HIPAA and New Technologies Using Social Media and Texting Within the Rules. Today s Objectives

Transcription

1 HIPAA and New Technologies Using Social Media and Texting Within the Rules Jim Sheldon-Dean Director of Compliance Services Lewis Creek Systems, LLC For Northern California Chapter Healthcare Financial Management Association October 28, Today s Objectives Discuss how to handle patient communications Explain the issues involved with using Social Media and Texting Discuss how Social Media and Texting can work under HIPAA Identify guidance from HHS for patient communications Discuss new rights for electronic copies of electronic records Show the new process that must be used in the event of breach Learn about being prepared for enforcement and auditing Learn how to approach compliance Q&A session jim@lewiscreeksystems.com

2 My Background Disclaimer: I am an engineer, not a lawyer, and this is not legal advice I am only providing information and resources BSCE (Civil Engineering) from UVM, MST (Transportation) from MIT More than 32 years in consulting, information systems, software development, and information security Process, problem-solving oriented 8 years as Vermont EMT, crew chief 14 years in HIPAA and health information privacy and security regulatory compliance See for more details, resources, information security compliance news, etc. jim@lewiscreeksystems.com The Long Path of HITECH Health Information Technology for Economic and Clinical Health Act, or the HITECH Act, under consideration in 2008 Became Title XIII, Subtitle D-Privacy (all the sections 134xx) of the American Recovery and Reinvestment Act of 2009 Most of the proposed rules finalized in the big HIPAA Omnibus Update, enforceable as of September 23, 2013 Omnibus Update Rule, with Preamble, available at: New Combined Rules published by HHS OCR, available at: index.html jim@lewiscreeksystems.com

3 HIPAA Privacy & Security Rules Privacy Rule 45 CFR 164.5xx, enforceable since 2003 Establishes Rights of Individuals Controls on Uses and Disclosures Baseline Privacy and Security Protections for PHI Security Rule 45 CFR 164.3xx, enforceable since 2005 Applies to all electronic PHI Flexible, customizable approach to health information security Uses Risk Analysis to identify and plan the mitigation of security risks Calls for numerous Policies and Procedures Now being enforced much more vigorously HIPAA Breach Notification Rule CFR 45 Part 164 Subpart D; 45 CFR 164.4xx Enforceable since February 2010, Final Rule now in effect, with new changes in how to determine if a breach must be reported Works with Privacy and Security Rules Requires reporting of all PHI breaches to HHS and individuals; breaches affecting 500 or more individuals must be reported to individuals, HHS, and the Press, simultaneously Provides great examples of what not to do; HHS Wall of Shame: breachnotificationrule/breachtool.html jim@lewiscreeksystems.com

4 Designated Record Set In 45 CFR : (1) A group of records maintained by or for a covered entity that is: (i) The medical records and billing records about individuals maintained by or for a covered health care provider; (ii) The enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or (iii) Used, in whole or in part, by or for the covered entity to make decisions about individuals. (2) For purposes of this paragraph, the term record means any item, collection, or grouping of information that includes protected health information and is maintained, collected, used, or disseminated by or for a covered entity. jim@lewiscreeksystems.com Individual Access of PHI Must have a process for individual to request access, for reasonable cost-based fee Must provide the entire record in the Designated Record Set if requested: Medical and billing records used in whole or in part to make decisions related to health care Information kept electronically must be available electronically if requested Exceptions for Psychotherapy notes, proceedings, if harm may result, if it would expose provider of confidential information Changes to HIPAA and CLIA allow access of lab information Automatic 30-day extension to provide records held off-site no longer allowed Make sure your Notice of Privacy Practices is up-to-date jim@lewiscreeksystems.com

