HIPAA/HITECH Privacy and Security in the Current Regulatory and Technical Environment
What It Means for Your Organization
March 24, 2015
HFMA Revenue Cycle Meeting

Lindsay Darling Petrosky, Esq.
Three Gateway Center, 401 Liberty Avenue, Suite 1500, Pittsburgh, PA 15222
(412) 434-8814
ldpetrosky@jacksonkelly.com

Rachel D. Ludwig, Esq.
500 Lee Street East, Suite 1600, Charleston, WV 25301
(304) 340-1185
rdludwig@jacksonkelly.com

www.jacksonkelly.com

AGENDA
• HIPAA/HITECH History
• Privacy
• Security
• Current Enforcement Trends
• Breaches
• Technology Security Issues
• Protections

HIPAA/HITECH – Important Dates
• HIPAA – enacted 1996 – Privacy Rule subsequently implemented by DHHS
• HITECH – February 17, 2009
  – Requires notification of breaches of unsecured PHI
  – Makes certain HIPAA privacy and security requirements directly applicable to BAs
• Omnibus Final Rule – published January 2013, effective March 26, 2013
  – Compliance required by September 23, 2013

Privacy Rule
• Comprehensive federal protection for the privacy and confidentiality of Individually Identifiable Health Information (IIHI)
• Promotes strong privacy protections without interfering with patient access to, or the quality of, health care services

Privacy Rule Governs PHI
• Protected Health Information (PHI) in any form (electronic, paper, or verbal)
• PHI = IIHI that is:
  – Held or maintained by a CE, or by its BA acting for the CE
  – Transmitted or maintained in any form or medium
• PHI includes:
  – Identifiable demographic information
  – Information relating to an individual's past, present, or future physical or mental health or condition
  – Genetic information
  – Information concerning the provision of, or payment for, health care services

Privacy Rule Requirements
• The Privacy Rule requires that a CE:
  – Notify individuals about their privacy rights and how their information can be used
  – Adopt and implement privacy procedures
  – Train employees so that they understand the privacy procedures
  – Designate an individual responsible for ensuring that privacy procedures are adopted and followed
  – Secure patient records containing PHI

MINIMUM NECESSARY
• Use reasonable efforts to limit uses, disclosures, and requests of PHI to the minimum amount necessary to accomplish the intended purpose
• Must maintain appropriate administrative, technical, and physical safeguards to limit incidental uses and disclosures

MINIMUM NECESSARY EXCEPTIONS
• Disclosures required by law
• Disclosures to the individual who is the subject of the information
• Disclosures pursuant to a valid, signed authorization
• Disclosures for treatment
• Disclosures required to comply with other HIPAA provisions, or to HHS for enforcement

Post-HITECH
Some everyday changes you may have noticed:
• Individual's right to an electronic copy of their record
• Individual may designate a third party to receive a copy
  – Request must be in writing
  – Must clearly identify the designated person
  – Must clearly identify where to send the copy

Timing
• CE must respond to an access request within 30 days
• CEs may obtain a one-time 30-day extension if the CE provides:
  – Written notice to the individual, including the reason for the delay and the expected date of completion
• Access must therefore be provided no later than 60 days after the request

Copy Fees
• State law vs. HIPAA
• Must be a reasonable, cost-based fee
  – Cost of supplies may be charged
  – Postage may be charged
  – No charges permitted for system maintenance, storage cost, new technology, or search or retrieval fees
  – See W. Va. Code § 16-29-2

Decedents and Access to PHI
• PHI is protected for 50 years following death
• If an individual is deceased, the CE may disclose PHI to friends and family who were involved in the individual's care or payment prior to death, to the extent the PHI is relevant to that person's involvement
• Disclosure must be consistent with any prior expressed preference of the individual that is known to the CE
• This 50-year period of protection is not a record retention requirement
• Note: states are beginning to regulate a decedent's right to privacy more stringently than HIPAA
  – For example, Virginia recently passed the Privacy Expectation Afterlife and Choices Act

Recent Updates Affecting the Privacy Rule
• September 2014 – OCR guidance following US v. Windsor (2013), which held Section 3 of DOMA unconstitutional – "spouse" and "marriage" now include:
  – "Spouse": individuals in a valid same-sex marriage sanctioned by a state, territory, or foreign jurisdiction, provided that, with regard to a foreign jurisdiction, a U.S. jurisdiction would recognize the marriage
  – "Marriage": both same-sex and opposite-sex marriage
  – "Family member": dependents of same-sex and opposite-sex marriages
• PHI includes genetic information, and HIPAA has added definitions consistent with GINA

