HB-300-Presentation

Texas Privacy Update
A Look at HITECH and H.B.300
Developments
Ana E. Cowan, Associate
Deborah C. Hiser, Partner
Brown McCarroll LLP
H.B. 300
How are Things Different?
H.B. 300  Effective September 1, 2012
•
•
Completely New Framework for Enforcement
– Audits
– AG initiated action
– Hefty fines
– If you did not take HIPAA seriously before—it is time
Update Policies and Procedures
– Training
– Breach Notification
– Marketing
– Sale of PHI
– NPP
– Update of Business Associate Contracts
– Authorization for Electronic Disclosure
– Access to Medical Record
Complaints Received by OCR
Top 5 Issues in Investigated Cases Closed with Corrective Action

Year           | Issue 1                          | Issue 2                          | Issue 3 | Issue 4           | Issue 5
2010           | Impermissible Uses & Disclosures | Safeguards                       | Access  | Minimum Necessary | Notice
2009           | Impermissible Uses & Disclosures | Safeguards                       | Access  | Minimum Necessary | Complaints to Covered Entity
2008           | Impermissible Uses & Disclosures | Safeguards                       | Access  | Minimum Necessary | Complaints to Covered Entity
2007           | Impermissible Uses & Disclosures | Safeguards                       | Access  | Minimum Necessary | Notice
2006           | Impermissible Uses & Disclosures | Safeguards                       | Access  | Minimum Necessary | Notice
2005           | Impermissible Uses & Disclosures | Safeguards                       | Access  | Minimum Necessary | Mitigation
2004           | Impermissible Uses & Disclosures | Safeguards                       | Access  | Minimum Necessary | Authorizations
2003 (Partial) | Safeguards                       | Impermissible Uses & Disclosures | Access  | Notice            | Minimum Necessary
Breach Notification: 500+ Breaches by Type of Breach
OCR Enforcement Cases
OCR has stated that they will investigate every reported breach
Rite Aid
• Take away: Must dispose of PHI correctly.
  – Rite Aid pharmacies disposed of labeled prescription bottles containing PHI in containers accessible by the public.
  – $1 million
  – Entered into a 3 year CAP and a 20 year FTC Order which requires Rite Aid to:
    • Develop Privacy and Security policies to safeguard PHI during the disposal process,
    • Train employees on how to properly dispose of PHI,
    • Sanction offending employees, and
    • Obtain external assessments of Rite Aid’s compliance.
OCR Enforcement Cases
Cignet Health
• Take away: Must give patients their medical records within 15 days of request. Always comply with OCR’s requests.
  – Cignet denied 41 patients access to their medical records. During OCR investigation, Cignet ignored OCR’s requests to produce records.
  – $4.3 Million
OCR Enforcement Cases
Phoenix Cardiac Surgery
• Take Away:
  » Small providers must comply
  » Pay attention to fundamentals of security—standards are flexible and scalable
  » Security in the “Cloud”
• Failed to secure appointment calendaring app
• Failed to have risk analysis and risk management process under Security Rule
• $100,000
• Entered into a Corrective Action Plan (CAP) which requires a review of recently developed policies and other actions taken to come into full compliance with the Privacy and Security Rules.
Authority for HIPAA Audits
Section 13411 of the HITECH Act
The Secretary shall provide for periodic audits to ensure that covered entities and business associates that are subject to the requirements of this subtitle and subparts C and E of part 164 of title 45, Code of Federal Regulations, as such provisions are in effect as of the date of enactment of this Act, comply with such requirements.
The Initial 20 Audits
Quick OCR/KPMG HIPAA Audit Update – 1st 20 Audits
• Level 1 Entities: Large providers/payors with more than $1 billion in revenue and/or assets
• Level 2 Entities: Large regional hospital systems/regional payor with between $300 million and $1 billion in revenue and/or assets.
• Level 3 Entities: Community hospitals, ambulatory surgery centers, regional pharmacies (with between $50 million)
• Level 4 Entities: Small providers and community pharmacies with less than $50 million in revenue and/or assets