5 New Guidance on Access of PHI Guidance on Access of PHI, particularly concerning minors and mental health information: special/mhguidance.html Guidance clarifying that same-sex spouses have the same HIPAA rights as other family members, no matter where services are provided: special/samesexmarriage/index.html Access and Individual Preferences (b)(1) Standard: Confidential Communications Requirements (i) A covered health care provider must permit individuals to request and must accommodate reasonable requests by individuals to receive communications of protected health information from the covered health care provider by alternative means or at alternative locations (c) Provision of Access (2) Form of access requested. (i) The covered entity must provide the individual with access to the protected health information in the form or format requested by the individual, if it is readily producible in such form or format; or, if not, in a readable hard copy form or such other form or format as agreed to by the covered entity and the individual. New (c)(2)(ii): If PHI is electronic, individual may request electronic copy. jim@lewiscreeksystems.com

6 , Texting, and Security and texting are inherently insecure Unless steps are taken, and texts may be retained or exposed by unknown parties Secure communications are essentially required as good practice for professional communications Yahoo mail, g-mail, texting, etc., are all insecure means of communication and their use may be considered a breach Technologies for securing communications are readily available today Security Rule requires consideration of encryption of data at rest and data in motion Security rule does not explicitly require encryption Risk Analysis may indicate need to encrypt over the Internet Professional communications must be encrypted over the Internet Guidance says plain with patients is fine if they want it Evaluate the risks and discuss with the individual Guidance says nothing about Texting May apply the same logic to Texting jim@lewiscreeksystems.com Patient Communications Guidance HHS Guidance and Preamble discussions in new rules say unencrypted between providers and patients is permitted if the patient requests it, per See HHS Guidance, Question 3, page 3: special/healthit/safeguards.pdf See Preamble to Omnibus Update, page 5634: pdf See Preamble to CLIA/HIPAA Modifications, page 7302: pdf jim@lewiscreeksystems.com

7 Texting is Very Useful Fast way to communicate short messages Useful for Updates, Schedule Changes Easy to communicate if running late, etc. Quick communication of results, comments More appropriate than an or phone call Can be more discreet and private than a phone conversation Can be quicker than a phone call for short messages Can provide accurate information not dependent on voice Many communications used to go by Pager Many paging operations moving to texting now Texting is more interactive than paging jim@lewiscreeksystems.com Issue Number One with Texting It s a Privacy thing Patients may not appreciate the risks of loss of privacy through texting HIPAA does require you to do your best to meet patient preferences for communication method Use Risk Analysis to evaluate and explain risks Provide a secure solution for those who prefer it It s a new technology and people will not understand it fully for quite some time jim@lewiscreeksystems.com

8 Issue Number Two with Texting Documentation: It s a Medical Records thing Regular texting doesn t provide a paper trail of conversations and contacts If it s part of patient care, it needs to be documented properly, and that requires more than regular texting A secure, traceable texting technology is important when medical record information is texted jim@lewiscreeksystems.com Secure Texting Solutions Cortext by Imprivata Comes in several versions Free app provides a secure channel Upgrades provide documentation, reporting, etc. TigerText Free app provides a secure channel DocHalo jim@lewiscreeksystems.com

9 Texting Education and Policies Staff can forget the rules with something new Educate the staff as to the risks and what MUST NOT be sent via plain or text message Establish secure, private and text messaging for private information (using Cortext by Imprivata, or TigerText, for instance, for texting) Define policies for use of and texting Require Risk Analysis for any uses of any or texting involving PHI Include process for approving and monitoring uses Include standards for allowable interactions via regular & texting Identify secure services to be used where secure and texting would be appropriate Texting Policy Contents Be brief and to the point Separation of Personal and Business activity Separation of Business and Patient information Requirement to encrypt any communications with PHI Provide Examples of what to do and what not to do Defining exceptions based on risk and need Define Rules for using any new technology Provide for regular reviews of usage to stay within bounds of HIPAA privacy and security rules Training, training, training!! Documentation, documentation, documentation!!