The Security Rule
• Applies only to ePHI
• Establishes information technology standards and best practices for safeguarding ePHI
• Primary goal: protect the confidentiality, integrity, and availability of ePHI when it is stored, maintained, or transmitted

The Security Rule
• Administrative, physical, and technical safeguards
• Policy and procedure requirements
• Documentation requirements
• Direct liability for violations
• Applies to both CEs and BAs
  – Security is considered a major area of non-compliance for many BAs

SECURITY OF PHI
• Conduct a risk assessment of your EHR
• Designate a Chief Security Officer (assigned security responsibility)
• Adopt policies and procedures
• Perform workforce training
• Adopt workforce sanctions

ADMINISTRATIVE SECURITY OF PHI
• Security management process
• Assigned security responsibility
• Workforce security
• Information access management
• Security awareness and training
• Security incident procedures
• Contingency plan
• Evaluation
• Business associate contracts and other arrangements

PHYSICAL SECURITY OF PHI
• Facility access controls
• Workstation use
• Workstation security
• Mobile device and media controls
• Disposal and re-use of media

TECHNICAL SECURITY OF PHI
• Access controls
  – Unique user identification and authentication
  – Automatic logoff
  – Encryption of data at rest
• Transmission security
  – Encryption of data in motion
• Audit controls
• Integrity
• Person or entity authentication

So What About Enforcement?

OCR Comments on Enforcement
"This final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented. These changes not only greatly enhance a patient's privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates."

OCR Resolution Agreements
• Providence Health & Services ($100K)
• Idaho State University ($400K)
• CVS Pharmacy ($2.25M)
• Shasta Regional Medical Center ($275K)
• Rite-Aid ($1M)
• Management Services Organization of Washington ($35K)
• Cignet ($4.3M)
• Massachusetts General Hospital ($1M)
• WellPoint ($1.7M)
• Affinity Health Plan ($1.2M)
• Adult & Pediatric Dermatology, P.C. of Massachusetts ($150K)
• UCLA Health Services ($865K)
• Skagit County, Washington ($215K)
• Blue Cross Blue Shield of Tennessee ($1.5M)
• QCA Health Plan, Inc. ($250K)
• Alaska Medicaid ($1.7M)
• Concentra Health Services ($1.725M)
• Phoenix Cardiac Surgery, P.C. ($100K)
• New York and Presbyterian Hospital ($3.3M)
• Massachusetts Eye and Ear Infirmary ($1.5M)
• Columbia University ($1.5M)
• Hospice of North Idaho ($50K)
• Parkview Health System ($800K)

Categories of Violations and Penalties
Category 1 – Did not know of the violation and would not have known by exercising reasonable diligence
  Minimum $100 per violation; maximum $50,000 per violation; maximum total $1.5 million for identical violations during a calendar year
Category 2 – Violation due to reasonable cause but not willful neglect
  Minimum $1,000 per violation; maximum $50,000 per violation; maximum total $1.5 million for identical violations during a calendar year
Category 3 – Violation due to willful neglect, corrected within 30 days
  Minimum $10,000 per violation; maximum $50,000 per violation; maximum total $1.5 million for identical violations during a calendar year
Category 4 – Violation due to willful neglect, not corrected within 30 days of knowledge
  Minimum $50,000 per violation; maximum total $1.5 million for identical violations during a calendar year

Where are the threats?
• Inside threats
  – Employee negligence
  – Employee ignorance
  – Vendors
  – Malicious employees
• Outside threats
  – Hackers
  – Thieves (including those using social engineering tools)
• How they get in
  – Security failures
  – Malware
  – Lost mobile devices
  – Phishing and spear phishing
  – Improper disposal of personal information (dumpsters)
  – Lack of education and awareness

What is a breach?
The baseline definition of a breach remains unchanged.
• § 164.402: Breach means the acquisition, access, use, or disclosure of protected health information in a manner not permitted under Subpart E of this part which compromises the security or privacy of the protected health information.

Breach Analysis
• An acquisition, access, use, or disclosure of PHI in a manner not permitted is presumed to be a breach
• Unless the CE or BA can demonstrate that there is a low probability that the PHI has been compromised, based on a risk assessment
• "Compromise" is not defined

Infamous Breaches
• Anthem – 80 million people
• Sony PlayStation Network
• iCloud – re: Jennifer Lawrence
• SnapChat – the "no big deal" incident
• Target – 40 million people's financial data
• Neiman Marcus – 1.1 million credit cards
• AIG – stolen computer with customer data (700K)
• University of Maryland – 2 breaches!

