HIPAA Update Jamie Sorley U.S. Department of Health and Human Services Office for Civil Rights New Mexico Health Information Management Association Conference April 11, 2014 Albuquerque, NM


Page 1

HIPAA Update

Jamie Sorley
U.S. Department of Health and Human Services, Office for Civil Rights

New Mexico Health Information Management Association Conference
April 11, 2014
Albuquerque, NM

Page 2

Recent Enforcement Activities

U.S. Department of Health and Human Services, Office for Civil Rights April 11, 2014| page 2

Page 3

HIPAA Privacy, Security, Breach Compliance and Enforcement

– Resolution Agreements/Corrective Action Plans
  • 5 RA/CAPs in CY13
  • Total Resolution Amounts of $3,740,780

– Investigated Complaints/Compliance Reviews
  • 4,459 investigative closures in CY13
  • 3,467 closed with corrective action

– Breach Reports
  • 930 Breaches involving 500 or more individuals
  • Over 113,000 Breaches involving fewer than 500 individuals

Page 4

Breach Notification: 500+ Breaches by Type of Breach

Data as of March 25, 2014.

Type of Breach                     Share
Theft                              47%
Unauthorized Access/Disclosure     18%
Loss                               11%
Other                              10%
Hacking/IT Incident                 8%
Improper Disposal                   4%
Unknown                             2%

Page 5

Breach Notification: 500+ Breaches by Location of Breach

Data as of March 25, 2014.

Location of Breach              Share
Laptop                          23%
Paper Records                   21%
Desktop Computer                14%
Network Server                  12%
Portable Electronic Device      11%
Other                           11%
Email                            5%
EMR                              3%

Page 6

Recent Large Breaches

• Hacking network server – 780,000 affected

• Backup tapes stored at hospital cannot be found and are presumed lost – 315,000 affected

• Unencrypted emails sent to employee’s unsecured email address – 228,435 affected

• Theft of laptop from employee’s vehicle – 116,506 affected

• Unauthorized access to e-PHI stored in database – 105,646 affected

• Hacking database stored on network server – 70,000 affected

Page 7

Recent Major Enforcement Actions

• Adult & Pediatric Dermatology, P.C. ($150,000)
  – Unencrypted thumb drive stolen from employee vehicle affecting 2,200 patients
  – Covered entity did not have breach policies and procedures

• Affinity Health Plan, Inc. ($1.2M)
  – Breach affecting up to 344,000 individuals
  – Covered entity had not properly erased photocopier hard drives prior to sending the photocopiers to a leasing company

• Massachusetts Eye and Ear Institute ($1.5M)
  – Stolen personal laptop of physician using device as desktop substitute
  – Covered entity had not implemented a program to mitigate identified risks to e-PHI

Page 8

Recent Major Enforcement Actions

• Hospice of Northern Idaho ($50K)
  – Breach affecting 400 individuals when laptop stolen
  – Provider had not conducted a risk assessment or taken other measures to safeguard e-PHI as required by Security Rule

• Idaho State University ($400,000)
  – Disabled firewall left the PHI of approx. 17,500 patients unsecured
  – Risk analyses and risk management plans were incomplete or out of date

• Shasta Regional Medical Center ($275,000)
  – Senior management disclosed patient information to the media and to the workforce without patient authorization
  – CE failed to sanction workforce members in accordance with its internal policy

Page 9

HIPAA Omnibus Changes

Page 10

Omnibus Final Rule – Important Dates

• Published in Federal Register – January 25, 2013

• Effective Date – March 26, 2013

• Compliance Date – September 23, 2013

• Conform BA contracts – September 22, 2014

Page 11

Omnibus Components

• HITECH Privacy & Security
  – Business associates (BA)
  – Marketing & Fundraising
  – Sale of protected health information (PHI)
  – Right to request restrictions
  – Electronic access

• HITECH Breach Notification

• HITECH Enforcement

• GINA Privacy

• Other Modifications
  – Research
  – Notice of privacy practices (NPP)
  – Decedents
  – Student immunizations

Page 12

Not in Omnibus

• HITECH Accounting of Disclosures Rule

• HITECH Distribution of Penalties/Settlements to Harmed Individuals Rule

• HITECH Minimum Necessary Guidance

• HIPAA/CLIA Patient Access to Laboratory Test Reports Rule

Page 13

Omnibus Final Rule – What’s New for Consumers

• Right to Electronic Copy of Electronic Health Record
  – Right to direct copy to designated third party

• Prohibition on Sale of PHI without Authorization

• Marketing Communications Paid for by Third Party Require Authorization
  – Limited exceptions for refill reminders and current prescriptions

• Right to Restrict Disclosures to Health Plans of Treatment/Services Paid for Out of Pocket

