HIPAA-Privacy

HIPAA/HITECH
Privacy and Security in the Current
Regulatory and Technical Environment
What It Means for Your Organization
March 24, 2015
HFMA Revenue Cycle Meeting
Lindsay Darling Petrosky, Esq.
Three Gateway Center
401 Liberty Avenue, Suite 1500
Pittsburgh, PA 15222
(412) 434-8814
ldpetrosky@jacksonkelly.com
Rachel D. Ludwig, Esq.
500 Lee Street East
Suite 1600
Charleston, WV 25301
(304) 340-1185
rdludwig@jacksonkelly.com
AGENDA
• HIPAA/HITECH History
• Privacy
• Security
• Current Enforcement Trends
• Breaches
• Technology Security Issues
• Protections
2
www.jacksonkelly.com
HIPAA/HITECH – Important Dates
• HIPAA – 1996
– Privacy Rule implemented by DHHS
• HITECH – February 17, 2009
– Requires notification of breaches of unsecured PHI
– Makes certain HIPAA privacy requirements directly applicable to BAs
• Omnibus Final Rule
– Published January 2013, effective March 26, 2013
– Compliance required by September 23, 2013
Privacy Rule
• Comprehensive federal protection for the privacy and
confidentiality of Individually Identifiable Health Information (IIHI)
• Promotes strong privacy protections, while not interfering with
patient access to, or quality of, healthcare services.
Privacy Rule Governs PHI
• Protected Health Information (PHI) in any form (electronic, paper, or
verbal)
• PHI = IIHI that is:
– Held or maintained by a CE or its BA acting for the CE.
– Transmitted or maintained in any form or medium.
• PHI includes:
– Identifiable demographic information
– Information relating to an individual’s past, present or future
physical or mental health, or condition
– Genetic information
– Information concerning the provision of, or payment for, health
care services
Privacy Rule Requirements
• The Privacy Rule requires that a CE:
– Notify individuals about their privacy rights and how
their information can be used.
– Adopt and implement privacy procedures.
– Train employees so that they understand the privacy
procedures.
– Designate an individual responsible for ensuring that
privacy procedures are adopted and followed.
– Secure patient records containing PHI.
MINIMUM NECESSARY
• Use reasonable efforts to limit use or
disclosure of and request for PHI to the
minimum amount necessary to
accomplish the intended use
• Must maintain appropriate administrative,
technical, and physical safeguards to limit
incidental uses and disclosures.
MINIMUM NECESSARY
EXCEPTIONS
• Required by law
• To the individual who is the subject of the
information
• Pursuant to a valid, signed authorization
• Treatment
• Required to comply with other HIPAA
provisions or to HHS for enforcement
Post-HITECH
Some everyday changes you may have noticed:
• Individual’s right to an electronic copy of their record
• Individual may designate a third party to receive copy
— Must be in writing
— Clearly identify the designated person
— Clearly identify where to send the copy
Timing
• A CE must act on an access request within 30 days of receipt
• CEs may obtain a one-time 30-day extension if the CE provides:
– Written notice to the individual, including the reason for the delay
and the expected date of completion
• With the extension, access must be provided no later than 60 days
after the request
Copy Fees
• State law vs. HIPAA: the more protective (lower) limit applies
• Must be a reasonable, cost-based fee
– Cost of supplies may be charged
– Postage may be charged
– No charges permitted for system maintenance, storage cost, new
technology, or search or retrieval fees
– See W. Va. Code § 16-29-2
Decedents and Access to PHI
• PHI protected for 50 years following death
• If an individual is deceased, the CE may disclose to friends
and family who were involved prior to death; to the extent the
PHI is relevant to the individual’s involvement.
• Disclosure must be consistent with any prior expressed
preference of the individual that is known to the CE
• This 50 year period of protection is not a record retention
requirement.
• Note: States are beginning to regulate decedents’ privacy rights more
stringently than HIPAA
• For example, Virginia recently passed the Privacy Expectation Afterlife
and Choices Act
Recent Updates Affecting the
Privacy Rule
• September 2014 – OCR guidance following US v. Windsor (2013), which held
Section 3 of DOMA unconstitutional
– Spouse & Marriage now include:
• “Spouse” includes individuals in a valid same-sex marriage
sanctioned by a state, territory or foreign jurisdiction,
provided that, with regard to a foreign jurisdiction, a U.S.
jurisdiction would recognize the marriage.
• “Marriage” includes both same-sex and opposite-sex
marriage.
• “Family member” includes dependents of same-sex and
opposite-sex marriages.
• PHI includes genetic information, and HIPAA has added definitions consistent
with GINA
The Security Rule
• Applies only to ePHI
• Establishes information technology
standards and best practices for
safeguarding ePHI
• Primary Goal –
– Protect the confidentiality, integrity, and
availability of ePHI when it is stored,
maintained, or transmitted
The Security Rule
• Administrative, physical, and technical safeguards
• Policy and procedure requirements
• Documentation requirements
• Direct liability for violations
• Applies to both CEs and BAs
– Security considered a major area of non-compliance for many BAs
SECURITY OF PHI
• Conduct a risk assessment of your EHR
• Designate a Chief Security Officer
• Adopt policies and procedures
• Perform workforce training
• Adopt workforce sanctions
ADMINISTRATIVE SECURITY OF PHI
• Security management process
• Assigned security responsibility
• Workforce security
• Information access management
• Security awareness and training
• Security incident procedures
• Contingency plan
• Evaluation
• Business associate contracts and other arrangements
PHYSICAL SECURITY OF PHI
• Facility access controls
• Workstation use
• Workstation security
• Mobile device and media controls
• Disposal and re-use
TECHNICAL SECURITY OF PHI
• Access Controls
– Unique user identification
– Emergency access procedure
– Automatic logoff
– Encryption of data at rest
• Audit controls – record and examine activity in systems that hold ePHI
• Integrity – protect ePHI from improper alteration or destruction
• Person or Entity Authentication
• Transmission Security
– Integrity controls
– Encryption of data in motion
So What About Enforcement?
OCR Comments on Enforcement
“This final omnibus rule marks the most sweeping changes
to the HIPAA Privacy and Security Rules since they were
first implemented. These changes not only greatly enhance
a patient’s privacy rights and protections, but also
strengthen the ability of my office to vigorously enforce
the HIPAA privacy and security protections, regardless of
whether the information is being held by a health plan, a
health care provider, or one of their business associates.”
OCR Resolution Agreements
• Providence Health & Services ($100K)
• Idaho State University ($400K)
• CVS Pharmacy ($2.25M)
• Shasta Regional Medical Center ($275K)
• Rite-Aid ($1M)
• Management Services Organization of
Washington ($35K)
• Cignet ($4.3M)
• Massachusetts General Hospital ($1M)
• WellPoint ($1.7M)
• Affinity Health Plan ($1.2M)
• Adult & Pediatric Dermatology, P.C. of
Massachusetts ($150K)
• UCLA Health Services ($865K)
• Skagit County, Washington ($215K)
• Blue Cross Blue Shield of Tennessee
($1.5M)
• QCA Health Plan, Inc. ($250K)
• Alaska Medicaid ($1.7M)
• Concentra Health Services ($1.725M)
• Phoenix Cardiac Surgery, P.C. ($100K)
• New York and Presbyterian Hospital
($3.3M)
• Massachusetts Eye and Ear Infirmary
($1.5M)
• Columbia University ($1.5M)
• Hospice of North Idaho ($50K)
• Parkview Health System ($800K)
Categories of Violations and Penalties
Category 1 – Did not know of the violation and would not have known of it by
exercising reasonable diligence
– Minimum of $100 per violation
– Maximum of $50,000 per violation
– Maximum total of $1.5 million for identical violations during a calendar year
Category 2 – Violations due to reasonable cause but not due to willful neglect
– Minimum of $1,000 per violation
– Maximum of $50,000 per violation
– Maximum total of $1.5 million for identical violations during a calendar year
Category 3 – Violations due to willful neglect that are corrected within 30 days
– Minimum of $10,000 per violation
– Maximum of $50,000 per violation
– Maximum total of $1.5 million for identical violations during a calendar year
Category 4 – Violations due to willful neglect that are not corrected within 30
days of knowledge
– $50,000 per violation
– Maximum total of $1.5 million for identical violations during a calendar year
Where are the threats?
• Inside threats
‒ Employee negligence
▪ Security failures
▪ Malware
▪ Lost mobile devices
▪ Phishing and spear phishing
‒ Employee ignorance
▪ Improper disposal of personal information (dumpsters)
▪ Lack of education and awareness
‒ Malicious employees
• Outside threats
‒ Hackers
‒ Thieves (including social engineering tools)
‒ Vendors
What is a breach?
Baseline definition of a breach remains unchanged.
• § 164.402: Breach means the acquisition, access, use, or
disclosure of protected health information in a manner not
permitted under Subpart E of this part which compromises
the security or privacy of the protected health information.
Breach Analysis
• An acquisition, access, use, or disclosure of protected
health information in a manner not permitted . . . is
presumed to be a breach
• Unless, the CE or BA can demonstrate that there is a
low probability that the PHI has been compromised
based on a risk assessment
• Compromise is not defined
Infamous Breaches
• Anthem – 80 million people
• Sony PlayStation Network
• iCloud – Re: Jennifer Lawrence
• SnapChat – The “no big deal” incident
• Target – 40 million people’s financial data
• Neiman Marcus – 1.1 million credit cards
• AIG – Stolen computer w/ customer data (700k)
• University of Maryland – 2 breaches!
Infamous Breaches
• Indiana University – Personal data for 146k
students
• IRS – Employee took home personal data on 20k
individuals
• Montana Dept of HHS – 1.3M client records
• eBay – 145M user names and emails
• American Express – 76k customers
• Home Depot – unknown – probably every
customer from any of the 2200 stores
And Yet Another
• On March 17, 2015, Premera Blue Cross announced a
cyberattack that exposed the medical and financial data of
11 million customers.
• The largest breach to date involving medical information.
• April 2014 audit – indicated security risks
• Breach occurred on May 5, 2014
• Discovered January 29, 2015 – the same day the Anthem breach
was disclosed
Security has 3 Phases
• Prevention: Know your risks via risk assessment,
protection of data, secure authentication
• Detection: Regular monitoring and audits,
documentation of these activities
• Response: Incident handling response processes,
breach notification processes, disciplinary actions
(sanctions)
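The “Audit controls” technical safeguard listed earlier and the Detection phase above both come down to somebody actually reviewing the access trail the EHR already records. The following Python script is an added example, not part of the original presentation or any vendor product. It runs three minimum-necessary checks over a constructed audit log: unit-bound staff viewing another unit’s chart, access by a role at hours it has no business need for, and bulk access to many distinct charts in a short window (a snooping or export indicator). The export columns, role names, business hours and thresholds are assumptions for the example; real EHR audit exports differ.

```python
"""Minimum-necessary review of an EHR access audit trail (added example)."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit trail (not real data). Columns are an assumed
# export format: timestamp, user, role, user's unit, patient, patient's unit, action.
SAMPLE_LOG = """\
ts,user,role,unit,patient,patient_unit,action
2015-03-16T09:02:11,rn.alvarez,nurse,ICU,MRN1001,ICU,view
2015-03-16T09:05:40,rn.alvarez,nurse,ICU,MRN1002,ICU,view
2015-03-16T09:20:03,dr.chen,physician,CARD,MRN2001,CARD,view
2015-03-16T12:44:19,rn.alvarez,nurse,ICU,MRN3001,ONC,view
2015-03-17T02:13:55,billing.ray,billing,REV,MRN1001,ICU,view
2015-03-17T02:14:08,billing.ray,billing,REV,MRN1002,ICU,view
2015-03-17T02:14:21,billing.ray,billing,REV,MRN2001,CARD,view
2015-03-17T02:14:33,billing.ray,billing,REV,MRN3001,ONC,view
2015-03-17T02:14:46,billing.ray,billing,REV,MRN3002,ONC,view
2015-03-17T02:14:59,billing.ray,billing,REV,MRN3003,ONC,view
2015-03-17T10:30:00,dr.chen,physician,CARD,MRN2002,CARD,view
"""

# Assumed role policy: which roles legitimately work charts across units,
# which roles have no overnight business need, and what counts as "bulk".
CROSS_UNIT_ROLES = {"physician", "billing"}
DAYTIME_ONLY_ROLES = {"billing"}
BUSINESS_HOURS = range(6, 22)          # 06:00-21:59
BULK_WINDOW = timedelta(minutes=10)
BULK_THRESHOLD = 5                     # distinct patients within BULK_WINDOW


def parse_log(text):
    """Parse the CSV export and sort by user then time so windows are contiguous."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["ts"] = datetime.strptime(row["ts"], "%Y-%m-%dT%H:%M:%S")
    return sorted(rows, key=lambda r: (r["user"], r["ts"]))


def review_access_log(text):
    """Return (rule, user, detail) findings for a privacy officer to follow up."""
    findings = []
    after_hours = defaultdict(int)   # (user, date) -> number of off-hours views
    by_user = defaultdict(list)      # user -> [(ts, patient), ...] in time order
    for r in parse_log(text):
        # Rule 1: unit-bound staff viewing a chart that belongs to another unit.
        if r["role"] not in CROSS_UNIT_ROLES and r["unit"] != r["patient_unit"]:
            findings.append(("out_of_unit", r["user"],
                             f"{r['patient']} ({r['patient_unit']}) viewed from "
                             f"{r['unit']} at {r['ts']:%Y-%m-%d %H:%M}"))
        # Rule 2: access at an hour the role has no business need for.
        if r["role"] in DAYTIME_ONLY_ROLES and r["ts"].hour not in BUSINESS_HOURS:
            after_hours[(r["user"], r["ts"].date())] += 1
        by_user[r["user"]].append((r["ts"], r["patient"]))
    for (user, day), n in sorted(after_hours.items()):
        findings.append(("after_hours", user,
                         f"{n} chart views on {day} outside 06:00-22:00"))
    # Rule 3: many distinct charts in a short window (snooping or export).
    for user, events in sorted(by_user.items()):
        for i, (start, _) in enumerate(events):
            window = {p for ts, p in events[i:] if ts - start <= BULK_WINDOW}
            if len(window) >= BULK_THRESHOLD:
                findings.append(("bulk_access", user,
                                 f"{len(window)} distinct patients within "
                                 f"{BULK_WINDOW} starting {start:%Y-%m-%d %H:%M}"))
                break   # one finding per user is enough for triage
    return findings


if __name__ == "__main__":
    for rule, user, detail in review_access_log(SAMPLE_LOG):
        print(f"{rule:12} {user:12} {detail}")
```

On the sample log the nurse’s single out-of-unit view and the billing account’s 2 a.m. sweep through six charts are the three findings; the point of the exercise is that each finding names a person and a time, which is what the Security Rule’s sanction policy and any later breach risk assessment will need.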
General Security Awareness
• Security (protecting the system and the information it contains)
includes protecting against unauthorized access from outside and
misuse from within
• Hardware and software (physical computer systems)
• Personnel policies
• Information practice policies
• Develop disaster/intrusion response and recovery plans
• Designate security responsibilities
• Develop protocols regarding activities and security at the personnel
and workstation level
• Safeguards from fire, natural and environmental hazards, and
intrusions
Password Management
• Don’t tell anyone your password
• Don’t write your password down
• Do change your password if others know it
• Do enter your password in private
• Do use a passphrase
No Auto Logoff
• High risk
• PCs left unattended should log off automatically after a
reasonable time
• PCs in very busy areas should auto logoff after no more than
5 minutes as a rule
Smart Phones and Personal Devices
• Huge HIPAA Security Risk Factor
• Many have company email on phone which could
contain ePHI
• Always password protect!
• Remote wipe capability
• Do NOT text ePHI
• Who has access to your mobile device?
– (i.e. family member, friends)
Unsecured Email
• High risk
• Do NOT email ePHI using unsecured methods
• If the channel is unsecured – limit email to de-identified
information
• A patient may sign off on / accept the risk of unsecured email
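The slide above says an unsecured channel should carry only de-identified information. What “de-identified” means under HIPAA is spelled out by the Safe Harbor method in 45 CFR 164.514(b)(2): remove the eighteen listed identifiers, including names, geographic units smaller than a state (only the first three ZIP digits may remain, and those become 000 for sparsely populated areas), all date elements except the year, and ages over 89. The Python below is an added example, not code from the presenters or from any vendor. The field names, the sample record and the restricted-ZIP subset are assumptions for the example, and the regex pass over free text is a backstop for obvious leaks, not a complete de-identification of narrative notes.

```python
"""Safe Harbor de-identification of a patient record (added example)."""
import re
from datetime import date

# Direct identifiers that Safe Harbor removes outright (assumed field names).
DIRECT_IDENTIFIERS = {"name", "mrn", "ssn", "phone", "email", "street", "city", "county"}
# Dates directly related to the individual: only the year may survive.
DATE_FIELDS = {"admit_date", "discharge_date", "death_date"}
# Three-digit ZIP areas that must be reported as 000 because they cover
# 20,000 or fewer people; illustrative subset, check current HHS guidance.
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790"}
# Patterns that often leak identifiers inside free text. A regex pass is a
# backstop, not a substitute for removing the structured fields above.
SCRUB = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "[EMAIL]"),
    (re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"), "[DATE]"),
    (re.compile(r"\b\d{4}-\d{2}-\d{2}\b"), "[DATE]"),
]

# Constructed sample record (not a real patient).
SAMPLE_RECORD = {
    "name": "Jane Q. Public", "mrn": "MRN1001", "ssn": "123-45-6789",
    "phone": "412-555-0147", "email": "jane@example.com",
    "street": "12 Elm St", "city": "Pittsburgh", "state": "PA", "zip": "15222",
    "dob": "1921-02-14", "admit_date": "2015-03-01", "discharge_date": "2015-03-09",
    "diagnosis": "pneumonia",
    "note": "Pt's daughter (412-555-0199) called on 03/05/2015 re discharge.",
}


def age_on(dob, as_of):
    """Whole years between dob and as_of."""
    return as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))


def scrub_text(text):
    """Replace identifier-shaped substrings in free text with placeholders."""
    for pattern, replacement in SCRUB:
        text = pattern.sub(replacement, text)
    return text


def safe_harbor(record, as_of):
    """Return a copy of record with the Safe Harbor identifiers removed or generalized."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        if key == "zip":
            zip3 = value[:3]
            out["zip3"] = "000" if zip3 in RESTRICTED_ZIP3 else zip3
        elif key == "dob":
            age = age_on(date.fromisoformat(value), as_of)
            if age >= 90:
                out["age"] = "90+"          # birth year dropped: it would reveal age > 89
            else:
                out["age"] = age
                out["birth_year"] = value[:4]
        elif key in DATE_FIELDS:
            out[key.replace("_date", "_year")] = value[:4]
        elif key == "note":
            out[key] = scrub_text(value)
        else:
            out[key] = value
    return out


if __name__ == "__main__":
    print(safe_harbor(SAMPLE_RECORD, date(2015, 3, 24)))
```

Note that the 94-year-old sample patient loses her birth year entirely, not just the month and day, because a year of birth alone would show she is over 89; the same logic applies to a date of death. Whether the output is still useful for the email in question is a separate judgement, but anything that fails this pass is PHI and needs an encrypted channel.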
Thumb Drives and Laptops
• High risk factor
• Sometimes used to back up data
• If taken off site or out of a secure location – MUST be encrypted
• Easy to lose – look at the list of breaches
Improper Disposal
• If your device has ePHI
– It must be wiped clean prior to disposal
– Many security compromises come from old hard drives
• Talk to your employer’s IT department to see how this is handled
Wireless Networks
• High risk
• Must be encrypted if transmitting ePHI
• Guest networks at your office should be
separate from your main network
Social Media
• Patient information should never be
discussed
• Employer can be liable for employee
posting PHI
• Employee is also liable individually for
wrongful disclosures
• Examples
Case Study: Placenta Picture
• Premature baby born at Cedars-Sinai
Medical Center still inside amniotic sac
• Doctor’s first reaction
– Dr. snapped a photograph with his cellphone.
In the News
• “Health care files a rich trove for identity thieves”
– March 16 Pittsburgh Post-Gazette
• “Prison Term in HIPAA Violation Case”
– February 20 Data Breach Today
• “Experts warn 2015 could be ‘Year of the Healthcare Hack’”
– February 11 Reuters
• “No encryption means HIPAA breach for 45K”
– February 10 Health IT News
AWARENESS
• Security Awareness and Training is KEY
• Staff needs to be trained on IT security at
least once per year
• Constantly reinforce security
– Talk about it, post it, email it
– Creating a culture of compliance and security
Conclusion
• HIPAA compliance is not just about technology – it’s about
people. This includes everyone you work with, from a
receptionist to the highest-ranking doctor.
• ALWAYS maintain a “HIPAA-Aware” mindset
• Remember: “The biggest vulnerability is still individual users
doing dumb things.”
(John Christiansen, Seattle-based health care technology attorney, Pittsburgh Post-Gazette, March 16, 2015)
TOP PRIVACY & SECURITY
PRACTICES
1. When in doubt, don’t give information out.
2. Log off before you walk off from your computer.
3. Double check fax numbers before sending.
4. Do not send e-mails or use the internet unless the connection is secure
and approved.
5. Authenticate the identity of the caller before releasing confidential information.
6. Never share your password with anyone.
7. Maintain the security of all patient information in all its media, including
paper, electronic and oral.
8. Discuss patient information in private locations.
9. Access information on a need-to-know basis, only to do your job.
10. Dispose of confidential information according to proper procedures (i.e.,
locked shred bins, have electronic media wiped).
11. An educated workforce helps reduce the possibility of breaches.