Disclaimer 8/8/2014. Current Developments in Privacy and Security Rule Enforcement

N/A
N/A
Protected

Academic year: 2021

Share "Disclaimer 8/8/2014. Current Developments in Privacy and Security Rule Enforcement"

Copied!
19
0
0

Loading.... (view fulltext now)

Full text

(1)

Office of the Secretary
Office for Civil Rights (OCR)

Andrew C. Kruley, J.D.
Equal Opportunity Specialist (Investigator)

August 11, 2014

Current Developments in Privacy and Security Rule Enforcement

Michigan Medical Billers Association

OCR

Disclaimer

These PowerPoint slides, along with the remarks of Mr. Kruley, are intended to be purely informational and informal in nature. Nothing in the slides or in Mr. Kruley’s statements is intended to represent or reflect the official interpretation or position of the Department of Health and Human Services or the Office for Civil Rights.

Topics

• 2013: A Major Year for Privacy and Security
• Recent OCR Enforcement Actions
• Enforcement Statistics and Upcoming Enforcement Activities
• Omnibus Regulations and Related Guidance
• Patients’ Right to Restrict and the Breach Notification Rule
• Compliance Audits
• OCR Resources

HIPAA Enforcement Actions: Recent Cases and Trends

Security Rule and Privacy Rule Cases from 2013

Affinity Settles in Photocopier Security Rule Breach Case for $1,215,780

Affinity Health Plan impermissibly disclosed the PHI of up to 344,579 individuals when it returned multiple photocopiers to a leasing agent without erasing the data contained on the copier hard drives.

• OCR’s investigation revealed that Affinity failed to incorporate the electronic protected health information (ePHI) stored on the copiers’ hard drives in its analysis of risks and vulnerabilities as required by the Security Rule, and failed to implement policies and procedures when returning the hard drives to its leasing agents.
• The corrective action plan required Affinity to use its best efforts to retrieve all hard drives that were contained on photocopiers previously leased and that remained in the possession of the leasing agent, and to take certain measures to safeguard all ePHI.

WellPoint pays $1.7 million for leaving information accessible over Internet

WellPoint’s breach report indicated that security weaknesses in an online application database left the electronic protected health information (ePHI) of 612,402 individuals accessible to unauthorized individuals over the Internet.

OCR’s investigation indicated that WellPoint did not implement appropriate administrative and technical safeguards as required under the HIPAA Security Rule:
◦ WellPoint did not adequately implement policies and procedures for authorizing access to the on-line application database.
◦ Did not perform an appropriate technical evaluation in response to a software upgrade to its information systems.
◦ Did not have technical safeguards in place to verify the person or entity seeking access to ePHI maintained in its application database.

Hospice of North Idaho, a Small Provider, Pays $50,000 to Settle

This was the first case involving a breach report for PHI of fewer than 500 individuals which resulted in the execution of a Resolution Agreement by the CE and the payment of a Resolution Amount to OCR, namely $50,000.

In 2010, Hospice of North Idaho (HONI) submitted a breach notification, reporting that a laptop containing the PHI of 441 patients had been stolen.

OCR’s investigation showed that HONI had not conducted a risk analysis and had not promulgated a policy designed to ensure the security of PHI held on mobile media devices.

Since the breach was discovered, HONI did take substantial steps to improve its privacy and security compliance program.

Adult & Pediatric Dermatology Pays $150,000 to Settle Breach Notification Case

OCR received a report that an unencrypted thumb drive containing ePHI for 2200 individuals was stolen from a staffer’s car. The thumb drive was never recovered.

OCR’s investigation showed that APDerm had not conducted an analysis of risks and vulnerabilities regarding ePHI.

APDerm did not have a written policy for reporting breaches and training employees on Privacy and Security Rule issues.

Shasta Regional Medical Center Settles Privacy Rule Case for $275,000 for Impermissible Disclosure

SRMC failed to safeguard the patient’s protected health information (PHI) from impermissible disclosure by intentionally disclosing PHI to multiple media outlets on at least three separate occasions, without a valid written authorization.

OCR’s review indicated that senior management at SRMC impermissibly shared details about the patient’s medical condition, diagnosis and treatment in an email to the entire workforce.

In addition, SRMC failed to sanction its workforce members for impermissibly disclosing the patient’s records pursuant to its internal sanctions policy.

A corrective action plan (CAP) required SRMC to update its policies and procedures on safeguarding PHI from impermissible uses and disclosures and to train its workforce members. The CAP also required fifteen other hospitals or medical centers under the same ownership or operational control as SRMC to attest to their understanding of permissible uses and disclosures of PHI, including disclosures to the media.

