Transcript HIPAA Compliance Program

Importance of the
Information Risk Assessment
Compliance Programs are intended to
proactively audit and assess an organization’s
operations to detect and prevent improper or
illegal activities.
Effective Compliance Programs can support
mitigation of fines and penalties, but it must be
effective within the organization
HIPAA requires organizations that handle
protected health information to regularly
review:
administrative,
physical; and
technical safeguards
they have in place to protect the security of the
information
On March 28, 2014, a new security risk
assessment (SRA) tool to help guide health care
providers in small to medium sized offices
conduct risk assessments of their organizations
was made available from HHS.
http://www.HealthIT.gov/security-riskassessment
The scope of risk analysis that the Security Rule
encompasses includes the potential risks
and vulnerabilities to the confidentiality,
availability and integrity of all e-PHI that an
organization creates, receives, maintains, or
transmits. (45 C.F.R. § 164.306(a)
Administrative actions, and policies and
procedures, to manage the selection,
development, implementation, and
maintenance of security measures to protect
electronic protected health information and to
manage the conduct of the covered entity’s
workforce in relation to the protection of that
information





Security
Management
Process
Assigned Security
Responsibility
Workforce Security
Information Access
Management
Security Awareness
and Training
Security Incident
Procedures
 Contingency Plan
Evaluation
 Business Associate
Contracts and Other
Arrangements

physical measures, policies, and procedures to
protect a covered entity’s electronic information
systems and related buildings and equipment,
from natural and environmental hazards, and
unauthorized intrusion

Facility Access
Controls



Device and Media
Controls
Workstation Use
Workstation
Security
the technology and the policy and procedures
for its use that protect electronic protected
health information and control access to it

Access Control

Audit Controls



Integrity
Person or Entity
Authentication
Transmission
Security
•
Certain entities now explicitly included in definition of “business
associate”
◦ Health Information Organizations, E-prescribing Gateways and other persons that provide
data transmission services to a covered entity that require access on a routine basis to PHI
◦ Patient Safety Organizations
◦ Any person offering PHRs on behalf of a covered entity
•
•
Data transmission organization that acts as a mere conduit for the
transport of PHI and does not access PHI other than on a random or
infrequent basis is NOT a business associate (transient vs. persistent
analysis)
Subcontractors of BAs are considered BAs if they handle PHI
1
3
•
•
•
A “subcontractor” is any person to whom BA delegates a
function, activity or service, other than as a member of BA’s
workforce
Subcontractor is a BA if it creates, receives, maintains or
transmits PHI on behalf of a business associate
Person who receives or accesses PHI to assist BA with BA’s
own management and administration or legal responsibilities
is not a subcontractor and therefore not a BA
◦ But BA must obtain “reasonable assurances”
•
Status as business associate flows “down the chain”
1
4
•
•
•
•
•
•
•
•
Comply with applicable requirements of Security Rule
Provide security breach notification to CE
Use and disclose PHI only as permitted by BA Agreement
Not use or disclose PHI in a way that would violate the HIPAA Privacy Rule if
done by covered entity (subject to narrow exceptions)
Execute BA Agreements with subcontractors that create, receive or maintain
PHI on BA’s behalf
If subcontractor engages in pattern or practice in material breach of its BA
Agreement, take reasonable steps to cure breach or terminate if feasible
Use reasonable efforts to limit PHI to minimum necessary
Disclose PHI
◦
◦
•
To covered entity, individual or individual’s designee when required to provide electronic copy
of PHI
To Secretary of HHS when required
Provide accounting of disclosures
1
5
•
New elements
•
Compliance deadlines
◦ BA must comply with applicable provisions of Security Rule
◦ BA must report any use or disclosure not in compliance with agreement (existing
requirement), specifically including breaches of unsecured PHI
◦ BA must ensure that any subcontractor that creates, receives or maintains PHI on its
behalf enters into BA Agreement
◦ To the extent BA is to carry out CE’s obligations under Privacy Rule, BA must comply
with requirements of Privacy Rule that apply to CE in performing obligations
◦ BA Agreements must comply by 9/23/13 unless grandfathered
◦ Grandfathered agreements:
 If prior to 1/25/13, had BA or subcontractor agreement in place that was
compliant with pre-HITECH standards, and agreement not renewed or
modified between 3/26/13 and 9/23/13, agreement is deemed compliant
until earlier of (i) renewed or modified or (ii) 9/22/14
 Automatic or “evergreen” renewal does not end deemed compliance period
1
6



