Breaches. Complying with the HIPAA Omnibus Final Rule. Important Definitions. Protected Health Information Includes HIPAA PRIVACY 3/2/2014


Breaches: Complying with the HIPAA Omnibus Final Rule

You Can Be Successful!
Advocate Medical Group in Chicago had 4 desktop computers taken in a burglary that contained the personal information of over 4 million patients.
A St. Louis orthodontist office was burglarized and company computers were taken with the data for over 10,000 patients.
A physician practice at the University of Texas Health Science Center at Houston discovered a laptop had been stolen containing data for nearly 600 patients.

Important Definitions
HHS - Health and Human Services.
OCR - Office for Civil Rights. Oversees and enforces the Privacy and Security Rules.
CE - Covered Entity. A healthcare provider who performs an identified transaction electronically, for example billing electronically for services provided.
PHI - Protected health information.
ePHI - Protected health information stored electronically.
BA - Business Associate. Performs duties for the CE using patient health or financial information provided by the CE. The updated rules include subcontractors.
HITECH - Health Information Technology for Economic and Clinical Health.

Protected Health Information Includes
Health information, whether oral or recorded in any form or medium
Names
All geographical subdivisions smaller than a State, including street address, city, county, precinct, zip code
All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death
Fax numbers
Electronic mail addresses
Social Security numbers
Medical record numbers
Health plan beneficiary numbers
Account numbers
Certificate/license numbers
Vehicle identifiers and serial numbers, including license plate numbers
Device identifiers and serial numbers
Web Universal Resource Locators (URLs)
Internet Protocol (IP) address numbers
Biometric identifiers, including finger and voice prints
Full face photographic images and any comparable images
Any other unique identifying number, characteristic, or code

HIPAA PRIVACY
HIPAA, the Health Insurance Portability and Accountability Act, sets standards for the protection and sharing of individually identifiable health information, often referred to as protected health information.
  o Privacy Rule: establishes guidance on how health care providers must protect patient information and outlines certain patient rights.
  o Security Rule: identifies safeguards needed to protect health information stored in an electronic format.

Use of Protected Health Information and Patient Rights

Use or Release Information
For treatment, payment and healthcare operations after providing a Notice of Privacy Practices.
To the individual or legal representative.
To friends and family with informal approval or for emergencies.
  o May ask the patient for permission to discuss healthcare if accompanied by another person during the exam.
As authorized by the patient.
Based on the professional judgment of the healthcare provider as to what is in the best interest of the patient.

Friends and Family
Relevant information may be shared with family members or friends involved in the patient's care or in payment for the patient's health care, if the patient has provided permission or does not object to sharing the information.
If the patient is not present or unable to give permission, a health care provider may share or discuss health information with family, friends, or others involved in the care or payment for care if the provider believes, in his or her professional judgment, that it is in the patient's best interest.
Information should not be shared which is not pertinent to the involvement/situation.

True or False
Healthcare providers may give prescription drugs, medical supplies, x-rays, and other healthcare items to a family member, friend, or other person the patient sends to pick them up. True
The doctor may discuss the drugs the patient needs to take with a health aide who came to the appointment. True
In the patient's absence or if they cannot provide permission, a healthcare provider may share relevant information IF, based on professional judgment, sharing the information is in the patient's best interest. True
The doctor may discuss a patient's drugs with their caregiver who calls with a question about the right dosage. True

Security
Protection of Information Stored or Transmitted Electronically (ePHI)
Think Broader Than Your Computer
Laptops, office PCs, servers
Smartphones
Thumb or flash drives
Back-up devices
CD/DVD
Equipment such as fax machines or copiers
ePHI during transmission
  o Email
  o Healthcare providers
  o Personal health records

ARRA Mandated Changes to HIPAA
American Recovery and Reinvestment Act (ARRA).
Health Information Technology for Economic and Clinical Health Act, or the HITECH Act.
Signed into law on February 17, 2009.
Final regulations to update the Privacy Rules, outline the process for breach identification and notification, and provide further definition of business associates were published January 25, 2013.
  o Effective date March 26, 2013
  o Compliance date September 23, 2013

Notice of Privacy Practices
Notice of Privacy Practices (NPP)
Statement which outlines the types of uses and disclosures which will require authorization.
  o Release of psychotherapy notes. Does not have to be included if you do not record or maintain this information.
  o Disclosures for marketing purposes.
  o Disclosures for any purposes which require the sale of PHI.
Statement that other uses and disclosures will not be made without written authorization.
Notice of updated rights:
  o Right to restrict certain disclosures of protected health information to a health plan where the individual pays out of pocket in full for the health care item or service.
  o Will receive notification in the event of a breach scenario.
Notice of fundraising communications and the opportunity to opt out.
  o Not required to include the opt-out process.

NPP - Direct Care Providers
Direct care providers are not required to print and hand out a revised NPP to all individuals seeking treatment.
Providers must post the revised NPP in a clear and prominent location and have copies of the NPP at the delivery site for individuals to request to take with them.
Providers are only required to give a copy of the NPP to, and obtain a good-faith acknowledgment of receipt from, new patients.
Don't forget to update the NPP on the company website.

Business Associate Relationships
Business Associate
Creates, receives, maintains, or transmits protected health information on behalf of a covered entity.
The rule has been updated to include the following:
  o A Health Information Organization, E-prescribing Gateway, or other person that provides data transmission services with respect to protected health information to a covered entity and that requires routine access to such protected health information.
  o A person who offers a personal health record to one or more individuals on behalf of a covered entity.
The entity must obtain satisfactory assurances in the form of a contract or other arrangement that the business associate will appropriately safeguard the information.

Business Associate Subcontractors
Create, receive, maintain, or transmit protected health information on behalf of a business associate.
The business associate must obtain satisfactory assurances in the form of a contract or other arrangement that the business associate will appropriately safeguard the information.
Subject to the same liabilities and responsibilities.
  o Security Rule compliance
  o Use and disclosure only as outlined in the written contract
The CE has NO responsibility to enter into an agreement with subcontractors.

NOT Considered BAs
Couriers.
Janitorial services.
Banking and financial institutions with respect to payment and processing activities.
  o Check cashing.
  o Fund transfer.
Dental labs that provide a service for a patient and do not bill electronically for the service.
Provide the minimum necessary amount of information.

Business Associate Agreement
Written contract required by law.
  o Existing BAA may stay in place until September 23.
  o If updated or modified between now and September 23, 2013, it must meet the published standards.
Minimum necessary applies to the BA for use/disclosure.
Updated contracts to include:
  o Establish required uses and disclosures.
  o Provision to comply with the Security Rule with respect to ePHI.
  o Provision that the BA must comply with the elements of the Privacy Rule which apply to the CE.
  o Breach reporting requirements.

Other Clarifications
When information is provided to another health care provider concerning the treatment of an individual, the receiving provider is not considered a business associate.
Entities that maintain or store protected health information on behalf of a covered entity are business associates, even if they do not actually view the protected health information.
Even if a contract is not in place, if the actions meet the definition of a BA the rules apply.

BREACH
What is a Breach?
The unauthorized acquisition, access, use, or disclosure of PHI not permitted under the Privacy Rule, which compromises the security or privacy of such information.
An acquisition, access, use, or disclosure of protected health information in a manner not permitted under the Privacy Rule is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised.
Compliance date September 23, 2013.

Breach Exclusions
A worker who has the authority to access information accidentally accesses a record of a patient in whose care they are not involved.
A worker who has the authority to access information inadvertently shares the information with another worker who is not involved in the care of the patient.
Information is shared with an individual/entity who is not authorized, but the unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.

Risk Analysis Must Be Completed
1) The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification.
2) The unauthorized person who used the protected health information or to whom the disclosure was made.
3) Whether the protected health information was actually acquired or viewed.
4) The extent to which the risk to the protected health information has been mitigated.

Breach Notification
Patients must be notified without unreasonable delay and no later than 60 days from the discovery of the breach.

Reporting Breach Information
Breaches involving 500 or more individuals:
Notify prominent media outlets serving the State or jurisdiction concurrently with the notification sent to the individual.
Notify the Secretary of HHS concurrently with the notification sent to the individual.
Breaches involving fewer than 500 individuals:
Maintain a log or other documentation of the breaches and report no later than 60 days after the end of each calendar year in which the breach was discovered.
Provide the notification as listed on the HHS website.

Breach Notification and Business Associates
Must provide notice to the covered entity (CE) without unreasonable delay and no later than 60 days from the discovery of a breach.
MUST address the timing of reporting either known breaches or suspect situations in the BA contract.
It is the CE's ultimate responsibility to report the breach to impacted individuals.
  o Reporting of the incident may be delegated by contract to the BA.
  o This does not lessen the responsibility of the CE.
  o Both parties should NOT report.

What Does This Mean?
All events must be documented; this includes exclusion events and why they are determined to meet the definition.
The CE and BA have the burden of proof:
To demonstrate that all breach notifications were provided.
To demonstrate that an impermissible use or disclosure did not constitute a breach, such as by demonstrating through a risk assessment that there was a low probability that the protected health information had been compromised.
Must maintain documentation sufficient to meet that burden of proof.
CRITICAL QUESTION: How will BAs communicate potential breach scenarios?

Patient Notification Process
Written notice to affected individuals, provided by first class mail, or by electronic mail if specified as the preferred method by the individual.
  o May be provided in one or MORE mailings as information becomes available.
  o Phone notice is allowed in an urgent situation, but must be followed by written notice.
Substitute notice to affected individuals must be provided if contact information is insufficient or out of date. This may be provided via email.
If contact information is insufficient for 10 or more individuals, the notice must be a conspicuous posting on the home page of the covered entity's Web site for 90 days, or notice in major print or broadcast media in the geographic areas where the affected individuals likely reside.
  o A toll-free number must be included where individuals can learn whether their information was included in the breach.
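The notification thresholds above (60-day individual notice, the 500-individual line that triggers concurrent HHS and media notice, the annual log for smaller breaches, and the 10-address line for substitute notice) are the sort of rules a practice ends up encoding in its breach register. The following is an added example, not part of the original presentation: it computes the required notices and deadlines from a discovery date, the number of affected individuals and the number of undeliverable addresses. The day counts and thresholds are taken from the text; the function and field names are my own.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Rule parameters as stated in the presentation
INDIVIDUAL_NOTICE_DAYS = 60        # no later than 60 days from discovery
LARGE_BREACH_THRESHOLD = 500       # 500 or more: HHS and media concurrently with individuals
ANNUAL_REPORT_DAYS = 60            # under 500: report within 60 days after the calendar year ends
SUBSTITUTE_NOTICE_THRESHOLD = 10   # 10 or more bad addresses: web posting (90 days) or media
WEB_POSTING_DAYS = 90


@dataclass
class NotificationPlan:
    individual_notice_by: date          # deadline for first-class mail / preferred email notice
    hhs_notice_by: date                 # concurrent for large breaches, annual log otherwise
    media_notice_required: bool         # prominent media outlets for 500+ individuals
    substitute_notice: Optional[str]    # how to reach people whose contact info is unusable


def plan_notifications(discovered: date, affected: int, undeliverable: int = 0) -> NotificationPlan:
    """Derive the notification obligations for one breach (hypothetical helper)."""
    if affected < 1 or undeliverable < 0 or undeliverable > affected:
        raise ValueError("affected must be >= 1 and 0 <= undeliverable <= affected")

    individual_by = discovered + timedelta(days=INDIVIDUAL_NOTICE_DAYS)

    if affected >= LARGE_BREACH_THRESHOLD:
        # HHS and prominent media are told at the same time as the individuals
        hhs_by, media = individual_by, True
    else:
        # Log the event and report it no later than 60 days after the end of
        # the calendar year in which it was discovered
        year_end = date(discovered.year, 12, 31)
        hhs_by, media = year_end + timedelta(days=ANNUAL_REPORT_DAYS), False

    substitute = None
    if undeliverable >= SUBSTITUTE_NOTICE_THRESHOLD:
        substitute = (f"conspicuous home-page posting for {WEB_POSTING_DAYS} days or "
                      "major print/broadcast media, including a toll-free number")
    elif undeliverable > 0:
        substitute = "alternate written notice, e.g. email"

    return NotificationPlan(individual_by, hhs_by, media, substitute)


if __name__ == "__main__":
    # Constructed scenarios: a stolen laptop with 441 records and a large burglary
    for affected, bad in ((441, 12), (4_000_000, 0)):
        print(affected, plan_notifications(date(2014, 3, 2), affected, bad))
```

Note that the plan only fixes outer deadlines; the text still requires notice "without unreasonable delay", so a practice should treat these dates as the latest acceptable, not the target.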

Patient Notification to Include
Brief description of what happened.
Description of the types of unsecured PHI that were involved in the breach (name, Social Security Number, etc.).
Steps individuals should take to protect themselves from potential harm.
Brief description of what the covered entity is doing to investigate the breach, mitigate damage, and protect against further breaches.
Contact information at the covered entity for questions by patients.
Must make a decision on credit monitoring services.

And Now... The Rest of the Story

Access to PHI
Must provide a copy of their PHI, if maintained in an electronic format, in the electronic form and format the patient requests if possible.
  o If not readily producible, must offer in at least one readable electronic format.
  o Not required to purchase software or hardware to comply, but the entity MUST be able to produce the information in at least one readable electronic copy.
  o If requested, must transmit the copy to a third party.
  o If sent via unencrypted email, must advise of the risk.
Must supply within 30 days, with one 30-day extension allowed.

Health Information of Deceased Individuals
The HIPAA Privacy Rule protects the individually identifiable health information about a decedent for 50 years following the date of death of the individual.
During the 50-year period of protection, the Privacy Rule generally protects a decedent's health information to the same extent the Rule protects the health information of living individuals, but does include a number of special disclosure provisions relevant to deceased individuals.

Release of Decedent Information
To alert law enforcement to the death of the individual, when there is a suspicion that death resulted from criminal conduct ((f)(4)).
To coroners or medical examiners and funeral directors ((g)).
For research that is solely on the protected health information of decedents ((i)(1)(iii)).
To organ procurement organizations or other entities engaged in the procurement, banking, or transplantation of cadaveric organs, eyes, or tissue for the purpose of facilitating organ, eye, or tissue donation and transplantation.
To a family member, or other person who was involved in the individual's health care or payment for care prior to the individual's death, unless doing so is inconsistent with any prior expressed preference of the deceased individual that is known to the covered entity.

Marketing
Making a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.
If financial remuneration (direct or indirect payment from or on behalf of a third party whose product or service is being described) occurs, prior authorization must be obtained.
  o Direct or indirect payment does not include any payment for treatment of an individual.
Marketing does not include a communication made:
(i) To provide refill reminders or otherwise communicate about a drug or biologic that is currently being prescribed for the individual, only if any financial remuneration received by the covered entity in exchange for making the communication is reasonably related to the covered entity's cost of making the communication.

Marketing (continued)
(ii) For the following treatment and health care operations purposes, except where the covered entity receives financial remuneration in exchange for making the communication:
  o For treatment of an individual by a health care provider, including case management or care coordination for the individual, or to direct or recommend alternative treatments, therapies, health care providers, or settings of care to the individual;
  o To describe a health-related product or service (or payment for such product or service) that is provided by, or included in a plan of benefits of, the covered entity making the communication, including communications about: the entities participating in a health care provider network or health plan network; replacement of, or enhancements to, a health plan; and health-related products or services available only to a health plan enrollee that add value to, but are not part of, a plan of benefits; or

Sale of PHI
Prohibited without patient permission except in the following circumstances:
  o Public health activities
  o Research
  o Sale, transfer, merger or consolidation with another Covered Entity
  o Paying a BA under a BAA
  o Providing copies of information to a patient or personal representative

Restriction Request
Must agree to the requested restriction of sending PHI to a health plan for the purpose of payment or healthcare operations, unless the disclosure is otherwise required by law, if the restriction applies to information that pertains solely to a health care item or service for which the patient has paid out of pocket in full.
Payment may be by another family member, other persons, even secondary insurance.
Does not require creation of a separate medical file, but there must be some sort of flag to denote protection of this information.
If filing of a claim is required by law, then the law takes precedence.

HHS Guidance
From HHS: "we clarify that the responsibility to notify downstream providers of a restriction request in this situation also remains with the individual, and not the provider. However, we do encourage providers to assist individuals as feasible in alerting downstream providers."
For follow-up appointments, if a restriction is not requested the claim may be filed, which may include release of the restricted information to justify medical necessity.
  o Providers are again encouraged to advise patients about this scenario.

Disclosure to Law Enforcement
With the individual's signed HIPAA authorization.
Without the individual's signed HIPAA authorization in certain incidents, including:
  o To report PHI to a law enforcement official reasonably able to prevent or lessen a serious and imminent threat to the health or safety of an individual or the public.
  o To report PHI that the covered entity in good faith believes to be evidence of a crime that occurred on the premises of the covered entity.
  o To alert law enforcement to the death of the individual when there is a suspicion that death resulted from criminal conduct.
  o When responding to an off-site medical emergency, as necessary to alert law enforcement to criminal activity.
  o To report PHI to law enforcement when required by law to do so (such as reporting gunshot or stab wounds).

Willful Neglect
Fines now range from $100 to $1.5 million.
Violation due to willful neglect that was timely corrected: an amount not less than $10,000 or more than $50,000 for each violation.
Violation in which it is established that the violation was due to willful neglect and was not timely corrected: an amount not less than $50,000 for each violation.
Penalty for violations of the same requirement or prohibition under any of these categories may not exceed $1,500,000 in a calendar year.
The Secretary of HHS has waiver authority.

How Much of a Fine and Investigations
Nature and extent of the violation.
Number of individuals impacted.
Nature and extent of harm, including reputational harm.
Indications of non-compliance; broadly includes past issues around compliance.
Investigations:
  o Indications of willful neglect will, by law, result in an investigation.
  o Civil money penalties will NOT be imposed if the violation is corrected within 30 days from when the entity is aware of the violation, UNLESS it was due to willful neglect.

OCR Enforcement Example
The Hospice of North Idaho (HONI) has agreed to pay HHS $50,000 to settle potential violations of the HIPAA Security Rule.
First settlement involving a breach of unsecured ePHI affecting fewer than 500 individuals.
An unencrypted laptop computer containing the ePHI of 441 patients had been stolen in June.
OCR discovered that:
  o HONI had not conducted a risk analysis to safeguard ePHI.
  o HONI did not have in place policies or procedures to address mobile device security as required by the HIPAA Security Rule.
Leon Rodriguez: "This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients' health information. Encryption is an easy method for making lost information unusable, unreadable and undecipherable."

OCR Enforcement
$1.2 million settlement: a managed care company impermissibly disclosed PHI by failing to erase the hard drives when returning multiple leased copiers.
A mental health center did not provide a notice of privacy practices (NPP) to a father or his minor daughter, a patient at the center, at their first encounter.
A staff member of a medical practice discussed HIV testing procedures with a patient in the waiting room. Also, computer screens displaying patient information were easily visible to patients.
$150,000. Ouch!
A dermatology practice was investigated by the Office for Civil Rights (OCR) after it received a report that an unencrypted thumb drive containing the electronic protected health information (ePHI) of approximately 2,200 individuals was stolen from a vehicle of one of its staff members. The investigation revealed:
  o No risk analysis performed related to potential risks to the confidentiality of ePHI as part of its security management process.
  o No written policies or training of the workforce in place to comply with the Breach Notification Rule.
First settlement with Health and Human Services related to policies for breach notification.

Tips to Protect Information

How to Begin
To keep information secure in your environment, you must first understand all of the places it is stored:
Written communication
Electronic files
Business equipment: fax machines, copiers/printers, equipment
Computers, servers, portable hard drives
Thumb drives, flash drives, smart phones
Any transmission of protected health information
And don't forget verbal communication

Training
Baseline training for all new employees
  o Train specific job functions on targeted areas of need
Priority to train employees regarding breach
  o Definition
Protection strategies
  o Minimum necessary
  o Logins/passwords
  o Computer protections and physical security
  o Social media
  o Acceptable information sharing sites
  o Remote access

What Can Others See or Hear?
Be mindful of hallway conversations which may be overheard.
Know what you can discuss, and with whom, in patient care areas when others are brought back into the exam area.
What information is viewable on your computer screen?
Are the appointments for the day posted?
Is patient information in the regular trash?
When PHI is printed out, double check whose information it is before it is given to a patient (common problem!).
Report anything unusual which could indicate improper use, access, or disclosure of protected health information.

Safeguarding ePHI
Access information with your personal login and password.
  o Passwords must not be shared!
Log off or lock the computer when moving away from the work area.
Be mindful of the physical security of mobile devices containing ePHI (laptops, smart phones) in particular.
Only open email/attachments from reliable sources.
Access only approved internet sites.
Patient information should not be mentioned on personal social media accounts.
Data encryption: back-up devices, phones, servers, computers.

Encryption
Must follow National Institute of Standards and Technology guidelines.
Dependent on:
  o Strength of the encryption algorithm
  o Security of the decryption key or process
  o Keys that might enable decryption have not been breached
Items to consider:
  o Portable devices: laptops, thumb/flash drives, smart phones
  o Devices in your office: computers in the practice, copiers, scanners, fax
  o Server: need to weigh risk
  o Information being transmitted
  o Media being transported
  o Business Associate

Email
Email data containing PHI must be sent in a secure manner.
  o This includes emailing information for referral purposes.
  o Emailing between employees within the practice is acceptable if the system is secure.
Means of protection include:
  o Patient portal.
  o Encryption.
At the patient's request, PHI may be sent unsecured if you have informed the patient of the risk.
  o The request should be in writing using the Authorization for Release - Compound Release form.

Risk Analysis and Audits
Risk Analysis required by the Security Rule.
Audits
  o Logons outside usual business hours
  o Remote access report
  o File update or change reports
  o Review of daily activity
  o Review of employees logged in
  o Record access
  o Logon when person is out of office
  o Change report
  o Exceptional access or print
  o VIP record access

Checklist to Success
Ensure an updated NPP is being distributed.
Review the list of BAs and the status of each BAA.
Review current policies/procedures to ensure the updated standards are reflected.
Review the current Risk Analysis and address areas of vulnerability.
  o Mobile devices
  o Copy machines, scanners, fax machines
  o Encryption
TRAIN, TRAIN, TRAIN

Thank you!
Karen Gregory, RN, Director of Compliance and Education
Karen@totalmedicalcompliance.com
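Several of the audit items listed above (logons outside business hours, logon when the person is out of the office, exceptional print volume, VIP record access) can be run mechanically over an EHR access log. The following is an added example and not part of the presentation: it parses a few constructed audit-log lines (the CSV layout, user names and record numbers are invented for the demonstration) and flags the events each audit check would surface. Business hours, the VIP list, the absence calendar and the print threshold are hypothetical site parameters that a practice would set from its own policy.

```python
import csv
from collections import Counter
from datetime import date, datetime, time
from io import StringIO

# Constructed sample audit-log lines (not from the page): timestamp,user,event,record
SAMPLE_LOG = """\
timestamp,user,event,record
2014-02-24T08:15:00,jdoe,LOGON,-
2014-02-24T08:20:00,jdoe,VIEW,MRN1001
2014-02-24T22:45:00,jdoe,LOGON,-
2014-02-24T22:47:00,jdoe,VIEW,MRN1002
2014-02-25T09:02:00,asmith,LOGON,-
2014-02-25T09:05:00,asmith,PRINT,MRN1003
2014-02-25T09:06:00,asmith,PRINT,MRN1004
2014-02-25T09:07:00,asmith,PRINT,MRN1005
2014-02-25T09:08:00,asmith,PRINT,MRN1006
2014-02-25T09:09:00,asmith,PRINT,MRN1007
2014-02-25T09:10:00,asmith,PRINT,MRN1008
2014-02-25T10:00:00,bjones,LOGON,-
2014-02-25T10:01:00,bjones,VIEW,MRN1999
"""

# Hypothetical site parameters; a real practice sets these from its own policy
BUSINESS_HOURS = (time(7, 0), time(19, 0))       # logons outside this window are reviewed
VIP_RECORDS = {"MRN1999"}                         # records flagged for VIP-access review
OUT_OF_OFFICE = {"bjones": {date(2014, 2, 25)}}   # user -> days the person was marked absent
PRINT_THRESHOLD = 5                               # prints per user per day considered exceptional


def parse_log(text):
    """Turn the CSV audit export into event dicts with a real datetime."""
    events = []
    for row in csv.DictReader(StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        events.append(row)
    return events


def after_hours_logons(events, hours=BUSINESS_HOURS):
    start, end = hours
    return [e for e in events
            if e["event"] == "LOGON" and not (start <= e["timestamp"].time() < end)]


def out_of_office_logons(events, absences=OUT_OF_OFFICE):
    return [e for e in events
            if e["event"] == "LOGON"
            and e["timestamp"].date() in absences.get(e["user"], set())]


def vip_record_access(events, vip=VIP_RECORDS):
    return [e for e in events if e["event"] in ("VIEW", "PRINT") and e["record"] in vip]


def exceptional_print_volume(events, threshold=PRINT_THRESHOLD):
    """Users whose daily print count exceeds the threshold: (user, day) -> count."""
    per_user_day = Counter((e["user"], e["timestamp"].date())
                           for e in events if e["event"] == "PRINT")
    return {key: n for key, n in per_user_day.items() if n > threshold}


def run_audit(text=SAMPLE_LOG):
    """Run every check over one log export and return the findings per check."""
    events = parse_log(text)
    return {
        "after_hours_logons": after_hours_logons(events),
        "out_of_office_logons": out_of_office_logons(events),
        "vip_record_access": vip_record_access(events),
        "exceptional_print": exceptional_print_volume(events),
    }


if __name__ == "__main__":
    for check, hits in run_audit().items():
        print(f"{check}: {hits}")
```

Each finding is a lead for the privacy officer, not a verdict: an after-hours logon by an on-call clinician is normal, and the point of the review is to document why each hit was or was not a problem, which is the same documentation the breach-exclusion rules earlier in the presentation require.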

BREACH / INCIDENT INVESTIGATION REPORT

Report Date:
Incident Date:
Practice Name:
Practice Address:

Description of the incident: Describe the incident/use/disclosure with information relevant to how it happened, how it was detected, individuals involved, how it was reported, etc.

Record elements of the investigation: Reports reviewed, people talked to, etc.

Risk Analysis
Answer the following questions to determine the status of the incident (Breach or inappropriate use/disclosure).

1. Nature of the event? Types of PHI involved.* Include the amount and type of clinical information released and the nature of the service (mental health, infectious disease).
*Risk increases when credit card/SSN information is released, due to identity theft.

2. Who is the unauthorized person/entity on the receiving end? Record who the information was released to or accessed by. Was the recipient another CE or BA covered by HIPAA or other privacy rules, or an unknown recipient?

3. Was the information actually viewed or simply exposed to a potential breach? Provide detail on how it was determined which event occurred. For instance: the audit trail documents access to the information in question; the mailing was returned unopened; or forensic evidence proves the data on a computer was never accessed.

4. To what extent was the risk mitigated? Mark all that apply.
  Quick response to the event
  Information returned
  Signed confidentiality agreement and PHI being destroyed
Additional supporting comments below:

Was the access, use or disclosure ruled a Breach or not? Describe why the decision was made. The Burden of Proof is on the practice.

Determined not to be a breach for the following reason:
  Data encrypted
  Meets one of the following exceptions allowed by the Privacy Rule:
    o Unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or a business associate. Information is not further used or disclosed in a manner not permitted under the Privacy Rule.
    o Inadvertent disclosure by a person who is authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the same covered entity or business associate, or organized health care arrangement. Information is not further used or disclosed in a manner not permitted under the Privacy Rule.
    o Unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.
  Signed confidentiality agreement and PHI being destroyed
  Other reason/additional details:

Determined to be a breach for the following reason:

For BREACH
Date Patients Notified:
Date HHS Notified:
Date prominent media outlet informed (list media outlet):
For Breaches impacting 500 or more patients, HHS and a prominent media outlet MUST be notified at the same time patients are informed.
NOTE: Attach all supporting documentation, including a copy of the patient communication.

For Inappropriate Disclosure
Date Accounting of Disclosures entries made in the client record:

Corrective action taken or planned to prevent any recurrence: Include in this description procedural or system changes made, policies written or changed, sanctions of workforce members, employee training, etc.

The report was prepared by:
Preparer Signature / Date
Privacy Officer Signature / Date

HIPAA Compliance Checklist
Check items which are implemented in your site. For all unchecked items determine the actions necessary to address outstanding issues.

HIPAA Administrative Safeguards
Do you have an assigned Privacy and Security officer? Can employees identify the person if asked?
Do you have written policies on how patient information will be protected?
Is there a business associate agreement on file for all business associates?
Is access to patient information assigned based on job function?
Is there a written Contingency Plan clearly listing actions to take to resume/restore functions in order to provide patient care?
Are new patients provided a copy of your Notice of Privacy Practices (NPP)?
Is your NPP posted in a prominent area in your practice? On your website?
Have employees been trained on processes to protect patient information which is in written, electronic, and verbal format? On the definition of BREACH?
Is there a clearly defined process for deletion of access to patient information/access to the building for terminated employees?

Technical Safeguards
Has your practice completed a Risk Analysis of the electronic environment to identify any vulnerability which may put patient information at risk?
Is there a comprehensive inventory of electronic devices which store or allow access to patient information? Includes computers, servers, back-up devices, thumb drives, printers/copiers, fax machines, patient equipment.
Does each user having access to protected health information have an individual user name and password?
If utilizing Wi-Fi for patient access when in the facility, is it separate from the practice network?
Are safeguards in place for any information sharing sites (Dropbox)? Is there a BAA in place for the site?
Is encryption utilized to protect patient information which is being stored?
Are mobile devices (laptops, smart phones, thumb drives) with PHI encrypted for protection against a breach if lost or stolen?
Have you restored data from back-up devices to ensure the backup is not corrupted?
If emailing patient information, is a secure method being utilized?
Is there a strong working relationship with an IT company which is in compliance with the HIPAA regulations?

Physical Safeguards
What physical security measures are in place to protect patient information? Alarm, deadbolt locks, limited access by non-employed staff to areas of the practice which house patient information.
How is patient information protected after hours? Hard copies of records secured? Placed out of sight?
Are visitors accompanied when in areas housing/utilizing patient information?

More information

HIPAA OMNIBUS RULE: EXPANDED COMPLIANCE REQUIREMENTS

HIPAA OMNIBUS RULE: EXPANDED COMPLIANCE REQUIREMENTS HIPAA OMNIBUS RULE: EXPANDED COMPLIANCE REQUIREMENTS James J. Eischen, Jr., Esq. November 2013 San Diego, California JAMES J. EISCHEN, JR., ESQ. Partner at Higgs, Fletcher & Mack, LLP 26+ years of experience

More information

Guidance Specifying Technologies and Methodologies DEPARTMENT OF HEALTH AND HUMAN SERVICES

Guidance Specifying Technologies and Methodologies DEPARTMENT OF HEALTH AND HUMAN SERVICES DEPARTMENT OF HEALTH AND HUMAN SERVICES 45 CFR PARTS 160 and 164 Guidance Specifying the Technologies and Methodologies That Render Protected Health Information Unusable, Unreadable, or Indecipherable

More information

NCHICA HITECH Act Breach Notification Risk Assessment Tool. Prepared by the NCHICA Privacy, Security & Legal Officials Workgroup

NCHICA HITECH Act Breach Notification Risk Assessment Tool. Prepared by the NCHICA Privacy, Security & Legal Officials Workgroup NCHICA HITECH Act Breach Notification Risk Assessment Tool Prepared by the NCHICA Privacy, Security & Legal Officials Workgroup NORTH CAROLINA HEALTHCARE INFORMATION AND COMMUNICATIONS ALLIANCE, INC August

More information

SOUTHLAKE DERMATOLOGY 1170 N. Carroll Ave. Southlake, TX 76092 www.southlakedermatology.com Main 817-251-6500 Fax 817-442-0550

SOUTHLAKE DERMATOLOGY 1170 N. Carroll Ave. Southlake, TX 76092 www.southlakedermatology.com Main 817-251-6500 Fax 817-442-0550 THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY. EFFECTIVE September 15, 2014 This Notice of

More information

HIPAA 101: Privacy and Security Basics

HIPAA 101: Privacy and Security Basics HIPAA 101: Privacy and Security Basics Purpose This document provides important information about Kaiser Permanente policies and state and federal laws for protecting the privacy and security of individually

More information