HITECH Act of 2009

HITECH Act of 2009

Changes to the HIPAA Privacy and Security Regulations

This presentation is for general informational purposes only and is not to be taken as legal advice. Please consult with your attorney for legal advice regarding HIPAA compliance.

Expanding the Reach of the HIPAA Regulations

• Ezell Underdown• Director, Legal Affairs Department at Medical

Mutual of Ohio• [email protected]

Expanding the Reach of the HIPAA Regulations

• Before HITECH, HIPAA applied only to covered entities and did not apply to business associates directly

• After HITECH, HIPAA applies directly to business associates (e.g., brokers and other agents):– Requires business associates to directly comply with

Security Rule’s administrative, technical and physical safeguards and to implement security policies and procedures

– Subjects business associates to the same civil penalties as covered entities for breach of Security Rule or business associate agreements

“Fear Factor”, i.e., Why Should I Care?

• HITECH established a tiered civil penalty structure for HIPAA violations (and allows enforcement by state attorneys general)– Individual did not know

• $100/violation w/ $25,000 annual max for repetition

– Reasonable cause (but not willful neglect)• $1,000/violation w/ $100,000 annual max for repetition

– Willful neglect (but corrected w/i 30 days), e.g., refusal to take steps to comply

• $10,000/violation w/ $250,000 annual max for repetition

– Willful neglect (but not corrected w/i 30 days)• $50,000/violation w/ $1.5MM annual max for repetition

• Criminal penalties apply (up to 10 years imprisonment) for knowingly using or obtaining PHI in violation of HIPAA

Common Misconceptions

– Small organizations do not have to worry about compliance because the regulators do not audit small organizations

– Security and privacy incidents do not occur at small organizations

• Lost/stolen laptop, PDA or flash drive; misdirected/intercepted unsecure email; failure to properly destroy PHI

– 12,000 lost/stolen laptops in US airports– $204 ($60) / exposure according to Verizon 2009 data breach

study– 1000 SSNs = $60,000 direct cost (read $120,000 because AGs

now insisting on two years credit protection)

– No sanctions are applied for HIPAA/HITECH violations• Civil penalties• Criminal penalties

Common Problems

• No assigned responsibilities• No documented policies, procedures and forms• No training or awareness communications• No compliance monitoring• Noncompliance with contractual obligations, e.g.,

business associate agreements• Unsecure storage and disposal of PHI• Nonuse of encryption for emails containing ePHI• No mobile computing controls• Lack of breach procedures, logs and documentation• No backup or disaster recovery plans

Business Associate “To Do” List

• Appoint a privacy official

• Amend business associate agreements to include HITECH provisions (discussed later)

• Cure existing breaches of business associate agreements

• Enter into updated business associate agreements with any organization that provides data transmission services to you

• Comply with “minimum necessary” standard regarding uses of PHI. Rethink past practices, e.g., “Does this report need to contain SSNs or TINs?”

• Comply with the new marketing restrictions regarding PHI

• Seek authorization before selling PHI for certain purposes

Business Associate “To Do” List

• Appoint a security official – can be same person as privacy official

• Implement HIPAA security administrative, technical and physical safeguards

• Develop and maintain written security policies and procedures

• Develop and conduct privacy and security employee training

• Implement technologies or methodologies to secure PHI

• Comply with notification and documentation rules regarding breaches of unsecured PHI

• Conduct an inventory of all PHI that you process and store for covered entities

• Conduct an [independent] assessment of PHI risks within your business

Business Risk Assessment: General Questions

• How is PHI used and stored within your company, whether in paper or electronic form?

• What controls limit access into buildings or rooms in which PHI is stored (either in paper or electronic form)

• Who has access into buildings or rooms in which PHI is stored (either in paper or electronic form), and what is the procedure for granting and terminating such access?

• What environmental controls exist to protect PHI from destruction?

• Does your company use shredders for destroying documents that contain PHI? Have all employees been trained on the use of shredders?


• Who in your company is responsible for creating and updating HIPAA policies and procedures?

• When were the company’s HIPAA policies and procedures last updated?

• Are all new employees trained to follow the company’s HIPAA policies and procedures?

• How often are employees re-trained on the company’s HIPAA policies and procedures?

• Does your company have a formal response plan that addresses security breaches regarding PHI, which should assign roles and responsibilities, isolate affected systems and preserve evidence, and provide for post-incident reporting to covered entities?


• Does the company ever send PHI via email?• Does the company use up-to-date encryption software to

encrypt email containing PHI? NOTE: PW protection does not equal “encryption”

• Does the company conduct regular audits to ensure that encryption policies are being followed?

• Does the company know what PHI is stored on portable devices, e.g., laptops, USB drives, CDs, etc.?

• Is PHI removed from portable devices immediately after use?

• Are all portable devices encrypted?• Does the company employ technology to prevent, detect,

correct and document improper PHI use?


