HIPAA UPDATE

Georgia Hospital Association

Compliance Officer Meeting

September 3-5, 2014

Gina G. Greenwood, J.D.
Baker, Donelson, Bearman, Caldwell & Berkowitz, PC
Monarch Plaza | 3414 Peachtree Road, N.E.
Atlanta, Georgia
[email protected]
(404) 589-0009 office
(404) 909-0665 cell

www.bakerdonelson.com | © 2014 Baker, Donelson, Bearman, Caldwell & Berkowitz, PC

OCR Enforcement Trends

• OCR received 97,702 complaints between April 14, 2003 and May 31, 2014.

• 32,795 of those complaints have been investigated (over 57,000 were not eligible for OCR enforcement action).

• Corrective action has been obtained in 22,613 cases (69%).

• No violation was found in 10,182 cases (31%).

• OCR settled 21 cases (reserved for serious cases).

OCR Enforcement Trends

• Common Problem Areas Under OCR / Governmental Scrutiny:

− Failure to conduct adequate (or any) risk analysis

− Failure to have appropriate policies and procedures (e.g., portable devices)

− Unencrypted hardware: laptops, thumb drives, etc.

− Sending unencrypted emails containing PHI

− Sending emails to unsecure accounts (e.g., Gmail)

− Making ePHI accessible on the Internet

− Failing to properly dispose of PHI

Latest Threats

• Chinese hackers who hack for huge profit

• Identity theft

• Terrorism !!! Ugh!!

Recent OCR Enforcement Actions

• August 2014: Federal investigation is underway after Community Health Systems, a 206-hospital system, announced that hackers accessed data, including Social Security numbers, for approximately 4.5 million patients.

• June 2014: $800,000 settlement with Parkview Health System, Inc. for allegations that Parkview employees left 71 cardboard boxes of patient medical records in the driveway of a retiring physician’s home.

− Primary Issue: Failure to appropriately and reasonably safeguard all protected health information, from acquisition through disposition.

Recent OCR Enforcement Actions

• May 2014: $4.8 million settlement, the largest HIPAA settlement to date, with New York and Presbyterian Hospital and Columbia University for allegations that patient information on the institutions’ shared data network became accessible by internet search engines when a Columbia employee attempted to deactivate a server on the network.

− Primary Issues: Failure to conduct an accurate and thorough risk analysis and lack of technical safeguards.

• April 2014: $1,725,220 settlement with Concentra Health Services and $250,000 settlement with QCA Health Plan, Inc., both for allegations that unencrypted laptops containing patient information were stolen. Concentra had previously identified lack of encryption as a major risk, but had failed to take sufficient corrective measures. QCA encrypted its devices following the breach, but had failed to comply with HIPAA’s requirements since the compliance date.

− Primary Issue: Failure to encrypt data on computer hardware.

Recent OCR Enforcement Actions

• March 2014: $215,000 settlement with Skagit County, Washington after an investigation revealed that PHI of nearly 1,600 individuals was exposed when it was inadvertently moved to a publicly accessible server maintained by the County. The files included information related to testing and treatment of infectious diseases.

− Primary Issue: Failure to store data on a secure server.

• December 2013: $150,000 settlement with Adult & Pediatric Dermatology, P.C. for not having policies and procedures in place to address the breach notification provisions of HITECH when an unencrypted thumb drive containing ePHI of 2,200 individuals was stolen from an employee’s car.

− Primary Issues: Failure to conduct an accurate and thorough risk analysis of security management policies and failure to have breach notification policies and procedures in place.

Recent OCR Enforcement Actions

• August 2013: $1,215,780 settlement with Affinity Health Plan for failing to erase PHI of up to 344,579 individuals from photocopier hard drives when it returned the copiers to leasing agents.

− Primary Issues: Failure to incorporate the ePHI stored on copier hard drives into the required risk analysis and failure to properly clear electronic hard drives before returning them.

• July 2013: $1.7 million settlement with WellPoint Inc. for a security weakness in an online application database during a systems upgrade that made ePHI of 612,402 individuals accessible online.

− Primary Issues: Failure to implement policies and procedures for authorizing access to the database, failure to perform an appropriate technical evaluation after a software upgrade, and failure to have safeguards in place to verify identities of users.

