CURRENT LEGAL ISSUES IN TELEMEDICINE WEBINAR: CONFIDENTIALITY AND HIPAA ISSUES IN TELEMEDICINE
AUGUST 26, 2015
Jeanne M. Born, RN, JD
Jborn@nexsenpruet.com
Palmetto Care Connections webinar www.nexsenpruet.com

Patient Confidentiality
‣ Every State and Federal law that protects the confidentiality, privacy and security of protected health information that is created in a face-to-face encounter applies to virtual encounters.
‣ Telemedicine creates new challenges:
  ‣ Increases the number of people who may/will have access to health information:
    ‣ Clinical professionals;
    ‣ Technical professionals:
      ‣ Site where the patient is located + Telemedicine provider + Distant site.

Patient Confidentiality
‣ Health information is being transmitted as it is being created:
  ‣ Subject to increased privacy and security risks:
    ‣ Increased number of people who have access;
  ‣ Data management issues:
    ‣ Information may be in formats not previously part of the medical record (audio and video recordings);
    ‣ How and where is this new information to be stored?
  ‣ Data sharing issues: Who is the owner of the medical record:
    ‣ The site where the patient is located?
    ‣ The distant site where the physician is located?
  ‣ Potential for unauthorized persons viewing/hacking:
    ‣ Fear of “unseen persons” during the telemedicine session;
    ‣ Fear about the reliability of security with telemedicine hardware/devices/applications.
PATIENT CONFIDENTIALITY/HIPAA
‣ Examples of issues where Telemedicine/Telehealth can create increased risk exposure:
  ‣ Interoperability in cooperating locations' systems could increase risks (breach; medical errors);
  ‣ Interruptions in connectivity mid-examination/procedure;
  ‣ Differences in operational procedures and technology implementations could increase risk exposure;
  ‣ Treatment could be viewed by unauthorized individuals without patient knowledge or permission;
  ‣ Electronic communications could be hacked by unauthorized individuals;
  ‣ Locally stored PHI could be accessed or altered by people with system-level privileges.

Patient Confidentiality/Privacy/Security
‣ Address concerns by conducting a thorough review of the entire process:
  ‣ Comply with applicable State and Federal confidentiality / privacy / security laws;
  ‣ Apply appropriate administrative, physical and technical safeguards;
  ‣ Educate both patients and staff (clinical and technical).

Patient Confidentiality: State Laws
‣ Examples of professional licensing standards that require confidentiality:
  ‣ Physicians - S.C. Code Regs. 81-60 § D
  ‣ Nurses – S.C. Code Ann. § 40-33-110(A)(8)
  ‣ Psychologists – S.C. Code Regs. 100-4 § B.2
  ‣ Social Workers – S.C. Code Regs. 110-20 § 15
  ‣ Professional counselors, associate counselors and marriage and family therapists - S.C. Code Ann. § 40-75-190
  ‣ Emergency Medical Technicians - S.C. Code Regs. 61-7 § 110.A.9
‣ Violations can result in disciplinary action. See S.C. Board of Medical Examiners v. Hedgepath, 480 S.E.2d 724 (S.C. 1997).

Patient Confidentiality: State Laws
‣ Examples of institutional licensing laws affecting confidentiality:
  ‣ Abortion Clinics - S.C. CODE REGS. 61-12 § 402
  ‣ Hospitals - S.C. CODE REGS. 61-16 § 1107.A
  ‣ Nursing Homes - S.C. Code Ann. § 44-81-40(H)
  ‣ Physician Offices – S.C. Code Ann. § 44-115-40
  ‣ Day Care Facilities for Adults - S.C. CODE REGS. 61-75 § 901.A.6
  ‣ Home Health Agencies - S.C. CODE REGS. 61-77 §§ 801.A.3 & 902.C
  ‣ Hospices - S.C. CODE REGS. 61-78 § 701
  ‣ Facilities that Treat Individuals for Psychoactive Substance Abuse or Dependence - S.C. CODE REGS. 61-93 § 703.B

South Carolina Case Law
‣ Breach of confidence:
  ‣ McCormick v. England: Established the tort of “breach of confidence” for a physician who disclosed a patient’s information to a third party without the patient’s consent or legal compulsion. 494 S.E.2d 431 (S.C. App. 1997).
  ‣ But see Evans v. Rite Aid Corp., where the S.C. Supreme Court found that neither a pharmacist nor a pharmacy had a duty of confidentiality to a customer. 478 S.E.2d 846 (S.C. 1996).
    ‣ Following this case the S.C. Legislature passed the Prescription Information Privacy Act. S.C. Code Ann. §§ 44-117-10 through -380.