Audits: What to Expect
The Questions HHS Might Ask: Lessons Learned From Piedmont
1. Establishing and terminating user’s access to systems housing ePHI
2. Emergency access to electronic information systems
3. Inactive computer sessions (periods of inactivity)
4. Recording and examining activity in information systems that contain or use ePHI
5. Risk assessments and analysis of relevant information that house or process ePHI data.
6. Employee sanction policies
7. Incident reports
8. Audit logs and access reports
9. Listing of all network perimeter devices, i.e. firewalls and routers
Audits: What to Expect
The Questions HHS Might Ask (continued)
10. Remote access activity (network infrastructure platform, access servers, authentication and encryption software)
11. Password and server configurations
12. Antivirus software
13. Maintenance and repairs of hardware, walls, doors, and locks in sensitive areas
Audits: What to Expect
Additional Questions HHS Might Ask (continued)
1. Information systems that house ePHI data, as well as network diagrams, including all hardware and software that are used to collect, store, process, or transmit ePHI
2. Terminated employees
3. New Hires
4. Outsourced individuals and contractors with access to ePHI. Provide a copy of the contract for these individuals
5. Organizational Charts
6. List of all users with access to ePHI data
7. Identify each user’s access rights and privileges
8. List of systems administrators, backup operators, and users
9. List of all users with remote access capabilities
10. Regularly review OCR website and review CAPs
Audits: What to Expect
Step 3: Site Visits
• Personal Interviews with CE leadership
• Up Close and Personal Examination
• Policy Consistency
• Observation
Audits: What to Expect
Step 4: Auditor Reports
• Auditors will develop a draft report
• Final report submitted to OCR
• OCR may initiate compliance review for serious issues
• If they do, you will be subject to a CAP
New Civil Monetary Penalty System
• Accidental
  – $100 each violation
  – Up to $25,000 for identical violations, per year
• Not Willful Neglect, but Not Accidental
  – $1,000 each violation
  – Up to $100,000 for identical violations, per year
• Willful Neglect, Not Corrected
  – $50,000 each violation
  – Up to $1.5 million per year
And…Don’t forget about Criminal Penalties
• “Knowingly”
  – $50,000
  – Imprisonment up to one year.
• False pretenses
  – Up to $100,000 fine
  – Up to five years in prison.
• Intent to sell, transfer, or use for commercial advantage, or for personal gain or malicious harm
  – $250,000
  – Imprisonment for up to ten years.
H.B. 300
Audits
H.B. 300 TX Health & Safety Code § 181.206
Audits of Covered Entities
• If there appears to be a pattern of violations, the Texas Commission of HHS may:
  – Require the covered entity to submit a risk analysis regarding the potential risks and vulnerabilities to the confidentiality, integrity, and availability of PHI, and
  – If the covered entity is licensed by a Texas agency, request the agency to conduct an audit.
Texas H.B. 300
AG Action
H.B. 300 TX Health & Safety Code § 181.154
AG Initiated Action
• AG may sue a covered entity for violation of the Texas Privacy Law.
• AG may bring an action only if the agency the entity is licensed by refers the violation to the AG.
• AG may retain a reasonable amount of the civil penalty.
H.B. 300
Texas Attorney General Enforcement
In May 2011, OCR invited the 50 state attorneys general for in-person HIPAA training so that they may properly enforce HIPAA and HITECH in their respective states.
Texas H.B. 300
It comes down to $$$$
H.B. 300 TX Health & Safety Code § 181.154
Civil Penalties in Addition to Injunctive (May Not Exceed)
• $5,000 per violation per year: negligently
• $25,000 per violation per year: knowingly or intentionally
• $250,000 per violation per year: financial gain
Texas H.B. 300
It comes down to $$$$
• Civil penalties may not exceed $25K for violation(s) of authorization and notice requirements for disclosure of PHI if the disclosure was only made to another covered entity and was only for the purposes of treatment, payment, operations, or insurance, and the PHI was:
  – Encrypted or transmitted using encryption technology,
  – PHI recipient did not use or release PHI, and
  – At time of disclosure, the covered entity had developed, implemented, and maintained security policies, including education and training of employees responsible for PHI security.
Texas H.B. 300
It comes down to $$$$
• If court finds violations occurred enough times to constitute a pattern, a fine not to exceed $1.5 million may be assessed.
• In determining the penalty amount, the court should consider:
  – Seriousness of the violation,
  – Covered entity's compliance history and effort to correct the violation,
  – If the violation poses a significant risk of financial, reputational, or other harm to individual,
  – The required amount to deter future violations, and
  – If the covered entity was THSA certified at time of the violation.
Texas H.B. 300
Training
H.B. 300 TX Health & Safety Code § 181.101
Training Requirements
• Covered Entities are required to train employees on state and federal laws as they relate to:
  – The CE in its particular course of business
  – The employee’s scope of employment
• 60 day Requirement
• Must provide for Training at least once every 2 years
• Employees must attest to being trained
• H.B. 300 Action Item: Update your policy and procedures
Texas H.B. 300
Access
H.B. 300 TX Health & Safety Code § 181.102
Access Requirements
• Electronic Health Records System
• Provide record electronically within 15 days of written request
• H.B. 300 Action Item: Update your policy and procedures
Texas H.B. 300
Sale of PHI
H.B. 300 TX Health & Safety Code § 181.153
Sale of PHI
• Covered entities may not disclose PHI in exchange for direct or indirect remuneration, unless the disclosure is for treatment, payment, health care operations, or insurance.