• Is the company’s anti-virus software up-to-date?• Does the company allow remote access to its servers where

PHI is stored?• Do your company’s policies address (at a minimum):

– Risk management and assessment– Physical security– Encryption– Remote access– Media and document destruction– Acceptable use of email, PDAs and software– Training and security reminders– Antivirus and workstation security– Unique user IDs– Security audits– Security incident procedures and logs– Employee clearance, sanctions and access to PHI

Administrative Safeguards

• Implement policies and procedures to prevent, detect, contain and correct security problems– Conduct thorough assessment of the potential risks and

vulnerabilities regarding PHI– Implement security measures sufficient to reduce risks and

vulnerabilities to a reasonable and appropriate level– Apply appropriate sanctions to employees who fail to comply

with security policies and procedures– Implement procedures to regularly review records of

information system activity, such as audit logs, access reports and security incident tracking reports


• Identify the security official that is responsible for the development and implementation of the security policies and procedures

• Implement policies and procedures to ensure that only those employees with a legitimate business need have access to PHI– Implement procedures for authorizing access to PHI when a

legitimate business need exists; document and regularly review such access

– Implement procedures for terminating access to PHI when a legitimate business need no longer exists, e.g., change in job responsibilities, termination, etc.


• Implement a security awareness and training program for all employees– Develop procedures for guarding against, detecting and

reporting malicious software• Security officer should review and approve any new hardware

or software before it is installed• Restrict personal use of company-provided Internet service• Install virus protection software on all workstations and keep it

up to date• Never open unsolicited email or attachments

– Email must pass each of the “Know”, “Received”, “Expect” and “Sense” tests, i.e., is the email from someone you know, from whom you have received email before, from whom you were expecting an email and attachment, and does the email and attachment make sense in relation to the sender, subject line and name of attachment.


– Develop procedures for guarding against, detecting and reporting malicious software (cont.)

• If a dialogue box requests that you run a macro, always choose “No”

– Develop procedures creating, changing and safeguarding passwords

• Passwords should contain at least eight characters, not contain a proper name or common word, should contain at least one capital letter, one digit (0-9) and one special character (e.g., *, :, $, =, !, -, #, _) – so called “enterprise passwords”

• Implement procedure to change passwords regularly, e.g., every 60 days

• Never give password out over the phone or in email• Never leave password out in public view

– Issue periodic security reminders


• Implement policies and procedures to address security incidents– Identify, respond to, mitigate and document all security incidents

• Implement policies and procedures for responding to an emergency or other occurrence that damages systems that contain PHI– Implement and procedures to create and maintain exact copies of

ePHI– Establish procedures to restore any loss of data– Establish procedures to enable continuation of critical business

processes for protection of ePHI while operating in emergency mode

• Perform periodic technical and non-technical evaluations of policies and procedures

Physical Safeguards

• Implement policies and procedures to limit physical access to electronic information systems and the facilities in which they are housed, while ensuring that properly authorized access is allowed

• Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstations that can access ePHI

Physical Safeguards

• Implement physical safeguards for all workstations that access ePHI to restrict access to authorized users

• Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain ePHI into and out of the facility, and the movement of these items within the facility– Implement policies and procedures to address the final

disposition of ePHI and/or the hardware or electronic media on which it is stored

– Implement policies and procedures for removal of ePHI from electronic media before it is re-used

Technical Safeguards

• Implement technical policies and procedures for electronic information systems that maintain ePHI to allow access only to appropriate persons or software programs– Assign a unique user name for indentifying and tracking user

identity– Establish procedures for obtaining necessary ePHI during

an emergency– Implement a mechanism to encrypt and decrypt ePHI

• Implement hardware, software and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI

Technical Safeguards

• Implement policies and procedures to protect ePHI from improper alteration or destruction

• Implement policies and procedures to verify that a person or entity seeking access to ePHI is the one claimed

• Implement technical security measures to guard against unauthorized access to ePHI that is being transmitted over an electronic communications network

Documentation Requirements

• Maintain all policies and procedures implemented in written (which may be electronic) form

• If an action, activity or assessment is required to be documented, maintain a written (which may be electronic) record of the action, activity or assessment

• All such documentation must be maintained for six (6) years from the date of its creation or the date when it was last in effect, whichever is later

Documentation Requirements

• Make all such documentation available to those persons responsible for implementing the policies and procedures covered by such documentation

• Review all such documentation periodically, and update as necessary, in response to environmental or operational changes affecting the security of ePHI

Security Breach Notification Requirements

• Business associate must notify covered entity following a discovery of a breach of unsecured PHI (whether in paper or electronic form) without unreasonable delay and in any event within 60 calendar days after discovery of the breach– “Unsecured PHI” means PHI that is not rendered unusable,

unreadable or indecipherable through the use of a technology or methodology specified by HHS, e.g., unencrypted data