Lessons Learned

Risk Analysis
• HIPAA covered entities and their business associates are required to undertake a careful risk analysis to understand the threats and vulnerabilities to individuals’ data, and have appropriate safeguards in place to protect this information.

Take caution
• When implementing changes to information systems, especially when those changes involve updates to Web-based applications or portals that are used to provide access to consumers’ health data using the Internet.

Senior leadership
• Helps define the culture of an organization and is responsible for knowing and complying with the HIPAA privacy and security requirements to ensure patients’ rights are fully protected.

Enforcement Statistics and Upcoming Enforcement Activities

HIPAA Compliance/Enforcement (As of December 31, 2013)

Total (since 2003):
• Complaints Filed: 90,000
• Cases Investigated: 31,925
• Cases with Corrective Action: 22,026
• Civil Monetary Penalties & Resolution Agreements (since 2008): $18.6 million

Top Five Issues Nationally in Cases Closed in 2013 with Corrective Action

1. Impermissible Uses and Disclosures of PHI
2. Lack of adequate physical, technical, or administrative safeguards
3. Individuals or their Representatives Being Denied Access to their PHI
4. Minimum Necessary
5. Lack of Mitigation by CE

Eye to the Future

• Increased efficiency
• High-impact cases
• Audit

HHS expects full compliance, no matter the size of a covered entity. Assure that policies relating to privacy, security and breach notification are up-to-date and effectively implemented.

HIPAA Privacy, Security, Breach Compliance and Enforcement – What’s to Come

Resolution Agreements/Corrective Action Plans
• Continue to increase activity and resources
• Maintain focus on fundamentals of compliance programs
• Address emerging issues

Investigated Complaints/Compliance Reviews
• New web portal for complaints/centralized intake: https://ocrportal.hhs.gov/ocr/cp/complaint_frontpage.jsf
• Strategic approach to increase efficiencies, identify cases for investigation

Breach Reports
• Redesigned website for 500+ postings: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

HIPAA/HITECH Guidance

HIPAA/HITECH Guidance – What’s Done

Omnibus Final Rule
◦ De-identification
◦ Combined Regulation Text
◦ Sample BA provisions
◦ Refill Reminder
◦ Factsheets on Student Immunizations and Decedents

Model Notice of Privacy Practices
◦ English and Spanish Versions

Other Guidance
◦ Ability to report serious and imminent threats
◦ Permitted mental health disclosures
◦ Right to access – updated for e-access requirements
◦ Law enforcement guide

Guidance Regarding the Sharing of Mental Health Information

In September 2013, OCR issued extensive guidance regarding the issue of when information about an individual who is receiving mental health care treatment can be shared with the individual’s family and others involved in his or her care.

The guidance also addresses the patient’s capacity to agree to or object to the sharing of such information. It also addresses related law enforcement issues.

Guidance Regarding Marketing and Refill Reminders

• Also in September 2013, OCR issued guidance regarding the “refill exception” from the marketing provision of the Privacy Rule.
• Normally, under the marketing provisions, as amended by the omnibus regulations that took effect in 2013, an individual has to provide written authorization before his or her PHI can be used for marketing purposes.
• However, the guidance makes clear that prescription refill reminders and other communications about a currently prescribed drug or biologic are generally exempt from the authorization requirement.
• In addition, a CE can receive financial remuneration from the drug manufacturer or similar third party provided that the remuneration is reasonably related to the CE’s cost of making the communication.

Guidance Regarding Disclosure of Decedents’ PHI

• The omnibus regulations contained changes to the original April 2003 version of the Privacy Rule regarding the ability of family members to access a deceased relative’s PHI.
• Originally, only an executor or administrator could access a decedent’s PHI, unless state law permitted other individuals, such as surviving spouses or adult children, to do so.
• Now, in most instances, any member of the family or other person who was involved in the provision of care to a deceased individual has a right to access his or her PHI, even if that person is not the decedent’s personal representative.
• In September 2013, OCR issued guidance regarding these changes to the Privacy Rule.

Model Notice of Privacy Practices

• Notice in the form of a booklet;
• A layered notice that presents a summary of the information on the first page, followed by the full content on the following pages;
• A notice with the design elements found in the booklet, but formatted for full page presentation;
• A text only version of the notice;
• Different versions for plans and health care providers.

http://www.hhs.gov/ocr/privacy/hipaa/modelnotices.html

HIPAA/CLIA Final Rule Now in Effect: Patient Right of Access to Test Results

• Center for Medicare and Medicaid Services Enforcement – Amends Clinical Laboratory Improvement Amendments (CLIA) regulations to allow labs to give patients completed test results
• OCR Enforcement – Amends HIPAA right to access to remove exemption for CLIA labs
◦ Individual has right to access and get copy of PHI in DRS of labs, including right to electronic copy
◦ Access obligations on labs same as for other covered entities
◦ Individual can still go through physician to obtain test results
• Dates
◦ Publish in FR -- February 6
◦ Effective Date -- April 7
◦ HIPAA Compliance Date -- October 8

