Current Developments in Privacy and Security Rule Enforcement (8/8/2014)




Office of the Secretary, Office for Civil Rights (OCR)

Current Developments in Privacy and Security Rule Enforcement
Michigan Medical Billers Association
Andrew C. Kruley, J.D., Equal Opportunity Specialist (Investigator)
August 11, 2014

Disclaimer
These PowerPoint slides, along with the remarks of Mr. Kruley, are intended to be purely informational and informal in nature. Nothing in the slides or in Mr. Kruley's statements is intended to represent or reflect the official interpretation or position of the Department of Health and Human Services or the Office for Civil Rights.

Topics
- 2013: A Major Year for Privacy and Security
- Recent Enforcement Actions
- Enforcement Statistics and Upcoming Enforcement Activities
- Omnibus Regulations and Related Guidance
- Patients' Right to Restrict and the Breach Notification Rule
- Compliance Audits
- Resources

HIPAA Enforcement Actions: Recent Cases and Trends
Security Rule and Privacy Rule Cases from 2013

Affinity Settles in Photocopier Security Rule Breach Case for $1,215,780
- Affinity Health Plan impermissibly disclosed the PHI of up to 344,579 individuals when it returned multiple photocopiers to a leasing agent without erasing the data contained on the copier hard drives.
- OCR's investigation revealed that Affinity failed to incorporate the electronic protected health information (ePHI) stored on the copiers' hard drives in its analysis of risks and vulnerabilities as required by the Security Rule, and failed to implement policies and procedures when returning the hard drives to its leasing agents.
- The corrective action plan required Affinity to use its best efforts to retrieve all hard drives that were contained in photocopiers previously leased and that remained in the possession of the leasing agent, and to take certain measures to safeguard all ePHI.

WellPoint Pays $1.7 Million for Leaving Information Accessible over the Internet
- WellPoint's breach report indicated that security weaknesses in an online application database left the electronic protected health information (ePHI) of 612,402 individuals accessible to unauthorized individuals over the Internet.
- OCR's investigation indicated that WellPoint did not implement appropriate administrative and technical safeguards as required under the HIPAA Security Rule:
  - WellPoint did not adequately implement policies and procedures for authorizing access to the online application database.
  - It did not perform an appropriate technical evaluation in response to a software upgrade to its information systems.
  - It did not have technical safeguards in place to verify the identity of the person or entity seeking access to ePHI maintained in its application database.

Hospice of North Idaho, a Small Provider, Pays $50,000 to Settle
- This was the first case involving a breach report for PHI of fewer than 500 individuals which resulted in the execution of a Resolution Agreement by the CE and the payment of a Resolution Amount to OCR, namely $50,000.
- In 2010, Hospice of North Idaho (HONI) submitted a breach notification, reporting that a laptop containing the PHI of 441 patients had been stolen.

Hospice of North Idaho, a Small Provider, Pays $50,000 to Settle (continued)
- OCR's investigation showed that HONI had not conducted a risk analysis and had not promulgated a policy designed to ensure the security of PHI held on mobile media devices.
- Since the breach was discovered, HONI has taken substantial steps to improve its privacy and security compliance program.

Adult & Pediatric Dermatology Pays $150,000 to Settle Breach Notification Case
- OCR received a report that an unencrypted thumb drive containing ePHI for 2,200 individuals was stolen from a staffer's car. The thumb drive was never recovered.
- OCR's investigation showed that APDerm had not conducted an analysis of risks and vulnerabilities regarding ePHI.
- APDerm did not have a written policy for reporting breaches or for training employees on Privacy and Security Rule issues.

Shasta Regional Medical Center Settles Privacy Rule Case for $275,000 for Impermissible Disclosure
- SRMC failed to safeguard the patient's protected health information (PHI) from impermissible disclosure by intentionally disclosing PHI to multiple media outlets on at least three separate occasions, without a valid written authorization.
- OCR's review indicated that senior management at SRMC impermissibly shared details about the patient's medical condition, diagnosis and treatment in an email to the entire workforce.
- In addition, SRMC failed to sanction its workforce members for impermissibly disclosing the patient's records pursuant to its internal sanctions policy.
- A corrective action plan (CAP) required SRMC to update its policies and procedures on safeguarding PHI from impermissible uses and disclosures and to train its workforce members.
- The CAP also required fifteen other hospitals or medical centers under the same ownership or operational control as SRMC to attest to their understanding of permissible uses and disclosures of PHI, including disclosures to the media.

