HIPAA: The New HIPAA Laws Now Have REAL Penalties; Criminal & Civil

Legal Information Is Not Legal Advice
This site provides information about the law designed to help users safely cope with their own legal needs. But legal information is not the same as legal advice -- the application of law to an individual's specific circumstances. Although we go to great lengths to make sure our information is accurate and useful, we recommend you consult a lawyer if you want professional assurance that our information, and your interpretation of it, is appropriate to your particular situation.


ARRA & HITECH Act: Increased Bureaucracy Overlap


The Old HIPAA

• Shredded Old Medical Records
• Added Silly Screen Privacy Devices
• Removed The Fax From Patient Hallway
• Disaster Recovery Plan?

The OLD HIPAA Sheriff: No private right of action


HIPAA Reboot: There Is A Real Sheriff In Town

Feds to Train State AGs To Enforce HIPAA (Breaking News, March 10, 2011)

The Department of Health and Human Services' Office for Civil Rights will host four regional meetings to train staff from state and territorial attorneys general offices on enforcement of the HIPAA privacy and security rules.

The HITECH Act gives attorneys general authority to enforce the privacy and security rules through civil actions. In a statement on its Web site, OCR welcomes collaboration with attorneys general seeking to bring actions to enforce the rules, and will provide information upon request about pending or concluded OCR actions against covered entities or business associates related to state investigations.

The training sessions will provide an overview of the privacy and security rules and related HITECH Act provisions, investigative techniques for identifying and prosecuting potential violations, a review of HIPAA and state laws, OCR's enforcement role, state attorneys general roles and responsibilities under HIPAA and HITECH, resources for states in pursuing alleged violations, and HIPAA enforcement support and results.


What Is New In The HIPAA Reboot?

New Enforcement Rules

New HIPAA Penalties

Breach Notifications to Consumers

BAs Must Comply with HIPAA Security Rule

No Selling of PHI

New Restrictions on Marketing & Fundraising

HIPAA Privacy Rule Accounting of Disclosures Under the Health Information Technology for Economic and Clinical Health Act

Summary of Recent HIPAA Changes

What You Don’t Know CAN Hurt You.


New Enforcement Rules: The Sheriff Has A Posse!

• Mandatory investigations for “willful neglect” cases.
• Mandatory civil penalties for “willful neglect” violations.
• Periodic compliance audits for CEs and BAs.
• Fines & penalties paid will go to OCR for increased investigations & enforcement.
• Harmed individuals will get a percent (t.b.d.) of CMP or settlement.
• In addition to CEs, individuals now made subject to HIPAA criminal provisions.
• State AGs can bring civil suits in federal courts on behalf of state residents.


New HIPAA Penalties: Sheriff Has A Cash “Jail”

Four tiers of penalties, depending on the nature of the offense:

Tier A - Offender didn’t know, and by reasonable diligence would not have known, that he or she violated the law. • $100 per violation • $25,000 annual maximum total per violator

Tier B - Violation due to reasonable cause and not willful neglect. • $1,000 per violation • $100,000 annual maximum total per violator

Tier C - Violation due to willful neglect but was corrected (within 30 days of when the violator knew or should have known of it). • $10,000 per violation • $250,000 annual maximum total per violator

Tier D - Violation due to willful neglect and was not corrected. • $50,000 per violation • $1,500,000 annual maximum total per violator

Note: the per-violation figures are the statutory minimums for each tier, and each “annual maximum” applies to identical violations of the same provision in a calendar year. Under HHS’s 2009 enforcement rule OCR may impose up to $50,000 per violation in any tier, up to $1,500,000 per calendar year for identical violations.


Breach Notifications to Consumers: Sheriff Wants The Word Out

• CEs, BAs, and PHR vendors are subject to breach notification requirements (a BA notifies the CE, which notifies the individuals; PHR vendors fall under the FTC’s parallel rule).
• Notify individuals if “unsecured” PHI was accessed, acquired, used, or disclosed in a breach. “Unsecured” essentially means data that has not been encrypted (or destroyed) in the manner specified by HHS guidance, and that includes all physical media. Encryption is a safe harbor only if the key was not compromised along with the data: a stolen laptop with full-disk encryption whose key is not stored on the device is not a reportable breach; an unencrypted thumb drive or a paper file is.
• Notices must be sent “without unreasonable delay” – no later than 60 calendar days after the breach is discovered (or by reasonable diligence should have been discovered), not 60 days after it occurred.
• Minimum content of notifications is specified in the regs.
• Notices sent by first-class mail – email only if the individual has agreed to electronic notice.
• If 10 or more affected individuals cannot be reached, substitute notice must be posted on the entity’s website or in major media.
• Breaches involving 500 or more individuals: mandatory reporting to HHS at the same time the individuals are notified, and HHS will publicly post the breach on the Internet. If more than 500 residents of a state or jurisdiction are affected, prominent media outlets must be notified as well.
• Breaches involving fewer than 500 individuals: entity keeps a log and reports it to HHS annually (within 60 days after the end of the calendar year).
• PHR breaches get reported to the FTC, and the FTC in turn notifies HHS.
• Louisiana state breach requirements are also in effect (“encrypted or unencrypted”).