Recent OCR Enforcement Actions

• June 2013: $275,000 settlement with Shasta Regional Medical Center after senior hospital leaders disclosed patient information to media outlets and the entire workforce without a valid authorization.

− Primary Issues: Disclosure of patient information without authorization and failure to sanction workforce members for such disclosure pursuant to the hospital’s internal sanction policy.

• May 2013: $400,000 settlement with Idaho State University for disabling of firewall protections at servers maintained by ISU, resulting in vulnerability of ePHI for approximately 17,500 patients for at least 10 months.

− Primary Issues: Failure to conduct a complete and adequate risk analysis of ISU clinics and failure to apply proper security measures to firewall protection, which could have detected the breach much sooner.

Interesting Non–Healthcare Industry Breach: Target in Numbers

• December 2013: Big-box retailer Target spent $61,000,000 in the final months of 2013 and its CEO resigned, after a data breach exposed the personal data of approximately 110,000,000 customers who used their debit and credit cards at the store during the holiday season. Legal action is still ongoing.

− Thieves stole 40,000,000 credit and debit card numbers and other information about 70,000,000 customers.

− Target’s profits dropped 46% in the fourth quarter of 2013.

− The estimated cost to banks and credit unions for reissuing just half of the compromised cards has been $200,000,000.

− Target says it will spend $100,000,000 upgrading payment terminals to support Chip-and-PIN enabled cards.

− Between 1,000,000 and 3,000,000 cards were successfully sold on the black market and used for fraud. Thieves made over 50,000,000 in profit.

OCR Enforcement: General Advice

• “As we say in healthcare, an ounce of prevention is worth a pound of cure.”

- Former OCR Director Leon Rodriguez

• Conduct privacy and security audits proactively

• Thorough training programs

• Get insurance and carve HIE out if you can

• Assess and manage all risks under the written plan

• Maintain documentation that you reported the risk to your supervisor and Board

OCR Enforcement: General Advice

• What to Do if You Think You May be Dealing with a Breach:

DON’T ignore it. Get out in front of a potential HIPAA breach and manage it. Carefully document.

DON’T wait 60 days to notify/report. The 60-day reporting deadline is too late. OCR often says 60 days is too long. Some laws relating to identity theft require much faster reporting.

BUT, DO conduct a forensic audit. Where applicable and possible, make reasonably sure a breach occurred before reporting. Don’t report it if you can ethically disprove it!

OCR Enforcement: General Advice

• Don’t Forget About State Requirements:

− State consumer protection and data breach notification laws often contain different disclosure requirements than federal.

− Beware of particularly onerous state laws. For example:

Connecticut (*regulated by the Dept. of Insurance)

Florida (*this law is new)

California

Texas

Massachusetts

Business Associate Agreement Requirements

• The deadline to revise Business Associate Agreements (“BAAs”) for compliance with the HIPAA – HITECH Omnibus Rule is September 23, 2014.

− In the January 2013 Omnibus Rule, OCR released new requirements for BAAs with a compliance date of September 23, 2013.

− The rule grandfathered BAAs already in place as of January 25, 2013 until the earlier of: their renewal or modification, if after September 23, 2013, or September 23, 2014.

HIPAA Amendment Regarding CLIA Laboratories

• As of October 6, 2014 (compliance date), a patient’s right to access his or her medical records includes the right to request and receive laboratory test results directly from any laboratory that is a “covered entity” under HIPAA.

− This new rule removes the HIPAA access exemption for CLIA labs and CLIA-exempt labs.

• A “covered entity” laboratory must update its Notice of Privacy Practices to “inform individuals of their right to obtain reports directly from the laboratory, provide a brief description of how to exercise this right, and . . . remove any statements to the contrary.”

• This amendment preempts Georgia law, stating test results to “be reported only to or as directed by the licensed physician, dentist, or other authorized person requesting such test.” (O.C.G.A. § 31-22-4(c))

MU Audits and Electronic Health Information Incentives

• Meaningful Use post- and pre-payment audits are underway.

• Example Meaningful Use Stage 2 Objective:

− “Protect electronic health information created or maintained by the certified EHR technology (CEHRT) through the implementation of appropriate technical capabilities.”

• Accompanying Stage 2 Measure:

− “Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1), including addressing the encryption/security of data stored in CEHRT in accordance with requirements under 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3), and implement security updates as necessary and correct identified security deficiencies as part of the provider's risk management process for EPs.”

