Texas Privacy Update
A Look at HITECH and H.B.300 Developments

Ana E. Cowan, Associate
Deborah C. Hiser, Partner
Brown McCarroll LLP

H.B. 300: How are Things Different?

H.B. 300 Effective September 1, 2012

• Completely New Framework for Enforcement
– Audits
– AG initiated action
– Hefty fines
– If you did not take HIPAA seriously before—it is time

• Update Policies and Procedures
– Training
– Breach Notification
– Marketing
– Sale of PHI
– NPP
– Update of Business Associate Contracts
– Authorization for Electronic Disclosure
– Access to Medical Record

Complaints Received by OCR
Top 5 Issues in Investigated Cases Closed with Corrective Action

Year         | Issue 1                          | Issue 2                          | Issue 3 | Issue 4           | Issue 5
2010         | Impermissible Uses & Disclosures | Safeguards                       | Access  | Minimum Necessary | Notice
2009         | Impermissible Uses & Disclosures | Safeguards                       | Access  | Minimum Necessary | Complaints to Covered Entity
2008         | Impermissible Uses & Disclosures | Safeguards                       | Access  | Minimum Necessary | Complaints to Covered Entity
2007         | Impermissible Uses & Disclosures | Safeguards                       | Access  | Minimum Necessary | Notice
2006         | Impermissible Uses & Disclosures | Safeguards                       | Access  | Minimum Necessary | Notice
2005         | Impermissible Uses & Disclosures | Safeguards                       | Access  | Minimum Necessary | Mitigation
2004         | Impermissible Uses & Disclosures | Safeguards                       | Access  | Minimum Necessary | Authorizations
Partial 2003 | Safeguards                       | Impermissible Uses & Disclosures | Access  | Notice            | Minimum Necessary

Breach Notification: 500+ Breaches by Type of Breach

OCR Enforcement Cases

OCR has stated that they will investigate every reported breach.

Rite Aid

• Take away: Must dispose of PHI correctly.
– Rite Aid pharmacies disposed of labeled prescription bottles containing PHI in containers accessible by the public.

$1 million

– Entered into a 3 year CAP and a 20 year FTC Order which requires Rite Aid to:
• Develop Privacy and Security policies to safeguard PHI during the disposal process,
• Train employees on how to properly dispose of PHI,
• Sanction offending employees, and
• Obtain external assessments of Rite Aid’s compliance.

OCR Enforcement Cases

Cignet Health

• Take away: Must give patients their medical records within 15 days of request. Always comply with OCR’s requests.
– Cignet denied 41 patients access to their medical records. During OCR investigation, Cignet ignored OCR’s requests to produce records.

$4.3 Million

OCR Enforcement Cases

Phoenix Cardiac Surgery

• Take Away:
» Small providers must comply
» Pay attention to fundamentals of security—standards are flexible and scalable
» Security in the “Cloud”

– Failed to secure appointment calendaring app
– Failed to have risk analysis and risk management process under Security Rule

$100,000

– Entered into a Corrective Action Plan (CAP) which requires a review of recently developed policies and other actions taken to come into full compliance with the Privacy and Security Rules.

Authority for HIPAA Audits

Section 13411 of the HITECH Act

The Secretary shall provide for periodic audits to ensure that covered entities and business associates that are subject to the requirements of this subtitle and subparts C and E of part 164 of title 45, Code of Federal Regulations, as such provisions are in effect as of the date of enactment of this Act, comply with such requirements.

The Initial 20 Audits

Quick OCR/KPMG HIPAA Audit Update – 1st 20 Audits

• Large providers/payors with more than $1 billion in revenue and/or assets
• Large regional hospital systems/regional payor with between $300 million and $1 billion in revenue and/or assets
• Community hospitals, ambulatory surgery centers, regional pharmacies (with between $50 million)
• Small providers and community pharmacies with less than $50 million in revenue and/or assets

Audits: What to Expect

The Questions HHS Might Ask: Lessons Learned From Piedmont

1. Establishing and terminating users’ access to systems housing ePHI
2. Emergency access to electronic information systems
3. Inactive computer sessions (periods of inactivity)
4. Recording and examining activity in information systems that contain or use ePHI
5. Risk assessments and analysis of relevant information systems that house or process ePHI data
6. Employee sanction policies
7. Incident reports
8. Audit logs and access reports
9. Listing of all network perimeter devices, i.e. firewalls and routers

The Questions HHS Might Ask (continued)

10. Remote access activity (network infrastructure platform, access servers, authentication and encryption software)
11. Password and server configurations
12. Antivirus software
13. Maintenance and repairs of hardware, walls, doors, and locks in sensitive areas

