HIPAA in a Post-HITECH World

Stephen L. Page, RegionalCare Hospital Partners, stephen.page@regionalcare.net, (615) 844-9849

Elizabeth Warren, Bass Berry Sims PLC, ewarren@bassberry.com, (615) 742-7719

2014 HIPAA TOPICS

Overview of HIPAA Basics

Liability Risks with Business Associates

OCR Enforcement 2014

OCR 2014 Guidance

HIPAA Audits

Data Breaches

New Frontiers (and some old ones)

HIPAA 101

HIPAA refers to the Health Insurance Portability and Accountability Act of 1996

HIPAA prohibits the unauthorized use or disclosure of protected health information unless an exception applies

HIPAA impacts covered entities and business associates of covered entities

HITECH Act of 2009 revised certain parts of HIPAA

HIPAA 101 - What is PHI?

Individually identifiable information

Relating to condition, treatment, or payment

Created or received by a provider, plan, employer, or clearinghouse

Transmitted or stored electronically or in any other form

HIPAA 101 - Who is covered by HIPAA?

Covered Entities (CEs)

- Health Plans (including group health plans)

- Clearinghouses

- Providers

Business Associates of Covered Entities (BAs)

- Including law firms that handle PHI for clients who are CEs or BAs

HIPAA 101 – Uses and Disclosures

The Privacy Rule defines and limits how an individual’s PHI may be used or disclosed by CEs

The CE may not use or disclose PHI except:

- as the Privacy Rule permits or requires (without an authorization), OR

- as authorized in writing by the individual who is the subject of the information

HIPAA 101 – HIPAA Authorizations

A HIPAA authorization is a specific type of written permission

Must contain a number of mandatory elements (who, what, why, etc.)

A “2 sentence” type permission is not compliant

May not be combined with other types of permission (with very narrow exceptions such as for research)

HIPAA 101 – HIPAA Patient Rights

Access

Amendment

Accounting of certain disclosures

Privacy notice

Restrictions and confidential communications

Complaints

HIPAA 101 – Additional Requirements:

Minimum necessary

Safeguards (all PHI)

Business associate agreements

Privacy officer

Policies and procedures

Training

Liability Risks with Business Associates

• HITECH: increased risk of being held liable for BA acts

• Actions of business associate vendors can create breach notification obligations for covered entities

• Client view may be: “we didn’t cause this, so not our problem.” Wrong response.

• OCR view: “no get out of jail free card for covered entity.”

Liability Risks with Business Associates

• How to prevent/mitigate issues with BA compliance?

• Consider indemnification clauses

• Consider reviewing key BA security safeguards—but watch out for risks

• Confirm policies address process for providing access to BAs

Liability Risks with Business Associates

Risks for BA oversight:

- If you know about issues and don’t address them . . .

- Be careful what you ask for and how wide of a net you cast

- Will your oversight trigger the BA being viewed as an agent?

Enforcement

Since April 2003, HHS has received over 99,957 HIPAA complaints

OCR has resolved 96% of complaints received (over 96,741 cases)

OCR found violations of HIPAA in over 22,927 cases

OCR found no violation in 10,390 cases

OCR found 63,424 cases that were not eligible for enforcement

Enforcement

Jail time for HIPAA criminal violations: still happening

- 10/2013: nursing assistant in Florida sentenced to 3 years for stealing and selling patient records

First penalty for failure to have breach notification policies: $150,000 penalty imposed on dermatology practice (involved stolen unencrypted thumb drive)

Enforcement

Don’t leave PHI on the curb: $800,000 settlement for 2009 conduct (Parkview; June 2014)

Don’t post PHI on the internet: $4.8 Million record settlement (NY Presby/Columbia; May 2014)

Do encrypt laptops

- $1,725,220 (Concentra; April 2014)

- $250,000 (QCA; April 2014)

Enforcement: Lawsuits

West Virginia case allowed to proceed based on state law

Many class actions based on breaches still dismissed

FCRA claims?

Enforcement: Lessons Learned or Not

Hard to predict amount of penalties or when conduct gets penalized

Enforcement actions may take years

Increasing pressure to allow private causes of action

Criminal penalties may help with internal training

Sources of complaints/investigations broadening:

- unions

- covered entity in response to BA breach notice

- payers

New OCR Guidance

Guidance on lawfully married same sex spouses

Sharing Information related to Mental Health

Security Risk Assessment tool released

On the Horizon: New Audits

Audits of some 350 healthcare providers and another 50 of their business associates will likely start in early 2015; they were originally set to begin in October 2014

Per OCR, will ask audited CEs for list of BAs and draw from that pool for the 50 audited BAs

Per OCR, will be tied to enforcement

Breach Notification Standard

• Presumption of breach applies to any non-permissible use or disclosure

• Risk assessment using at least 4 factors

- Nature and extent of PHI

- Who received?

- Accessed or not?

- Mitigated?

• Little guidance on how to apply these 4 factors

Data Breach

Data Breaches

OCR investigated since September 2009:

- Breaches involving greater than 500 individuals: 1,176 incidents

- Breaches involving fewer than 500 individuals: 122,000 incidents

60% of data breaches could have been prevented if Covered Entities or Business Associates had encrypted data

Recent Notable Data Breaches and Issues

CHS: new concern is hacking

Concentra (laptops)

Identity theft a real risk (not just dealing with mistakes but with deliberate acts)

HR issues often result in breaches

The “social media defense” breach risk

State Law Privacy Risks

State law risks:

- California: 5 day standard; AG has brought lawsuits (Alere case)

- Florida: new, stricter breach notification law (30 days timing requirement)

- Massachusetts: not limited to enforcing within its borders (RI case)

New Frontiers

False Claims Liability

Medicare Number certifications relating to Business Associate Agreements

Meaningful Use Certifications

FDA Issues Cybersecurity Guidelines for Medical Devices

FTC enforcement

New Frontiers

HIPAA as barrier to technology innovation

The remote use documentation on HHS’s website pre-dates Apple’s iPhone rollout (last updated in December 2006)

It does not include information on any new Apple iOS or Android phones or tablets, making it challenging for developers who want to ensure their apps meet HIPAA regulations

Old Frontiers

BAA templates still lacking for many Covered Entities

Still battles of the forms

Still working to get BAAs in place where needed

Some CEs still lack comprehensive HIPAA policies or awareness

BAs often are still behind the curve

Questions?