View the Replay on YouTube

Transcription

1 View the Replay on YouTube Privacy Implications of Texas HB 300: What Should You Be Doing Now? FairWarning Executive Webinar Series December 18, 2012

2 Agenda Privacy Implications of Texas HB 300: What Should You Be Doing Now? Share expertise in advising healthcare organizations how to achieve compliance with HB 300 Discuss where current compliance activities can be used or slightly modified to fulfill new requirements Give advice on keeping state and federal auditors as well as licensing authorities satisfied Take advantage of the time now to review your full compliance program including Meaningful Use, HIPAA, and Legal Defensibility Outline the steps to take to satisfy OCR auditors requests and comply with the Security Rule Questions

3 Today s Panel Amanda J. Ellis Healthcare Lawyer Austin, Texas amanda@ajellislaw.com Darin Pederson Solution Specialist FairWarning, Inc. Darin@FairWarning.com

4 The New Texas Privacy Law (HB 300) and HIPAA & HITECH Compliance: What You Need To Know Now

5 Notice This information is provided with the express understanding that (i) no attorney-client relationship exists; (ii) Amanda J. Ellis is not engaged in providing legal advice in connection with this presentation; and (iii) the information in this presentation is of general character. You should not rely on this information when dealing with personal legal matters; rather, you should seek legal advice from retained legal counsel.

6 HB 300 Overview Incorporates and expands application of the HIPAA Privacy and Security Rules and HITECH provisions. Broadens the scope of the rules to include entities that would not otherwise be considered covered entities or business associates under federal law. Imposes breach notification requirements on a larger class of entities and for Information that would not be considered protected health information (PHI) under existing federal law. Requires all covered entities to provide all employees with training regarding both federal and state privacy requirements. Provides for consumer access to electronic health care records (EHR) in a shorter time period than that required by HIPAA. Permits the Executive Commissioner of the Texas Health and Human Services Commission to recommend a standard electronic format for release of EHR. Mandates new notice and authorization requirements for electronic disclosure of PHI Increases civil penalties and makes licensees subject to investigation and discipline by state licensing agencies. Creates new areas of state agency regulation, audit and enforcement.

7 Definitions and Scope The Texas Medical Records Privacy Act (TMRPA) Covered Entity Section (2)of the Texas Health & Safety Code "Covered entity" means any person who: (A) For commercial, financial, or professional gain, monetary fees, or dues, or on a cooperative, nonprofit, or pro bono basis, engages, in whole or in part, and with real or constructive knowledge, in the practice of assembling, collecting, analyzing, using, evaluating, storing, or transmitting protected health information. The term includes a business associate, health care payer, governmental unit, information or computer management entity, school, health researcher, health care facility, clinic, health care provider, or person who maintains an Internet site; (B) comes into possession of protected health information; (C ) obtains or stores protected health information under this chapter; or (D) is an employee, agent, or contractor of a person described by Paragraph (A), (B), or (C) insofar as the employee, agent, or contractor creates, receives, obtains, maintains, uses, or transmits protected health information.

8 Definitions and Scope Section of the Texas Insurance Code Insurance entities defined as covered entities under the Texas Insurance Code must comply with Chapter 181 of the Texas Health & Safety Code and the privacy and security standards adopted under Section of the Texas Health & Safety Code.

9 Definitions and Scope Marketing Section (4)of the Texas Health & Safety Code (4) "Marketing" means: (A) making a communication about a product or service that encourages a recipient of the communication to purchase or use the product or service, unless the communication is made: (i) to describe a health-related product or service or the payment for a health-related product or service that is provided by, or included in a plan of benefits of, the covered entity making the communication, including communications about: (a) the entities participating in a health care provider network or health plan network; (b) replacement of, or enhancement to, a health plan; or (c) health-related products or services available only to a health plan enrollee that add value to, but are not part of, a plan of benefits; (ii) for treatment of the individual; (iii) for case management or care coordination for the individual, or to direct or recommend alternative treatments, therapies, health care providers, or settings of care to the individual; or (iv) by a covered entity to an individual that encourages a change to a prescription drug included in the covered entity's drug formulary or preferred drug list; (B) an arrangement between a covered entity and any other entity under which the covered entity discloses protected health information to the other entity, in exchange for direct or indirect remuneration, for the other entity or its affiliate to make a communication about its own product or service that encourages recipients of the communication to purchase or use that product or service; and (C) notwithstanding Paragraphs (A)(ii) and (iii), a product-specific written communication to a consumer that encourages a change in products.

