
HIPAA Guidance Update: Providing Access to Individuals and Communicating with Family and Friends

Jim Sheldon-Dean, Director of Compliance Services
Lewis Creek Systems, LLC, www.lewiscreeksystems.com

For AAHAM Inland Empire 2017 Summer Conference, July 11, 2017

© Copyright 2017 Lewis Creek Systems, LLC All Rights Reserved [email protected] www.lewiscreeksystems.com 802-425-3839


Agenda

A. Overview of HIPAA Regulations
• The Origins and Purposes of HIPAA
• Privacy Rule History and Objectives
• Security Rule History and Objectives
• Breach Notification Requirements, Benefits, and Results

B. Access to PHI – HHS Priority Topic
• Patient Rights of Access
• The Access & Amendment Processes
• Patient Rights and Communications
• 2016 HHS Guidance on Access of PHI
• Individual Access and the 21st Century Cures Act

Break

C. Communications Issues with Individuals, Family and Friends
• Exercise of Individual Rights
• Dealing with New Technologies
• Allowable Disclosures for Payment
• Guidance on Communications with Family and Friends

D. The Bigger Picture: Learning from the Mistakes of Others
• Issues Identified in Breaches
• Issues Identified in Audits
• Issues Identified in Enforcement Actions
• Emerging Issues: Business Associates, Hackers


My Background

• Disclaimer: I am an engineer and not a lawyer. This is not legal advice – I am only providing information and resources

• BSCE (Civil Engineering) from UVM, MST (Transportation) from MIT

• 35 years in consulting, information systems, software development, and security

• Process, problem-solving oriented

• 8 years as Vermont EMT, crew chief

• 17 years specializing in HIPAA and health information privacy and security regulatory compliance

• See www.lewiscreeksystems.com for more details, resources, information security compliance news, etc.


What is HIPAA?

• The Health Insurance Portability and Accountability Act of 1996

• The Portability part is being able to change health plans and have continuous coverage of pre-existing conditions

• The Accountability part is protecting the Privacy and Security of Health Information


HIPAA Privacy & Security Rules

• Privacy Rule – 45 CFR §164.5xx; Enforceable since 2003

– Establishes Rights of Individuals

– Controls on Uses and Disclosures

– Access of PHI is a hot button issue for HHS

• Security Rule – 45 CFR §164.3xx; Enforceable since 2005

– Applies to all electronic PHI

– Flexible, customizable approach to health information security

– Uses Risk Analysis to identify and plan the mitigation of security risks

• 2013 Omnibus Update Rule, with Preamble, available at: http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf


HIPAA Breach Notification Rule

• Breach Notification Rule

– 45 CFR §164.4xx; Enforceable since February 2010

– Requires notification of breaches of unsecured PHI to the affected individuals and to HHS (and, for breaches affecting more than 500 residents of a State, to prominent media outlets)

– Extensive/expensive obligations

– Provides examples of what not to do on the HHS “Wall of Shame”: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

• HHS Breach Notification Rule definitions, information: http://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html

• Combined Rules as of March 2013 published by HHS OCR, available at: http://www.hhs.gov/ocr/privacy/hipaa/administrative/combined/index.html


What is a Breach Under HIPAA?

• §164.402: a Breach is any acquisition, access, use, or disclosure of PHI not permitted by the Privacy Rule, except if:

– Unintentional acquisition, access, or use by a workforce member acting in good faith and within the scope of authority, with no further use or disclosure

– Inadvertent disclosure by a person authorized to access PHI to another authorized person at the same entity, with no further use or disclosure

– Good-faith belief that the recipient could not reasonably have retained the information (e.g., returned intact, unopened, unviewed)

• If no exception applies, it is a Breach, but notification is not required if the PHI was Secured (encrypted per HHS guidance, or destroyed)

• Otherwise: a Breach of unsecured PHI is presumed reportable unless the entity documents a “low probability that the PHI has been compromised,” based on a risk assessment examining at least:

1. the nature and extent of the PHI involved: what the information was, how sensitive it is, which identifiers it carried, and how likely re-identification is

2. the unauthorized person who used the PHI or to whom it was disclosed

3. whether the PHI was actually acquired or viewed

4. the extent to which the risk has been mitigated
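The sequence above (definition, three exclusions, secured PHI, four-factor assessment, notification clocks) is a decision procedure an incident-response team has to apply consistently, so here it is written out as one. This is an added example and not code from the slide deck or from HHS. The regulatory steps are real (45 CFR §164.402, and the 60-day deadlines of §164.404 for individuals and §164.408 for HHS); the Incident record layout, the boolean encoding of the four factors, the constructed incidents and the policy that every factor must support low probability before the presumption of breach is rebutted are assumptions of this example.

```python
"""Breach triage after an impermissible use or disclosure of PHI (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import List, Optional


class Exclusion(Enum):
    """The three 164.402(1) exclusions; if any applies, the event is not a breach."""
    NONE = "no exclusion applies"
    UNINTENTIONAL_WORKFORCE = ("unintentional good-faith acquisition, access or use by a workforce "
                               "member within the scope of authority, no further use or disclosure")
    INADVERTENT_AUTHORIZED = ("inadvertent disclosure between persons authorized to access PHI "
                              "at the same entity, no further use or disclosure")
    NOT_RETAINABLE = "good-faith belief the recipient could not reasonably have retained the PHI"


@dataclass
class Incident:
    discovered: date                  # date the entity knew, or should have known, of the event
    individuals_affected: int
    violates_privacy_rule: bool       # acquisition/access/use/disclosure not permitted by the Privacy Rule
    exclusion: Exclusion = Exclusion.NONE
    secured: bool = False             # encrypted per HHS guidance, or destroyed
    # Four-factor assessment, 164.402(2)(i)-(iv). True means the documented finding
    # supports a low probability of compromise (this boolean encoding is an assumption).
    limited_identifiers: bool = False  # (i) nature and extent: few identifiers, re-identification unlikely
    trusted_recipient: bool = False    # (ii) recipient is itself bound by HIPAA or a similar duty
    not_viewed: bool = False           # (iii) PHI was not actually acquired or viewed
    mitigated: bool = False            # (iv) e.g. recipient attested return or destruction


@dataclass
class Triage:
    is_breach: bool
    reportable: bool
    rationale: List[str]
    notify_individuals_by: Optional[date] = None
    notify_hhs_by: Optional[date] = None


def triage(inc: Incident) -> Triage:
    """Walk the 164.402 sequence and stop at the first step that settles the question."""
    if not inc.violates_privacy_rule:
        return Triage(False, False, ["use or disclosure was permitted: not a breach"])
    if inc.exclusion is not Exclusion.NONE:
        return Triage(False, False, ["164.402(1) exclusion: " + inc.exclusion.value])
    if inc.secured:
        # Notification is owed only for *unsecured* PHI.
        return Triage(True, False, ["PHI was secured per HHS guidance: no notification required"])

    factors = {
        "(i) nature and extent of the PHI": inc.limited_identifiers,
        "(ii) unauthorized person who received it": inc.trusted_recipient,
        "(iii) whether PHI was actually acquired or viewed": inc.not_viewed,
        "(iv) extent of mitigation": inc.mitigated,
    }
    against = [name for name, supports in factors.items() if not supports]
    if not against:
        # Policy choice of this example: the presumption of breach is rebutted only when
        # every documented factor supports a low probability of compromise.
        return Triage(True, False, ["risk assessment: low probability of compromise on all four factors"])

    # Reportable. Individuals: without unreasonable delay, at most 60 days after discovery (164.404).
    # HHS: 500 or more affected, same 60-day clock; fewer, logged and submitted within 60 days
    # after the end of the calendar year in which the breach was discovered (164.408).
    individuals_by = inc.discovered + timedelta(days=60)
    year_end = date(inc.discovered.year, 12, 31)
    hhs_by = individuals_by if inc.individuals_affected >= 500 else year_end + timedelta(days=60)
    return Triage(True, True,
                  ["presumed breach; factors not supporting low probability: " + "; ".join(against)],
                  individuals_by, hhs_by)


# Constructed incidents (not real cases) that exercise each branch.
LOST_ENCRYPTED_LAPTOP = Incident(date(2017, 7, 11), 3000, True, secured=True)
RETURNED_UNOPENED_MAIL = Incident(date(2017, 7, 11), 1, True, exclusion=Exclusion.NOT_RETAINABLE)
MISSENT_TO_BA = Incident(date(2017, 7, 11), 40, True, limited_identifiers=True,
                         trusted_recipient=True, not_viewed=True, mitigated=True)
LOST_USB_FULL_RECORDS = Incident(date(2017, 7, 11), 600, True)
WRONG_PATIENT_STATEMENT = Incident(date(2017, 7, 11), 2, True, mitigated=True)

if __name__ == "__main__":
    cases = [("encrypted laptop", LOST_ENCRYPTED_LAPTOP), ("returned mail", RETURNED_UNOPENED_MAIL),
             ("file sent to BA", MISSENT_TO_BA), ("lost USB", LOST_USB_FULL_RECORDS),
             ("wrong patient", WRONG_PATIENT_STATEMENT)]
    for name, inc in cases:
        t = triage(inc)
        print(f"{name}: breach={t.is_breach} reportable={t.reportable} "
              f"individuals_by={t.notify_individuals_by} hhs_by={t.notify_hhs_by}")
        print("  " + "; ".join(t.rationale))
```

The order of the checks matters: the exclusions and the secured-PHI test come before the four-factor assessment, so an encrypted lost laptop is a breach that needs no notification and never reaches the risk assessment, while an unencrypted one is presumed reportable until the documented factors say otherwise. The rationale list is what goes in the incident file, because §164.414 puts the burden of proof on the entity to show why it did not notify.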


Is It a Reportable Breach?


Learning from Past Breaches

• Breaches are caused by hackers, loss of PHI, theft of PHI, malicious insiders, and user errors

• Breaches are prevented by good processes, good security methods, and good people who know how to do the right thing carefully

• Breaches can lead to enforcement penalties in the millions of dollars https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/index.html


Trends in Breaches

• Hacking impact is way UP

• Laptops and Portable Electronic Devices still the leading preventable cause of breaches

• Malicious Insiders still a threat

• Increasing new threats from new technologies, like insecure e-mail, texting, and social media

• Most small breaches affect one or two individuals – paper handling mistakes

• http://www.hhs.gov/hipaa/for-professionals/breach-notification/reports-congress/index.html


A Few Definitions

• Protected Health Information (PHI): Individually identifiable information about health, health care or payment for healthcare services; past, present, future; in any form or format

• Disclosure: the release, transfer, provision of, access to, or divulging in any other manner of information outside the entity holding the information

• As distinct from Use: the sharing, employment, application, utilization, examination, or analysis of individually identifiable health information within an entity that maintains such information

• Designated Record Set (DRS): The medical records and billing records about individuals maintained by or for a covered health care provider; Used, in whole or in part, by or for the covered entity to make decisions about individuals.


Is it important to manage access of records properly?

• Yes, it is one of only two circumstances when a covered entity must disclose PHI, per Privacy Rule §164.502(a)(2): to the individual, and to HHS when it investigates compliance

• Yes, based on enforcement actions

– $4.3 million civil money penalty against Cignet Health, which did not provide records as requested by individuals and did not cooperate with HHS investigators

– http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/examples/cignet-health/index.html

• Yes, based on 2012 Audit results: The top 2 Privacy issues are access related

– Review process for denials of individual access to records

– Failure to provide appropriate individual access to records

• Yes, it was one of the few focus areas in the 2016 HIPAA Audits


Designated Record Set

In 45 CFR §164.501:

(1) A group of records maintained by or for a covered entity that is:

(i) The medical records and billing records about individuals maintained by or for a covered health care provider;

(ii) The enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or

(iii) Used, in whole or in part, by or for the covered entity to make decisions about individuals.

NOTE! This includes information received from other providers


What is your Designated Record Set?

• The DRS is PHI about which patients have rights for:

– Requesting Access

– Requesting Copies

– Requesting Amendment

• Where is your Designated Record Set?

– Your EHR/EMR

– Your Practice Management system

– Radiology systems

– Pharmacy systems

– Laboratory systems

– Databases and spreadsheets

– Miscellaneous documents

• Defining the DRS is required in Privacy Rule § 164.524(e)(1)


What is NOT in your DRS?

• Information used for:

– internal management purposes,

– certifications,

– evaluations,

– reviews,

– compliance,

– appointment information,

– schedules,

– incident reports,

– research, and

– anything else that is not used to make decisions about the patient, even if it has the patient’s name associated with it


What to do with your DRS

• Make the DRS list available to HIM for responding to records requests from individuals

• Know how to get copies of PHI from each file or system with DRS data

– Are you prepared to make copies?

– Are you prepared to amend PHI in the DRS?

• Know how you will satisfy requests for electronic records

– What format for data, and how transmitted?

• Have your EHR make DRS data available through the patient portal

– Can the EHR integrate DRS data from other sources and display it for individuals?


Individual Access of PHI

• Must have a process for individuals to request access for free, with copies for a reasonable cost-based fee

• Must have a process for managing denials of access

• Must provide the entire record in the Designated Record Set if requested:

– Medical and billing records used in whole or in part to make decisions related to health care

– Information kept electronically must be available electronically if requested

– Exceptions for Psychotherapy notes, information compiled for civil, criminal, or administrative proceedings, cases where harm may result, and other specific exceptions

– Lab results now may be accessed by the individual directly from the laboratory, effective April 7, 2014

• 30-day extension for offsite data no longer allowed

• Access of PHI by individuals is a HOT BUTTON issue for HHS


HIPAA Right of Access

§164.524(a) Standard: Access to protected health information

(1) Right of Access. The individual has a right to access, inspect, and obtain a copy of PHI in the Designated Record Set, except for:

(i) Psychotherapy Notes

(ii) Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding

(iii) Section Removed – CLIA exemption removed: Now individuals may access test results directly from laboratories


Denial of Access

More §164.524(a)

(2) Unreviewable Grounds for Denial. A Covered Entity may deny access for:

(i) PHI excepted under (1) above

(ii) Inmate records, where the correctional institution or its provider determines that access would jeopardize the health, safety, security, custody, or rehabilitation of the inmate or others

(iii) Research that includes treatment, while the research is in progress, if the individual agreed to the temporary denial when consenting to participate and was told that access will be reinstated when the research is complete

(iv) PHI in records subject to the Privacy Act, 5 U.S.C. 552a, where that Act would deny access

(v) PHI obtained from someone other than a health care provider under a promise of confidentiality, where the access requested would be reasonably likely to reveal the source of the information


Denial of Access

More §164.524(a)

(3) Reviewable Grounds for Denial

(i) A licensed health care professional determines that access is reasonably likely to endanger the life or physical safety of the individual or another person

(ii) The information references another person (not a health care provider) and access is reasonably likely to cause substantial harm to that person

(iii) Access is requested by a personal representative and is reasonably likely to cause substantial harm to the individual or another person

(4) Review of Denial of Access – If access is denied under (3) above, the individual can request review by another licensed health care professional, designated by the covered entity, who did not take part in the original decision


The Access Process

§164.524(b) Implementation specifications: Requests for access and timely action.

(1) Individual’s Request for Access. Must permit requests for access to PHI in the DRS; may require requests in writing, provided individuals are informed of that requirement

(2) Timely Action by the Covered Entity.

(i) Must act within 30 days; must inform of action and provide access or a written denial

(ii) If can’t act within 30 days, may extend 30 days, once only, with an explanation and expected date of delivery

Automatic 30-day extension for offsite records removed

§164.524(c) Implementation specifications: Provision of Access.

(1) Must provide access, just one copy if there are duplicates


Individual Preferences for Communication

• §164.522(b)(1) Standard: Confidential Communications Requirements

– (i) A covered health care provider must permit individuals to request and must accommodate reasonable requests by individuals to receive communications of PHI from the covered health care provider by alternative means or at alternative locations.

• §164.524(c) Provision of Access

– (2) Form of access requested. (i) The covered entity must provide the individual with access to the PHI in the form or format requested by the individual, if it is readily producible in such form or format; or, if not, in a readable hard copy form or such other form or format as agreed to by the covered entity and the individual.

– New (c)(2)(ii), added by the 2013 Omnibus Rule: if the PHI is maintained electronically, the individual may request an electronic copy, which must be provided in the form and format requested if readily producible, or otherwise in a readable electronic form agreed to by the covered entity and the individual.

• You Must Establish a Process to Handle Requests:

– Must accommodate reasonable requests

– Provide ability to mail to alternate addresses, not receive telephone calls, etc.

– May refuse if request is unreasonable

– Individuals may want to use e-mail, texting, social media

– Use Risk Analysis to determine suitability, obtain consent

• Document how you handle communications with patients, and anticipate requests for alternatives


Providing Access

More §164.524(c) Provision of Access

(2)(iii) The covered entity may provide the individual with a summary of the protected health information requested, in lieu of providing access to the protected health information, or may provide an explanation of the protected health information to which access has been provided, if: (A) The individual agrees in advance to such a summary or explanation; and (B) The individual agrees in advance to the fees imposed, if any, by the covered entity for such summary or explanation.

(3) Time and manner of access.

(i) The covered entity must provide access in a timely manner

(ii) The individual may designate a recipient of the information

(4) Fees. A reasonable cost-based fee is permitted, including only: Labor for copying, Supplies, Postage, and Preparation of an agreed Summary or explanation

Costs may NOT include capital or equipment costs

A State-mandated maximum may be considered reasonable, or the cost-based fee, whichever is less expensive


More on Denial of Access and Documentation

§164.524(d) Implementation specifications: Denial of access.

(1) Making Other Information Available. If some PHI is excluded, the rest must be provided

(2) Denial. Must be timely, in plain language, including:

(i) The basis for the denial

(ii) Rights of review, if applicable

(iii) How to complain to the entity and to HHS

(3) Other Responsibility. If the CE doesn’t have the PHI but knows where it is, it must inform the individual

(4) Review of denial requested. If review is requested, the CE must designate a licensed health care professional who did not take part in the original denial to conduct the review, and must act on the reviewer’s decision

§164.524(e) Implementation specification: Documentation.

Must document per §164.530(j):

(1) The DRS that is subject to access by individuals

(2) The titles of the persons or offices responsible for receiving and processing requests


2016 Guidance: General Right of Access

• As discussed earlier, confirmed

• Individuals have a right to a broad array of PHI:

– medical records

– billing and payment records

– insurance information

– clinical laboratory test results

– medical images, such as X-rays

– wellness and disease management program files

– clinical case notes

– among other information used to make decisions about individuals

• “An individual’s personal representative … also has the right to access PHI about the individual in a designated record set (as well as to direct the covered entity to transmit a copy of the PHI to a designated person or entity of the individual’s choice), upon request…”


2016 Guidance: Requests for Access

• May require a written request

– May offer an electronic method

• Need to verify identity of requestor

– Professional Judgment

• No unreasonable measures allowed

– Can’t require requests in person only, or Web only, or by mail only


2016 Guidance: Providing and Denying Access

• Provide in the Form or Format Requested if readily producible (including electronic, e-mail)

• Timely

• Fees are Cost-based ONLY

– SHOULD be free copies

– NO charge to view records

• Denial of access limited

– Must have process for denials and reviews


2016 Guidance: Right to Direct to Another Person

• “An individual also has a right to direct the covered entity to transmit the PHI about the individual directly to another person or entity designated by the individual.

• The individual’s request to direct the PHI to another person must be in writing, signed by the individual, and clearly identify the designated person and where to send the PHI.

• A covered entity may accept an electronic copy of a signed request (e.g., PDF), as well as an electronically executed request (e.g., via a secure web portal) that includes an electronic signature.

• The same requirements for providing the PHI to the individual, such as the fee limitations and requirements for providing the PHI in the form and format and manner requested by the individual, apply when an individual directs that the PHI be sent to another person.”


2016 Guidance: Questions and Answers

• Fees:

– ONLY labor for copying (NOT reviewing or fetching), supplies, postage

– Fees set by actual or average costs for a type of request

– Flat fee for electronic copies of electronically maintained PHI, up to $6.50

– No per-page fees for electronic copies

– Can’t charge for review or portal access

– State law or HIPAA? Whichever costs less

– If provided by Authorization instead of Access, other fees permitted


2016 Guidance: Questions and Answers

• Access does not require Authorization – they are NOT the same thing!

• Cannot withhold access for non-payment of fees

• Cannot charge for viewing and making own photo of records

• Individual can designate a recipient of his copy, same fees as individual access

• Must be transmitted securely unless the individual requests an insecure method like plain e-mail; in that case, warn the individual of the risk, document the warning and the request, and then send it as asked


2016 Guidance: Questions and Answers

• Numerous categories of Q&A, including:

• Scope of Information Covered by Access Right

• Timeliness of Providing Access

• Form and Format and Manner of Access

– Entity not liable for breach if individual requests insecure transmission

– Entity can consider its security in accepting or denying various methods of providing access


Amendment of Records

• §164.526: Individuals can ask to amend PHI in the Designated Record Set

• May deny if:

– You believe the information is accurate and complete

– The information was not created by you (unless the originator is no longer available to act on the request)

– The information would not be available for access under §164.524 (for example, psychotherapy notes)

– The information is not part of the designated record set

• Must inform the individual of acceptance or denial


Amendment of Records

• If you deny an Amendment request:

– Patient can submit a Statement of Disagreement

– Provider can provide a rebuttal

– The individual can request that the request to amend, the denial, the statement of disagreement, and the rebuttal be included in the medical record


Amendment of Records

• Must act in a timely manner (60 days with 30-day extension upon written notice)

• Information not to be expunged except within requirements of law and CE’s practices

• Must inform others who may have relied on un-amended information

• Must have policies and procedures to accept requests, agree to requests, deny requests, and manage statements of disagreement


How are we allowed to communicate with patients?

• Do what the patient or their representative wants

– Meet HIPAA Requirements

– Accommodate what you reasonably can

• Meet the Patient’s needs

– Communication with the office for scheduling, prescription renewals, etc.

– Discussion of particular health issues

– Access of Medical Records, test results

• Do what you can handle properly

– For Patient Care

– For Medical Records


What are the HIPAA considerations?

• HIPAA Security Rule §164.312(e) requires consideration of encryption of communications as an Addressable Implementation Specification

• HIPAA Privacy Rule §164.522 and §164.524 give patients rights of communication preferences and access of information

• Making Patients happy

• Making HHS happy


Calculating/Evaluating Risk

• Each Risk Issue has an Impact and Likelihood

– Impact is how great the damage would be; more information about more people with more detail has a greater Impact

– Likelihood is how likely it is that the risk issue would become a reality

• Risk = Impact x Likelihood

• If the risk level appears low, it may be acceptable to both the entity and the individual

– An informed risk decision can be made about the importance of mitigating certain risks

– Individuals can exert their right to communicate the way they wish, within reason


Professional Communications with PHI MUST be Protected

• The required HIPAA Risk Analysis shows the risks of using insecure communications such as plain e-mail and texting

• Organizations that discover they have used insecure communications have reported that use as a breach

• One of the enforcement settlements was based in part on the use of insecure e-mail for professional communications: http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/examples/phoenix-cardiac-surgery/index.html


Communication with Patients requires flexibility

• Provide a variety of means of communication that you understand and manage

• Provide and encourage using secure solutions for communications

• Be prepared to respond to requests for methods other than your preferred ones

• Have policies and processes for such decisions, and document the decisions


Steer Patients to your Portal

• Most new EHR systems offer a Portal option for patients to use to access their records in the EHR; encourage them to use the Portal

• The EHR may not reflect all of the information in the Designated Record Set

• Be prepared to handle requests for information in the DRS outside the EHR

• You must accommodate reasonable requests to communicate by other means

• Be careful in setting costs for electronic copies of records!


Communications and Access Guidance

• HHS Guidance and Preamble discussions in new rules say unencrypted e-mail between providers and patients is permitted if requested, per §164.522, §164.524

• 2016 Guidance on Access of PHI by Individuals: http://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html

• See HHS Guidance, Question 3, page 3: http://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/understanding/special/healthit/safeguards.pdf

• See Preamble to Omnibus Update, page 5634: http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf

• See Preamble to CLIA/HIPAA Modifications, page 7302: http://www.gpo.gov/fdsys/pkg/FR-2014-02-06/pdf/2014-02280.pdf

• Guidance on Access of PHI, particularly re minors and mental health: http://www.hhs.gov/hipaa/for-professionals/special-topics/mental-health/index.html


E-mail, Texting, and Security

• E-mail and texting are inherently insecure – communications are not secured by default and may be retained or exposed by unknown parties

• Secure e-mail solutions for general use are often cumbersome

• An individual’s e-mail or texts could be accessed by a third party if a weak or easy-to-guess password is used for the e-mail account

• Secure communications are essentially required as good practice for professional communications

• Consumer-grade Yahoo Mail, Gmail, texting, etc., are all insecure means of communication, and their use for professional purposes may be considered a breach

• Technologies for securing e-mail and texting are readily available today


Many Prefer E-mail to Telephone

• Scheduling

• Reporting of status

• Inquiries about issues, treatments

• Requesting copies of records

• Communication of test results

• Can be more accurate than the phone

• Provides a documented record of communication

• Modern e-mail servers can sometimes send securely and seamlessly, if the path is secure all the way to the desktop

– Outside e-mail vendors must be treated as business associates


Texting is Very Useful

• Fast way to communicate short messages

– Useful for Updates, Schedule Changes

– Easy to communicate if running late, etc.

– Quick communication of results, comments

• More appropriate than an e-mail or phone call

– Can be more discreet and private than a phone conversation

– Can be quicker than a phone call for short messages

– Can provide accurate information not dependent on voice

• Many communications used to go by Pager

– Many paging operations moving to texting now

– Texting is more interactive than paging


Potential Mobile Device Issues

• Information provided to the wrong individual – poor authentication and access control – leading to a “small” breach and maybe healthcare threat

• Incorrect information provided about an individual – perhaps by faulty authentication or a poorly performing App – causing a healthcare threat

• Patient loses control of device exposing their data (their problem) – potentially exposing additional data or providing faulty data (whose problem?)

• Provider loses control of device potentially exposing extensive data (big problem) – potentially providing access to provider systems (bigger problem)

• Data travels through insecure channels and may remain, still accessible, on the systems it passes through


Three Issues with Texting

• It’s a Privacy thing: Patients may not appreciate the risks of loss of privacy

– HIPAA requires you to do your best to meet patient preferences for communication method

– Use Risk Analysis to evaluate and explain risks

– It’s a new technology and people will not understand it fully for quite some time

• It’s a Medical Records thing: Documentation is key to health care

– Regular texting doesn’t provide a paper trail of conversations and contacts

– If it’s part of patient care, it must be documented properly

– Secure, traceable texting is essential when medical record information is texted

• It’s a patient safety thing: Triage of incoming messages is essential

– Regular texting doesn’t automatically route to the most appropriate individual

– Texts may arrive at all hours, 24/7 and may include a variety of information and situations, including emergencies

– Texting with patients must be managed to protect patients and provide appropriate service


Secure Texting Solutions

• Secure Texting for Business Use with PHI (encrypted, with no documentation capability)

– WhatsApp

– Wickr Me

– Signal

• Secure Texting for official Business Use (incl. documentation & reporting)

– Cortext by Imprivata – http://www.imprivata.com/secure-messaging

– TigerText – http://www.tigertext.com/messaging-for-healthcare/

– DocHalo – http://www.dochalo.com/secure-texting.html

• Secure Texting as part of an Integrated Communications Solution

– pingMD – https://www.pingmd.com

– OhMD – http://www.ohmd.com

• Free App, easy to sign up and authenticate on-line

• Office implementation integrates with the EHR

• Messages from patients go to team for Triage

• Fantastic acceptance by individuals and providers


Policy on Using Insecure Communications with Patients

• Insecure communications with PHI are prohibited between professionals

• Define the usual, preferred, secure means of communication, and the preferred insecure alternatives

– Consider what you are “reasonably able” to do

• Require the client to request the use of insecure communication methods, and to indicate the preferred method to be used

• If another method is requested, consider it according to §164.522(b)(2) and §164.524(c) and guidance

• If an insecure alternative method is granted:

– Explain risks

– Obtain consent (with signature if appropriate)

– Inform those who communicate of the preference

• Document the request and consent or denial


Joint Commission Restrictions on Texting

• JCAHO said on April 29, 2016 that using secure texting with the proper attributes for physician orders is OK

– The required components of an order must be included, and the messaging platform should include:

– a secure sign-on process,

– encrypted messaging,

– delivery and read receipts,

– date and time stamp,

– customized message retention time frames, and

– a specified contact list for individuals authorized to receive and record orders

• Note! This limitation is for professional communications, and HIPAA rights for individuals allow insecure communications if requested by the individual


Joint Commission Restrictions on Texting

• Communications must be documented, and organizations should:

– Develop an attestation documenting the capabilities of their secure text messaging platform

– Define when text orders are or are not appropriate

– Monitor how frequently texting is used for orders

– Assess compliance with texting policies and procedures

– Develop a risk management strategy and perform a risk assessment

– Conduct training for staff, licensed independent practitioners, and other practitioners on applicable policies and procedures

• The update is available from the Joint Commission at: http://www.jointcommission.org/assets/1/6/Update_Texting_Orders.pdf

• Then they said: No, we need more guidance before going ahead


Joint Commission Restrictions on Texting

• On July 18, 2016, Health IT Security reported that JCAHO had decided to delay the previously announced removal of its ban on the use of texting (even secure texting) for physician ordering.

• Instead, it will wait for guidance from JCAHO and CMS to ensure texting is done correctly and aligns with the Medicare Conditions of Participation.

• The ban had been put in place because “texting applications were unable to verify the identity of the person sending the text or to retain the original message as validation of the information entered into the medical record,” the Commission stated. See more at: http://healthitsecurity.com/news/secure-texting-ban-reinstated-commission-calls-for-guidance


Joint Commission Restrictions on Texting

• Then: The Joint Commission, in its December 2016 issue of The Joint Commission Perspectives, reaffirmed its ban on using texting of any kind for patient care orders, even if secured. The issues identified include:

– Using texts or other messaging apps to order treatments could increase the burden on nurses or other clinical staff who would be responsible for inputting such data into electronic health records

– Talking in-person allows for easier clarifications if there are questions about an order, and allows for better confirmation of directives

– If there are any clinical decision support alerts triggered during the EHR process, the clinician inputting the information into the system will have to take time to contact the ordering physician to resolve the issue, potentially causing treatment delays

• The Joint Commission’s new “Clarification” is available at: https://www.jointcommission.org/assets/1/6/Clarification_Use_of_Secure_Text_Messaging.pdf


TCPA and Communicating to Cell Phones

• Be cautious, especially for any calls or texts relating to billing or financial matters

• Get consent up front to call the number provided for healthcare and financial purposes, including reminders and follow-up

• Penalties apply for calling a cell phone or leaving a payment-related message (voice or text) without consent

• Penalties apply for calling a cell phone without consent or leaving a healthcare-related message longer than one minute (voice) or 160 characters (text); no more than one per day or three per week
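As an added example that is not part of the presentation, the checker below enforces the limits the slide lists for calls and texts to a patient's cell phone: payment-related messages need consent, and healthcare messages sent without consent are capped at 160 characters or one minute and at one per day and three per week. The `Message`, `ConsentRecord` and `PhoneHistory` names and the scenario data are assumptions constructed for the example; the rules are a simplified model of the slide's summary, not of the regulation itself.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Limits as stated on the slide for healthcare-related messages sent to a cell
# phone without prior consent (simplified model of the slide, assumption).
MAX_TEXT_CHARS = 160
MAX_VOICE_SECONDS = 60
MAX_PER_DAY = 1
MAX_PER_WEEK = 3


@dataclass
class Message:
    """A proposed outbound call or text to a patient's cell phone."""
    purpose: str        # "healthcare" or "payment"
    channel: str        # "text" or "voice"
    size: int           # characters for a text, seconds for a voice message
    sent_at: datetime


@dataclass
class ConsentRecord:
    """What the patient consented to up front (constructed example data)."""
    healthcare: bool = False
    financial: bool = False


@dataclass
class PhoneHistory:
    """Timestamps of messages already sent to this number."""
    sent: list = field(default_factory=list)


def check_message(msg, consent, history):
    """Return (allowed, reason). Consent lifts the limits; without it the
    slide's size and frequency constraints apply to healthcare messages."""
    if msg.purpose == "payment":
        if consent.financial:
            return True, "payment message covered by consent"
        return False, "payment-related message requires prior consent"
    if msg.purpose != "healthcare":
        return False, "unknown purpose"
    if consent.healthcare:
        return True, "healthcare message covered by consent"
    # No consent on file: allowed only within the stated limits.
    if msg.channel == "text":
        if msg.size > MAX_TEXT_CHARS:
            return False, f"text exceeds {MAX_TEXT_CHARS} characters"
    elif msg.channel == "voice":
        if msg.size > MAX_VOICE_SECONDS:
            return False, f"voice message exceeds {MAX_VOICE_SECONDS} seconds"
    else:
        return False, "unknown channel"
    day_start = msg.sent_at.replace(hour=0, minute=0, second=0, microsecond=0)
    if sum(1 for t in history.sent if t >= day_start) >= MAX_PER_DAY:
        return False, "daily limit reached"
    week_start = msg.sent_at - timedelta(days=7)
    if sum(1 for t in history.sent if t > week_start) >= MAX_PER_WEEK:
        return False, "weekly limit reached"
    return True, "within exemption limits"


def send(msg, consent, history):
    """Apply the check and record the send if it was allowed."""
    allowed, reason = check_message(msg, consent, history)
    if allowed:
        history.sent.append(msg.sent_at)
    return allowed, reason


def run_demo():
    """Constructed scenario: one patient number, no consent on file at first."""
    base = datetime(2017, 7, 11, 9, 0)
    no_consent = ConsentRecord()
    history = PhoneHistory()
    results = [
        send(Message("healthcare", "text", 120, base), no_consent, history),
        # second healthcare text on the same day
        send(Message("healthcare", "text", 50, base + timedelta(hours=3)), no_consent, history),
        send(Message("healthcare", "text", 50, base + timedelta(days=1)), no_consent, history),
        send(Message("healthcare", "voice", 45, base + timedelta(days=2)), no_consent, history),
        # fourth message within seven days
        send(Message("healthcare", "text", 50, base + timedelta(days=3)), no_consent, history),
        # billing reminder with no financial consent
        send(Message("payment", "text", 50, base + timedelta(days=9)), no_consent, history),
        # over-length text, checked before the frequency limits
        send(Message("healthcare", "text", 200, base + timedelta(days=10)), no_consent, history),
    ]
    # Same billing reminder once the patient has consented on the intake form
    with_consent = ConsentRecord(healthcare=True, financial=True)
    results.append(send(Message("payment", "text", 50, base + timedelta(days=9)), with_consent, history))
    return results


if __name__ == "__main__":
    for allowed, reason in run_demo():
        print("ALLOW" if allowed else "DENY ", reason)
```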


21st Century Cures Act

• Emphasizes that patient access to information is essential to improving the nation’s health

• Promotes a single, longitudinal record that patients can access

• Access must be secure

• Ensure access is convenient but without burden to the provider

• Educate patients and providers


Break Time

15 minutes only, please!


Sharing Information with Family and Friends: Permissible or Prohibited?

• Some communications are permitted under HIPAA, like for treatment, payment, and healthcare operations (a.k.a. TPO)

• Some communications are prohibited without a HIPAA Authorization

• What about the middle ground, where communication may be permitted that is not TPO, and where a formal Authorization may not be appropriate?


A Familiar Example

• People tell me HIPAA stories

• One of the most common stories is that of a friend taking a suddenly ill friend to the hospital ED

• A little while later, the friend asks about the now checked-in patient, “How is he doing?”

• The answer given: “I can’t tell you because of HIPAA”

• Oh dear…


What’s Wrong With This Picture?

• The friend is involved with the patient

• The friend BROUGHT the patient to the ED

• The patient did not object to having the friend present when he first presented at the ED

• Not providing an answer and claiming HIPAA in this case is cruel and unacceptable behavior, no matter what the rules are! Use your common sense!

• How can the friend contact the patient’s family to inform them if he can’t be told what’s going on and tell the whole story?

• Whenever I hear “Because HIPAA Says So” it’s usually wrong


Personal Interactions are Key to Health Care

• Patients need the support and assistance of their family and friends

• Family and Friends of patients need to know certain information to take care of patients and relay appropriate information to others

• Completing an Authorization may not be reasonably possible, or may appear to be overkill under many circumstances


What’s the rule?

• Privacy Rule § 164.502(g) and 164.510(b)

• The Privacy Rule allows a health care provider or health plan to share information with a patient’s family or friends if:

– They are involved in the patient’s health care or payment for health care,

– The patient tells the provider or plan that it can do so,

– The patient does not object to sharing of the information, or

– If, using its professional judgment, a provider or plan believes that the patient does not object


What is a Personal Representative?

• There may be times when individuals are legally or otherwise incapable of exercising their rights, or simply choose to designate another to act on their behalf as a Personal Representative

• A Personal Representative has, on the individual’s behalf, all the same rights that the individual would have


What is a Personal Representative?

• A Personal Representative has been designated by the individual as the person who is responsible for making healthcare decisions on the individual’s behalf

• Or, a parent of a minor, or a guardian

• Someone’s lawyer is NOT their personal representative unless they are prepared to fully act on the patient’s behalf to make healthcare decisions


Authority to Act for the Patient May Be Limited

• Where the authority to act for the individual is limited to particular health care decisions, the personal representative is to be treated as the individual only with respect to protected health information that is relevant to the representation

• For example, a person with an individual’s limited health care power of attorney regarding only a specific treatment, such as use of artificial life support, is that individual’s personal representative only with respect to protected health information that relates to that health care decision


How is a Personal Representative Different from Family and Friends?

• Family and Friends are involved with the individual in some way but do not have authority to make decisions for the patient

• Personal Representatives may be family and friends (or not), and have the ability to exercise rights and make decisions on the patient’s behalf


What information can you share with Family and Friends?

• Familiar Examples:

– If the patient does not object, the doctor could talk with the friend who goes with the patient to the hospital, or with a family member who pays the medical bill

– If a patient sends a friend to pick up the patient’s prescription, the pharmacist can assume that the patient does not object to the friend being given the medication

– When the patient is not there or is injured and cannot give permission, a provider may share information with a patient’s family and friends if it seems like this would be in the patient’s best interest


But there are Limitations!

• In the case of the family member paying the hospital bills for the patient:

– It is fine to share enough information to facilitate the payment (e.g. what procedures took place)

– But underlying clinical information should be withheld

– Information other than what is needed for the task at hand should not be shared


But there are Limitations!

• In the case of a friend taking someone to the hospital in an emergency:

– You can let them know how the patient is doing and provide enough information so that they can contact other friends and family who would be concerned

– But you might hold off on specific details of issues discovered in the examination that should be communicated more carefully (such as an unexpected or sensitive diagnosis), or issues unrelated to the current one


If the Patient is Present and Has the Capacity to Make Health Care Decisions

• The provider may discuss the patient’s health information with a family member, friend, or other person if the patient agrees or, when given the opportunity, does not object

• A health care provider also may share information with these persons if, using professional judgment, he or she decides that the patient does not object

• In either case, the health care provider may share or discuss only the information that the person involved needs to know about the patient’s care or payment for care


What Might a Patient Expect to be Shared?

• An emergency room doctor may discuss a patient’s treatment in front of the patient’s friend if the patient asks that her friend come into the treatment room

• A doctor’s office may discuss a patient’s bill with the patient’s adult daughter who is with the patient at the patient’s medical appointment and has questions about the charges

• A doctor may discuss the drugs a patient needs to take with the patient’s health aide who has accompanied the patient to a medical appointment

• A doctor may give information about a patient’s mobility limitations to the patient’s sister who is driving the patient home from the hospital

• A nurse may discuss a patient’s health status with the patient’s brother if she informs the patient she is going to do so and the patient does not object

• BUT: A nurse may not discuss a patient’s condition with the patient’s brother after the patient has stated she does not want her family to know about her condition


If the Patient is Not Present or Incapacitated

• A health care provider is not required by HIPAA to share a patient’s information when the patient is not present or is incapacitated, and can choose to wait until the patient has an opportunity to agree to the disclosure

• But…


If the Patient is Not Present or Incapacitated

• The provider may share information with family, friends, or others as long as the health care provider determines, based on professional judgment, that it is in the best interest of the patient

• When someone other than a friend or family member is involved, the health care provider must be reasonably sure that the patient asked the person to be involved in his or her care or payment for care

• The health care provider may discuss only the information that the person involved needs to know about the patient’s care or payment


What Might a Patient Expect to be Shared?

• A surgeon who did emergency surgery on a patient may tell the patient’s spouse about the patient’s condition while the patient is unconscious

• A pharmacist may give a prescription to a patient’s friend who the patient has sent to pick up the prescription

• A hospital may discuss a patient’s bill with her adult son who calls the hospital with questions about charges to his mother’s account

• A health care provider may give information regarding a patient’s drug dosage to the patient’s health aide who calls the provider with questions about the particular prescription

• BUT: A nurse may not tell a patient’s friend about a past medical problem that is unrelated to the patient’s current condition


Ask For Permission When You Can

• As long as the individual does not object, you can share or discuss the patient’s health information with family, friends, or others involved in care or payment for care

• A provider may:

– Ask the individual for permission,

– Inform the individual they plan to discuss the information and give an opportunity to object

– Decide, using his or her professional judgment, that the patient does not object

• In any of these cases, the health care provider may discuss only the information that the person involved needs to know about the patient’s care or payment for care

• If you have the opportunity, ASK!


The Role of Authorizations

• You don’t need an Authorization for these disclosures to family and friends involved with the patient’s care, but you may wish to document the permissions and disclosures (It’s a good idea!)

• If it goes beyond these allowed disclosures or beyond the patient’s clear wishes, a HIPAA Authorization is required

• https://www.hhs.gov/hipaa/for-individuals/faq/523/can-my-health-care-provider-share-or-discuss-my-health-information-with-my-family/index.html

Page 76

Must the Provider Share Information with Family and Friends of the Patient?

• Sharing information under this rule allows for reasonable, compassionate care for family and friends as well as the patient

• BUT! Sharing information under this rule is not required, and the provider may decide to not share information until permission is provided

• (Except when the family or friend is a personal representative)

Page 77

The Orlando Incident

• In the Orlando night club shooting, many who would be considered friends or family of the victims were denied information on their unmarried partners

• Health care providers may use their professional judgment in their determination as to whether or not someone is a friend, family member, or other individual involved with the patient’s care

• HHS has clarified that Family Members may include unmarried partners or other non-obvious Family Members – a marriage is NOT required to establish a family relationship under HHS rules

• https://www.hhs.gov/hipaa/for-professionals/faq/2086/does-hipaa-privacy-rule-permit-doctor-discuss-patient-s-health-status.html

Page 78

Sharing Alcohol and Drug Abuse Treatment Information

• For facilities providing treatment under SAMHSA (42 CFR Part 2), remember there are additional limitations on sharing drug and alcohol abuse treatment information that are stronger than HIPAA

• 42 CFR Part 2 provides greater privacy protections than HIPAA and is the bar for sharing information

• New changes to 42 CFR Part 2 relax some disclosure rules but retain rules related to sharing with family and friends

• Disclosees will be permitted to redisclose information to other providers involved with the patient’s care, with documented consent

• New rule changes effective March 21, 2017 https://www.federalregister.gov/documents/2017/01/18/2017-00719/confidentiality-of-substance-use-disorder-patient-records

Page 79

State Law Restrictions

• You may also operate under State Law or other law that further restricts the sharing of information with family and friends

• In particular, note state laws pertaining to Mental Health, HIV/AIDS, Reproductive Health, and Minors

• HIPAA allows disclosures to family and friends but does not require them

• Be sure to consider your state laws in your policies, practices, and training

Page 80

Responding to Telephone Calls

• May a health care provider discuss a patient’s health information over the phone with the patient’s family, friends, or others involved in the patient’s care or payment for care?

• Yes. Where a health care provider is allowed to share a patient’s health information with a person, information may be shared face-to-face, over the phone, or in writing

Page 81

Does there need to be proof of identity?

• If a patient’s family member, friend, or other person involved in the patient’s care or payment for care calls a health care provider to ask about the patient’s condition, does HIPAA require the health care provider to obtain proof of who the person is before speaking with them?

• No. If the caller states that he or she is a family member or friend of the patient, or is involved in the patient’s care or payment for care, then HIPAA doesn’t require proof of identity in this case

– However, a health care provider may establish his or her own rules for verifying who is on the phone

– In addition, when someone other than a friend or family member is involved, the health care provider must be reasonably sure that the patient asked the person to be involved in his or her care or payment for care

Page 82

Picking Up Prescriptions, Supplies, X-Rays, and other kinds of PHI

• Providers should use professional judgment and experience to decide if it is in the patient’s best interest to allow another person to pick up prescriptions, etc. for the patient

• Example: The fact that a relative or friend arrives at a pharmacy and asks to pick up a specific prescription for a patient effectively verifies that he or she is involved in the patient’s care

• HIPAA allows the pharmacist to give the filled prescription to the relative or friend

• The patient does not need to provide the pharmacist with the names of such persons in advance.

Page 83

Delivering Prescriptions, Supplies, X-Rays, and other kinds of PHI

• People may wish to have their prescriptions delivered to a workplace or apartment building

• Requiring an Authorization might be seen as overkill – you’re not necessarily revealing any significant PHI

• You would want to get documented permission about where a prescription may be delivered and who may sign for it

• Those who may sign for a delivery could be considered as friends or others involved with the patient’s care, so long as you check with the patient first to be sure

Page 84

Interpreters and Family Members

• Often a good interpreter for a patient with limited English proficiency is a friend or family member

• No Authorization or contract is necessarily needed to use interpreters (unless they are acting as your HIPAA Business Associate)

• The provider may share information with an interpreter who is the patient’s family member, friend, or other person identified by the patient as his or her interpreter:

– if the patient agrees, or does not object, or

– the health care provider determines, using his or her professional judgment, that the patient does not object

Page 85

Guidance on Access Regarding Mental Health & Minors

• 2014 Guidance on minors and mental health information: http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/mhguidance.html

• Does HIPAA allow a health care provider to communicate with a patient’s family, friends, or other persons who are involved in the patient’s care? Yes

• Does HIPAA provide extra protections for mental health information compared with other health information? No, except for Psychotherapy Notes, which are not available to the patient and require an Authorization to disclose to others

• Is a health care provider permitted to discuss an adult patient’s mental health information with the patient’s parents or other family members? Yes, unless the patient objects

• Can a minor child’s doctor talk to the child’s parent about the patient’s mental health status and needs? Per HIPAA yes, maybe not per State law

Page 86

Guidance on Access Regarding Mental Health & Minors

• Does HIPAA permit a doctor to contact a patient’s family or law enforcement if the doctor believes that the patient might hurt herself or someone else? Yes

• If a doctor believes that a patient might hurt himself or herself or someone else, is it the duty of the provider to notify the family or law enforcement authorities? Yes, based on ethical standards, state law

• Does HIPAA prevent a school administrator, or a school doctor or nurse, from sharing concerns about a student’s mental health with the student’s parents or law enforcement authorities? Not HIPAA; FERPA?

• If a law enforcement officer brings a patient to a hospital or other mental health facility to be placed on a temporary psychiatric hold, and requests to be notified if or when the patient is released, can the facility make that notification? Punt! To locate a suspect, or with a written statement of need, or in cases of threat to health or safety

Page 87

Policies About Disclosures to Families and Friends

• Distinguish between Personal Representatives and Family and Friends

• Define circumstances for when the patient can respond, and for when the patient cannot respond, to questions about sharing information

• Define most-common circumstances for sharing in policy

• Be sure to consider all reasonable scenarios

Page 88

Policies About Disclosures to Families and Friends

• Define your usual processes and when the circumstances are most likely to arise

• Consider needs in various departments; e.g., the ED versus the nursing floor

• Be ready to respond to patient permission for information to be shared

• Document sharing or agreement to share whenever it is beyond “normal” processes

Page 89

Training About Disclosures to Families and Friends

• The policy part is pretty easy to understand, but how to apply it?

• These activities already take place at least informally

• Use plenty of examples right from your own experiences and staff

• Tie it to your policies

• Presenting familiar scenarios brings it home

Page 90

What this all adds up to…

• Providing the appropriate communications the way you always used to

• Sharing where appropriate or necessary

• Asking permission when you can

• Documenting permission when you reasonably need to

• Providing compassionate care for patients, their friends, and their families

Page 91

Guidance from HHS OCR

• A HEALTH CARE PROVIDER’S GUIDE TO THE HIPAA PRIVACY RULE: Communicating with a Patient’s Family, Friends, or Others Involved in the Patient’s Care

• https://www.hhs.gov/sites/default/files/provider_ffg.pdf

Page 92

How to approach HIPAA Compliance

• Two ways to approach HIPAA compliance:

– One is to start from the regulations and work outward to deal with issues found as compliance with the regulations is implemented

– The other way is to start with the known issues first, and knock them down, as they are the most likely to cause problems

– Best is both, of course, but…

• We will examine the issues identified in breaches, audits, and enforcement actions to identify the top priorities for attention

• The session will provide background on the issues, explain enforcement and audit activity, and show what must be documented, and how, to survive any issues

Page 93

What is a HIPAA Breach?

• A Breach may be any acquisition, access, use, or disclosure of PHI in violation of the Privacy Rule, except when:

– unintentional use, in good faith, with no further use;

– inadvertent use within job scope; or,

– information cannot be retained

• A Breach but Not Reportable if:

– Destroyed, or Secured per HHS guidance at http://www.hhs.gov/hipaa/for-professionals/breach-notification/guidance/index.html

• Otherwise, must report unless there is a “low probability of compromise” of the data, based on a risk assessment including:

– what was the info (and is its release “adverse to the individual”)

– to whom it was disclosed

– was it actually acquired or viewed

– the extent of mitigation

Page 94

Is It a Reportable Breach?

Page 95

Incident/Breach Notification Policy

• Part 1: Security incident handling policy/procedure

– What is an incident?

– Report to whom? (Incident Response Team)

– Respond to incident reports: Investigate, evaluate, and prioritize the incident

– Identify potential Breaches

– Prepare for public response

– Document the incident

• Part 2: If it may be a breach…

– Define information covered by HIPAA and State breach notification rules

– Define Process for Evaluation of Reportable Breach

– Require documentation of evaluation and reasoning, especially when deciding NOT to report

• Part 3: Then if it is a reportable breach…

– How to provide notification, time limits

– Sample Content of Breach Notice

– Substitute Notice

– Additional Required Notices (HHS, state, regulators, consumer reporting agencies)

– Law Enforcement delays

– Business Associate requirements

– Document risk assessment, decisions to report or not (and why), actions taken, etc.

Page 96

Learning from Past Breaches

• Breaches are caused by hackers, loss of PHI, theft of PHI, malicious insiders, and user errors

• Breaches are prevented by good processes, good security methods, and good people who know how to do the right thing carefully

• Breaches can lead to enforcement penalties in the millions of dollars https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/index.html

Page 97

Trends in Breaches

• Hacking impact is way UP

• Laptops and Portable Electronic Devices still the leading preventable cause of breaches

• Malicious Insiders still a threat

• Increasing new threats from new technologies, like insecure e-mail, texting, and social media

• Most small breaches affect one or two individuals – paper handling mistakes

• http://www.hhs.gov/hipaa/for-professionals/breach-notification/reports-congress/index.html

Page 98

What do we do about Breaches?

• Hackers affect the most individuals

• BUT! Many incidents involve lost or stolen portable devices – the most significant risk issue you can address today

• Encrypt data wherever you can, at rest on any desktop or portable device/media storing ePHI – any server as well

• Reduce risk through network or enterprise storage as an alternative to local devices

• Have clear and well documented administrative and physical safeguards on the portable media which handle ePHI

• Be prepared for increased threats of hacking & Ransomware – have good backup and disaster recovery processes

• Audit systems and access to discover hacking and malicious insider activity

• Raise the security awareness of workforce members and managers to promote good data stewardship

• Check fax numbers and addresses regularly

Page 99

Enforcement Definitions

• Reasonable Cause: An act or omission in which a covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission violated an administrative simplification provision, but in which the covered entity or business associate did not act with willful neglect

• Reasonable Diligence: Business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances

• Willful Neglect: Conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated

Page 100

Affirmative Defenses & Waivers

• Affirmative Defenses

– §160.410: For violations after 2/17/2009:

– If the act is punishable as a Wrongful Disclosure,

– Or the Secretary is satisfied that violation is:

• Not due to willful neglect (reasonable cause requirement removed)

• Corrected during:

– 30 days from when known or should have known

– Additional period as Secretary determines

• Waivers

– §160.412: For violations due to reasonable cause and not willful neglect

– If there is a requirement that you can’t meet for some reasonable cause

– Not corrected within the 30-day (or extended) period

– Secretary may waive penalty or a portion, to the extent penalty is excessive relative to the violation

Page 101

Enforcement Penalty Structure

• Tier 1: Did not know and, with reasonable diligence, would not have known

– $100 - $50,000 per violation (may use an Affirmative Defense if no willful neglect)

• Tier 2: Violation due to reasonable cause and not willful neglect

– $1,000 - $50,000 per violation (may get a Waiver if no willful neglect)

• Tier 3: Violation due to willful neglect and corrected within 30 days of when known or should have been known with reasonable diligence

– $10,000 - $50,000 per violation (no Waiver or Affirmative Defense available)

• Tier 4: Violation due to willful neglect and NOT corrected within 30 days of when known or should have been known with reasonable diligence

– $50,000 per violation (no Waiver or Affirmative Defense available)

• $1.5 million maximum for all violations of a similar type in a calendar year

• Corrective Action Plans may also be prescribed, even without a penalty

• Can levy fines on a daily basis!

Page 102

Resolution Agreements

• A Resolution Agreement is a contract signed by HHS and a covered entity in which the CE agrees to perform certain obligations (e.g., staff training) and make reports to HHS, generally for a period of three years.

• During the period, HHS monitors the covered entity’s compliance with its obligations.

• A Resolution Agreement likely would include the payment of a resolution amount. These agreements are reserved to settle investigations with more serious outcomes.

• To date, HHS has entered into more than three dozen resolution agreements, and the pace is now significantly increasing.

Page 103

Civil Money Penalties

• When HHS has not been able to reach a satisfactory resolution through the covered entity’s demonstrated compliance or corrective action through other informal means, civil money penalties (CMPs) may be imposed for noncompliance against a covered entity.

• To date, HHS has issued CMPs to three covered entities who did not settle allegations

Page 104

Recent Large Settlements

• $5.5 million for not reviewing access and use of PHI as recommended in risk analyses, leading to breach

• $2.4 million for improper public disclosure of a patient name and not sanctioning the individual responsible

• Let’s examine the issues…

• https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements

Page 105

Typical Corrective Action Plan

• HIPAA Privacy and Security P&Ps, distribution and training, with verifications

• Risk Analysis and Risk Management Plan

• Implement encryption of PHI

• Facility and physical security safeguards

• Report violations of HIPAA policies to HHS

• Internal (or external) audit and monitoring of compliance

• Regular reports to HHS

Page 106

HHS Resolution Agreements

• $4.3 million fine for Cignet Health of Maryland: multiple HIPAA violations, including $3 million for willful neglect by ignoring investigators

• $1 million settlement with Mass General Hospital: records left on the T

• $865K settlement with UCLA Medical Center: snooping in celebrity records

• Multi-million dollar settlements with 2 pharmacies: poor disposal of PHI

• $100K settlement with a physician’s office: using insecure e-mail & calendar, no risk analysis or security policies

• And that’s just a start…

Page 107

HHS Resolution Agreements

• $1.5 million settlement with BC/BS of Tennessee: lost hard drives

• $1.7 million settlement with Alaska Medicaid: lack of security process

• $1.5 million settlement with MEEI: lack of security for portable devices

• $50K settlement with Hospice of North Idaho: insecure laptop, no process

• $400K settlement with Idaho State University: insecure server, no process

• $275K settlement with Shasta Regional Medical Center: inappropriate disclosure of PHI to staff and public, and lack of sanctions for violations

Page 108

HHS Resolution Agreements

• $1.7 million settlement with WellPoint: insecure server, no security process

• $1.2 million settlement with Affinity Health: improper disposal of copiers

• $150K settlement with APDerm: lost insecure USB drive and no Breach policies

• $215K settlement with Skagit County, WA: insecure server, no security process, had not designated Hybrid Entity status

• $2 million in settlements with 2 entities: unsecured stolen laptops

• $4.8 million in settlements with Columbia/Presbyterian: poor server management exposing PHI

Page 109

HHS Resolution Agreements

• $800K settlement with Parkview Health System: mishandled paper records

• $150K settlement with Anchorage Community Mental Health Services: no security processes, not patching systems, and using unsupported software

• $125K settlement with Cornell Prescription Pharmacy: insecure disposal of PHI

• $218K settlement with St. Elizabeth’s Medical Center: using web-based storage without risk analysis, breach of a laptop held by a former employee

• $750K settlement with Cancer Care Group, P.C.: unencrypted, stolen laptop & backup, no Risk Analysis or Risk Management Plan, no Policies on portable devices

Page 110

HHS Resolution Agreements

• $850K settlement with Lahey Clinic: lost laptop used as a medical device, with issues of insufficient RA, physical safeguards, policies, unique user ID, logging, breach of PHI

• $3.5 million settlement with Triple-S Management Corporation: lack of safeguards, impermissible disclosures, lack of security process

• $750K settlement with University of Washington Medicine: affiliate not having done risk analysis nor implemented security practices per policy

• $240K FINE for Lincare, Inc.: improper care of paper records leading to theft of records, lack of policies and procedures, minimal compliance work

Page 111

HHS Resolution Agreements

• $250K settlement with Complete P.T., Pool & Land Physical Therapy, Inc.: Posting Patient Pictures and Testimonials Without Authorizations, No Policies and Procedures for Authorization Process

• $1.55 million settlement with North Memorial Health Care of Minnesota: stolen unencrypted laptop, no BA Agreement, insufficient Risk Analysis

• $3.9 million settlement with Feinstein Institute for Medical Research: stolen unencrypted laptop with research subject information, limited security processes

• But don’t answer yet!

Page 112

HHS Resolution Agreements

• $750K settlement with Raleigh Orthopaedic Clinic for handing over PHI to a BA, no BAA

• $2.2 million settlement with New York Presbyterian for allowing TV crews into the facility and filming patients without obtaining Authorizations

• $650K settlement with Catholic Health Care Services of the Archdiocese of Philadelphia, acting as a Business Associate that didn’t protect a mobile device, resulting in breach

• $2.7 million settlement with Oregon Health & Science University: widespread HIPAA Security Rule violations and safeguard issues leading to breaches

HHS Resolution Agreements

• $2.75 million settlement with University of Mississippi Medical Center: lack of risk management despite awareness of risks since 2005, leading to loaned laptop & breach

• $5.55 million settlement with Advocate Health Care Network: long term Security Rule non-compliance, lack of Business Associate Agreements, leading to breaches

• $400K settlement with Care New England Health System: loss of unencrypted backup tapes, lack of BA Agreement with parent company

• $2.14 million settlement with St. Joseph Health (SJH) for misconfigured server, no RA, resulting in Breach of almost 32K records

HHS Resolution Agreements

• $650K settlement with UMass for incomplete Hybrid designation, risk analysis, safeguards, resulting in breach of 1,670 records via malware

• $475K settlement with Presence Health for untimely reporting of a HIPAA breach

• $2.2 million settlement with MAPFRE for breach of insecure storage devices when they knew it was an issue

• $3.2 million Civil Money Penalty for Children’s Medical Center of Dallas for knowing they had risks of insecure portable devices and doing nothing about it – they just paid the penalty with no settlement discussions and no corrective action plan!

HHS Resolution Agreements

• $5.5 million settlement with Memorial Healthcare Systems for not reviewing access and use of PHI as recommended in risk analyses, allowing a breach of 115K individuals

• $400K settlement with Metro Community Provider Network (a FQHC) for not doing risk analysis until after a breach and then not doing a good job with the analysis or mitigation planning

• $31K settlement with Center for Children’s Digestive Health for no BA in place with records storage vendor

• $2.5 million settlement with CardioNet for insufficient RA, RM, and policies, with breached laptop resulting

HHS Resolution Agreements

• $2.4 million settlement with Memorial Hermann Health System for using a patient name in a press release headline and not sanctioning the CEO for the improper disclosure

• $387,000 settlement with St. Luke’s-Roosevelt Hospital Center for faxing patient medical records (including information re HIV status, medical care, sexually transmitted diseases, medications, sexual orientation, mental health diagnosis, and physical abuse) to the patient’s employer by accident, repeating a related breach

• And they keep on coming…

Categories of Failure

• Laptops and Portable Devices

• Insecure Systems

• Improper Handling of PHI

• Privacy Issues

• Failure to Manage Security Overall

Enforcement Lessons Learned

• Information Security Management Process

– Risk Analysis and Risk Management

• Include the entire enterprise and integrate with compliance overall

• Don’t forget your Business Associates

• Include smart phones and mobile devices in your Risk Analysis

• Plan to Manage the Risks you find – don’t ignore them!

– Use Physical, Technical, and Administrative Safeguards

– Incident Handling and Breach Notification

– Policies and Procedures

– Training and Documentation

– Internal Audits and System Reviews

– Professional Communications involving PHI must be secured

– No sharing of IDs and passwords

– Secure Laptops, Portable Devices, and Backup media

– Secure System Implementation and Decommissioning Processes – use a checklist to make sure!

Enforcement Lessons Learned

• Privacy Rule Compliance

– Have complete policies and procedures

– Handle physical records properly, paper and electronic

– If you’re a hybrid entity, make sure you properly find and identify ALL the portions that may be covered, not just the obvious ones, and then implement the appropriate safeguards

– Don’t leave unsecured records in public areas

– Properly shred discarded paper and pill bottles

– Get Authorization for posting pictures and testimonials or before allowing ANY unauthorized persons into patient areas

– Have good policies & procedures for working outside the office

– Apply sanctions for violations of HIPAA policies

– Handle individual requests for records properly

– Know and manage your Business Associates

– Don’t ignore the rules or HHS OCR investigators

What is a HIPAA Audit?

• HITECH §13411 requires HHS to conduct periodic audits; initial program in 2012, now revised and under way

• Desk Audits of 167 covered entities to be completed by December 31, 2016

• If you haven’t been notified, you will not get a desk audit this round but you may get an on-site audit

• Be able to show you have in place the policies and procedures required by the HIPAA Privacy, Security, and Breach Notification Rules

• Show you have been using them

– e.g., Show access policy, access requests, and approvals or denials

– e.g., Show risk analysis and risk management policy and reports/documentation

• 2 week notice! – You must be prepared in advance or it’s too late!

• http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/index.html

2012 HIPAA Audit Program Highlights

• Overall

– Small covered entities (30% of the sample) had 66% of the deficiencies

– Health care providers (50% of the sample) had 81% of the deficiencies

– Security findings were 2/3 of the issues

• Security issues

– User activity monitoring

– Contingency planning

– Authentication/integrity

– Media reuse and destruction

– Risk assessment

– Granting and modifying user access

• Privacy Issues

– Review process for denials of patient access to records

– Failure to provide appropriate patient access to records

– Lack of policies and procedures

– Uses and disclosures of decedent information

– Disclosures to personal representatives

– Business associate contracts

New Guidance on Access of PHI

• New 2016 HHS Guidance on Access of PHI: http://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html

– Released January 7, 2016

– Updated with new Q&A twice since release

– Highly Recommended Reading!

• Also see:

– Guidance on Access of PHI, particularly concerning minors and mental health information: http://www.hhs.gov/hipaa/for-professionals/special-topics/mental-health/index.html

– Guidance clarifying that same-sex spouses have the same HIPAA rights as other family members, no matter where services are provided: http://www.hhs.gov/hipaa/for-professionals/special-topics/same-sex-marriage/index.html

Change in Focus for 2016 Audit Program

• Not a general, soup-to-nuts review like in 2012

• 167 Desk Audits, specific to particular problem areas revealed in prior Audits, Breaches, and Enforcement Actions

– Privacy Rule

• Notice of Privacy Practices & Content Requirements §164.520(a)(1), (b)(1)

• Provision of Notice - Electronic Notice §164.520(c)(3)

• Right to Access §164.524(a)(1), (b)(1), (b)(2), (c)(2), (c)(3), (c)(4), (d)(1), (d)(3)

– Breach Notification Rule

• Timeliness of Notification §164.404(b)

• Content of Notification §164.404(c)(1)

– Security Rule

• Security Management Process – Risk Analysis §164.308(a)(1)(ii)(A)

• Security Management Process – Risk Management §164.308(a)(1)(ii)(B)

• 45 Business Associates audited beginning November 2016

– HHS got list of Business Associates from Covered Entity targets

– HHS selected BAs to audit from the lists collected from the CEs

• Limited number of On-site Audits to be done in 2017

How can I prepare for an Audit?

• Document Policies and Procedures

– Must realistically represent actual practices

– Must be within regulatory requirements

• Document any Action, Activity, or Assessment

• Make documentation live, accessible, updatable

– Easy to keep procedures updated, easy to show compliance

• Use tools to evaluate and document compliance

– The New 2016 HIPAA Audit Protocol, at: http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/protocol/index.html

What might I be asked in an Audit?

• 42 questions asked in first OIG HIPAA Security audit in March 2007: http://tinyurl.com/meupq8t

• CMS OESS 2008 Interview and Document Request for HIPAA Security Onsite Investigations and Compliance Reviews: http://tinyurl.com/27eakjz

• Questions asked of a small provider after a data breach involving theft of a laptop and server: http://tinyurl.com/3jpoa4p

• Questions asked in the first round of 2012 HIPAA random audits (still a good framework of questions): http://tinyurl.com/jdoz47z

• The New 2016 HIPAA Audit Protocol, at: http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/protocol/index.html

Audit Protocol in a Spreadsheet

Sample Audit Protocol Questions

• Item 66, Privacy Rule §164.524(d)(2): Denial of Access

• Has the covered entity implemented policies and procedures that ensure that an individual receives a timely, written denial that contains all mandated elements?

• Inquire of management.

• Obtain and review policies and procedures to determine if they comply with the established performance criterion.

• Obtain and review a sample of denied access requests.

Sample Audit Protocol Questions

• Item 69, Privacy Rule §164.524(a)(4)&(d)(4): Review of Denial of Access

• Do policies and procedures address request for and fulfillment of review of instances of access denial? Inquire of management.

• Review policies and procedures to determine whether they comply with the established performance criterion. For example, does the entity have a process for an individual to request and receive a review of a denial of access by a licensed health care professional who did not participate in the original decision to deny the individual's request for access as set forth in §164.524(d)(4)? Does it provide prompt referral of denial for review by licensed health care professional not directly involved in the original denial, determination within a reasonable period of time, and prompt written notice to individual?

• Review documentation obtained for item 66 for consistency with these requirements

Audits ask for History

• Audit information requests ask for the history of your policies, procedures, documentation, and reports

• Going back six years

• Looking for consistency of compliance

• Develop your book of HIPAA compliance documentation

And it’s not just HHS OCR…

• HHS Office of Inspector General will also be auditing HIPAA Security Rule compliance including:

– Analyzing the IT security of community health centers funded by the Health Resources and Services Administration

– Reviewing controls over networked medical devices at hospitals

– Reviewing information security at recipients of EHR incentive funding

– Verifying performance of a HIPAA Security Rule Risk Analysis at recipients of EHR incentive funding

What’s Likely for HIPAA Audits in the Future?

• Finishing up the 2016 Audits and developing a permanent plan for Auditing

• Any New Audits in 2017?

– OVERALL: Expect little new action in Auditing

– Similar process to 2016 process, perhaps in 2018?

– Potential new focus areas:

• Preparation for Ransomware and Disaster Recovery

• Continued focus on individual access of records, risk analysis, risk management

• E-mail and Texting usage a new target?

And it’s not just HHS OCR…

• HHS Office of Inspector General will also be auditing HIPAA Security Rule compliance including:

– Analyzing the IT security of community health centers funded by the Health Resources and Services Administration

– Reviewing controls over networked medical devices at hospitals

– Reviewing information security at recipients of EHR incentive funding

– Meaningful Use audits for EHR Incentive Funding, verifying you have performed a HIPAA Security Rule Risk Analysis

Audit Your Own Compliance

• Ensure your Policies and Notice of Privacy Practices reflect the rules and your own practices

• Review processes for handling patient rights

• Look for issues identified in prior Breaches, Enforcement, and Audit activity

• Complete the HIPAA Audit Protocol

• Prioritize issues identified and plan their mitigation

• Verify that Policies and Procedures are being followed

• Document all your HIPAA Compliance Activities

• Review your own compliance – don’t leave it to the local TV News team to find your gaps

Emerging Issues

• Business Associates

– Play an increasing role in health care

– Potential for huge breaches of PHI, including yours?

• Hackers

– Stealing information

– Denial of Service attacks

– RANSOMWARE!

– What’s Next???

Your to-do list…

• Don’t be in denial – willful neglect costs more than compliance

• Accommodate individual rights

• Implement practices for sharing information with family and friends of a patient

• Review enforcement actions to see what not to do

• Review the questions asked in prior HIPAA audits

• Document your policies and procedures

• Train staff in your policies and procedures

• Conduct drills in audit and breach response

• Make corrections based on results

• Always have a plan for moving forward, and follow it!

Thank you!

Any Questions?

For additional information, please contact:

Jim Sheldon-Dean

Lewis Creek Systems, LLC

5675 Spear Street, Charlotte, VT 05445

[email protected]

www.lewiscreeksystems.com