Additional Questions HHS Might Ask (continued)

1. Information systems that house ePHI data, as well as network diagrams, including all hardware and software that are used to collect, store, process, or transmit ePHI
2. Terminated employees
3. New Hires
4. Outsourced individuals and contractors with access to ePHI. Provide a copy of the contract for these individuals
5. Organizational Charts
6. List of all users with access to ePHI data
7. Identify each user’s access rights and privileges
8. List of systems administrators, backup operators, and users
9. List of all users with remote access capabilities
10. Regularly review OCR website and review CAPs

Step 3: Site Visits
• Personal Interviews with CE leadership
• Up Close and Personal Examination
• Policy Consistency
• Observation


Step 4: Auditor Reports

• Auditors will develop a draft report

• Final report submitted to OCR

• OCR may initiate compliance review for serious issues

• If they do, you will be subject to a CAP

New Civil Monetary Penalty System

• Accidental
– $100 each violation
– Up to $25,000 for identical violations, per year

• Not Willful Neglect, but Not Accidental
– $1,000 each violation
– Up to $100,000 for identical violations, per year

• Willful Neglect, Not Corrected
– $50,000 each violation
– Up to $1.5 million per year

And… Don’t forget about Criminal Penalties

• “Knowingly”
– $50,000
– Imprisonment up to one year.

• False pretenses
– Up to $100,000 fine
– Up to five years in prison.

• Intent to sell, transfer, or use for commercial advantage, or for personal gain or malicious harm
– $250,000
– Imprisonment for up to ten years.

H.B. 300: Audits

H.B. 300 TX Health & Safety Code § 181.206

Audits of Covered Entities

• If there appears to be a pattern of violations, the Texas Commission of HHS may:
– Require the covered entity to submit a risk analysis regarding the potential risks and vulnerabilities to the confidentiality, integrity, and availability of PHI, and
– If the covered entity is licensed by a Texas agency, request the agency to conduct an audit.

Texas H.B. 300: AG Action

H.B. 300 TX Health & Safety Code § 181.154

AG Initiated Action
• AG may sue a covered entity for violation of the Texas Privacy Law.
• AG may bring an action only if the agency the entity is licensed by refers the violation to the AG.
• AG may retain a reasonable amount of the civil penalty.

H.B. 300: Texas Attorney General Enforcement

In May 2011, OCR invited the 50 state attorneys for in-person HIPAA training so that they may properly enforce HIPAA and HITECH in their respective states.

Texas H.B. 300: It comes down to $$$$

H.B. 300 TX Health & Safety Code § 181.154

Civil Penalties in Addition to Injunctive Relief (May Not Exceed)
– $5,000 per violation per year, negligently
– $25,000 per violation per year, knowingly or intentionally
– $250,000 per violation per year, financial gain

Texas H.B. 300: It comes down to $$$$

• Civil penalties may not exceed $25K for violation(s) of authorization and notice requirements for disclosure of PHI if the disclosure was only made to another covered entity and was only for the purposes of treatment, payment, operations, or insurance, and the PHI was:
– Encrypted or transmitted using encryption technology,
– PHI recipient did not use or release PHI, and
– At time of disclosure, the covered entity had developed, implemented, and maintained security policies, including education and training of employees responsible for PHI security.

Texas H.B. 300: It comes down to $$$$

• If court finds violations occurred enough times to constitute a pattern, a fine not to exceed $1.5 million may be assessed.

• In determining the penalty amount, the court should consider:
– Seriousness of the violation,
– Covered entity’s compliance history and effort to correct the violation,
– If the violation poses a significant risk of financial, reputational, or other harm to individual,
– The required amount to deter future violations, and
– If the covered entity was THSA certified at time of the violation.

Texas H.B. 300: Training

H.B. 300 TX Health & Safety Code § 181.101
Training Requirements

• Covered Entities are required to train employees on state and federal laws as they relate to:
– The CE in its particular course of business
– The employee’s scope of employment

• 60 day Requirement
• Must provide for Training at least once every 2 years
• Employees must attest to being trained
• H.B. 300 Action Item: Update your policy and procedures

Texas H.B. 300: Access

H.B. 300 TX Health & Safety Code § 181.102

Access Requirements

• Electronic Health Records System
• Provide record electronically within 15 days of written request
• H.B. 300 Action Item: Update your policy and procedures