Lessons Learned
- Risk analysis: HIPAA covered entities and their business associates are required to undertake a careful risk analysis to understand the threats and vulnerabilities to individuals' data, and to have appropriate safeguards in place to protect this information.
- Take caution when implementing changes to information systems, especially when those changes involve updates to Web-based applications or portals that are used to provide consumers access to their health data over the Internet.
- Senior leadership helps define the culture of an organization and is responsible for knowing and complying with the HIPAA privacy and security requirements to ensure patients' rights are fully protected.

Enforcement Statistics and Upcoming Enforcement Activities

HIPAA Compliance/Enforcement (As of December 31, 2013)
Totals since 2003:
- Complaints Filed: 90,000
- Cases Investigated: 31,925
- Cases with Corrective Action: 22,026
- Civil Monetary Penalties & Resolution Agreements (since 2008): $18.6 million

Top Five Issues Nationally in Cases Closed in 2013 with Corrective Action
1. Impermissible Uses and Disclosures of PHI
2. Lack of adequate physical, technical, or administrative safeguards
3. Individuals or their Representatives Being Denied Access to their PHI
4. Minimum Necessary
5. Lack of Mitigation by CE

Eye to the Future
- Increased efficiency
- High-impact cases
- Audit
- HHS expects full compliance, no matter the size of a covered entity.
- Assure that policies relating to privacy, security and breach notification are up-to-date and effectively implemented.

HIPAA Privacy, Security, Breach Compliance and Enforcement: What's to Come
- Resolution Agreements/Corrective Action Plans
  - Continue to increase activity and resources
  - Maintain focus on fundamentals of compliance programs
  - Address emerging issues
- Investigated Complaints/Compliance Reviews
  - New web portal for complaints/centralized intake: https://ocrportal.hhs.gov/ocr/cp/complaint_frontpage.jsf
  - Strategic approach to increase efficiencies and identify cases for investigation
- Breach Reports
  - Redesigned website for 500+ postings: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

HIPAA/HITECH Guidance

HIPAA/HITECH Guidance: What's Done
- Omnibus Final Rule
- De-identification
- Combined Regulation Text
- Sample BA provisions
- Refill Reminder
- Factsheets on Student Immunizations and Decedents
- Model Notice of Privacy Practices (English and Spanish versions)
- Other guidance: ability to report serious and imminent threats; permitted mental health disclosures; right to access updated for e-access requirements; law enforcement guide

Guidance Regarding the Sharing of Mental Health Information
In September 2013, OCR issued extensive guidance regarding the issue of when information about an individual who is receiving mental health care treatment can be shared with the individual's family and others involved in his or her care. The guidance also addresses the patient's capacity to agree to or object to the sharing of such information. It also addresses related law enforcement issues.

Guidance Regarding Marketing and Refill Reminders
Also in September 2013, OCR issued guidance regarding the refill exception from the marketing provision of the Privacy Rule. Normally, under the marketing provisions, as amended by the omnibus regulations that took effect in 2013, an individual has to provide written authorization before his or her PHI can be used for marketing purposes. However, the guidance makes clear that prescription refill reminders and other communications about a currently prescribed drug or biologic are generally exempt from the authorization requirement. In addition, a CE can receive financial remuneration from the drug manufacturer or similar third party, provided that the remuneration is reasonably related to the CE's cost of making the communication.

Guidance Regarding Disclosure of Decedents' PHI
The omnibus regulations contained changes to the original April 2003 version of the Privacy Rule regarding the ability of family members to access a deceased relative's PHI. Originally, only an executor or administrator could access a decedent's PHI, unless state law permitted other individuals, such as surviving spouses or adult children, to do so. Now, in most instances, any member of the family or other person who was involved in the provision of care to a deceased individual has a right to access his or her PHI, even if that person is not the decedent's personal representative. In September 2013, OCR issued guidance regarding these changes to the Privacy Rule.

Model Notice of Privacy Practices
- A notice in the form of a booklet;
- A layered notice that presents a summary of the information on the first page, followed by the full content on the following pages;
- A notice with the design elements found in the booklet, but formatted for full-page presentation;
- A text-only version of the notice;
- Different versions for plans and health care providers.
http://www.hhs.gov/ocr/privacy/hipaa/modelnotices.html

HIPAA/CLIA Final Rule Now in Effect: Patient Right of Access to Test Results
- Centers for Medicare and Medicaid Services enforcement: amends the Clinical Laboratory Improvement Amendments (CLIA) regulations to allow labs to give patients completed test results.
- OCR enforcement: amends the HIPAA right of access to remove the exemption for CLIA labs.
  - The individual has the right to access and get a copy of PHI in the designated record set (DRS) of labs, including the right to an electronic copy.
  - Access obligations on labs are the same as for other covered entities.
  - The individual can still go through a physician to obtain test results.
- Dates: published in the Federal Register February 6; effective date April 7; HIPAA compliance date October 8.

