OCR Reports on the Enforcement. Learning Objectives



Similar documents
OCR Reports on the Enforcement. Learning Objectives 4/1/2013. HIPAA Compliance/Enforcement (As of December 31, 2012) HCCA Compliance Institute

OCR UPDATE Breach Notification Rule & Business Associates (BA)

HIPAA Enforcement. Emily Prehm, J.D. Office for Civil Rights U.S. Department of Health and Human Services. December 18, 2013

Disclaimer 8/8/2014. Current Developments in Privacy and Security Rule Enforcement

HIPAA Omnibus Final Rule Changes Breach Notification & Enforcement Plus An Audit Update

Am I a Business Associate? Do I want to be a Business Associate? What are my obligations?

Are You Still HIPAA Compliant? Staying Protected in the Wake of the Omnibus Final Rule Click to edit Master title style.

Trust 9/10/2015. Why Does Privacy and Security Matter? Who Must Comply with HIPAA Rules? HIPAA Breaches, Security Risk Analysis, and Audits

HIPAA Omnibus Rule Overview. Presented by: Crystal Stanton MicroMD Marketing Communication Specialist

What do you need to know?

HIPAA Omnibus Rule Practice Impact. Kristen Heffernan MicroMD Director of Prod Mgt and Marketing

HIPAA WEBINAR HANDOUT

Overview of the HIPAA Security Rule

Understanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA- Compliant IT Provider A White Paper by CMIT Solutions

HHS Issues New HITECH/HIPAA Rule: Implications for Hospice Providers

Protecting Patient Information in an Electronic Environment- New HIPAA Requirements

HIPAA Hot Topics. Audits, the Latest on Enforcement and the Impact of Breaches. September Nashville Knoxville Memphis Washington, D.C.

What s New with HIPAA? Policy and Enforcement Update

HIPAA. New Breach Notification Risk Assessment and Sanctions Policy. Incident Management Policy. Focus on: For breaches affecting 1 3 individuals

Business Associates, HITECH & the Omnibus HIPAA Final Rule

HIPAA Omnibus & HITECH Rules: Key Provisions and a Simple Checklist.

HIPAA: Breach Notification By: Office of University Counsel For: Jefferson IRB Continuing Education. September 2014

HIPAA Compliance Guide

12/19/2014. HIPAA More Important Than You Realize. Administrative Simplification Privacy Rule Security Rule

HIPAA LIAISON MEETING PRESENTAITON. August 11, 2015 Leslie J. Pfeffer, BS, CHP University HIPAA Privacy Officer

HIPAA Audits: How to Be Prepared. Lindsey Wiley, MHA, CHTS-IM, CHTS-TS HIT Manager Oklahoma Foundation for Medical Quality

HIPAA Update. Presented by: Melissa M. Zambri. June 25, 2014

HIPAA Compliance, Notification & Enforcement After The HITECH Act. Presenter: Radha Chanderraj, Esq.

HIPAA Security Rule Compliance

HIPAA in an Omnibus World. Presented by

HIPAA and HITECH Compliance Under the New HIPAA Final Rule. HIPAA Final Omnibus Rule ( Final Rule )

Business Associates and Breach Reporting Under HITECH and the Omnibus Final HIPAA Rule

COMPLIANCE ALERT 10-12

Presented by Jack Kolk President ACR 2 Solutions, Inc.

6/17/2013 PRESENTED BY: Updates on HIPAA, Data, IT and Security Technology. June 25, 2013

HIPAA and the HITECH Act Privacy and Security of Health Information in 2009

New HIPAA Breach Notification Rule: Know Your Responsibilities. Loudoun Medical Group Spring 2010

This presentation focuses on the Healthcare Breach Notification Rule. First published in 2009, the final breach notification rule was finalized in

HIPAA Compliance Guide

White Paper THE HIPAA FINAL OMNIBUS RULE: NEW CHANGES IMPACTING BUSINESS ASSOCIATES

HIPAA and HITECH Compliance for Cloud Applications

UNDERSTANDING THE HIPAA/HITECH BREACH NOTIFICATION RULE 2/25/14

Security Is Everyone s Concern:

Enforcement of Health Information Privacy & Security Standards Federal Enforcement Through Recent Cases and Tools to Measure Regulatory Compliance

Philip L. Gordon, Esq. Littler Mendelson, P.C.

HIPAA Compliance The Time is Now Changes on the Horizon: The Final Regulations on Privacy and Security. May 7, 2013

Lessons Learned from HIPAA Audits

HIPAA Breaches, Security Risk Analysis, and Audits

Ethics, Privilege, and Practical Issues in Cloud Computing, Privacy, and Data Protection: HIPAA February 13, 2015

Privacy & Security. Risk Management Strategies for Healthcare Data. Ohio Hospital Association Centennial Annual Meeting.

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc.

Annual Report to Congress on HIPAA Privacy Rule and Security Rule Compliance. For Calendar Years 2009 and 2010

Implementing Electronic Medical Records (EMR): Mitigate Security Risks and Create Peace of Mind

New HIPAA regulations require action. Are you in compliance?