Patient Confidentiality: Behavioral Health
‣ Behavioral Health information:
  ‣ S.C. Code Ann. § 19-11-95 – creates both a privilege and a confidentiality obligation for behavioral health providers (not physicians) – a provider may not knowingly reveal a confidence of his patient, use a confidence of his patient to the disadvantage of the patient, or use a confidence of his patient for the advantage of himself or of a third person unless the patient gives written authorization after disclosure to him of what confidence is to be used and how it is to be used, except when permitted by law.
  ‣ Requires providers to pass on confidentiality/re-disclosure obligations downstream.
Patient Confidentiality: Behavioral Health
‣ Exceptions: a provider may disclose confidential information:
  ‣ With written authorization;
  ‣ As allowed by law;
  ‣ To prevent the commission of a crime/prevent harm to the patient;
  ‣ To collect a fee for service;
  ‣ In the course of diagnosis, counseling, or treatment, confidences necessary to promote care within the generally recognized and accepted standards, practices, and procedures of the provider's profession; and
  ‣ For peer review participation.

Patient Confidentiality: State Laws
‣ Information held by the Department of Mental Health:
  ‣ S.C. CODE ANN. § 44-22-90 – Communications between patients and mental health professionals, including general physicians, psychiatrists, psychologists, psychotherapists, nurses, social workers, or other staff members employed in a patient-therapist capacity or employees under supervision of them, are considered privileged. A patient may refuse to disclose and may prevent a witness from disclosing privileged information, with certain exceptions.

Patient Confidentiality: State Laws
‣ Exceptions:
  ‣ To other staff on a “need to know” basis;
  ‣ For involuntary commitment proceedings;
  ‣ In an emergency to prevent the patient from self-harm;
  ‣ In the course of a court-ordered psychiatric examination if the information is admissible only on issues involving the patient’s mental condition;
  ‣ In a civil proceeding when the patient introduces his/her mental condition as an element of his/her claim or defense, if the court finds that the need for the disclosure outweighs the need to protect the psychiatrist/patient relationship;
  ‣ With consent of the patient or legal representative; or
  ‣ As otherwise permitted by law.

Patient Confidentiality: State Laws
‣ S.C. CODE ANN. § 44-22-100 - Certificates, applications, records, and reports made by the DMH that directly or indirectly identify a mentally ill or alcohol and drug abuse patient, former patient, or individual whose commitment has been sought must be kept confidential and must not be disclosed except:
  ‣ With the patient's or legal representative’s consent;
  ‣ When a court decides that failure to disclose in a proceeding is contrary to the public interest;
  ‣ When required for research by the DMH or DAODAS, with patient consent;
  ‣ When necessary to cooperate with law enforcement, health, welfare and other State agencies, or when furthering the welfare of the patient/patient’s family;
  ‣ When disclosure is necessary to carry out the provisions of Chapters 9, 11, 13, 15, 17, 20, 23, 24, 25, 27 & 52 of Title 44 of the S.C. Code.

Patient Confidentiality: State Laws
‣ S.C. CODE ANN. § 44-26-130 – Communications between clients and intellectual disability professionals, including general physicians, psychiatrists, psychologists, nurses, social workers, members of interdisciplinary teams, or other staff members employed in a client-therapist capacity or an employee under supervision of them, are considered confidential. Certificates, applications, records, and reports made for the purpose of Chapter 26 that directly or indirectly identify a client, as well as privileged communications, must be kept confidential and must not be disclosed by a person, with exceptions.

Patient Confidentiality: State Laws
‣ Exceptions:
  ‣ The client or legal representative consents;
  ‣ A court decides that failure to disclose in a proceeding is contrary to the public interest;
  ‣ Required for research conducted by the Department;
  ‣ Necessary to cooperate with law enforcement, health, welfare and other State agencies, schools, and county entities;
  ‣ Necessary to carry out Chapter 26.
‣ Also:
  ‣ To the next of kin upon inquiry;
  ‣ For educational purposes if the client’s identity is concealed;
  ‣ To the ombudsman or S.C. Protection and Advocacy System for the Handicapped, Inc.

Patient Confidentiality: State Laws
‣ S.C. Code Ann. § 44-29-135 protects information regarding STDs.
‣ All information which is reported to DHEC regarding STDs must be kept completely confidential, with extremely limited exceptions.
‣ Confidentiality of information encourages persons who may be infected to obtain testing and counseling, which in turn protects the public health.
‣ In order to ensure the confidentiality of records relating to sexually transmitted diseases, DHEC must keep information related to known or suspected cases of sexually transmitted disease strictly confidential.

