Confidentiality and HIPAA Issues in Telemedicine

CURRENT LEGAL ISSUES IN TELEMEDICINE WEBINAR: CONFIDENTIALITY AND HIPAA ISSUES IN TELEMEDICINE
AUGUST 26, 2015
Jeanne M. Born, RN, JD
Jborn@nexsenpruet.com

Patient Confidentiality

‣ Every State and Federal law that protects the confidentiality, privacy and security of protected health information that is created in a face-to-face encounter applies to virtual encounters.
‣ Telemedicine creates new challenges:
  ‣ Increases the number of people who may/will have access to health information:
    ‣ Clinical professionals;
    ‣ Technical professionals:
      ‣ Site where the patient is located +
      ‣ Telemedicine provider +
      ‣ Distant site.

Palmetto Care Connections webinar, www.nexsenpruet.com

Patient Confidentiality

‣ Health information is being transmitted as it is being created:
  ‣ Subject to increased privacy and security risks:
    ‣ Increased number of people who have access;
    ‣ Data management issues: information may be in formats not previously part of the medical record (audio and video recordings);
      ‣ How and where is this new information to be stored?
    ‣ Data sharing issues: who is the owner of the medical record:
      ‣ The site where the patient is located?
      ‣ The distant site where the physician is located?
    ‣ Potential for unauthorized persons viewing/hacking:
      ‣ Fear of “unseen persons” during the telemedicine session;
      ‣ Fear about the reliability of security with telemedicine hardware/devices/applications.

PATIENT CONFIDENTIALITY/HIPAA

‣ Examples of issues with telemedicine/telehealth that can create increased risk exposure:
  ‣ Interoperability in cooperating locations' systems could increase risks (breach; medical errors);
  ‣ Interruptions in connectivity mid-examination/procedure;
  ‣ Differences in operational procedures and technology implementations could increase risk exposure;
  ‣ Treatment could be viewed by unauthorized individuals without patient knowledge or permission;
  ‣ Electronic communications could be hacked by unauthorized individuals;
  ‣ Locally stored PHI could be accessed or altered by people with system-level privileges.

Patient Confidentiality/Privacy/Security

‣ Address concerns by conducting a thorough review of the entire process:
  ‣ Comply with applicable State and Federal confidentiality / privacy / security laws;
  ‣ Apply appropriate administrative, physical and technical safeguards;
  ‣ Educate both patients and staff (clinical and technical).

Patient Confidentiality: State Laws

‣ Examples of professional licensing standards that require confidentiality:
  ‣ Physicians – S.C. Code Regs. 81-60 § D
  ‣ Nurses – S.C. Code Ann. § 40-33-110(A)(8)
  ‣ Psychologists – S.C. Code Regs. 100-4 § B.2
  ‣ Social Workers – S.C. Code Regs. 110-20 § 15
  ‣ Professional counselors, associate counselors and marriage and family therapists – S.C. Code Ann. § 40-75-190
  ‣ Emergency Medical Technicians – S.C. Code Regs. 61-7 § 110.A.9
‣ Violations can result in disciplinary action. See S.C. Board of Medical Examiners v. Hedgepath, 480 S.E.2d 724 (S.C. 1997).

Patient Confidentiality: State Laws

‣ Examples of institutional licensing laws affecting confidentiality:
  ‣ Abortion Clinics – S.C. CODE REGS. 61-12 § 402
  ‣ Hospitals – S.C. CODE REGS. 61-16 § 1107.A
  ‣ Nursing Homes – S.C. Code Ann. § 44-81-40(H)
  ‣ Physician Offices – S.C. Code Ann. § 44-115-40
  ‣ Day Care Facilities for Adults – S.C. CODE REGS. 61-75 § 901.A.6
  ‣ Home Health Agencies – S.C. CODE REGS. 61-77 §§ 801.A.3 & 902.C
  ‣ Hospices – S.C. CODE REGS. 61-78 § 701
  ‣ Facilities that Treat Individuals for Psychoactive Substance Abuse or Dependence – S.C. CODE REGS. 61-93 § 703.B

South Carolina Case Law

‣ Breach of confidence:
  ‣ McCormick v. England: established the tort of “breach of confidence” for a physician who disclosed a patient’s information to a third party without the patient’s consent or legal compulsion. 494 S.E.2d 431 (S.C. App. 1997).
  ‣ But see Evans v. Rite Aid Corp., where the S.C. Supreme Court found that neither a pharmacist nor a pharmacy had a duty of confidentiality to a customer. 478 S.E.2d 846 (S.C. 1996).
    ‣ Following this case the S.C. Legislature passed the Prescription Information Privacy Act. S.C. Code Ann. §§ 44-117-10 through -380.