10 Definitions and Scope The Identity Theft Enforcement and Protection Act (ITEPA) Sensitive Personal Information (SPI) Section (a) of the Texas Business & Commerce Code (2) "Sensitive personal information" means, subject to Subsection (b): (A) an individual's first name or first initial and last name in combination with any one or more of the following items, if the name and the items are not encrypted: (i) social security number; (ii) driver's license number or government-issued identification number; or (iii) account number or credit or debit card number in combination with any required security code, access code, or password that would permit access to an individual's financial account; or (B) information that identifies an individual and relates to: (i) the physical or mental health or condition of the individual; (ii) the provision of health care to the individual; or (iii) payment for the provision of health care to the individual.

11 Training Required Section of the Texas Health & Safety Code CE to provide training to every employee regarding federal and state concerning PHI. Must be specific to CE s course of business and employee s scope of employment CE must provide training within 60 days of hire date. CE employees to receive training every 2 years CE employee required to sign statement verifying attendance at training and CE to maintain record of signed statement.

12 Consumer Access to EHR Section of the Texas Health & Safety Code Any HC Provider using an EHR system capable of fulfilling the request must provide individual with record in electronic form within 15 business days after date receives written request. Not required to provide if excepted from access/access denied under 45 CFR Section

13 Consumer Access to EHR Texas Health and Human Services Commission (HHSC) Executive Commissioner may propose rules for standard electronic format for release of EHR, in consultation with the Texas Department of State Health Services (DSHS), Texas Medical Board (TMB) and Texas Department of Insurance (TDI) (and as informed by Texas Health Services Authority (THSA))

14 Consumer Information Website Section of the Texas Health & Safety Texas OAG to maintain website: Consumer privacy rights under federal and state law List of state agencies that regulate covered entities. Detailed information re each agency s complaint enforcement process; and Contact information for each agency for reporting violations Ch. 181

15 Consumer Complaint Report by Attorney General Section of the Texas Health & Safety Each state agency to submit information to OAG regarding Section complaints to OAG OAG to compile information re Section complaints that it and the other agencies receive in annual report to be submitted to the legislature OAG to de-indentify PHI in the report

16 Sale of PHI Prohibited; Exceptions Section of the Texas Health & Safety Code CE may not disclose IPHI to another person in exchange for direct or indirect remuneration, except for: oanother CE (as def d by or Section of the Texas Insurance Code) for: Treatment Payment Health care operations or Performing an insurance or HMO function (Section of Texas Insurance Code) o As otherwise permitted by state or federal law Remuneration may not exceed CE s reasonable costs of preparing or transmitting the PHI

17 Notice of Authorization Required for Electronic Disclosure of PHI; Exceptions Section of the Texas Health & Safety Code CEs must provide written notice to individuals for whom receive or create PHI, if the PHI is subject to electronic disclosure, by: o Posting a written notice in the CE place of business o Posting a notice on the CE website (internet), or o Posting a notice in any other place where those individuals likely to see notice CE may not disclose PHI electronically without separate authorization from individual or rep for each disclosure unless treatment, payment, operations, insurance or HMO function or otherwise authorized under state or federal law. Authorization may be written or oral OAG will adopt standard form for the electronic disclosure authorization N/A to Section , Insurance Code, CE if not a 45 CFR Section CE

18 Breach Notification Requirements Section (b) and (b-1) of the Texas Business & Commerce Code Any person who conducts business in Texas or owns and licenses computerized data that includes SPI must disclose any breach of system security to any individual whose SPI was or is reasonably believed to have been acquired by any unauthorized person. Breach notification requirements include both Texas residents and individuals in other states that do not require notification to individuals of a breach of system security.

19 Enforcement Section of the Texas Health & Safety OAG may seek injunctive relief to prevent unauthorized release of PHI OAG may also seek civil penalties: o $5000 for each violation that occurs in one year negligence o $25,000 for each violation that occurs in one year knowingly and intentionally o $25,000 for each violation in which the CE knowingly or intentionally used PHI for financial gain. o Total penalty for violation of re authorization for electronic disclosure of PHI capped at $250,000 annually if: Disclosure only made to another CE The PHI disclosed was encrypted or transmitted using encryption The recipient did not release or use the PHI, or At the time of the disclosure of PHI, the CE had developed, implemented, and maintained security policies, including the education and training of employees response o If court finds violations have occurred with a frequency as to constitute a pattern or practice, may assess up to $1.5M penalty. (also subject to mandatory exclusion from all state-funded HC programs per ) OAG may only institute action against state-licensed CE if agency refers violation to OAG.