HIPAA/HITECH Guidance – What’s to Come

Guidance on Omnibus Final Rule
◦ Breach Safe Harbor Update
◦ Breach Risk Assessment Tool
◦ Minimum Necessary
◦ More on Marketing
◦ Security Rule Updates – small provider risk analysis tool
◦ More Factsheets on other provisions

Model Notice
◦ Web based version – challenge issued

Other
◦ YouTube – new content; more Spanish versions
◦ Medscape – new module coming soon -- EHRs and HIPAA: Steps for Maintaining the Privacy and Security of Patient Information

Patients’ Right To Restrict PHI

Patient Right to Request Restrictions – Old Rule

Under the April 2003 version of the Privacy Rule, an individual had the right to request a covered entity to place a restriction regarding use and disclosure of his or her PHI for treatment, payment, and health care operations (and certain other reasons).

The CE was not required to agree to any restriction. However, if the CE did agree, the CE was bound by the restriction.

Right to Require Restrictions – New Rule as of September 2013

• Under the Omnibus Regulations, the CE must agree to an individual’s request to restrict the disclosure of PHI to the individual’s health plan if:
◦ PHI pertains solely to health care for which the individual (or a person on behalf of the individual other than the health plan) has paid the CE in full, out-of-pocket; and
◦ The disclosure is not required by other law.
• The CE is encouraged, but not required, to notify downstream providers of the restriction.
• The Preamble to the Omnibus Regulations contained in the January 25, 2013 issue of the Federal Register provides guidance on the scope of the restriction and other potential implementation issues, including a number of illustrative, hypothetical cases.
• The old permissive rule still applies to all other requests for restrictions from an individual.

Breach Notification Highlights

September 2009 through November 6, 2013:
• 682 reports involving over 500 individuals
• 84,963 reports involving under 500 individuals

Top types of large breaches
◦ Theft
◦ Unauthorized Access/Disclosure
◦ Loss

Top locations for large breaches
◦ Laptops
◦ Paper records
◦ Desktop Computers
◦ Portable Electronic Device

Spotlight on Largest Breaches of 2012

• Hacking network server – 780,000 affected
• Backup tapes stored at hospital cannot be found and are presumed lost – 315,000 affected
• Unencrypted emails sent to employee’s unsecured email address – 228,435 affected
• Theft of laptop from employee’s vehicle – 116,506 affected
• Unauthorized access to e-PHI stored in database – 105,646 affected
• Hacking database stored on network server – 70,000 affected

Breach Notification: 500+ Breaches by Type of Breach (Data as of January 2013)

Theft: 51%
Unauthorized Access/Disclosure: 20%
Loss: 14%
Hacking/IT Incident: 7%
Improper Disposal: 5%
Unknown: 3%

Breach Notification: 500+ Breaches by Location of Breach (Data as of January 2013)

Laptop: 23%
Paper Records: 22%
Desktop Computer: 15%
Portable Electronic Device: 14%
Network Server: 11%
Other: 10%
E-mail: 3%
EMR: 2%

COMPLIANCE AUDITS

Audit Program

HITECH Act – Sec. 13411
◦ Periodic audits to ensure covered entities and business associates comply with requirements of HIPAA and HITECH

Audit Objectives
◦ Examine mechanisms for compliance
◦ Identify best practices
◦ Discover risks and vulnerabilities that may not have come to light through complaint investigations and compliance reviews
◦ Renew attention of covered entities to health information privacy and security compliance activities

Compliance and Enforcement: Audit – Where We Have Been

Audit Pilot Completed

Pilot Process
◦ Tiered approach for snapshot of compliance across covered entity types, sizes, complexity
◦ Sample of 115 covered entities selected spread across 4 tiers
◦ All audits were completed by December 2012
◦ OCR published audit protocol
◦ Issued final reports to entities audited in pilot

Audit Pilot Observations

Completed Audits of 115 entities
◦ 61 Providers, 47 Health Plans, 7 Clearinghouses

No findings or negative observations for 13 entities (11%)
◦ 2 Providers, 9 Health Plans, 2 Clearinghouses

Total 979 audit findings and observations
◦ 293 Privacy
◦ 592 Security
◦ 94 Breach Notification

Percentage of Security Rule findings and observations was double what would have been expected based on the protocol.

Smaller entities (Level 4) struggled with all three areas.