Patient Confidentiality: Behavioral Health

‣ Behavioral Health information:
  ‣ S.C. Code Ann. § 19-11-95 – creates both a privilege and a confidentiality obligation for behavioral health providers (not physicians) – a provider may not knowingly reveal a confidence of his patient, use a confidence of his patient to the disadvantage of the patient, or use a confidence of his patient for the advantage of himself or of a third person unless the patient gives written authorization after disclosure to him of what confidences are to be used and how they are to be used, except when permitted by law.
  ‣ Requires providers to pass on confidentiality/re-disclosure obligations downstream.

Patient Confidentiality: Behavioral Health

‣ Exceptions: a provider may disclose confidential information:
  ‣ With written authorization;
  ‣ As allowed by law;
  ‣ To prevent the commission of a crime/prevent harm to the patient;
  ‣ Collect fee for service;
  ‣ In the course of diagnosis, counseling, or treatment, confidences necessary to promote care within the generally recognized and accepted standards, practices, and procedures of the provider's profession; and
  ‣ For peer review participation.

Patient Confidentiality: State Laws

‣ Information held by the Department of Mental Health:
  ‣ S.C. CODE ANN. § 44-22-90 – Communications between patients and mental health professionals, including general physicians, psychiatrists, psychologists, psychotherapists, nurses, social workers, or other staff members employed in a patient-therapist capacity or employees under supervision of them, are considered privileged. A patient may refuse to disclose and may prevent a witness from disclosing privileged information, with certain exceptions.

Patient Confidentiality: State Laws

‣ Exceptions:
  ‣ To other staff on a “need to know” basis;
  ‣ For involuntary commitment proceedings;
  ‣ In an emergency to prevent the patient from self-harm;
  ‣ In the course of court-ordered psychiatric examination if the information is admissible only on issues involving the patient’s mental condition;
  ‣ In a civil proceeding when the patient introduces his/her mental condition as an element of his/her claim or defense if the court finds that the need for the disclosure outweighs the need to protect the psychiatrist/patient relationship;
  ‣ With consent of the patient or legal representative; or
  ‣ As otherwise permitted by law.

Patient Confidentiality: State Laws

‣ S.C. CODE ANN. § 44-22-100 – Certificates, applications, records, and reports made by the DMH that directly or indirectly identify a mentally ill or alcohol and drug abuse patient or former patient or individual whose commitment has been sought must be kept confidential, and must not be disclosed except:
  ‣ With patient or legal representative’s consent;
  ‣ Court decides that failure to disclose in a proceeding is contrary to public interest;
  ‣ Required for research by the DMH or DAODAS with patient consent;
  ‣ Necessary to cooperate with law enforcement, health, welfare and other State agencies or when furthering the welfare of the patient/patient’s family;
  ‣ Disclosure is necessary to carry out the provisions of Chapters 9, 11, 13, 15, 17, 20, 23, 24, 25, 27 & 52 of Title 44 of the S.C. Code.

Patient Confidentiality: State Laws

‣ S.C. CODE ANN. § 44-26-130 – Communications between clients and intellectual disability professionals, including general physicians, psychiatrists, psychologists, nurses, social workers, members of interdisciplinary teams, or other staff members employed in a client-therapist capacity or an employee under supervision of them, are considered confidential. Certificates, applications, records, and reports made for the purpose of Chapter 26 that directly or indirectly identify a client, as well as privileged communications, must be kept confidential and must not be disclosed by a person, with exceptions.

Patient Confidentiality: State Laws

‣ Exceptions:
  ‣ The client or legal representative consents;
  ‣ Court decides that failure to disclose in a proceeding is contrary to public interest;
  ‣ Required for research conducted by the Department;
  ‣ Necessary to cooperate with law enforcement, health, welfare and other State agencies, schools, and county entities;
  ‣ Necessary to carry out Chapter 26.
‣ Also:
  ‣ To the next of kin upon inquiry;
  ‣ For educational purposes if the client’s identity is concealed;
  ‣ To the ombudsman or S.C. Protection and Advocacy System for the Handicapped, Inc.

Patient Confidentiality: State Laws

‣ Protects information regarding STDs.
‣ All information which is reported to DHEC regarding STDs must be kept completely confidential with extremely limited exceptions.
‣ Confidentiality of information encourages persons who may be infected to obtain testing and counseling, which in turn protects the public health.
‣ In order to ensure the confidentiality of records relating to sexually transmitted diseases, DHEC must keep information related to known or suspected cases of sexually transmitted disease strictly confidential. S.C. Code Ann. § 44-29-135.

