
HIPAA/HITECH Privacy and Security in the Current

Regulatory and Technical Environment

What It Means for Your Organization

March 24, 2015

HFMA Revenue Cycle Meeting

Lindsay Darling Petrosky, Esq.
Three Gateway Center
401 Liberty Avenue, Suite 1500
Pittsburgh, PA 15222
(412) 434-8814
[email protected]

Rachel D. Ludwig, Esq.
500 Lee Street East
Suite 1600
Charleston, WV 25301
(304) 340-1185
[email protected]

www.jacksonkelly.com


AGENDA

• HIPAA/HITECH History
• Privacy
• Security
• Current Enforcement Trends
• Breaches
• Technology Security Issues
• Protections


HIPAA/HITECH – Important Dates

• HIPAA – 1996
  – Privacy Rule implemented by DHHS
• HITECH – February 17, 2009
  – Requiring notification of breaches of unsecured information
  – Making certain HIPAA privacy requirements applicable to BAs
• Omnibus Final Rule
  – January 2013; effective March 26, 2013
  – Compliance required by September 23, 2013


Privacy Rule

• Comprehensive federal protection for the privacy and confidentiality of Individually Identifiable Health Information (IIHI)
• Promotes strong privacy protections without interfering with patient access to, or the quality of, health care services.


Privacy Rule Governs PHI

• Protected Health Information (PHI) in any form (electronic, paper, or verbal)
• PHI = IIHI that is:
  – Held or maintained by a CE or its BA acting for the CE
  – Transmitted or maintained in any form or medium
• PHI includes:
  – Identifiable demographic information
  – Information relating to an individual’s past, present or future physical or mental health or condition
  – Genetic information
  – Information concerning the provision of, or payment for, health care services


Privacy Rule Requirements

• The Privacy Rule requires that a CE:
  – Notify individuals about their privacy rights and how their information can be used
  – Adopt and implement privacy procedures
  – Train employees so that they understand the privacy procedures
  – Designate an individual responsible for ensuring that privacy procedures are adopted and followed
  – Secure patient records containing PHI


MINIMUM NECESSARY

• Use reasonable efforts to limit uses and disclosures of, and requests for, PHI to the minimum amount necessary to accomplish the intended purpose

• Must maintain appropriate administrative, technical, and physical safeguards to limit incidental uses and disclosures.


MINIMUM NECESSARY EXCEPTIONS

• Required by law
• To the individual who is the subject of the information
• Pursuant to a valid, signed authorization
• Treatment
• Required to comply with other HIPAA provisions, or to HHS for enforcement
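The two slides above describe minimum necessary as a policy: limit each use to the fields the purpose needs, with a short list of exceptions (treatment, the individual's own access). The following Python is an added example, not part of the presentation or of any CE's system, showing how that policy can be enforced in code: a purpose-keyed allow-list of record fields, a fail-closed default for purposes the policy does not name, and an audit entry for every grant or denial. The patient record, the purposes and the field sets are constructed assumptions standing in for an organization's own written policy.

```python
"""Minimum-necessary filtering of a PHI record by purpose of use.

Added illustration, not part of the presentation. The record, the purposes and
the field sets are constructed assumptions standing in for a CE's own policy.
"""
import copy

# Constructed sample record; no real patient data.
PATIENT_RECORD = {
    "mrn": "MRN-000123",
    "name": "Pat Example",
    "dob": "1970-01-01",
    "address": "1 Example St, Anytown, PA 15222",
    "diagnoses": ["hypertension"],
    "medications": ["lisinopril 10 mg"],
    "genetic_results": ["BRCA1: negative"],
    "insurance_id": "INS-98765",
    "balance_due": 120.50,
}

# Purpose of use -> fields a workforce member may see for that purpose.
# None means the full record: treatment and access by the individual are
# exceptions to minimum necessary on the slide above. The other sets are
# assumed policy for this example, not the regulation's own list.
PERMITTED_FIELDS = {
    "treatment": None,
    "individual_access": None,
    "billing": {"mrn", "name", "dob", "insurance_id", "balance_due"},
    "scheduling": {"mrn", "name", "dob"},
    "appointment_reminder": {"name"},
}

# In-memory stand-in for the audit trail the Security Rule's audit controls require.
AUDIT_LOG = []


def minimum_necessary(record, requester, purpose):
    """Return only the fields permitted for `purpose`, and log the access.

    Raises PermissionError for a purpose the policy does not recognise, so an
    unknown purpose fails closed instead of leaking the whole record.
    """
    if purpose not in PERMITTED_FIELDS:
        AUDIT_LOG.append({"requester": requester, "purpose": purpose,
                          "mrn": record["mrn"], "outcome": "denied"})
        raise PermissionError(f"no minimum-necessary policy for purpose {purpose!r}")

    allowed = PERMITTED_FIELDS[purpose]
    if allowed is None:
        view = copy.deepcopy(record)
    else:
        # Deep-copy so a caller editing the view cannot alter the source record.
        view = {k: copy.deepcopy(v) for k, v in record.items() if k in allowed}

    AUDIT_LOG.append({"requester": requester, "purpose": purpose,
                      "mrn": record["mrn"], "outcome": "granted",
                      "fields": sorted(view)})
    return view


if __name__ == "__main__":
    print(minimum_necessary(PATIENT_RECORD, "billing-clerk", "billing"))
    print(sorted(minimum_necessary(PATIENT_RECORD, "dr-example", "treatment")))
```

The design point is that the allow-list is keyed by purpose rather than by person, which is how the rule is phrased, and that a purpose the policy has not considered yields nothing rather than everything.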


Post-HITECH
Some everyday changes you may have noticed:

• Individual’s right to an electronic copy of their record
• Individual may designate a third party to receive a copy
  – Must be in writing
  – Clearly identify the designated person
  – Clearly identify where to send the copy


Timing

• Access must be provided within 60 days of request
• CE must respond within 30 days of request
• CEs may obtain a one-time 30-day extension if the CE provides:
  – Written notice to the individual, including the reason for delay and the expected date of completion


Copy Fees

• State law v. HIPAA
• Must be a reasonable, cost-based fee
  – Cost of supplies may be charged
  – Postage may be charged
  – No charges permitted for system maintenance, storage cost, new technology, or search or retrieval fees
  – See W. Va. Code § 16-29-2


Decedents and Access to PHI

• PHI protected for 50 years following death
• If an individual is deceased, the CE may disclose to friends and family who were involved prior to death, to the extent the PHI is relevant to that person’s involvement
• Disclosure must be consistent with any prior expressed preference of the individual that is known to the CE
• This 50-year period of protection is not a record retention requirement
• Note: States are beginning to regulate decedents’ privacy rights more stringently than HIPAA
• For example, Virginia recently passed the Privacy Expectation Afterlife and Choices Act


Recent Updates Affecting the Privacy Rule

• September 2014 – US v. Windsor – DOMA unconstitutional – Spouse & Marriage now include:

• “Spouse” includes individuals in a valid same-sex marriage sanctioned by a state, territory or foreign jurisdiction, provided that, with regard to a foreign jurisdiction, a U.S. jurisdiction would recognize the marriage.

• “Marriage” includes both same-sex and opposite-sex marriage.

• “Family member” includes dependents of same-sex and opposite-sex marriages.

• PHI includes genetic information and HIPAA has added definitions consistent with GINA


The Security Rule

• Applies only to ePHI
• Establishes information technology standards and best practices for safeguarding ePHI
• Primary goal: protect the confidentiality, integrity, and availability of ePHI when it is stored, maintained, or transmitted


The Security Rule

• Administrative, physical, and technical safeguards

• Policy and procedure requirements

• Documentation requirements

• Direct liability for violations

• Applies to both CEs and BAs

– Security considered a major area of non-compliance for many BAs


SECURITY OF PHI

• Conduct a risk assessment of your EHR
• Designate a Chief Security Officer
• Adopt policies and procedures
• Perform workforce training
• Adopt workforce sanctions


ADMINISTRATIVE SECURITY OF PHI

• Security management process
• Assigned security responsibility
• Workforce security
• Information access management
• Security awareness and training
• Security incident procedures
• Contingency plan
• Evaluation
• Business associate contracts and other arrangements


PHYSICAL SECURITY OF PHI

• Facility access controls
• Workstation use
• Workstation security
• Mobile device and media controls
• Disposal and re-use


TECHNICAL SECURITY OF PHI

• Access controls
  – Authentication
  – Automatic logoff
• Transmission security
  – Encryption of data at rest
  – Encryption of data in motion
• Audit controls
• Integrity
• Person or entity authentication


So What About Enforcement?


OCR Comments on Enforcement

“This final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented. These changes not only greatly enhance a patient’s privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates.”


OCR Resolution Agreements

• Providence Health & Services ($100K)

• CVS Pharmacy ($2.25M)

• Rite-Aid ($1M)

• Management Services Organization of Washington ($35K)

• Cignet ($4.3M)

• Massachusetts General Hospital ($1M)

• UCLA Health Services ($865K)

• Blue Cross Blue Shield of Tennessee ($1.5M)

• Alaska Medicaid ($1.7M)

• Phoenix Cardiac Surgery, P.C. ($100K)

• Massachusetts Eye and Ear Infirmary ($1.5M)

• Hospice of North Idaho ($50K)

• Idaho State University ($400K)

• Shasta Regional Medical Center ($275K)

• WellPoint ($1.7M)

• Affinity Health Plan ($1.2M)

• Adult & Pediatric Dermatology, P.C. of Massachusetts ($150K)

• Skagit County, Washington ($215K)

• QCA Health Plan, Inc. ($250K)

• Concentra Health Services ($1.725M)

• New York and Presbyterian Hospital ($3.3M)

• Columbia University ($1.5M)

• Parkview Health System ($800K)


Categories of Violations and Penalties

Category 1 – Did not know of the violation and would not have known of it by exercising reasonable diligence
  – Minimum of $100 per violation
  – Maximum of $50,000 per violation; or
  – Maximum total of $1.5 million for identical violations during a calendar year

Category 2 – Violations due to reasonable cause but not due to willful neglect
  – Minimum of $1,000 per violation
  – Maximum of $50,000 per violation; or
  – Maximum total of $1.5 million for identical violations during a calendar year

Category 3 – Violations due to willful neglect that are corrected within 30 days
  – Minimum of $10,000 per violation
  – Maximum of $50,000 per violation; or
  – Maximum total of $1.5 million for identical violations during a calendar year

Category 4 – Violations due to willful neglect that are not corrected within 30 days of knowledge
  – Minimum of $50,000 per violation
  – Maximum total of $1.5 million for identical violations during a calendar year


Where are the threats?

• Inside threats
  – Employee negligence
      Security failures
      Lost mobile devices
  – Employee ignorance
      Improper disposal of personal information (dumpsters)
      Lack of education and awareness
  – Malicious employees
• Outside threats
  – Hackers
      Malware
      Phishing and spear phishing
  – Thieves (including social engineering tools)
  – Vendors


What is a breach?

• Baseline definition of a breach remains unchanged.
• § 164.402: Breach means the acquisition, access, use, or disclosure of protected health information in a manner not permitted under Subpart E of this part which compromises the security or privacy of the protected health information.


Breach Analysis

• An acquisition, access, use, or disclosure of protected health information in a manner not permitted . . . is presumed to be a breach
• Unless the CE or BA can demonstrate, based on a risk assessment, that there is a low probability that the PHI has been compromised
• “Compromise” is not defined


Infamous Breaches

• Anthem – 80 million people
• Sony PlayStation Network
• iCloud – re: Jennifer Lawrence
• SnapChat – the “no big deal” incident
• Target – 40 million people’s financial data
• Neiman Marcus – 1.1 million credit cards
• AIG – stolen computer with customer data (700K)
• University of Maryland – 2 breaches!


Infamous Breaches

• Indiana University – personal data for 146K students
• IRS – employee took home personal data on 20K individuals
• Montana Dept. of HHS – 1.3M client records
• eBay – 145M user names and emails
• American Express – 76K customers
• Home Depot – unknown; probably every customer from any of the 2,200 stores


And Yet Another

• On March 17th, Premera Blue Cross announced a cyberattack that exposed the medical and financial data of 11 million customers.
• The largest breach to date involving medical information.
• April 2014 audit – indicating security risks
• Breach occurred on May 5, 2014
• Discovered the same day the Anthem breach was disclosed – January 29, 2015


Security has 3 Phases

• Prevention: Know your risks via risk assessment, protection of data, secure authentication

• Detection: Regular monitoring and audits, documentation of these activities

• Response: Incident handling response processes, breach notification processes, disciplinary actions (sanctions)
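The Detection phase above, and the audit controls in the technical safeguards slide, come down to someone actually reading the access log and writing down what they found. The following Python is an added example, not part of the presentation or of any vendor's EHR, showing the smallest useful version of that review: parse each audit line, count malformed lines instead of dropping them, flag record views outside a business-hours window, and flag any user who touched more distinct patient records than a threshold. The log format, the sample lines, the business-hours window and the threshold are constructed assumptions; a real system would take them from its own audit configuration and baseline.

```python
"""Reviewing an EHR access log for two simple anomalies.

Added illustration, not part of the presentation. The log format, the sample
lines, the business-hours window and the bulk-access threshold are constructed
assumptions; a real system would take these from its own audit configuration.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample audit lines (no real users or patients).
SAMPLE_LOG = [
    "2015-03-16T09:02:11 user=asmith role=nurse action=VIEW mrn=MRN-000101",
    "2015-03-16T09:05:40 user=asmith role=nurse action=VIEW mrn=MRN-000102",
    "2015-03-16T09:15:02 user=bjones role=billing action=VIEW mrn=MRN-000101",
    "2015-03-16T02:14:05 user=cdoe role=billing action=VIEW mrn=MRN-000250",
    "2015-03-16T13:00:01 user=dlee role=registration action=VIEW mrn=MRN-000301",
    "2015-03-16T13:00:09 user=dlee role=registration action=VIEW mrn=MRN-000302",
    "2015-03-16T13:00:15 user=dlee role=registration action=VIEW mrn=MRN-000303",
    "2015-03-16T13:00:22 user=dlee role=registration action=VIEW mrn=MRN-000304",
    "2015-03-16T13:00:30 user=dlee role=registration action=VIEW mrn=MRN-000305",
    "2015-03-16T13:00:37 user=dlee role=registration action=VIEW mrn=MRN-000306",
    "malformed line that must be counted, not crash the review",
]

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) user=(?P<user>\S+) "
    r"role=(?P<role>\S+) action=(?P<action>\S+) mrn=(?P<mrn>\S+)$"
)


def parse_line(line):
    """Parse one audit line into a dict, or return None if it is malformed."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%S")
    return event


def review_access_log(lines, max_distinct_records=5, business_hours=(6, 20)):
    """Flag after-hours access and users touching unusually many records.

    Returns the findings plus counts of parsed and unparsed lines, so the
    review itself can be documented as the Detection phase requires.
    """
    start_hour, end_hour = business_hours
    records_by_user = defaultdict(set)
    findings = []
    parsed = unparsed = 0

    for line in lines:
        event = parse_line(line)
        if event is None:
            unparsed += 1  # count, never silently drop, lines we cannot read
            continue
        parsed += 1
        records_by_user[event["user"]].add(event["mrn"])
        if not start_hour <= event["ts"].hour < end_hour:
            findings.append({"user": event["user"], "reason": "after_hours",
                             "detail": event["ts"].isoformat()})

    for user, mrns in sorted(records_by_user.items()):
        if len(mrns) > max_distinct_records:
            findings.append({"user": user, "reason": "bulk_access",
                             "detail": f"{len(mrns)} distinct records"})

    return {"findings": findings, "parsed_events": parsed, "unparsed_lines": unparsed}


if __name__ == "__main__":
    result = review_access_log(SAMPLE_LOG)
    for finding in result["findings"]:
        print(finding)
    print(f'{result["parsed_events"]} events, {result["unparsed_lines"]} unparsed')
```

A finding here is a prompt for a human follow-up (was the after-hours user on call, was the bulk viewer doing a legitimate batch task), which is why the output carries the detail needed to ask that question and the counts needed to show the review was done.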


General Security Awareness

• Security (protecting the system and the information it contains) includes protecting against unauthorized access from outside and misuse from within
• Hardware and software (physical computer systems)
• Personnel policies
• Information practice policies
• Develop disaster/intrusion response and recovery plans
• Designate security responsibilities
• Develop protocols regarding activities and security at the personnel and workstation level
• Safeguards from fire, natural and environmental hazards, and intrusions


Password Management

• Don’t tell anyone your password
• Don’t write your password down
• Do change your password if others know it
• Do enter your password in private
• Do use a pass phrase


No Auto Logoff

• High risk
• PCs left unattended should log off after a reasonable time
• PCs in very busy areas should auto logoff after no more than 5 minutes as a rule


Smart Phones and Personal Devices

• Huge HIPAA security risk factor
• Many have company email on their phone, which could contain ePHI
• Always password protect!
• Remote wipe capability
• Do NOT text ePHI
• Who has access to your mobile device?
  – (i.e., family members, friends)


Unsecure Email

• High risk
• Do NOT email using unsecure methods
• If unsecure, limit email to de-identified information
• Patient may sign off/accept the risk of unsecure email


Thumb Drives and Laptops

• High risk factor
• Sometimes used to back up data
• If taken off site, MUST be encrypted
• If taken out of a secure location, MUST be encrypted
• Easy to lose – look at the list of breaches


Improper Disposal

• If your device has ePHI:
  – It must be wiped clean prior to disposal
  – Many security compromises come from old hard drives
• Talk to your employer’s IT department to see how this is handled


Wireless Networks

• High risk
• Must be encrypted if transmitting ePHI
• Guest networks at your office should be separate from your main network


Social Media

• Patient information should never be discussed

• Employer can be liable for employee posting PHI

• Employee is also liable individually for wrongful disclosures

• Examples


Case Study: Placenta Picture

• Premature baby born at Cedars-Sinai Medical Center still inside the amniotic sac
• Doctor’s first reaction:
  – Dr. snapped a photograph with his cellphone.


In the News

• “Health care files a rich trove for identity thieves”– March 16 Pittsburgh Post Gazette

• “Prison Term in HIPAA Violation Case”– February 20 Data Breach Today

• “Experts warn 2015 could be ‘Year of the Healthcare Hack’” – February 11 Reuters

• “No encryption means HIPAA breach for 45K”– February 10 Health IT News


AWARENESS

• Security awareness and training is KEY
• Staff need to be trained on IT security at least once per year
• Constantly reinforce security
  – Talk about it, post it, email it
  – Create a culture of compliance and security


Conclusion

• HIPAA compliance is not just about technology – it’s about people. This includes everyone you work with, from a receptionist to the highest-ranking doctor.
• ALWAYS maintain a “HIPAA-Aware” mindset
• Remember: “The biggest vulnerability is still individual users doing dumb things.”
  – John Christiansen, Seattle-based health care technology attorney (Pittsburgh Post-Gazette, March 16, 2015)


TOP PRIVACY & SECURITY PRACTICES

1. When in doubt, don’t give information out.

2. Log off before you walk off from your computer.

3. Double check fax numbers before sending.

4. Do not send e-mails or use the internet unless the connection is secure and approved.

5. Authenticate identity of the caller before releasing confidential information.

6. Never share your password with anyone.

7. Maintain the security of all patient information in all its media, including paper, electronic and oral.

8. Discuss patient information in private locations.

9. Access information on a need to know basis, only to do your job.

10. Dispose of confidential information according to proper procedures (e.g., locked shred bins, wiped electronic media).

11. An educated workforce helps reduce the possibility of breaches.