Patient Confidentiality: State Laws
‣ Drug and Alcohol Treatment (creates a privilege):
  ‣ S.C. CODE ANN. § 44-53-140 - Whenever a holder of the privilege shall seek counselling, treatment, or therapy for any drug problem from a confidant, no statement made by such holder and no observation or conclusion derived from such confidant shall be admissible against such holder in any proceeding. The results of any examination to determine the existence of illegal or prohibited drugs in a holder's body shall not be admissible in any proceeding against such holder.
  ‣ The privilege belongs to the holder, and if he waives the right to claim the privilege, the communication between the holder of the privilege and the confidant shall be admissible in evidence in any proceeding.
  ‣ There is no privilege if the services of a confidant are sought to enable the holder of the privilege to commit or plan to commit a crime or a tort.

Patient Confidentiality: Federal Laws
‣ Constitutional Protections:
  ‣ Fifth Amendment – The U.S. Supreme Court held that there is a right to privacy which is an interest related to personal autonomy and an interest in avoiding disclosure of personal matters.
  ‣ Fourteenth Amendment – The right to protection against an invasion of privacy extends to a person’s documents, which include a person’s health information.
  ‣ Whalen v. Roe, 429 U.S. 589 (1977).

Patient Confidentiality: Federal Laws
‣ Privacy Act of 1974 – Enacted to help protect personal information collected by the federal government, including medical information collected in the Medicare and Medicaid programs. 5 U.S.C. § 552a.
‣ The confidentiality protection under this federal statute is riddled with exceptions. Persons/agencies with access to these records are: (1) employees of the agency maintaining the record; (2) recipients who provide advance notice that records will be used for statistical research; (3) federal government agencies enforcing civil/criminal law; (4) persons showing a compelling need; and (5) a private firm to which records are disclosed for transcription or copying. Id.

Patient Confidentiality: Federal Laws
‣ Medicare/Medicaid Conditions of Participation:
  ‣ Hospitals: 42 C.F.R. § 482.24(b)(3)
  ‣ Critical Access Hospitals: 42 C.F.R. § 485.638(b)(1)
  ‣ Home Health Services: 42 C.F.R. § 484.10(d)
  ‣ Hospice: 42 C.F.R. § 418.52(c)(5)
  ‣ Community Mental Health Centers: 42 C.F.R. § 485.910(c)(3)

Patient Confidentiality: Federal Laws
‣ Alcohol and Drug Rehab Act – Severely limits access to records of alcohol and drug abuse patients. 42 U.S.C. § 290dd-2; 42 C.F.R. Part 2.
‣ Applies only to programs holding themselves out as providing drug and alcohol treatment;
‣ Applies to Medicare participating hospitals only if the hospital:
  ‣ Has an identified unit that provides drug and alcohol diagnosis, treatment or referral; or
  ‣ Has medical personnel or other staff whose primary function is the provision of such care.

Patient Confidentiality: Federal Laws
‣ Disclosures may be made:
  ‣ With prior written consent of the patient, under the circumstance and purpose expressed in the consent (requires a specific consent);
  ‣ With or without patient consent when made to medical personnel to the extent necessary to handle a bona fide medical emergency;
  ‣ Without consent for research, management audit, or program evaluation purposes as long as the patient's identity is not revealed; or
  ‣ Without patient consent pursuant to a court order upon application showing good cause. Good cause = public interest in the need to disclose vs. potential injury to the patient, the physician-patient relationship, and the treatment program.

Patient Confidentiality: Federal Laws
‣ Good cause in a civil case:
  ‣ Other ways of obtaining the information are unavailable or ineffective; &
  ‣ The public interest and need for disclosure outweigh the potential injury to the patient, the physician-patient relationship, and the treatment services.
‣ Good cause in a criminal case:
  ‣ Extremely serious crime (ex: homicide, rape, kidnapping);
  ‣ Information will be of substantial value in the case;
  ‣ Other ways of obtaining the information are unavailable or ineffective;
  ‣ Injury to the patient, physician/patient relationship & the program is outweighed by the public interest in making the disclosure; &
  ‣ The applicant & the person holding the records have been afforded counsel.
HIPAA: Privacy and Security

HIPAA/HITECH
‣ Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”)
‣ American Recovery and Reinvestment Act of 2009
  • Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH”);
  • Subtitle D – Privacy
‣ New HITECH Implementing Regulations: 78 F.R. 5566 (“HITECH Final Rule”) published January 25, 2013 – effective March 26, 2013 – enforcement begins September 22, 2013
‣ HITECH Final Rule also implements changes necessary in the Patient Safety & Quality Improvement Act (“PSQIA”) and the Genetic Information Nondiscrimination Act (“GINA”)

HIPAA/HITECH = Assumptions
‣ I will assume that you all speak “HIPAA”

HIPAA/HITECH
‣ HITECH made multiple changes in the existing HIPAA Statutes, Privacy Standards and Security Standards that directly affect covered entities, business associates and others.
HIPAA/HITECH
‣ HITECH Act Definitions: Generally, all definitions are the same as under prior law, with the exception of the terms further described in this presentation.
‣ HITECH Final Rule provides more definitions: including HITECH, PSQIA & GINA.

Abbreviations: KEY
‣ Covered Entity: CE
‣ Business Associate: BA
‣ Business Associate Agreement: BAA
‣ Individually Identifiable Health Information: IIHI
‣ Protected Health Information: PHI
‣ Electronic Protected Health Information: E-PHI
‣ Civil Money Penalty: CMP
‣ Notice of Privacy Practices: NPP

HIPAA
‣ HIPAA applies to health plans, health care clearinghouses and health care providers that transmit PHI in a HIPAA covered transaction, including:
  ‣ health claims or equivalent encounter information;
  ‣ health claims attachments;
  ‣ enrollment and disenrollment in a health plan;
  ‣ eligibility for a health plan;
  ‣ health care payment and remittance advice;
  ‣ health plan premium payments;
  ‣ first report of injury;
  ‣ health claim status; and
  ‣ referral certification and authorization.

HIPAA
‣ HIPAA purposes:
  ‣ Standardize the transmission of information between health care providers and payors
  ‣ Protect the privacy and security of health information

HIPAA
‣ Various regulations have been promulgated under HIPAA and HITECH:
  ‣ Security Standards
  ‣ Privacy Standards
  ‣ Identifier standards:
    ‣ Provider;
    ‣ Health Plan; &
    ‣ Employer
  ‣ Transaction Standards
  ‣ Enforcement Standards
  ‣ Breach Standards

General Rules
‣ Must have policies and procedures to comply with the Privacy Standards and the Security Standards.
‣ Prior to HITECH, the Privacy and Security Standards applied only to CEs.
‣ After HITECH, many of the provisions of the Privacy and Security Standards apply to BAs.

General Rules: Privacy Standards
‣ Privacy Standards are all about using and disclosing PHI.
‣ Prior to using or disclosing PHI for any purpose, the purpose of the use or disclosure should be determined, and PHI should be used and disclosed only as required or permitted by the Privacy Standards.
‣ Always ask 2 questions:
  ‣ Who is the requestor?
  ‣ What is the purpose of the request?
‣ Prior to requesting PHI for any purpose, the purpose of the request should be determined, and PHI should be requested only as permitted under the Privacy Standards.

General Rules: Privacy Standards
‣ Only two required disclosures:
  ‣ MUST provide access to the individual (with some exceptions)
  ‣ MUST provide access to the Secretary of the USDHHS
‣ All of the rest of the disclosures are permissive disclosures under the Privacy Standards.

General Rules: Privacy Standards
‣ MAY use or disclose protected health information only as permitted under the Privacy Standards (Policies/Procedures):
  ‣ For treatment, payment and health care operations;
  ‣ Pursuant to a HIPAA authorization;
  ‣ Notification purposes: family members/friends;
  ‣ Governmental agencies (DHEC; LLR; OSHA; FDA; etc.);
  ‣ Law enforcement;
  ‣ Legal proceedings;
  ‣ Business Associates.
General Rules: Privacy Standards
‣ Need policies and procedures for all of the foregoing and:
  ‣ Designation of the Privacy Officer;
  ‣ Privacy Training;
  ‣ Notice of Privacy Practices;
  ‣ Patient Directory;
  ‣ Minimum Necessary Standard;
  ‣ Amendment of PHI;
  ‣ Accounting of Disclosures;
  ‣ Restrictions on the Use and Disclosure of PHI;
  ‣ Confidential Communications

General Rules: Privacy Standards
‣ Complaints;
‣ Safeguarding PHI;
‣ Sanctions;
‣ Mitigation;
‣ Non-retaliation;
‣ Fundraising;
‣ Marketing;
‣ Research;
‣ . . . etc.

Telemedicine Issues: Privacy Standards
‣ Privacy Training:
  ‣ Make the determination by “following the PHI”
  ‣ Hardware vendors;
  ‣ Software/application vendors.
‣ NPP:
  ‣ Does your NPP anticipate using and disclosing PHI via telemedicine?
‣ Designated Record Set:
  ‣ Does your DRS policy/procedure include audio/video formatted PHI as part of your DRS?
  ‣ Why does that matter?

Telemedicine Issues: Privacy Standards
‣ Access to PHI:
  ‣ When a patient requests a copy of or access to their PHI, have you anticipated how to provide a copy of the audio/video telemedicine encounter?
‣ Amendment of PHI:
  ‣ If a telemedicine encounter is going to be recorded as part of the DRS, how do you accommodate a request for amendment to the recorded encounter?

Telemedicine Issues: Privacy Standards
‣ Marketing: Contacts by BA telemedicine vendors:
  ‣ General Rule: If you are going to use or disclose PHI for marketing purposes, you must obtain an authorization from the patient.
  ‣ Very narrow exceptions that do not apply to telemedicine:
    ‣ Face-to-face communications (NOT over the telephone);
    ‣ Provision of a nominal gift;
    ‣ Refill reminders;
    ‣ For treatment, to direct a patient to an alternative treatment, therapy, health care provider or setting of care;
    ‣ Describing a health-related product or service included in a plan of benefits;
    ‣ Case management or care coordination, contacting individuals about treatment alternatives and related functions, to the extent these activities do not fall within the definition of treatment.

General Rules: Security Standards
‣ CEs and BAs must protect the security of all E-PHI in a manner consistent with the Security Standards.
‣ CEs and BAs must:
  ‣ Ensure the confidentiality, integrity, and availability of all E-PHI the CE or BA creates, receives, maintains, or transmits;
  ‣ Protect against any reasonably anticipated threats or hazards to the security or integrity of such information;
  ‣ Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under the Security Standards;
  ‣ Ensure compliance with the Security Standards by its workforce.

General Rules: Security Standards
‣ CEs and BAs may use any security measures that allow them to reasonably and appropriately implement the standards and implementation specifications as specified in the Security Standards.
‣ In deciding which security measures to use, CEs and BAs must take into account the following factors:
  ‣ The size, complexity, and capabilities of its facility;
  ‣ The CE's or BA’s technical infrastructure, hardware, and software security capabilities;
  ‣ The costs of security measures;
  ‣ The probability and criticality of potential risks to E-PHI.
General Rules: Security Standards
‣ If the applicable Security Standard implementation specification is required, then the CE or BA must implement that implementation specification;
‣ If the applicable Security Standard implementation specification is addressable, then the CE or BA must:
  ‣ Implement the implementation specification if reasonable and appropriate; or
  ‣ If implementing the implementation specification is not reasonable and appropriate:
    ‣ Document why it would not be reasonable and appropriate to implement the implementation specification; and
    ‣ Implement an equivalent alternative measure if reasonable and appropriate.

General Rules: Security Standards
‣ Risk Analysis;
‣ Risk Management;
‣ Sanctions;
‣ Information System Review Activity;
‣ Security Official;
‣ Information Access Policy;
‣ Security Awareness Training;
‣ Identify and Respond to Security Incidents;
‣ Contingency Plan

General Rules: Security Standards
‣ Evaluate Security Policies;
‣ Facility Access Controls;
‣ Workstation Use and Security;
‣ Device and Media Controls;
‣ Technical Access Controls;
‣ Audit Controls;
‣ Integrity;
‣ Person or Entity Authentication; and
‣ Transmission Security.
General Rules: Security Standards
‣ Review all of your Security policies/procedures to determine whether updates are necessary;
‣ Conduct a risk analysis to identify the additional security concerns that arise with the development of telemedicine;
‣ Focus on:
  ‣ Device and Media Controls;
  ‣ Technical Access Controls

Special Issues with Device and Media Controls and Technical Access Controls with Telemedicine
‣ More and more telemedicine apps are being used on portable devices
‣ Be mindful of where you are using portable devices and whether you have appropriate security (technical and physical)
‣ Use only those portable devices that are approved by the CE or BA’s IT and those portable devices that comply with your device and media controls policy.
‣ Case in point: Stolen mobile device.

