THE FINAL OMNIBUS HIPAA RULE: ARE YOU COMPLIANT?


Ohio Hospital Association Annual Meeting, June 9, 2014
Presented by: Lisa Pierce Reisz, Vorys, Sater, Seymour and Pease; Natasha Davis, Nationwide Children's Hospital, Natasha.davis@nationwidechildrens.org


HIPAA History
- HIPAA enacted: 1996
- Privacy Rule and Security Rule: 2003
- HITECH Act and Stimulus Package: 2009 (new breach reporting, increased enforcement and audits)
- Omnibus Regulations, the "new rule": January 2013
The Privacy Rule balances protections and uses. The Security Rule specifies a series of administrative, physical, and technical safeguards that covered entities and their business associates use to assure the confidentiality, integrity, and availability of electronic protected health information (ePHI).

The Final Omnibus HIPAA Rule is comprised of four final rules:
- Final modifications to the HIPAA Privacy, Security and Enforcement Rules as mandated by HITECH.
- Final rule adopting the changes to the HIPAA Enforcement Rule provided by HITECH.
- Final rule on Breach Notification for unsecured PHI under HITECH.
- Final rule modifying the HIPAA Privacy Rule as required by the Genetic Information Nondiscrimination Act (GINA).

Changes to the Privacy Rule
1. Right to an electronic copy of the EHR, and right to direct that copy to a third party.
2. Right to restrict disclosures to health plans of treatment/services paid for in cash.
3. Marketing communications paid for by third parties require authorization, with a limited exception for refill reminders and current prescriptions.
4. An easy way to stop fundraising communications.
5. Prohibition on the sale of PHI without authorization.

Changes to the Privacy Rule (cont'd)
6. Makes it easier for parents to permit providers to release student immunization records to schools.
7. Permits researchers to use a single authorization for more than one purpose, and relaxes the policy on authorization for future research.
8. Limits HIPAA protection to 50 years after death, and makes access for friends and family easier.
9. Requires changes to Notices of Privacy Practices, but relaxes the distribution requirements for health plans.

The Security Rule: NO CHANGES, with one exception: business associates are now required by HHS to comply fully with the Security Rule. Moral of the story: every entity should take care before simply signing a business associate agreement, since the stakes of HIPAA compliance are now quite high.

HIPAA Enforcement Rule Transformed HIPAA Compliance
HITECH transformed HIPAA compliance from a low priority into a high-risk obligation requiring the careful attention of both CEs and BAs:
- Significant increase in civil monetary penalties.
- Increased budget for OCR's HIPAA enforcement efforts.
- Audits (with a budget to conduct them).
- State AGs granted enforcement authority over HIPAA violations affecting state residents.
- Breach notification and reporting requirements created for certain violations.
HITECH's increased enforcement emphasis has been incorporated into the Final Omnibus HIPAA Rule.

Increased Civil Monetary Penalties
Civil monetary penalties for HIPAA violations were significantly increased after HITECH, and these increased CMPs have been incorporated into the Final Omnibus HIPAA Rule.

Civil Monetary Penalties for HIPAA Violations:
Category of culpability | Each violation | Annual maximum for identical violations
Did not know (and would not have known with reasonable diligence) | $100 - $50,000 | $1,500,000
Reasonable cause, but not willful neglect | $1,000 - $50,000 | $1,500,000
Willful neglect, but violation corrected | $10,000 - $50,000 | $1,500,000
Willful neglect, violation NOT corrected | $50,000 | $1,500,000

Factors Impacting the Amount of CMPs
- The nature and extent of the violation.
- The nature and extent of the resulting harm.
- Other factors: prior compliance with the rules; the financial condition of the CE or BA at the time of the violation.

Summary of Federal Enforcement
HHS enforcement: between April 14, 2003 and the January 31 reporting cutoff, 91,721 HIPAA complaints were filed with OCR; 84,148 (92%) have been resolved:
- 20,684 resolved through investigation and enforcement;
- 9,948 resolved through investigation and a finding of no violation;
- 53,516 resolved through closure of cases not eligible for enforcement.
The compliance issues investigated most often are:
- Impermissible uses and disclosures of PHI;
- Lack of safeguards for PHI;
- Lack of patient access to their own PHI;
- Uses or disclosures of more than the minimum necessary PHI; and
- Lack of administrative safeguards for ePHI.


HHS Enforcement Actions
- Rite Aid settled with HHS and the FTC for $1 million for its failure to protect PHI when disposing of pill bottles and other health information, 6/2010.
- Cignet Health fined $4.3 million for failing to provide patients with copies of their own medical records, 2/2011.
- Mass General Hospital paid a $1 million settlement and entered a CAP after an employee lost a paper file containing PHI on the subway, 2/2011.
- UCLA Health System settled with HHS for $865,000 and committed to a CAP after employees snooped in patient records, 7/2011.
- Blue Cross Blue Shield of Tennessee settled with HHS for $1.5 million for failing to secure PHI in an off-site storage facility, 3/2012.

HHS Enforcement Actions (cont'd)
- Phoenix Cardiac Surgery (a physician practice) settled with HHS for $100,000 after OCR found a failure to implement HIPAA policies and procedures and to safeguard ePHI, 4/2012.
- The State of Alaska settled HIPAA violations with HHS for $1.7 million after OCR determined that Alaska did not have adequate HIPAA policies and procedures in place (i.e., no risk assessment), 6/2012.
- Massachusetts Eye and Ear Infirmary paid $1.5 million to HHS for Security Rule violations, including failure to conduct a risk assessment and to implement policies on the security of ePHI on mobile devices, 9/2012.
- Hospice of North Idaho settled a HIPAA violation for $50,000 after a breach investigation showed that HONI had failed to conduct a security risk assessment, 1/2013.

HHS Enforcement Actions (cont'd)
- Idaho State University agreed to pay HHS $400,000 after a breach of the ePHI of 17,500 patients. The ePHI was unsecured for at least 10 months after a firewall was disabled. OCR concluded that ISU's risk analysis and assessments were incomplete and inadequately identified potential risks and vulnerabilities, 5/2013.
- Shasta Regional Medical Center paid HHS $275,000 and agreed to a comprehensive CAP after two senior leaders met with multiple media outlets about the medical services provided to a patient and impermissibly e-mailed the patient's PHI to the entire workforce. The CAP requires SRMC to update its policies and procedures and train its workforce on HIPAA, 6/2013.
- WellPoint agreed to pay HHS $1.7 million for Security Rule violations after security weaknesses left the ePHI of 612,402 individuals accessible over the internet. WellPoint failed to (1) adequately implement policies and procedures for authorizing access to the on-line application database, (2) perform an appropriate technical evaluation in response to a software upgrade, and (3) implement technical safeguards to verify the identity of the user, 7/2013.

