You Probably Don't Even Know That You Need To Comply With HIPAA. In Collaboration With:
About ERM
About The Speaker: Stephen Siegel, Esq., Of Counsel, Broad and Cassel. Board Certified in Health Law. Over 25 yrs. experience in private practice + 10 yrs. with CMS' predecessor agencies. Practice includes regulatory compliance and HIPAA-HITECH compliance. Member of the Health Law and White Collar Defense/Compliance Practice Groups. JD, Georgetown University Law Center.
About Broad and Cassel: 150+ Attorneys. Office Locations: Boca Raton, Ft. Lauderdale, Miami, Tampa, West Palm Beach, Destin, Jacksonville, Orlando, Tallahassee.
About Broad and Cassel: Practice Areas include: Banking, Housing, Commercial Litigation, Intellectual Property, Computer & Tech. Law, International Law, Corporate and Securities, Real Estate, Elder Law, Labor and Employment, Government Relations, Taxation, Health Law, Trust and Estates, White Collar Defense & Compliance.
If I'm Not A Health Care Provider, Why Is This Relevant To Me?
Objective of HIPAA-HITECH: Protect an individual's "protected health information" ("PHI") that becomes subject to an electronic "transaction". PHI belongs to the individual, NOT the business. Covered Entities and Business Associates are viewed as having a fiduciary duty to protect the security and confidentiality of each individual's PHI.
Critical Date: September 23, 2013. HIPAA-HITECH* EFFECTIVE FOR BUSINESS ASSOCIATES (compliance date of the 2013 Omnibus Final Rule). IMPOSES MOST OF THE OBLIGATIONS OF COVERED ENTITIES ON THEIR BUSINESS ASSOCIATES. * (Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act of 2009)
What types of information are considered PHI? PHI is information that is individually identifiable and relates to: the individual's past, present or future physical or mental health or condition; the provision of health care to the individual; or the past, present, or future payment for the provision of health care to the individual. NOTE: PHI is NOT determined by its relationship to a payer; it is determined by its relationship to the individual.
PHI - Examples: Social Security Number, Name, Address, Telephone Number, Zip Code, Diagnosis, Plan of Care, Provider's Identity, Credit Card Number, Spouse's Identity, Date of Birth.
What is a transaction? "Transaction means the transmission of information between two parties to carry out financial or administrative activities related to health care", including: health care claims/encounter information; health care payment and remittance advice; coordination of benefits; claims status; enrollment/disenrollment status in a health plan; referral certification and authorization; health care electronic funds transfers.
Understanding your role: Are you a Covered Entity ("CE")? Are you a Business Associate ("BA")? NOTE: If the answer to both questions is "no", HIPAA-HITECH does not apply.* *But do not forget state privacy laws and other federal laws regarding the protection of information that may be applicable.
Covered Entities: Health Care Providers - "A provider of medical or health services and any other person or organization who furnishes, bills, or is paid for health care in the normal course of business." "Health care means care, services or supplies related to the health of an individual", including, but not limited to, "preventive, diagnostic, rehabilitative, maintenance or palliative care." Examples: hospitals, physicians, medical equipment suppliers, nursing homes. Health Plans. Clearinghouses. CEs should have been complying with HIPAA before 9/23/13.
Business Associates: A person or entity who, on behalf of a Covered Entity, creates, receives, maintains or transmits PHI for a function or activity regulated by HIPAA-HITECH, including claims processing/administration, data analysis, utilization review, quality assurance, patient safety, billing, benefit management, practice management, etc.
Business Associates - Examples: Billing service, Claims processing, Administrative service, Computer software vendor, Medical record storage, Business equipment vendor, Cloud storage vendors, Accountants, Lawyers, Consultants.
Business Associate Agreement ("BAA"): If a CE engages a BA, the CE must have a written business associate agreement ("BAA"). The BAA must require the BA to comply with the Rules' requirements for protecting the privacy and security of PHI. BAs are directly liable for compliance with certain provisions of the HIPAA-HITECH Rules. BAs need BAAs with their sub-BAs (subcontractors).