HIPAA/HITECH Guidance: What's to Come
- Guidance on the Omnibus Final Rule: Breach Safe Harbor update; Breach Risk Assessment Tool; Minimum Necessary; more on marketing
- Security Rule updates: small provider risk analysis tool
- More factsheets on other provisions
- Model Notice: Web-based version (challenge issued)
- Other: new YouTube content; more Spanish versions; new Medscape module coming soon, "EHRs and HIPAA: Steps for Maintaining the Privacy and Security of Patient Information"

Patients' Right to Restrict PHI

Patient Right to Request Restrictions: Old Rule
Under the April 2003 version of the Privacy Rule, an individual had the right to request that a covered entity place a restriction on the use and disclosure of his or her PHI for treatment, payment, and health care operations (and certain other reasons). The CE was not required to agree to any restriction. However, if the CE did agree, the CE was bound by the restriction.

Right to Require Restrictions: New Rule as of September 2013
Under the Omnibus Regulations, the CE must agree to an individual's request to restrict the disclosure of PHI to the individual's health plan if:
- the PHI pertains solely to health care for which the individual (or a person on behalf of the individual other than the health plan) has paid the CE in full, out of pocket; and
- the disclosure is not required by other law.
The CE is encouraged, but not required, to notify downstream providers of the restriction. The Preamble to the Omnibus Regulations, contained in the January 25, 2013 issue of the Federal Register, provides guidance on the scope of the restriction and other potential implementation issues, including a number of illustrative, hypothetical cases. The old permissive rule still applies to all other requests for restrictions from an individual.

Breach Notification Highlights
September 2009 through November 6, 2013:
- 682 reports involving over 500 individuals
- 84,963 reports involving under 500 individuals
- Top types of large breaches: theft; unauthorized access/disclosure; loss
- Top locations for large breaches: laptops; paper records; desktop computers; portable electronic devices

Spotlight on Largest Breaches of 2012
- Hacking of network server: 780,000 affected
- Backup tapes stored at hospital cannot be found and are presumed lost: 315,000 affected
- Unencrypted emails sent to employee's unsecured email address: 228,435 affected
- Theft of laptop from employee's vehicle: 116,506 affected
- Unauthorized access to ePHI stored in database: 105,646 affected
- Hacking of database stored on network server: 70,000 affected

Breach Notification: 500+ Breaches by Type of Breach (data as of January 2013)
- Theft: 51%
- Unauthorized Access/Disclosure: 20%
- Loss: 14%
- Hacking/IT Incident: 7%
- Improper Disposal: 5%
- Unknown: 3%

Breach Notification: 500+ Breaches by Location of Breach (data as of January 2013)
- Laptop: 23%
- Paper Records: 22%
- Desktop Computer: 15%
- Portable Electronic Device: 14%
- E-mail: 3%
- Other, EMR, Network Server: 2%, 11%, 10% (the pairing of these three labels to values is not recoverable from the extracted chart)

COMPLIANCE AUDITS

Audit Program
- HITECH Act Sec. 13411: periodic audits to ensure covered entities and business associates comply with the requirements of HIPAA and HITECH
- Audit objectives:
  - Examine mechanisms for compliance
  - Identify best practices
  - Discover risks and vulnerabilities that may not have come to light through complaint investigations and compliance reviews
  - Renew the attention of covered entities to health information privacy and security compliance activities

Compliance and Enforcement: Audit, Where We Have Been

Audit Pilot Completed
Pilot process:
- Tiered approach for a snapshot of compliance across covered entity types, sizes and complexity
- Sample of 115 covered entities selected, spread across 4 tiers
- All audits were completed by December 2012
- Published audit protocol
- Issued final reports to entities audited in the pilot

Audit Pilot Observations
- Completed audits of 115 entities: 61 providers, 47 health plans, 7 clearinghouses
- No findings or negative observations for 13 entities (11%): 2 providers, 9 health plans, 2 clearinghouses
- Total of 979 audit findings and observations: 293 Privacy, 592 Security, 94 Breach Notification
- The percentage of Security Rule findings and observations was double what would have been expected based on the protocol
- Smaller entities (Level 4) struggled with all three areas

