Stephen L. Page RegionalCare Hospital Partners [email protected] (615) 844-9849...
Stephen L. Page, RegionalCare Hospital Partners, [email protected], (615) 844-9849
Elizabeth Warren, Bass Berry Sims, [email protected], (615) 742-7719
HIPAA in a Post-HITECH World
2014 HIPAA TOPICS
Overview of HIPAA Basics
Liability Risks with Business Associates
OCR Enforcement 2014
OCR 2014 Guidance
HIPAA Audits
Data Breaches
New Frontiers (and some old ones)
HIPAA 101
HIPAA refers to the Health Insurance Portability and Accountability Act of 1996
HIPAA prohibits the unauthorized use or disclosure of protected health information unless an exception applies
HIPAA impacts covered entities and business associates of covered entities
HITECH Act of 2009 revised certain parts of HIPAA
HIPAA 101 - What is PHI?
Individually identifiable information
Relating to condition, treatment, or payment
Created or received by a provider, plan, employer, or clearinghouse
Transmitted or stored electronically or in any other form
HIPAA 101 - Who is covered by HIPAA?
Covered Entities (CEs)
- Health Plans (including group health plans)
- Clearinghouses
- Providers
Business Associates of Covered Entities (BAs)
- Including law firms that handle PHI for clients who are CEs or BAs
HIPAA 101 – Uses and Disclosures
The Privacy Rule defines and limits how an individual’s PHI may be used or disclosed by CEs
The CE may not use or disclose PHI except:
- as the Privacy Rule permits or requires (without an authorization), OR
- as authorized in writing by the individual who is the subject of the information
HIPAA 101 – HIPAA Authorizations
A HIPAA authorization is a specific type of written permission
Must contain a number of mandatory elements (who, what, why, etc.)
A “2 sentence” type permission is not compliant
May not be combined with other types of permission (with very narrow exceptions such as for research)
HIPAA 101 – HIPAA Patient Rights
Access
Amendment
Accounting of certain disclosures
Privacy notice
Restrictions and confidential communications
Complaints
HIPAA 101 – Additional Requirements:
Minimum necessary
Safeguards (all PHI)
Business associate agreements
Privacy officer
Policies and procedures
Training
Liability Risks with Business Associates
• HITECH: increased risk of being held liable for BA acts
• Actions of business associate vendors can create breach notification obligations for covered entities
• Client view may be: “we didn’t cause this, so not our problem.” Wrong response.
• OCR view: “no get out of jail free card for covered entity.”
Liability Risks with Business Associates
• How to prevent/mitigate issues with BA compliance?
• Consider indemnification clauses
• Consider reviewing key BA security safeguards—but watch out for risks
• Confirm policies address process for providing access to BAs
Liability Risks with Business Associates
Risks for BA oversight:
If you know about issues and don’t address them . . .
Be careful what you ask for and how wide of a net you cast
Will your oversight trigger the BA being viewed as an agent?
Enforcement
Since April 2003, HHS has received over 99,957 HIPAA complaints
OCR has resolved 96% of complaints received (over 96,741 cases)
OCR found violations of HIPAA in over 22,927 cases
OCR found no violation in 10,390 cases
OCR found 63,424 cases that were not eligible for enforcement
Enforcement
Jail time for HIPAA criminal violations: still happening
- 10/2013 nursing assistant in Florida sentenced to 3 years for stealing and selling patient records
First penalty for failure to have breach notification policies: $150,000 penalty imposed on dermatology practice (involved stolen unencrypted thumb drive)
Enforcement
Don’t leave PHI on the curb: $800,000 settlement for 2009 conduct (Parkview; June 2014)
Don’t post PHI on the internet: $4.8 million record settlement (NY Presby/Columbia; May 2014)
Do encrypt laptops
- $1,725,220 (Concentra; April 2014)
- $250,000 (QCA; April 2014)
Enforcement: Lawsuits
West Virginia case allowed to proceed based on state law
Many class actions based on breaches still dismissed
FCRA claims?
Enforcement: Lessons Learned or Not
Hard to predict amount of penalties or when conduct gets penalized
Enforcement actions may take years
Increasing pressure to allow private causes of action
Criminal penalties may help with internal training
Sources of complaints/investigations broadening
- unions
- covered entity in response to BA breach notice
- payers
New OCR Guidance
Guidance on lawfully married same sex spouses
Sharing Information related to Mental Health
Security Risk Assessment tool released
On the Horizon: New Audits
Audits of some 350 healthcare providers and another 50 of their business associates will likely start in early 2015; they were originally set to begin in October 2014
Per OCR, will ask audited CEs for list of BAs and draw from that pool for the 50 audited BAs
Per OCR, will be tied to enforcement
Breach Notification Standard
• Presumption of breach applies to any non-permissible use or disclosure
• Risk assessment using at least 4 factors
- Nature and extent of PHI
- Who received?
- Accessed or not?
- Mitigated?
• Little guidance on how to apply these 4 factors
Data Breach
Data Breaches
OCR investigated since September 2009:
- Breaches involving greater than 500 individuals: 1,176 incidents
- Breaches involving fewer than 500 individuals: 122,000 incidents
60% of data breaches could have been prevented if Covered Entities or Business Associates had encrypted data
Recent Notable Data Breaches and Issues
CHS - new concern: hacking
Concentra (laptops)
Identity theft a real risk (not just dealing with mistakes but with deliberate acts)
HR issues often result in breaches
The “social media defense” breach risk
State Law Privacy Risks
State law risks
California: 5 day standard; AG has brought lawsuits - Alere case
Florida: new, stricter breach notification law (30 days timing requirement)
Massachusetts: not limited to enforcing within its borders (RI case)
New Frontiers
False Claims Liability
Medicare Number certifications relating to Business Associate Agreements
Meaningful Use Certifications
FDA Issues Cybersecurity Guidelines for Medical Devices
FTC enforcement
New Frontiers
HIPAA as barrier to technology innovation
The remote use documentation on HHS’s website pre-dates Apple’s iPhone rollout (last updated in December 2006)
It does not include information on any new Apple iOS or Android phones or tablets, making it challenging for developers that want to ensure their apps meet HIPAA regulations
Old Frontiers
BAA templates still lacking for many Covered Entities
Still battles of the forms
Still working to get BAAs in place where needed
Some CEs still lack comprehensive HIPAA policies or awareness
BAs often are still behind the curve
Questions?