State Privacy and Data Laws: Florida

• Florida Information Protection Act of 2014, effective July 1, 2014

• Applies to all businesses possessing Floridians’ personal information

• Replaces Florida’s existing data breach law

− Shortens the breach notification deadline from 45 to 30 days

− Requires businesses to notify the Florida Department of Legal Affairs of breaches affecting 500 or more individuals in Florida

− Requires notice to individuals, but notice in accordance with rules of the business’s primary federal regulating agency satisfies the requirement

• Requires businesses to take reasonable steps to dispose of consumer records in any form that contain personal information when those records are “no longer to be retained.”

− No specific length of time for retention is mandated

− Destruction means “shredding, erasing, or otherwise modifying the personal information in the records to make it unreadable or undecipherable.”

Patient Portals Launched

• Patient Portals are being launched --

− Policy and procedures for provisioning users?

− Disclaimers in place?

− Factored into risk assessment / management plan?

− Reviewed your Terms of Use?

− Trained staff who will be monitoring not to practice medicine without a license and how to risk manage?

− Service Agreement and BAA in place with vendor?

42 C.F.R. Part 2 Data

• IMPOSSIBLE TO DEAL WITH

• Do you know how you could get pulled into this law?

• Have you assessed risks???

• Payer disclosure issues

• Consent needed

• Re-disclosure notices

• DO YOU HAVE A PART 2 POLICY???

Health Information Exchanges

• When linking data to other Health Information Exchange, consider:

− Whether the Notice of Privacy Practices informs patients of the relationship with the Health Information Exchange

− What indemnification provisions and procedures are in place

− Whether your EHR / Health Information Exchange should be set up as a separate and distinct legal entity

− Who will have access to data and procedures for protection of sensitive data

OCR Audits Are Here!!

• OCR is responsible for enforcing the HIPAA Privacy, Security, and Breach Notification Rules

• The HITECH Act requires DHHS to perform periodic audits of covered entity and business associate compliance with the HIPAA Privacy, Security, and Breach Notification Rules

− Audited CEs

− Supposedly auditing BAs in 2014

OCR Audits

The OCR HIPAA Audit Program: Processes, Controls, Policies

The Audit Focuses On:

The seven fundamental practices of the Privacy Rule

The administrative, physical, and technical safeguards of the Security Rule

The requirements of the Breach Notification Rule

OCR Audits

Areas of Review:

Risk assessment (last three years, but OCR breach investigations are going back 6-plus years)

Workforce training

Access control – user activity monitoring

Workstation security

Business Associate contracts

Minimum necessary

Patient access to records

Authorizations

Preparing For and Responding to Audit / Investigation

• CE / BA should --

− Ensure that its risk assessment and risk management plan and privacy, security and breach notification policies/procedures/audit plans are up to date; retain old versions

− Perform self-assessments of compliance program using the OCR Audit Protocols and NIST security risk tool

− Create a file/binder with all key documents needed for response

− Train workforces annually and after breaches

− Conduct mock interviews of workforce to ensure appropriate knowledge and preparedness

Gina Ginn Greenwood, J.D. | (404) 589-0009 office | [email protected]

• Gina Greenwood practices from the Atlanta/Macon offices of Baker Donelson and concentrates her practice on a wide range of matters, including cyber liability and identity theft; HIPAA Privacy and Security Rule compliance and breach notification; IT and certified EHR implementation; meaningful use; fraud and abuse (Stark Law, Anti-Kickback Statute, and FCA) compliance and investigations; EMTALA compliance, CMS and State licensure survey plans of correction responses and hearings; Joint Commission training and compliance; self-reporting; risk management strategies; peer review; corporate health care transactions; contract drafting and general business advice; and many other regulatory matters pertinent to all types of health care entities and companies.

• Gina has authored numerous health care materials and is a frequent speaker for Georgia Hospital Association and professional compliance organizations on fraud and abuse, HIPAA compliance, breaches & EMTALA compliance.

• Gina was recognized by Chambers USA as a leading health care lawyer in America (2011 and 2012). Voted Georgia Trend Legal Elite in Healthcare. Served as 2014 expert witness on EMTALA and mental health to US Congressional Committee in Washington, DC.