You Probably Don't Even Know That You Need To Comply With HIPAA
About ERM
About The Speaker
Stephen Siegel, Esq., Of Counsel, Broad and Cassel
Board Certified – Health Law
Over 25 yrs. experience in private practice + 10 yrs. with CMS' predecessor agencies
Practice includes regulatory compliance and HIPAA-HITECH compliance
Member of Health Law and White Collar Defense/Compliance Practice Groups
JD, Georgetown University Law Center
About Broad and Cassel
CYBER SECURITY | REGULATORY COMPLIANCE | DIGITAL FORENSICS
150+ Attorneys
Office Locations:
- Boca Raton
- Ft. Lauderdale
- Miami
- Tampa
- West Palm Beach
- Destin
- Jacksonville
- Orlando
Practice Areas include:
- Banking
- Commercial Litigation
- Computer & Tech. Law
- Corporate and Securities
- Elder Law
- Government Relations
- Health Law
- White Collar Defense & Compliance
- Housing
- Intellectual Property
- International Law
- Real Estate
- Labor and Employment
- Taxation
If I'm Not A Health Care Provider… Why Is This Relevant To Me?
Objective of HIPAA-HITECH
Protect an individual's "protected health information" ("PHI") that becomes subject to an electronic "transaction".
PHI belongs to the individual, NOT the business.
Covered Entities and Business Associates are viewed as having a fiduciary duty to protect the security and confidentiality of each individual's PHI.
Critical Date: September 24, 2013
HIPAA-HITECH* EFFECTIVE FOR BUSINESS ASSOCIATES
IMPOSES MOST OF THE OBLIGATIONS OF COVERED ENTITIES ON THEIR BUSINESS ASSOCIATES
* (Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act of 2010)
What types of information are considered PHI?
PHI is information that is individually identifiable and related to:
The individual's past, present or future physical or mental health or condition;
The provision of health care to the individual; or
The past, present, or future payment for the provision of health care to the individual.
NOTE: PHI is NOT determined by its relationship to a payer; it is determined by its relationship to the individual.
PHI - Examples
Social Security Number
Name
Address
Telephone Number
Zip Code
Diagnosis, Plan of Care
Provider's Identity
Credit Card Number
Spouse's Identity
Date of Birth
What is a “transaction”?
"Transaction means the transmission of information between two parties to carry out financial or administrative activities related to health care", including:
Health care claims/encounter information;
Health care payment and remittance advice
Coordination of benefits
Claims status
Enrollment/disenrollment status in a health plan
Referral certification and authorization
Health care electronic funds transfers
Understanding your role
Are you a Covered Entity (“CE”)?
Are you a Business Associate (“BA”)?
NOTE: If the answer to both questions is "no", HIPAA-HITECH does not apply.*
* But do not forget state privacy laws and other federal laws regarding protecting information that may be applicable.
Covered Entities
Health Care Providers
"A provider of medical or health services and any other person or organization who furnishes, bills, or is paid for health care in the normal course of business."
"Health care means care, services or supplies related to the health of an individual", including, but not limited to: "Preventive, diagnostic, rehabilitative, maintenance or palliative care …."
Examples: hospitals, physicians, medical equipment suppliers, nursing homes
Health Plans
Clearinghouses
CEs should have been complying with HIPAA before 9/24/13
Business Associates
Person or entity who, on behalf of a Covered Entity, creates, receives, maintains or transmits PHI for a function or activity regulated by HIPAA-HITECH, including claims processing/administration, data analysis, utilization review, quality assurance, patient safety, billing, benefit management, practice management, etc.
Business Associates - Examples
Billing service
Claims processing
Administrative service
Computer software vendor
Medical record storage
Business equipment vendor
Cloud storage vendors
Accountants
Lawyers
Consultants
Business Associate Agreement (“BAA”)
If a CE engages a BA, the CE must have a written business associate agreement ("BAA").
The BAA must require the BA to comply with the Rules' requirements for protecting the privacy and security of PHI.
BAs are directly liable for compliance with certain provisions in the HIPAA-HITECH Rules.
BAs need BAAs with sub-BAs.
Business Associates
Who is considered a BA under the Rules?
Persons or organizations outside the CE's workforce (i.e., independent contractors and their subcontractors) that provide services which include the creation, maintenance, use or disclosure of PHI on behalf of a CE that has been the subject of an electronic transaction.
The Breach Notification Rule
What happens if an unauthorized party gets PHI?
HIPAA-HITECH requires CEs to provide notification following a breach of unsecured PHI.
The pre-HITECH presumption of no harm was discarded in HIPAA-HITECH.
NOTE: PHI that is encrypted is not unsecured and thus not subject to breach notification requirements.
The Breach Notification Rule (Cont.)
What is a breach?
A breach is an impermissible acquisition, access, use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.
An impermissible acquisition, access, use or disclosure of PHI is presumed to be a breach unless the CE can demonstrate that there is a low probability that the PHI has been compromised.
The Breach Notification Rule (Cont.)
A "low probability" that the PHI was compromised is demonstrated via a comprehensive and documented risk assessment.
If the CE/BA can establish through its risk assessment that there is a low probability that the PHI was compromised, breach notification is not required.
