U NDERSTANDING HIPAA C OMPLIANCE I N 2014: E THICS , T ECHNOLOGY, H EALTHCARE & LIFE JULIE MEADOWS-KEEFE GROSSMAN, FURLOW, AND BAYÓ, LLC 2022-2 RAYMOND DIEHL RD. TALLAHASSEE, FL. 32308 (850) 385-1314 J.MEADOWS-KEEFE@GFBLAWFIRM.COM D OES IT P UT Y OU I N A B AD M OOD ? H OW M UCH P RIVACY D O Y OU H AVE ? How Much Privacy Are You Willing To Give Up? P ERCEIVED B ARRIERS ? W IRED M AGAZINE 11-15-12 The age of the password has come to an end; we just haven’t realized it yet. And no one has figured out what will take its place. What we can say for sure is this: Access to our data can no longer hinge on secrets—a string of characters, 10 strings of characters, the answers to 50 questions—that only we’re supposed to know. The Internet doesn’t do secrets. Everyone is a few clicks away from knowing everything. S O W E R ECOGNIZE W E A RE A LL V ULNERABLE “A stolen medical identity has a $50 street value – whereas a stolen social security number, on the other hand, only sells for $1.00” said Kirk Herath, Nationwide Chief Privacy Officer. FACTS A BOUT M EDICAL I DENTITY T HEFT 1.5 Million American Affected Average cost to restore identity is over $20,000. Medical identity theft comprises 3% of all identity thefts Nearly half of victims lose their coverage Can take a year to discover Healthcare was most breached industry in 2011 S O W HAT D OES HIPAA D O ? HIPAA sets a national standard for accessing and handling medical information Access to your own medical records, prior to HIPAA, was not guaranteed by federal law. Notice of privacy practices about how your medical information is used and disclosed must now be given to you. An accounting of disclosures HIPAA 1996 1996 M AC P OPULAR S ONG & D ANCE IN 1996 I N 1996 Google.com didn’t exist yet. In January 1996 there were only 100,000 websites, compared to more than 160 million in 2008. The web browser of choice was Netscape Navigator, followed by Microsoft Internet Explorer as a distant second (Microsoft launched IE 3 in 1996). Most people used dial-up Internet connections ARRA February 17, 2009. ARRA Signed into Law. Also known as the “Stimulus” $ 25.8 Billion for Health IT Increased Regulation of Organizations Contracting with Covered Entities Covered Entities Must Carefully Monitor Disclosures of PHI Increased Limitations on use of PHI Increased Penalties and Enforcement Mechanisms Breach notification and reporting requirements. E VIDENCE B ASED M EDICINE Conscientious, explicit and judicious use of current best evidence in making decisions about the care of individual patients Use of mathematical estimates of the risk of benefit and harm, derived from high-quality research on population samples, to inform clinical decisionmaking in the diagnosis, investigation or management of individual patients." B IG D ATA How much regulation is needed for electronic health records and systems? How much is too much? Does technology harm patients? How much risk do patients face in the era of "big data?“ Can data reach level of necessary granularity to only show minimum amount of data necessary to provide a particular treatment? E XPRESS S CRIPTS H AS B IG D ATA Provides Pharmacy Benefits to over 100 million people. They see 1.4 billion prescriptions a year, each one of which generates adds a little more data to their pile. They now have 100 people sorting through that information trying to detect fraud. They've got nurses and pharmacists and forensic accountants, along with a group of data nerds investigating thousands of cases of shady dealings a year. S OME F EAR W HAT IS A “B REACH ?” A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information such that the use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual. There are three exceptions to the definition of “breach.” The first exception applies to the unintentional acquisition, access, or use of protected health information by a workforce member acting under the authority of a covered entity or business associate. The second exception applies to the inadvertent disclosure of protected health information from a person authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the covered entity or business associate. In both cases, the information cannot be further used or disclosed in a manner not permitted by the Privacy Rule. The final exception to breach applies if the covered entity or business associate has a good faith belief that the unauthorized individual, to whom the impermissible disclosure was made, would not have been able to retain the information. TAKE -AWAY PLEASE MAKE SURE ALL STAFF ARE UTILIZING ENCRYPTION FOR TRANSMISSION OF PHI. B REACHES B IG IN O MNIBUS the nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification the unauthorized person who used the protected health information or to whom the disclosure was made whether the protected health information was actually acquired or viewed the extent to which the risk to the protected health information has been mitigated B REACHES S O FAR January, 2013-First HIPAA breach settlement involving less than 500 patients (Idaho Hospice) April 2012 HHS settles case with Phoenix Cardiac Surgery for lack of HIPAA safeguards A LASKA D EPARTMENT OF H EALTH AND H UMAN S ERVICES Settled for 1.7 million dollars. One lost unencrypted flash drive from an employee’s car led to extensive HHS investigation. Insufficient training and risk assessment. 2013 V ERIZON B REACH R EPORT THREAT ACTORS External 92% Internal 14% Partners 1% T HREAT A CTIONS Malware 10% Hacking 52% Social 29% Misuse 13% Physical 35% Error 2% ATTACKED ENTITIES Financial Organizations 37% Utilities 24% Manufacturing, transportation 20% Healthcare organizations 0.90% B USINESS A SSOCIATE R EQUIREMENTS Extends HIPAA’s requirements, not just to business associates, but to subcontractors that handle protected health information on behalf of business associates N OTICE OF P RIVACY P RACTICES Need to revise to reflect patient’s right to receive breach notifications. R EQUEST FOR R ESTRICTIONS Specifically, covered entities must agree to restrict disclosures of protected health information about the individual if the disclosure is for payment or healthcare operations purposes, is not required by law, and the protected health information pertains solely to a healthcare item or service for which the individual, or someone on the individual's behalf other than the health plan, has paid the covered entity in full. J ULIE ’ S S TORY Real-life experience with too much data being included in an EHR. https://www.youtube.com/watch?v=tK1KeC y5j9Q L ICENSURE Licensure involves providing a full explanation and record documenting any affirmative responses to health questions, including emotional/mental illness, chemical dependency. THANK YOU J ULIE M EADOWS -K EEFE G ROSSMAN , F URLOW, AND B AYÓ 2022-2 R AYMOND D IEHL RD. TALLAHASSEE , FL. 32308 (850) 385-1314 J . MEADOWS - KEEFE @ GFBLAWFIRM . COM