Page 14

GINA Provisions

• Requires “Genetic Information” to be treated as PHI

• Prohibits Health Plans from using/disclosing genetic information for underwriting purposes

• Terms and definitions track regulations prohibiting discrimination in provision of health insurance based on genetic information

Page 15

Omnibus Final Rule – Non-statutory Provisions

• Student Immunization
  – Makes it easier for parents to permit providers to release student immunization records to schools

• Research
  – Allows researchers to use single authorization for more than one research purpose
  – Relaxes policy on authorizations for future research

• Notice of Privacy Practices
  – Updates required to Notices of Privacy Practices
  – Relaxes distribution requirements for Health Plans

• Decedent Information
  – Protections limited to 50 years after death
  – Eases access to friends and families

Page 16

Omnibus Final Rule – What’s New for Breach

• Breach Notification Provisions
  – Replaces “harm to individual” with more objective measure of compromise to the data as threshold for breach notification
  – Other provisions of 2009 IFR adopted without major change

Page 17

Omnibus Final Rule – What’s New for Enforcement

• Enforcement Provisions
  – Adopts increased CMP amounts and tiered levels of culpability from 2009 IFR
  – Clarifies “Reasonable Cause” Tier
  – Willful Neglect Penalties do not require informal resolution
  – Intentional wrongful disclosures may be subject to civil, rather than criminal, penalties

Page 18

HITECH Enforcement Raises CMP Levels

Violation Category               Each Violation        All Identical Violations per Calendar Year
Did Not Know                     $100 - $50,000        $1,500,000
Reasonable Cause                 $1,000 - $50,000      $1,500,000
Willful Neglect - Corrected      $10,000 - $50,000     $1,500,000
Willful Neglect - Not Corrected  $50,000               $1,500,000

Page 19

Omnibus Final Rule – What’s New for Business Associates

New definition of Business Associate (45 C.F.R. §160.103):

(1) Except as provided in paragraph (4) of this definition, business associate means, with respect to a covered entity, a person who:

(i) On behalf of such covered entity or of an organized health care arrangement (as defined in this section) in which the covered entity participates, but other than in the capacity of a member of the workforce of such covered entity or arrangement, creates, receives, maintains, or transmits protected health information for a function or activity regulated by this subchapter, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, patient safety activities listed at 42 CFR 3.20, billing, benefit management, practice management, and repricing; or

(ii) Provides, other than in the capacity of a member of the workforce of such covered entity, legal, actuarial, accounting, consulting, data aggregation (as defined in §164.501 of this subchapter), management, administrative, accreditation, or financial services to or for such covered entity, or to or for an organized health care arrangement in which the covered entity participates, where the provision of the service involves the disclosure of protected health information from such covered entity or arrangement, or from another business associate of such covered entity or arrangement, to the person.

Page 20

Omnibus Final Rule – What’s New for Business Associates

New definition of Business Associate, cont.

(2) A covered entity may be a business associate of another covered entity.

(3) Business associate includes:

(i) A Health Information Organization, E-prescribing Gateway, or other person that provides data transmission services with respect to protected health information to a covered entity and that requires access on a routine basis to such protected health information.

(ii) A person that offers a personal health record to one or more individuals on behalf of a covered entity.

(iii) A subcontractor that creates, receives, maintains, or transmits protected health information on behalf of the business associate.

Page 21

Omnibus Final Rule – What’s New for Business Associates

• BAs must comply with the technical, administrative, and physical safeguard requirements under the Security Rule
  – Must conduct a security risk analysis and implement a risk management plan
  – Must implement safeguards to protect EPHI
  – Liable for Security Rule violations

• BAs must comply with the use or disclosure limitations expressed in their contracts and those in the Privacy Rule
  – Criminal and civil liabilities for violations

• Clarification that BAs are liable whether or not they have an agreement in place with the CE

• If CE delegates Privacy Rule obligation to BA (e.g., providing NPPs to individuals), contract must require BA to perform in compliance with Rule

Page 22

Omnibus Final Rule – What’s New for Business Associates

• Direct liability
  – Impermissible uses and disclosures (including more than minimum necessary)
  – Failure to comply with Security Rule
  – Failure to provide breach notification
  – Failure to provide e-access as provided in BA contract
  – Failure to disclose PHI to HHS for compliance and enforcement
  – Failure to provide HITECH accounting (final rule not issued)

• Contractual liability for requirements of the BA contract

Page 23

Marketing

• Communications about health-related products/services by covered entity (CE) to individuals now count as marketing and require authorization if paid for by third party

• Applies to receipt of financial remuneration only; does not include receipt of non-financial benefits

• Authorization must state that communication is paid for

• Authorization can be obtained to make subsidized communications generally
  – Scope of authorization need not be limited to single product/service or products/services of one third party

