U NDERSTANDING HIPAA
C OMPLIANCE I N 2014:
E THICS , T ECHNOLOGY,
H EALTHCARE & LIFE
JULIE MEADOWS-KEEFE
GROSSMAN, FURLOW, AND BAYÓ, LLC
2022-2 RAYMOND DIEHL RD.
TALLAHASSEE, FL. 32308
(850) 385-1314
J.MEADOWS-KEEFE@GFBLAWFIRM.COM
D OES IT P UT Y OU I N A B AD M OOD ?
H OW M UCH P RIVACY D O Y OU H AVE ?
How Much Privacy Are You Willing To Give Up?
P ERCEIVED B ARRIERS ?
W IRED M AGAZINE 11-15-12

The age of the password has come to
an end; we just haven’t realized it yet.
And no one has figured out what will
take its place. What we can say for sure
is this: Access to our data can no longer
hinge on secrets—a string of characters,
10 strings of characters, the answers to
50 questions—that only we’re supposed
to know. The Internet doesn’t do
secrets. Everyone is a few clicks away
from knowing everything.
S O W E R ECOGNIZE
W E A RE A LL V ULNERABLE

“A stolen medical identity
has a $50 street value –
whereas a stolen social
security number, on the
other hand, only sells for
$1.00” said Kirk Herath,
Nationwide Chief Privacy
Officer.
FACTS A BOUT M EDICAL
I DENTITY T HEFT

1.5 Million American Affected

Average cost to restore identity is over
$20,000.

Medical identity theft comprises 3% of
all identity thefts

Nearly half of victims lose their
coverage

Can take a year to discover

Healthcare was most breached industry
in 2011
S O W HAT D OES HIPAA D O ?

HIPAA sets a national standard for
accessing and handling medical
information

Access to your own medical records,
prior to HIPAA, was not guaranteed by
federal law.

Notice of privacy practices about
how your medical information is used
and disclosed must now be given to
you.

An accounting of disclosures
HIPAA 1996
1996 M AC
P OPULAR S ONG & D ANCE IN 1996
I N 1996

Google.com didn’t exist yet.

In January 1996 there were only
100,000 websites, compared to more
than 160 million in 2008.

The web browser of choice was
Netscape Navigator, followed by
Microsoft Internet Explorer as a distant
second (Microsoft launched IE 3 in
1996).

Most people used dial-up Internet
connections
ARRA

February 17, 2009. ARRA Signed into Law. Also
known as the “Stimulus” $ 25.8 Billion for
Health IT

Increased Regulation of Organizations
Contracting with Covered Entities

Covered Entities Must Carefully Monitor
Disclosures of PHI

Increased Limitations on use of PHI

Increased Penalties and Enforcement Mechanisms

Breach notification and reporting requirements.
E VIDENCE B ASED M EDICINE

Conscientious, explicit and judicious
use of current best evidence in making
decisions about the care of individual
patients

Use of mathematical estimates of the
risk of benefit and harm, derived from
high-quality research on population
samples, to inform clinical decisionmaking in the diagnosis, investigation
or management of individual patients."
B IG D ATA
How much regulation is needed for
electronic health records and
systems? How much is too much? Does
technology harm patients? How much
risk do patients face in the era of "big
data?“ Can data reach level of necessary
granularity to only show minimum
amount of data necessary to provide a
particular treatment?
E XPRESS S CRIPTS H AS B IG D ATA

Provides Pharmacy Benefits to over 100
million people.

They see 1.4 billion prescriptions a year, each
one of which generates adds a little more
data to their pile.

They now have 100 people sorting through
that information trying to detect fraud.
They've got nurses and pharmacists and
forensic accountants, along with a group of
data nerds investigating thousands of cases of
shady dealings a year.
S OME F EAR
W HAT
IS A
“B REACH ?”

A breach is, generally, an impermissible use or disclosure under
the Privacy Rule that compromises the security or privacy of the
protected health information such that the use or disclosure
poses a significant risk of financial, reputational, or other harm
to the affected individual.

There are three exceptions to the definition of “breach.” The
first exception applies to the unintentional acquisition, access,
or use of protected health information by a workforce member
acting under the authority of a covered entity or business
associate. The second exception applies to the inadvertent
disclosure of protected health information from a person
authorized to access protected health information at a covered
entity or business associate to another person authorized to
access protected health information at the covered entity or
business associate. In both cases, the information cannot be
further used or disclosed in a manner not permitted by the
Privacy Rule. The final exception to breach applies if the
covered entity or business associate has a good faith belief that
the unauthorized individual, to whom the impermissible
disclosure was made, would not have been able to retain the
information.
TAKE -AWAY

PLEASE MAKE SURE ALL STAFF ARE UTILIZING
ENCRYPTION FOR TRANSMISSION OF PHI.
B REACHES B IG
IN
O MNIBUS

the nature and extent of the protected
health information involved, including the
types of identifiers and the likelihood of
re-identification

the unauthorized person who used the
protected health information or to whom
the disclosure was made

whether the protected health information
was actually acquired or viewed

the extent to which the risk to the
protected health information has been
mitigated
B REACHES S O FAR

January, 2013-First HIPAA
breach settlement involving
less than 500 patients (Idaho
Hospice)

April 2012 HHS settles case
with Phoenix Cardiac Surgery
for lack of HIPAA safeguards
A LASKA D EPARTMENT OF H EALTH
AND H UMAN S ERVICES

Settled for 1.7 million dollars.

One lost unencrypted flash drive from
an employee’s car led to extensive
HHS investigation.

Insufficient training and risk
assessment.
2013 V ERIZON B REACH
R EPORT

THREAT ACTORS

External 92%

Internal 14%

Partners 1%
T HREAT A CTIONS

Malware
10%

Hacking
52%

Social
29%

Misuse
13%

Physical
35%

Error
2%
ATTACKED
ENTITIES

Financial Organizations
37%

Utilities
24%

Manufacturing, transportation
20%

Healthcare organizations
0.90%
B USINESS A SSOCIATE
R EQUIREMENTS
Extends HIPAA’s
requirements, not just to
business associates, but to
subcontractors that handle
protected health information
on behalf of business
associates
N OTICE OF P RIVACY P RACTICES

Need to revise to reflect
patient’s right to receive
breach notifications.
R EQUEST

FOR
R ESTRICTIONS
Specifically, covered entities must agree
to restrict disclosures of protected health
information about the individual if the
disclosure is for payment or healthcare
operations purposes, is not required by
law, and the protected health information
pertains solely to a healthcare item or
service for which the individual, or
someone on the individual's behalf other
than the health plan, has paid the covered
entity in full.
J ULIE ’ S S TORY

Real-life experience with too much data
being included in an EHR.

https://www.youtube.com/watch?v=tK1KeC
y5j9Q
L ICENSURE

Licensure involves providing a full
explanation and record documenting any
affirmative responses to health questions,
including emotional/mental illness,
chemical dependency.
THANK YOU
J ULIE M EADOWS -K EEFE
G ROSSMAN , F URLOW, AND B AYÓ
2022-2 R AYMOND D IEHL RD.
TALLAHASSEE , FL. 32308
(850) 385-1314
J . MEADOWS - KEEFE @ GFBLAWFIRM . COM