Security provisions of HIPAA now apply to a
Business Associate of a Covered Entity in
the same manner that such sections apply
to the Covered Entity.
Business associates subject to same
penalties as Covered Entities
Also applies to vendors of personal health
records
18
Applies to any Covered Entity or
BA/vendor that:
 Accesses, maintains, retains, modifies, records,
stores, destroys or otherwise holds, uses, or
discloses unsecured protected health information
 Applies directly to vendors, regardless of whether
a business associated agreement is executed
19
 Unsecured
Protected Health Information
means (Section 13402(h))
◦ protected health information that is not
secured through the use of a technology or
methodology specified by the Secretary in
the guidance issued under this section
20

Obligation to notify triggers upon discovery of
a breach
◦ Discovery determined to be the first day on which
such breach is known or should reasonably have
been known to such entity or associate to have
occurred
◦ Knowledge by any person that is an employee,
officer or other agent of the entity or associate
21

Notice to Individual must include:
◦ Identification of each individual whose
unsecured protected health information has
been, or is reasonably believed to have been
accessed, acquired, or disclosed during such
breach
◦ Brief description of what happened, including
the date of the breach and the date of
discovery of the breach
◦ Description of the types of unsecured
protected health information that were
involved
22
Security and Notice
Requirements



Steps the individual should take to
protect themselves from potential harm
resulting from the breach
Description of what the covered entity
involved is doing to investigate the
breach, to mitigate losses, and to
protect against any further breaches
Contact procedures for individuals to
ask question or learn additional
information
 Notice
to the Secretary by Covered Entities:
 For breaches impacting 500 or more individuals, notify
the Secretary immediately
 For breaches impacting fewer than 500 individuals,
maintain a log and notify the Secretary annually submit
such log
24

Notice Timing:
 Notice must be made without unreasonable delay and in no case
later than 60 calendar days after discovery of a breach
 Delay allowed if a law enforcement official determines that a
notification, notice or posting would impede a criminal
investigation or cause damage to national security

Methods of Notice:
 Written notification by first class mail to individual
 Substitute notice process for insufficient or out of date contact
information

Media notice information for 500 individuals or more
25
 Safe
Harbor from Notification Requirement is
to ensure the data is maintained in a “secure”
manner.
 June 2009 --Requested comments on the
proposed form of “secure” data.
◦ Encryption
◦ De-Identification
26

Of the 90,000 complaints investigated most are, compiled
cumulatively, in order of frequency:

Impermissible uses and disclosures of protected health
information;

Lack of safeguards of protected health information;

Lack of patient access to their protected health information;

Uses or disclosures of more than the minimum necessary
protected health information; and

Lack of administrative safeguards of electronic protected health
information.
28
The most common types of covered entities that have been required
to take corrective action to achieve voluntary compliance are, in
order of frequency:

PRIVATE PRACTICES;

General Hospitals;

Outpatient Facilities;

Health Plans (group health plans and health insurance
issuers); and,

Pharmacies.
29



$800,000 HIPAA Settlement in Medical
Records Dumping Case - June 23, 2014
Data Breach Results in $4.8 Million HIPAA
Settlements - May 7, 2014
Concentra Settles HIPAA Case for $1,725,220
- April 22, 2014


QCA Settles HIPAA Case for $250,000 – April
22, 2014
County Government Settles Potential HIPAA
Violations - March 7, 2014
Adult & Pediatric Dermatology, P.C., of Concord, Massachusetts
(APDerm) -$150,000.00
Affinity Health Plan, Inc. will settle potential violations of the Health
Insurance Portability and Accountability Act of 1996 (HIPAA)
Privacy and Security Rules for $1,215,780.
WellPoint Inc. has agreed to pay the U.S. Department of Health
and Human Services $1.7 million to settle potential violations of
the Health Insurance Portability and Accountability Act of 1996
(HIPAA) Privacy and Security Rules
32
Michele Madison, Partner, Morris, Manning & Martin, LLP
Healthcare & Healthcare IT Practices
[email protected]
Direct: 404-504-7621
33




The materials and information presented and contained
within this document are provided by MMM as general
information only, and do not, and are not intended to
constitute legal advice.
Any opinions expressed within this document are solely
the opinion of the individual author(s) and may not reflect the
opinions of MMM, individual attorneys, or personnel, or the
opinions of MMM clients.
The materials and information are for the sole use of
their recipient and should not be distributed or repurposed
without the approval of the individual author(s) and Morris,
Manning & Martin LLP.
This document is Copyright ©2011 Morris, Manning &
Martin, LLP.
All Rights Reserved worldwide.
3
4