Patient Confidentiality: State Laws

‣ Drug and Alcohol Treatment (creates a privilege):
  ‣ S.C. CODE ANN. § 44-53-140 – Whenever a holder of the privilege shall seek counselling, treatment, or therapy for any drug problem from a confidant, no statement made by such holder and no observation or conclusion derived from such confidant shall be admissible against such holder in any proceeding. The results of any examination to determine the existence of illegal or prohibited drugs in a holder's body shall not be admissible in any proceeding against such holder.
  ‣ The privilege belongs to the holder and if he waives the right to claim the privilege the communication between the holder of the privilege and the confidant shall be admissible in evidence in any proceeding.
  ‣ There is no privilege if the services of a confidant are sought to enable the holder of the privilege to commit or plan to commit a crime or a tort.

Patient Confidentiality: Federal Laws

‣ Constitutional Protections:
  ‣ Fifth Amendment – The U.S. Supreme Court held that there is a right to privacy which is an interest related to personal autonomy and an interest in avoiding disclosure of personal matters.
  ‣ Fourteenth Amendment – The right to protection against an invasion of privacy extends to a person’s documents, which include a person’s health information.
  ‣ Whalen v. Roe, 429 U.S. 589 (1977).

Patient Confidentiality: Federal Laws

‣ Privacy Act of 1974 – Enacted to help protect personal information collected by the federal government, including medical information collected in the Medicare and Medicaid programs. 5 U.S.C. § 552a.
‣ The confidentiality protection under this federal statute is riddled with exceptions. Persons/agencies with access to these records are: (1) employees of the agency maintaining the record; (2) recipients who provide advance notice that records will be used for statistical research; (3) federal government agencies enforcing civil/criminal law; (4) persons showing a compelling need; and (5) records may be disclosed to a private firm for transcription or copying. Id.

Patient Confidentiality: Federal Laws

‣ Medicare/Medicaid Conditions of Participation:
  ‣ Hospitals: 42 C.F.R. § 482.24(b)(3)
  ‣ Critical Access Hospitals: 42 C.F.R. § 485.638(b)(1)
  ‣ Home Health Services: 42 C.F.R. § 484.10(d)
  ‣ Hospice: 42 C.F.R. § 418.52(c)(5)
  ‣ Community Mental Health Centers: 42 C.F.R. § 485.910(c)(3)

Patient Confidentiality: Federal Laws

‣ Alcohol and Drug Rehab Act – Severely limits access to records of alcohol and drug abuse patients.
‣ 42 U.S.C. § 290dd-2; 42 C.F.R. Part 2.
‣ Applies only to programs holding themselves out as providing drug and alcohol treatment;
‣ Applies to Medicare participating hospitals only if:
  ‣ Has an identified unit that provides drug and alcohol diagnosis, treatment or referral; or
  ‣ Medical personnel or other staff whose primary function is the provision of such care.

Patient Confidentiality: Federal Laws

‣ Disclosures may be made:
  ‣ With prior written consent of the patient, under the circumstance and purpose expressed in the consent (requires a specific consent);
  ‣ With or without patient consent when made to medical personnel to the extent necessary to handle a bona fide medical emergency;
  ‣ Without consent for research, management audit, or program evaluation purposes as long as the patient's identity is not revealed; or
  ‣ Without patient consent pursuant to a court order upon application showing good cause. Good cause = public interest in the need to disclose vs. potential injury to the patient, the physician-patient relationship, and the treatment program.

Patient Confidentiality: Federal Laws

‣ Good cause in a civil case:
  ‣ Other ways of obtaining the information are unavailable or ineffective; &
  ‣ The public interest and need for disclosure outweigh the potential injury to the patient, the physician-patient relationship, and the treatment services.
‣ Good cause in a criminal case:
  ‣ Extremely serious crime (ex: homicide, rape, kidnapping);
  ‣ Information will be of substantial value in the case;
  ‣ Other ways of obtaining the information are unavailable or ineffective;
  ‣ Injury to the patient, physician/patient relationship & the program is outweighed by public interest in making the disclosure; &
  ‣ The applicant & person holding the records has been afforded counsel.

