Surviving a HIPAA Violation: One Agency's Experience

Presented by: Roger Shindell, President & CEO, Carosh Compliance Solutions, and Liz Mayer, RHIA, Director, Organizational Integrity, HCI Care Services and VNS of Iowa

Topics Covered, Part One
The Breach
The Remediation
The Investigation
Lessons Learned

Topics Covered, Part Two
What this Breach Tells Us
Positioning for Success
o Comparison to other Breaches
o Proactive Activities
Learning Objectives
After this presentation you will understand:
Part One
What constitutes a breach?
What are your obligations after a breach occurs?
What does OCR expect from you?
Part Two
What has changed since the breach described in Part One?
Areas that OCR finds deficient when investigating breaches.
How to optimize outcomes after a breach and OCR's investigation.

The Incident
An RN left a list of client records in a bag in her car at a restaurant. The bag was in sight and had the VNS of Iowa logo on it. The window of the car was broken out, and the bag was stolen.

Initial Reaction
Initially, we were hoping the bag would have been discarded in a dumpster close by, but it wasn't. It was presumed that the bag was stolen because the thieves felt there may have been medications in it, due to the branding. Inside the bag were various personal papers. While doing the inventory with the RN, she mentioned there was a dental list of patients in the bag.
The List
The list in the bag was a spreadsheet printout of approximately 1,700 clients (children), including name, date of birth, date of services, location of services, insurance type and some diagnoses. We were fortunate there were no Social Security numbers or insurance numbers.

Action Items
First: Filed a police report.
Second: Reported the breach to DHS. The information stolen involved clients served by the I-Smile Program, funded by DHS.
Third: Opened an internal investigation within our organization to identify the facts and prepare a report.

Breach
Our investigation led to the conclusion that this was, in fact, a breach and needed to be reported to the Office for Civil Rights. Since there were over 500 client names on the list, we proceeded with the reporting requirements set forth in the Breach Notification Rule.
Individual Notice
A letter was composed and sent to all parents of the clients listed on the spreadsheet printout. This letter contained a description of the breach, what information was involved, and a contact number for any questions.

Media Notice
Next, we issued a press release to a local news station and radio station, informing them of the breach and providing them with details for the press release.

Notice to the Secretary
Finally, we submitted a breach notification electronically to the Secretary through the link provided on the HHS website.
Response from OCR
Once we completed all the reporting requirements, we received a follow-up letter from DHHS, Office for Civil Rights. The letter confirmed receipt of the breach report, indicated which CFR sections were potential violations, and stated that they were launching an investigation.

OCR Response
In addition to acknowledging the breach, OCR sent us a list of requested documents. We had 20 days from receipt of the letter to produce the following items.

Items Requested by OCR
Policies and procedures related to permissible use and disclosure of PHI, as required by 45 C.F.R. Section 164.502(a)
A copy of policies and procedures implemented by our organization to safeguard PHI, as required by 45 C.F.R. Section 164.530(c)
Copy of the press release issued about the event
Specification of the period of time during which the press release was issued
Copy of any disciplinary action taken against the employee involved in this incident
Documentation substantiating that the covered entity has its Notice of Privacy Practices posted on its website (OCR had already found that we didn't)
Items Requested by OCR (continued)
A copy of the letter notifying consumers of the breach of their protected health information.
Specification as to whether our organization received 10 or more returned letters; if so, how many. (Seven returned letters were received.)
Specification as to whether our organization had insufficient or out-of-date contact information for 10 or more individuals; if so, how many.
OCR noted that we notified consumers of the breach on July 10 and notified the Secretary on July 16. OCR wanted us to explain why the notice to the Secretary was not provided contemporaneously with the notice to affected individuals.
OCR requested our agenda, dates and list of attendees for the training provided to staff as a result of this incident on safeguarding consumer PHI, along with the names and titles of the persons conducting this training.

Resolution
We received a letter back from DHS/OCR stating that we had complied with all requests for information and that we were compliant in our reporting. Therefore, OCR closed the case. No fines were issued to us.

Lessons Learned
We should have provided a language or interpreter line for clients to call with questions. Many of our clients do not speak English and could not understand the letter. Some saw words such as "child" and "police" and thought their child had done something illegal. We received 13 calls out of 1,298 letters sent.
Timeline, 5/27/12 to 6/19/12
5/27/12 Breach occurred
5/27/12 Police report filed
5/29/12 Contacted IDPH, as I-Smile is funded through DHS
5/29/12 Contacted organization attorney as well as attorney for IDPH
5/29/12 Organization Board Chair contacted
5/30/12 CEO notified managers and team leads of incident
6/6/12 CEO relayed in an all-staff conference that notifications to individuals were going out
6/7/12 Draft letter to Board of Directors for review
June and July 2012 Series of trainings to departments
6/18/12 Letters to consumers went out
6/19/12 All-staff email stating letters went out

Timeline, 6/19/12 to 3/11/13
7/10/12 Press release issued
7/16/12 Submitted to Secretary
7/17/12 Secretary called us to clarify information
8/3/12 Received letter from OCR requesting data for investigation
8/21/12 Mailed response to OCR data request
1/7/13 OCR rep called wanting additional information: specifically, contacting our media contacts to get in writing whether they received the press release and whether it was picked up or not, giving them 20 days to respond; forwarding the responses and the emails that went out, including any with no response, whatever the end result; and specific documentation of corrective action with the employee.
3/11/13 Received letter from OCR stating that we had complied with all required documents and that they were closing the case.