10 Social Media is Here to Stay Social Media now entrenched in society Facebook, Linked-In, Twitter, Instagram, Issues of Privacy Issues of management of communications Must be considered in policy Define roles, limits, guidelines Communication Issues Staff must distinguish between personal and entity use Staff may not represent entity unless authorized to Designate an authorized spokesperson for public contact Require tracking and retaining any data that may be treatment information as part of a medical record Establish use of private social networks for professional purposes carefully Don t forget, the usual HIPAA rules all still apply! jim@lewiscreeksystems.com

11 How Patients Want to Use Social Media Patients want to share experiences and treatments Patients want to share with providers and other patients There are significant benefits to sharing information as part of some treatment and healing processes Some younger patients (or clients) may be intensive users of social media and would prefer to communicate there, despite any privacy concerns How Professionals Want to Use Social Media Professional Support Group Share treatments and experiences with other providers Providers want to reach out to: Patients for marketing The Community for marketing Providers want to interact with some patients/clients There are significant benefits to sharing information as part of some treatment and healing processes Providers have to do what they need to to achieve their health care goals

12 Roles for Social Media Marketing Who represents you within your organization for those media? Are policies clear and unambiguous? Is there a formal approval channel, just like for any other official communication? Any rogue staff members representing themselves officially? Treatment Staying in touch for group therapies Discussing treatments for classes of patients in a group Professional Support Finding solutions, treatments Sharing experiences Any staff members sharing on inappropriate social media? jim@lewiscreeksystems.com The Number One Issue: Privacy Patients and clients may not appreciate the risks of loss of privacy through social media HIPAA does require you to do your best to meet patient preferences for communication method Use Risk Analysis to evaluate and explain risks Providers may not appreciate the risks of exposures and breaches under HIPAA Has the risk analysis considered social media? Is the organization prepared for breaches? Is the organization prepared for audits? It s a new technology and people will not understand it fully for quite some time jim@lewiscreeksystems.com

13 Issue Number Two: Documentation It s a Medical Records thing Regular Social Media do not provide a paper trail of conversations and contacts If it s part of patient care, it needs to be documented properly, and that requires more than Facebook or Twitter But Social Media can still be used for administrative or informative processes, so long as there is no PHI jim@lewiscreeksystems.com Issue Number Three: The Organization s Reputation Social Media is just like any media: If you don t control what is provided in your name to the media, your reputation may be permanently damaged If you don t manage the interaction, it may work against you in the modern world You must decide who is responsible for the organization s presence on social media and dedicate the resources for it Who should manage the presence? How will breaking news be handled? Who should definitely NOT be representing themselves as the organization jim@lewiscreeksystems.com

14 Managing Social Media Communications Discover how it is being used now do some research you probably have social-media-savvy staff on hand Define the three roles of Marketing, Treatment, and Professional Support Define the responsibilities and adopt policy for marketing via social media make sure staff knows they re not allowed to unilaterally represent themselves for the organization Define how social media may or may not be used for treatment purposes, and how to get approval make sure staff knows they can t make these decisions on their own Define what social media may be appropriate for professional support purposes and what information is to be shared make sure staff knows not to share any Protected Health Information inappropriately jim@lewiscreeksystems.com Preventing Social Media Issues Educate the staff as to the risks and what MUST NOT be posted on Facebook, Linked-In, Twitter, Instagram, etc. Establish private social media sites for private information (using Yammer, for instance) Define policies for use of social media for patient/client interactions Include process for approving and monitoring uses Include standards for allowable interactions on social media Identify secure social media services for appropriate group work Define policies for use of social media to address the public Include chain of command for communications Apply consistent resources to monitor and manage public interactions on social media Define policies for use of social media for professional support Define limits and allowable forums for various classes of data jim@lewiscreeksystems.com

15 Social Media Policies Be brief and to the point Cover Blogging, Collaborative Wikis, as well as Social Networks such as Facebook, Linked-In, Twitter, etc. Separation of Personal and Business activity Provide Examples of what to do and what not to do Say how you will manage any business presence Define Responsibilities for Official Representatives Define Rules for establishing any new presence on-line Provide for regular reviews of usage to stay within bounds of HIPAA privacy and security rules Training, training, training!! Documentation, documentation, documentation!! Information Security Management Process Definition of Information Security Protecting: Confidentiality Integrity Availability Definition of a Management Process: Define and understand what you have See how well it performs Watch for problems Review activities and issues Make changes based on bang-for-buck jim@lewiscreeksystems.com