The Breach Notification Rule
If you are a CE or BA, here are some likely data breach sources:
smart phones
laptops
thumb drives
hackers
unsecure vendors
CDs or DVDs
tablets
digital cameras
e-mail archives
digital dictation
hard drives
cloud storage
gossip
unhappy employees
Conducting a Risk Assessment
After a breach, evaluate at least the following four factors:
a. The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification.
b. The unauthorized person who used the PHI or to whom the disclosures were made.
c. Whether the PHI was actually acquired or viewed.
d. The extent to which the risk to the PHI has been mitigated.
- The extent and efficacy of the mitigation may depend on the recipient; was it a BA, a CE or a third party?
The Breach Notification Rule (Cont.)
The burden is on the CE/BA to demonstrate that a breach has not occurred and notification is not required.
The risk assessment must be thoroughly documented.
In lieu of a risk assessment, the CE can choose to simply notify the individuals whose PHI was improperly used or disclosed, as well as the press and HHS-OCR (as required).
Who must be notified of a breach?
Following a breach of unsecured PHI a Covered Entity must notify:
The individual whose PHI has been compromised or is believed to have been compromised. The notification must include:
What happened and when;
The type of unsecured PHI involved;
Steps the individual should take to protect him/herself from potential harm from the breach;
What the CE is doing to investigate and mitigate the breach and prevent further breaches; and
Contact information for individuals to ask questions.
Who must be notified of a breach? (Cont.)
Media Notice: Breach involving more than 500 residents in a state or jurisdiction - the entity must notify prominent media outlets, in addition to the affected individuals, within 60 days of discovery of the breach.
Notice to the Secretary of the Department of Health and Human Services (DHHS):
Breach involving 500 or more individuals - the entity must notify DHHS within 60 days of discovery.
Fewer than 500 individuals - the entity may notify the Secretary within 60 days of the end of the calendar year in which the breach occurred.
Who must be notified of a breach? (Cont.)
Notification by a Business Associate:
If the breach of unsecured PHI occurs at or by a BA, the BA must notify the CE without unreasonable delay, as required by the BA Agreement, but no later than 60 days after discovering the breach, and
The BA must provide sufficient information for the CE to notify the affected individual(s).
Note: the BAA may require the BA to do more:
Indemnification
Credit protection
Enforcement of the Rules
The Office of Civil Rights (OCR) enforces the HIPAA Privacy, Security and Breach Notification Rules.
The OCR implemented a pilot program that audited 115 covered entities in 2011 and 2012.
OCR is now randomly auditing compliance of CEs and BAs.
Audit Protocol
The OCR audit protocol includes:
Privacy Rule:
Notice of privacy practices for PHI,
Rights to request privacy protection for PHI,
Access of individuals to PHI,
Administrative requirements,
Uses and disclosures of PHI,
Amendment of PHI,
Accounting of disclosures.
Security Rule:
Administrative, physical and technical safeguards
Breach Notification Rule requirements.
Audits (Cont.)
Every CE and BA (and, presumably, sub-BAs) is subject to auditing.
Although audits are viewed as compliance improvement tools, a particular violation may lead to sanctions and penalties.
If an audit indicates a serious compliance issue, it may trigger a separate enforcement investigation by OCR or DOJ.
Audit Results
Privacy Rule violations:
Failure to provide appropriate patient access to records,
Insufficient Notice of Privacy Practices,
Lack of Policies and Procedures.
Audit Results
Security Rule violations:
Failure to monitor user activity,
Lack of contingency planning,
Authentication/integrity,
Media reuse and destruction.
OCR's Complaint Investigation (pre-HIPAA-HITECH)
The Top 5 OCR investigation issues:
Impermissible uses and disclosures of PHI
Lack of safeguards
Access to records
Failure to keep access to “minimum necessary”
No or insufficient Notice of Privacy Practices
OCR Complaint Statistics (April 2013), through December 2012:
Complaints received: 77,190
Complaints resolved: 70,800
Corrective action required: 18,711
No violation: 8,971
Who is looking at you?
HIPAA-HITECH allows for enhanced sanctions and penalties and expands HIPAA's enforcement provisions.
Enforcement agencies include:
OCR
DOJ
State Attorneys General
Whistleblowers (?)
Patients/family members (?)
Non-Compliance Risk
Failure to comply with HIPAA-HITECH could result in:
Federal/State penalties/fines/licensure action
Criminal or civil investigation and prosecution
Loss of contracts
Public harm and reputational risk
Legal costs
Cost of notification of breach
Private damage judgment
Civil Money Penalty Structure
The Department will determine the penalty amounts based on the nature and extent of the violation and the nature and extent of the
Violation Category (Section 1176(a)(1)) | Each Violation   | All violations of same provision in one calendar year
(A) Did not know                        | $100-$50,000     | $1,500,000
(B) Reasonable Cause                    | $1,000-$50,000   | $1,500,000
(C)(i) Willful Neglect – Corrected      | $10,000-$50,000  | $1,500,000
(C)(ii) Willful Neglect –               |                  |
HIPAA Criminal Penalties
A person who knowingly obtains or discloses PHI in violation of HIPAA-HITECH may be subject to criminal liability.
That is, a person who knowingly and in violation of HIPAA-HITECH:
Uses or causes to be used a unique health identifier;
Obtains individually identifiable health information relating to an individual; or
Discloses individually identifiable health information to another person.
HIPAA Criminal Penalties (Cont.)
Under HIPAA-HITECH any person can be prosecuted for violating the provision – including an employee or other person.
The "knowledge" requirement refers only to obtaining PHI, not to knowledge that such actions were in violation of HIPAA-HITECH.
HIPAA Criminal Penalties (Cont.)
Summary of Categories of Criminal Penalties: