(1)

You Probably Don’t Even Know

That You Need To Comply With HIPAA

(2)

About ERM

(3)

About The Speaker

Stephen Siegel, Esq., Of Counsel, Broad and Cassel

- Board Certified – Health Law

- Over 25 yrs. experience in private practice + 10 yrs. with CMS' predecessor agencies

- Practice includes regulatory compliance and HIPAA-HITECH compliance

- Member of Health Law and White Collar Defense/Compliance Practice Groups

- JD, Georgetown University Law Center

(4)

About Broad and Cassel

CYBER SECURITY | REGULATORY COMPLIANCE | DIGITAL FORENSICS

150+ Attorneys

Office Locations:

- Boca Raton

- Ft. Lauderdale

- Miami

- Tampa

- West Palm Beach

- Destin

- Jacksonville

- Orlando

(5)

About Broad and Cassel

Practice Areas include:

- Banking

- Commercial Litigation

- Computer & Tech. Law

- Corporate and Securities

- Elder Law

- Government Relations

- Health Law

- White Collar Defense & Compliance

- Housing

- Intellectual Property

- International Law

- Real Estate

- Labor and Employment

- Taxation

(6)

If I’m Not A Health Care Provider…

…Why Is This Relevant To Me?

(7)

Objective of HIPAA-HITECH

- Protect an individual's "protected health information" ("PHI") that becomes subject to an electronic "transaction"

- PHI belongs to the individual, NOT the business

- Covered Entities and Business Associates are viewed as having a fiduciary duty to protect the security and confidentiality of each individual's PHI

(8)

Critical Date

September 24, 2013

HIPAA-HITECH* EFFECTIVE FOR BUSINESS ASSOCIATES

IMPOSES MOST OF THE OBLIGATIONS OF COVERED ENTITIES ON THEIR BUSINESS ASSOCIATES

* (Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act of 2010)

(9)

What types of information are considered PHI?

PHI is information that is individually identifiable and related to:

- The individual's past, present or future physical or mental health or condition,

- The provision of health care to the individual,

- The past, present, or future payment for the provision of health care to the individual.

NOTE: PHI is NOT determined in relationship to a payer; it is determined by its relationship to the individual.

(10)

PHI - Examples

- Social Security Number

- Name

- Address

- Telephone Number

- Zip Code

- Diagnosis, Plan of Care

- Provider's Identity

- Credit Card Number

- Spouse's Identity

- Date of Birth

(11)

What is a “transaction”?

"Transaction means the transmission of information between two parties to carry out financial or administrative activities related to health care", including:

- Health care claims/encounter information;

- Health care payment and remittance advice;

- Coordination of benefits;

- Claims status;

- Enrollment/disenrollment status in a health plan;

- Referral certification and authorization;

- Health care electronic funds transfers.

(12)

Understanding your role

- Are you a Covered Entity (“CE”)?

- Are you a Business Associate (“BA”)?

NOTE: If the answer to both questions is "no", HIPAA-HITECH does not apply*

*But do not forget state privacy laws and other federal laws regarding protecting information that may be applicable

(13)

Covered Entities

Health Care Providers

"A provider of medical or health services and any other person or organization who furnishes, bills, or is paid for health care in the normal course of business."

"Health care means care, services or supplies related to the health of an individual", including, but not limited to: "Preventive, diagnostic, rehabilitative, maintenance or palliative care …."

Examples: hospitals, physicians, medical equipment suppliers, nursing homes

Health Plans

Clearinghouses

CEs should have been complying with HIPAA before 9/24/13

(14)

Business Associates

Person or entity who, on behalf of a Covered Entity, creates, receives, maintains or transmits PHI for a function or activity regulated by HIPAA-HITECH, including claims processing/administration, data analysis, utilization review, quality assurance, patient safety, billing, benefit management, practice management, etc.

(15)

Business Associates - Examples

- Billing service

- Claims processing

- Administrative service

- Computer software vendor

- Medical record storage

- Business equipment vendor

- Cloud storage vendors

- Accountants

- Lawyers

- Consultants

(16)

Business Associate Agreement (“BAA”)

- If a CE engages a BA, the CE must have a written business associate agreement ("BAA").

- The BAA must require the BA to comply with the Rules’ requirements for protecting the privacy and security of PHI.

- BAs are directly liable for compliance with certain provisions in the HIPAA-HITECH Rules.

- BAs need BAAs with sub-BAs.

(17)

Business Associates

Who is considered a BA under the Rules?

Persons or organizations outside the CE’s workforce (i.e., independent contractors and their subcontractors) that provide services which include the creation, maintenance, use or disclosure of PHI on behalf of a CE that has been the subject of an electronic transaction.

(18)

The Breach Notification Rule

What happens if an unauthorized party gets PHI?

- HIPAA-HITECH requires CEs to provide notification following a breach of unsecured PHI.

- The pre-HITECH presumption of no harm is discarded in HIPAA-HITECH.

NOTE: PHI that is encrypted is NOT unsecured and thus not subject to breach notification requirements.

(19)

The Breach Notification Rule (Cont.)

What is a breach?

A breach is an impermissible acquisition, access, use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.

An impermissible acquisition, access, use or disclosure of PHI is presumed to be a breach unless the CE can demonstrate that there is a low probability that the PHI has been compromised.

(20)

The Breach Notification Rule (Cont.)

A “low probability” that the PHI was compromised is demonstrated via a comprehensive and documented risk assessment.

If the CE/BA can establish through its risk assessment that there is a low probability that the PHI was compromised, breach notification is not required.

(21)

The Breach Notification Rule

If you are a CE or BA, here are some likely data breach sources:

- smart phones

- laptops

- thumb drives

- hackers

- unsecure vendors

- CDs or DVDs

- tablets

- digital cameras

- e-mail archives

- digital dictation

- hard drives

- cloud storage

- gossip

- unhappy employees

(22)

Conducting a Risk Assessment

After a breach, evaluate at least the following 4 factors:

a. The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification.

b. The unauthorized person who used the PHI or to whom the disclosures were made.

c. Whether the PHI was actually acquired or viewed.

d. The extent to which the risk to the PHI has been mitigated.

   - The extent and efficacy of the mitigation may depend on the recipient; was it a BA or CE or a third party?

(23)

The Breach Notification Rule (Cont.)

- The burden is on the CE/BA to demonstrate that a breach has not occurred and notification is not required.

- The risk assessment must be thoroughly documented.

- In lieu of a risk assessment, the CE can choose to simply notify the individuals whose PHI was improperly used or disclosed, as well as the press and HHS-OCR (as required).

(24)

Who must be notified of a breach?

Following a breach of unsecured PHI a Covered Entity must notify:

The individual whose PHI has been compromised or is believed to have been compromised. The notification must include:

- What happened and when;

- The type of unsecured PHI involved;

- Steps the individual should take to protect him/herself from potential harm from the breach;

- What the CE is doing to investigate and mitigate the breach and prevent further breaches; and

- Contact information for individuals to ask questions.

(25)

Who must be notified of a breach? (Cont.)

Media Notice: Breach involving more than 500 residents in a state or jurisdiction - the entity must notify prominent media outlets, in addition to the affected individuals, within 60 days of discovery of the breach.

Notice to the Secretary of the Department of Health and Human Services (DHHS):

- Breach involving 500 or more individuals - the entity must notify DHHS within 60 days of discovery.

- Fewer than 500 individuals - the entity may notify the Secretary within 60 days of the end of the calendar year in which the breach occurred.

(26)

Who must be notified of a breach? (Cont.)

Notification by a Business Associate:

- If the breach of unsecured PHI occurs at or by a BA, the BA must notify the CE without unreasonable delay, as required by the BA Agreement, but no later than 60 days after discovering the breach, and

- The BA must provide sufficient information for the CE to notify the affected individual(s).

Note: the BAA may require the BA to do more:

- Indemnification

- Credit protection

(27)

Enforcement of the Rules

- The Office for Civil Rights (OCR) enforces the HIPAA Privacy, Security and Breach Notification Rules.

- The OCR implemented a pilot program that audited 115 covered entities in 2011 and 2012.

- OCR is now randomly auditing compliance of CEs and BAs.

(28)

Audit Protocol

The OCR audit protocol includes:

Privacy Rule:

- Notice of privacy practices for PHI,

- Rights to request privacy protection for PHI,

- Access of individuals to PHI,

- Administrative requirements,

- Uses and disclosures of PHI,

- Amendment of PHI,

- Accounting of disclosures.

Security Rule:

- Administrative, physical and technical safeguards

Breach Notification Rule requirements.

(29)

Audits (Cont.)

- Every CE and BA (and, presumably, sub-BAs) is subject to auditing.

- Although audits are viewed as compliance improvement tools, a particular violation may lead to sanctions and penalties.

- If an audit indicates a serious compliance issue it may trigger a separate enforcement investigation by OCR or DOJ.

(30)

Audit Results

Privacy Rule violations:

- Failure to provide appropriate patient access to records,

- Insufficient Notice of Privacy Practices,

- Lack of Policies and Procedures.

(31)

Audit Results

Security Rule violations:

- Failure to monitor user activity,

- Lack of contingency planning,

- Authentication/integrity,

- Media reuse and destruction.

(32)

OCR’s Complaint Investigation (pre HIPAA-HITECH)

The Top 5 OCR investigation issues:

- Impermissible uses and disclosures of PHI

- Lack of safeguards

- Access to records

- Failure to keep access to “minimum necessary”

- No or insufficient Notice of Privacy Practices

OCR Complaint Statistics (April 2013), through December 2012:

- Complaints received: 77,190

- Complaints resolved: 70,800

- Corrective action required: 18,711

- No violation: 8,971

(33)

Who is looking at you

HIPAA-HITECH allows for enhanced sanctions and penalties and expands HIPAA’s enforcement provisions.

Enforcement agencies include:

- OCR

- DOJ

- State Attorneys General

- Whistleblowers (?)

- Patients/family members (?)

(34)

Non-Compliance Risk

Failure to comply with HIPAA-HITECH could result in:

- Federal/State penalties/fines/licensure action

- Criminal or civil investigation and prosecution

- Loss of contracts

- Public harm and reputational risk

- Legal costs

- Cost of notification of breach

- Private damage judgment

(35)

Civil Money Penalty Structure

The Department will determine the penalty amounts based on the nature and extent of the violation and the nature and extent of the

Violation Category, Section 1176(a)(1)   | Each Violation    | All violations of same provision in one calendar year

(A) Did not know                         | $100-$50,000      | $1,500,000

(B) Reasonable Cause                     | $1,000-$50,000    | $1,500,000

(C)(i) Willful Neglect – Corrected       | $10,000-$50,000   | $1,500,000

(C)(ii) Willful Neglect –

(36)

HIPAA Criminal Penalties

A person who knowingly obtains or discloses PHI in violation of HIPAA-HITECH may be subject to criminal liability.

That is, knowingly in violation of HIPAA-HITECH:

- Uses or causes to be used a unique health identifier;

- Obtains individually identifiable health information relating to an individual; or

- Discloses individually identifiable health information to another person.

(37)

HIPAA Criminal Penalties (Cont.)

- Under HIPAA-HITECH any person can be prosecuted for violating the provision – including an employee or other person.

- The “knowledge” requirement refers only to obtaining PHI, not to knowledge that such actions were in violation of HIPAA-HITECH.

(38)

HIPAA Criminal Penalties (Cont.)

Summary of Categories of Criminal Penalties:

Level of Knowledge/Intent                                                                                    | Criminal Penalty

A person knowingly obtains or discloses PHI in violation of HIPAA                                             | Up to $50,000, and/or imprisonment up to 1 year

If such offense is committed under false pretenses                                                            | Up to $100,000, and/or imprisonment up to 5 years

If such offense is committed with the intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm | Up to $250,000, and/or

(39)

HORROR STORIES

- AvMed: Lost laptop; private state action

- Affinity Health Plan: Photocopier memories; 350,000 members; $1.3 million

- Advocate Medical Group: 4 million members; 4 mainframes stolen; 4 weeks to notify; $ ????????

(40)

Fines, Penalties and Settlement Agreements

$1.5M Settlement - Massachusetts Eye and Ear Infirmary (MEEI) (9/12).

- MEEI reported the theft of a laptop containing unencrypted PHI. The laptop contained information about MEEI’s patients, incl. patient prescriptions and clinical information.

- OCR concluded that MEEI showed a long-term organizational disregard for the requirements of the Security Rule.

- In addition to the $1.5M settlement MEEI must adhere to a corrective action plan and must retain an independent compliance monitor and render semi-annual reports to HHS for 3 years.

(41)

Fines, Penalties (Cont.)

$4.3M Fine – Cignet Health, 2010

HIPAA Privacy Rule Violation

- 41 patients denied access to medical records and individually filed complaints with OCR.

- Cignet refused to cooperate with OCR in its investigation, incl. refusing to produce the subpoenaed records.

- $1.3M fine for denying patients access to their records

- $3M fine for the failure to cooperate with OCR

(42)

Fines, Penalties (Cont.)

$1.5M Settlement – Blue Cross Blue Shield of Tennessee, March 2012

- Theft of 57 computer hard drives containing unencrypted PHI of over 1 million individuals.

- Compromised PHI included: Names, SSN#, DOB, and Diagnosis Codes

- OCR’s investigation showed a failure to implement physical safeguards in violation of the Security Rule.

(43)

Fines, Penalties (Cont.)

$1.0M Settlement – Massachusetts General Hospital (2/2011).

- Loss of PHI of 192 patients from the Infectious Disease Associates O/P practice.

- Compromised PHI included: List of Names of Patients, DOB, Diagnosis, etc.

- OCR’s investigation showed a failure to implement safeguards to protect PHI when removed from premises. (Documents were lost by an employee who left them behind on a subway train.)

(44)

How can you reduce your risk?

Perform self-audits!

Review and update policies and procedures for:

- Administrative Safeguards,

- Physical Safeguards, and

- Technical Safeguards as they pertain to the Privacy and Security Rules.

Review your Breach Notification procedures.

EDUCATE, EDUCATE, EDUCATE

…and document, document, document…

(45)

Administrative Safeguards

Designate a privacy officer responsible for reviewing, updating, and documenting policies concerning:

- Potential risks to PHI and e-PHI and implementation of measures to reduce the risk and vulnerability of the information,

- Keeping authorized access to PHI and e-PHI to the “minimum necessary” based on the user’s role,

- Periodic training of workforce members,

- Compliance with BAA requirement

(46)

Administrative Safeguards (Cont.)

Training of workforce members and BAs should include:

- Annual training for everyone

- Immediate training of new hires/BAs

Have processes in place to evaluate and sanction violations.

Workforce members include employees, volunteers, trainees and others under the CE’s direct control.

(47)

Physical Safeguards

Privacy officer should review, revise and document the following:

- Physical access to the entity’s facility should be limited to authorized access,

- Proper use of and access to workstations and electronic media, including transfer, disposal, and re-use of electronic media.

(48)

Technical Safeguards

Privacy officer should review, revise, and document:

- Technical procedures allowing only authorized personnel access to e-PHI,

- Hardware or software that records access to and activity in systems that contain e-PHI,

- Electronic measures in place to ensure that e-PHI is not improperly altered or destroyed,

- Technical security measures that protect e-PHI that is transmitted over an electronic network

(49)

Document your self-audits

- Must maintain written security policies and procedures and written records of required actions, activities or assessments.

- These records must be maintained until 6 years after the later of their date of creation or their last effective date.

- While BAs are not obligated to self-audit, is it a good idea?

(50)

SUMMARY

- Self-audit – start now!

- Designate a privacy officer and review your privacy, security and breach notification processes and procedures,

- Identify your risks and take steps to remove or reduce them,

- EDUCATE your workforce members, and

- DOCUMENT, DOCUMENT, DOCUMENT!

(51)

Your go-to advisors for all matters in information security.

www.emrisk.com

800 S Douglas Road #940, Coral Gables, FL 33134

Phone: 305-447-6750

Email: info@emrisk.com

Stephen H. Siegel, Esq.: 305-373-9424