16 Information Security Management Process Information Inventory and Flow Analysis Access and Configuration Control Know who and whats been going on in your networks and systems Respond to and learn from Incidents Audit and review regularly, and when operations or environment change Make risk-based improvements Focus: Confidentiality, Integrity, Availability What is a HIPAA Breach? Breach is any acquisition, access, use, or disclosure in violation of the Privacy Rule Exceptions Not Reportable if: Secured or destroyed Unintentional internal use, in good faith, with no further use Inadvertent internal use, within job scope Info cannot be retained Harm Standard removed from regulation Not reportable if a low probability of compromise based on a risk assessment jim@lewiscreeksystems.com

17 Is It a Reportable Breach? All breaches of unsecured PHI not meeting an exception are reportable, unless there is a low probability of compromise of the data, based on a risk assessment including at least: what was the info, how well identified was it, and is its release adverse to the individual to whom it was disclosed was it actually acquired or viewed the extent of mitigation All breaches, large and small, reportable to the individuals promptly, within 60 days Breaches affecting 500 or more individuals must also be reported to HHS and the press within 60 days of discovery By March 1, every year: Report prior year s small breaches to HHS To file breaches with HHS: jim@lewiscreeksystems.com HHS Report to Congress for 2009 and 2010 breaches For reported breaches of 500 or more individuals PHI in the first year of the reporting requirement: 76% of breaches involve loss (15%), theft (56%), or improper disposal (5%) Old-fashioned physical security of valuable data 17% are caused by unauthorized access or disclosure 6% are caused by hacking Portable data, laptops, smart phones, memory sticks the leaders for breaches of PHI, but servers not immune from physical or technical attack For smaller breaches, under 500 individuals: Largely single individuals affected Misdirected fax, , or hard copy communication breachnotificationrule/breachreptmain.html jim@lewiscreeksystems.com

18 HHS Report to Congress for 2011 and 2012 breaches For large breaches, affecting 500 or more individuals: In 2011 and 2012, HHS received 458 reports, affecting million people 0.97 percent of reports, but affected percent of affected individuals For smaller breaches, affecting fewer than 500 individuals: In 2012, there were 21,194 reports, affecting a total of 165,135 individuals In 2012, 83% took place at healthcare providers and 17% at health plans How? The most common causes: theft: 53%, unauthorized access or disclosure: 18% The largest number of individuals affected: due to theft, at 36% of all affected Where was the data? Laptop computers (27%), paper (23%), network servers, (13%), desktop computers (12%), and portable electronic devices (9%) jim@lewiscreeksystems.com Lessons Learned from PHI Breaches Encrypt whatever you reasonably can; honor wishes of the individuals for communication but explain the risks Check fax numbers and addresses regularly Use physical safeguards to restrict access to devices with PHI Reduce risk through network or enterprise storage as alternative to local devices Encrypt data at rest on any desktop or portable device/media storing ephi anything that isn t bolted down Have clear and well documented administrative and physical safeguards on the portable media which handle ephi Raise the security awareness of workforce members and managers to promote good data stewardship jim@lewiscreeksystems.com

19 New Enforcement Definitions Reasonable Cause: An act or omission in which a covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission violated an administrative simplification provision, but in which the covered entity or business associate did not act with willful neglect Reasonable Diligence: Business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances Willful Neglect: Conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated jim@lewiscreeksystems.com Tiered Penalty Structure Tier 1: Did not know and, with reasonable diligence, would not have known $100 - $50,000 per violation Tier 2: Violation due to reasonable cause and not willful neglect $ $50,000 per violation Tier 3: Violation due to willful neglect and corrected within 30 days of when known or should have been known with reasonable diligence $10,000 - $50,000 per violation Tier 4: Violation due to willful neglect and NOT corrected within 30 days of when known or should have been known with reasonable diligence $50,000 per violation Affirmative Defenses and Waivers may be available but not when willful neglect is involved Continued corrective action allowed, even if no penalty $1.5 million maximum for all violations of a similar type in a calendar year Can levy penalties on a daily basis! jim@lewiscreeksystems.com