AHLA. B. HIPAA Compliance Audits. Marti Arvin Chief Compliance Officer UCLA Health System and David Geffen School of Medicine Los Angeles, CA

Dissecting New HIPAA Rules and What Compliance Means For You

A How-To Guide for Updating HIPAA Policies & Procedures to Align with ARRA Health Care Provider Edition Version 1

Legislative & Regulatory Information

HHS Finalizes HIPAA Privacy and Data Security Rules, Including Stricter Rules for Breaches of Unsecured PHI

Datto Compliance 101 1

HHS announces sweeping changes to the HIPAA Privacy and Security Rules in the final HIPAA Omnibus Rule

You Probably Don t Even Know

Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know

OCR/HHS HIPAA/HITECH Audit Preparation

OCR s Anatomy: HIPAA Breaches, Investigations, and Enforcement

The HIPAA Audit Program

HIPAA, HIPAA Hi-TECH and HIPAA Omnibus Rule

Privacy Officer Job Description 4/28/2014. HIPAA Privacy Officer Orientation. Cathy Montgomery, RN. Presented by:

HIPAA Compliance: Are you prepared for the new regulatory changes?

HIPAA Privacy and Information Security Management Briefing

Updated HIPAA Regulations What Optometrists Need to Know Now. HIPAA Overview

Transcription:

OCR Reports on the Enforcement of the HIPAA Rules HCCA Compliance Institute April 22, 2013 David Holtzman Sr. Health IT & Privacy Specialist U.S. Department of Health and Human Services Office for Civil Rights Learning Objectives 1.Update on OCR s enforcement of Privacy/Security/Breach Notification Rules 2.Discuss the practical implications of the final breach notification rule and enforcement rule 3.Learn about HHS tools you can use in your privacy and security awareness training April 22, 2013 2 1

HIPAA Compliance/Enforcement (As of December 31, 2012) TOTAL (since 2003) Complaints Filed 77,200 Cases Investigated 27,500 Cases with Corrective Action 18,600 Civil Monetary Penalties & Resolution Agreements (since 2008) $14.9 million April 22, 2013 3 Issues Most Frequently Reviewed Privacy Rule Impermissible Uses and Disclosures of PHI Safeguards to Protect Health Information Access to Health Records Minimum Necessary Notice of Privacy Practices Security Rule Risk Analysis Security Incident Response and Reporting Security Awareness and Training Access Controls Encryption and Decryption (Data in Storage) April 22, 2013 4 2

Breach Notification Highlights September 2009 through March 20, 2013 556 reports involving over 500 individuals Over 78,000 reports involving under 500 individuals Top types of large breaches Theft Unauthorized Access/Disclosure Loss Top locations for large breaches Laptops Paper records Desktop Computers Portable Electronic Device April 22, 2013 page 5 Spotlight on Largest Breaches of 2012 Hacking network server 780,000 affected Backup tapes stored at hospital cannot be found and are presumed lost 315,000 affected Unencrypted emails sent to employee s unsecured email address 228,435 affected Theft of laptop from employee s vehicle 116,506 affected Unauthorized access to e PHI stored in database 105,646 affected Hacking database stored on network server 70,000 affected April 22, 2013 page 6 3

Breach Notification: 500+ Breaches by Type of Breach Hacking/IT Incident 8% Improper Unknown Disposal 2% 5% Unauthorized Access/ Disclosure 20% Loss 13% Theft 52% April 22, 2013 page 7 Breach Notification: 500+ Breaches by Location of Breach Network Server 11% E mail 2% Other 10% Paper Records 22% EMR 2% Portable Electronic Device 14% Desktop Computer 15% Laptop 23% April 22, 2013 page 8 4

Major 2012 Enforcement Actions BCBS Tennessee ($1.5 M) E PHI stored on servers stolen from deactivated data center after construction/relocation to new facility Reevaluate threats/vulnerabilities to e PHI caused by changing operational environment and manage risk Phoenix Cardiac Surgery ($100K) E PHI disclosed through Internet when provider used third party application hosted in the cloud Business associate agreements required when sharing data with cloud computing service providers Alaska DHSS ($1.7M) Portable storage device stolen from personal vehicle symptomatic of widespread failure to implement program wide information security safeguards Risk analysis to identify location and safeguards for PHI, training and controls for portal devices April 22, 2013 9 Major Enforcement Actions of 2012 Massachusetts Eye and Ear Institute ($1.5M) Stolen personal laptop of physician using device as desktop substitute Covered entity had not implemented a program to mitigate identified risks to e PHI Encrypt data stored on end user devices Hospice of Northern Idaho ($50K) Breach affecting 400 individuals when laptop stolen Provider had not conducted a risk assessment or taken other measures to safeguard e PHI as required by Security Rule Implement security measures to safeguard e PHI April 22, 2013 page 10 5

Audit Program HITECH Act Sec. 13411 Periodic audits to ensure covered entities and business associates comply with requirements of HIPAA and HITECH Audit Objectives Examine mechanisms for compliance Identify best practices Discover risks and vulnerabilities that may not have come to light through complaint investigations and compliance reviews Renew attention of covered entities to health information privacy and security compliance activities April 22, 2013 page 11 Audit Pilot Completed Pilot Process Tiered approach for snapshot of compliance across covered entity types, sizes, complexity Sample of 115 covered entities selected spread across 4 tiers All audits completed by December 2012 Published audit protocol Issuing final reports to 115 entities audited in pilot and assessing findings Conducting Evaluation of Audit Pilot April 22, 2013 page 12 6

