HIPAA Update
Jamie Sorley, U.S. Department of Health and Human Services, Office for Civil Rights
New Mexico Health Information Management Association Conference, April 11, 2014
Albuquerque, NM
Recent Enforcement Activities
U.S. Department of Health and Human Services, Office for Civil Rights April 11, 2014| page 2
HIPAA Privacy, Security, Breach Compliance and Enforcement
– Resolution Agreements/Corrective Action Plans
  • 5 RA/CAPs in CY13
  • Total Resolution Amounts of $3,740,780
– Investigated Complaints/Compliance Reviews
  • 4,459 investigative closures in CY13
  • 3,467 closed with corrective action
– Breach Reports
  • 930 Breaches involving 500 or more individuals
  • Over 113,000 Breaches involving fewer than 500 individuals
Breach Notification: 500+ Breaches by Type of Breach
Data as of March 25, 2014.
  Theft: 47%
  Loss: 11%
  Unauthorized Access/Disclosure: 18%
  Hacking/IT Incident: 8%
  Improper Disposal: 4%
  Other: 10%
  Unknown: 2%
Breach Notification: 500+ Breaches by Location of Breach
Data as of March 25, 2014.
  Paper Records: 21%
  Desktop Computer: 14%
  Laptop: 23%
  Portable Electronic Device: 11%
  Network Server: 12%
  Email: 5%
  EMR: 3%
  Other: 11%
Recent Large Breaches
• Hacking network server – 780,000 affected
• Backup tapes stored at hospital cannot be found and are presumed lost – 315,000 affected
• Unencrypted emails sent to employee’s unsecured email address – 228,435 affected
• Theft of laptop from employee’s vehicle – 116,506 affected
• Unauthorized access to e-PHI stored in database – 105,646 affected
• Hacking database stored on network server – 70,000 affected
U.S. Department of Health and Human Services, Office for Civil Rights October 28, 2013 | page 6
Recent Major Enforcement Actions
• Adult & Pediatric Dermatology, P.C. ($150,000)
  – Unencrypted thumb drive stolen from employee vehicle affecting 2,200 patients
  – Covered entity did not have breach policies and procedures
• Affinity Health Plan, Inc. ($1.2M)
  – Breach affecting up to 344,000 individuals
  – Covered entity had not properly erased photocopier hard drives prior to sending the photocopiers to a leasing company
• Massachusetts Eye and Ear Institute ($1.5M)
  – Stolen personal laptop of physician using device as desktop substitute
  – Covered entity had not implemented a program to mitigate identified risks to e-PHI
Recent Major Enforcement Actions
• Hospice of Northern Idaho ($50K)
  – Breach affecting 400 individuals when laptop stolen
  – Provider had not conducted a risk assessment or taken other measures to safeguard e-PHI as required by Security Rule
• Idaho State University ($400,000)
  – Disabled firewall left the PHI of approx. 17,500 patients unsecured
  – Risk analyses and risk management plans were incomplete or out of date
• Shasta Regional Medical Center ($275,000)
  – Senior management disclosed patient information to the media and to the workforce without patient authorization
  – CE failed to sanction workforce members in accordance with its internal policy
HIPAA Omnibus Changes
Omnibus Final Rule – Important Dates
• Published in Federal Register – January 25, 2013
• Effective Date – March 26, 2013
• Compliance Date – September 23, 2013
• Conform BA contracts – September 22, 2014
Omnibus Components
• HITECH Privacy & Security
  – Business associates (BA)
  – Marketing & Fundraising
  – Sale of protected health information (PHI)
  – Right to request restrictions
  – Electronic access
• HITECH Breach Notification
• HITECH Enforcement
• GINA Privacy
• Other Modifications
  – Research
  – Notice of privacy practices (NPP)
  – Decedents
  – Student immunizations
Not in Omnibus
• HITECH Accounting of Disclosures Rule
• HITECH Distribution of Penalties/Settlements to Harmed Individuals Rule
• HITECH Minimum Necessary Guidance
• HIPAA/CLIA Patient Access to Laboratory Test Reports Rule
Omnibus Final Rule – What’s New for Consumers
• Right to Electronic Copy of Electronic Health Record
  – Right to direct copy to designated third party
• Prohibition on Sale of PHI without Authorization
• Marketing Communications Paid for by Third Party Require Authorization
  – Limited exceptions for refill reminders and current prescriptions
• Right to Restrict Disclosures to Health Plans of Treatment/Services Paid for Out of Pocket
GINA Provisions
• Requires “Genetic Information” to be treated as PHI
• Prohibits Health Plans from using/disclosing genetic information for underwriting purposes
• Terms and definitions track regulations prohibiting discrimination in provision of health insurance based on genetic information
Omnibus Final Rule – Non-statutory Provisions
• Student Immunization
  – Makes it easier for parents to permit providers to release student immunization records to schools
• Research
  – Allows researchers to use single authorization for more than one research purpose
  – Relaxes policy on authorizations for future research
• Notice of Privacy Practices
  – Updates required to Notices of Privacy Practices
  – Relaxes distribution requirements for Health Plans
• Decedent Information
  – Protections limited to 50 years after death