• The remuneration the covered entity receives may not exceed the covered entity's reasonable costs for preparing or transmitting the PHI.
• NPRM: Provides that CE disclose in NPP
Texas H.B. 300
Sale of PHI
H.B. 300 TX Health & Safety Code § 181.153
(b) If a covered entity uses or discloses protected health information to send a written marketing communication through the mail, the communication must be sent in an envelope showing only the names and addresses of sender and recipient and must:
  1. state the name and toll-free number of the entity sending the marketing communication; and
  2. explain the recipient’s right to have the recipient’s name removed from the sender’s mailing list.
(c) A person who receives a request under subsection (b)(2) to remove a person’s name from a mailing list shall remove the person’s name not later than the 45th day after the date the person receives the request.
Texas H.B. 300
Sale of PHI
• This is complicated—Don’t try to figure it out on your own.
• EVEN THE FEDS DON’T KNOW HOW TO DEFINE TREATMENT
• H.B. 300 Action Item: Update policy and procedures. Texas law stricter.
• Need to be on the lookout for NPRM: NPP statement
Texas H.B. 300
Notice and Authorization
TX Health & Safety Code § 181.154
Notice and Authorization Required for Electronic Disclosure of PHI
• CE must Post Notice:
  – Written notice in covered entity's place of business,
  – Notice on covered entity's website, or
  – Notice in any other place where individuals are likely to see the notice.
• Obtain Authorization: Even if the above notice is posted, CE may not electronically disclose an individual’s PHI without the individual’s authorization.
  – EXCEPTION: Disclosure is to another CE for the purpose of treatment, payment, operations, or insurance.
Texas H.B. 300
Notice and Authorization
TX Health & Safety Code § 181.154
Notice and Authorization Required for Electronic Disclosure of PHI
• H.B. 300 Action Items
  – Update policy and procedures
  – Update HIPAA authorization form to take electronic disclosure into consideration
  – Post Notice (either in office or NPP)
Texas H.B. 300
Breach
H.B. 300 TX Business and Commerce Code § 521.002-521.053
Breach
• A person who conducts business in this state and owns or licenses computerized data that includes sensitive personal information must disclose any breach of system security.
• “Breach of system security” means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of sensitive personal information maintained by a person, including data that is encrypted if the person accessing the data has the key required to decrypt the data.
• Applies only if the individual whose sensitive personal information was or is reasonably believed to have been acquired by an unauthorized person is a resident of this state or another state that does not have notification laws.
• H.B. 300 Action Item: Update policy and procedures. Texas law is different than HITECH.
Sobering Thoughts
Sec. 181.202. DISCIPLINARY ACTION
• In addition to the penalties prescribed by this chapter, a violation of this chapter by a covered entity that is licensed by an agency of this state is subject to investigation and disciplinary proceedings, including probation or suspension by the licensing agency. If there is evidence that the violations of this chapter are egregious and constitute a pattern or practice, the agency may:
  1. Revoke the covered entity’s license; or
  2. Refer the covered entity’s case to the attorney general for the institution of an action for civil penalties under Section 181.201(b).
Sobering Thoughts
Sec. 181.203. EXCLUSION FROM STATE PROGRAMS
• In addition to the penalties prescribed by this chapter, a covered entity shall be excluded from participating in any state-funded health care program if a court finds the covered entity engaged in a pattern or practice of violating this chapter.
Texas H.B. 300
Business Associate Contracts
• Business Associate Contracts – Contract between a HIPAA covered entity and a HIPAA business associate. The contract protects personal health information (PHI) in accordance with HIPAA guidelines.
• Remember that Your Business Associates are considered a CE under Texas law
• H.B. 300 Action Items: Need to Update BA
  – Provisions to prohibit the sale and marketing of PHI
  – Update Training provisions
  – Update Access provisions
  – Update breach provisions (HITECH and H.B. 300)
  – DON’T FORGET TO INDEMNIFY
Final Thoughts
• Change in Enforcement Landscape
• Update Policies and Procedures for HB 300 Changes
  – Training Policy
  – Notice of Privacy Practices
  – Authorization
  – Business Associate Contracts
  – Access Policy
  – Marketing
  – Breach Policy
  – Do Not Ignore Security Rules
• Train, Train, Train
Questions?
Thank You
Contact
Ana E. Cowan
512-703-5791
acowan@brownmccarroll.com
Deborah C. Hiser
512-703-5718
dhiser@brownmccarroll.com
111 Congress
Suite 1400
Austin, Texas 78701