HIPAA: Privacy and Security

HIPAA/HITECH

‣ Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”)
‣ American Recovery and Reinvestment Act of 2009
  • Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH”);
  • Subtitle D – Privacy
‣ New HITECH Implementing Regulations: 78 F.R. 5566 (“HITECH Final Rule”) published January 25, 2013 – effective March 26, 2013 – enforcement begins September 22, 2013
‣ HITECH Final Rule also implements changes necessary in the Patient Safety & Quality Improvement Act (“PSQIA”) and the Genetic Information Nondiscrimination Act (“GINA”)

HIPAA/HITECH = Assumptions

‣ I will assume that you all speak “HIPAA”

HIPAA/HITECH

‣ HITECH made multiple changes in the existing HIPAA Statutes, Privacy Standards and Security Standards that directly affect covered entities, business associates and others.

HIPAA/HITECH

‣ HITECH Act Definitions: Generally, all definitions are the same as under prior law with the exception of the terms further described in this presentation.
‣ HITECH Final Rule provides more definitions, including HITECH, PSQIA & GINA.

Abbreviations: KEY

‣ Covered Entity: CE
‣ Business Associate: BA
‣ Business Associate Agreement: BAA
‣ Individually Identifiable Health Information: IIHI
‣ Protected Health Information: PHI
‣ Electronic Protected Health Information: E-PHI
‣ Civil Money Penalty: CMP
‣ Notice of Privacy Practices: NPP

HIPAA

‣ HIPAA applies to health plans, health care clearinghouses and health care providers that transmit PHI in a HIPAA covered transaction, including:
  ‣ health claims or equivalent encounter information;
  ‣ health claims attachments;
  ‣ enrollment and disenrollment in a health plan;
  ‣ eligibility for a health plan;
  ‣ health care payment and remittance advice;
  ‣ health plan premium payments;
  ‣ first report of injury;
  ‣ health claim status; and
  ‣ referral certification and authorization.

HIPAA

‣ HIPAA purposes:
  ‣ Standardize the transmission of information between health care providers and payors
  ‣ Protect the privacy and security of health information

HIPAA

‣ Various regulations have been promulgated under HIPAA and HITECH:
  ‣ Security Standards
  ‣ Privacy Standards
  ‣ Identifier standards:
    ‣ Provider;
    ‣ Health Plan; &
    ‣ Employer
  ‣ Transaction Standards
  ‣ Enforcement Standards
  ‣ Breach Standards

General Rules

‣ Must have policies and procedures to comply with the Privacy Standards and the Security Standards.
‣ Prior to HITECH, the Privacy and Security Standards applied only to CEs.
‣ After HITECH many of the provisions of the Privacy and Security Standards apply to BAs.

General Rules: Privacy Standards

‣ Privacy Standards are all about using and disclosing PHI.
‣ Prior to using or disclosing PHI for any purpose, the purpose of the use or disclosure should be determined, and PHI used and disclosed only as required or permitted by the Privacy Standards.
‣ Always ask 2 questions:
  ‣ Who is the requestor?
  ‣ What is the purpose of the request?
‣ Prior to requesting PHI for any purpose, the purpose of the request should be determined, and PHI requested only as permitted under the Privacy Standards.

General Rules: Privacy Standards

‣ Only two required disclosures:
  ‣ MUST provide access to the individual (with some exceptions)
  ‣ MUST provide access to the Secretary of the USDHHS
‣ All of the rest of the disclosures are permissive disclosures under the Privacy Standards.

General Rules: Privacy Standards

‣ MAY use or disclose protected health information only as permitted under the Privacy Standards (Policies/Procedures):
  ‣ For treatment, payment and health care operations;
  ‣ Pursuant to a HIPAA authorization;
  ‣ Notification purposes: family members/friends;
  ‣ Governmental agencies (DHEC; LLR; OSHA; FDA; etc.);
  ‣ Law enforcement;
  ‣ Legal proceedings;
  ‣ Business Associates.

General Rules: Privacy Standards

‣ Need policies and procedures for all of the foregoing and:
  ‣ Designation of the Privacy Officer;
  ‣ Privacy Training;
  ‣ Notice of Privacy Practices;
  ‣ Patient Directory;
  ‣ Minimum Necessary Standard;
  ‣ Amendment of PHI;
  ‣ Accounting of Disclosures;
  ‣ Restrictions on the Use and Disclosure of PHI;
  ‣ Confidential Communications;

General Rules: Privacy Standards

‣ Complaints;
‣ Safeguarding PHI;
‣ Sanctions;
‣ Mitigation;
‣ Non-retaliation;
‣ Fundraising;
‣ Marketing;
‣ Research;
‣ . . . etc.