Texas H.B. 300: Sale of PHI

H.B. 300 TX Health & Safety Code § 181.153

Sale of PHI
• Covered entities may not disclose PHI in exchange for direct or indirect remuneration, unless the disclosure is for treatment, payment, health care operations, or insurance.
• The remuneration the covered entity receives may not exceed the covered entity’s reasonable costs for preparing or transmitting the PHI.
• NPRM: Provides that CE disclose in NPP

Texas H.B. 300: Sale of PHI

H.B. 300 TX Health & Safety Code § 181.153

(b) If a covered entity uses or discloses protected health information to send a written marketing communication through the mail, the communication must be sent in an envelope showing only the names and addresses of sender and recipient and must:
1. state the name and toll-free number of the entity sending the marketing communication; and
2. explain the recipient’s right to have the recipient’s name removed from the sender’s mailing list.

(c) A person who receives a request under subsection (b)(2) to remove a person’s name from a mailing list shall remove the person’s name not later than the 45th day after the date the person receives the request.

Texas H.B. 300: Sale of PHI

• This is complicated—Don’t try to figure it out on your own.
• EVEN THE FEDS DON’T KNOW HOW TO DEFINE TREATMENT
• H.B. 300 Action Item: Update policy and procedures. Texas law stricter.
• Need to be on the lookout for NPRM NPP statement

Texas H.B. 300: Notice and Authorization

TX Health & Safety Code § 181.154

Notice and Authorization Required for Electronic Disclosure of PHI

• CE must Post Notice:
– Written notice in covered entity’s place of business,
– Notice on covered entity’s website, or
– Notice in any other place where individuals are likely to see the notice.

• Obtain Authorization: Even if the above notice is posted, CE may not electronically disclose an individual’s PHI without the individual’s authorization.
– EXCEPTION: Disclosure is to another CE for the purpose of treatment, payment, operations, or insurance.

Texas H.B. 300: Notice and Authorization

TX Health & Safety Code § 181.154

Notice and Authorization Required for Electronic Disclosure of PHI

• H.B. 300 Action Items
– Update policy and procedures
– Update HIPAA authorization form to take electronic disclosure into consideration
– Post Notice (either in office or NPP)

Texas H.B. 300: Breach

H.B. 300 TX Business and Commerce Code § 521.002-521.053

Breach

• A person who conducts business in this state and owns or licenses computerized data that includes sensitive personal information must disclose any breach of system security.

• “Breach of system security” means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of sensitive personal information maintained by a person, including data that is encrypted if the person accessing the data has the key required to decrypt the data.

• Applies only if the individual whose sensitive personal information was or is reasonably believed to have been acquired by an unauthorized person is a resident of this state or another state that does not have notification laws.

• H.B. 300 Action Item: Update policy and procedures. Texas law is different than HITECH.

Sobering Thoughts

Sec. 181.202. DISCIPLINARY ACTION
• In addition to the penalties prescribed by this chapter, a violation of this chapter by a covered entity that is licensed by an agency of this state is subject to investigation and disciplinary proceedings, including probation or suspension by the licensing agency. If there is evidence that the violations of this chapter are egregious and constitute a pattern or practice, the agency may:
1. revoke the covered entity’s license; or
2. refer the covered entity’s case to the attorney general for the institution of an action for civil penalties under Section 181.201(b).

Sobering Thoughts

Sec. 181.203. EXCLUSION FROM STATE PROGRAMS
• In addition to the penalties prescribed by this chapter, a covered entity shall be excluded from participating in any state-funded health care program if a court finds the covered entity engaged in a pattern or practice of violating this chapter.

Texas H.B. 300: Business Associate Contracts

• Business Associate Contracts – Contract between a HIPAA covered entity and a HIPAA business associate. The contract protects personal health information (PHI) in accordance with HIPAA guidelines.

• Remember that your Business Associates are considered a CE under Texas law.

• H.B. 300 Action Items: Need to Update BA
– Provisions to prohibit the sale and marketing of PHI
– Update Training provisions
– Update Access provisions
– Update breach provisions (HITECH and H.B. 300)
– DON’T FORGET TO INDEMNIFY

Final Thoughts

• Change in Enforcement Landscape
• Update Policies and Procedures for HB 300 Changes
– Training Policy
– Notice of Privacy Practices
– Authorization
– Business Associate Contracts
– Access Policy
– Marketing
– Breach Policy
– Do Not Ignore Security Rules
• Train, Train, Train

Questions? Thank You

Contact

Ana E. Cowan
512-703-5791
[email protected]

Deborah C. Hiser
512-703-5718
[email protected]

111 Congress, Suite 1400
Austin, Texas 78701