HHS Enforcement Actions (cont'd)
- Affinity Health Plan paid HHS $1,215,780 to settle potential HIPAA violations arising from the return of a leased copier to its leasing vendor with the PHI of 344,579 individuals still on its hard drive. OCR concluded that Affinity had violated HIPAA by returning the copiers without erasing the ePHI from the hard drives, and that Affinity had failed to incorporate the ePHI on these copiers into its Security Rule risk assessment, 8/2013.
- Adult & Pediatric Dermatology, P.C. agreed to pay HHS $150,000 to settle potential HIPAA violations arising from the theft of an unencrypted thumb drive containing the PHI of approximately 2,200 individuals from the vehicle of one of its employees. OCR's investigation determined that APDerm had failed to conduct an accurate and thorough risk assessment and had no written HIPAA policies and procedures or employee training in place, 12/2013.

HHS Enforcement Actions (cont'd)
- Skagit County, Washington Public Health Department agreed to pay HHS $215,000 and to correct deficiencies in its HIPAA compliance program following a breach report that the ePHI of seven individuals was accessed by unknown parties after the ePHI had been inadvertently moved to a publicly accessible server, 3/2014.
- Concentra Health Services paid HHS $1,725,220 to settle HIPAA violations arising from the theft of unencrypted laptops. OCR's investigation revealed that Concentra had recognized the risk in multiple prior risk analyses but failed to take adequate steps to encrypt, 4/2014.
- QCA Health Plan paid HHS $250,000 to settle HIPAA violations arising from the theft of an unencrypted laptop from an employee's car. OCR determined that QCA had failed to comply with multiple HIPAA obligations, 4/2014.

HHS Enforcement Actions (cont'd)
New York and Presbyterian Hospital and Columbia University agreed to pay HHS $3,300,000 and $1,500,000 respectively, and to enter into a CAP, to settle the following potential HIPAA violations, 5/2014:
- Impermissibly disclosed the ePHI of 6,800 patients to Google and other internet search engines when a computer server was errantly reconfigured;
- Failed to conduct an accurate and thorough risk analysis incorporating all IT equipment, applications and ePHI data systems;
- Failed to implement processes for assessing and monitoring all IT equipment, applications and systems linked to patient databases prior to the breach, and failed to implement security measures sufficient to reduce the risk of inappropriate disclosure to an acceptable level;
- Failed to implement appropriate policies and procedures for authorizing access to patient databases, and failed to comply with its own access policies.

Criminal Enforcement Actions (42 U.S.C. 1320d-6)
To commit a criminal offense under HIPAA, a person must knowingly, and in violation of HIPAA, do one of the following:
- Use or cause to be used a unique health identifier;
- Obtain individually identifiable health information; or
- Disclose individually identifiable health information to another person.

Penalties for Criminal Violations:
HIPAA violation | Fine | Prison
Knowingly | Up to $50,000 | Up to 1 year
Under false pretenses | Up to $100,000 | Up to 5 years
With intent to sell, transfer, or use for commercial advantage, personal gain, or malicious harm | Up to $250,000 | Up to 10 years

DOJ enforces HIPAA's criminal provisions. Few cases have been prosecuted, but they typically involve theft of PHI for some form of financial gain by an employee of a covered entity. See U.S. v. Gibson, No. CR RSM, 2004 WL (W.D. Wash. Aug. 19, 2004).

OCR Audits
HITECH required HHS to provide for periodic audits to ensure HIPAA compliance by CEs and BAs. OCR began a pilot audit program in November 2011, conducting 115 audits of CEs to assess privacy and security compliance; the pilot phase ended in December. The goal of the OCR audit program was to analyze the policies and procedures of covered entities to determine areas of risk. Full investigations of covered entities were undertaken only if an audit revealed a serious compliance problem. In February 2014, OCR announced that it would begin a second round of HIPAA audits later this year, with a pre-audit survey of covered entities to be issued soon.

State Enforcement Actions
- HITECH gave state AGs new HIPAA enforcement powers.
- In June 2011, HHS trained state AGs on HIPAA enforcement.
- Security breach-related legislation has been enacted in 46 states, the District of Columbia, Puerto Rico and the Virgin Islands.

Breach Notification Rule
The Final Omnibus HIPAA Rule significantly changed the definition of "breach." Beginning September 23, 2013, HITECH's "significant harm" test is replaced with a more objective test for breach. The expectation is that more data incidents will be reportable breaches under the new rule.

Definition of Breach
The Final Rule replaces the "significant harm" test with a more objective measure. Any unauthorized acquisition, access, use or disclosure of PHI is now presumed to be a breach unless the covered entity or business associate demonstrates a low probability that the PHI has been compromised, based on an assessment of the following four risk factors:
1. The nature and extent of the PHI involved, including the types of identifiers;
2. The unauthorized person who used the PHI or to whom it was disclosed;
3. Whether the PHI was actually acquired or viewed; and
4. The extent to which the risk to the PHI has been mitigated.

Exceptions to the Definition of Breach
Not every impermissible acquisition, access, use or disclosure of PHI constitutes a breach under HIPAA. Unauthorized acquisition of or access to secured PHI, that is, PHI rendered unusable, unreadable or indecipherable by encryption or destruction consistent with HHS guidance, does not constitute a breach: ENCRYPT, ENCRYPT, ENCRYPT!! (The safe harbor depends on the decryption key not being compromised along with the data; a laptop with the key cached on the same device, or a disk encrypted with a password written on the case, does not qualify.)
Exceptions to the definition of breach:
- Unintentional acquisition, access or use by a workforce member acting in good faith and within the scope of authority.
- Inadvertent disclosure between persons authorized to access PHI at the same CE or BA.
- The recipient would not reasonably have been able to retain the information.

Causes of Breach
Human error and process mistakes, not technology, are the biggest causes of HIPAA violations. Top 3 causes of breach (Ponemon Institute, 2012):
1. Lost or stolen laptops, removable devices (flash drives), mobile devices, and documents (46%).
2. Employee mistakes or unintentional actions (42%).
3. Third-party errors (42%).


Causes of Breach (cont'd)
Process failures include:
1. Failure to encrypt PHI.
2. Failure to establish adequate password protections.
3. Failure to adequately train employees on HIPAA policies and procedures.
4. Failure to consistently discipline employees for HIPAA violations.


BREACH MATRIX
Note: This matrix is not an exhaustive list and is intended only as a guide. The "totality of the circumstances" will be considered, using the four factors, to determine whether an incident rises to the level of a reportable breach.

Impact (Factor 1: nature and extent of the PHI)
Impact is rated High, Medium or Low across three kinds of harm: financial, reputational and personal.
HIGH impact, for example:
- Data that would allow identity theft (SSN, credit card number, driver's license).
- A combination of information that would indicate a high risk to the patient.
- Sensitive diagnoses (HIV, STD, mental health, hematology/oncology).
- Revealing photos, abuse information, custody information.
- An employer notified of a sensitive condition.
- Disclosure to family members or others where there is explicit instruction that they should not receive information.
MEDIUM impact, for example:
- MRN + medical history.
- Certain types of treatment information and/or medication.
- Appointment reminder or physician's name for a sensitive department.
- A photo in which the patient can be identified (scar, tattoo).
- Disclosure to family with a close relationship to the child but not authorized for disclosure.
LOW impact, for example:
- Publicly available information.
- MRN alone.
- A non-sensitive lab value.
- Appointment reminder for a non-sensitive department.
- A photo of an unidentified body part.
Note: The identifiers listed here do NOT represent an exhaustive list; they are examples that have occurred at NCH and other institutions and serve as triggers, NOT definitive results.

