HIPAA, HITECH, and Omnibus Rule: What You Need to Know to Avoid Liability (PowerPoint presentation)

Uploaded by jane-oiler on 2016-07-29



Presentation Transcript

Slide1

HIPAA, HITECH, and Omnibus Rule: What You Need to Know to Avoid Liability

© 2014 Jonathan P. Tomes, EMR Legal, Veterans Press

GSOP 2014 Annual Meeting

Slide2

Introduction & Overview of HIPAA and the HITECH Act

HIPAA: 1996

Privacy Rule: 2001-03

Security Rule: 2003-05

HITECH Act: 2009

Omnibus Rule: 2013

Slide3

Why Have “Administrative Simplification?”

Standardize the claims processes for efficiency and auditing.

Patient privacy concerns:

People they know will use the information against them.

People they don’t know will use the information against them (ID theft).

Inaccurate information could result in adverse consequences.

Slide4

The Sensitive Nature of Medical Information

Medical records contain a vast amount of personal information:

Demographic information.

Financial information.

Medical information.

Lifestyle information.

Slide5

Concerns with Automated Records

Collect more information.

Obtain more sophisticated information.

Broader commercial use of collected information.

Computers make the information more useful. Do computers really increase risks of breach of confidentiality?

Slide6

So, We Have HIPAA!

Health information: any information, whether oral or recorded, in any form or medium, that is created or received by a health care provider, etc., and related to:

Past, present, or future physical or mental health or condition of an individual;

The provision of health care to an individual; or

The past, present, or future payment for the provision of health care to an individual.

Slide7

Under HIPAA

Health care providers who maintain or transmit health information . . . must maintain reasonable and appropriate administrative, technical, and physical safeguards:

To ensure integrity and confidentiality of the information.

To protect against reasonably anticipated:

Threats or hazards to the security or integrity of the information.

Unauthorized uses or disclosures of the information.

Slide8

Under HIPAA

Organizational commitment to privacy and security.

Ensure compliance by the organization’s officers and employees.

Slide9

Criminal Enforcement of HIPAA

HIPAA Violation

Slide10

HIPAA’s Criminal Penalties

Knowingly obtains or discloses individually identifiable health information: $50,000 fine and imprisonment for one year.

Same done under false pretenses: $100,000 fine and imprisonment for five years.

With the intent to sell, transfer, or use the information for commercial advantage, personal gain, or malicious harm: maximum fine of $250,000 and/or up to 10 years in prison.

Slide11

Who is liable?

Employees who obtain or disclose such information without authorization.

Certain directors, officers, and employees of [covered] entities may be liable for failing to be HIPAA compliant, thereby encouraging the perpetrator to commit the HIPAA crime or, at least, failing to prevent it.

Business associates, i.e., companies you contract with to provide services like document shredding, data storage, and copy services, if they do not have adequate security protections.

The HITECH Act extended HIPAA’s criminal liability to employees and other individuals.

Slide12

Civil Enforcement of HIPAA

On the Rise

Slide13

OIG Audits/OCR Complaints

The HITECH Act requires DHHS to conduct periodic audits of both covered entities and business associates.

Approximately one-third of providers’ and insurers’ noncompliance problems stemmed from lack of awareness of requirements.

47 out of 61 health care providers audited haven’t done a satisfactory security risk analysis, either.

77,277 OCR complaints since enforcement began in April 2003.

Individuals whose PHI was the subject of an OCR enforcement action will get a percentage of any penalties.

Slide14

Examples

Massachusetts Eye and Ear Infirmary: $1.5 million for theft of an unencrypted employee laptop.

Affinity Health Plan, Inc.: $1,215,780 for impermissibly disclosing PHI (returned copiers to a leasing agent without erasing the data on the copier hard drives).

Idaho State University: $400,000 for leaving a server firewall down.

Cignet Health: $4.3 million for denying patient access and obstructing the investigation.

WellPoint, Inc.: $1.7 million for not adequately implementing policies for authorizing access and for failing to have technical safeguards in place to verify the person or entity seeking access to electronic protected health information (“EPHI”) maintained in its application database.

Shasta Regional Medical Center: $275,000 for improper disclosure of PHI and failure to sanction workforce members for HIPAA violations.

MN AG v. Accretive Health, Inc.: $2.5 million (stolen, unencrypted laptop).

Slide15

Increased Penalties under HITECH

$1,000 per violation for a violation due to “reasonable cause and not to willful neglect” (max $100,000).

$10,000 for each violation that was due to willful neglect and is corrected ($250,000 max).

$50,000 for each violation if the violation is not corrected properly (max $1.5 million per year).

These changes are immediately effective.

Slide16

Security Rule

Slide17

Five Categories of Security Requirements

General Rules.

Administrative Safeguards.

Physical Safeguards.

Technical Safeguards.

Documentation Requirement.

Each category has a number of standards, and most standards have a number of implementation specifications, either required or addressable.

Slide18

1. General Provisions, § 164.306(a)

Ensure confidentiality, integrity, and availability of electronic PHI (“EPHI”).

Protect against reasonably anticipated threats or hazards to the security or integrity of EPHI.

Protect against uses or disclosures not permitted by Privacy Rule.

Ensure compliance by workforce.

Applies to all EPHI regardless of format.

Internal and external communications.

Slide19

Security Considerations

Size, complexity, and capabilities of your organization.

Your technical infrastructure, hardware, and software security capabilities.

Costs of security measures.

Probability and importance of potential risks to EPHI.

Slide20

Standards

A covered entity must comply with all of the standards.

Implementation specifications tell how to meet the standard.

A covered entity must comply with all required implementation specifications.

Addressable specifications may or may not require the covered entity to follow them.

Slide21

Addressable Specifications

The covered entity must assess whether each addressable specification is a reasonable and appropriate safeguard in its environment with reference to its likely contribution to protecting EPHI; and

Implement it if reasonable and appropriate, or, if implementing it is not reasonable or appropriate:

Document why it would not be reasonable and appropriate to implement it; and

Implement an equivalent alternative measure if reasonable and appropriate.

Slide22

2. Administrative Safeguards, § 164.308

Security management process.

Assigned security responsibility.

Workforce security.

Information access management.

Security awareness and training.

Security incident procedures.

Contingency plan.

Evaluation.

Business associate contracts and other arrangements.

Slide23

Security Management Process

Implement policies and procedures to prevent, detect, contain, and correct security violations.

Implementation specifications:

Risk analysis (required).

Risk management (required). Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.

Sanction policy (required). Apply appropriate sanctions to workforce members who fail to comply with security policies and procedures.

Information system activity review (required). Implement procedures to regularly review records of system activity, such as audit logs, access reports, and security incident tracking reports.

Slide24

Assigned Security Responsibility

Identify the security official who is responsible for the development and implementation of the policies and procedures required by the Security Rule.

No implementation specifications; that is, no particular credentials are required.

Slide25

Workforce Security

Implement policies and procedures to ensure that all workforce members have appropriate access to EPHI and to prevent those who do not have access from obtaining access.

Implementation specifications:

Authorization and/or supervision (addressable). Implement procedures for the authorization and/or supervision of workforce members who work with EPHI.

Workforce clearance procedure (addressable). Implement procedures to determine whether access of a workforce member is appropriate.

Termination procedures (addressable). Implement procedures for terminating access to EPHI upon end of employment or end of need for access.

Slide26

Information Access Management

Implement policies and procedures for authorizing access to EPHI.

Implementation specifications:

Isolating health care clearinghouse functions (required). If a clearinghouse is a member of a larger organization, it must implement policies and procedures that protect EPHI from unauthorized access by the larger organization.

Access authorization (addressable). Implement policies and procedures for granting access to EPHI, such as through access to a workstation, transaction, program, process, or other mechanism.

Access establishment and modification (addressable). Implement policies and procedures based on access authorization policies that establish, document, review, and modify a user’s right of access.

Slide27

Security Awareness and Training

Implement a security awareness and training program for all members of the workforce, including management.

Implementation specifications:

Security reminders (addressable). Periodic security updates.

Protection from malicious software (addressable). Procedures for guarding against, detecting, and reporting malicious software.

Log-in monitoring (addressable). Procedures for monitoring log-in attempts and reporting discrepancies.

Password management (addressable). Procedures for creating, changing, and safeguarding passwords.

Slide28

Security Incident Reporting

Implement policies and procedures to address security incidents.

Implementation specification: Response and reporting (required):

Identify and respond to suspected or known security incidents.

Mitigate, to the extent possible, harmful effects of security incidents known to the covered entity.

Now must notify the subject of the breach of unsecured PHI if your risk analysis demonstrates a risk of harm from the breach; the compliance date was September 24, 2010.

Document security incidents and their outcomes.

Slide29

Security Incident: Secured PHI and Risk Assessment

The DHHS Interim Final Rule specifies encryption and destruction as the only “safe harbor” methods for making PHI secure.

Must perform a risk assessment and determine and document whether the breach has compromised PHI security or privacy. Consider:

Nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification.

The unauthorized person who used the PHI or to whom the disclosure was made.

Whether the PHI was actually acquired or viewed.

Extent to which the risk to the PHI has been mitigated.

Slide30

Security Incident: Breach defined

The unauthorized acquisition, access, use, or disclosure of PHI that compromises the security, privacy, or integrity of PHI.

The term does not include any unintentional acquisition, access, use, or disclosure by an employee or agent of the covered entity or business associate if it was done in good faith and within the scope of employment and if it was not further acquired, accessed, used, or disclosed by such employee or agent.

Slide31

Security Incident Reporting

Breach involving 500 or more patients:

Must be immediately reported to DHHS, which will then post the name of the provider on its public website.

If the patients reside in the same area, must be reported to the local media.

If fewer than 500 individuals: must report all breaches to the Secretary of Health and Human Services, but the report may be in the form of a log on an annual basis.

Providers and health plans must comply with state security breach laws “to the extent that they exceed the new security breach notifications provisions of the [HITECH Act].”

Business associates must report notice of a breach to the provider, including the identity of the patient(s).

Slide32

Security Incident: Patient Notice

First-class mail to the individual or next of kin at last known address or, if specified by the individual, by email.

Substitute method if contact information is insufficient: a conspicuous posting (if 10+ affected) on the home page of the covered entity or notice in major media in the geographic area where the individuals likely reside.

If urgency exists because of imminent misuse of PHI, may use telephone or other means of notice.

Content:

Description of information involved.

Description of investigation, loss mitigation, and future protection.

Contact information for questions or additional information (toll-free number, email address, website, or postal address).

Slide33

Contingency Plan

Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence that damages systems that contain EPHI.

Implementation specifications:

Data backup plan (required). Establish and implement procedures to create and maintain retrievable exact copies of EPHI.

Disaster recovery plan (required). Establish (and implement as needed) procedures to restore any loss of data.

Emergency mode operation plan (required). Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of EPHI while operating in emergency mode.

Testing and revision procedures (addressable). Implement procedures for periodic testing and revision of contingency plans.

Application and data criticality analysis (addressable). Assess the relative criticality of specific applications and data in support of the other contingency plan components.

Slide34

Evaluation

Perform periodic technical and nontechnical evaluations that establish the extent to which an entity’s security policies and procedures meet the Security Rule’s requirements:

Based initially upon the standards implemented under this rule; and

Subsequently in response to environmental or operational changes affecting the security of EPHI.

No implementation specifications; that is, you determine how often to update your risk analysis.

Slide35

Business Associates

A covered entity may permit a business associate to create, receive, maintain, or transmit EPHI on the covered entity’s behalf only if it obtains satisfactory assurances that the business associate will appropriately safeguard the information.

Business associates may also have business associates (subcontractors), which are subject to the same requirements.

Note that covered entities are not required to get business associate contracts in place with their business associates’ subcontractors.

Covered entities and business associates are liable for the acts of their business associate agents if they have control over performance of the service.

Slide36

3. Physical Safeguards, § 164.310

Facility access controls.

Workstation use.

Workstation security.

Device and media controls.

Slide37

Facility Access Controls

Policies and procedures (P/P) to limit physical access to EPHI systems and the facilities in which they are housed, while ensuring that properly authorized access is allowed.

Implementation specifications:

Contingency operations (addressable). P/P to support restoration of lost data under the disaster recovery/emergency plans.

Facility security plan (addressable). P/P to safeguard the facility and equipment from unauthorized physical access.

Access control and validation procedures (addressable). P/P to control and validate a person’s access to facilities based on the person’s role or function, including visitor control.

Maintenance records (addressable). P/P to document repairs and modifications to the physical components of a facility that are related to security, such as hardware, walls, doors, and locks.

Slide38

Workstation Use and Security

Workstation use: Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstations that can access EPHI. No implementation specifications, i.e., you determine how to do this.

Workstation security: Implement physical safeguards for all workstations that access EPHI to restrict access to authorized users. No implementation specifications, i.e., you determine how to do this.

Slide39

Device and Media Controls

Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain EPHI into and out of a facility and the movement of EPHI within the facility.

Implementation specifications:

Disposal (required). Implement policies and procedures to address the final disposition of EPHI and/or the hardware or electronic media on which it is stored.

Affinity Health Plan, Inc., settled HIPAA violations for $1,215,780 (failure to wipe copy machines).

Slide40

4. Technical Safeguards

Access control.

Audit controls.

Integrity.

Person or entity authentication.

Transmission security.

Slide41

Access Control

P/P for electronic information systems that maintain EPHI to allow access only to those persons or software programs that have been granted access rights.

Implementation specifications:

Unique user identification (required).

Emergency access procedure (required). Establish (and implement as necessary) procedures for obtaining necessary EPHI during an emergency.

Automatic logoff (addressable). P/P that terminate an electronic session after a predetermined time of inactivity.

Encryption and decryption (addressable). Implement a mechanism to encrypt and decrypt EPHI.

Slide42

Audit Controls, Integrity, Authentication

Audit controls: Implement mechanisms that record and examine activity in information systems that contain or use electronic PHI.

Integrity: P/P to protect EPHI from improper alteration or destruction. Implementation specification: Mechanism to authenticate EPHI (addressable). Implement electronic mechanisms to corroborate that EPHI has not been altered or destroyed in an unauthorized manner.

Person/entity authentication: P/P to verify that each person or entity seeking access to EPHI is the one claimed.

Slide43

Transmission Security

Implement technical security measures to guard against unauthorized access to EPHI that is being transmitted over an electronic communications network.

Implementation specifications:

Integrity controls (addressable). Implement security measures to ensure that EPHI is not improperly modified without detection until disposed of.

Encryption (addressable). Implement a mechanism to encrypt EPHI whenever deemed appropriate.

Slide44

5. P/P and Documentation Requirements

Must implement reasonable and appropriate written policies and procedures.

If changes are needed, document and implement them.

If an action, activity, or assessment is required by this Rule, maintain a written (may be electronic) record of it.

Implementation specifications:

Time limit (required). Retain the documentation for six (6) years from the date of its creation or the date that it was last in effect, whichever is later.

Availability (required). Make documentation available to those persons responsible for implementing the procedures to which the documentation pertains.

Updates (required). Review documentation periodically and update, as needed, in response to environmental or operational changes affecting the security of EPHI.

Slide45

Privacy Rule

Slide46

Privacy Update

Applies to all PHI, not just EPHI. Applies to covered entities and business associates.

Don’t use or disclose except as the rule provides!

Under the modified regulations, covered entities may use protected information with individual authorization (of course) and, without authorization:

For treatment, payment, and health care operations; or

For specific public and public policy purposes; or

When required by law.

Slide47

HIPAA Gives Specific Rights

Some of these rights can be more comprehensive than existing state law. These rights include the following:

Right of access (inspect and copy).

Right to an accounting of nonroutine disclosures.

Notice of information practices.

Right to request restrictions on use and disclosure.

Right to alternate communications.

Right to request correction/amendment.

Slide48

HITECH Changes Regarding Patient Rights

Right to request restriction is now a right to restrict if the disclosure is to a health plan for purposes of carrying out payment or health care operations (not treatment) and the PHI pertains solely to an item or service for which the provider has been paid in full.

Example: A mental health client doesn’t want his PHI to go to his employer’s self-funded health plan and pays the entire amount himself.

Slide49

Administrative Requirements

Covered entities must do the following:

Have a Privacy Officer.

Develop a privacy training program.

Implement safeguards to protect health information from misuse.

Establish a complaint system.

Develop a sanction system.

Slide50

Privacy Rule Problem Areas

Right of access.

Communications with family members.

Overreaction to perceived potential breaches.

Slide51

Do You Provide Patients/Clients Their Right of Access?

Probably the right that is most likely to generate a complaint to DHHS.

Too many complaints, and . . .

Failure to provide copies to patients cost Cignet $4.3 million in fines!

Slide52

Right to Inspect and Copy PHI

The Notice of Privacy Practices must inform the individual of this right and the procedures for exercising it.

A covered entity may charge a reasonable cost-based fee for copies.

Slide53

Can You Ever Deny Access?

A covered entity may deny access to an individual if the information was obtained from someone other than a health care provider under a promise of confidentiality and the access would be reasonably likely to reveal the source of the information, or if a licensed health care professional has determined that the access is reasonably likely to endanger the life or physical safety of the individual or another person.

Denials of access require the covered entity to permit the person to obtain review of the decision to deny access. 45 C.F.R. § 164.524.

Slide54

Disclosures to Family Members

May disclose PHI to family members involved in the patient’s care and for notification purposes under § 164.510(b) unless the patient objects.

Not only family members, but also other relatives or close personal friends.

May disclose PHI that is directly relevant to that care or payment for that care.

May also disclose to notify such persons of the patient’s location, condition, or death.

Emphasize this practice in your Notice of Privacy Practices.

Under the Omnibus Rule, may communicate with family members after the patient’s death.

Slide55

Overreaction to Perceived Potential Breaches

Have you heard?

You can’t call out patient names in the waiting room.

You can’t place a chart in the box outside the doctor’s office.

All email containing PHI must be encrypted.

Others?

Slide56

None of These Concerns Is Necessarily True!

Rather, you perform a risk analysis to determine whether a risk of improper disclosure exists in, for example, calling out a patient’s name.

If a risk exists, then what is a reasonable, cost-effective way to protect against it?

This question leads to our final topic: how to perform that risk analysis.

Slide57

Risk Analysis

Slide58

Risk Analysis

The key to cost‑effective compliance.

And even more important with the final Security Rule!

Now essential with the dramatic effects of the HITECH Act on HIPAA.

If you haven’t done a formal, written risk analysis, any breach would result from willful neglect!

Slide59

Importance of Risk Analysis

Besides risk analysis being a required implementation specification in the Security Management Process standard, it is how you decide whether you must implement an addressable implementation specification.

§ 164.308 requires risk analysis to “reduce risks and vulnerabilities to a reasonable and appropriate” level to comply with § 164.306(a).

Slide60

And Don’t Forget the Security Provisions of the Privacy Rule

§ 164.530(c)(1) of the final privacy regulations requires covered entities to have reasonable and appropriate administrative, technical, and physical safeguards to protect the privacy of PHI.

You cannot select “appropriate safeguards” without first having performed a good risk analysis.

Slide61

How Do You Perform Risk Analysis?

A methodology:

Assemble a good team.

Identify assets.

Determine what risks exist.

Evaluate the likelihood of the risks occurring and the harm if they do.

Select security measures to guard against those risks.

Test and revise.

Slide62

Assemble a Good Team

Consider involving the following individuals:

Director of information management.

Director of health information.

Risk manager.

Representatives of the medical staff and nursing staff.

Patient representative.

General counsel or other lawyer.

Technical representative.

Human resources representative.

Business office personnel.

Quality assurance.

Slide63

Identify Assets

Often a real eye‑opener . . .

Identify information that you must protect.

Identify components of the system that the information resides in.

Identify all system assets, not just hardware.

Identify existing security assets.

Slide64

Identify Risks

What are the risks to your system and its assets, including the data residing therein? Consider risks in the following areas:

Threats to patient information:

In both proper and improper use.

In both proper and improper disclosure.

Electronic threats.

System threats.

The combined threats of the above.

Slide65

Consider Potential Threats

Consider threats in three major areas:

Threats to the availability of the data.

Threats to the integrity of the data.

Threats to the confidentiality of the data.

Any particular risk that you identify, such as a virus, may be a threat to one, two, or all three of the above areas.

Slide66

Evaluate Each Risk Identified

[Risk matrix figure: probability on the vertical axis (decreasing downward, increasing upward) against risk on the horizontal axis (increasing to the right). Four quadrants: high probability / low risk, high probability / high risk, low probability / low risk, low probability / high risk.]

Slide67

Select Security Measures

Multiply the number of expected occurrences by the expected cost of each occurrence to calculate annual loss expectancy (“ALE”).

Where the cost is high, select control measures to protect against the exposure.

Compare the cost of the control measure(s) against the ALE to find the true cost.

ALE may even be a negative number.
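As an added worked example (not part of the presentation), the ALE comparison above applied to two constructed risks: an unencrypted laptop loss weighed against a disk-encryption control, and misdirected internal email weighed against a mandatory email-encryption gateway. Every dollar figure, occurrence rate and effectiveness estimate below is an assumption for illustration and would come from your own risk analysis.

```python
"""Annual loss expectancy (ALE) worked through for two constructed risks.

Added example; not part of the presentation. Every figure below is an
assumption for illustration and would come from your own risk analysis.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    occurrences_per_year: float  # expected occurrences per year
    cost_per_occurrence: float   # expected cost of one occurrence, in dollars

    def ale(self) -> float:
        """ALE = expected occurrences per year x expected cost of each occurrence."""
        return self.occurrences_per_year * self.cost_per_occurrence


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float    # what the control costs to run each year, in dollars
    effectiveness: float  # fraction of the expected loss the control prevents (0..1)


def residual_ale(risk: Risk, control: Control) -> float:
    """Loss still expected each year after the control is in place."""
    return risk.ale() * (1.0 - control.effectiveness)


def net_annual_benefit(risk: Risk, control: Control) -> float:
    """ALE avoided minus the control's annual cost (the slide's "true cost").

    A negative result means the control costs more than the loss it prevents,
    which is how a documented risk analysis justifies not adopting a measure.
    """
    return (risk.ale() - residual_ale(risk, control)) - control.annual_cost


def is_cost_justified(risk: Risk, control: Control) -> bool:
    return net_annual_benefit(risk, control) > 0


# Constructed scenario 1: an unencrypted laptop holding EPHI is lost or stolen.
# Encryption is a breach-notification safe harbor, so the control removes most
# of the expected loss at modest cost.
LAPTOP_LOSS = Risk("lost unencrypted laptop", occurrences_per_year=0.5,
                   cost_per_occurrence=200_000.0)
DISK_ENCRYPTION = Control("full-disk encryption on all laptops",
                          annual_cost=6_000.0, effectiveness=0.95)

# Constructed scenario 2: PHI emailed to the wrong internal recipient. A
# mandatory encryption gateway is expensive relative to the expected loss.
MISDIRECTED_EMAIL = Risk("misdirected internal email containing PHI",
                         occurrences_per_year=2.0, cost_per_occurrence=5_000.0)
EMAIL_GATEWAY = Control("encrypt all internal email",
                        annual_cost=40_000.0, effectiveness=0.9)


def evaluate(pairs: list[tuple[Risk, Control]]) -> list[dict]:
    """Tabulate ALE, residual ALE, net benefit and the adopt/decline decision."""
    rows = []
    for risk, control in pairs:
        rows.append({
            "risk": risk.name,
            "control": control.name,
            "ale": round(risk.ale(), 2),
            "residual_ale": round(residual_ale(risk, control), 2),
            "net_annual_benefit": round(net_annual_benefit(risk, control), 2),
            "adopt": is_cost_justified(risk, control),
        })
    return rows


if __name__ == "__main__":
    for row in evaluate([(LAPTOP_LOSS, DISK_ENCRYPTION),
                         (MISDIRECTED_EMAIL, EMAIL_GATEWAY)]):
        print(row)
```

Re-running the same comparison with updated occurrence counts after a year is the "test and revise" step: a control that was justified once may stop being so, and the documented result is what shows the choice was reasonable and appropriate.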

Slide68

Test and Revise

Remember the Security Rule’s Evaluation Standard:

Periodic review of security measures to ensure that they remain reasonable and appropriate.

Slide69

What Are Standards?

The regulations call them by many different names: policies, procedures, controls.

Regardless of what you call them, they differ from the general overall guidance expressed in your security policy.

Rather, standards consist of the detailed instructions as to how to comply with the goals of your security policy.

Slide70

The Requirement to Have Standards

The security regulations require plans, policies, procedures, and controls, such as these:

Sanction policy (also required by the Privacy Rule).

Data backup plan.

Disaster recovery plan and emergency mode operation plan.

Facility security plan.

Testing and revision procedure.

The privacy rules require other standards, such as how patients may request correction of inaccurate information and how the facility will handle the request.

Slide71

DHHS Audit Protocols

The OCR HIPAA Audit program analyzes processes, controls, and policies of covered entities pursuant to the HITECH Act audit mandate. OCR established a comprehensive audit protocol that contains the requirements to be assessed through these audits. The entire audit protocol is organized around modules, representing separate elements of privacy, security, and breach notification. The combination of these multiple requirements may vary based on the type of covered entity selected for review.

The audit protocol covers Privacy Rule requirements for (1) notice of privacy practices for PHI, (2) rights to request privacy protection for PHI, (3) access of individuals to PHI, (4) administrative requirements, (5) uses and disclosures of PHI, (6) amendment of PHI, and (7) accounting of disclosures.

The protocol covers Security Rule requirements for administrative, physical, and technical safeguards.

The protocol covers requirements for the Breach Notification Rule.

For the entire audit protocol go to “Audit Program Protocol” at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html.

Slide72

Unavoidable Employee Misconduct Defense

No HIPAA decisions on this defense as yet.

Other federal compliance areas have, however, recognized the unavoidable employee misconduct defense. It can be a defense to liability under the Occupational Safety and Health Act (“OSHA”). For an organization charged with an OSHA violation to prove the defense of unavoidable employee misconduct, it must show that the organization:

Established work rules to prevent safety violations.

Adequately informed employees of the rules.

Effectively enforced the rules upon discovering a violation.

These elements of the defense are consistent with our guidance:

Screen your employees before giving them access.

Train them and retain training records (adequately inform them).

Conduct a risk analysis and implement reasonable and appropriate security measures, including policies and procedures (establish work rules).

Enforce your security measures and policies (effectively enforce the rules).

Conduct compliance audits (effectively enforce the rules).

Slide73

Release of Information Policy

Verify the identity of the requester and the requester’s authority to receive the information. If you cannot verify the authority, deny the request.

Compare the facts and circumstances of the request to the detailed criteria of the relevant category or categories under § 164.512 of the DHHS privacy regulations (see relevant appendices to the Release of Information Policy).

Slide74

Appendix D. Victims of a crime

[Name of organization] may disclose PHI in response to a law enforcement official’s request for such information about an individual who is suspected to be a victim of a crime if (1) the individual agrees to the disclosure or (2) [name of organization] is unable to obtain the individual’s agreement because of incapacity or other emergency circumstance, provided that the following conditions apply:

Slide75

Appendix D. Victims of a crime (cont’d)

The law enforcement official represents that such information is needed to determine whether a violation of law by a person other than the victim has occurred and that such information is not intended to be used against the victim.

The law enforcement official represents that immediate law enforcement activity that depends upon the disclosure would be materially and adversely affected by waiting until the individual is able to agree to the disclosure.

Disclosure is in the best interests of the individual as determined by [name of organization], in the exercise of professional judgment.

Slide76

Release of Information Policy (cont’d)

If the facts and circumstances do not meet all of the relevant criteria of at least one category under § 164.512 of the privacy regulations, do not release the information.

If the facts and circumstances do meet all of the relevant criteria of at least one category under § 164.512, do not release the information until after you have determined whether another state or federal law prohibits or restricts the disclosure.

Slide77

Good Luck!

For additional information call 855.341.8783 x 311 or email hipaa@veteranspress.com.

Please sign up for my free blog on www.veteranspress.com.

www.emrlegal.com

www.veteranspress.com

www.tomesdvorak.com

Slide78

Resources & Tools for HIPAA Compliance

HIPAA Compliance Library