Questions?
For future assistance:
Liz Mayer, RHIA
Director, Organizational Integrity
HCI Care Services and VNS of Iowa
(515) 333-4253
lmayer@hci-vns.org
Part Two
What we will cover today
Notice of Privacy Practices
Business Associate Relationships
Assessment of Suspected Breaches
Training Requirements

Notice of Privacy Practices
Modification to, and redistribution of, your Notice of Privacy Practices
Your Notice of Privacy Practices now needs to include language around:
The use or disclosure of medical information for marketing purposes.
The use of medical information for fundraising purposes.
Specifically stating which disclosures need specific authorization from the patient, such as disclosures for which you are paid.
Special disclosures such as psychotherapy notes.
You must abide by a patient's request not to disclose data (i.e., non-treatment disclosures to a health plan or other payer).
Business Associate Relationships
BAs are directly liable for compliance with Privacy and Security requirements
The Safe Harbor exemption from breach liability through signed BAAs is no more!
Sub-contractors (BAs of BAs) are now in the mix
Potential liability flows through the relationships
Common-law agency still exists, but beware

What Is a Business Associate?
A person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.
Includes: claims processing, legal, data aggregation, data analysis, actuarial, management, utilization review, accounting, administrative, billing, consulting, accreditation, financial services, data transmission of PHI, e-prescribing gateway, PHR/EHR vendor
BAs Directly Liable for Compliance with Privacy and Security Requirements
The Safe Harbor exemption for breaches is no more!
BAs account for more than 30% of breaches of electronic protected health information (ePHI)
BAs (and their sub-contractors) are required to comply with all the HIPAA regulations.
An additional level of due diligence is required: the covered entity needs to uncover any pattern of activity or practice by a business associate in violation of the business associate agreement, take reasonable steps to cure the breach, and, if unsuccessful, terminate the contract if feasible.
Required Changes to the Business Associate Agreement
Add a definition of HITECH and the Omnibus Rule, and consider whether to include them in the definition of HIPAA.
Where the BAA describes the Business Associate as an entity receiving data from the Covered Entity or producing it for the Covered Entity, include the words "creates, receives, maintains or transmits." That is the new language defining the roles that a third-party vendor can play to become a Business Associate, and it is useful to include the same language.
Specifically note that the Business Associate must notify you of any breach as defined in HIPAA. This can be included in the reporting of disclosures. Include a relatively short reporting period (3-5 days, usually), so that you will be able to meet your own timing requirements if the breach must be reported. A Covered Entity has up to 60 days to report a breach, but that is an outside limit; the obligation is to report without unreasonable delay.
Required Changes to the Business Associate Agreement (continued)
Add to the accounting-of-disclosures section a statement specifying that, if the Business Associate maintains records in electronic form, it will account for ALL disclosures for at least a 3-year period.
Specifically note that the Business Associate has obligations under the HITECH Act, and require the Business Associate to acknowledge and agree to abide by those requirements.
Add a provision noting that the Business Associate will abide by requirements not to disclose data to insurers and other health plans if the patient pays for the service in full and requests confidentiality.
Required Changes to the Business Associate Agreement (continued)
The BAA should already give the Covered Entity the right to terminate if the Business Associate violates the BAA. Include a provision allowing the Business Associate to terminate the BAA if the Covered Entity fails to meet its HIPAA obligations.
If the Business Associate carries out one of the Covered Entity's obligations under the Privacy Rule, the BAA must require that the Business Associate agree to abide by that Privacy Rule provision.

Assessment of Suspected Breaches
New Reporting Requirements for Breaches
After the Final Omnibus Rule, "acquisition, access, use, or disclosure of protected health information in a manner not permitted under [the Privacy Rule] is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised."

4-Part Assessment Is Now Required
1. Nature and extent of the PHI involved
2. To whom was the disclosure made
3. Was the information acquired or viewed
4. Was the breach mitigated
4-Part Assessment Is Now Required (detail)
1. Nature and extent of the PHI involved
Does the breach include PHI?
Does the breach include identifiable data?
Can de-identified data be re-identified?
2. To whom was the disclosure made
Is the person able to retain the PHI?
Is the person authorized to see other PHI?
Is the person under the authority of a CE or BA?
3. Was the information acquired or viewed
4. Was the breach mitigated
Training Requirements
Section 164.530 of the HIPAA Privacy Rule states:
(b)(1) Standard: training. A covered entity must train all members of its workforce on the policies and procedures with respect to PHI required by this subpart, as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity.
(b)(2) Implementation specifications: training.
(i) A covered entity must provide training that meets the requirements of paragraph (b)(1) of this section, as follows:
(A) To each member of the covered entity's workforce by no later than the compliance date for the covered entity;
(B) Thereafter, to each new member of the workforce within a reasonable period of time after the person joins the covered entity's workforce; and
(C) To each member of the covered entity's workforce whose functions are affected by a material change in the policies or procedures required by this subpart, within a reasonable period of time after the material change becomes effective in accordance with paragraph (i) of this section.
(ii) A covered entity must document that the training as described in paragraph (b)(2)(i) of this section

Other Liabilities to Consider
Modifications of HIPAA by HITECH
State regulations, which may be more restrictive than federal regulations
Fair Credit Reporting Act
Federal Trade Commission
Gramm-Leach-Bliley Act
State insurance regulators
Business disruption

Compliance Is Your Affirmative Defense
Requirements under the HIPAA regulations are seen as the gold standard for privacy of PHI.
Summary
Notice of Privacy Practices
Business Associate Relationships
Assessment of Suspected Breaches
Training Requirements

Questions?
Roger Shindell
President & CEO
Carosh Compliance Solutions
(219) 230-9000
rshindel@carosh.com