BREACH MATRIX: Likelihood
Factor 2, who received the PHI, and its effect on likelihood:
- Covered entity: Low
- Entity obligated to protect sensitive data (bank, school, government): Low
- Business associate: Low
- Non-covered entity with no obligation to protect: increases likelihood
- Inappropriate access (snooping): increases likelihood
- Criminal (due to theft): increases likelihood
- Mal-intent: increases likelihood
- Unknown recipient: increases likelihood
Factor 4, extent to which the risk was mitigated:
- Signed certificate of destruction (COD): lowers likelihood
- We do not know: Medium/High
- Refusal to sign a certificate: Medium/High
- Other mitigating circumstances (days missing, number of people who viewed it): varies
Likelihood scale: High = >50% likely (almost certain); Medium = 10-50% likely (moderate); Low = <10% likely (unlikely/rare).
Note: This matrix is not an exhaustive list and is intended only as a guide.

BREACH MATRIX: Probability of Compromise Assessment
All four factors must be considered:
1. The nature and extent of the PHI involved.
2. To whom the disclosure was made.
3. Whether the PHI was actually viewed or acquired.
4. The extent to which the risk to the PHI was mitigated.

BREACH MATRIX: Scale (Impact x Likelihood)
Impact \ Likelihood | Low | Medium | High
Low | Low | Low | Medium
Medium | Low | Medium | High
High | Medium | High | High
Note: This matrix is not an exhaustive list and is intended only as a guide.

Breach Notification Requirements
The HITECH breach notification rule was adopted without change:
Breaches involving fewer than 500 people:
- Written notification by first-class mail to each individual at their last known address.
- Annual submission of a log to the Secretary of HHS documenting such breaches during the year.
Breaches involving 500 or more people:
- Written notification by first-class mail to each individual at their last known address.
- Notification to prominent media outlets serving a state or jurisdiction when the breach involves more than 500 residents of that state or jurisdiction.
- Notification to the Secretary of HHS at the same time as the individual notices, rather than in the annual log.
- Posting on the HHS website (the HHS "Wall of Shame").

Timing of Breach Notification: Covered Entity
If a breach has occurred, a CE must provide notice to the affected individuals without unreasonable delay and in no event later than 60 days from the date of discovery.

Timing of Breach Notification (cont'd): Business Associate
A BA, following discovery of a breach, must notify the CE without unreasonable delay and in no case later than 60 days after discovery. If the BA is acting as an agent of the CE, the BA's discovery of the breach is imputed to the CE, so the CE's 60-day clock starts when the BA discovers the breach. If the BA is not an agent of the CE, the CE's obligation runs from the time the BA notifies the CE (a new 60-day clock starts). The practical consequence is that the total time to individual notice can approach 120 days in the non-agent case, so BA agreements commonly require notice to the CE far sooner than the regulatory maximum.

Breach Statistics
- There are currently 991 entities listed on the HHS Wall of Shame.
- The healthcare industry loses $7 billion a year due to HIPAA data breaches.
- The average economic impact of a data breach has increased by $400,000 since 2012, to a total of $2.4 million, with an average cost of $471 per patient record.
- 94% of healthcare organizations have had at least one data breach in the last two years.

Breach Statistics (cont'd), Ponemon Institute (2012)
- Average number of lost or stolen records per breach: 2, (figure truncated in the source).
- Share of all 2012 data breaches that involved medical records: % (figure truncated in the source).
- 18% of healthcare organizations say medical identity theft resulted from a data breach.
- Fewer than half of all health care providers conduct annual security risk assessments.

Breach Response Plan
1. Establish a security incident response team.
2. Breach response:
a. Identify and immediately stop the data incident.
b. Develop and document a detailed description of the facts.
c. Conduct an investigation (including an IT forensic investigation) into the incident.
d. Engage outside experts (consider retaining experts through legal counsel to maximize privilege).
e. Identify and isolate pertinent records, files and documents (both paper and electronic).
f. Mitigate any harm to individuals/patients.
g. Document all steps taken in responding to the incident.

Breach Response Plan (cont'd)
3. Designate a Communications Coordinator to:
a. Communicate regularly with the response team.
b. Consult with legal regarding the scope of information to be disclosed.
c. Manage publicity and public relations efforts.
d. Serve as the single point of contact with the media.
e. Communicate accurate and concise information; avoid misleading, inaccurate or incomplete information.
f. Establish policies and procedures for tracking the timing of notice:
i. Date the breach was discovered and details of the discovery.
ii. All notifications made within the 60-day reporting period.
iii. All notification delays and the reasons for them.
iv. All communications with OCR.
v. All notification delays requested by law enforcement.

Breach Response Plan (cont'd)
4. Develop a breach notification process:
a. Develop and document your notification to the individuals/patients affected by the breach, including all means used to ensure delivery.
b. Develop and document your notifications to the necessary regulators, including OCR and state agencies, if applicable.
c. Develop and document your notifications to the media, if required.
5. Determine the root cause of the incident, formulate a corrective action plan, and institute remedial steps in a timely manner.
6. Update the risk assessment.
7. Update or re-run employee training.
8. Discipline employees for any violations of HIPAA policies and procedures.

Incident Response Plan Test: Table-Top Mock Breach
- Sample breach scenarios that are atypical; the goal is to catch gaps in the process.
- Half-day commitment from the key players on the incident response team: Security, Privacy, Legal, PR/Marketing, HR, Executive Leadership.
- Surprise we learned: the social media response needs to be quick and is crucial, and it requires leadership comfort with fast decision-making around a message!
- Have written documentation that is widely accessible so the "B Team" is ready for an audit or an incident.

Lessons Learned From Data Breaches
- Encrypt all data on portable devices.
- Improve physical security. Do not give employees unfettered access to all spaces in which data, records and devices are stored.
- Limit online access to data. Not everyone needs access to everything. Re-evaluate job descriptions and tailor data access to what is reasonably necessary for employees to perform their duties.
- Terminate access for all former employees.
- Discipline employees who access patient data without a need.
- Ask patients to update their information regularly to eliminate billing and information-release errors.

Lessons Learned From Data Breaches (cont'd)
- Properly destroy data on recycled and retired technology.
- Properly destroy patient paper records that are beyond statutory retention periods.
- Update HIPAA policies and procedures to reflect the actual operations of the organization.
- Train and re-train employees on HIPAA compliance.
- Consider procuring cyber insurance.

GINA Provisions
- Requires that genetic information be treated as PHI.
- Prohibits health plans from using or disclosing genetic information for underwriting purposes.