Telemedicine Issues: Privacy Standards

‣ Privacy Training:
  ‣ Make the determination by “following the PHI”;
  ‣ Hardware vendors;
  ‣ Software/application vendors.
‣ NPP:
  ‣ Does your NPP anticipate using and disclosing PHI via telemedicine?
‣ Designated Record Set:
  ‣ Does your DRS policy/procedure include audio/video formatted PHI as part of your DRS?
  ‣ Why does that matter?

Telemedicine Issues: Privacy Standards

‣ Access to PHI:
  ‣ When a patient requests a copy of or access to their PHI, have you anticipated how to provide a copy of the audio/videoed telemedicine encounter?
‣ Amendment of PHI:
  ‣ If a telemedicine encounter is going to be recorded as part of the DRS, how do you accommodate a request for amendment to the recorded encounter?

Telemedicine Issues: Privacy Standards

‣ Marketing: Contacts by BA telemedicine vendors:
  ‣ General Rule: If you are going to use or disclose PHI for marketing purposes, you must obtain an authorization from the patient.
  ‣ Very narrow exceptions that do not apply to telemedicine:
    ‣ Face-to-face communications (NOT over the telephone);
    ‣ Provision of a nominal gift;
    ‣ Refill reminders;
    ‣ For treatment, to direct a patient to an alternative treatment, therapy, health care provider or setting of care;
    ‣ Describe a health-related product or service included in a plan of benefits;
    ‣ Case management or care coordination, contacting individuals about treatment alternatives and related functions to the extent these activities do not fall within the definition of treatment.

General Rules: Security Standards

‣ CEs and BAs must protect the security of all E-PHI in a manner consistent with the Security Standards.
‣ CEs and BAs must:
  ‣ Ensure the confidentiality, integrity, and availability of all E-PHI the CE or BA creates, receives, maintains, or transmits;
  ‣ Protect against any reasonably anticipated threats or hazards to the security or integrity of such information;
  ‣ Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under the Security Standards;
  ‣ Ensure compliance with the Security Standards by its workforce.

General Rules: Security Standards

‣ CEs and BAs may use any security measures that allow them to reasonably and appropriately implement the standards and implementation specifications as specified in the Security Standards.
‣ In deciding which security measures to use, CEs and BAs must take into account the following factors:
  ‣ The size, complexity, and capabilities of its facility;
  ‣ The CE's or BA’s technical infrastructure, hardware, and software security capabilities;
  ‣ The costs of security measures;
  ‣ The probability and criticality of potential risks to E-PHI.

General Rules: Security Standards

‣ If the applicable Security Standard implementation specification is required, then the CE or BA must implement that Security Standard implementation specification;
‣ If the applicable Security Standard implementation specification is addressable, then the CE or BA must:
  ‣ Implement the implementation specification if reasonable and appropriate; or
  ‣ If implementing the implementation specification is not reasonable and appropriate:
    ‣ Document why it would not be reasonable and appropriate to implement the implementation specification; and
    ‣ Implement an equivalent alternative measure if reasonable and appropriate.

General Rules: Security Standards

‣ Risk Analysis;
‣ Risk Management;
‣ Sanctions;
‣ Information System Review Activity;
‣ Security Official;
‣ Information Access Policy;
‣ Security Awareness Training;
‣ Identify and Respond to Security Incidents;
‣ Contingency Plan;

General Rules: Security Standards

‣ Evaluate Security Policies;
‣ Facility Access Controls;
‣ Workstation Use and Security;
‣ Device and Media Controls;
‣ Technical Access Controls;
‣ Audit Controls;
‣ Integrity;
‣ Person or Entity Authentication; and
‣ Transmission Security.

General Rules: Security Standards

‣ Review all of your Security policies/procedures to determine whether updates are necessary;
‣ Conduct a risk analysis to identify the additional security concerns that arise with the development of telemedicine;
‣ Focus on:
  ‣ Device and Media Controls;
  ‣ Technical Access Controls.

Special Issues with Device and Media Controls and Technical Access Controls with Telemedicine

‣ More and more telemedicine apps are being used on portable devices.
‣ Be mindful of where you are using portable devices and whether you have appropriate security (technical and physical).
‣ Use only those portable devices that are approved by the CE's or BA’s IT and those portable devices that comply with your device and media controls policy.
‣ Case in point: stolen mobile device.