CMP for Stolen Mobile Device
‣ Massachusetts Eye and Ear Infirmary and its associated physician practice
‣ Self-reported the theft of an unencrypted laptop containing PHI of > 500 patients from an employed physician while on vacation
‣ No finding of financial or reputational harm to the patients
‣ Findings: Failure to . . .
  ‣ Restrict access to ePHI from unauthorized users/portable devices and be able to track access
  ‣ Track movement of both Hospital/personal portable devices on and off premises
  ‣ Implement encryption or appropriate alternatives to encryption
‣ 9/17/2012 – Agreement (3 years)
  ‣ $1.5 Million CMP
  ‣ A Corrective Action Plan (includes a framework for updating policies/procedures and compliance plans for mobile devices)
  ‣ http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/meei-agreement-pdf.pdf

Special Issues with Technical Access Controls
‣ Encryption is considered an “addressable” implementation specification.
‣ The Security Rule does not require that encryption be used, BUT recall that for addressable standards, if the CE or BA determines that the specification is not reasonable, then the CE or BA must explain why in writing and implement an equivalent measure if reasonable and appropriate.
‣ Weigh the benefits and costs of implementing encryption (for data in motion and data at rest).

Special Issues with Technical Access Controls
‣ Encryption Industry Standards:
  ‣ Data at rest – NIST Special Publication 800-111
  ‣ Data in motion – FIPS 140-2 (Includes NIST Special Publications 800-52, 800-77 or 800-113)
‣ FIPS: www.itl.nist.gov/fipspubs/index.htm
‣ NIST: www.nist.gov/

Notification of Breach
‣ The nature of the technology enabling telemedicine increases the potential for there to be unauthorized access.

Notification of Breach: HITECH Act
‣ General Rule:
  ‣ A CE that accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses or discloses unsecured protected health information shall, in the case of a breach, notify the individual whose unsecured protected health information has been or is reasonably believed by the CE to have been accessed, acquired, or disclosed as a result of such breach.
‣ BAs shall notify the CE of such breaches.

Breach: HITECH Final Rule
‣ “Breach” means the acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Standards which compromises the security or privacy of such information . . .
Palmetto Care Connections webinar www.nexsenpruet.com 54 ‣ ‣ ‣ Breach: Exceptions Any unintentional acquisition, access, or use of PHI by a workforce member or person acting under the authority of a CE or BA if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted under Privacy Standards; Any inadvertent disclosure by a person who is authorized to access PHI at a CE or BA to another person authorized to access PHI at same CE or BA or OHCA in which the CE participates, and the PHI received as a result of such disclosure is not further used or disclosed in a manner not permitted under the Privacy Standards; and A disclosure of PHI where a CE or BA has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information. Palmetto Care Connections webinar www.nexsenpruet.com 55 Definition of Breach: Interim Final Rule ‣ Added a “harm” standard by defining “compromises the security or privacy of [protected health] information” as follows: ‣ ‣ ‣ Posed a significant risk of financial reputational or other harm to the individual Senator Waxman did not like this change and informed Secretary Sebilius by letter dated October 1, 2009. The HITECH Final Rule significantly modified the meaning of “compromises the security and privacy of PHI”. Palmetto Care Connections webinar www.nexsenpruet.com 56 Whether a Reportable Breach Occurred: Low Probability Standard ‣ Depends upon a risk assessment of four factors: ‣ ‣ ‣ ‣ ‣ The nature and extent of the PHI involved, including the types of identifiers and the likelihood of reidentification; The unauthorized person who used the PHI or to whom the disclosure was made; Whether the PHI was actually acquired or viewed; and The extent to which the risk to the PHI has been mitigated. 
If after the consideration of each of the foregoing factors the CE has determined that there is a low probability that the privacy or security of the PHI has been compromised, then no breach notification is required. Palmetto Care Connections webinar www.nexsenpruet.com 57 Unsecured PHI: HITECH Act (Update HITECH Final Rule) ‣ ‣ Unsecured Protected Health Information (“Unsecured PHI”): PHI that is not secured by a technology standard that renders PHI unusable, unreadable, or indecipherable to unauthorized individuals persons and is developed or endorsed by a standards developing organization that is accredited by the American National Standards Institute. Guidance published April 17, 2009. Palmetto Care Connections webinar www.nexsenpruet.com 58 ‣ Breach Notification not required if the PHI is not “Unsecured PHI” The technologies and methodologies that render PHI unusable, unreadable, or indecipherable to unauthorized individuals are: ‣ ‣ Electronic PHI that has been encrypted ‣ ‣ Data in motion – FIPS 140-2 (Includes NIST Special Publications 800-52, 800-77 or 800-113) Media on which PHI is stored or recorded has been destroyed: ‣ ‣ ‣ ‣ Data at rest – NIST Special Publication 800-111 Paper, film or hard copy: shredded or destroyed such that it cannot be reconstructed Electronic media: cleared or purged consistent with NIST Special Publication 800-88 FIPS: www.itl.nist.gov/fipspubs/index.htm NIST: www.nist.gov/ Palmetto Care Connections webinar www.nexsenpruet.com 59 Breaches Treated as Discovered ‣ ‣ ‣ ‣ A breach is discovered on the first day the breach is known or by exercising reasonable diligence, would have been known by the CE; A breach is discovered by a BA on the first day the breach is known or by exercising reasonable diligence, would have been known by the BA; A BA or Subcontractor is required to report the breach to the CE in accordance with the terms of the BA; Clarified in the HITECH Final Rule: A CE will be deemed to have discovered a breach on the 
first day the breach was discovered by a BA only if the BA is acting as an agent of the CE. Palmetto Care Connections webinar www.nexsenpruet.com 60 Breach Treated as Discovered ‣ ‣ ‣ ‣ ‣ Whether a BA is an agent of the CE is determined by the application of the federal common law of agency: Although there are multiple factors, DHHS found these four (4) to be most important in a “facts and circumstances” test: (1) The time, place, and purpose of a BA agent's conduct; (2) whether a BA agent engaged in a course of conduct subject to a CE's control (manner and means by which the product is accomplished); (3) whether a BA agent's conduct is commonly done by a BA to accomplish the service performed on behalf of a CE; and (4) whether or not the CE reasonably expected that a BA agent would engage in the conduct in question. Palmetto Care Connections webinar www.nexsenpruet.com 61 ‣ ‣ ‣ ‣ Notification of Breach Notice must be made within 60 days of when the CE knows or should have reasonably known of the breach. Individuals: notice is provided in writing by first class mail or by e-mail if the individual provided a preference. If contact information is out of date (including 10 or more such individuals), post a toll free number on the CE’s website where individuals can learn if their unsecured PHI has been breached. Regulations add provisions for Personal Representatives of deceased individuals and when contact information is insufficient or out of date: ‣ ‣ Fewer than 10: alternative form of written notice, telephone or other means 10 or greater: conspicuous posting for 90 days on CE’s webpage or in major broadcast media AND contact information Palmetto Palmetto Care Care Connections Connections webinar webinar www.nexsenpruet.com www.nexsenpruet.com 62 ‣ ‣ ‣ Notification of Breach If notification is urgent because of possible misuse, may telephone the individual(s) If 500 or more individuals are involved, notice must be provided to prominent media outlets. 
‣ Notice must be provided to the Secretary of DHHS:
  ‣ If 500 or more individuals are involved, this notice must be given immediately
  ‣ If fewer than 500, the CE may keep a log and disclose to the Secretary annually.
  ‣ The Secretary of DHHS will post the identities of the CEs involved in breaches where more than 500 individuals are involved.

