Jeanne M. Born, RN, JD, Jborn@nexsenpruet.com

CURRENT LEGAL ISSUES IN TELEMEDICINE WEBINAR: CONFIDENTIALITY AND HIPAA ISSUES IN TELEMEDICINE

AUGUST 26, 2015


Palmetto Care Connections www.nexsenpruet.com webinar

Patient Confidentiality

‣ Every State and Federal law that protects the confidentiality, privacy and security of protected health information that is created in a face-to-face encounter applies to virtual encounters.

‣ Telemedicine creates new challenges:

‣ Increases the number of people who may/will have access to health information:

‣ Clinical professionals;

‣ Technical professionals:

‣ Site where the patient is located +

‣ Telemedicine provider +

‣ Distant site.


Patient Confidentiality

‣ Health information is being transmitted as it is being created:

‣ Subject to increased privacy and security risks

‣ Increased number of people who have access;

‣ Data management issues: Information may be in formats not previously part of the medical record (audio and video recordings);

‣ How and where is this new information to be stored?

‣ Data sharing issues: Who is the owner of the medical record:

‣ The site where the patient is located?

‣ The distant site where the physician is located?

‣ Potential for unauthorized persons viewing/hacking:

‣ Fear of “unseen persons” during the telemedicine session;

‣ Fear about the reliability of security with telemedicine hardware/devices/applications.


PATIENT CONFIDENTIALITY/HIPAA

‣ Examples of issues where Telemedicine/Telehealth can create increased risk exposure:

‣ Interoperability in cooperating locations' systems could increase risks (breach; medical errors);

‣ Interruptions in connectivity mid-examination/procedure;

‣ Differences in operational procedures and technology implementations could increase risk exposure

‣ Treatment could be viewed by unauthorized individuals without patient knowledge or permission

‣ Electronic communications could be hacked by unauthorized individuals

‣ Locally stored PHI could be accessed or altered by people with system-level privileges.


Patient Confidentiality/Privacy/Security

‣ Address concerns by conducting a thorough review of the entire process:

‣ Comply with applicable State and Federal confidentiality / privacy / security laws;

‣ Apply appropriate administrative, physical and technical safeguards;

‣ Educate both patients and staff (clinical and technical).


Patient Confidentiality: State Laws

‣ Examples of professional licensing standards that require confidentiality:

‣ Physicians - S.C. Code Regs. 81-60 § D

‣ Nurses – S.C. Code Ann. § 40-33-110(A)(8)

‣ Psychologists – S.C. Code Regs. 100-4 § B.2

‣ Social Workers – S.C. Code Regs. 110-20 § 15

‣ Professional counselors, associate counselors and marriage and family therapists - S.C. Code Ann. § 40-75-190

‣ Emergency Medical Technicians - S.C. Code Regs. 61-7 § 110.A.9

‣ Violations can result in disciplinary action. See S.C. Board of Medical Examiners v. Hedgepath, 480 S.E.2d 724 (S.C. 1997).


Patient Confidentiality: State Laws

‣ Examples of institutional licensing laws affecting confidentiality:

‣ Abortion Clinics - S.C. Code Regs. 61-12 § 402

‣ Hospitals - S.C. Code Regs. 61-16 § 1107.A

‣ Nursing Homes - S.C. Code Ann. § 44-81-40(H)

‣ Physician Offices – S.C. Code Ann. § 44-115-40

‣ Day Care Facilities for Adults - S.C. Code Regs. 61-75 § 901.A.6

‣ Home Health Agencies - S.C. Code Regs. 61-77 §§ 801.A.3 & 902.C

‣ Hospices - S.C. Code Regs. 61-78 § 701

‣ Facilities that Treat Individuals for Psychoactive Substance Abuse or Dependence - S.C. Code Regs. 61-93 § 703.B


South Carolina Case Law

‣ Breach of confidence:

‣ McCormick v. England: Established the tort of “breach of confidence” for a physician who disclosed a patient’s information to a third party without the patient’s consent or legal compulsion. 494 S.E.2d 431 (S.C. App. 1997).

‣ But see Evans v. Rite Aid Corp., where the S.C. Supreme Court found that neither a pharmacist nor a pharmacy had a duty of confidentiality to a customer. 478 S.E.2d 846 (S.C. 1996).

‣ Following this case, the S.C. Legislature passed the Prescription Information Privacy Act. S.C. Code Ann. §§ 44-117-10 through -380.


Patient Confidentiality: Behavioral Health

‣ Behavioral Health information:

‣ S.C. Code Ann. § 19-11-95 – creates both a privilege and a confidentiality obligation for behavioral health providers (not physicians) – a provider may not knowingly reveal a confidence of his patient, use a confidence of his patient to the disadvantage of the patient, or use a confidence of his patient for the advantage of himself or of a third person, unless the patient gives written authorization after disclosure to him of which confidences are to be used and how they are to be used, except when permitted by law.

‣ Requires providers to pass on confidentiality/re-disclosure obligations downstream.


Patient Confidentiality: Behavioral Health

‣ Exceptions: a provider may disclose confidential information:

‣ With written authorization;

‣ As allowed by law;

‣ To prevent the commission of a crime/prevent harm to the patient;

‣ To collect a fee for service;

‣ In the course of diagnosis, counseling, or treatment, confidences necessary to promote care within the generally recognized and accepted standards, practices, and procedures of the provider's profession; and

‣ For peer review participation.


Patient Confidentiality: State Laws

‣ Information held by the Department of Mental Health:

‣ S.C. Code Ann. § 44-22-90 – Communications between patients and mental health professionals, including general physicians, psychiatrists, psychologists, psychotherapists, nurses, social workers, or other staff members employed in a patient-therapist capacity or employees under supervision of them, are considered privileged. A patient may refuse to disclose and may prevent a witness from disclosing privileged information, with certain exceptions.


Patient Confidentiality: State Laws

‣ Exceptions:

‣ To other staff on a “need to know” basis;

‣ For involuntary commitment proceedings;

‣ In an emergency to prevent the patient from self-harm;

‣ In the course of court-ordered psychiatric examination if the information is admissible only on issues involving the patient’s mental condition;

‣ In a civil proceeding when the patient introduces his/her mental condition as an element of his/her claim or defense if the court finds that the need for the disclosure outweighs the need to protect the psychiatrist /patient relationship;

‣ With consent of the patient or legal representative; or

‣ As otherwise permitted by law.


Patient Confidentiality: State Laws

‣ S.C. Code Ann. § 44-22-100 - Certificates, applications, records, and reports made by the DMH that directly or indirectly identify a mentally ill or alcohol and drug abuse patient or former patient, or an individual whose commitment has been sought, must be kept confidential and must not be disclosed except:

‣ With patient or legal representative’s consent;

‣ Court decides that failure to disclose in a proceeding is contrary to public interest;

‣ Required for research by the DMH or DAODAS with patient consent;

‣ Necessary to cooperate with law enforcement, health, welfare and other State agencies or when furthering the welfare of the patient/patient’s family;

‣ Disclosure is necessary to carry out the provisions of Chapters 9, 11, 13, 15, 17, 20, 23, 24, 25, 27 & 52 of Title 44 of the S.C. Code.


Patient Confidentiality: State Laws

‣ S.C. Code Ann. § 44-26-130 - Communications between clients and intellectual disability professionals, including general physicians, psychiatrists, psychologists, nurses, social workers, members of interdisciplinary teams, or other staff members employed in a client-therapist capacity or an employee under supervision of them, are considered confidential. Certificates, applications, records, and reports made for the purpose of Chapter 26 that directly or indirectly identify a client, as well as privileged communications, must be kept confidential and must not be disclosed by any person, with exceptions.


Patient Confidentiality: State Laws

‣ Exceptions:

‣ The client or legal representative consents;

‣ Court decides that failure to disclose in a proceeding is contrary to public interest;

‣ Required for research conducted by the Department;

‣ Necessary to cooperate with law enforcement, health, welfare and other State agencies, schools, and county entities;

‣ Necessary to carry out Chapter 26.

‣ Also:

‣ To the next of kin upon inquiry;

‣ For educational purposes if the client’s identity is concealed;

‣ To the ombudsman or S.C. Protection and Advocacy System for the handicapped, Inc.


Patient Confidentiality: State Laws

‣ Protects information regarding STDs.

‣ All information which is reported to DHEC regarding STDs must be kept completely confidential with extremely limited exceptions.

‣ Confidentiality of information encourages persons who may be infected to obtain testing and counseling, which in turn protects the public health.

‣ In order to ensure the confidentiality of records relating to sexually transmitted diseases, DHEC must keep information related to known or suspected cases of sexually transmitted disease strictly confidential. S.C. Code Ann. § 44-29-135.


Patient Confidentiality: State Laws

‣ Drug and Alcohol Treatment (creates a privilege):

‣ S.C. Code Ann. § 44-53-140 - Whenever a holder of the privilege shall seek counselling, treatment, or therapy for any drug problem from a confidant, no statement made by such holder and no observation or conclusion derived from such confidant shall be admissible against such holder in any proceeding. The results of any examination to determine the existence of illegal or prohibited drugs in a holder's body shall not be admissible in any proceeding against such holder.

‣ The privilege belongs to the holder and if he waives the right to claim the privilege the communication between the holder of the privilege and the confidant shall be admissible in evidence in any proceeding.

‣ There is no privilege if the services of a confidant are sought to enable the holder of the privilege to commit or plan to commit a crime or a tort.


Patient Confidentiality: Federal Laws

‣ Constitutional Protections:

‣ Fifth Amendment – The U.S. Supreme Court held that there is a right to privacy which is an interest related to personal autonomy and an interest in avoiding disclosure of personal matters.

‣ Fourteenth Amendment – The right to protection against an invasion of privacy extends to a person’s documents, which include a person’s health information.

‣ Whalen v. Roe, 429 U.S. 589 (1977).


Patient Confidentiality: Federal Laws

‣ Privacy Act of 1974 – Enacted to help protect personal information collected by the federal government, including medical information collected in the Medicare and Medicaid programs. 5 U.S.C. § 552a.

‣ The confidentiality protection under this federal statute is riddled with exceptions. Persons/agencies with access to these records are: (1) employees of the agency maintaining the record; (2) recipients who provide advance notice that records will be used for statistical research; (3) federal government agencies enforcing civil/criminal law; (4) persons showing a compelling need; and (5) a private firm to which records are disclosed for transcription or copying. Id.


Patient Confidentiality: Federal Laws

‣ Medicare/Medicaid Conditions of Participation:

‣ Hospitals: 42 C.F.R. § 482.24(b)(3)

‣ Critical Access Hospitals: 42 C.F.R. § 485.638(b)(1)

‣ Home Health Services: 42 C.F.R. § 484.10(d)

‣ Hospice: 42 C.F.R. § 418.52(c)(5)

‣ Community Mental Health Centers: 42 C.F.R. § 485.910(c)(3)


Patient Confidentiality: Federal Laws

‣ Alcohol and Drug Rehab Act – Severely limits access to records of alcohol and drug abuse patients.

‣ 42 U.S.C. § 290dd-2; 42 C.F.R. Part 2.

‣ Applies only to programs holding themselves out as providing drug and alcohol treatment;

‣ Applies to Medicare participating hospitals only if the hospital:

‣ Has an identified unit that provides drug and alcohol diagnosis, treatment or referral; or

‣ Has medical personnel or other staff whose primary function is the provision of such care.


Patient Confidentiality: Federal Laws

‣ Disclosures may be made:

‣ With prior written consent of the patient, under the circumstance and purpose expressed in the consent (requires a specific consent);

‣ With or without patient consent when made to medical personnel to the extent necessary to handle a bona fide medical emergency;

‣ Without consent for research, management audit, or program evaluation purposes as long as patient's identity is not revealed; or

‣ Without patient consent pursuant to a court order upon application showing good cause. Good cause = the public interest in the need to disclose weighed against the potential injury to the patient, the physician-patient relationship, and the treatment program.


Patient Confidentiality: Federal Laws

‣ Good cause in a civil case:

‣ Other ways of obtaining the information are unavailable or ineffective; &

‣ The public interest and need for disclosure outweigh the potential injury to the patient, the physician-patient relationship, and the treatment services.

‣ Good cause in a criminal case:

‣ Extremely serious crime (ex: homicide, rape, kidnapping);

‣ Information will be of substantial value in the case;

‣ Other ways of obtaining the information are unavailable or ineffective;

‣ Injury to the patient, physician/patient relationship & the program is outweighed by public interest in making the disclosure; &

‣ The applicant & person holding the records has been afforded counsel.


HIPAA: Privacy and Security

HIPAA/HITECH

‣ Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”)

‣ American Recovery and Reinvestment Act of 2009:

• Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH”);

• Subtitle D – Privacy

‣ New HITECH Implementing Regulations: 78 F.R. 5566 (“HITECH Final Rule”) published January 25, 2013 – effective March 26, 2013 – enforcement begins September 22, 2013

‣ HITECH Final Rule also implements changes necessary in the Patient Safety & Quality Improvement Act (“PSQIA”) and the Genetic Information Nondiscrimination Act (“GINA”)

HIPAA/HITECH = Assumptions

‣ I will assume that you all speak “HIPAA”

HIPAA/HITECH

HITECH made multiple changes in the existing HIPAA Statutes, Privacy Standards and Security Standards that directly affect covered entities, business associates and others.

HIPAA/HITECH

‣ HITECH Act Definitions: Generally, all definitions are the same as under prior law, with the exception of the terms further described in this presentation.

‣ HITECH Final Rule provides more definitions, including HITECH, PSQIA & GINA.

Abbreviations: KEY

‣ Covered Entity: CE

‣ Business Associate: BA

‣ Business Associate Agreement: BAA

‣ Individually Identifiable Health Information: IIHI

‣ Protected Health Information: PHI

‣ Electronic Protected Health Information: E-PHI

‣ Civil Money Penalty: CMP

‣ Notice of Privacy Practices: NPP

HIPAA

‣ HIPAA applies to health plans, health care clearinghouses and health care providers that transmit PHI in a HIPAA covered transaction, including:

‣ health claims or equivalent encounter information;

‣ health claims attachments;

‣ enrollment and disenrollment in a health plan;

‣ eligibility for a health plan;

‣ health care payment and remittance advice;

‣ health plan premium payments;

‣ first report of injury;

‣ health claim status; and

‣ referral certification and authorization.


HIPAA

‣ HIPAA purposes:

‣ Standardize the transmission of information between health care providers and payors

‣ Protect the privacy and security of health information


HIPAA

‣ Various regulations have been promulgated under HIPAA and HITECH:

‣ Security Standards

‣ Privacy Standards

‣ Identifier standards:

‣ Provider;

‣ Health Plan; &

‣ Employer

‣ Transaction Standards

‣ Enforcement Standards

‣ Breach Standards


General Rules

‣ Must have policies and procedures to comply with the Privacy Standards and the Security Standards.

‣ Prior to HITECH, the Privacy and Security Standards applied only to CEs.

‣ After HITECH many of the provisions of the Privacy and Security Standards apply to BAs.


General Rules: Privacy Standards

‣ Privacy Standards are all about using and disclosing PHI.

‣ Prior to using or disclosing PHI for any purpose, the purpose of the use or disclosure should be determined, and the PHI used and disclosed only as required or permitted by the Privacy Standards.

‣ Always ask 2 questions:

‣ Who is the requestor?

‣ What is the purpose of the request?

‣ Prior to requesting PHI for any purpose, the purpose of the request should be determined and requested only as permitted under the Privacy Standards.


General Rules: Privacy Standards

‣ Only two required disclosures:

‣ MUST provide access to the individual (with some exceptions)

‣ MUST provide access to the Secretary of the USDHHS

‣ All of the rest of the disclosures are permissive disclosures under the Privacy Standards.


General Rules: Privacy Standards

‣ MAY use or disclose protected health information only as permitted under the Privacy Standards (Policies/Procedures):

‣ For treatment, payment and health care operations;

‣ Pursuant to a HIPAA authorization;

‣ Notification purposes: family members/friends;

‣ Governmental agencies (DHEC; LLR; OSHA; FDA; etc.);

‣ Law enforcement;

‣ Legal proceedings;

‣ Business Associates.


General Rules: Privacy Standards

‣ Need policies and procedures for all of the foregoing and:

‣ Designation of the Privacy Officer;

‣ Privacy Training;

‣ Notice of Privacy Practices;

‣ Patient Directory;

‣ Minimum Necessary Standard;

‣ Amendment of PHI;

‣ Accounting of Disclosures;

‣ Restrictions on the Use and Disclosure of PHI;

‣ Confidential Communications;

‣ Complaints;

‣ Safeguarding PHI;

‣ Sanctions;

‣ Mitigation;

‣ Non-retaliation;

‣ Fundraising;

‣ Marketing;

‣ Research;

‣ . . . etc.


Telemedicine Issues: Privacy Standards

‣ Privacy Training;

‣ Make the determination by “following the PHI”:

‣ Hardware vendors;

‣ Software/application vendors.

‣ NPP;

‣ Does your NPP anticipate using and disclosing PHI via telemedicine?

‣ Designated Record Set;

‣ Does your DRS policy/procedure include audio/video formatted PHI as part of your DRS?

‣ Why does that matter?


Telemedicine Issues: Privacy Standards

‣ Access to PHI;

‣ When a patient requests a copy of or access to their PHI, have you anticipated how to provide a copy of the audio/video recording of the telemedicine encounter?

‣ Amendment of PHI;

‣ If a telemedicine encounter is going to be recorded as part of the DRS, how do you accommodate a request for amendment to the recorded encounter?


Telemedicine Issues: Privacy Standards

‣ Marketing: Contacts by BA telemedicine vendors:

‣ General Rule: If you are going to use or disclose PHI for marketing purposes, you must obtain an authorization from the patient.

‣ Very narrow exceptions that do not apply to telemedicine:

‣ Face-to-face communications (NOT over the telephone);

‣ Provision of a nominal gift;

‣ Refill reminders;

‣ For treatment to direct a patient to an alternative treatment, therapy, health care provider or setting of care;

‣ Describe a health-related product or service included in a plan of benefits;

‣ Case management or care coordination, contacting individuals about treatment alternatives and related function to the extent these activities do not fall within the definition of treatment.


General Rules: Security Standards

‣ CEs and BAs must protect the security of all E-PHI in a manner consistent with the Security Standards.

‣ CEs and BAs must:

‣ Ensure the confidentiality, integrity, and availability of all E-PHI the CE or BA creates, receives, maintains, or transmits;

‣ Protect against any reasonably anticipated threats or hazards to the security or integrity of such information;

‣ Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under the Security Standards;

‣ Ensure compliance with the Security Standards by its workforce.


General Rules: Security Standards

‣ CEs and BAs may use any security measures that allow them to reasonably and appropriately implement the standards and implementation specifications as specified in the Security Standards.

‣ In deciding which security measures to use, CEs and BAs must take into account the following factors:

‣ The size, complexity, and capabilities of its facility;

‣ The CE and BA’s technical infrastructure, hardware, and software security capabilities;

‣ The costs of security measures;

‣ The probability and criticality of potential risks to E-PHI.


General Rules: Security Standards

‣ If the applicable Security Standard implementation specification is required, then the CE or BA must implement that Security Standard implementation specification;

‣ If the applicable Security Standard implementation specification is addressable, then the CE or BA must:

‣ Implement the implementation specification if reasonable and appropriate; or

‣ If implementing the implementation specification is not reasonable and appropriate:

‣ Document why it would not be reasonable and appropriate to implement the implementation specification; and

‣ Implement an equivalent alternative measure if reasonable and appropriate.


General Rules: Security Standards

‣ Risk Analysis;

‣ Risk Management;

‣ Sanctions;

‣ Information System Activity Review;

‣ Security Official;

‣ Information Access Policy;

‣ Security Awareness Training;

‣ Identify and Respond to Security Incidents;

‣ Contingency Plan


General Rules: Security Standards

‣ Evaluate Security Policies;

‣ Facility Access Controls;

‣ Workstation Use and Security;

‣ Device and Media Controls;

‣ Technical Access Controls;

‣ Audit Controls;

‣ Integrity;

‣ Person or Entity Authentication; and

‣ Transmission Security.


General Rules: Security Standards

‣ Review all of your Security policies/procedures to determine whether updates are necessary;

‣ Conduct a risk analysis to identify the additional security concerns that arise with the development of telemedicine;

‣ Focus on:

‣ Device and Media Controls;

‣ Technical Access Controls


Special Issues with Device and Media Controls and Technical Access Controls with Telemedicine

‣ More and more telemedicine apps are being used on portable devices

‣ Be mindful of where you are using portable devices and whether you have appropriate security (technical and physical)

‣ Use only those portable devices that are approved by the CE or BA’s IT and those portable devices that comply with your device and media controls policy.

‣ Case in point: Stolen mobile device.


CMP for Stolen Mobile Device

‣ Massachusetts Eye and Ear Infirmary and its associated physician practice

‣ Self-reported the theft of an unencrypted laptop containing PHI of > 500 patients from an employed physician while on vacation

‣ No finding of financial or reputational harm to the patients

‣ Findings: Failure to . . .

‣ Restrict access to ePHI from unauthorized users/portable devices and be able to track access

‣ Track movement of both Hospital/personal portable devices on and off premises

‣ Implement encryption or appropriate alternatives to encryption

‣ 9/17/2012 – Agreement (3 years)

‣ $1.5 Million CMP

‣ A Corrective Action Plan (includes a framework for updating policies/procedures and compliance plans for mobile devices)

‣ http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/meei-agreement-pdf.pdf


Special Issues with Technical Access Controls

‣ Encryption is considered an “addressable” implementation specification.

‣ The Security Rule does not require that encryption be used, BUT recall that for addressable specifications, if the CE or BA determines that the specification is not reasonable, then the CE or BA must explain why in writing and implement an equivalent measure if reasonable and appropriate.

‣ Weigh the benefits and costs with implementing encryption (for data in motion and data at rest).


Special Issues with Technical Access Controls

‣ Encryption Industry Standards:

‣ Data at rest – NIST Special Publication 800-111

‣ Data in motion – FIPS 140-2 (Includes NIST Special Publications 800-52, 800-77 or 800-113)

‣ FIPS: www.itl.nist.gov/fipspubs/index.htm

‣ NIST: www.nist.gov/


Notification of Breach

‣ The nature of the technology enabling telemedicine increases the potential for there to be unauthorized access.

Notification of Breach: HITECH Act

‣ General Rule:

‣ A CE that accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses or discloses unsecured protected health information shall, in the case of a breach, notify the individual whose unsecured protected health information has been or is reasonably believed by the CE to have been accessed, acquired, or disclosed as a result of such breach.

‣ BAs shall notify the CE of such breaches.

Breach: HITECH Final Rule

‣ “Breach” means the acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Standards which compromises the security or privacy of such information . . .

Breach: Exceptions

‣ Any unintentional acquisition, access, or use of PHI by a workforce member or person acting under the authority of a CE or BA, if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted under the Privacy Standards;

‣ Any inadvertent disclosure by a person who is authorized to access PHI at a CE or BA to another person authorized to access PHI at the same CE or BA, or OHCA in which the CE participates, where the PHI received as a result of such disclosure is not further used or disclosed in a manner not permitted under the Privacy Standards; and

‣ A disclosure of PHI where a CE or BA has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.

Definition of Breach: Interim Final Rule

‣ Added a “harm” standard by defining “compromises the security or privacy of [protected health] information” as follows:

‣ Posed a significant risk of financial, reputational or other harm to the individual.

‣ Senator Waxman did not like this change and informed Secretary Sebelius by letter dated October 1, 2009.

‣ The HITECH Final Rule significantly modified the meaning of “compromises the security and privacy of PHI”.

Whether a Reportable Breach Occurred: Low Probability Standard

‣ Depends upon a risk assessment of four factors:

‣ The nature and extent of the PHI involved, including the types of identifiers and the likelihood of reidentification;

‣ The unauthorized person who used the PHI or to whom the disclosure was made;

‣ Whether the PHI was actually acquired or viewed; and

‣ The extent to which the risk to the PHI has been mitigated.

‣ If, after the consideration of each of the foregoing factors, the CE has determined that there is a low probability that the privacy or security of the PHI has been compromised, then no breach notification is required.

Unsecured PHI: HITECH Act (Update: HITECH Final Rule)

‣ Unsecured Protected Health Information (“Unsecured PHI”): PHI that is not secured by a technology standard that renders PHI unusable, unreadable, or indecipherable to unauthorized persons and is developed or endorsed by a standards developing organization that is accredited by the American National Standards Institute.

‣ Guidance published April 17, 2009.

Palmetto Care Connections www.nexsenpruet.com webinar

Breach Notification not required if the PHI is not “Unsecured PHI”

‣ The technologies and methodologies that render PHI unusable, unreadable, or indecipherable to unauthorized individuals are:

‣ Electronic PHI that has been encrypted

‣ Data at rest – NIST Special Publication 800-111

‣ Data in motion – FIPS 140-2 (Includes NIST Special Publications 800-52, 800-77 or 800-113)

‣ Media on which PHI is stored or recorded has been destroyed:

‣ Paper, film or hard copy: shredded or destroyed such that it cannot be reconstructed

‣ Electronic media: cleared or purged consistent with NIST Special Publication 800-88

‣ FIPS: www.itl.nist.gov/fipspubs/index.htm

‣ NIST: www.nist.gov/
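The "Unsecured PHI" safe harbor above turns on one technical question: does the stored data remain indecipherable to whoever obtains it? The following Go program is an added illustration written for this page, not code from the webinar or from any HHS guidance document. It encrypts a constructed sample record with AES-256-GCM (an algorithm a FIPS 140-2 validated module can offer; Go's standard library implementation is used here only to show the mechanics and is not itself a validated module) and shows that without the key the blob cannot be read or silently altered. The record contents and field names are invented. The practical caveat the slide implies is that the safe harbor only helps if the key was not lost alongside the data, which is why the key is generated and held separately from the blob here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewKey returns a fresh 256-bit key. In production the key belongs in a key
// manager or HSM, never on the same disk or in the same backup as the records
// it protects; a stolen laptop that carries both is still "unsecured PHI".
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts one record with AES-256-GCM. A random 96-bit nonce is
// prepended to the ciphertext; the GCM tag authenticates both, so any
// alteration of the stored blob is detected when it is opened.
func Seal(key, record []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, record, nil), nil
}

// Open reverses Seal. It returns an error, never garbage, when the key is
// wrong or the blob has been modified.
func Open(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("stored blob is shorter than a nonce")
	}
	nonce, ciphertext := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ciphertext, nil)
}

func main() {
	// Constructed sample record; not real patient data.
	record := []byte(`{"mrn":"000000","name":"Sample Patient","visit":"telemedicine follow-up"}`)
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	blob, err := Seal(key, record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored blob (%d bytes), first bytes: %x\n", len(blob), blob[:12])

	// An all-zero key stands in for "the thief does not have the key".
	if _, err := Open(make([]byte, 32), blob); err != nil {
		fmt.Println("without the key the blob is indecipherable:", err)
	}
	back, err := Open(key, blob)
	if err != nil {
		panic(err)
	}
	fmt.Println("with the key:", string(back))
}
```

Run as a plain Go program; the same Seal/Open pair would sit in front of whatever storage layer holds recordings and transcripts from a telemedicine session, with the key fetched from a separate service at runtime.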

Breaches Treated as Discovered

‣ A breach is discovered by a CE on the first day the breach is known or, by exercising reasonable diligence, would have been known to the CE;

‣ A breach is discovered by a BA on the first day the breach is known or, by exercising reasonable diligence, would have been known to the BA;

‣ A BA or Subcontractor is required to report the breach to the CE in accordance with the terms of the BA;

‣ Clarified in the HITECH Final Rule: A CE will be deemed to have discovered a breach on the first day the breach was discovered by a BA only if the BA is acting as an agent of the CE.

Breach Treated as Discovered

‣ Whether a BA is an agent of the CE is determined by the application of the federal common law of agency: Although there are multiple factors, DHHS found these four (4) to be most important in a “facts and circumstances” test:

‣ (1) The time, place, and purpose of a BA agent's conduct;

‣ (2) whether a BA agent engaged in a course of conduct subject to a CE's control (manner and means by which the product is accomplished);

‣ (3) whether a BA agent's conduct is commonly done by a BA to accomplish the service performed on behalf of a CE; and

‣ (4) whether or not the CE reasonably expected that a BA agent would engage in the conduct in question.

Notification of Breach

‣ Notice must be made within 60 days of when the CE knows or should reasonably have known of the breach.

‣ Individuals: notice is provided in writing by first class mail, or by e-mail if the individual provided a preference.

‣ If contact information is out of date (including 10 or more such individuals), post a toll-free number on the CE’s website where individuals can learn if their unsecured PHI has been breached.

‣ Regulations add provisions for Personal Representatives of deceased individuals and for when contact information is insufficient or out of date:

‣ Fewer than 10: alternative form of written notice, telephone or other means

‣ 10 or greater: conspicuous posting for 90 days on CE’s webpage or in major broadcast media AND contact information

Notification of Breach

‣ If notification is urgent because of possible misuse, the CE may telephone the individual(s)

‣ If 500 or more individuals are involved, notice must be provided to prominent media outlets.

‣ Notice must be provided to the Secretary of DHHS;

‣ If 500 or more individuals are involved, this notice must be given immediately

‣ If fewer than 500, the CE may keep a log and disclose to the Secretary annually.

‣ The Secretary of DHHS will post the identities of the CEs involved in breaches where more than 500 individuals are involved.
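The rules on the preceding slides (the low probability gate, the "Unsecured PHI" threshold, the agent-BA discovery rule and the notification tiers) combine into a decision procedure that an incident response team works through for every suspected breach. The Go program below is an added example written for this page; it is not from the webinar and is not a substitute for legal review. It encodes only what the slides state: no notification when the PHI was secured or the four-factor assessment found a low probability of compromise; the 60-day clock runs from the CE's own discovery date unless an agent BA knew earlier; substitute notice depends on how many individuals cannot be reached; and 500 or more individuals triggers media notice and immediate notice to the Secretary. The struct and field names, and the scenario in main, are this example's own constructions.

```go
package main

import (
	"fmt"
	"time"
)

// BreachFacts holds what the response team has established once the
// four-factor risk assessment is complete. Field names are this example's
// own; they are not regulatory terms.
type BreachFacts struct {
	Unsecured        bool      // PHI was not encrypted or destroyed per the HHS guidance
	LowProbability   bool      // assessment found a low probability of compromise
	CEDiscovered     time.Time // day the CE knew, or with reasonable diligence should have known
	BADiscovered     time.Time // day the BA knew; zero value when no BA was involved
	BAIsAgent        bool      // BA acts as the CE's agent under the federal common law of agency
	Affected         int       // individuals whose unsecured PHI was involved
	StaleContactInfo int       // individuals whose contact information is insufficient or out of date
}

// Obligations is the notification plan derived from the facts.
type Obligations struct {
	NotificationRequired bool
	DiscoveryDate        time.Time // the CE's deemed discovery date
	IndividualDeadline   time.Time // 60 days from deemed discovery
	SubstituteNotice     string    // what to do for individuals who cannot be reached
	MediaNotice          bool      // prominent media outlets must be notified
	SecretaryNotice      string    // when the Secretary of DHHS is notified
}

// Assess applies the notification rules from the slides to one incident.
func Assess(f BreachFacts) Obligations {
	var o Obligations
	// Secured PHI, or a documented low probability of compromise, ends the analysis.
	if !f.Unsecured || f.LowProbability {
		return o
	}
	o.NotificationRequired = true

	// The clock starts on the CE's own discovery date, unless an agent BA knew earlier.
	o.DiscoveryDate = f.CEDiscovered
	if f.BAIsAgent && !f.BADiscovered.IsZero() && f.BADiscovered.Before(f.CEDiscovered) {
		o.DiscoveryDate = f.BADiscovered
	}
	o.IndividualDeadline = o.DiscoveryDate.AddDate(0, 0, 60)

	switch {
	case f.StaleContactInfo >= 10:
		o.SubstituteNotice = "conspicuous posting for 90 days on the CE's website or in major broadcast media, with a toll-free number"
	case f.StaleContactInfo > 0:
		o.SubstituteNotice = "alternative written notice, telephone or other means"
	default:
		o.SubstituteNotice = "none needed"
	}

	o.MediaNotice = f.Affected >= 500
	if f.Affected >= 500 {
		o.SecretaryNotice = "immediately"
	} else {
		o.SecretaryNotice = "log the breach and report to the Secretary annually"
	}
	return o
}

func main() {
	// Constructed scenario, not an incident from the webinar: a scheduling vendor
	// acting as the CE's agent lost an unencrypted export of 620 records and
	// told the CE five days after it found out.
	ceKnew := time.Date(2015, time.August, 26, 0, 0, 0, 0, time.UTC)
	o := Assess(BreachFacts{
		Unsecured:        true,
		CEDiscovered:     ceKnew,
		BADiscovered:     ceKnew.AddDate(0, 0, -5),
		BAIsAgent:        true,
		Affected:         620,
		StaleContactInfo: 12,
	})
	fmt.Printf("deemed discovery:      %s\n", o.DiscoveryDate.Format("2006-01-02"))
	fmt.Printf("individual notice due: %s\n", o.IndividualDeadline.Format("2006-01-02"))
	fmt.Printf("substitute notice:     %s\n", o.SubstituteNotice)
	fmt.Printf("media notice:          %t\n", o.MediaNotice)
	fmt.Printf("Secretary of DHHS:     %s\n", o.SecretaryNotice)
}
```

The point the scenario makes is the one the "Breaches Treated as Discovered" slides make: when the BA is the CE's agent, five days of vendor silence are five days off the CE's 60-day window, so the BA agreement should require prompt reporting regardless of agency status.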

Notification to the Secretary

Breach notification webpage: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/index.html

Guidance for notifying Secretary of breaches: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brinstruction.html

• Submit Notice of a Breach Affecting 500 or More Individuals

• Submit Notice of a Breach Affecting Fewer than 500 Individuals

Notification of Breach

Content of notice to the individual:

• Brief description of what happened (include date of breach and date of discovery)

• A description of the types of Unsecured PHI involved in the breach

• The steps that individuals should take to protect themselves from potential harm

• A brief description of what the CE is doing to investigate, mitigate losses and protect against further breaches

• Contact information (toll-free telephone number, an e-mail address, web site, or postal address)

Notification of Breach

Notice can be delayed if necessary if law enforcement determines that notice:

• Would impede a criminal investigation

• Cause damage to national security

Notification of Breach

‣ State law compliance:

‣ S.C. Code Ann. § 39-1-90

‣ Modify your Notification of Breach Policy to also cover your obligations under State law.

What happens with a HIPAA violation???

‣ A/K/A: Why should I care???

‣ Criminal Penalties

‣ Civil Penalties

HITECH Update: Criminal Penalties

‣ Clarification of the application of criminal penalties for wrongful disclosures

‣ Amends the HIPAA Statute to make it clear that the criminal penalties apply to employees and other individuals, including physicians


HIPAA Criminal Penalties

• (a) A person who knowingly and in violation of HIPAA-

• (1) uses or causes to be used a unique health identifier;

• (2) obtains IIHI relating to an individual; or

• (3) discloses IIHI to another person, shall be punished as provided in subsection (b) of this section.

• (b) Penalties

• A person described in subsection (a) of this section shall--

• (1) be fined not more than $50,000, imprisoned not more than 1 year, or both;

• (2) if the offense is committed under false pretenses, be fined not more than $100,000, imprisoned not more than 5 years, or both; and

• (3) if the offense is committed with intent to sell, transfer, or use IIHI for commercial advantage, personal gain, or malicious harm, be fined not more than $250,000, imprisoned not more than 10 years, or both.


Physician Criminal Conviction Upheld: 5/10/2012

‣ A visiting cardiothoracic surgeon from China (working as a research assistant) was convicted of misdemeanor violation of the HIPAA criminal statute

‣ After his termination from UCLA, on at least four occasions, he accessed four patient records (co-workers and celebrity)

‣ The 9th Circuit upheld the district court’s finding that he knowingly and in violation of HIPAA obtained IIHI relating to individuals

‣ Sentence:

‣ Four months in prison, then a year of supervised release;

‣ $2000 fine

HITECH: Civil Money Penalties

‣ HITECH significantly revises the HIPAA CMP Statute to include non-compliance due to willful neglect and requires DHHS to investigate if a complaint indicates a violation due to willful neglect.

‣ CMP $$ collected go to the OCR and are used for increased enforcement.

HITECH: Civil Money Penalty Tiers

(a) $100/violation, the total not to exceed $25,000 for identical violations / calendar year;

(b) $1,000/violation, the total not to exceed $100,000 for identical violations/calendar year;

(c) $10,000/violation, the total not to exceed $250,000 for identical violations/calendar year;

(d) $50,000/violation, the total not to exceed $1,500,000 for identical violations/calendar year.

‣ For a violation where the person did not know, and by exercising due diligence would not have known, the penalty will be not less than (a) but not more than (d).

‣ For a violation due to reasonable cause, but not willful neglect, the penalty will be not less than (b) but not more than (d).

‣ For a violation due to willful neglect:

‣ If corrected, the penalty will be not less than (c) but not more than (d);

‣ If not corrected, the penalty will be not less than (d).


First CMP: 2/4/2011

‣ Cignet Health: Large multi-healthcare provider group

‣ Failed to provide 41 patients access to their PHI (were 41 complaints – all individually filed with the OCR)

‣ Initial fine: $1.3 Million for failure to provide access

‣ Subsequent fine: $3.0 Million for failure to cooperate with the OCR’s investigation (3/17/2009 – 4/7/2010)

‣ Total fine: $4.3 Million

‣ Upshot – cooperate with the OCR investigation!


OCR sends a message to small physician practices: 4/17/2012

‣ Phoenix Cardiac Surgery (5 physician practice)

‣ Complaint: posting surgery and appointment schedules on a publicly accessible internet-based calendar

‣ OCR found a “multiyear, continuing failure” to

‣ Implement policies and procedures

‣ Document training of employees

‣ Identify a security official at the practice

‣ Conduct a security analysis

‣ Obtain business associate agreements with its internet-based email and scheduling services


Phoenix Cardiac Surgery Penalties

‣ Resolution Agreement:

‣ http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/pcsurgery_agreement.pdf

‣ $100,000 CMP

‣ Comply with a Corrective Action Plan (one year)

‣ Develop and implement Privacy and Security policies/procedures and provide to the OCR for approval

‣ Implement the policies/procedures within 30 days of approval

‣ Distribute the policies/procedures to its workforce and require written certifications of initial compliance from each

‣ Assess and update the policies and procedures annually

‣ Make reports to the OCR


First HIPAA Settlement for Breach of < 500 patients’ PHI (01/02/2013)

‣ Hospice of North Idaho (“HONI”) reported the theft of an unencrypted laptop containing the PHI of 441 patients

‣ OCR found:

‣ HONI failed to conduct risk analysis;

‣ HONI failed to implement security measures;

‣ HONI failed to have policies and procedures for mobile devices

‣ Settlement Agreement:

‣ Enter into a CAP

‣ CMP of $50,000

‣ http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/honi-agreement.pdf

PATIENT CONFIDENTIALITY/HIPAA

‣ Recommendations:

‣ Foster a strong culture related to the privacy & security of PHI;

‣ Be sure your cooperative providers also have similar cultures;

‣ Encrypt (data in transmission and at rest);

‣ Work with your cooperative providers to address interoperability issues up front;

‣ Coordinate operational policies and procedures with your cooperative providers;

‣ Conduct a thorough risk assessment to identify vulnerabilities and both internal and external threats to the system;

‣ Conduct a review of your HIPAA Privacy and Security Standards to address new issues;

‣ Be sure your insurance carriers (GL & Cyber) cover telemedicine practice; and

‣ Distant site providers: Remember to provide the patient with your Notice of Privacy Practices!!

Questions?

Jeanne M. Born, Member, 1230 Main Street, Suite 700, Columbia, SC, [email protected]