Investigating Privacy Breaches under HITECH and HIPAA


Presented by:

Barry Herrin

Smith Moore Leatherwood LLP
1180 W. Peachtree St. NW, Suite 2300
Atlanta, Georgia 30309
T (404) 962-1027 F (404) 962-1200

Allyson Jones Labban

Smith Moore Leatherwood LLP
300 N. Greene Street, Suite 1400
Greensboro, North Carolina 17401
T (336) 378-5261 F (336) 378-5400

© 2008 Smith Moore Leatherwood LLP. ALL RIGHTS RESERVED.

What is “HITECH”?

• Health Information Technology for Economic and Clinical Health Act
• Enacted as part of the American Recovery and Reinvestment Act of 2009 (“Stimulus Bill”), P.L. 111-5
• Two primary components:
  – Encourages implementation of health information technology and the transition from paper records to EHR
  – Amends HIPAA to impose significant new duties on covered entities and business associates to notify patients, the Federal Government, and the media of breaches of unsecured PHI
• Notification requirement went into effect on September 23, 2009
• Enforcement begins on February 17, 2010
• A recent Ponemon Institute survey of 77 health care organizations revealed that 94% will not be ready to comply with HITECH by February 2010.

Definitions

• “Unsecured PHI”: PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of encryption technologies or methods of physical destruction approved by the Secretary of the Federal Department of Health and Human Services (“HHS”)
  – Approved technologies/destruction methods are listed at 74 Fed. Reg. 42742
• “Breach”:
  – The acquisition, access, use, or disclosure of unsecured PHI in a manner not permitted under the HIPAA privacy rule (45 C.F.R. § 164.500, et seq.)
  – that compromises the security or privacy of the PHI
• “Significant Risk of Harm”: A fact-based inquiry that focuses on the financial, reputational, or other harm that may result to the patient as a result of the use or disclosure.

To Be or Not to Be . . . A Breach

• Do not assume every use/disclosure is a “breach”
• A use/disclosure is not a breach:
  – When the PHI is properly encrypted/destroyed
  – When the use/disclosure is permitted under HIPAA
  – When a HITECH exception applies
  – When the privacy or security of the data is not compromised

Step 1: Is the information unsecured PHI?

• PHI is secured if it is:
  – Encrypted (for approved encryption methods, see the 74 Fed. Reg. 42742 list of National Institute of Standards and Technology publications, available at http://www.csrc.nist.gov)
  – Destroyed (shredded, burned, purged, cut; the proper destruction method depends on the medium)
• Also not a breach if the information is:
  – Individually identifiable health information held by the covered entity or business associate in its capacity as an employer
  – De-identified in accordance with HIPAA guidelines
• Also not a breach if the PHI:
  – Is de-identified pursuant to 45 C.F.R. § 164.514(e)(2); and
  – Does not include the patient’s zip code; and
  – Does not include the patient’s date of birth.

Step 2: Is the acquisition, access, use or disclosure permitted under HIPAA?

• A breach is an impermissible use or disclosure; if HIPAA permits or requires the use/disclosure, it is not a breach
• If the use/disclosure is not permitted under HIPAA, you must still ask:
  – Does the use/disclosure compromise the security or privacy of the PHI?
  – Not every impermissible disclosure = breach, but it may still be a violation of the privacy rule!

Step 3: Does the acquisition, access, use or disclosure fit within one of the exceptions to HITECH?

• HITECH contains three narrowly construed exceptions
• If an acquisition, access, use, or disclosure fits within an exception, it is not a breach, even if the information was unsecured PHI and the disclosure is not permitted under HIPAA
• This is a departure from the order set forth in the regulation

Step 3: HITECH Exceptions

• Exception 1: Unintentional access to, or acquisition or use of, PHI:
  – By a workforce member of the covered entity or BA
  – Acting in good faith
  – Within the course and scope of duties
  – If the access, acquisition, or use does not result in any further use or disclosure in a manner not permitted by HIPAA

• Example: A billing employee receives and opens an e-mail containing a patient’s PHI that was mistakenly sent to her. The billing employee notifies the sender of the error, and then deletes the e-mail without further using or disclosing the information.
  Exception applies – no breach.