Notification to the Secretary
Breach notification webpage: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/index.html
Guidance for notifying the Secretary of breaches: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brinstruction.html
• Submit Notice of a Breach Affecting 500 or More Individuals
• Submit Notice of a Breach Affecting Fewer than 500 Individuals

Notification of Breach
Content of notice to the individual:
• Brief description of what happened (include date of breach and date of discovery)
• A description of the types of Unsecured PHI involved in the breach
• The steps that individuals should take to protect themselves from potential harm
• A brief description of what the CE is doing to investigate, mitigate losses and protect against further breaches
• Contact information (toll-free telephone number, an e-mail address, web site, or postal address)

Notification of Breach
Notice can be delayed if law enforcement determines that notice:
• Would impede a criminal investigation
• Would cause damage to national security

Notification of Breach
‣ State law compliance: S.C. Code Ann. § 39-1-90
‣ Modify your Notification of Breach Policy to also cover your obligations under State law.

What happens with a HIPAA violation???
A/K/A: Why should I care???
‣ Criminal Penalties
‣ Civil Penalties

HITECH Update: Criminal Penalties
‣ Clarification of the application of criminal penalties for wrongful disclosures
‣ Amends the HIPAA Statute to make it clear that the criminal penalties apply to employees and other individuals, including physicians

HIPAA Criminal Penalties
• (a) A person who knowingly and in violation of HIPAA-
  • (1) uses or causes to be used a unique health identifier;
  • (2) obtains IIHI relating to an individual; or
  • (3) discloses IIHI to another person,
  shall be punished as provided in subsection (b) of this section.
• (b) Penalties
  A person described in subsection (a) of this section shall--
  • (1) be fined not more than $50,000, imprisoned not more than 1 year, or both;
  • (2) if the offense is committed under false pretenses, be fined not more than $100,000, imprisoned not more than 5 years, or both; and
  • (3) if the offense is committed with intent to sell, transfer, or use IIHI for commercial advantage, personal gain, or malicious harm, be fined not more than $250,000, imprisoned not more than 10 years, or both.