Business Associates: Who is considered a BA under the Rules? Persons or organizations outside the CE's workforce (i.e., independent contractors and their subcontractors) that provide services which include the creation, maintenance, use or disclosure of PHI on behalf of a CE, where that PHI has been the subject of an electronic transaction.
The Breach Notification Rule: What happens if an unauthorized party gets PHI? HIPAA-HITECH requires CEs to provide notification following a breach of unsecured PHI. The pre-HITECH presumption of no harm was discarded in HIPAA-HITECH. NOTE: PHI that is encrypted is not "unsecured" and thus is not subject to the breach notification requirements. Caveat: this safe harbor applies only to encryption that meets the HHS guidance (which points to the NIST encryption standards) and only if the decryption key was not also compromised; a stolen laptop whose key sits on a sticky note attached to it is still a breach of unsecured PHI.
The Breach Notification Rule (Cont.) What is a breach? A breach is an impermissible acquisition, access, use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information. An impermissible acquisition, access, use or disclosure of PHI is presumed to be a breach unless the CE can demonstrate that there is a low probability that the PHI has been compromised.
The Breach Notification Rule (Cont.) A low probability that the PHI was compromised is demonstrated via a comprehensive and documented risk assessment. If the CE/BA can establish through its risk assessment that there is a low probability that the PHI was compromised, breach notification is not required.
The Breach Notification Rule: If you are a CE or BA, here are some likely data breach sources: smart phones, thumb drives, unsecure vendors, tablets, e-mail archives, hard drives, gossip, laptops, hackers, CDs or DVDs, digital cameras, digital dictation, cloud storage, unhappy employees.
Conducting a Risk Assessment: After a potential breach, evaluate at least the following 4 factors: a. The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification. b. The unauthorized person who used the PHI or to whom the disclosure was made. c. Whether the PHI was actually acquired or viewed. d. The extent to which the risk to the PHI has been mitigated. The extent and efficacy of the mitigation may depend on the recipient: was it a BA or CE (itself bound by the Rules) or an unrelated third party?
The Breach Notification Rule (Cont.) The burden is on the CE/BA to demonstrate that a breach has not occurred and notification is not required. The risk assessment must be thoroughly documented. In lieu of a risk assessment, the CE can choose to simply notify the individuals whose PHI was improperly used or disclosed as well as the press and HHS-OCR (as required).
Who must be notified of a breach? Following a breach of unsecured PHI, a Covered Entity must notify the individual whose PHI has been compromised or is believed to have been compromised, without unreasonable delay and no later than 60 days after discovery of the breach. The notification must include: What happened and when; The type of unsecured PHI involved; Steps the individual should take to protect him/herself from potential harm from the breach; What the CE is doing to investigate and mitigate the breach and prevent further breaches; and Contact information for individuals to ask questions.
Who must be notified of a breach? (Cont.) Media Notice: For a breach involving more than 500 residents of a state or jurisdiction, the entity must notify prominent media outlets serving that state or jurisdiction, in addition to the affected individuals, within 60 days of discovery of the breach. Notice to the Secretary of the Department of Health and Human Services (DHHS): For a breach involving 500 or more individuals, the entity must notify DHHS within 60 days of discovery. For breaches involving fewer than 500 individuals, the entity must log each breach and notify the Secretary no later than 60 days after the end of the calendar year in which the breach was discovered.
Who must be notified of a breach? (Cont.) Notification by a Business Associate: If the breach of unsecured PHI occurs at or by a BA, the BA must notify the CE without unreasonable delay, as required by the BA Agreement, but no later than 60 days after discovering the breach, and the BA must provide sufficient information for the CE to notify the affected individual(s). Note: the BAA may require the BA to do more, e.g., indemnification, credit protection for affected individuals.
Enforcement of the Rules: The Office for Civil Rights (OCR) enforces the HIPAA Privacy, Security and Breach Notification Rules. OCR implemented a pilot program that audited 115 covered entities in 2011 and 2012. OCR is now randomly auditing compliance of CEs and BAs.