• Example: A receptionist, who is not authorized to access PHI, decides to browse through patient files to find out information about a friend’s treatment.
  Exception does not apply – breach.

• Example: A physician on the medical staff, who is authorized to access PHI, looks through the medical records of patients she has not treated and whose cases she has not been asked to consult on.
  Exception does not apply – breach.

Step 3: HITECH Exceptions

• Exception 2: Inadvertent disclosure of PHI
  – From one workforce member at the covered entity or BA to another at the same covered entity or BA
  – Where both workforce members are authorized to access the information
  – If the access, acquisition, or use does not result in any further use or disclosure in a manner not permitted by HIPAA

• Example: An inadvertent disclosure by a member of the hospital medical staff, even if she is not a hospital employee, to a hospital employee who is authorized to receive PHI, provided that the employee does not subsequently inappropriately use or disclose the information.
  Exception applies – no breach.

• Example: A member of the medical staff deliberately discloses information to another member of the medical staff regarding a patient for whom the receiving medical staff member has no treatment or consultation responsibilities.
  Exception does not apply – breach.

Step 3: HITECH Exceptions

• Exception 3: Unauthorized disclosure of PHI to an unauthorized person:
  – Where there is a reasonable good faith belief
  – That the unauthorized recipient would not reasonably have been able to retain the information

• Example: A nurse mistakenly hands Patient A the discharge instructions for Patient B. The nurse immediately recognizes his error and retrieves the document before Patient A has a chance to review the information.
  Exception applies – no breach.

• Example: The billing office, due to a lack of reasonable safeguards, sends a number of patient statements to the wrong individuals. Some of the statements are returned unopened, marked “undeliverable.”
  Exception applies – no breach.
  The other statements that were sent to the wrong addresses, however, are not returned.
  Exception does not apply – breach.

Step 4: Does the disclosure result in a significant risk of harm to the patient?

• Must determine whether the patient is at significant risk of financial, reputational, or other harm as a result of the use or disclosure
• Involves a fact-specific weighing of various factors

• Who impermissibly used the information / to whom was the information impermissibly disclosed?
  – Disclosure to another entity subject to HIPAA: likely small risk of harm
  – Disclosure to a member of the general public: likely high risk of harm

• What steps were taken to mitigate the impermissible use or disclosure?
  – Recipient’s satisfactory assurance obtained that the information will be destroyed and not used: likely small risk of harm
  – Information is returned before it is accessed (laptop analysis reveals no access): likely small risk of harm

• What information was the subject of the impermissible use or disclosure?
  – Information concerning STDs and abuse: deemed to be a significant risk of reputational harm
  – Information concerning the fact of treatment: depends on the nature of the treatment (“General Hospital” – likely small risk of harm; “Communicable Disease Clinic” – likely high risk of harm)
  – Information that is vulnerable to identity theft (social security number, etc.): likely high risk of harm

If a significant risk of harm to the patient exists, the breach notification requirements must be followed.

Breach Notification

• Breaches Involving Fewer than 500 Individuals: Notice must be provided:
  – To the individuals whose information was breached
  – To the Secretary of HHS using the online form at http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brinstruction.html
• Breaches Involving More than 500 Individuals: Notice must be provided:
  – To the individuals whose information was breached
  – To the Secretary of HHS using the online form at http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brinstruction.html
  – To the local media
• Business associates now have an affirmative duty to notify the covered entity of a breach
• Business associate agreements, as well as agreements with subcontractors, should be revised to explicitly memorialize this duty to report

Breach Notification

• Notifications to individuals, and notifications to the media, must be written in plain language and include:
  – A brief description of the incident (date of breach and date of discovery, if known)
  – A description of the types of information breached (names, social security numbers, diagnoses); no actual PHI should be disclosed in the notice
  – Steps individuals should take to protect themselves from potential harm resulting from the breach
  – A brief description of the steps being taken to investigate, mitigate, and prevent future breaches
  – Contact procedures by which individuals can contact the covered entity about the breach (toll-free number, e-mail, web site)

Breach Notification

• Notification to individuals must be sent via first-class mail or, if the person agreed to electronic notice, by e-mail
• Where the individual is deceased, notice should be sent to the next-of-kin
• Substitute notice may be provided if there is no valid contact information:
  – Fewer than 10 individuals: By telephone, an alternate form of written notice, or other means
  – More than 10 individuals: By conspicuous notice on the entity’s web site or in local print or broadcast media; must include a toll-free information number valid for at least 90 days