Business Associates
The definition of "business associate" has been expanded:
- Includes Health Information Organizations, e-prescribing gateways, and PHR vendors that provide services to covered entities.
- Includes entities that merely store PHI (business associates may now "create, receive, maintain, or transmit" PHI).
- Downstream subcontractors of business associates are now themselves defined as business associates.
- Patient safety activities have been added to the list of functions that may cause an organization to be deemed a business associate.
- The conduit exception is narrow and is intended to exclude only courier services and their electronic equivalents; data storage services that hold PHI are business associates.
Whether an entity is a business associate depends on the nature of its activities. The outcome cannot be avoided by simply foregoing a contract!

Business Associates (cont'd)
Various HIPAA provisions now expressly apply to BAs and their subcontractors:
- All applicable provisions of the Security Rule. BAs are now directly liable for Security Rule violations (in addition to breach-of-contract liability).
- The use and disclosure limitations of the Privacy Rule, including the minimum necessary principle and, if applicable, the de-identification standards. BAs are now directly liable for Privacy Rule violations (in addition to breach-of-contract liability).
- The requirement to provide a copy of ePHI to the covered entity, the individual, or the individual's designee.
- The requirement to maintain an accounting of disclosures.
- The obligation to cooperate with HHS during an investigation or compliance review.

Business Associates (cont'd)
As of September 23, 2013, BAs and their subcontractors must comply with HIPAA requirements, including:
- Adoption and implementation of dozens of documented HIPAA policies and procedures.
- Implementation of the Security Rule's technical requirements.
- Conducting a security risk analysis.
- Developing a mitigation plan.
- Producing a contingency plan.
- Encryption of ePHI.
- Preparing systems to log and monitor user activity.
Compliance also requires training the workforce on the HIPAA compliance program.

Business Associate Agreements
CEs should be reviewing and updating all business associate agreements to address:
- Enhanced business associate compliance obligations.
- Breach response and reporting obligations: timing, responsibility designation, and the cost of reporting obligations.
- Indemnification provisions: breach notification costs, credit monitoring and other mitigation costs, defense costs, and CMPs.
- Insurance coverage.
The federal common law of agency will play an important part in defining the relationship between CEs and BAs: CEs are directly liable for the acts of BAs that are their agents.

State Law and 42 C.F.R. Part 2
HIPAA is a floor. Additional federal and state laws also govern the confidentiality of drug and alcohol treatment records and of behavioral health and mental health records. "More stringent" is the standard for determining preemption, i.e., which law controls: the more stringent law is the one that provides greater privacy protection and/or greater rights to individuals regarding their protected health information.

Judicial and Administrative Proceedings
- Subpoenas and satisfactory assurances
- Court orders
- Mental health information
- Substance abuse information

HIPAA In The Digital Age
Technology complicates HIPAA compliance. Your risk assessment must consider:
- Mobile devices (smartphones, iPads, laptops)
- BYOD policies
- Texting
- Secure e-mail and data transfers
- Cloud computing
- Telecommuting
- Social media

Key Issues to Address
- Keeping the risk assessment up to date.
- Development/update of HIPAA policies and procedures.
- Review and update of business associate agreements to include breach notification provisions, indemnification provisions, and insurance requirements.
- Update of NPPs.
- Update of the breach response plan to include the new test for determining whether you have a reportable breach.
- Encryption policies.
- Employee training and discipline.


QUESTIONS?


Disclaimer 8/8/2014. Current Developments in Privacy and Security Rule Enforcement Office of the Secretary Office for Civil Rights () Current Developments in Privacy and Security Rule Enforcement Michigan Medical Billers Association Andrew C. Kruley, J.D. Equal Opportunity Specialist

More information

HIPAA Omnibus Rule Practice Impact. Kristen Heffernan MicroMD Director of Prod Mgt and Marketing

HIPAA Omnibus Rule Practice Impact. Kristen Heffernan MicroMD Director of Prod Mgt and Marketing HIPAA Omnibus Rule Practice Impact Kristen Heffernan MicroMD Director of Prod Mgt and Marketing 1 HIPAA Omnibus Rule Agenda History of the Rule HIPAA Stats Rule Overview Use of Personal Health Information

More information

Health Information Privacy Refresher Training. March 2013

Health Information Privacy Refresher Training. March 2013 Health Information Privacy Refresher Training March 2013 1 Disclosure There are no significant or relevant financial relationships to disclose. 2 Topics for Today State health information privacy law Federal

More information

HIPAA Omnibus Final Rule Changes Breach Notification & Enforcement Plus An Audit Update

HIPAA Omnibus Final Rule Changes Breach Notification & Enforcement Plus An Audit Update HIPAA Omnibus Final Rule Changes Breach Notification & Enforcement Plus An Audit Update OCR / WEDI Webinar Series July 17, 2013 Today s Speakers Verne Rinker, JD, MPH Health Information Privacy Specialist

More information

HIPAA Omnibus Rule Overview. Presented by: Crystal Stanton MicroMD Marketing Communication Specialist

HIPAA Omnibus Rule Overview. Presented by: Crystal Stanton MicroMD Marketing Communication Specialist HIPAA Omnibus Rule Overview Presented by: Crystal Stanton MicroMD Marketing Communication Specialist 1 HIPAA Omnibus Rule - Agenda History of the Omnibus Rule What is the HIPAA Omnibus Rule and its various

More information

HHS Issues New HITECH/HIPAA Rule: Implications for Hospice Providers

HHS Issues New HITECH/HIPAA Rule: Implications for Hospice Providers Compliance Tip Sheet National Hospice and Palliative Care Organization www.nhpco.org/regulatory HHS Issues New HITECH/HIPAA Rule: Implications for Hospice Providers Hospice Provider Compliance To Do List

More information

Am I a Business Associate?

Am I a Business Associate? Am I a Business Associate? Now What? JENNIFER L. RATHBURN Quarles & Brady LLP KATEA M. RAVEGA Quarles & Brady LLP agenda» Overview of HIPAA / HITECH» Business Associate ( BA ) Basics» What Do BAs Have

More information

Network Security and Data Privacy Insurance for Physician Groups

Network Security and Data Privacy Insurance for Physician Groups Network Security and Data Privacy Insurance for Physician Groups February 2014 Lockton Companies While exposure to medical malpractice remains a principal risk MIKE EGAN, CPCU Senior Vice President Unit

More information

HIPAA LIAISON MEETING PRESENTAITON. August 11, 2015 Leslie J. Pfeffer, BS, CHP University HIPAA Privacy Officer

HIPAA LIAISON MEETING PRESENTAITON. August 11, 2015 Leslie J. Pfeffer, BS, CHP University HIPAA Privacy Officer HIPAA LIAISON MEETING PRESENTAITON August 11, 2015 Leslie J. Pfeffer, BS, CHP University HIPAA Privacy Officer Current State of HIPAA Enforcement Content Contributor Abby Bonjean, Investigator Office for

More information

HIPAA in an Omnibus World. Presented by

HIPAA in an Omnibus World. Presented by HIPAA in an Omnibus World Presented by HITECH COMPLIANCE ASSOCIATES IS NOT A LAW FIRM The information given is not intended to be a substitute for legal advice or consultation. As always in legal matters

More information

HIPAA: Breach Notification By: Office of University Counsel For: Jefferson IRB Continuing Education. September 2014