Physician Criminal Conviction Upheld: 5/10/2012
‣ A visiting cardiothoracic surgeon from China (working as a research assistant) was convicted of a misdemeanor violation of the HIPAA criminal statute
‣ After his termination from UCLA, on at least four occasions, he accessed four patient records (coworkers and a celebrity)
‣ The 9th Circuit upheld the district court’s finding that he knowingly and in violation of HIPAA obtained IIHI relating to individuals
‣ Sentence:
  ‣ Four months in prison, then a year of supervised release;
  ‣ $2000 fine

HITECH: Civil Money Penalties
‣ HITECH significantly revises the HIPAA CMP Statute to include non-compliance due to willful neglect and requires DHHS to investigate if a complaint indicates a violation due to willful neglect.
‣ CMP $$ collected go to the OCR and are used for increased enforcement.

HITECH: Civil Money Penalty Tiers
Penalty tiers:
  (a) $100/violation, the total not to exceed $25,000 for identical violations / calendar year;
  (b) $1,000/violation, the total not to exceed $100,000 for identical violations / calendar year;
  (c) $10,000/violation, the total not to exceed $250,000 for identical violations / calendar year;
  (d) $50,000/violation, the total not to exceed $1,500,000 for identical violations / calendar year.
‣ A violation where the person did not know and by exercising due diligence would not have known: the penalty will be not less than (a) but not more than (d).
‣ A violation due to reasonable cause, but not willful neglect: the penalty will be not less than (b) but not more than (d).
‣ A violation due to willful neglect:
  ‣ If corrected, the penalty will be not less than (c) but not more than (d);
  ‣ If not corrected, the penalty will be not less than (d).
First CMP: 2/4/2011
‣ Cignet Health: large multi-healthcare provider group
‣ Failed to provide 41 patients access to their PHI (there were 41 complaints, all individually filed with the OCR)
‣ Initial fine: $1.3 Million for failure to provide access
‣ Subsequent fine: $3.0 Million for failure to cooperate with the OCR’s investigation (3/17/2009 – 4/7/2010)
‣ Total fine: $4.3 Million
‣ Upshot: cooperate with the OCR investigation!

OCR sends a message to small physician practices: 4/17/2012
‣ Phoenix Cardiac Surgery (5 physician practice)
‣ Complaint: posting surgery and appointment schedules on a publicly accessible internet-based calendar
‣ OCR found a “multiyear, continuing failure” to:
  ‣ Implement policies and procedures
  ‣ Document training of employees
  ‣ Identify a security official at the practice
  ‣ Conduct a security analysis
  ‣ Obtain business associate agreements with its internet-based email and scheduling services

Phoenix Cardiac Surgery Penalties
‣ Resolution Agreement: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/pcsurgery_agreement.pdf
‣ $100,000 CMP
‣ Comply with a Corrective Action Plan (one year):
  ‣ Develop and implement Privacy and Security policies/procedures and provide them to the OCR for approval
  ‣ Implement the policies/procedures within 30 days of approval
  ‣ Distribute the policies/procedures to its workforce and require written certifications of initial compliance from each
  ‣ Assess and update the policies and procedures annually
  ‣ Make reports to the OCR

First HIPAA Settlement for Breach of < 500 patients’ PHI (01/02/2013)
‣ Hospice of North Idaho (“HONI”) reported the theft of an unencrypted laptop containing the PHI of 441 patients
‣ OCR found:
  ‣ HONI failed to conduct a risk analysis;
  ‣ HONI failed to implement security measures;
  ‣ HONI failed to have policies and procedures for mobile devices
‣ Settlement Agreement:
  ‣ Enter into a CAP
  ‣ CMP of $50,000
  ‣ http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/honiagreement.pdf

PATIENT CONFIDENTIALITY/HIPAA
Recommendations:
‣ Foster a strong culture related to the privacy & security of PHI;
‣ Be sure your cooperative providers also have similar cultures;
‣ Encrypt (data in transmission and at rest);
‣ Work with your cooperative providers to address interoperability issues up front;
‣ Coordinate operational policies and procedures with your cooperative providers;
‣ Conduct a thorough risk assessment to identify vulnerabilities and both internal and external threats to the system;
‣ Conduct a review of your HIPAA Privacy and Security Standards to address new issues;
‣ Be sure your insurance carriers (GL & Cyber) cover telemedicine practice; and
‣ Distant site providers: remember to provide the patient with your Notice of Privacy Practices!!

Jeanne M. Born, Member
1230 Main Street, Suite 700, Columbia, SC 29201
803.540.2038
Jborn@nexsenpruet.com