HIPAA/HITECH: WHAT'S YOUR COMPLIANCE STATUS?
Daniel B. Mills, Pretzel & Stouffer, Chartered

WHAT IS HIPAA?

DEFINITIONS: HIPAA
- Health Insurance Portability and Accountability Act of 1996
- Primarily designed to ensure workers retain health care insurance coverage as they change jobs
- But also authorized the Dept. of HHS to promulgate privacy regulations
- Controls fraud and abuse of private medical information
- Designed to promote uniformity among states concerning privacy and security of health information

DEFINITIONS: HITECH
- Health Information Technology for Economic and Clinical Health Act
- Part of the American Recovery and Reinvestment Act of 2009
  - Health care reform grafted onto an economic recovery bill
  - Title XIII, Health Information Technology, is HITECH
- Promotes electronic, encrypted health care records with universal retrieval
- Prohibits unauthorized acquisition and disclosure of protected health information
- Follows the disclosure rules, duties and obligations of HIPAA

PROTECTED HEALTH INFORMATION (PHI)
- PHI is defined in the regulations to mean essentially any information regarding health status, provision of health care, or payment for health care that can be linked to an individual (45 C.F.R. Section 160.103)

SCOPE OF HIPAA/HITECH
- The HIPAA privacy and security regulations apply to covered entities and their business associates
- A covered entity is defined as any health plan, health care clearinghouse, or health care provider who transmits any health information in electronic form
- Business associates include any third-party service provider that creates, receives, maintains or transmits PHI on behalf of a covered entity
  - Also includes any person who provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation or financial services to or for a covered entity
  - And now subcontractors of business associates

HIPAA: WHAT DOES IT DO?
- Imposes privacy and security requirements for confidentiality of protected health information
  - Disposal of electronic PHI and storage hardware
  - Removal of PHI from media before reuse
  - Emergency access procedures
- Imposes criminal penalties for knowingly obtaining or disclosing individually identifiable health information

HIPAA
- Consists of two core components
  - The Privacy Rule: restricts use and disclosure of PHI
  - The Security Rule: establishes uniform standards for securing and transmitting electronic PHI
- The regulations also contain an enforcement section authorizing HHS to impose civil monetary penalties for HIPAA violations

HIPAA PRIVACY RULE
- The Privacy Rule requires that, prior to using or disclosing PHI, a covered entity must obtain and receive signed authorization from the individual whose PHI is at issue
- There are exceptions:
  - For use in connection with a covered entity's treatment, payment or health care operations
  - When a patient is incapacitated and the use is in their best interest
  - In connection with judicial proceedings (i.e., in response to a court order or subpoena). Attorneys routinely obtain a HIPAA qualified protective order at the outset of litigation, which prohibits the parties from using the PHI for any purpose other than the litigation and requires the records to be returned or properly destroyed.

HIPAA SECURITY RULE
- The Security Rule establishes regulatory standards for securing electronic PHI
- Applies only to electronic records
- Generally requires covered entities to take reasonable steps to:
  - Ensure confidentiality, integrity, and availability of electronic PHI
  - Protect against reasonably anticipated threats or hazards
  - Ensure compliance by its workforce

HIPAA SECURITY RULE
- Requires three specific safeguards: administrative, physical and technical
  - Administrative: implement policies and procedures for evaluating and analyzing the physical and technical protections in place against security risks
  - Physical: implement policies and procedures for limiting physical access to facilities and devices containing PHI, and procedures for use, transfer or removal of devices with PHI
  - Technical: implement policies and procedures for limiting technical access to PHI, preventing improper alteration or destruction, and securing the transmission of electronic PHI

HITECH: WHAT DOES IT DO?
- Pushes for digitization of health information and harmonization across the field for universal access
- Promotes use of electronic health records for each person in the United States
- Mandates use of EMR to maintain current levels of Medicaid and Medicare reimbursements
- Established new notice requirements in the event of a data breach
- Expanded liability under HIPAA, so that business associates are now subject to direct liability
- Requires covered entities and business associates to maintain written contracts that contain assurances regarding use and disclosure of PHI

HITECH BREACH NOTIFICATION RULE
- Imposes notice requirements on covered entities and business associates in the event of a breach of unsecured PHI
  - Breach is defined as any impermissible acquisition, access, use or disclosure of PHI
  - Unsecured PHI means PHI not secured per guidelines from HHS
- Must notify HHS
- Must notify each individual affected
- If the breach affects over 500 individuals, the covered entity must notify prominent media outlets in your state

HIPAA/HITECH ENFORCEMENT
- HHS enforces these regulations by imposing civil monetary penalties, ranging from $100 to $50,000 for each violation
- There can be criminal prosecution for those who intentionally or knowingly violate the regulations
- HIPAA contains no provision for a private lawsuit by an individual
  - However, the regulations have been cited as evidence of the duty of care owed in civil suits

HACKERS, SPIES AND REGULAR GUYS
- Most breaches of privacy come from within: our own employees
  - Curiosity, carelessness, animosity and greed all play a role in employee breaches
- Yet cyber security is also a concern
- Theft of paper records or electronic media (laptops, desktop computers and portable electronic devices) accounted for most large-scale breaches

PUBLISHED FINES/PENALTIES
- $4,800,000 (May 2014): New York Presbyterian Hospital and Columbia University agreed to pay $4.8M in a HIPAA violation settlement for failing to secure thousands of medical records on their system (http://www.hhs.gov/news/press/2014pres/05/20140507b.html)

PUBLISHED FINES/PENALTIES
- $4,300,000: Civil fine imposed on Cigna Health in Maryland over denial of patient access to records
- $1,400,000: Jury award to a Crown Point, IN woman whose pharmacist disclosed PHI. The plaintiff was an ex-girlfriend of the husband.
- $1,000,000: Civil fine to Mass General Hospital when an employee left PHI on a device on the MTA train

IN THE NEWS
- Advocate Medical Group
  - Under investigation after theft of computers containing PHI
  - Class action suit threatened by over 4M patients
  - Allegedly failed to use encryption and other security measures
- Suburban Lung Associates
  - Dave Savini, Channel 5 News, report last week
  - Patient paper medical records found in a dumpster
  - Highlights the issue of proper destruction of records and the responsibility of business associates (record storage and disposal companies)

RECOMMENDATIONS
- Improve physical security by installing new security systems
- Relocate records or equipment to a more secure location
- Adopt the latest encryption technologies
- Change passwords frequently
- Train and re-train workforce members who handle PHI
- Revise business associate contracts to explicitly require protection of PHI
- Document!!!! You need to have evidence of the policies, procedures, and training on this topic
- Consider insurance for these types of losses