HIPAA: Breach Notification By: Office of University Counsel For: Jefferson IRB Continuing Education. September 2014 HIPAA: Breach Notification By: Office of University Counsel For: Jefferson IRB Continuing Education September 2014 Introduction The HIPAA Privacy Rule establishes the conditions under which Covered Entities

More information

You Probably Don t Even Know

You Probably Don t Even Know You Probably Don t Even Know That You Need To Comply With HIPAA In Collaboration With: About ERM About The Speaker Stephen Siegel, Esq., Of Counsel, Broad and Cassel Board Certified Health Law Over 25

More information

Data Breach, Electronic Health Records and Healthcare Reform

Data Breach, Electronic Health Records and Healthcare Reform Data Breach, Electronic Health Records and Healthcare Reform (This presentation is for informational purposes only and it is not intended, and should not be relied upon, as legal advice.) Overview of HIPAA

More information

HHS Finalizes HIPAA Privacy and Data Security Rules, Including Stricter Rules for Breaches of Unsecured PHI

HHS Finalizes HIPAA Privacy and Data Security Rules, Including Stricter Rules for Breaches of Unsecured PHI January 23, 2013 HHS Finalizes HIPAA Privacy and Data Security Rules, Including Stricter Rules for Breaches of Unsecured PHI Executive Summary HHS has issued final regulations that address recent legislative

More information

OCR s Anatomy: HIPAA Breaches, Investigations, and Enforcement

OCR s Anatomy: HIPAA Breaches, Investigations, and Enforcement OCR s Anatomy: HIPAA Breaches, Investigations, and Enforcement Clinton Mikel The Health Law Partners, P.C. Alessandra Swanson U.S. Department of Health and Human Services - Office for Civil Rights Disclosure

More information

HIPAA Omnibus & HITECH Rules: Key Provisions and a Simple Checklist. www.riskwatch.com

HIPAA Omnibus & HITECH Rules: Key Provisions and a Simple Checklist. www.riskwatch.com HIPAA Omnibus & HITECH Rules: Key Provisions and a Simple Checklist www.riskwatch.com Introduction Last year, the federal government published its long awaited final regulations implementing the Health

More information

The HITECH Act: Implications to HIPAA Covered Entities and Business Associates. Linn F. Freedman, Esq.

The HITECH Act: Implications to HIPAA Covered Entities and Business Associates. Linn F. Freedman, Esq. The HITECH Act: Implications to HIPAA Covered Entities and Business Associates Linn F. Freedman, Esq. Introduction and Overview On February 17, 2009, President Obama signed P.L. 111-05, the American Recovery

More information

HIPAA and HITECH Compliance Under the New HIPAA Final Rule. HIPAA Final Omnibus Rule ( Final Rule )

HIPAA and HITECH Compliance Under the New HIPAA Final Rule. HIPAA Final Omnibus Rule ( Final Rule ) HIPAA and HITECH Compliance Under the New HIPAA Final Rule Presented Presented by: by: Barry S. Herrin, Attorney CHPS, Name FACHE Smith Smith Moore Moore Leatherwood Leatherwood LLP LLP Atlanta Address

More information

Business Associates, HITECH & the Omnibus HIPAA Final Rule

Business Associates, HITECH & the Omnibus HIPAA Final Rule Business Associates, HITECH & the Omnibus HIPAA Final Rule HIPAA Omnibus Final Rule Changes Business Associates Marissa Gordon-Nguyen, JD, MPH Health Information Privacy Specialist Office for Civil Rights/HHS

More information

REPRODUCTIVE ASSOCIATES OF DELAWARE (RAD) NOTICE OF PRIVACY PRACTICES PLEASE REVIEW IT CAREFULLY.

REPRODUCTIVE ASSOCIATES OF DELAWARE (RAD) NOTICE OF PRIVACY PRACTICES PLEASE REVIEW IT CAREFULLY. REPRODUCTIVE ASSOCIATES OF DELAWARE (RAD) NOTICE OF PRIVACY PRACTICES THIS NOTICE DESCRIBES HOW PROTECTED HEALTH INFORMATION (PHI) ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS

More information

HIPAA 101. March 18, 2015 Webinar

HIPAA 101. March 18, 2015 Webinar HIPAA 101 March 18, 2015 Webinar Agenda Acronyms to Know HIPAA Basics What is HIPAA and to whom does it apply? What is protected by HIPAA? Privacy Rule Security Rule HITECH Basics Breaches and Responses

More information

How To Write A Report On The Health Care Privacy And Security Rules Of Health Care For A Patient

How To Write A Report On The Health Care Privacy And Security Rules Of Health Care For A Patient Annual Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance For Calendar Years 2011 and 2012 As Required by the Health Information Technology for Economic and Clinical

More information

This presentation focuses on the Healthcare Breach Notification Rule. First published in 2009, the final breach notification rule was finalized in

This presentation focuses on the Healthcare Breach Notification Rule. First published in 2009, the final breach notification rule was finalized in This presentation focuses on the Healthcare Breach Notification Rule. First published in 2009, the final breach notification rule was finalized in the HIPAA Omnibus Rule of 2013. As part of the American

More information

Privacy Officer Job Description 4/28/2014. HIPAA Privacy Officer Orientation. Cathy Montgomery, RN. Presented by:

Privacy Officer Job Description 4/28/2014. HIPAA Privacy Officer Orientation. Cathy Montgomery, RN. Presented by: HIPAA Privacy Officer Orientation Presented by: Cathy Montgomery, RN Privacy Officer Job Description Serve as leader Develop Policies and Procedures Train staff Monitor activities Manage Business Associates

More information

Raymond: Beyond Basic HIPAA - GSHA Convention 2-28-15 1 HIPAA HIPAA HIPAA. Financial. Carol Ann Raymond, MBA, Ed.S., CCC-SLP

Raymond: Beyond Basic HIPAA - GSHA Convention 2-28-15 1 HIPAA HIPAA HIPAA. Financial. Carol Ann Raymond, MBA, Ed.S., CCC-SLP Carol Ann Raymond, MBA, Ed.S., CCC-SLP Associate Clinical Professor/Clinic Director Department of Communication Sciences and Disorders Financial o Employed by the University of Georgia o Non-Financial

More information

6/17/2013 PRESENTED BY: Updates on HIPAA, Data, IT and Security Technology. June 25, 2013

6/17/2013 PRESENTED BY: Updates on HIPAA, Data, IT and Security Technology. June 25, 2013 Updates on HIPAA, Data, IT and Security Technology June 25, 2013 1 The material appearing in this presentation is for informational purposes only and should not be construed as advice of any kind, including,

More information

What s New with HIPAA? Policy and Enforcement Update

What s New with HIPAA? Policy and Enforcement Update What s New with HIPAA? Policy and Enforcement Update HHS Office for Civil Rights New Initiatives Precision Medicine Initiative (PMI), including Access Guidance Cybersecurity Developer portal NICS Final

More information

HHS announces sweeping changes to the HIPAA Privacy and Security Rules in the final HIPAA Omnibus Rule