CMP for Stolen Mobile Device

‣ Massachusetts Eye and Ear Infirmary and its associated physician practice
‣ Self-reported the theft of an unencrypted laptop containing PHI of > 500 patients from an employed physician while on vacation
‣ No finding of financial or reputational harm to the patients
‣ Findings: failure to . . .
  ‣ Restrict access to ePHI from unauthorized users/portable devices and be able to track access
  ‣ Track movement of both Hospital/personal portable devices on and off premises
  ‣ Implement encryption or appropriate alternatives to encryption
‣ 9/17/2012 – Agreement (3 years)
  ‣ $1.5 Million CMP
  ‣ A Corrective Action Plan (includes a framework for updating policies/procedures and compliance plans for mobile devices)
  ‣ http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/meei-agreement-pdf.pdf

Special Issues with Technical Access Controls

‣ Encryption is considered an “addressable” implementation specification.
‣ The Security Rule does not require that encryption be used BUT, recall for addressable standards, if the CE or BA determines that the specification is not reasonable, then the CE or BA must explain why in writing and implement an equivalent measure if reasonable and appropriate.
‣ Weigh the benefits and costs with implementing encryption (for data in motion and data at rest).

Special Issues with Technical Access Controls

‣ Encryption Industry Standards:
  ‣ Data at rest – NIST Special Publication 800-111
  ‣ Data in motion – FIPS 140-2 (Includes NIST Special Publications 800-52, 800-77 or 800-113)
‣ FIPS: www.itl.nist.gov/fipspubs/index.htm
‣ NIST: www.nist.gov/

Notification of Breach

‣ The nature of the technology enabling telemedicine increases the potential for there to be unauthorized access.

Notification of Breach: HITECH Act

‣ General Rule:
  ‣ A CE that accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses or discloses unsecured protected health information shall, in the case of a breach, notify the individual whose unsecured protected health information has been or is reasonably believed by the CE to have been accessed, acquired, or disclosed as a result of such breach.
‣ BAs shall notify the CE of such breaches.

Breach: HITECH Final Rule

‣ “Breach” means the acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Standards which compromises the security or privacy of such information . . .

Breach: Exceptions

‣ Any unintentional acquisition, access, or use of PHI by a workforce member or person acting under the authority of a CE or BA if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted under the Privacy Standards;
‣ Any inadvertent disclosure by a person who is authorized to access PHI at a CE or BA to another person authorized to access PHI at the same CE or BA or OHCA in which the CE participates, and the PHI received as a result of such disclosure is not further used or disclosed in a manner not permitted under the Privacy Standards; and
‣ A disclosure of PHI where a CE or BA has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.

Definition of Breach: Interim Final Rule

‣ Added a “harm” standard by defining “compromises the security or privacy of [protected health] information” as follows:
  ‣ Posed a significant risk of financial, reputational or other harm to the individual.
  ‣ Senator Waxman did not like this change and informed Secretary Sebelius by letter dated October 1, 2009.
  ‣ The HITECH Final Rule significantly modified the meaning of “compromises the security and privacy of PHI”.

Whether a Reportable Breach Occurred: Low Probability Standard

‣ Depends upon a risk assessment of four factors:
  ‣ The nature and extent of the PHI involved, including the types of identifiers and the likelihood of reidentification;
  ‣ The unauthorized person who used the PHI or to whom the disclosure was made;
  ‣ Whether the PHI was actually acquired or viewed; and
  ‣ The extent to which the risk to the PHI has been mitigated.
‣ If after the consideration of each of the foregoing factors the CE has determined that there is a low probability that the privacy or security of the PHI has been compromised, then no breach notification is required.

Unsecured PHI: HITECH Act (Updated in the HITECH Final Rule)

‣ Unsecured Protected Health Information (“Unsecured PHI”): PHI that is not secured by a technology standard that renders PHI unusable, unreadable, or indecipherable to unauthorized individuals and is developed or endorsed by a standards developing organization that is accredited by the American National Standards Institute.
‣ Guidance published April 17, 2009.

Breach Notification not required if the PHI is not “Unsecured PHI”

‣ The technologies and methodologies that render PHI unusable, unreadable, or indecipherable to unauthorized individuals are:
  ‣ Electronic PHI that has been encrypted:
    ‣ Data at rest – NIST Special Publication 800-111
    ‣ Data in motion – FIPS 140-2 (Includes NIST Special Publications 800-52, 800-77 or 800-113)
  ‣ Media on which PHI is stored or recorded has been destroyed:
    ‣ Paper, film or hard copy: shredded or destroyed such that it cannot be reconstructed
    ‣ Electronic media: cleared or purged consistent with NIST Special Publication 800-88
‣ FIPS: www.itl.nist.gov/fipspubs/index.htm
‣ NIST: www.nist.gov/