Breach Notification

• Deadlines for notice key off the date the breach was discovered
• A breach is “discovered” as of the first day on which the entity knew, or should have known through the exercise of reasonable diligence, that a breach occurred.
• Notice to Individuals: “Without unreasonable delay,” and no later than 60 calendar days after discovery of the breach
• Notice to the Media: “Without unreasonable delay,” and no later than 60 calendar days after discovery of a breach involving 500 or more individuals
• Notice to the Secretary:
  – Fewer than 500 individuals: The covered entity must maintain a log and submit the log within 60 calendar days after the end of the calendar year
  – More than 500 individuals: Notice must be provided contemporaneously with that provided to the individuals
  – Reporting is to be done electronically
• Notice by a Business Associate: A business associate must provide notice to the covered entity “without unreasonable delay,” and no later than 60 calendar days after discovery of the breach
• HITECH permits covered entities and business associates to delay notification if law enforcement states that notification would impede a criminal investigation or damage national security
• The length of the delay depends on the manner in which law enforcement requests the delay:
  – If the law enforcement statement is in writing and specifies the time for which delay is required, follow the written notification
  – If the statement is made orally, document the statement and the identity of the law enforcement official, then delay no more than 30 days from the date of the oral statement, unless a subsequent written statement is provided

Breach Penalties

• Four new penalty tiers have been implemented, effective November 30, 2009
• For violations occurring on or after February 18, 2010:
  – CMPs ranging from $100 to $50,000 per violation, up to $1.5 million for identical violations occurring during a calendar year, where the entity did not and, by exercising reasonable diligence, would not have known that a violation occurred;
  – CMPs ranging from $1,000 to $50,000 per violation, up to $1.5 million for identical violations occurring during a calendar year, where the violation was due to “reasonable cause” and not willful neglect (reasonable cause = “circumstances that would make it unreasonable for the covered entity, despite the exercise of ordinary business care and prudence, to comply”);
  – CMPs ranging from $10,000 to $50,000 per violation, up to $1.5 million for identical violations occurring during a calendar year, where the violation was due to willful neglect and was corrected during the 30 day period following the date the covered entity knew or should have known the violation occurred;
  – CMPs of at least $50,000 per violation, up to $1.5 million for identical violations occurring during a calendar year, where the violation was due to willful neglect and was not corrected during the 30 day period following the date the covered entity knew or should have known the violation occurred
• Penalties may be avoided if the entity can demonstrate:
  – The violation is the result of a knowing, criminal act by an individual that is punishable under 42 U.S.C. § 1320d-6; or
  – The violation is not due to willful neglect and was corrected within the 30 days following discovery or such additional period as the Secretary deems appropriate
• The Secretary may waive an imposed CMP if the CMP would be excessive and the violation was due to “reasonable cause,” even where the violation was not corrected during the 30 day period following discovery or other period deemed appropriate by the Secretary.

Action Steps

• Revise policies and procedures to reflect HITECH investigation and notification requirements
• Assemble a privacy investigation team
• Train staff members on the new breach requirements
• Scrutinize policies regarding the use of e-mail, laptops, and handheld devices to transmit or store PHI
• Work closely with IT staff to evaluate the feasibility of encryption technologies
• Evaluate current IT systems for the ability to track disclosures of e-PHI
• Implement amended business associate agreements and subcontractor agreements
• Consult with insurance advisors regarding enhancing risk protections (increased coverage and limits for losses and defense costs)
• Evaluate and strengthen existing audit procedures
• Determine the need for third party assistance (attorneys, IT specialists, consultants)
• Keep an eye out for additional HITECH rule updates and implementation specifications
  – www.healthcarelawnote.com
  – www.legalHIMformation.com

HIPAA/HITECH Team

Atlanta
Barry Herrin (404) 962-1027 [email protected]

Greensboro
Maureen Demarest Murray (336) 378-5258 [email protected]
Allyson Jones Labban (336) 378-5261 [email protected]

Raleigh
Trish Markus (919) 755-8850 [email protected]

QUESTIONS?