HHS announces sweeping changes to the HIPAA Privacy and Security Rules in the final HIPAA Omnibus Rule JANUARY 23, 2013 HHS announces sweeping changes to the HIPAA Privacy and Security Rules in the final HIPAA Omnibus Rule By Linn Foster Freedman, Kathryn M. Sylvia, Lindsay Maleson, and Brooke A. Lane On

More information

Lessons Learned from Recent HIPAA Enforcement Actions, Breaches, and Audit. Iliana L. Peters, J.D., LL.M. April 23, 2014

Lessons Learned from Recent HIPAA Enforcement Actions, Breaches, and Audit. Iliana L. Peters, J.D., LL.M. April 23, 2014 Lessons Learned from Recent HIPAA Enforcement Actions, Breaches, and Audit Iliana L. Peters, J.D., LL.M. April 23, 2014 OCR RULEMAKING UPDATE What s Done? What s to Come? What s Done: Interim Final Rules

More information

Business Associates and Breach Reporting Under HITECH and the Omnibus Final HIPAA Rule

Business Associates and Breach Reporting Under HITECH and the Omnibus Final HIPAA Rule Business Associates and Breach Reporting Under HITECH and the Omnibus Final HIPAA Rule Patricia D. King, Esq. Associate General Counsel Swedish Covenant Hospital Chicago, IL I. Business Associates under

More information

Legislative & Regulatory Information

Legislative & Regulatory Information Americas - U.S. Legislative, Privacy & Projects Jurisdiction Effective Date Author Release Date File No. UFS Topic Citation: Reference: Federal 3/26/13 Michael F. Tietz Louis Enahoro HIPAA, Privacy, Privacy

More information

Community First Health Plans Breach Notification for Unsecured PHI

Community First Health Plans Breach Notification for Unsecured PHI Community First Health Plans Breach Notification for Unsecured PHI The presentation is for informational purposes only. It is the responsibility of the Business Associate to ensure awareness and compliance

More information

Updated HIPAA Regulations What Optometrists Need to Know Now. HIPAA Overview

Updated HIPAA Regulations What Optometrists Need to Know Now. HIPAA Overview Updated HIPAA Regulations What Optometrists Need to Know Now The U.S. Department of Health & Human Services Office for Civil Rights recently released updated regulations regarding the Health Insurance

More information

Breaches. Complying with the HIPAA Omnibus Final Rule. Important Definitions. Protected Health Information Includes HIPAA PRIVACY 3/2/2014

Breaches. Complying with the HIPAA Omnibus Final Rule. Important Definitions. Protected Health Information Includes HIPAA PRIVACY 3/2/2014 Breaches Complying with the HIPAA Omnibus Final Rule You Can Be Successful! Advocate Medical Group in Chicago had 4 desktop computers taken in a burglary that contained the personal information of over

More information

Lessons Learned from Recent HIPAA and Big Data Breaches. Briar Andresen Katie Ilten Ann Ladd

Lessons Learned from Recent HIPAA and Big Data Breaches. Briar Andresen Katie Ilten Ann Ladd Lessons Learned from Recent HIPAA and Big Data Breaches Briar Andresen Katie Ilten Ann Ladd Recent health care breaches Breach reports to OCR as of February 2015 1,144 breaches involving 500 or more individual

More information

Security Is Everyone s Concern:

Security Is Everyone s Concern: Security Is Everyone s Concern: What a Practice Needs to Know About ephi Security Mert Gambito Hawaii HIE Compliance and Privacy Officer July 26, 2014 E Komo Mai! This session s presenter is Mert Gambito

More information

Page 1. NAOP HIPAA and Privacy Risks 3/11/2014. Privacy means being able to have control over how your information is collected, used, or shared;

Page 1. NAOP HIPAA and Privacy Risks 3/11/2014. Privacy means being able to have control over how your information is collected, used, or shared; Page 1 National Organization of Alternative Programs 2014 NOAP Educational Conference HIPAA and Privacy Risks Ira J Rothman, CPHIMS, CIPP/US/IT/E/G Senior Vice President - Privacy Official March 26, 2014

More information

Data Security Breaches: Learn more about two new regulations and how to help reduce your risks

Data Security Breaches: Learn more about two new regulations and how to help reduce your risks Data Security Breaches: Learn more about two new regulations and how to help reduce your risks By Susan Salpeter, Vice President, Zurich Healthcare Risk Management News stories about data security breaches

More information

Tatiana Melnik Tampa, FL 734.358.4201 www.melniklegal.com

Tatiana Melnik Tampa, FL 734.358.4201 www.melniklegal.com 1 Outline HCDA General Membership Meeting September 23, 2014 Tatiana Melnik Melnik Legal PLLC tatiana@melniklegal.com 734-358-4201 Tampa, FL I. What is HIPAA? II. Why Should You Care? A. B. Regulatory

More information

Dissecting New HIPAA Rules and What Compliance Means For You

Dissecting New HIPAA Rules and What Compliance Means For You Dissecting New HIPAA Rules and What Compliance Means For You A White Paper by Cindy Phillips of CMIT Solutions and Kelly McClendon of CompliancePro Solutions TABLE OF CONTENTS Introduction 3 What Are the

More information

HIPAA Compliance in 2013:

HIPAA Compliance in 2013: HIPAA Compliance in 2013: National Association for Home Care & Hospice March on Washington March 18, 2013 1 Marcia Augsburger Partner, DLA Piper, LLP (US) Firm HIPAA Officer and HIPAA Working Group Co-Chair

More information

Am I a Business Associate? Do I want to be a Business Associate? What are my obligations?

Am I a Business Associate? Do I want to be a Business Associate? What are my obligations? Am I a Business Associate? Do I want to be a Business Associate? What are my obligations? Brought to you by Winston & Strawn s Health Care Practice Group 2013 Winston & Strawn LLP Today s elunch Presenters

More information

Everett School Employee Benefit Trust. Reportable Breach Notification Policy HIPAA HITECH Rules and Washington State Law

Everett School Employee Benefit Trust. Reportable Breach Notification Policy HIPAA HITECH Rules and Washington State Law Everett School Employee Benefit Trust Reportable Breach Notification Policy HIPAA HITECH Rules and Washington State Law Introduction The Everett School Employee Benefit Trust ( Trust ) adopts this policy

More information

Ethics, Privilege, and Practical Issues in Cloud Computing, Privacy, and Data Protection: HIPAA February 13, 2015

Ethics, Privilege, and Practical Issues in Cloud Computing, Privacy, and Data Protection: HIPAA February 13, 2015 Ethics, Privilege, and Practical Issues in Cloud Computing, Privacy, and Data Protection: HIPAA February 13, 2015 Katherine M. Layman Cozen O Connor 1900 Market Street Philadelphia, PA 19103 (215) 665-2746

More information

HIPAA Compliance: Are you prepared for the new regulatory changes?