• Use of encryption is a “safe harbor” under HITECH– Full disk encryption, email encryption, file encryption and device

encryption (Blackberries and other PDAs, USB thumb drives, IPODs, CDs/DVDs)


– Breaches are treated as “discovered” as of the first day on which the breach is known to the business associate or, by exercising reasonable diligence, would have been known by the business associate

– Note: Because the covered entity must provide required notifications to the individuals affected, HHS and the media within 60 calendar days after discovery of the breach, business associate agreements will limit the time to report breaches to shorter period, e.g., 10 business days

– Note: Business associates must notify covered entities of all unauthorized uses not just “breaches”


– “Breach” means the acquisition, access, use or disclosure of PHI that compromises the security or privacy of the PHI, i.e., poses a significant risk of financial, reputational or other harm to the affected individuals

– “Breach” excludes:• Unintentional access to PHI by employee of business associate

if such access was made in good faith and within the employee’s scope of authority and does not result in further use or disclosure

• Inadvertent disclosure by a person authorized to access PHI at the business associate to another person authorized to access PHI at the same business associate that does not result in further use or disclosure

• A disclosure of PHI where the business associate has a good faith belief that the person to whom the disclosure was made would not reasonably have been able to retain such PHI

Content of Breach Notice

• Breach notice must contain:– Identity of each individual whose unsecured PHI has been,

or is reasonably believed by the business associate to have been, accessed, acquired, used or disclosed during the breach

– Brief description of what happened, including the date of the breach and the date the breach was discovered

– Description of the types of unsecured PHI that were involved in the breach

– Steps individuals should take to protect themselves from potential harm

– Brief description of what company is doing to investigate the breach, to mitigate harm to individuals, and to protect against further breaches

Breach Risk Assessment

• Case by case risk assessment– Who received information?– What information was disclosed?– Were any steps taken to mitigate risks?

• Risk assessment must be documented and kept for 6 years because burden of proof is on business associate to prove either:– Company provided the required notice; or – Use or disclosure was not a “breach”

Revising Business Associate Agreements

• Must contain all original HIPAA terms– Recall “model” business associate agreement

• Must contain HITECH updates– Breach notification requirements– Administrative, physical and technical safeguards

and security documentation requirements– New privacy rules re. marketing, sale of PHI and

fundraising


• Should contain:– Supersession provision– Definitions (e.g., limiting “PHI” to PHI received

from, or created or received on behalf of, covered entity

– Reference to underlying agreement and its relationship to business associate agreement

– Disclaimer regarding (no) intent to waive privilege– Permission of use PHI for management and

administration of business associate


• Should contain:– Permission to use PHI for data aggregation

services– Provision for disclosure of PHI in response to legal

process, e.g., subpoena– Provision regarding ownership of PHI– Explicit agreement regarding compliance costs– Option to terminate business associate agreement

upon material breach – the “tattletale rule”


• Should contain:– Notice and certification (and time period) when

destruction of PHI upon termination is not feasible– Disclaim any agency relationship– No third party beneficiaries– Contact information for notices– Construction and amendment upon amendment of

security/privacy rules


• Should contain:– Indemnity/hold harmless, e.g., providing breach

notification and mitigation– Requirement regarding cyber-liability coverage

naming additional insured– Provision regarding responsibility for sending

breach notification– Provision regarding responsibility for maintaining

accounting of disclosures


• Should contain:– Provision regarding amendment of PHI– Provision regarding access to PHI– Provision regarding transition services upon

termination of agreement– Time period for reporting security incidents– Time period for reporting “breaches” (recall notice

requirements)– Time period regarding access, amendment and

accounting for disclosures


• Should contain:– Time period for cure of violations or breaches– Time period regarding requests for restrictions– Provision regarding amendment/addenda for new

rule-making– Provision regarding auditing

Resources

– Virus protection• Symantec• TrendMicro• Kapersky Labs

– Email encryption• ZixCorp• Hushmail

– Encrypted thumb drives• SanDisk encrypted flash drives

– Data loss prevention• Symantec – Vontu, Endpoint

Resources

• HHS Website– Privacy -

http://www.hhs.gov/ocr/privacy/hipaa/understanding/index.html– FAQ - http://www.hhs.gov/ocr/privacy/hipaa/faq/index.html

• Bibliography– HIPAA Privacy and Security Rules - 45 C.F.R. Parts 160, 162 and

164– HITECH Act – 42 U.S.C. 17921 – 17954– HHS Guidance on Significant Aspects of the Privacy Rule -

http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/privacyguidance.html

– HHS Guidance on How to Comply with the Security Rule - http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/securityruleguidance.html

This presentation is for general informational purposes only and is not to be taken as legal advice. Please consult with your attorney for legal advice regarding HIPAA/HITECH compliance.

HITECH Act of 2009

Documents

Transcript of HITECH Act of 2009