Business Associates Must Comply with HIPAA Security Rule: Sheriff Sees “Guilt By Association”

BA’s subject to same civil & criminal penalties as CE’s.

BA’s must comply with Administrative, Technical, and Physical Safeguards.

BA’s must establish and maintain appropriate policies and procedures.

BA’s must document all Security Rule compliance activities.

BA’s must report breaches just like CE’s.

BA Contracts must be created or amended to include new requirements.

BAs are not required to comply with the Privacy Rule as such, but they are restricted from PHI uses and disclosures not in compliance with the BA contract. This represents “de-facto” Privacy compliance.

PHR Vendors and Health Information Exchanges become Business Associates


Does The New Sheriff Have A “Bite”?

One breach occurred at Stanford’s Lucile Packard Children’s Hospital in January 2010, when a desktop computer holding the medical records of 532 patients was stolen from the heart center by an employee. Hospital officials said at the time that no patient information was compromised.

But California’s Department of Public Health fined the hospital $250,000, the maximum allowed, for failing to report the breach within five days of discovery, as is required under state law. State officials contend it took the hospital 19 days to disclose.


Does The New Sheriff Have A “Bite”?

Massachusetts General Hospital in Boston, which trains Harvard medical students, agreed this year to pay a $1 million federal fine after an employee left paper medical records on a subway train while commuting to work. The pages contained the names of 192 patients, and diagnoses for about a third of them, including for H.I.V./AIDS. They were never recovered. The Department of Health and Human Services viewed the breach as a potential violation of the Health Insurance Portability and Accountability Act, the 1996 law that requires protection of medical records.


Does The New Sheriff Have A “Bite”?

A former UCLA Health System employee became the first person in the nation to be sentenced to federal prison for violating HIPAA. Huping Zhou, 47, of Los Angeles, was sentenced to four months in prison on April 27 after pleading guilty in January to four misdemeanor counts of accessing and reading the confidential medical records of his supervisors and high-profile celebrities, according to the U.S. Attorney’s Office for the Central District of California. Zhou was also fined $2,000.


Does The New Sheriff Have A “Bite”? Sheriff Has Deputies! (Secondary Liability)

A recent decision by an appellate court in North Carolina, however, demonstrates that HIPAA may form the basis of a lawsuit by a patient, notwithstanding the absence of a private right of action created by Congress. In the case, Acosta v. Byrum, 638 S.E.2d 246 (Ct. App. December 19, 2006), a patient sued her doctor on the theory of negligent infliction of emotional distress. The trial court dismissed the patient's claim in part on the ground that HIPAA did not provide for a private right of action. The appellate court reversed, however, stating that the patient had not asserted her claim under HIPAA, but had merely used HIPAA to define the standard of care that the physician should have followed to protect her medical information. In other words, the claim is based on the theory that a violation of HIPAA's privacy regulations is negligence per se, which would make unnecessary a jury's determination of the reasonableness of the doctor's conduct.


Does The New Sheriff Have A “Bite”? Sheriff Has Deputies! (Secondary Liability)

The use of HIPAA privacy violations as a standard of care for negligence under common law theories of liability is likely to be adopted by other patients whose healthcare information is disclosed, inadvertently or otherwise.

This additional litigation risk suggests that strict adherence to HIPAA regulations is important not only to avoid regulatory enforcement, but also to avoid individual lawsuits, which pose a more prevalent and expensive risk.

Annual Report to Congress on Breaches of Unsecured Protected Health Information

Coping with Breaches, Enforcement, and Other Fallout under HITECH’s Breach Reporting & Enforcement Rules

Louisiana Database Security Breach Notification Law

RS 51:3071

CHAPTER 51. DATABASE SECURITY BREACH NOTIFICATION LAW

§3071. Short title

This Chapter may be cited as the "Database Security Breach Notification Law".

Acts 2005, No. 499, §1, eff. Jan. 1, 2006.

§3072. Legislative findings

The legislature hereby finds and declares that:

(1) The privacy and financial security of individuals are increasingly at risk due to the ever more widespread collection of personal information.