HIPAA Compliance: Are you prepared for the new regulatory changes? HIPAA Compliance: Are you prepared for the new regulatory changes? Baker Tilly CARIS Innovation, Inc. April 30, 2013 Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed

More information

HIPAA Update Focus on Breach Prevention

HIPAA Update Focus on Breach Prevention HIPAA Update Focus on Breach Prevention Objectives By the end of this program, participants should be able to: Identify top reasons why breaches occur Review the breach definition and notification process

More information

Understanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA- Compliant IT Provider A White Paper by CMIT Solutions

Understanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA- Compliant IT Provider A White Paper by CMIT Solutions Understanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA- Compliant IT Provider A White Paper by CMIT Solutions Table of Contents Understanding HIPAA Privacy and Security... 1 What

More information

HIPAA. New Breach Notification Risk Assessment and Sanctions Policy. Incident Management Policy. Focus on: For breaches affecting 1 3 individuals

HIPAA. New Breach Notification Risk Assessment and Sanctions Policy. Incident Management Policy. Focus on: For breaches affecting 1 3 individuals HIPAA New Breach Notification Risk Assessment and Sanctions Policy Incident Management Policy For breaches affecting 1 3 individuals +25 individuals + 500 individuals Focus on: analysis documentation PHI

More information

HIPAA and the HITECH Act Privacy and Security of Health Information in 2009

HIPAA and the HITECH Act Privacy and Security of Health Information in 2009 HIPAA and the HITECH Act Privacy and Security of Health Information in 2009 What is HIPAA? Health Insurance Portability & Accountability Act of 1996 Effective April 13, 2003 Federal Law HIPAA Purpose:

More information

12/19/2014. HIPAA More Important Than You Realize. Administrative Simplification Privacy Rule Security Rule

12/19/2014. HIPAA More Important Than You Realize. Administrative Simplification Privacy Rule Security Rule HIPAA More Important Than You Realize J. Ira Bedenbaugh Consulting Shareholder February 20, 2015 This material was used by Elliott Davis Decosimo during an oral presentation; it is not a complete record

More information

What Health Care Entities Need to Know about HIPAA and the American Recovery and Reinvestment Act

What Health Care Entities Need to Know about HIPAA and the American Recovery and Reinvestment Act What Health Care Entities Need to Know about HIPAA and the American Recovery and Reinvestment Act by Lane W. Staines and Cheri D. Green On February 17, 2009, The American Recovery and Reinvestment Act

More information

Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know

Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know Note: Information provided to NCRA by Melodi Gates, Associate with Patton Boggs, LLC Privacy and data protection

More information

UNDERSTANDING THE HIPAA/HITECH BREACH NOTIFICATION RULE 2/25/14

UNDERSTANDING THE HIPAA/HITECH BREACH NOTIFICATION RULE 2/25/14 UNDERSTANDING THE HIPAA/HITECH BREACH NOTIFICATION RULE 2/25/14 RULES Issued August 19, 2009 Requires Covered Entities to notify individuals of a breach as well as HHS without reasonable delay or within

More information

Welcome to ChiroCare s Fourth Annual Fall Business Summit. October 3, 2013

Welcome to ChiroCare s Fourth Annual Fall Business Summit. October 3, 2013 Welcome to ChiroCare s Fourth Annual Fall Business Summit October 3, 2013 HIPAA Compliance Regulatory Overview & Implementation Tips for Providers Agenda Green packet Overview of general HIPAA terms and

More information

HIPAA Compliance The Time is Now Changes on the Horizon: The Final Regulations on Privacy and Security. May 7, 2013

HIPAA Compliance The Time is Now Changes on the Horizon: The Final Regulations on Privacy and Security. May 7, 2013 HIPAA Compliance The Time is Now Changes on the Horizon: The Final Regulations on Privacy and Security May 7, 2013 Presenters James Clay President Employee Benefits & HR Consulting The Miller Group jimc@millercares.com

More information

HIPAA - Breaking News!

HIPAA - Breaking News! Health IT and Meaningful Use Update Nebraska Healthcare Quality Forum June 4, 2014 Barbara E. Person and Michael W. Chase Baird Holm LLP #1258792 HIPAA - Breaking News! Office for Civil Rights (OCR) will

More information

HIPAA Privacy, Security, Breach, and Meaningful Use. CHUG October 2012

HIPAA Privacy, Security, Breach, and Meaningful Use. CHUG October 2012 HIPAA Privacy, Security, Breach, and Meaningful Use Practice Requirements for 2012 CHUG October 2012 The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Standards for Privacy of Individually

More information

HIPAA Privacy Breach Notification Regulations

HIPAA Privacy Breach Notification Regulations Technical Bulletin Issue 8 2009 HIPAA Privacy Breach Notification Regulations On August 24, 2009 Health and Human Services (HHS) issued interim final regulations implementing the HIPAA Privacy Breach Notification

More information

Breaches, Business Associates and Texting, Oh My! A HIPAA HITECH Update. Overview

Breaches, Business Associates and Texting, Oh My! A HIPAA HITECH Update. Overview Breaches, Business Associates and Texting, Oh My! A HIPAA HITECH Update The Bittinger Law Firm 13500 Sutton Park Drive South Suite 201 Jacksonville, Florida 32224 January 13, 2015 Ann M. Bittinger, Esq.

More information

UPDATES FOR MEDICAL PRACTICES: RED FLAGS AND IDENTITY THEFT AND HIPAA PRIVACY CHANGES (FROM HITECH)

UPDATES FOR MEDICAL PRACTICES: RED FLAGS AND IDENTITY THEFT AND HIPAA PRIVACY CHANGES (FROM HITECH) UPDATES FOR MEDICAL PRACTICES: RED FLAGS AND IDENTITY THEFT AND HIPAA PRIVACY CHANGES (FROM HITECH) March 2011 Presentation by Jennifer L. Cox, J.D. Red Flags Rollback Red flags is going going and not

More information

HIPAA/HITECH and Texas Privacy Laws Comparison Tool Updated 2013

HIPAA/HITECH and Texas Privacy Laws Comparison Tool Updated 2013 HIPAA/HITECH and Texas Privacy Laws Comparison Tool Updated 2013 Federal and Texas Privacy & Security Requirements Minimizing Your Risk of Violations DISCLAIMER The information contained in this document

More information

NCHICA HITECH Act Breach Notification Risk Assessment Tool. Prepared by the NCHICA Privacy, Security & Legal Officials Workgroup

NCHICA HITECH Act Breach Notification Risk Assessment Tool. Prepared by the NCHICA Privacy, Security & Legal Officials Workgroup NCHICA HITECH Act Breach Notification Risk Assessment Tool Prepared by the NCHICA Privacy, Security & Legal Officials Workgroup NORTH CAROLINA HEALTHCARE INFORMATION AND COMMUNICATIONS ALLIANCE, INC August

More information

Tools to Prepare and Protect Your Practice for HIPAA and Meaningful Use Audits

Tools to Prepare and Protect Your Practice for HIPAA and Meaningful Use Audits Tools to Prepare and Protect Your Practice for HIPAA and Meaningful Use Audits Presented by: Don Waechter, Managing Partner Health Compliance Partners Ann Breitinger, Attorney Blalock Walters Legal Disclaimer

