HIPAA – Current Issues & Implications for Nursing Homes
March 20, 2007
Leadership Health Care Spring 2007 Conference
Katherine M. Layman, Cozen O'Connor, Philadelphia, PA, 215-665-2746
PRIVACY STANDARDS
- Limit the use and disclosure of Protected Health Information
- Due to the constraints imposed by the scope of HIPAA, privacy regulation is applicable only to:
  - "Covered" entities: health care providers, health plans, and clearinghouses; business associates
  - "Protected" Health Information (PHI): information created by or received from a covered entity related to health, treatment or payment that is transmitted or maintained in any form or medium (electronic, written and oral) by a covered entity
HIPAA Privacy Rule
- General rule: a covered entity (health care provider, health plan or health care clearinghouse) may not use or disclose PHI except as permitted by the Privacy Rule.
HIPAA Analysis
- Is there a covered entity?
  - Business associate?
- Is there PHI?
- Is an authorization needed?
HIPAA Privacy Rule: Individual Rights
- Notice of privacy practices
- Right of access
- Right of amendment
- Right to request privacy protections
- Right to an accounting
State Law Preemption
- "Floor" of provisions: does not preempt more stringent state laws, potentially requiring some dual obligations
- Stronger state laws apply where they:
  - Further limit use or disclosure of PHI
  - Create a greater right to access PHI
  - Strengthen authorization protection
- Significant confusion and litigation
Pennsylvania Laws
- AIDS/HIV testing
- Mental health records: heightened authorization requirements prior to most disclosures
- Non-public personal health information held by insurance companies: prohibits disclosure of a consumer's personal health information, except with the consumer's written authorization
Pennsylvania Laws (cont'd)
- Drug and alcohol records: strict limits
- DNA records: authorization needed
- Sexual assault victim records
Privacy Rule and Personal Representatives
- Stands in the individual's shoes: state law governs
- The Privacy Rule requires CEs to treat an individual's personal representative as the individual with respect to uses and disclosures of the individual's PHI and rights under the Rule
- Access to PHI that is relevant to such representation
  - Are there limitations?
  - Limited power of attorney
- Deceased individual
  - Treating physicians of family members: no authorization needed
  - Executor or next of kin: may authorize disclosures of PHI
Sources of Complaints
- Patients or their family members
- Employees or other members of the workforce
- BAs, vendors, etc.
- Governmental or law enforcement agencies
HIPAA Myths - #1
- May providers discuss a patient's medical condition with family members only if the patient has expressly authorized it?
#1 Talking to Family Members - Permitted
- To a family member, other relative, or close personal friend identified by the individual
- Medical information or payment information relevant to that person's involvement with the patient
- OR, if the patient is present, the provider may disclose PHI if the patient does not object
HIPAA Myths - #2
- Must nursing homes that send patients to an outpatient radiology facility have a business associate agreement with the radiology provider before they send residents for X-rays?
#2 Business Associates
A business associate is:
- A person or entity that performs certain functions or activities involving the use of PHI on behalf of, or provides services to, a covered entity
  - BA functions (e.g., claims processing)
  - BA services (legal, etc.)
#2 Business Associates (cont'd)
Exceptions:
- Disclosures by a covered entity to a provider for treatment
- Disclosures to a sponsor by a health plan, so long as the plan documents have been amended
- Miscellaneous situations where a BAA is not required
PRIVACY AND SECURITY: WHAT IS THE DISTINCTION?
- Privacy generally refers to the rights of an individual to limit the use and disclosure of protected health information.
- Security generally refers to the obligations of covered entities to safeguard health information from improper use or disclosure.
The "E" in EPHI
- EPHI includes any medium used to store, transmit, or receive PHI electronically
- Examples include:
  - Personal computers
  - External portable hard drives, including iPods
  - Magnetic tape or disks
  - Removable storage devices such as USB memory sticks/keys, CDs, DVDs, and floppy diskettes
  - PDAs, smartphones
  - Electronic transmission, including data exchange (e.g., email or file transfer) via wireless, modem, DSL or cable network connections
SECURITY RULES ARE FLEXIBLE
- The regulations tell covered entities what to do but NOT how to do it.
- Covers only electronic information
- Privacy Rule: a "mini security rule"
HIPAA: Security Standards
Each person who maintains or transmits health information shall maintain reasonable and appropriate administrative, technical and physical safeguards:
- to ensure the integrity and confidentiality of the information, and
- to protect against any reasonably anticipated:
  - threats or hazards to the security or integrity of the information, and
  - unauthorized uses or disclosures of the information
FTC: Key Security Ideas
- TAKE STOCK. Know what personal information you have in your files and on your computers.
- SCALE DOWN. Keep only what you need for business.
- LOCK IT. Protect the information you keep.
- PITCH IT. Properly dispose of what you no longer need.
- PLAN AHEAD. Create a plan to respond to security incidents.
SECURITY LANDMINES
- Remote access and portable devices
  - CMS guidance issued December 2006
  - Security Regulation: standards for secure storage, maintenance and transmission of ePHI
- Wireless security
- Encryption/secure messaging
- Access control (including remote access)
- Employee termination
2006 Healthcare Security Breaches
- Detroit hospital nurse's laptop, with names, medical records and SSNs of 28,000 patients, stolen from her car
- VA loses data on 25.6M veterans in a laptop theft
- Providence Health System reimburses Oregon $95,000 as a result of theft of computer disks containing information on 365,000 Providence patients
- Sisters of St. Francis hospital chain: a contractor accidentally left a CD with patient billing information for 260,000 patients in a computer bag she returned to a store
Tips for Prevention
- Maintain the minimum necessary information
- Secure data
  - Control access
  - Encryption
- Manage expectations
Tips (cont'd)
- Make security a workforce priority
- Address third parties/vendors
- Develop and test security measures
- Plan for potential breaches
Security Breach Notice Laws
- As of January 1, 2007, 34 states have passed some sort of data breach notice law
PA Breach of Personal Information Notification Act
- Requires owners of computerized data to notify consumers of data security breaches that may compromise the privacy of their personal information
- Applies to individuals, businesses and PA government agencies and subdivisions
- Notification requirement is triggered only if the data owner "reasonably believes" the breach "has caused or will cause loss or injury" to any PA resident
- Personal information is defined as a person's first name or initial and last name linked to: 1) SSN, 2) driver's license number, or 3) financial account number with access code
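When a spilled dataset has to be triaged after an incident, the first mechanical question is which records even meet the Act's definition of "personal information" as summarized above (name plus SSN, driver's license number, or account number together with its access code). The following Python is an added example, not part of the presentation: the field names, the Record class and the sample records are assumptions constructed for illustration. It encodes only the definitional test; the separate "reasonably believes ... loss or injury" trigger is a judgment call and is deliberately left to a human.

```python
from dataclasses import dataclass
from typing import Optional

# Added illustration of the PA Breach of Personal Information Notification Act
# definition as quoted on the slide. Field names and sample data are assumptions.


@dataclass
class Record:
    """One row of a spilled dataset (hypothetical schema)."""
    first_name: Optional[str] = None
    last_name: Optional[str] = None
    ssn: Optional[str] = None
    drivers_license: Optional[str] = None
    account_number: Optional[str] = None
    access_code: Optional[str] = None
    state: Optional[str] = None  # state of residence, used to count PA residents


def _present(value: Optional[str]) -> bool:
    return bool(value and value.strip())


def has_name(rec: Record) -> bool:
    # A first name OR a first initial satisfies the first half of the test,
    # so any non-empty first_name counts; the last name is always required.
    return _present(rec.first_name) and _present(rec.last_name)


def linked_elements(rec: Record) -> list:
    """Return which of the three statutory data elements the name is linked to."""
    elements = []
    if _present(rec.ssn):
        elements.append("ssn")
    if _present(rec.drivers_license):
        elements.append("drivers_license")
    # A financial account number on its own is not enough under the definition;
    # it must be paired with the access code that goes with it.
    if _present(rec.account_number) and _present(rec.access_code):
        elements.append("financial_account_with_code")
    return elements


def is_personal_information(rec: Record) -> bool:
    return has_name(rec) and bool(linked_elements(rec))


def triage(records: list) -> dict:
    """Count records meeting the definition and how many belong to PA residents.

    The harm trigger ("reasonably believes ... loss or injury") is not
    automated here; this only narrows the set a reviewer has to look at.
    """
    affected = [r for r in records if is_personal_information(r)]
    pa_residents = [r for r in affected if (r.state or "").upper() == "PA"]
    return {
        "total": len(records),
        "personal_information": len(affected),
        "pa_residents": len(pa_residents),
    }


# Constructed sample records (not real data).
SAMPLE_RECORDS = [
    Record(first_name="J", last_name="Smith", ssn="123-45-6789", state="PA"),
    Record(first_name="Maria", last_name="Lopez", account_number="4400112233", state="PA"),
    Record(first_name="Maria", last_name="Lopez", account_number="4400112233",
           access_code="7781", state="NJ"),
    Record(first_name="Dana", ssn="987-65-4321", state="PA"),
    Record(first_name="Robert", last_name="Chen", drivers_license="12 345 678", state="PA"),
    Record(first_name="Ann", last_name="Davis", state="PA"),
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec.first_name, rec.last_name, is_personal_information(rec), linked_elements(rec))
    print(triage(SAMPLE_RECORDS))
```

Of the six constructed records, three meet the definition (the initial-plus-SSN record, the account-number-with-code record, and the driver's license record); the account number without its access code, the record with no last name, and the name-only record do not. Two of the three are PA residents.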
Tips – In Event of Breach
- Internal investigation
- Notification: assess when, to whom, and how
- Disciplinary actions
- Mitigate/remedy the problems that caused the breach
Electronic Health Records
- Support of White House
  - Efficiency
  - Improved quality of care
- Interoperability is key
- Expense
- Significant privacy challenges
- Link to P4P
Enforcement
- Privacy Rule: enforced by OCR
- Security Rule: enforced by CMS
- Criminal enforcement: Department of Justice
HIPAA Enforcement Rule
- Effective March 16, 2006
- Expands application of compliance and enforcement rules to all administrative simplification provisions, not just the HIPAA privacy standards
- Establishes guidelines/procedures for the imposition of civil monetary penalties; clarifies the investigation process
Enforcement Statistics
- As of February 2007:
  - OCR has received and initiated reviews of 25,000+ complaints, 76% of which have been "closed" (due to a lack of jurisdiction, no violation, or voluntary compliance)
  - OCR has referred 366 complaints to the DOJ for criminal investigation
  - 4 criminal HIPAA violations prosecuted
  - 0 civil fines imposed!
Future Enforcement…
- Should I worry, given the lack of enforcement to date?
- OIG to audit providers nationally for security compliance; the audit is the government's first systematic hands-on examination of compliance with any HIPAA regulation
- OIG Work Plan: privacy is a focus area
Criminal Enforcement
- Only egregious cases
  - Selling medical records
  - Using patient information for personal gain
- U.S. v. Ferrer: went to jury trial
  - Information purchased from a former employee
  - $7 million in fraudulent Medicare claims submitted
Recent Developments
- PA federal court rejects claim that improper use of PHI under HIPAA is an injury to a property interest (Vavro v. Albers, Aug. 31, 2006)
- PA federal court rejects inmate's claim that release of his medical information violates HIPAA; court holds that HIPAA does not provide a private right of action or remedy (Carney v. Snyder, Aug. 15, 2006)
Recent Developments (cont'd)
- PA federal court rejects employee's claim that employer improperly used her PHI to make an employment-related decision, holding that HIPAA does not provide a private right of action (Rigaud v. Garofalo, May 2, 2005) (employer terminated employee after learning that employee forged a prescription refill authorization)