Summary of Entities Audited

Level 1 Entities
• Large Provider / Payer
• Extensive use of HIT - complicated HIT enabled clinical / business work streams
• Revenues and/or assets greater than $1 billion

Level 2 Entities
• Large regional hospital system (3-10 hospitals/region) / Regional Insurance Company
• Paper and HIT enabled work flows
• Revenues and/or assets between $300 million and $1 billion

Level 3 Entities
• Community hospitals, outpatient surgery, regional pharmacy / All Self-Insured entities that don’t adjudicate their claims
• Some but not extensive use of HIT – mostly paper based workflows
• Revenues between $50 million and $300 million

Level 4 Entities
• Small Providers (10 to 50 Provider Practices, Community or rural pharmacy)
• Little to no use of HIT – almost exclusively paper based workflows
• Revenues less than $50 million

Size/Type of Entities Audited (Data as of December 2012)

Entity type                Level 1  Level 2  Level 3  Level 4  Total
Health Plans                    13       12       11       11     47
Healthcare Providers            11       16       10       24     61
Healthcare Clearinghouses        2        3        1        1      7
Total                           26       31       22       36    115

Types of Privacy Rule Audit Findings (Data as of December 2012)

Notice of Privacy Practices: 20%
Restriction Requests & Alternative Communications: 2%
Individual Right of Access: 16%
Administrative Standards: 18%
Uses and Disclosures of PHI: 44%

Types of Security Rule Audit Findings (Data as of December 2012)

Risk Analysis: 12%
Access Management: 14%
Security Incident Procedures: 9%
Contingency Planning: 18%
Audit Controls and Monitoring: 14%
Movement and Destruction of Media: 14%

Compliance and Enforcement: Audit – What’s Ahead in 2014

Formal Program Evaluation 2013

Internal analysis for follow up and next steps
• Creation of technical assistance based on results
• Determine where entity follow up is appropriate
• Identify leading practices

Revise Protocol to reflect Omnibus Rule

Ongoing program design and focus
• Business Associates
• Accreditation / Certification correlations

Resumption of Audits in 2014

OCR will be conducting a second round of compliance audits on its own beginning later in 2014 and continuing into 2015.

OCR selected from a very large database an “oversupply” of 1200 organizations as possible subjects of the new round of audits. OCR is currently making determinations about the listed organizations to determine their suitability for audit. Roughly 800 of the organizations are covered entities and 400 are business associates.

New Issues Likely to be Covered in Audits

OCR expects to revise its 2012 audit protocol to include changes brought by the Omnibus Regulations.

OCR also expects a more intensive focus on organizations’ analysis of potential risks and vulnerabilities involving the PHI which they generate and which comes into their custody, as OCR found the lack of any and/or adequate risk analysis to be very high in the 2012 audit.

OCR RESOURCES

We’ve Been Busy

New Compliance Assistance Tools for Covered Entities and Business Associates

The HIPAA Omnibus Rule: https://www.youtube.com/watch?v=mX-QL9PoePU

New OCR Resource Center at Medscape.org: http://www.medscape.org/sites/advances/patients-rights
Video Programs module embedded into page for dynamic interest

OCR Educational Links, Including Mobile Device Content

Two New Learning Modules for Free CME and CE Credit

• The goal of this activity is to describe steps in analyzing and managing risks related to the security of protected health information.
• The goal of this activity is to describe steps healthcare practices should take to assess and improve the security of protected health information on mobile devices.

http://www.medscape.org/viewarticle/810568
http://www.medscape.org/viewarticle/810563

Consumer Awareness and Engagement

Your New Rights Under HIPAA - Consumers: https://www.youtube.com/watch?v=3-wV23_E4eQ
Over 262,000 views since September 4, 2013

Visit us at http://www.youtube.com/USGovHHSOCR

OCR’s YouTube Videos (1,840,997 total views from Feb 16, 2012 to Jan 30, 2013)

Su Informacion de Salud, Sus Derechos: 503,898 views
HIPAA Security Rule: 291,263 views
The HIPAA Omnibus Rule: 273,927 views
Your New Rights Under HIPAA: 264,781 views
Explaining the Notice of Privacy Practices: 124,888 views
Your Health Information, Your Rights: 116,291 views
Communicating with Friends and Family: 97,428 views
The Right to Access Your Health Information: 84,909 views
Treatment, Payment and Health Care Operations: 77,967 views
EHRs: Privacy and Security: 5,645 views

Contact Information

• Andrew C. Kruley
• Equal Opportunity Specialist (Investigator)
• Office for Civil Rights – Region V
• United States Department of Health and Human Services
• 233 North Michigan Avenue – Suite 240
• Chicago, Illinois 60601
• 312-886-5888
• [email protected]