More information

Overview of the HIPAA Security Rule

Overview of the HIPAA Security Rule Office of the Secretary Office for Civil Rights () Overview of the HIPAA Security Rule Office for Civil Rights Region IX Alicia Cornish, EOS Sheila Fischer, Supervisory EOS Topics Upon completion of this

More information

Texas Medical Records Privacy Act (a.k.a. Texas House Bill 300)

Texas Medical Records Privacy Act (a.k.a. Texas House Bill 300) Texas Medical Records Privacy Act (a.k.a. Texas House Bill 300) Ricky Link, Coalfire ISACA North Texas and IIA Fort Worth Chapters The Petroleum Club of Fort Worth March 4, 2014 1 About Coalfire Coalfire

More information

Are You Ready for an OCR Audit? Tom Walsh, CISSP Tom Walsh Consulting, LLC Overland Park, KS. What would you do? Session Objectives

Are You Ready for an OCR Audit? Tom Walsh, CISSP Tom Walsh Consulting, LLC Overland Park, KS. What would you do? Session Objectives Are You Ready for an OCR Audit? Tom Walsh, CISSP Tom Walsh Consulting, LLC Overland Park, KS What would you do? Your organization received a certified letter sent from the Office for Civil Rights (OCR)

More information

Five Rivers Medical Center, Inc. 2801 Medical Center Drive Pocahontas, AR 72455. Notification of Security Breach Policy

Five Rivers Medical Center, Inc. 2801 Medical Center Drive Pocahontas, AR 72455. Notification of Security Breach Policy Five Rivers Medical Center, Inc. 2801 Medical Center Drive Pocahontas, AR 72455 Notification of Security Breach Policy Purpose: This policy has been adopted for the purpose of complying with the Health

More information

Shipman & Goodwin LLP. HIPAA Alert STIMULUS PACKAGE SIGNIFICANTLY EXPANDS HIPAA REQUIREMENTS

Shipman & Goodwin LLP. HIPAA Alert STIMULUS PACKAGE SIGNIFICANTLY EXPANDS HIPAA REQUIREMENTS Shipman & Goodwin LLP HIPAA Alert March 2009 STIMULUS PACKAGE SIGNIFICANTLY EXPANDS HIPAA REQUIREMENTS The economic stimulus package, officially named the American Recovery and Reinvestment Act of 2009

More information

Isaac Willett April 5, 2011

Isaac Willett April 5, 2011 Current Options for EHR Implementation: Cloud or No Cloud? Regina Sharrow Isaac Willett April 5, 2011 Introduction Health Information Technology for Economic and Clinical Health Act ( HITECH (HITECH Act

More information

Greenway Marketplace. Hear from GSG Compliance & White Plume November 14, 2013

Greenway Marketplace. Hear from GSG Compliance & White Plume November 14, 2013 Greenway Marketplace Hear from GSG Compliance & White Plume November 14, 2013 Marketplace Mission Statement To enhance the Greenway customer user experience by offering innovative, forwardthinking technologies

More information

Lawyers as HIPAA Business Associates

Lawyers as HIPAA Business Associates 9/25/13 Lawyers as HIPAA Business Associates ISBA Solo and Small Firm Conference October 4, 2013 Rick L. Hindmand McDonald Hopkins LLC 1 Agenda Background HIPAA/HITECH Act/Omnibus Rule Who is a business

More information

White Paper THE HIPAA FINAL OMNIBUS RULE: NEW CHANGES IMPACTING BUSINESS ASSOCIATES

White Paper THE HIPAA FINAL OMNIBUS RULE: NEW CHANGES IMPACTING BUSINESS ASSOCIATES White Paper THE HIPAA FINAL OMNIBUS RULE: NEW CHANGES IMPACTING BUSINESS ASSOCIATES CONTENTS Introduction 3 Brief Overview of HIPPA Final Omnibus Rule 3 Changes to the Definition of Business Associate

More information

The MC Academy The Employee Benefits and Executive Compensation Series. HIPAA PRIVACY AND SECURITY The New Final Regulations

The MC Academy The Employee Benefits and Executive Compensation Series. HIPAA PRIVACY AND SECURITY The New Final Regulations The MC Academy The Employee Benefits and Executive Compensation Series HIPAA PRIVACY AND SECURITY The New Final Regulations June 18, 2013 Overview Background Recent Changes to HIPAA Identifying Business

More information

COMPLIANCE ALERT 10-12

COMPLIANCE ALERT 10-12 HAWAII HEALTH SYSTEMS C O R P O R A T I O N "Touching Lives Every Day COMPLIANCE ALERT 10-12 HIPAA Expansion under the American Recovery and Reinvestment Act of 2009 The American Recovery and Reinvestment

More information

Proofpoint HIPAA Breach Report:

Proofpoint HIPAA Breach Report: Proofpoint HIPAA Breach Report: An Analysis of HITECH Breach Notifications and Settlements, Q1 2013 Healthcare Industry Update threat protection compliance archiving & governance secure communication Contents

More information

My Docs Online HIPAA Compliance

My Docs Online HIPAA Compliance My Docs Online HIPAA Compliance Updated 10/02/2013 Using My Docs Online in a HIPAA compliant fashion depends on following proper usage guidelines, which can vary based on a particular use, but have several

More information

Business Associate Management Methodology

Business Associate Management Methodology Methodology auxilioinc.com 844.874.0684 Table of Contents Methodology Overview 3 Use Case 1: Upstream of s I manage business associates 4 System 5 Use Case 2: Eco System of s I manage business associates

More information

FIVE EASY STEPS FOR HANDLING NEW HIPAA REQUIREMENTS & MANAGING YOUR ELECTRONIC COMMUNICATIONS

FIVE EASY STEPS FOR HANDLING NEW HIPAA REQUIREMENTS & MANAGING YOUR ELECTRONIC COMMUNICATIONS FIVE EASY STEPS FOR HANDLING NEW HIPAA REQUIREMENTS & MANAGING YOUR ELECTRONIC COMMUNICATIONS James J. Eischen, Jr., Esq. October 2013 Chicago, Illinois JAMES J. EISCHEN, JR., ESQ. Partner at Higgs, Fletcher

More information

Protecting Patient Information in an Electronic Environment- New HIPAA Requirements

Protecting Patient Information in an Electronic Environment- New HIPAA Requirements Protecting Patient Information in an Electronic Environment- New HIPAA Requirements SD Dental Association Holly Arends, RHIT Clinical Program Manager Meet the Speaker TRUST OBJECTIVES Overview of HIPAA

More information

Data Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, 2014 2:15pm 3:30pm

Data Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, 2014 2:15pm 3:30pm Electronic Health Records: Data Security and Integrity of e-phi Worcester, MA Wednesday, 2:15pm 3:30pm Agenda Introduction Learning Objectives Overview of HIPAA HIPAA: Privacy and Security HIPAA: The Security

More information

STANDARD ADMINISTRATIVE PROCEDURE

STANDARD ADMINISTRATIVE PROCEDURE STANDARD ADMINISTRATIVE PROCEDURE 16.99.99.M0.26 Investigation and Response to Breach of Unsecured Protected Health Information (HITECH) Approved October 27, 2014 Next scheduled review: October 27, 2019

More information