Infamous Breaches
• Indiana University – personal data for 146K students
• IRS – employee took home personal data on 20K individuals
• Montana Dept. of HHS – 1.3M client records
• eBay – 145M user names and emails
• American Express – 76K customers
• Home Depot – unknown – probably every customer from any of the 2,200 stores

And Yet Another
• On March 17th, Premera Blue Cross announced a cyberattack that exposed the medical and financial data of 11 million customers
• The largest breach to date involving medical information
• April 2014 audit indicated security risks
• Breach occurred on May 5, 2014
• Discovered the same day the Anthem breach was disclosed – January 29, 2015

Security has 3 Phases
• Prevention: know your risks via risk assessment, protection of data, secure authentication
• Detection: regular monitoring and audits, documentation of these activities
• Response: incident handling response processes, breach notification processes, disciplinary actions (sanctions)

General Security Awareness
• Security (protecting the system and the information it contains) includes protecting against unauthorized access from outside and misuse from within
• Hardware and software (physical computer systems)
• Personnel policies
• Information practice policies
• Develop disaster/intrusion response and recovery plans
• Designate security responsibilities
• Develop protocols regarding activities and security at the personnel and workstation level
• Safeguards from fire, natural and environmental hazards, and intrusions

Password Management
• Don't tell anyone your password
• Don't write your password down
• Do change your password if others know it
• Do enter your password in private
• Do use a passphrase

No Auto Logoff
• High risk
• PCs left unattended should log off after a reasonable time
• PCs in very busy areas should auto logoff within 5 minutes as a rule

Smart Phones and Personal Devices
• Huge HIPAA security risk factor
• Many have company email on their phone, which could contain ePHI
• Always password protect!
• Enable remote wipe capability
• Do NOT text ePHI
• Who has access to your mobile device? (e.g., family members, friends)

Unsecure Email
• High risk
• Do NOT email ePHI using unsecure methods
• If the channel is unsecure, limit email to de-identified information
• A patient may sign off on and accept the risk of unsecure email

Thumb Drives and Laptops
• High risk factor
• Sometimes used to back up data
• If taken off site, MUST be encrypted
• If taken out of a secure location, MUST be encrypted
• Easy to lose – look at the list of breaches

Improper Disposal
• If your device has ePHI:
  – It must be wiped clean prior to disposal
  – Many security compromises come from old hard drives
• Talk to your employer's IT department to see how this is handled

Wireless Networks
• High risk
• Must be encrypted if transmitting ePHI
• Guest networks at your office should be separate from your main network

Social Media
• Patient information should never be discussed
• Employer can be liable for an employee posting PHI
• Employee is also liable individually for wrongful disclosures
• Examples

Case Study: Placenta Picture
• Premature baby born at Cedars-Sinai Medical Center still inside the amniotic sac
• Doctor's first reaction – the doctor snapped a photograph with his cellphone

In the News
• "Health care files a rich trove for identity thieves" – March 16, Pittsburgh Post-Gazette
• "Prison Term in HIPAA Violation Case" – February 20, Data Breach Today
• "Experts warn 2015 could be 'Year of the Healthcare Hack'" – February 11, Reuters
• "No encryption means HIPAA breach for 45K" – February 10, Health IT News

AWARENESS
• Security awareness and training is KEY
• Staff need to be trained on IT security at least once per year
• Constantly reinforce security
  – Talk about it, post it, email it
  – Create a culture of compliance and security

Conclusion
• HIPAA compliance is not just about technology – it's about people. This includes everyone you work with, from a receptionist to the highest-ranking doctor.
• ALWAYS maintain a "HIPAA-aware" mindset
• Remember: "The biggest vulnerability is still individual users doing dumb things."
  (John Christiansen, Seattle-based health care technology attorney, Pittsburgh Post-Gazette, March 16, 2015)

TOP PRIVACY & SECURITY PRACTICES
1. When in doubt, don't give information out.
2. Log off before you walk off from your computer.
3. Double check fax numbers before sending.
4. Do not send e-mails or use the internet unless the connection is secure and approved.
5. Authenticate the identity of the caller before releasing confidential information.
6. Never share your password with anyone.
7. Maintain the security of all patient information in all its media, including paper, electronic, and oral.
8. Discuss patient information in private locations.
9. Access information on a need-to-know basis, only to do your job.
10. Dispose of confidential information according to proper procedures (i.e., locked shred bins; have electronic media wiped).
11. An educated workforce helps reduce the possibility of breaches.