© Copyright 2014 Saul Ewing LLP
The Coalition for Academic Scientific Computation
HIPAA Legal Framework and Breach Analysis
Presented by:
Bruce D. Armon, [email protected]
Karilynn Bayus, [email protected]
Saul Ewing LLP, March 31, 2015
Why are we here today?
• HIPAA Privacy and Security Rule Overview
• Understand the HIPAA Breach Rule
• Learn lessons from HIPAA Breaches in the News
HIPAA: What Is This About?
Breaches in the News
• This is not a movie
• This is a real issue: 1 billion data records compromised in 2014
2014 Year in Review
• 1,023,108,267 records breached in 2014
• 1,541 breach incidents
• 78% increase in breached records from 2013
Source: 2014 Breach Level Index
Breaches in the News
• Affects every sector of the economy
Breaches in the News
• Education
Breaches in the News
• Healthcare
HIPAA Overview
• The Health Insurance Portability and Accountability Act of 1996 (P.L. 104-191) (HIPAA)
• In 2009 Congress enacted the Health Information Technology for Economic and Clinical Health (HITECH) Act as part of the American Recovery and Reinvestment Act of 2009, which made changes to HIPAA, including a new breach notification requirement
• The HITECH final rule has been in effect since September 23, 2013
Administrative “Simplification”
• Privacy Standards
• Electronic Transactions and Code Sets Standards
• Security Standards
• Breach Notification
• Enforcement Provisions
What is the Privacy Rule?
• The Privacy Rule sets national standards to protect the privacy of individuals’ “protected health information” and applies to “covered entities”
Individually Identifiable Health Information
• Individually Identifiable Health Information (IIHI) is health information that identifies an individual, or for which there is a reasonable basis to believe it could be used to identify an individual.
• “Health Information” is any information (including genetic), whether oral or recorded in any form or medium, that:
Individually Identifiable Health Information (cont’d)
• Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and
• Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.
Protected Health Information
The focus of the Privacy Rule is Protected Health Information (PHI). PHI is IIHI that is transmitted or maintained in electronic or any other form or medium, with limited exceptions.
Applicability
Privacy Rule applies to covered entities:
• Health Care Providers that transmit health information in electronic form in connection with a covered transaction
• Health Plans
• Health Care Clearinghouses
Uses and Disclosures of PHI
• General Rule: Covered entities may not use or disclose PHI except as permitted by the Privacy Rules
• When PHI is to be disclosed for purposes of Treatment, Payment, or Health Care Operations, an individual’s consent is not required
PHI and Research
• PHI may be used or disclosed for research without a patient’s authorization if the waiver of an authorization has been approved by an IRB or privacy board.
• Otherwise, a patient’s authorization is required for use or disclosure of PHI for a research study.
My University and HIPAA
• How does my university fit in?
• Are we a covered entity?
• Are we a Business Associate?
• What documentation do we have in place?
HIPAA Security Rule Standards
• 9 Administrative Safeguard Standards: 12 Required Implementation Specifications, 11 Addressable Implementation Specifications
• 4 Physical Safeguard Standards: 4 Required Implementation Specifications, 6 Addressable Implementation Specifications
• 5 Technical Safeguard Standards: 4 Required Implementation Specifications, 5 Addressable Implementation Specifications
9 Administrative Safeguard Standards
• Security Management Process
• Assigned Security Responsibility
• Workforce Security
• Information Access Management
• Security Awareness and Training
• Security Incident Procedures
• Contingency Plan
• Evaluation
• Business Associate Contracts and Other Arrangements
4 Physical Safeguard Standards
• Facility Access Controls
• Workstation Use
• Workstation Security
• Device and Media Controls
5 Technical Safeguard Standards
• Access Control
• Audit Controls
• Integrity
• Person or Entity Authentication
• Transmission Security
We think there was a breach…
• What do we need to do?
Breach Notification: General Rule
• Covered entities are required to report breaches of unsecured PHI to the individuals involved, the Secretary of HHS and possibly the media.
Breach Definition
A “breach” is an acquisition, access, use or disclosure of PHI in a manner not permitted under the Privacy Rule which compromises the security or privacy of the PHI. Three exclusions:
● Good faith, unintentional acquisition, access or use by a workforce member that does not result in further use or disclosure;
● Inadvertent disclosure by an authorized person to another authorized person, where the information is not further used or disclosed;
● Disclosure by which the information could not reasonably be retained.
Risk Assessments
• Risk Assessments must include at least the following factors:
(1) Nature and extent of the PHI involved, including the types of identifiers and likelihood of re-identification;
(2) Unauthorized person who used the PHI or to whom the disclosure was made;
(3) Whether PHI was actually acquired or viewed; and
(4) The extent to which the risk to the PHI has been mitigated.
Notification Requirements
• Always to the individual(s) affected – without unreasonable delay and no later than 60 days
• Always to the Secretary – timing depends on whether more than 500 individuals are affected
• If fewer than 500 individuals are affected, must keep a log of breaches and report to HHS within 60 days of the end of the calendar year
• To the media if more than 500 residents of a State or jurisdiction are affected – without unreasonable delay and no later than 60 days
Recent HIPAA Resolution Agreements – University Related
• New York and Presbyterian Hospital and Columbia University paid HHS $4.8 million for failing to secure electronic PHI on their network (May 2014)
• Idaho State University paid HHS $400,000 for unsecured PHI caused by the disabling of firewall protections at servers maintained by the University (May 2013)
How To Respond If There Is A Breach
• Hit the ground running
• Gather evidence
• Disclose and inform
• Customer/Patient relations
• Media strategy
Source: IT Governance USA Blog
Hypothetical Scenarios
Takeaways
• Make sure e-PHI is secured and risk assessments are regularly performed
• Know your institution’s policies and procedures for reporting breaches
• Err on the side of caution
• Do not make system changes without confirmation of their effect on the security of e-PHI
Thank you!