20 Enforcement Sections (a), (a-1) and (b) of the Texas Business & Commerce Code OAG may seek injunctive relief to prevent unauthorized release of SPI OAG may also seek civil penalties: o $100 per individual to whom notification is due for each consecutive day that person fails to take reasonable action to comply Section (b) breach notification requirements o Total penalty for violation of (b) re authorization for electronic disclosure of SPI capped at $250,000 for all individuals to whom notification due after single breach Failure to comply with breach notification requirements is a state jail felony if the information accessed, read, scanned, stored, or transferred was PHI.

21 Disciplinary Action Section of the Texas Health & Safety CE licensees subject to investigation and disciplinary proceeding by licensing agency for violation of Chapter 181 including probation and suspension If violations are egregious and constitute a pattern or practice the agency may revoke CE license or refer to OAG for section action for civil penalties.

22 Exclusion from State Programs Section of the Texas Health & Safety Code CE subject to mandatory exclusion from all state-funded HC programs if court finds pattern or practice of violation

23 Audits of Covered Entities Section of the Texas Health & Safety HHSC, in coordination with the OAG, THSA and TDI may request HHS to audit a CE HHSC must periodically monitor and review HHS audits of state CEs HHSC may require pattern or practice/egregious CE violators to provide results of risk analysis self-audit or request that state licensing agency audit the CE HHSC must submit annual reports of all federal and state audits of state CEs to appropriate standing committees of both senate and house.

24 Standards for Electronic Sharing of Protected Health Information; Covered Entity Certification Section of the Texas Health & Safety Code THSA must develop privacy and security standards for the electronic sharing of PHI and submit them to HHSC for ratification. THSA will establish a process of certification of compliance with these standards. CEs will be able to apply for certification of past compliance. The Texas Health Services Authority (THSA) is responsible for coordinating the implementation of health information exchange (HIE) strategic and operational plans for the State of Texas.

25 Funding Section of the Texas Health & Safety Code HHSC and TDI, in consultation with THSA, must apply for and actively pursue federal funding for Chapter 181 enforcement.

26 Mitigation Section of the Texas Health & Safety Evidence of good faith efforts to comply with state privacy of IIHI laws Evidence of good faith efforts to comply with HIPAA Act and Privacy Standards

27 Contact Amanda J. Ellis 3005 S. Lamar Blvd., Suite D109 #133 Austin, Texas

28 Privacy Implications of Texas HB 300: What Should You Be Doing Now? FairWarning Executive Webinar Series December 18, 2012

29 Reviewing Your Privacy & Security Procedures Take advantage of this opportunity to review your full compliance program: User Activity Monitoring KPMG & OCR HIPAA Audits Data Retention Meaningful Use Stages 1, 2 and 3 Increased Fraud & Misuse of Data Legal Defensibility

30 FairWarning Patient Privacy Monitoring: A Platform for Developing a Culture of Privacy Compatible with Every Major EHR and Over 185 Applications Used in Healthcare User and Patient Access Reports Streamline Health Cerner MEDITECH Siemens Collaborative Patient Privacy Monitoring Privacy Breach Detection Analytics and Alerts Governance and Compliance Effectiveness Investigations and Legal Defense

31 OCR HIPAA Audits OCR sponsored HIPAA audits of 2012 revealed that many care providers have not sufficiently addressed HIPAA provisions related to FairWarning User Activity Monitoring was the largest single shortfall in compliance with the Security Rule Audit protocols and initial findings: How FairWarning addresses key areas of the audit protocols: OCR-PROTOCOL-MAPPING.pdf

32 Satisfying the Auditors In order to satisfy the auditors requests, and comply with the Security Rule: Appropriate technology (or manual processes for small organizations) must be in place Technology must be actively used Follow-on processes to resolve findings must be active and current Written documentation for monitoring or not monitoring a particular system accessing PHI is required. Further evidence of a meeting or appropriate parties evaluating justification must be maintained.

33 Data Retention The retention of data related to complaints and investigations is a best practice and required by law Current HIPAA Privacy Rule requires 6 years retention of data such as policies, records, plans and audit logs Pending HIPAA Omnibus package may shorten to 3 years

34 Meaningful Use Stages 1, 2 & 3 Meaningful Use Stages 1, 2 and 3 (pending) require compliance with HIPAA 45 CFR (a)(1) which includes requirements for risk management, sanction policies, and information system activity review specifically addressed by FairWarning Stage 3, pending, is anticipated to include additional privacy and security requirements For more information on how FairWarning helps address Meaningful Use Stage 1 & 2 requirements, please visit FAIRWARNING-AND-MEANINGFUL-USE.pdf

35 Contact Us Amanda J. Ellis Healthcare Lawyer Austin, Texas Darin Pederson Solution Specialist FairWarning, Inc.