Breaches Treated as Discovered
‣
‣
‣
‣
A breach is discovered on the first day the breach is
known or by exercising reasonable diligence, would
have been known by the CE;
A breach is discovered by a BA on the first day the
breach is known or by exercising reasonable
diligence, would have been known by the BA;
A BA or Subcontractor is required to report the breach
to the CE in accordance with the terms of the BA;
Clarified in the HITECH Final Rule: A CE will be
deemed to have discovered a breach on the first day
the breach was discovered by a BA only if the BA is
acting as an agent of the CE.
Breach Treated as Discovered
‣ Whether a BA is an agent of the CE is determined by the application of the federal common law of agency.
‣ Although there are multiple factors, DHHS found these four (4) to be most important in a “facts and circumstances” test:
  (1) The time, place, and purpose of a BA agent's conduct;
  (2) whether a BA agent engaged in a course of conduct subject to a CE's control (manner and means by which the product is accomplished);
  (3) whether a BA agent's conduct is commonly done by a BA to accomplish the service performed on behalf of a CE; and
  (4) whether or not the CE reasonably expected that a BA agent would engage in the conduct in question.
Notification of Breach
‣ Notice must be made within 60 days of when the CE knows or should have reasonably known of the breach.
‣ Individuals: notice is provided in writing by first class mail or by e-mail if the individual provided a preference.
‣ If contact information is out of date (including 10 or more such individuals), post a toll free number on the CE’s website where individuals can learn if their unsecured PHI has been breached.
‣ Regulations add provisions for Personal Representatives of deceased individuals and when contact information is insufficient or out of date:
  ‣ Fewer than 10: alternative form of written notice, telephone or other means
  ‣ 10 or greater: conspicuous posting for 90 days on CE’s webpage or in major broadcast media AND contact information
Notification of Breach
‣ If notification is urgent because of possible misuse, the CE may telephone the individual(s).
‣ If 500 or more individuals are involved, notice must be provided to prominent media outlets.
‣ Notice must be provided to the Secretary of DHHS:
  ‣ If 500 or more individuals are involved, this notice must be given immediately;
  ‣ If fewer than 500, the CE may keep a log and disclose to the Secretary annually.
  ‣ The Secretary of DHHS will post the identities of the CEs involved in breaches where more than 500 individuals are involved.
Notification to the Secretary
Breach notification webpage:
http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/index.html
Guidance for notifying the Secretary of breaches:
http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brinstruction.html
• Submit Notice of a Breach Affecting 500 or More Individuals
• Submit Notice of a Breach Affecting Fewer than 500 Individuals
Notification of Breach
Content of notice to the individual:
‣ Brief description of what happened (include date of breach and date of discovery)
‣ A description of the types of Unsecured PHI involved in the breach
‣ The steps that individuals should take to protect themselves from potential harm
‣ A brief description of what the CE is doing to investigate, mitigate losses and protect against further breaches
‣ Contact information (toll-free telephone number, an e-mail address, web site, or postal address)
Notification of Breach
Notice can be delayed if necessary if law enforcement determines that notice:
• Would impede a criminal investigation
• Would cause damage to national security
Notification of Breach
‣ State law compliance: S.C. Code Ann. § 39-1-90
‣ Modify your Notification of Breach Policy to also cover your obligations under State law.
What happens with a HIPAA violation???
‣ A/K/A: Why should I care???
‣ Criminal Penalties
‣ Civil Penalties
HITECH Update: Criminal Penalties
‣ Clarification of application of criminal penalties for wrongful disclosures
‣ Amends the HIPAA Statute to make it clear that the criminal penalties apply to employees and other individuals, including physicians
HIPAA Criminal Penalties
• (a) A person who knowingly and in violation of HIPAA–
  • (1) uses or causes to be used a unique health identifier;
  • (2) obtains IIHI relating to an individual; or
  • (3) discloses IIHI to another person,
  shall be punished as provided in subsection (b) of this section.
• (b) Penalties
  • A person described in subsection (a) of this section shall–
  • (1) be fined not more than $50,000, imprisoned not more than 1 year, or both;
  • (2) if the offense is committed under false pretenses, be fined not more than $100,000, imprisoned not more than 5 years, or both; and
