 2. Audit controls 3. Integrity of e-phi 4. Person or entity authorization 5. Transmission security
Data Privacy and Security Risk Analysis Security rule requires that covered entities and business associates conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of [ephi] (45 CFR 164.308(a)). Frequently cited in recent violations. Periodically reevaluate analysis. New systems or equipment. Every few (very few?) years. Include mobile devices. Risk Analysis
Risk Analysis Additional materials are available at www.hhs.gov/ocr/privacy/hipaa/administrative/s ecurityrule/securityruleguidance.html Final Guidance on Risk Analysis OCR Guidance re Risk Analysis NIST Publications
Mobile Devices Encryption Encryption is an addressable standard per 45 CFR 164.312: (e)(1) Standard: Transmission security. Implement technical security measures to guard against unauthorized access to [ephi] that is being transmitted over an electronic communications network. (2)(ii) Encryption (Addressable). Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate. ephi that is properly encrypted is secured. Not subject to breach reporting. OCR presumes that loss of unencrypted laptop, USB, mobile device is breach.
Communicating by E-mail HIPAA Privacy Rule allows resident to request communications by alternative means or at alternative locations. Including unencrypted e-mail. (45 CFR 164.522(b)). Omnibus Rule commentary states that covered entity or business associate may communicate via unsecured e-mail so long as they warn resident of risks and resident elects to communicate via unsecured e-mail to text. (78 FR 5634)
Business Associates Business Associates Entities that create, receive, maintain, or transmit PHI on behalf of a covered entity to perform: A function or activity regulated by HIPAA (e.g., healthcare operations, payment, covered entity function), or Certain identified services (e.g., billing or claims management, legal, accounting, or consulting services). Health information organizations and e-prescribing gateways. Data transmission companies if they routinely access PHI. Data storage companies (e.g., cloud computing, off-site storage facilities) even if they do not access PHI. resident safety organizations. Subcontractors of business associates. Covered entities acting as business associates. (45 CFR 160.103; 78 FR 5570-75) Business Associates Business Associates Management company Billing company EMR / IT specialist Consultant Accountant Attorney Malpractice insurer Interpreters Data storage entities Data transmission services if have routine access to info Subcontractors of forgoing NOT Business Associates Workforce members, i.e., if you have right to control Other providers when they are providing treatment Members of organized healthcare arrangement Insurance companies unless acting for you Mere conduits of information, e.g., mailman Janitors
Business Associates Covered Entity (Healthcare Provider or Health Plan) PHI Business Associate PHI Subcontractor(s) Not Business Associates Members of covered entity s workforce. Covered entity has control over the person. Entities who do not handle PHI as part of their job duties. Janitor, mailman, etc. Entities that receive PHI to perform functions on their own behalf, not on behalf of covered entity. E.g., banks, third party payors, etc. Other healthcare providers while providing treatment. Data transmission companies that do not routinely access PHI. Entity is mere conduit of PHI. Members of an organized healthcare arrangement. Group of entities that provide coordinated care. (45 CFR 160.103) Business Associate Agreements ( BAA ) Business Associate
BAA Covered entity must have BAA before disclosing PHI to business associate or authorizing business associate to create or receive PHI for covered entity. BAA limits business associate s use of PHI. Business associate must have BAA with subcontractor. Must match scope of BAA between covered entity and business associate. BAA must contain terms required by HIPAA privacy and security rules. Must comply with HIPAA even if no BAA. (45 CFR 164.314 and.502(e); 78 FR 5601) BAA Covered Entity must ensure there is BAA Business Associate must ensure there is BAA Covered Entity (Healthcare Provider or Health Plan) BAA BAA Business Associate BAA Subcontractor(s) Subcontractor BAA must mirror the BAA with the covered entity
BAA: Pro-Covered Entity Terms Covered entities may want to add these terms: Business associate must report or act within x days. Business associate must implement policies. Business associate must encrypt or implement other safeguards. Business associate must to carry data breach insurance. Business associate notifies individuals of breaches and/or reimburses covered entity for costs of the notice. Business associate defends and indemnifies for losses, claims, etc. Business associate is an independent contractor, not agent. Business associate assumes liability for subcontractors. Allow termination of underlying agreement. Must have consent to operate outside the United States. Covered entity has right to inspect and audit. Cooperate in HIPAA investigations or actions. BAA: Pro-BA Terms Business associates probably want to add these terms: Covered entity will not disclose PHI unless necessary. Covered entity will not request action that violates HIPAA. Covered entity will not agree to restrictions on PHI that will adversely affect business associate. Covered entity will notify business associate of all such restrictions. Covered entity will reimburse for additional costs. Blanket reporting for security incidents Specify business associate does not maintain designated record set. Reserve the right to terminate based on restrictions or other change that adversely affects business associate. Subcontractors are independent contractor, not agent. Mutual indemnification. Limitation or cap on damages. Liability for Business Associates
Liability for Business Associate Covered entity or business associate violates HIPAA if: Knew of a pattern of activity or practice of the business associate/subcontractor that constituted a material breach or violation of the business associate s/subcontractor s obligation under the contract or other arrangement; Failed to take reasonable steps to cure the breach or end the violation, as applicable; or Failed to terminate the contract or arrangement, if feasible. (45 CFR 164.504(e)(1)) Liability for Business Associate Covered entity or business associate is liable, in accordance with the Federal common law of agency, for the acts or omissions of a business associate/subcontractor acting with the scope of the agency. (45 CFR 160.402(c)) Test: right or authority of a covered entity to control the business associate s conduct. Contract terms. Right to give interim directions or control details. Relative size or power of the entities. Maintain independent contractor status! (78 FR 5581-82) Responding to a Breach