  – Eases access to friends and families
Omnibus Final Rule – What’s New for Breach
• Breach Notification Provisions
  – Replaces “harm to individual” with more objective measure of compromise to the data as threshold for breach notification
  – Other provisions of 2009 IFR adopted without major change
Omnibus Final Rule – What’s New for Enforcement
• Enforcement Provisions
  – Adopts increased CMP amounts and tiered levels of culpability from 2009 IFR
  – Clarifies “Reasonable Cause” Tier
  – Willful Neglect Penalties do not require informal resolution
  – Intentional wrongful disclosures may be subject to civil, rather than criminal, penalties
HITECH Enforcement Raises CMP Levels
Violation Category                Each Violation        All Identical Violations per Calendar Year
Did Not Know                      $100 - $50,000        $1,500,000
Reasonable Cause                  $1,000 - $50,000      $1,500,000
Willful Neglect - Corrected       $10,000 - $50,000     $1,500,000
Willful Neglect - Not Corrected   $50,000               $1,500,000
Omnibus Final Rule – What’s New for Business Associates
New definition of Business Associate (45 C.F.R. §160.103):
(1) Except as provided in paragraph (4) of this definition, business associate means, with respect to a covered entity, a person who:
(i) On behalf of such covered entity or of an organized health care arrangement (as defined in this section) in which the covered entity participates, but other than in the capacity of a member of the workforce of such covered entity or arrangement, creates, receives, maintains, or transmits protected health information for a function or activity regulated by this subchapter, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, patient safety activities listed at 42 CFR 3.20, billing, benefit management, practice management, and repricing; or
(ii) Provides, other than in the capacity of a member of the workforce of such covered entity, legal, actuarial, accounting, consulting, data aggregation (as defined in §164.501 of this subchapter), management, administrative, accreditation, or financial services to or for such covered entity, or to or for an organized health care arrangement in which the covered entity participates, where the provision of the service involves the disclosure of protected health information from such covered entity or arrangement, or from another business associate of such covered entity or arrangement, to the person.
Omnibus Final Rule – What’s New for Business Associates
New definition of Business Associate, cont.
(2) A covered entity may be a business associate of another covered entity.
(3) Business associate includes:
(i) A Health Information Organization, E-prescribing Gateway, or other person that provides data transmission services with respect to protected health information to a covered entity and that requires access on a routine basis to such protected health information.
(ii) A person that offers a personal health record to one or more individuals on behalf of a covered entity.
(iii) A subcontractor that creates, receives, maintains, or transmits protected health information on behalf of the business associate.
Omnibus Final Rule – What’s New for Business Associates
• BAs must comply with the technical, administrative, and physical safeguard requirements under the Security Rule
  – Must conduct a security risk analysis and implement a risk management plan
  – Must implement safeguards to protect EPHI
  – Liable for Security Rule violations
• BAs must comply with the use or disclosure limitations expressed in their contracts and those in the Privacy Rule
  – Criminal and civil liabilities for violations
• Clarification that BAs are liable whether or not they have an agreement in place with the CE
• If CE delegates a Privacy Rule obligation to a BA (e.g., providing NPPs to individuals), the contract must require the BA to perform in compliance with the Rule
Omnibus Final Rule – What’s New for Business Associates
• Direct liability
  – Impermissible uses and disclosures (including more than minimum necessary)
  – Failure to comply with Security Rule
  – Failure to provide breach notification
  – Failure to provide e-access as provided in BA contract
  – Failure to disclose PHI to HHS for compliance and enforcement
  – Failure to provide HITECH accounting (final rule not issued)
• Contractual liability for requirements of the BA contract
Marketing
• Communications about health-related products/services by a covered entity (CE) to individuals are now marketing and require authorization if paid for by a third party
• Applies to receipt of financial remuneration only; does not include receipt of non-financial benefits
• Authorization must state that communication is paid for
• Authorization can be obtained to make subsidized communications generally
  – Scope of authorization need not be limited to a single product/service or to the products/services of one third party
Marketing
• Limited exception for refill reminders (and similar communications)
  – Includes generic equivalents, adherence communications, drug delivery systems