(2) Credit card transactions, magazine subscriptions, telephone numbers, real estate records, automobile registrations, consumer surveys, warranty registrations, credit reports, and Internet web sites are all sources of personal information and form the source material of identity theft.

(3) The crime of identity theft is on the rise in the United States. Criminals who steal personal information use the information to open credit card accounts, write bad checks, buy automobiles, and commit other financial crimes using the identity of another person.

(4) Identity theft is costly to the marketplace and to consumers.

(5) Victims of identity theft must act quickly to minimize the damage; therefore, expeditious notification of possible misuse of a person's personal information is imperative.

Acts 2005, No. 499, §1, eff. Jan. 1, 2006.

§3073. Definitions

As used in this Chapter, the following terms shall have the following meanings:

(1) "Agency" means the state, a political subdivision of the state, and any officer, agency, board, commission, department or similar body of the state or any political subdivision of the state.

(2) "Breach of the security of the system" means the compromise of the security, confidentiality, or integrity of computerized data that results in, or there is a reasonable basis to conclude has resulted in, the unauthorized acquisition of and access to personal information maintained by an agency or person. Good faith acquisition of personal information by an employee or agent of an agency or person for the purposes of the agency or person is not a breach of the security of the system, provided that the personal information is not used for, or is subject to, unauthorized disclosure.

(3) "Person" means any individual, corporation, partnership, sole proprietorship, joint stock company, joint venture, or any other legal entity.


What Constitutes A BREACH Of Personal Information?

(4)(a) "Personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when the name or the data element is not encrypted or redacted:

(i) Social security number.

(ii) Driver's license number.

(iii) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.

(b) "Personal information" shall not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

Under Louisiana Law: Once The Breach Occurs, Notification Requirements Start

Some States Now Require You To Pay For Credit Monitoring For Each Patient In The Breached Database


Types Of Data Breaches

• Hackers Breaching Security: poor internal network security; Web-based phishing, viruses, worms
• Insider Theft: insiders cause 48% of all breaches
• Stolen Hardware
• Lost Hardware: laptops, thumb drives, etc.
• Third Party Breach: business associates

From Insider Abuse To Insider Accountability


Types Of Data Breaches: The Social Web Based Threat

An aggressive worm known for stealing sensitive information was found on the computer network for the agencies handling unemployment claims in Massachusetts.

W32.QAKBOT is a worm that spreads through network drives and removable drives. After the initial infection, usually the result of clicking on a malicious link on a Web page, it can download additional files, steal information and open a back door on the compromised machine. The worm also contains a rootkit that allows it to hide its presence and it works slowly to avoid detection. “Its ultimate goal is clearly theft of information,” said Shunichi Imano, a Symantec researcher.

Qakbot is especially aggressive and normally targets online banking, although it has the ability to mutate itself to switch targets and change its methods. The cyber-criminals behind the infection could have remotely instructed the virus to go after names, addresses and Social Security numbers stored in the state systems instead of focusing on banking sites.

“In a nutshell, if your computer is compromised, every bit of information you type into your browser will be stolen,” according to Patrick Fitzgerald, a senior security response manager at Symantec.

Where Are Employees Surfing On YOUR Computers?

Cyber-criminals used malware to steal personal information from the Massachusetts unemployment offices, according to the state agency.


The Cost Of Data Breaches

$301.00 Per Record Breached!

How much could a data breach incident cost your company?


Know Your Business Associates: You’re In It With Them

• Billing Service
• Collection Service
• Lawyers
• IT Vendor
• Medical Record Disposal Co.
• EHR Vendor
• Answering Service
• Transcriptionist
• Labs
• Imaging Centers
• Private Payers
• Medical Transport Co.
• Cleaning Service

And The List Goes On

HIPAA Now Requires Comprehensive Business Associate Agreements


Basic Remedial Action

• Performing a new risk assessment
• Revising policies and procedures
• Improving physical security by installing new security systems or by relocating equipment or records to a more secure area
• Training or retraining workforce members who handle protected health information
• Adopting encryption technologies
• Establishing acceptable use rules for the Internet
• Imposing sanctions on workforce members who violated policies and procedures, primarily in response to serious employee errors, removing protected health information from the facility against policy, and unauthorized access
• Changing passwords
• Revising business associate contracts to more explicitly require protection for confidential information. In both
• Contacting your liability/malpractice insurance company

REMEMBER: If It Is Not Documented, It Did Not Happen. HIPAA Will Want It In Writing.


Synergy Solutions
3200 Ridgelake Dr. Suite 203
Metairie LA 70002

Telephone (504) 834-9550
Facsimile (504) 834-5755
Toll Free 866-834-8030

Daigle: 504-834-9550 Ext 115
Frank J: ext 116

www.GoToSynergy.com
