HIPAA in a Post-HITECH World

Stephen L. Page, RegionalCare Hospital Partners, stephen.page@regionalcare.net, (615) 844-9849
Elizabeth Warren, Bass Berry Sims PLC, ewarren@bassberry.com, (615) 742-7719

2014 HIPAA TOPICS
• Overview of HIPAA Basics
• Liability Risks with Business Associates
• OCR Enforcement 2014
• OCR 2014 Guidance
• HIPAA Audits
• Data Breaches
• New Frontiers (and some old ones)

HIPAA 101
• HIPAA refers to the Health Insurance Portability and Accountability Act of 1996
• HIPAA prohibits the unauthorized use or disclosure of protected health information unless an exception applies
• HIPAA impacts covered entities and business associates of covered entities
• The HITECH Act of 2009 revised certain parts of HIPAA

HIPAA 101 – What is PHI?
• Individually identifiable information
• Relating to condition, treatment, or payment
• Created or received by a provider, plan, employer, or clearinghouse
• Transmitted or stored electronically or in any other form

HIPAA 101 – Who is covered by HIPAA?
• Covered Entities (CEs)
  - Health Plans (including group health plans)
  - Clearinghouses
  - Providers
• Business Associates of Covered Entities (BAs)
  - Including law firms that handle PHI for clients who are CEs or BAs

HIPAA 101 – Uses and Disclosures
• The Privacy Rule defines and limits how an individual’s PHI may be used or disclosed by CEs
• The CE may not use or disclose PHI except:
  - as the Privacy Rule permits or requires (without an authorization), OR
  - as authorized in writing by the individual who is the subject of the information

HIPAA 101 – HIPAA Authorizations
• A HIPAA authorization is a specific type of written permission
• Must contain a number of mandatory elements (who, what, why, etc.)
• A “2 sentence” type permission is not compliant
• May not be combined with other types of permission (with very narrow exceptions such as for research)

HIPAA 101 – HIPAA Patient Rights
• Access
• Amendment
• Accounting of certain disclosures
• Privacy notice
• Restrictions and confidential communications
• Complaints

HIPAA 101 – Additional Requirements
• Minimum necessary
• Safeguards (all PHI)
• Business associate agreements
• Privacy officer
• Policies and procedures
• Training

Liability Risks with Business Associates
• HITECH: increased risk of being held liable for BA acts
• Actions of business associate vendors can create breach notification obligations for covered entities
• Client view may be: “we didn’t cause this so, not our problem.” Wrong response
• OCR view: “no get out of jail free card for covered entity.”

Liability Risks with Business Associates
• How to prevent/mitigate issues with BA compliance?
• Consider indemnification clauses
• Consider reviewing key BA security safeguards—but watch out for risks
• Confirm policies address the process for providing access to BAs

Liability Risks with Business Associates
• Risks for BA oversight:
  - If you know about issues and don’t address them . . .
  - Be careful what you ask for and how wide of a net you cast
  - Will your oversight trigger the BA being viewed as an agent?

Enforcement
• Since April 2003, HHS has received over 99,957 HIPAA complaints
• OCR has resolved 96% of complaints received (over 96,741 cases)
• OCR found violations of HIPAA in over 22,927 cases
• OCR found no violation in 10,390 cases
• OCR found 63,424 cases that were not eligible for enforcement

Enforcement
• Jail time for HIPAA criminal violations: still happening
  - 10/2013: nursing assistant in Florida sentenced to 3 years for stealing and selling patient records
• First penalty for failure to have breach notification policies: $150,000 penalty imposed on a dermatology practice (involved a stolen unencrypted thumb drive)

Enforcement
• Don’t leave PHI on the curb: $800,000 settlement for 2009 conduct (Parkview; June 2014)
• Don’t post PHI on the internet: $4.8 million record settlement (NY Presby/Columbia; May 2014)
• Do encrypt laptops
  - $1,725,220 (Concentra; April 2014)
  - $250,000 (QCA; April 2014)

Enforcement: Lawsuits
• West Virginia case allowed to proceed based on state law
• Many class actions based on breaches still dismissed
• FCRA claims?

Enforcement: Lessons Learned or Not
• Hard to predict the amount of penalties or when conduct gets penalized
• Enforcement actions may take years
• Increasing pressure to allow private causes of action
• Criminal penalties may help with internal training
• Sources of complaints/investigations broadening
  - unions
  - covered entity in response to BA breach notice
  - payers

New OCR Guidance
• Guidance on lawfully married same sex spouses
• Sharing information related to mental health
• Security Risk Assessment tool released

On the Horizon: New Audits
• Audits of some 350 healthcare providers and another 50 of their business associates will likely start in early 2015; they were originally set to begin in October 2014
• Per OCR, will ask audited CEs for a list of BAs and draw from that pool for the 50 audited BAs
• Per OCR, will be tied to enforcement

Breach Notification Standard
• Presumption of breach applies to any non-permissible use or disclosure
• Risk assessment using at least 4 factors
  - Nature and extent of PHI
  - Who received?
  - Accessed or not?
  - Mitigated?
• Little guidance on how to apply these 4 factors

Data Breach

Data Breaches
• OCR investigated since September 2009:
  - Breaches involving greater than 500 individuals: 1,176 incidents
  - Breaches involving fewer than 500 individuals: 122,000 incidents
• 60% of data breaches could have been prevented if Covered Entities or Business Associates had encrypted data

Recent Notable Data Breaches and Issues
• CHS: new concern, hacking
• Concentra (laptops)
• Identity theft a real risk (not just dealing with mistakes but with deliberate acts)
• HR issues often result in breaches
• The “social media defense” breach risk

State Law Privacy Risks
• California: 5 day standard; AG has brought lawsuits (Alere case)
• Florida: new, stricter breach notification law (30 days timing requirement)
• Massachusetts: not limited to enforcing within its borders (RI case)

New Frontiers
• False Claims Liability
  - Medicare Number certifications relating to Business Associate Agreements
  - Meaningful Use Certifications
• FDA issues cybersecurity guidelines for medical devices
• FTC enforcement

New Frontiers
• HIPAA as a barrier to technology innovation
• The remote use documentation on HHS’s website pre-dates Apple’s iPhone rollout (last updated in December 2006)
• It does not include information on any new Apple iOS or Android phones or tablets, making it challenging for developers that want to ensure their apps meet HIPAA regulations

Old Frontiers
• BAA templates still lacking for many Covered Entities
• Still battles of the forms
• Still working to get BAAs in place where needed
• Some CEs still lack comprehensive HIPAA policies or awareness
• BAs often are still behind the curve

Questions?