Summary of Entities Audited
- Level 1 Entities: large provider/payer; extensive use of HIT, with complicated HIT-enabled clinical/business work streams; revenues and/or assets greater than $1 billion
- Level 2 Entities: large regional hospital system (3-10 hospitals/region) or regional insurance company; paper and HIT-enabled work flows; revenues and/or assets between $300 million and $1 billion
- Level 3 Entities: community hospitals, outpatient surgery, regional pharmacy, and all self-insured entities that don't adjudicate their own claims; some but not extensive use of HIT, mostly paper-based workflows; revenues between $50 million and $300 million
- Level 4 Entities: small providers (10 to 50 provider practices, community or rural pharmacy); little to no use of HIT, almost exclusively paper-based workflows; revenues less than $50 million

Size/Type of Entities Audited (data as of December 2012)

                           Level 1  Level 2  Level 3  Level 4  Total
Health Plans                    13       12       11       11     47
Healthcare Providers            11       16       10       24     61
Healthcare Clearinghouses        2        3        1        1      7
Total                           26       31       22       36    115

Types of Privacy Rule Audit Findings (data as of December 2012)
- Notice of Privacy Practices: 20%
- Restriction Requests & Alternative Communications: 2%
- Individual Right of Access: 16%
- Administrative Standards: 18%
- Uses and Disclosures of PHI: 44%

Types of Security Rule Audit Findings (bar chart, data as of December 2012)
Categories shown: Risk Analysis; Access Management; Security Incident Procedures; Contingency Planning; Audit Controls and Monitoring; Movement and Destruction of Media. The bars range from 9% to 18%; the value for each category is not recoverable from the extracted chart.

Compliance and Enforcement Audit: What's Ahead in 2014
- Formal program evaluation 2013: internal analysis for follow-up and next steps
- Creation of technical assistance based on results
- Determine where entity follow-up is appropriate
- Identify leading practices
- Revise the protocol to reflect the Omnibus Rule
- Ongoing program design and focus: business associates; accreditation/certification correlations

Resumption of Audits in 2014
- OCR will be conducting a second round of compliance audits on its own, beginning later in 2014 and continuing into 2015.
- OCR selected from a very large database an oversupply of 1,200 organizations as possible subjects of the new round of audits, and is currently reviewing the listed organizations to determine their suitability for audit.
- Roughly 800 of the organizations are covered entities and 400 are business associates.

New Issues Likely to Be Covered in Audits
- OCR expects to revise its 2012 audit protocol to include the changes brought by the Omnibus Regulations.
- OCR also expects a more intensive focus on organizations' analysis of potential risks and vulnerabilities involving the PHI which they generate and which comes into their custody, as OCR found the absence of any risk analysis, or of an adequate one, to be very common in the 2012 audit.

RESOURCES

We've Been Busy: New Compliance Assistance Tools for Covered Entities and Business Associates
- The HIPAA Omnibus Rule: https://www.youtube.com/watch?v=m X QL9PoePU

New Resource Center at Medscape.org
- Video programs module embedded into the page for dynamic interest
- Educational links, including mobile device content
- http://www.medscape.org/sites/advances/patients-rights

Two New Learning Modules for Free CME and CE Credit
- The goal of this activity is to describe steps in analyzing and managing risks related to the security of protected health information: http://www.medscape.org/viewarticle/810563
- The goal of this activity is to describe steps healthcare practices should take to assess and improve the security of protected health information on mobile devices: http://www.medscape.org/viewarticle/810568

Consumer Awareness and Engagement
- Your New Rights Under HIPAA (Consumers): https://www.youtube.com/watch?v=3-wV23_E4eQ
- Over 262,000 views since September 4, 2013
- Visit us at http://www.youtube.com/usgovhhs

OCR's YouTube Videos
- Your New Rights Under HIPAA: 264,781 views
- Your Health Information, Your Rights: 116,291 views
- The Right to Access Your Health Information: 84,909 views
- EHRs: Privacy and Security: 5,645 views
- Explaining the Notice of Privacy Practices: 124,888 views
- The HIPAA Omnibus Rule: 273,927 views
- Su Informacion de Salud, Sus Derechos: 503,898 views
- Treatment, Payment and Health Care Operations: 77,967 views
- Communicating with Friends and Family: 97,428 views
- HIPAA Security Rule: 291,263 views
- Total views from Feb 16, 2012 to Jan 30, 2013: 1,840,997
Visit us at http://www.youtube.com/usgovhhs

Contact Information
Andrew C. Kruley
Equal Opportunity Specialist (Investigator)
Office for Civil Rights, Region V
United States Department of Health and Human Services
233 North Michigan Avenue, Suite 240
Chicago, Illinois 60601
312-886-5888
Andrew.Kruley@hhs.gov