Audit Protocol The OCR audit protocol includes: Privacy Rule: Notice of privacy practices for PHI, Rights to request privacy protection for PHI, Access of individuals to PHI, Administrative requirements, Uses and disclosures of PHI, Amendment of PHI, Accounting of disclosures. Security Rule: Administrative, physical and technical safeguards Breach Notification Rule requirements.
Audits (Cont.): Every CE and BA (and, presumably, sub-BAs) is subject to auditing. Although audits are viewed as compliance improvement tools, a particular violation may lead to sanctions and penalties. If an audit indicates a serious compliance issue, it may trigger a separate enforcement investigation by OCR or DOJ.
Audit Results Privacy Rule violations: Failure to provide appropriate patient access to records, Insufficient Notice of Privacy Practices, Lack of Policies and Procedures.
Audit Results Security Rule violations: Failure to monitor user activity, Lack of contingency planning, Authentication/integrity, Media reuse and destruction.
OCR's Complaint Investigations (pre HIPAA-HITECH): The Top 5 OCR investigation issues: Impermissible uses and disclosures of PHI; Lack of safeguards; Access to records; Failure to keep access to the minimum necessary; No or insufficient Notice of Privacy Practices. OCR Complaint Statistics (as reported April 2013, covering complaints received through December 2012): Complaints received 77,190; Complaints resolved 70,800, of which: Corrective action required 18,711; No violation 8,971; Ineligible for enforcement 43,118.
Who is looking at you? HIPAA-HITECH allows for enhanced sanctions and penalties and expands HIPAA's enforcement provisions. Enforcement agencies include: OCR; DOJ; State Attorneys General; Whistleblowers (?); Patients/family members (?).
Non-Compliance Risk Failure to comply with HIPAA-HITECH could result in: Federal/State penalties/fines/licensure action Criminal or civil investigation and prosecution Loss of contracts Public harm and reputational risk Legal costs Cost of notification of breach Private damage judgment
Civil Money Penalty Structure (Section 1176(a)(1)). The Department will determine the penalty amounts based on the nature and extent of the violation and the nature and extent of the resulting harm. Each row gives the penalty range for each violation, then the cap for all violations of the same provision in one calendar year:
(A) Did not know: $100 - $50,000 per violation; $1,500,000 annual cap.
(B) Reasonable cause: $1,000 - $50,000 per violation; $1,500,000 annual cap.
(C)(i) Willful neglect, corrected within 30 days: $10,000 - $50,000 per violation; $1,500,000 annual cap.
(C)(ii) Willful neglect, not corrected: $50,000 per violation; $1,500,000 annual cap.
HIPAA Criminal Penalties: A person who knowingly obtains or discloses PHI in violation of HIPAA-HITECH may be subject to criminal liability. That is, knowingly and in violation of HIPAA-HITECH: Uses or causes to be used a unique health identifier; Obtains individually identifiable health information relating to an individual; or Discloses individually identifiable health information to another person.
HIPAA Criminal Penalties (Cont.): Under HIPAA-HITECH any person can be prosecuted for violating the provision, including an employee or other individual, not only the CE or BA. The knowledge requirement refers only to knowingly obtaining or disclosing the PHI, not to knowledge that such actions were in violation of HIPAA-HITECH.
HIPAA Criminal Penalties (Cont.) Summary of Categories of Criminal Penalties (Level of Knowledge/Intent: Criminal Penalty): A person knowingly obtains or discloses PHI in violation of HIPAA: up to $50,000, and/or imprisonment up to 1 year. If such offense is committed under false pretenses: up to $100,000, and/or imprisonment up to 5 years. If such offense is committed with the intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm: up to $250,000, and/or imprisonment up to 10 years.
HORROR STORIES: AvMed - lost laptop; private state action. Affinity Health Plan - PHI left on the hard drives of returned leased photocopiers; ~350,000 members; $1.3 million. Advocate Medical Group - ~4 million patients; 4 desktop computers stolen; 4 weeks to notify; $????????