Audit Pilot Observations Completed Audits of 115 entities 61 Providers, 47 Health Plans, 7 Clearinghouses No findings or observations for 13 entities (11%) 2 Providers, 9 Health Plans, 2 Clearinghouses Total 979 audit findings and observations 293 Privacy 592 Security 94 Breach Notification Percentage of Security Rule findings and observations was double what would have been expected based on protocol Smaller entities (Level 4 ) struggle with all three areas April 22, 2013 page 13 Omnibus Final Rule Important Dates Public Display at Federal Register January 17, 2013 Published in Federal Register January 25, 2013 Effective Date March 26, 2013 Compliance Date September 23, 2013 Conform BA contracts September 22, 2014 April 22, 2013 page 14 7

Omnibus Final Rule What s New for Business Associates BAs must comply with the technical, administrative, and physical safeguard requirements under the Security Rule Liable for Security Rule violations BA must comply with use or disclosure limitations expressed in its contract and those in the Privacy Rule Criminal and civil liabilities for violations BA definition expressly includes Health Information Organizations, E prescribing Gateways, and PHR vendors that provide services to covered entities Subcontractors of a BA are now defined as a BA BA liability flows to all subcontractors April 22, 2013 page 15 Omnibus Final Rule What s New for Breach Breach Notification Provisions Replaces harm to individual with more objective measure of compromise to the data as threshold for breach notification Other provisions of 2009 IFR adopted without major change April 22, 2013 page 16 8

Omnibus Final Rule What s New for Enforcement Enforcement Provisions Adopts increased CMP amounts and tiered levels of culpability from 2009 IFR Clarifies Reasonable Cause Tier Willful Neglect Penalties do not require informal resolution Intentional wrongful disclosures may be subject to civil, rather than criminal, penalties April 22, 2013 page 17 HITECH Enforcement Raises CMP Levels April 22, 2013 page 18 9

Enforcement Rule: Investigation and Resolution of Violations The Final Rule reflects the requirement of the HITECH Act that HHS will investigate a possible HIPAA violation if a preliminary review of the facts available from a complaint or a compliance review, or information from an independent inquiry by HHS, indicates the possibility of willful neglect. The investigation may proceed directly to an enforcement action, particularly but not only, in the case of willful neglect. However, the Final Rule offers reassurance that, absent indications of willful neglect, HHS still will seek compliance through informal, voluntary action in appropriate cases. April 22, 2013 19 Enforcement Rule: Violations Due to Reasonable Cause Of the four tiers of penalties specified in the HITECH Act, the required state of mind for the lowest tier (entity did not know, and in the exercise of reasonable diligence would not have known of the violation) and for the highest two tiers (willful neglect) are unchanged under the Final Rule. The state of mind for second tier, violations due to reasonable cause not amounting to willful neglect, was not specified in the HITECH Act. April 22, 2013 20 10

Enforcement Rule: Violations Due to Reasonable Cause The second tier is important as a practical matter, because it likely covers many common violations by otherwise generally compliant covered entities and business associates, such as those that occur due to human error, despite workforce training and appropriate policies and procedures. Modifies the definition of reasonable cause to specify the state of mind; reasonable cause covers violations in which the entity exercised ordinary business care and prudence to comply with the provision that was violated or in which the entity knew of the violation but lacked conscious intent or reckless indifference associated with a violation due to willful neglect. April 22, 2013 21 HIPAA: Creating Awareness and Educating Providers on the Importance of Compliance Medscape: Free CME and CE Training http://www.medscape.org/viewarticle/762170?src=cmsocr April 22, 2013 page 22 11

ONC/OCR Mobile Device Program Instructional Video Series The videos explore mobile device risks and discuss privacy and security safeguards providers and professionals can put into place to mitigate risks. Securing Your Mobile Device is Important! Dr. Anderson's Office Identifies a Risk A Mobile Device is Stolen Protecting Patients' Health Information When Using a Public Wi-Fi Network? Worried About Using a Mobile Device for Work? Here's What To Do! 23 Downloadable Materials www.healthit.gov/mobiledevices Fact sheets Posters Brochures April 22, 2013 page 24 12

Guidance/Compliance Tools De identification Guidance http://www.hhs.gov/ocr/privacy/hipaa/understanding/cov eredentities/de identification/guidance.html Sample Business Associate Contract Language http://www.hhs.gov/ocr/privacy/hipaa/understanding/cov eredentities/contractprov.html Risk Analysis Guidance http://www.hhs.gov/ocr/privacy/hipaa/administrative/sec urityrule/rafinalguidance.html Security for Mobile Devices (video/web) http://www.healthit.gov/mobiledevices April 22, 2013 25 Questions? OCR website www.hhs.gov/ocr/privacy Contact Information david.holtzman@hhs.gov April 22, 2013 page 26 13

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information