  • (3) if the offense is committed with intent to sell, transfer, or use IIHI for commercial advantage, personal gain, or malicious harm, be fined not more than $250,000, imprisoned not more than 10 years, or both.
Physician Criminal Conviction Upheld: 5/10/2012
‣ A visiting cardiothoracic surgeon from China (working as a research assistant) was convicted of a misdemeanor violation of the HIPAA criminal statute
‣ After his termination from UCLA, on at least four occasions, he accessed four patient records (coworkers and a celebrity)
‣ The 9th Circuit upheld the district court’s finding that he knowingly and in violation of HIPAA obtained IIHI relating to individuals
‣ Sentence:
  ‣ Four months in prison, then a year of supervised release;
  ‣ $2000 fine
HITECH: Civil Money Penalties
‣ HITECH significantly revises the HIPAA CMP Statute to include non-compliance due to willful neglect and requires DHHS to investigate if a complaint indicates a violation due to willful neglect.
‣ CMP $$ collected go to the OCR and are used for increased enforcement.
HITECH: Civil Money Penalty Tiers
‣ (a) $100/violation, the total not to exceed $25,000 for identical violations / calendar year;
‣ (b) $1,000/violation, the total not to exceed $100,000 for identical violations / calendar year;
‣ (c) $10,000/violation, the total not to exceed $250,000 for identical violations / calendar year;
‣ (d) $50,000/violation, the total not to exceed $1,500,000 for identical violations / calendar year.
‣ A violation where the person did not know and by exercising due diligence would not have known: the penalty will be not less than (a) but not more than (d).
‣ A violation due to reasonable cause, but not willful neglect: the penalty will be not less than (b) but not more than (d).
‣ A violation due to willful neglect:
  ‣ If corrected, the penalty will be not less than (c) but not more than (d);
  ‣ If not corrected, the penalty will be not less than (d).
First CMP: 2/4/2011
‣ Cignet Health: Large multi-healthcare provider group
‣ Failed to provide 41 patients access to their PHI (there were 41 complaints – all individually filed with the OCR)
‣ Initial fine: $1.3 Million for failure to provide access
‣ Subsequent fine: $3.0 Million for failure to cooperate with the OCR’s investigation (3/17/2009 – 4/7/2010)
‣ Total fine: $4.3 Million
‣ Upshot – cooperate with the OCR investigation!
OCR sends a message to small physician practices: 4/17/2012
‣ Phoenix Cardiac Surgery (5 physician practice)
‣ Complaint: posting surgery and appointment schedules on a publicly accessible internet-based calendar
‣ OCR found a “multiyear, continuing failure” to:
  ‣ Implement policies and procedures
  ‣ Document training of employees
  ‣ Identify a security official at the practice
  ‣ Conduct a security analysis
  ‣ Obtain business associate agreements with its internet-based email and scheduling services
Phoenix Cardiac Surgery Penalties
‣ Resolution Agreement: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/pcsurgery_agreement.pdf
‣ $100,000 CMP
‣ Comply with a Corrective Action Plan (one year):
  ‣ Develop and implement Privacy and Security policies/procedures and provide to the OCR for approval
  ‣ Implement the policies/procedures within 30 days of approval
  ‣ Distribute the policies/procedures to its workforce and require written certifications of initial compliance from each
  ‣ Assess and update the policies and procedures annually
  ‣ Make reports to the OCR
First HIPAA Settlement for Breach of < 500 patients’ PHI (01/02/2013)
‣ Hospice of North Idaho (“HONI”) reported the theft of an unencrypted laptop containing the PHI of 441 patients
‣ OCR found:
  ‣ HONI failed to conduct a risk analysis;
  ‣ HONI failed to implement security measures;
  ‣ HONI failed to have policies and procedures for mobile devices
‣ Settlement Agreement:
  ‣ Enter into a CAP
  ‣ CMP of $50,000
  ‣ http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/honiagreement.pdf
PATIENT CONFIDENTIALITY/HIPAA
‣ Recommendations:
  ‣ Foster a strong culture related to the privacy & security of PHI;
  ‣ Be sure your cooperative providers also have similar cultures;
  ‣ Encrypt (data in transmission and at rest);
  ‣ Work with your cooperative providers to address interoperability issues up front;
  ‣ Coordinate operational policies and procedures with your cooperative providers;
  ‣ Conduct a thorough risk assessment to identify vulnerabilities, both internal and external threats to the system;
  ‣ Conduct a review of your HIPAA Privacy and Security Standards to address new issues;
  ‣ Be sure your insurance carriers (GL & Cyber) cover telemedicine practice; and
  ‣ Distant site providers: Remember to provide the patient with your Notice of Privacy Practices!!
Jeanne M. Born
Member
1230 Main Street, Suite 700, Columbia, SC 29201
803.540.2038
Jborn@nexsenpruet.com