Fines, Penalties and Settlement Agreements: $1.5M Settlement - Massachusetts Eye and Ear Infirmary (MEEI) (9/12). MEEI reported the theft of a laptop containing unencrypted PHI. The laptop contained information about MEEI's patients, incl. patient prescriptions and clinical information. OCR concluded that MEEI showed a long-term organizational disregard for the requirements of the Security Rule. In addition to the $1.5M settlement, MEEI must adhere to a corrective action plan, retain an independent compliance monitor and render semi-annual reports to HHS for 3 years.
Fines, Penalties (Cont.): $4.3M Fine - Cignet Health, 2010 HIPAA Privacy Rule violation. 41 patients were denied access to their medical records and individually filed complaints with OCR. Cignet refused to cooperate with OCR in its investigation, incl. refusing to produce the subpoenaed records. $1.3M fine for denying patients access to their records; $3M fine for the failure to cooperate with OCR.
Fines, Penalties (Cont.): $1.5M Settlement - Blue Cross Blue Shield of Tennessee, March 2012. Theft of 57 computer hard drives containing unencrypted PHI of over 1 million individuals. Compromised PHI included: names, SSNs, DOB, and diagnosis codes. OCR's investigation showed a failure to implement physical safeguards in violation of the Security Rule.
Fines, Penalties (Cont.): $1.0M Settlement - Massachusetts General Hospital (2/2011). Loss of PHI of 192 patients from the Infectious Disease Associates outpatient practice. Compromised PHI included: list of patient names, DOB, diagnosis, etc. OCR's investigation showed a failure to implement safeguards to protect PHI when removed from the premises. (The documents were lost by an employee who left them behind on a subway train.)
How can you reduce your risk? Perform self-audits! Review and update policies and procedures for Administrative Safeguards, Physical Safeguards, and Technical Safeguards as they pertain to the Privacy and Security Rules. Review your Breach Notification procedures. EDUCATE, EDUCATE, EDUCATE and document, document, document.
Administrative Safeguards: Designate a privacy officer responsible for reviewing, updating, and documenting policies concerning: potential risks to PHI and ePHI and the implementation of measures to reduce the risk to and vulnerability of the information; keeping authorized access to PHI and ePHI to the minimum necessary based on the user's role; periodic training of workforce members; compliance with the BAA requirement.
Administrative Safeguards (Cont.): Training of workforce members and BAs should include annual training for everyone and immediate training of new hires/BAs. Have processes in place to evaluate and sanction violations. Workforce members include employees, volunteers, trainees and others under the CE's direct control.
Physical Safeguards: The privacy officer should review, revise and document the following: physical access to the entity's facility should be limited to authorized persons; proper use of and access to workstations and electronic media, including transfer, disposal, and re-use of electronic media (the photocopier and hard-drive cases above are media re-use and disposal failures).
Technical Safeguards: The privacy officer should review, revise, and document: technical procedures (access control) allowing only authorized personnel access to ePHI; hardware or software (audit controls) that records access to and activity in systems that contain ePHI; electronic measures (integrity controls) in place to ensure that ePHI is not improperly altered or destroyed; technical security measures (transmission security) that protect ePHI transmitted over an electronic network.
Document your self-audits: You must maintain written security policies and procedures and written records of required actions, activities or assessments. These records must be retained until 6 years after the later of their date of creation or their last effective date. Note that since 9/23/13 BAs are directly subject to the Security Rule, which requires a documented risk analysis and periodic technical and non-technical evaluation, so for a BA a documented self-audit is the way to meet an existing obligation, not merely a good idea.
SUMMARY Self-audit start now! Designate a privacy officer and review your privacy, security and breach notification processes and procedures, Identify your risks and take steps to remove or reduce them, EDUCATE your workforce members, and DOCUMENT, DOCUMENT, DOCUMENT!
Your go-to advisors for all matters in information security. 800 S Douglas Road #940, Coral Gables, FL 33134. Phone: 305-447-6750. Email: info@emrisk.com. Stephen H. Siegel, Esq., 305-373-9424, shsiegel@broadandcassel.com. www.emrisk.com