HIPAA 101 - What is PHI?

HIPAA in a Post-HITECH World
Stephen L. Page
RegionalCare Hospital Partners
stephen.page@regionalcare.net
(615) 844-9849
Elizabeth Warren
Bass Berry Sims PLC
ewarren@bassberry.com
(615) 742-7719
2014 HIPAA TOPICS
• Overview of HIPAA Basics
• Liability Risks with Business Associates
• OCR Enforcement 2014
• OCR 2014 Guidance
• HIPAA Audits
• Data Breaches
• New Frontiers (and some old ones)
HIPAA 101
• HIPAA refers to the Health Insurance Portability and Accountability Act of 1996
• HIPAA prohibits the unauthorized use or disclosure of protected health information unless an exception applies
• HIPAA impacts covered entities and business associates of covered entities
• The HITECH Act of 2009 revised certain parts of HIPAA
HIPAA 101 - What is PHI?
• Individually identifiable information
• Relating to condition, treatment, or payment
• Created or received by a provider, plan, employer, or clearinghouse
• Transmitted or stored electronically or in any other form
HIPAA 101 - Who is covered by HIPAA?
• Covered Entities (CEs)
  - Health Plans (including group health plans)
  - Clearinghouses
  - Providers
• Business Associates of Covered Entities (BAs)
  - Including law firms that handle PHI for clients who are CEs or BAs
HIPAA 101 – Uses and Disclosures
• The Privacy Rule defines and limits how an individual’s PHI may be used or disclosed by CEs
• The CE may not use or disclose PHI except:
  - as the Privacy Rule permits or requires (without an authorization), OR
  - as authorized in writing by the individual who is the subject of the information
HIPAA 101 – HIPAA Authorizations
• A HIPAA authorization is a specific type of written permission
• Must contain a number of mandatory elements (who, what, why, etc.)
• A “2 sentence” type permission is not compliant
• May not be combined with other types of permission (with very narrow exceptions such as for research)
HIPAA 101 – HIPAA Patient Rights
• Access
• Amendment
• Accounting of certain disclosures
• Privacy notice
• Restrictions and confidential communications
• Complaints
HIPAA 101 – Additional Requirements
• Minimum necessary
• Safeguards (all PHI)
• Business associate agreements
• Privacy officer
• Policies and procedures
• Training
Liability Risks with Business Associates
• HITECH: increased risk of being held liable for BA acts
• Actions of business associate vendors can create breach notification obligations for covered entities
• Client view may be: “we didn’t cause this, so not our problem.” Wrong response
• OCR view: “no get out of jail free card for covered entity.”
Liability Risks with Business Associates
• How to prevent/mitigate issues with BA compliance?
• Consider indemnification clauses
• Consider reviewing key BA security safeguards, but watch out for risks
• Confirm policies address the process for providing access to BAs
Liability Risks with Business Associates
Risks for BA oversight:
• If you know about issues and don’t address them . . .
• Be careful what you ask for and how wide a net you cast
• Will your oversight trigger the BA being viewed as an agent?
Enforcement
• Since April 2003, HHS has received over 99,957 HIPAA complaints
• OCR has resolved 96% of complaints received (over 96,741 cases)
• OCR found violations of HIPAA in over 22,927 cases
• OCR found no violation in 10,390 cases
• OCR found 63,424 cases that were not eligible for enforcement
Enforcement
• Jail time for HIPAA criminal violations: still happening
  - 10/2013: nursing assistant in Florida sentenced to 3 years for stealing and selling patient records
• First penalty for failure to have breach notification policies: $150,000 penalty imposed on dermatology practice (involved stolen unencrypted thumb drive)
Enforcement
• Don’t leave PHI on the curb: $800,000 settlement for 2009 conduct (Parkview; June 2014)
• Don’t post PHI on the internet: $4.8 million record settlement (NY Presby/Columbia; May 2014)
• Do encrypt laptops
  - $1,725,220 (Concentra; April 2014)
  - $250,000 (QCA; April 2014)
Enforcement: Lawsuits
• West Virginia case allowed to proceed based on state law
• Many class actions based on breaches still dismissed
• FCRA claims?
Enforcement: Lessons Learned or Not
• Hard to predict amount of penalties or when conduct gets penalized
• Enforcement actions may take years
• Increasing pressure to allow private causes of action
• Criminal penalties may help with internal training
• Sources of complaints/investigations broadening
  - unions
  - covered entity in response to BA breach notice
  - payers
New OCR Guidance
• Guidance on lawfully married same-sex spouses
• Sharing information related to mental health
• Security Risk Assessment tool released
On the Horizon: New Audits
• Audits of some 350 healthcare providers and another 50 of their business associates will likely start in early 2015; they were originally set to begin in October 2014
• Per OCR, will ask audited CEs for a list of BAs and draw from that pool for the 50 audited BAs
• Per OCR, will be tied to enforcement
Breach Notification Standard
• Presumption of breach applies to any non-permissible use or disclosure
• Risk assessment using at least 4 factors:
  - Nature and extent of PHI
  - Who received?
  - Accessed or not?
  - Mitigated?
• Little guidance on how to apply these 4 factors
Data Breach

Data Breaches
OCR investigated since September 2009:
• Breaches involving greater than 500 individuals: 1,176 incidents
• Breaches involving fewer than 500 individuals: 122,000 incidents
• 60% of data breaches could have been prevented if Covered Entities or Business Associates had encrypted data
Recent Notable Data Breaches and Issues
• CHS
  - new concern: hacking
• Concentra (laptops)
• Identity theft a real risk (not just dealing with mistakes but with deliberate acts)
• HR issues often result in breaches
• The “social media defense” breach risk
State Law Privacy Risks
State law risks
• California: 5-day standard; AG has brought lawsuits (Alere case)
• Florida: new, stricter breach notification law (30-day timing requirement)
• Massachusetts: not limited to enforcing within its borders (RI case)
New Frontiers
• False Claims liability
• Medicare Number certifications relating to Business Associate Agreements
• Meaningful Use certifications
• FDA issues cybersecurity guidelines for medical devices
• FTC enforcement
New Frontiers
• HIPAA as a barrier to technology innovation
• The remote use documentation on HHS’s website pre-dates Apple’s iPhone rollout (last updated in December 2006)
• It does not include information on any new Apple iOS or Android phones or tablets, making it challenging for developers who want to ensure their apps meet HIPAA regulations
Old Frontiers
• BAA templates still lacking for many Covered Entities
• Still battles of the forms
• Still working to get BAAs in place where needed
• Some CEs still lack comprehensive HIPAA policies or awareness
• BAs often are still behind the curve
Questions?