Responding to Breach Timely response important because: Required to mitigate breach. May minimize risk that data is compromised and avoid breach notification requirements. May avoid penalties if do not act with willful neglect and correct the situation within 30 days. Train employees to report immediately. Sanction workforce members for violations. Document your actions. Responding to a Breach If you think there is a breach: Act immediately to stop disclosure and retrieve PHI. Confirm scope of breach. Persons who may have received PHI. Type of PHI involved. Additional redisclosures. Obtain confirmation from recipient[s] that they have not and will not further use or disclose the info, and warn them of penalties. Document in writing, e.g., letter to recipients. Responding to a Breach HHS interprets corrected broadly: For example, in the event a covered entity s or business associate s noncompliant inadequate safeguards policies result in an impermissible disclosure, the disclosure violation itself could not be fully undone or corrected. The safeguards violation, however, could be corrected in the sense that the noncompliant policies and procedures could be brought into compliance. (75 FR 40879)
Breach Notification Breach Notification If there is breach of unsecured PHI, Covered entity must notify: Each individual whose unsecured PHI has been or reasonably believed to have been accessed, acquired, used, or disclosed. HHS. Local media, if breach involves > 500 persons in a state. Business associate must notify covered entity. (45 CFR 164.400 et seq.) Secured PHI Currently, only two methods to secure PHI: Encryption of electronic PHI Transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key. Notice provides processes tested and approved by Nat l Institute of Standards and Technology (NIST). Destruction of PHI. Paper, film, or hard copy media is shredded or destroyed such that PHI cannot be read or reconstructed. Electronic media is cleared, purged or destroyed consistent with NIST standards. Guidance updated annually. (74 FR 42742 or www.hhs.gov/ocr/privacy)
Breach of Unsecured PHI Acquisition, access, use or disclosure of PHI in violation of privacy rules is presumed to be a breach unless the covered entity or business associate demonstrates that there is a low probability that the info has been compromised based on a risk assessment of the following factors: nature and extent of PHI involved; unauthorized person who used or received the PHI; whether PHI was actually acquired or viewed; and extent to which the risk to the PHI has been mitigated. unless an exception applies. (45 CFR 164.402) Breach of Unsecured PHI Breach excludes the following: Unintentional acquisition, access or use by workforce member if made in good faith, within scope of authority, and PHI not further disclosed in violation of HIPAA privacy rule. Inadvertent disclosure by authorized person to another authorized person at same covered entity, business associate, or organized health care arrangement, and PHI not further used or disclosed in violation of privacy rule. Disclosure of PHI where covered entity or business associate have good faith belief that unauthorized person receiving info would not reasonably be able to retain info. (45 CFR 164.402) Breach of Unsecured PHI Determine the probability that the data has been compromised by assessing: 1. Nature and extent of PHI involved, including types of identifiers and the likelihood of re-identification. 2. Unauthorized person who used PHI or to whom disclosure was made. 3. Whether PHI was actually acquired or viewed. 4. Extent to which the risk to the PHI has been mitigated. 5. Other factors as appropriate under the circumstances. (45 CFR 164.402)
Breach Notification: Summary No breach notification required if: No privacy rule violation Incidental disclosures are not violations. PHI is secured Encrypted per HHS standards. Exception applies Unintentional internal disclosure and no re-disclosure. Low probability that data has been compromised based on: Nature of PHI disclosed. Person who received the PHI. Whether PHI actually viewed. Mitigation. Hypothetical Your facility faxed a resident s medical records to the wrong physician s office. A records clerk at the other physician s office called to alert you to same. The clerk confirmed that they would shred the info. The record contains the following info: Name Diagnosis Description of care Other similar info Hypothetical The family of one of your residents maintains a Facebook page in which she shares information about the resident. One of your CNAs, who is close to the family, posted comments about the resident on the page, including info that confirms the resident is in your facility and her general condition.
Hypothetical Your social services director routinely photographs residents engaging in activities and posts it on your website as well as on a bulletin board in the facility. The photos simply show the residents engaged in activities, but does not include names. Hypothetical You are missing an unencrypted USB containing the following info concerning residents: Name Birthdate Account number Dates of service Diagnosis Breach Notification According to HHS, the following constitutes willful neglect, requiring mandatory penalties: A covered entity s employee lost an unencrypted laptop that contained unsecured PHI. [T]he covered entity feared its reputation would be harmed if info about the incident became public and, therefore, decided not to provide notification as required by 164.400 et seq. (75 FR 40879) Beware missing PHI or devices containing PHI.
Breach Notification If breach is reportable, notify: Individual No more than 60 days from discovery. By mail. Contain required elements. HHS If < 500 persons, by March 1 of next year. If > 500 persons, no more than 60 days from discovery. Electronic report from OCR website www.hhs.gov/ocr/privacy/hipaa/administrative/brinstr uctions.html. Media if breach > 500 persons in a state. (45 CFR 164.400 et seq.) Breach Notification New breach reporting portal requires additional info. If wait to report, ensure you are tracking required info. Remember your employee benefit plan HIPAA applies to employee benefit plans if: Administered by a third party, or Have 50+ participants. Employee benefit plan must comply with HIPAA Required policies. Required notices. Others.
Additional Resources HIPAA Resources OCR website: www.hhs.gov/ocr/hipaa Regulations Summary of regulations Frequently asked questions Guidance regarding key aspects of privacy rule Sample business associate agreement Breach notification to HHS portal OCR listserve Notice of HIPAA changes
Holland & Hart Resources Available on our website Checklists Privacy rule Security rule Omnibus rule Notice of privacy practices Business associate agreements Authorization Practice guides Free webinars Free client alerts Sample privacy policies Questions? Holland & Hart LLP (208) 383-3913