Page 24

Marketing

• Limited exception for refill reminders (and similar communications)
  – Includes generic equivalents, adherence communications, drug delivery systems
  – Payment must be reasonably related to cost of communication

• Face to face marketing communications and promotional gifts of nominal value still permitted without authorization

Page 25

Sale of PHI

• Even where disclosure is permitted, CE is prohibited from disclosing PHI (without individual authorization) in exchange for remuneration
  – Includes remuneration received directly or indirectly from recipient
  – Not limited to financial remuneration

• If authorization obtained, authorization must state that disclosure will result in remuneration

Page 26

Sale of PHI

• Exceptions:
  – Treatment & payment
  – Sale of business
  – Remuneration to BA for services rendered
  – Disclosure required by law
  – Public health
  – Research, if remuneration limited to cost to prepare and transmit PHI
  – Providing access or accounting to individual
  – Any other permitted disclosure where CE receives only a reasonable, cost-based fee to prepare and transmit PHI

Page 27

Electronic Access

• If individual requests e-copy of PHI maintained electronically in designated record set, CE:
  – Must provide access in electronic form/format requested, if readily producible, otherwise in readable electronic form/format as agreed to by CE and individual

• If requested, CE must transmit copy of PHI to individual’s designee (not limited to electronic access)
  – Request must be in writing & signed
  – Must clearly identify designated person and where to send

Page 28

Electronic Access

• CE may charge for:
  – Labor for copying
    • Time attributable to reviewing request and producing copy
  – Cost of electronic media
    • CD, USB drive, or similar portable media/device, if individual requests copy on portable media

• CE has 30 days (with one 30-day extension) to act on request for access
  – Provision allowing initial 60 days for off-site PHI removed

Page 29

Definition of Breach

• Harm standard removed

• New standard – impermissible use/disclosure of (unsecured) PHI presumed to require notification, unless CE/BA can demonstrate low probability that PHI has been compromised based on a risk assessment of at least:
  – Nature & extent of PHI involved
  – Who received/accessed the information
  – Potential that PHI was actually acquired or viewed
  – Extent to which risk to the data has been mitigated

Page 30

Definition of Breach

• Exceptions for inadvertent, harmless mistakes remain

• Exception for limited data sets without dates of birth & zip codes removed

Page 31

Breach Notification

• Makes permanent the notification and other provisions of the 2009 interim final rule (IFR), with only minor changes/clarifications
  – E.g., clarifies that notification to Secretary of smaller breaches to occur within 60 days of end of calendar year in which breaches were discovered (versus occurred)

Page 32

Guidance and Compliance Tools

Page 33

• De-identification Guidance http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/De-identification/guidance.html

• Sample Business Associate Contract Language http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html

• Security Rule Guidance http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/index.html
  – Risk Analysis Guidance
  – NIST HIPAA Security Rule Toolkit
  – NIST Guidelines for Media Sanitization
  – FTC Guidance on Copier Data Security
  – Educational paper series

• Security for Mobile Devices (video/web) http://www.healthit.gov/mobiledevices

Page 34

ONC/OCR Mobile Device Program Instructional Video Series

The videos explore mobile device risks and discuss privacy and security safeguards providers and professionals can put into place to mitigate risks.

• Securing Your Mobile Device is Important!
• Dr. Anderson's Office Identifies a Risk
• A Mobile Device is Stolen
• Can You Protect Patients' Health Information When Using a Public Wi-Fi Network?
• Worried About Using a Mobile Device for Work? Here's What To Do!

Page 35

Downloadable Materials www.healthit.gov/mobiledevices

• Fact sheets
• Posters
• Brochures

Page 36

Mobile Device Program: Tips to Protect and Secure Health Information

• Use a password or other user authentication.
• Install and enable encryption.
• Install and activate wiping and/or remote disabling.
• Disable and do not install file-sharing applications.
• Install and enable a firewall.
• Install and enable security software.
• Keep security software up to date.
• Research mobile apps before downloading.
• Maintain physical control of your mobile device.
• Use adequate security to send or receive PHI over public Wi-Fi networks.
• Delete all stored health information before discarding or reusing the mobile device.

Page 37

Sample Notices of Privacy Practices

• Versions for Providers and for Health Plans
• Multiple formats
• Customizable
• In English and Spanish

http://www.hhs.gov/ocr/privacy/hipaa/modelnotices.html

Page 38

Medscape: Free CME and CE Training

HIPAA: Creating Awareness and Educating Providers on the Importance of Compliance

http://www.medscape.org/viewarticle/762170?src=cmsocr

Page 39

Security Rule Assessment Tool

http://www.healthit.gov/providers-professionals/security-risk-assessment

Page 40

Questions?

OCR website: www.HHS.gov/OCR

Jamie Sorley
[email protected]
(214) 767-8908