HIPAA Privacy, Security, Breach Overview

Don’t Get Hit by the HIPAA Omnibus: Are You Ready for Sept 23?

Description

Presentation on HIPAA Privacy, Security, Breach for Dublin Entrepreneurial Center (DEC) at Metro Data Center on Sept 12, 2013

Transcript of HIPAA Privacy, Security, Breach Overview

Page 1: HIPAA Privacy, Security, Breach Overview

Don’t Get Hit by the HIPAA Omnibus: Are You Ready for Sept 23?

Page 2: HIPAA Privacy, Security, Breach Overview

HealthCare Too, LLC Proprietary

Disclaimers

The material in this presentation and/or any remarks made by HealthCare Too, LLC personnel are NOT meant to provide legal advice or counsel. We intend this session to provide you with highlights of the new HIPAA Omnibus for your edification and for your own use at your own professional discretion.

8/6/13

Page 3: HIPAA Privacy, Security, Breach Overview


Scope

45 CFR Parts 160 and 164, Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act, or “The HIPAA Omnibus”, was 138 pages when released on Jan 25, 2013. This presentation introduces several major changes at a high level but does not present all changes.


Page 4: HIPAA Privacy, Security, Breach Overview


Your Presenters

• Tim Perry, MPA, CHTS-IS
• Chief Information Officer, HealthCare Too, LLC
• 25+ years of Health Information Technology and Compliance experience
• Chief Technology Officer, Ecommerce, LLC (Cloud & Hosting)
• Senior Vice President of Infrastructure Services, Reed Elsevier
• Global IT Director, Johnson & Johnson
• Consulting engagements at SmithKline Beecham, Merck
• Education
  • Master of Technology Management, Univ of Pennsylvania
  • Master of Public Administration, The Ohio State University
  • Bachelor of Arts, The Ohio State University


Page 5: HIPAA Privacy, Security, Breach Overview


Page 6: HIPAA Privacy, Security, Breach Overview


What’s in a Name?

• Mega Rule
• Omnibus
• Final Rule


Page 7: HIPAA Privacy, Security, Breach Overview


Protected Health Information (PHI)


Individually identifiable Health Information

List of 18 Identifiers
• Names
• All geographic subdivisions smaller than state
• All elements of dates except year
• Phone numbers
• Fax numbers
• Electronic mail addresses
• Social Security numbers
• Medical record numbers
• Health plan beneficiary numbers
• Account numbers
• Certificate/license numbers
• Vehicle identifiers and serial numbers
• Device identifiers and serial numbers
• Web Universal Resource Locators (URLs)
• Internet Protocol (IP) address numbers
• Biometric identifiers
• Full face photographic images
• Any other unique identifying number

Health information means any information, including genetic information, whether oral or recorded in any form or medium, that: (1) Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and (2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.
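Several of the 18 identifiers have a recognisable textual shape (SSNs, phone and fax numbers, e-mail addresses, IP addresses, URLs, dates carrying a month and day, ZIP codes), which is what makes a first-pass scan of free text for stray PHI possible. The Python below is an added example, not code from the presenters or from HHS: it scans a constructed clinical note for those pattern-detectable classes and produces a redacted copy. Identifiers with no universal format (names, medical record numbers, account numbers, device serials, biometrics, photographs) are out of scope for a regex scan and need dictionaries or field-level knowledge of the source system.

```python
import re
from collections import defaultdict

# Regexes for the identifier classes in the HIPAA list that have a
# recognisable textual shape. Names, medical record numbers, account
# numbers, device serials and the like have no universal format and need
# dictionaries or field-level knowledge, so they are not covered here.
PHI_PATTERNS = {
    "Social Security number": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "Phone/fax number": re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),
    "Email address": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "IP address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "URL": re.compile(r"\bhttps?://[^\s<>\"']+", re.IGNORECASE),
    # Every element of a date other than the year is an identifier, so a
    # numeric month/day/year is flagged while a bare year is not.
    "Date (month/day present)": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
    # A ZIP code is a geographic subdivision smaller than a state. Five
    # digits also match other numbers, so treat these hits as leads to review.
    "ZIP code": re.compile(r"\b\d{5}(?:-\d{4})?\b"),
}


def find_identifiers(text):
    """Return {identifier class: sorted unique matches} found in text."""
    hits = defaultdict(set)
    for label, pattern in PHI_PATTERNS.items():
        for match in pattern.finditer(text):
            hits[label].add(match.group(0))
    return {label: sorted(values) for label, values in hits.items()}


def redact(text, token="[REDACTED]"):
    """Replace every pattern-detectable identifier with token."""
    for pattern in PHI_PATTERNS.values():
        text = pattern.sub(token, text)
    return text


# Constructed sample text; no real person, record or system is described.
SAMPLE_NOTE = """Patient called from (614) 555-0100 on 03/14/2013 about a statement
sent to jane.doe@example.com. SSN on file 123-45-6789; home ZIP 43017.
Portal login seen from 10.20.30.40, referred by http://portal.example.org/visit
Fax results to 614.555.0199 before the end of 2013."""

if __name__ == "__main__":
    for label, values in find_identifiers(SAMPLE_NOTE).items():
        print(f"{label}: {values}")
    print(redact(SAMPLE_NOTE))
```

Run it against a dump of an outbound e-mail queue, a ticketing export or a log directory and it gives a quick answer to "is PHI leaving through a channel we never listed in the risk analysis?"; the bare year 2013 in the sample survives redaction because the rule only treats month and day as identifiers.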


Page 8: HIPAA Privacy, Security, Breach Overview


Two flows are shown on this slide: an incident that may turn out to be a breach, and a complaint that may turn out to be a violation.

“Some Incident” → Breach? ([A]cquisition, access, use, or disclosure of protected health information in a manner not permitted) → Risk Assessment
  → No Breach → Document & Done
  → Breach Verified → OCR Agreement for Corrective Action, Settlement, or Formal Finding and Fine

Complaint (A person who believes a covered entity or business associate is not complying with the administrative simplification provisions may file a complaint with the Secretary) → OCR Intake / Review
  → No Violation → Document & Done
  → Possible Violation → OCR Investigation
    → No Violation → Document & Done
    → Violation Found ([F]ailure to comply with an administrative simplification provision.) → OCR Agreement for Corrective Action, Settlement, or Formal Finding and Fine

Page 9: HIPAA Privacy, Security, Breach Overview


Page 10: HIPAA Privacy, Security, Breach Overview


Leon Rodriguez

“I am the first Director of the Office of Civil Rights to come to the Office with experience, extensive experience, both in law enforcement and a healthcare provider lawyer and it’s my commitment to ramp up the enforcement of the Office.”


Oral Testimony to Senate Judiciary Subcommittee on Privacy, Technology, and Law “Your Health and Your Privacy: Protecting Health Information in a Digital World.”, Nov 2, 2011.


Page 11: HIPAA Privacy, Security, Breach Overview


HIPAA Resolutions by Type and Year (based on OCR data)

Page 12: HIPAA Privacy, Security, Breach Overview


Reported 500+ Breaches in OH


Patients Affected | Date of Breach | Type of Breach | Location of Breach
60998 | 3/27/10 | Theft | Laptop
1001 | 4/22/10 | Unauthorized Access/Disclosure | Email
1200 | 6/13/10 | Improper Disposal | Paper
1309 | 6/11/10 | Loss | Laptop
13867 | 6/7/10 | Theft | Laptop
2123 | 7/29/10 | Improper Disposal | Paper
1000 | 11/15/10 | Improper Disposal | Paper
501 | 11/5/10 | Theft | Laptop, Computer
78,042 | 6/3/11 | Theft | Laptop
500 | 10/1/10 | Improper Disposal | Other (X-ray film)
15,000 | 10/01/2010 - 03/21/2012 | Unauthorized Access/Disclosure | Other
15000 | 10/1/2010 - 03/21/2012 | Unauthorized Access/Disclosure | Other
850 | 12/2/12 | Theft | Laptop, Network Server
2500 | 3/19/13 | Theft | Other
5000 | 04/14/2013 - 04/19/2013 | Loss | Laptop
2203 | 5/29/13 | Other | Paper
78542 TOTAL

Page 13: HIPAA Privacy, Security, Breach Overview


Notable Settlements

Entity | Amount | Year
WellPoint, Inc. (unattended weaknesses in online database) | $1.7 million | July 2013
Walgreens (pharmacist looked up a woman’s history) | $1.44 million | July 2013
MN AG & Accretive Health (started from July 2011 lost laptop) | $2.5 million | July 2013
Shasta Regional Med Center (disclosure of patient info to Media) | $275,000 | June 2013
Idaho State University (left a firewall down for 10 mos after maint) | $400,000 | May 2013
Goldthwait Associates & 4 Pathology Groups, MA Attorney General (disposed of patient data at dump) | $140,000 | January 2013


Page 14: HIPAA Privacy, Security, Breach Overview


Compliance Deadline

Omnibus HIPAA Final Rule
• Published in Federal Register – January 25, 2013
• Effective Date – March 26, 2013
• Compliance Date – September 23, 2013
• Transition Period to Conform BA Contracts – Up to September 22, 2014, for Qualifying Contracts


Page 15: HIPAA Privacy, Security, Breach Overview


Covered Entities, Business Associates, and Subcontractors, Oh My!


Page 16: HIPAA Privacy, Security, Breach Overview


“Covered Entity”

• (1) A health plan.

• (2) A health care clearinghouse.

• (3) A health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter.
• Note: if an electronic transaction is made on a provider’s behalf… it is considered the provider’s


Page 17: HIPAA Privacy, Security, Breach Overview


“Business Associate”: What it says / What it means

• “functions, activities or services on behalf of covered entities”
• “Create, receive, maintain, or transmit PHI”
• An employee of a CE is NOT a BA.
• Clarifies definition of BA to include: Patient Safety Organizations, Health Information Exchanges, Personal Health Records
• Must have BAA in place
• Clarification that BAs are liable whether or not they have an agreement in place with the CE. (Marissa Gordon-Nguyen, JD, MPH, Office for Civil Rights)


Page 18: HIPAA Privacy, Security, Breach Overview


“Subcontractors”: What it says / What it means

"a person to whom a business associate delegates a function, activity, or service, other than in the capacity of a member of the workforce of such business associate." (45 CFR 160.103)

"under the final rule, covered entities must ensure that they obtain satisfactory assurances required by the Rules from their BAs, and BAs must do the same with regard to subcontractors, and so on, no matter how far 'down the chain' the information flows."

Subcontractors are BAs:
• Subject to HIPAA provisions
• Directly liable for HIPAA violations
• BA must have BAA with every subcontractor
• Subcontractor must have BAA with its subcontractors, who are also BAs


Page 19: HIPAA Privacy, Security, Breach Overview


Agency

• Covered Entities can be held liable for the violations caused by their Business Associates.

• Business Associates can be held liable for the violations caused by their sub-contractors.

• Federal common law of Agency will govern whether an agency relationship exists between the parties - regardless of what the contract actually says.

(WEDI presentation by Joseph R. McClure, Esq. Legal Counsel, Siemens Medical Solutions USA WEDI Privacy & Security Co-Chair)


Page 20: HIPAA Privacy, Security, Breach Overview


Your PHI Ecosystem is Explicit


Page 21: HIPAA Privacy, Security, Breach Overview


1 – 2 million ? ???

Never directly liable for HIPAA… until now.

Page 22: HIPAA Privacy, Security, Breach Overview


WEDI Privacy & Security Workgroup, Business Associate Sub-Workgroup


Page 23: HIPAA Privacy, Security, Breach Overview


WEDI Privacy & Security Workgroup, Business Associate Sub-Workgroup


Page 24: HIPAA Privacy, Security, Breach Overview


Typical BA Functions (Again)

• Claims processing or administration

• Data analysis, processing or administration

• Utilization review
• Quality assurance billing
• Benefit management
• Practice management
• Repricing
• Data Storage / Hosting
• Legal
• Actuarial
• Accounting
• Consulting
• Data aggregation
• Management
• Administrative
• Accreditation
• Financial

Page 25: HIPAA Privacy, Security, Breach Overview


Business Associates Must:

1. Comply with the HIPAA Security Rule
2. Report to Covered Entity any breach of unsecured PHI
3. Enter into BAAs with subcontractors imposing the same obligations that apply to the Business Associate
4. Comply with the HIPAA Privacy Rule to the extent Business Associate is carrying out a Covered Entity’s Privacy Rule obligations


(WEDI presentation by Joseph R. McClure, Esq. Legal Counsel, Siemens Medical Solutions USA WEDI Privacy & Security Co-Chair)


Page 26: HIPAA Privacy, Security, Breach Overview


Breach

Unauthorized acquisition, access, use or disclosure that compromises the security or privacy of the protected health information such that the use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual.


Page 27: HIPAA Privacy, Security, Breach Overview


Four-Factor PHI Breach Assessment
1. Nature and extent of PHI involved
2. Unauthorized person who used PHI or to whom disclosure was made
3. Whether PHI was actually acquired or viewed
4. Extent to which risk to PHI has been mitigated


“Guilty until proven innocent”: Breach is now presumed


Page 28: HIPAA Privacy, Security, Breach Overview


Breach Notification

Less Than 500 Patient Records:
• Individual notifications must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach
• Notify HHS on an annual basis.

500+ Patient Records:
• Individual notifications must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach
• Notify the Secretary without unreasonable delay and in no case later than 60 days following a breach.
• Provide notice to prominent media outlets serving the State or jurisdiction


HHS provides “safe harbor” for PHI that is encrypted or properly disposed of in keeping with early guidance.

Note: When you notify of a breach, you are self-reporting a HIPAA violation and should make your counsel aware as well as conduct a new risk analysis with corrective actions.


Page 29: HIPAA Privacy, Security, Breach Overview


Breach Discovered → Risk Assessment:
  1. Nature and extent of PHI involved
  2. Unauthorized person who used PHI or to whom disclosure was made
  3. Whether PHI was actually acquired or viewed
  4. Extent to which risk to PHI has been mitigated
→ No Breach → Document & Done
→ Breach → Less Than 500?
  Yes → Notify Individuals; Notify HHS Annually
  No → Notify Individuals; Notify HHS w/i 60 days; Notify Media
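The decision flow on the last four slides (breach definition, four-factor assessment, the 500-record threshold, the 60-day clock and the encryption safe harbor) is small enough to write down as code, which makes the presumption of breach explicit: nothing in the path leads to "Document & Done" unless every factor is documented and the assessment positively concludes there is no breach. The Python below is an added example written for this page, not a tool from the presenters or from HHS; the scenarios are constructed and the field names are the example's own.

```python
from dataclasses import dataclass
from datetime import date, timedelta

LARGE_BREACH_THRESHOLD = 500   # 500+ records triggers the larger set of notices
NOTIFICATION_WINDOW_DAYS = 60  # "in no case later than 60 days following discovery"


@dataclass
class Incident:
    discovered: date
    records_affected: int
    phi_encrypted: bool = False      # encrypted per HHS guidance: safe harbor
    properly_disposed: bool = False  # destroyed per HHS guidance: safe harbor


@dataclass
class FourFactorAssessment:
    nature_and_extent: str        # 1. nature and extent of PHI involved
    unauthorized_recipient: str   # 2. who used it / to whom it was disclosed
    acquired_or_viewed: str       # 3. whether PHI was actually acquired or viewed
    mitigation: str               # 4. extent to which the risk has been mitigated
    # Under the Omnibus the breach is presumed; only a documented assessment
    # can overturn that, so the default conclusion is "breach".
    concludes_no_breach: bool = False

    def validate(self):
        """Every factor must be documented, or 'Document & Done' is impossible."""
        for name in ("nature_and_extent", "unauthorized_recipient",
                     "acquired_or_viewed", "mitigation"):
            if not getattr(self, name).strip():
                raise ValueError(f"four-factor assessment: {name} is undocumented")


def triage(incident, assessment):
    """Map an incident onto the notification path from the slides."""
    assessment.validate()
    if incident.phi_encrypted or incident.properly_disposed:
        # Secured PHI is not "unsecured PHI": no notification obligation.
        return {"classification": "safe-harbor", "notify": [], "deadline": None}
    if assessment.concludes_no_breach:
        return {"classification": "no-breach", "notify": [], "deadline": None}
    deadline = incident.discovered + timedelta(days=NOTIFICATION_WINDOW_DAYS)
    if incident.records_affected < LARGE_BREACH_THRESHOLD:
        return {"classification": "breach-under-500",
                "notify": ["individuals", "HHS (annual log)"],
                "deadline": deadline}
    return {"classification": "breach-500-plus",
            "notify": ["individuals", "HHS Secretary", "media"],
            "deadline": deadline}


# Constructed scenarios (not real incidents): a laptop stolen from a car
# holding records for 420 patients, once without and once with encryption,
# and a larger server theft. Discovery date is the Omnibus compliance date.
STOLEN_LAPTOP = Incident(discovered=date(2013, 9, 23), records_affected=420)
STOLEN_ENCRYPTED_LAPTOP = Incident(discovered=date(2013, 9, 23),
                                   records_affected=420, phi_encrypted=True)
STOLEN_SERVER = Incident(discovered=date(2013, 9, 23), records_affected=5000)
LAPTOP_ASSESSMENT = FourFactorAssessment(
    nature_and_extent="names, dates of birth and diagnoses for 420 patients",
    unauthorized_recipient="unknown thief",
    acquired_or_viewed="device not recovered; viewing cannot be ruled out",
    mitigation="device credentials revoked; no remote wipe available",
)

if __name__ == "__main__":
    for incident in (STOLEN_LAPTOP, STOLEN_ENCRYPTED_LAPTOP, STOLEN_SERVER):
        print(triage(incident, LAPTOP_ASSESSMENT))
```

The encrypted variant shows why the safe harbor is the cheapest control on the deck: the same theft, same thief and same records produce no notification duty at all, while the unencrypted laptop starts a 60-day clock on 23 September that runs out on 22 November.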

Page 30: HIPAA Privacy, Security, Breach Overview


Where?

• Privacy Rule applies to any form of PHI
  • It’s about disclosures
• Security Rule applies to electronic forms of PHI
  • Desktop
  • Laptop
  • Tablet Computer
  • Smart Phone
  • Cloud
  • USB “thumb drive”
  • CD / DVD
  • Floppy disk (if those even still exist)
  • ….


Page 31: HIPAA Privacy, Security, Breach Overview


Greater Use of Health Information Technology


Page 32: HIPAA Privacy, Security, Breach Overview


http://www.himss-oregon.org/events/pdf/ChrisGough-BigDataKeynote.pdf

Page 33: HIPAA Privacy, Security, Breach Overview


The Size of the Issue….

2 Kilobytes: A typewritten page
1 Megabyte: A small novel
1 Gigabyte: A pickup truck filled with paper
1 Terabyte is 50,000 trees made into paper and printed
1 Petabyte of music would take ~2,000 years to play
1 Exabyte: 100,000X the printed material in the Lib of Congress
1 Zettabyte: ~62 Billion iPhones (stacked would pass the moon)

http://highscalability.com/blog/2012/9/11/how-big-is-a-petabyte-exabyte-zettabyte-or-a-yottabyte.html

To store a Yottabyte on terabyte sized hard drives would require a million city block size data-centers… as big as the states of Delaware and Rhode Island

http://en.wikipedia.org/

POINT: PHI is growing!!!

Page 34: HIPAA Privacy, Security, Breach Overview


Privacy Rule

Covered Entity
• Marketing & Fundraising
• Sale of protected health information (PHI)
• Right to request restrictions
• Electronic access for patient
• Delegates
• Genetic info for underwriting prohibited
• Immunization records with parent approval
• Decedent PHI protected for 50 years

Business Associate: BAA at least as strict as CE

Subcontractor: BAA at least as strict as BA


Page 35: HIPAA Privacy, Security, Breach Overview


Page 36: HIPAA Privacy, Security, Breach Overview


Security Rule: Phys Safeguards

Required:
• Workstation Use (R)
• Workstation Security (R)
• Disposal (R)
• Media Re-use (R)

Addressable:
• Contingency Operations (A)
• Facility Security Plan (A)
• Access Control and Validation Procedures (A)
• Maintenance Records (A)
• Accountability (A)
• Data Backup and Storage (A)


Applies to: Covered Entity, Business Associates, and Subcontractors

Page 37: HIPAA Privacy, Security, Breach Overview


Security Rule: Admin Safeguards

Required:
• Risk Analysis (R)
• Risk Management (R)
• Sanction Policy (R)
• Information System Activity Review (R)
• Assigned Security Responsibility (R)
• Isolating Health Care Clearinghouse Function (R)
• Response and Reporting (R)
• Data Backup Plan (R)
• Disaster Recovery Plan (R)
• Emergency Mode Operation Plan (R)
• Evaluation (R)
• Written Contract or Other Arrangement (R)

Addressable:
• Authorization and/or Supervision (A)
• Workforce Clearance Procedure (A)
• Termination Procedures (A)
• Access Authorization (A)
• Access Establishment and Modification (A)
• Security Reminders (A)
• Protection from Malicious Software (A)
• Log-in Monitoring (A)
• Password Management (A)
• Testing and Revision Procedure (A)
• Applications and Data Criticality Analysis (A)


Applies to: Covered Entity, Business Associates, and Subcontractors

Page 38: HIPAA Privacy, Security, Breach Overview


Security Rule: Tech Safeguards

Required:
• Unique User Identification (R)
• Emergency Access Procedure (R)
• Audit Controls (R)
• Person or Entity Authentication (R)

Addressable:
• Automatic Logoff (A)
• Encryption and Decryption (A)
• Mechanism to Authenticate Electronic PHI (A)
• Integrity Controls (A)
• Encryption (A)


Applies to: Covered Entity, Business Associates, and Subcontractors
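Audit Controls (R) and Unique User Identification (R) on this slide only pay off together with Information System Activity Review (R) and Log-in Monitoring (A) from the administrative safeguards: someone has to read the audit trail. The Walgreens settlement on the Notable Settlements slide (a pharmacist looking up one woman's history) is exactly the kind of access that an unread log records and a reviewed log surfaces. The Python below is an added example, not code from the presenters or from any EHR vendor: it runs three plain checks over a constructed access log and a constructed care-team roster, flagging access without a treatment relationship, after-hours access, and one user touching many patients in a day.

```python
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO

# Constructed sample EHR access log (not from any real system). Each line
# records who (unique user id) touched which patient record, when, and how.
ACCESS_LOG = """timestamp,user_id,patient_id,action
2013-09-10T09:15:00,u1001,p500,view
2013-09-10T09:17:00,u1001,p500,update
2013-09-10T22:40:00,u1002,p500,view
2013-09-10T10:05:00,u1003,p501,view
2013-09-11T03:12:00,u1001,p502,view
2013-09-11T11:00:00,u1004,p500,view
2013-09-11T11:00:30,u1004,p501,view
2013-09-11T11:01:00,u1004,p502,view
2013-09-11T11:01:20,u1004,p503,view
2013-09-11T11:02:00,u1004,p504,view
2013-09-11T11:02:30,u1004,p505,view
"""

# Constructed care-team roster: which users have a treatment relationship
# with which patient. In a real system this comes from scheduling/ADT data.
CARE_TEAM = {
    "p500": {"u1001", "u1002"},
    "p501": {"u1003"},
    "p502": {"u1001"},
    "p503": {"u1003"},
    "p504": {"u1003"},
    "p505": {"u1003"},
}

BUSINESS_HOURS = range(7, 20)   # 07:00 to 19:59 local; tune per site
BULK_ACCESS_THRESHOLD = 5       # distinct patients per user per day


def parse_log(text):
    """Parse the CSV log into dicts with a real datetime in 'timestamp'."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        rows.append(row)
    return rows


def review_activity(rows, care_team):
    """Return (finding_type, user_id, detail) tuples for a reviewer."""
    findings = []
    per_user_day = defaultdict(set)
    for row in rows:
        user, patient, when = row["user_id"], row["patient_id"], row["timestamp"]
        # Access by someone with no treatment relationship to the patient.
        if user not in care_team.get(patient, set()):
            findings.append(("no-treatment-relationship", user, patient))
        # Access outside the hours the role normally works.
        if when.hour not in BUSINESS_HOURS:
            findings.append(("after-hours", user, patient))
        per_user_day[(user, when.date())].add(patient)
    # One user walking through many charts in a single day.
    for (user, day), patients in per_user_day.items():
        if len(patients) >= BULK_ACCESS_THRESHOLD:
            findings.append(("bulk-access", user, f"{len(patients)} patients on {day}"))
    return findings


def review_sample():
    """Run the review over the constructed log and roster."""
    return review_activity(parse_log(ACCESS_LOG), CARE_TEAM)


if __name__ == "__main__":
    for finding in review_sample():
        print(*finding)
```

The checks only work because each row carries a unique user id; shared or generic accounts make the first and third checks meaningless, which is why Unique User Identification is a required specification rather than an addressable one.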

Page 39: HIPAA Privacy, Security, Breach Overview


Security Rule: Org Reqmnts

Required:
• Business Associate Contracts (R)
• Group Health Plans (R)
• Documentation: Time Limit (R), Availability (R), Updates (R)


Applies to: Covered Entity, Business Associates, and Subcontractors

Page 40: HIPAA Privacy, Security, Breach Overview


2007

Original Omnibus


Page 41: HIPAA Privacy, Security, Breach Overview


For example, a data storage company that has access to protected health information (whether digital or hard copy) qualifies as a business associate, even if the entity does not view the information or only does so on a random or infrequent basis.

-HIPAA Omnibus

If I Store Data Online Does HIPAA Apply to the Hoster?

Page 42: HIPAA Privacy, Security, Breach Overview


What’s Your Hosting Service?


 | Shared | Dedicated | Medical-grade Cloud
Price | ~$7.95/month | ~$50+ / month | ~$300+ / month
BA Agreement | Violation? | Violation? |
Risk Analysis | Violation? | Violation? |
24 X 7 Monitoring | Violation? | Violation? |
Encryption | Violation? | Violation? |
Audit Logs | Violation? | Violation? |
Monthly Report | Violation? | Violation? |
DR Plan | Violation? | Violation? |
Data Backup | Violation? | Violation? |
Disposal Policy | Violation? | Violation? |
Unique User ID | Violation? | Violation? |

AND MUCH, MUCH, MUCH MORE

Page 43: HIPAA Privacy, Security, Breach Overview


Fine Structure


Violation Category | Per Violation | Per Calendar Year
Did Not Know | $100 - $50,000 | $1,500,000
Reasonable Cause | $1,000 - $50,000 | $1,500,000
Willful Neglect – Corrected | $10,000 - $50,000 | $1,500,000
Willful Neglect – Not Corrected | $50,000 | $1,500,000


Page 44: HIPAA Privacy, Security, Breach Overview


Last year we had a $1.5M settlement with BCBS TN that had 57 hard drives stolen from a storage facility. The citation that drove the penalty was NOT the breach. Rather, the penalty was applied because of the failure to implement appropriate administrative safeguards, not performing a risk assessment, and failure to implement access controls for physical safeguards. They could have turned that storage facility into Fort Knox, and it might have still been breached. But the problem was they didn’t implement any preventive policies or procedures or appropriate administrative or physical safeguards. This is a great example of the lack of ongoing attention to compliance.


HIPAA in a HITECH World: HIPAA Violations on the Rise, According to Director of OCR. Posted on March 22, 2013 by April Sage

Leon Rodriguez, Director, Office for Civil Rights


Page 45: HIPAA Privacy, Security, Breach Overview


Another Real Life Example: Breach of less than 500 patients' PHI

• Hospice of North Idaho fined $50,000
• Unencrypted laptop was stolen from an employee's car.
• OCR found that HONI (1) did not conduct a risk analysis to safeguard ePHI and (2) did not have policies/procedures in place to address mobile device security.


Page 46: HIPAA Privacy, Security, Breach Overview


Patient Rights over PHI: What it says / What it means

What it says: In this final rule, we strengthen an individual’s right to receive an electronic copy of his or her protected health information.
What it means: If you use an EHR, you must provide an e-copy of PHI to patients upon request, within timeframe and costs of Final Rule.

What it says: The final rule requires that a covered health care provider agree in most cases to an individual’s request to restrict disclosure to a health plan of the individual’s protected health information that pertains to a health care service for which the individual has paid the health care provider in full out of pocket.
What it means: Patients may pay for treatment and ask provider to withhold PHI from insurer.


Page 47: HIPAA Privacy, Security, Breach Overview


Street Value of Medical Records

“A thief downloading and stealing data can get $50 on the street for a medical identification number compared to just $1 for a Social Security number. For those receiving the medical ID number and using it to defraud a health care organization, the average payout is more than $20,000,” according to Pam Dixon, executive director of the World Privacy Forum. “Compare that to just $2,000 for the average payout for regular ID theft.”


“Protected Health Information (PHI): High Value to Hackers: Medical Facilities at Risk”, http://www.prweb.com/releases/2013/2/prweb10412883.htm


Page 48: HIPAA Privacy, Security, Breach Overview


Value of Protected Health Information (diagram), surrounded by its drivers:
• Big Data / Internet of Things
• Aging US Pop
• Gene Data
• EHRs / HIEs
• Social Nets / PHRs
• Cyber Crimes
• Data Governance
• Non-compliance

Page 49: HIPAA Privacy, Security, Breach Overview


Resources
• Jan 17, 2013 News Release on Omnibus http://www.hhs.gov/news/press/2013pres/01/20130117b.html
• Poyner Spruill Summary of HIPAA Omnibus http://www.poynerspruill.com/publications/Pages/summaryofNewHIPAARules.aspx
• Health Information Privacy http://www.hhs.gov/ocr/privacy/hipaa/understanding/index.html
• Enforcement Examples http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/index.html
• HHS “Wall of Shame” http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html


Page 50: HIPAA Privacy, Security, Breach Overview


Questions


888-596-HEAL (4325) [email protected]