  – Payment must be reasonably related to cost of communication
• Face to face marketing communications and promotional gifts of nominal value still permitted without authorization
Sale of PHI
• Even where disclosure is permitted, CE is prohibited from disclosing PHI (without individual authorization) in exchange for remuneration
  – Includes remuneration received directly or indirectly from recipient
  – Not limited to financial remuneration
• If authorization obtained, authorization must state that disclosure will result in remuneration
Sale of PHI
• Exceptions:
  – Treatment & payment
  – Sale of business
  – Remuneration to BA for services rendered
  – Disclosure required by law
  – Public health
  – Research, if remuneration limited to cost to prepare and transmit PHI
  – Providing access or accounting to individual
  – Any other permitted disclosure where the CE receives only a reasonable, cost-based fee to prepare and transmit PHI
Electronic Access
• If individual requests e-copy of PHI maintained electronically in designated record set, CE:
  – Must provide access in electronic form/format requested, if readily producible, otherwise in readable electronic form/format as agreed to by CE and individual
• If requested, CE must transmit copy of PHI to individual’s designee (not limited to electronic access)
  – Request must be in writing & signed
  – Must clearly identify designated person and where to send
Electronic Access
• CE may charge for:
  – Labor for copying
    • Time attributable to reviewing request and producing copy
  – Cost of electronic media
    • CD, USB drive, or similar portable media/device, if individual requests copy on portable media
• CE has 30 days (with one 30-day extension) to act on request for access
  – Provision allowing initial 60 days for off-site PHI removed
Definition of Breach
• Harm standard removed
• New standard – impermissible use/disclosure of (unsecured) PHI presumed to require notification, unless CE/BA can demonstrate low probability that PHI has been compromised based on a risk assessment of at least:
  – Nature & extent of PHI involved
  – Who received/accessed the information
  – Potential that PHI was actually acquired or viewed
  – Extent to which risk to the data has been mitigated
Definition of Breach
• Exceptions for inadvertent, harmless mistakes remain
• Exception for limited data sets without dates of birth & zip codes removed
Breach Notification
• Makes permanent the notification and other provisions of the 2009 interim final rule (IFR), with only minor changes/clarifications
  – E.g., clarifies that notification to Secretary of smaller breaches is to occur within 60 days of the end of the calendar year in which the breaches were discovered (versus occurred)
Guidance and Compliance Tools
• De-identification Guidance http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/De-identification/guidance.html
• Sample Business Associate Contract Language http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html
• Security Rule Guidance http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/index.html
• Risk Analysis Guidance
• NIST HIPAA Security Rule Toolkit
• NIST Guidelines for Media Sanitization
• FTC Guidance on Copier Data Security
• Educational paper series
• Security for Mobile Devices (video/web) http://www.healthit.gov/mobiledevices
ONC/OCR Mobile Device Program Instructional Video Series
The videos explore mobile device risks and discuss privacy and security safeguards providers and professionals can put into place to mitigate risks.
Videos in the series:
• Securing Your Mobile Device is Important!
• Dr. Anderson's Office Identifies a Risk
• A Mobile Device is Stolen
• Can You Protect Patients' Health Information When Using a Public Wi-Fi Network?
• Worried About Using a Mobile Device for Work? Here's What To Do!
Downloadable Materials www.healthit.gov/mobiledevices
• Fact sheets
• Posters
• Brochures
Mobile Device Program: Tips to Protect and Secure Health Information
• Use a password or other user authentication.
• Install and enable encryption.
• Install and activate wiping and/or remote disabling.
• Disable and do not install file-sharing applications.
• Install and enable a firewall.
• Install and enable security software.
• Keep security software up to date.
• Research mobile apps before downloading.
• Maintain physical control of your mobile device.
• Use adequate security to send or receive PHI over public Wi-Fi networks.
• Delete all stored health information before discarding or reusing the mobile device.
Sample Notices of Privacy Practices
• Versions for Providers and for Health Plans
• Multiple formats
• Customizable
• In English and Spanish
http://www.hhs.gov/ocr/privacy/hipaa/modelnotices.html
Medscape: Free CME and CE Training
HIPAA: Creating Awareness and Educating Providers on the Importance of Compliance
http://www.medscape.org/viewarticle/762170?src=cmsocr
Security Rule Assessment Tool
http://www.healthit.gov/providers-professionals/security-risk-assessment
Questions?
OCR website: www.HHS.gov/OCR
Jamie Sorley
[email protected]
(214) 767-8908