20 HHS Is Serious About Enforcement $4.3 million fine for Cignet Health of Maryland for multiple HIPAA violations $1 million settlement with Mass General Hospital for records left on the subway $865K+ settlement with UCLA Medical Center for snooping in celebrity records Multiple multi-million dollar settlements with pharmacies for poor disposal of PHI $100K settlement with a physician s office for Security Rule violations $1.5 million settlement with BC/BS of Tennessee for lost hard drives $1.7 million settlement with Alaska Medicaid for lack of security process $1.5 million settlement with MEEI for lack of security for portable devices $50K settlement with Hospice of North Idaho for insecure laptop, no process $400K settlement with Idaho State University for insecure server, no process $275K settlement with Shasta Regional Med Center for inappropriate disclosure of PHI and lack of sanctions for violations $1.7 million settlement with WellPoint for insecure server, no process $1.2 million settlement with Affinity Health for improper disposal of copiers $150K settlement with APDerm for lost insecure USB drive and no Breach policies $215K settlement with Skagit County, WA for insecure server, no process $2 million in settlements with 2 entities for unsecured stolen laptops $4.8 million in settlements with Columbia/Presbyterian for poor server management $800K settlement with Parkview Health System for mishandled paper records jim@lewiscreeksystems.com What is a HIPAA Audit? Initial program conducted in 2012, being revised for New program already getting started initial survey of 1200 entities Will focus on identified problem areas from 2012: laptops, encryption, internal reviews and audits, risk analysis, and access of records Show you have in place all the policies and procedures required by the HIPAA Privacy and Security Rules Show you have been using them e.g., Show training policy, training materials, and training rosters e.g., Show security incident policy and security incident reports 2 week notice! You must be prepared in advance or it s too late! jim@lewiscreeksystems.com

21 2012 HIPAA Audit Program Overall Small covered entities (30% of the sample) had 66% of the deficiencies Health care providers (50% of the sample) had 81% of the deficiencies Security findings were 2/3 of the issues. Security issues User activity monitoring Contingency planning Authentication/integrity Media reuse and destruction Risk assessment Granting and modifying user access Privacy Issues Review process for denials of patient access to records Failure to provide appropriate patient access to records Lack of policies and procedures Uses and disclosures of decedent information Disclosures to personal representatives Business associate contracts Method for New Audits Find audit targets through survey of 1200 entities Approximately 200 Desk audits of specific issues All communication, submissions electronic, via portal NO CHANCE to provide additional information you must provide what is needed the first time Approximately 200 Field audits as necessary, depending on budget Get list of Business Associates from audit targets Audit Covered Entities in , BAs in

22 How to Prepare for an Audit 1. Do it NOW, before they call 2. Be ready to answer the questions asked in prior audits 3. Document any policies and procedures, and any action, activity, or assessment performed pursuant to compliance with the rules 4. Make sure your documentation is complete and up-to-date use tools to evaluate and document your compliance history HIPAA Audit Protocol downloaded to a spreadsheet, to link all your policies and procedures and documentation to the regulations so they re easy to find for daily use and in the event of an audit NIST HIPAA Security Rule Toolkit: New ONCHIT/OCR/OGC Security Risk Assessment Tool, with versions for ipad and Windows 7 jim@lewiscreeksystems.com Your To-Do List Find out what people are doing already Consider professional communications & patient communications separately Document your processes for proper methods of communications Find ways to secure professional communications Accommodate new individual rights Find ways to offer secure patient communications Develop and document the process for adopting and using insecure communications (plain , social media, and texting) if patients desire Establish your processes for Risk Analysis and Documentation Document your communications policies and procedures Update your Notice of Privacy Practices Train staff in new policies and procedures Document, document, document! Always have a plan for moving forward, and follow it! jim@lewiscreeksystems.com

23 Thank you! Any Questions? For additional information, please contact: Jim Sheldon-Dean Lewis Creek Systems, LLC 5675 Spear Street, Charlotte, VT