Long-Term Care and the Law
Analyzing and Minimizing
HIPAA/HITECH Risks for
Post-Acute Care Providers
February 20, 2013
Diane Felix, Anthony Munns, Suzanne Sheldon
Myth #1 – The government is only
after the big guys and the huge
breaches.
Analyzing and Minimizing HIPAA/HITECH Risks
for Post-Acute Providers – Felix/Munns/Sheldon
Reality:
• 1 stolen laptop with unencrypted PHI of 441 hospice patients = $50,000 penalty
• 5-physician cardiothoracic practice sending unencrypted PHI via email + using a publicly-accessible appointment calendar = $100,000 penalty
• 41-bed hospital with 1 stolen laptop with unencrypted PHI = $1,500,000 penalty
Myth #2 – We don’t have an EMR
system, so we don’t need to worry
about ePHI security.
Reality:
• If you have PHI on laptops or other portable
devices, or staff texting or emailing information
that includes PHI, then security requirements
are an issue for you.
Myth #3 – Business Associate
Agreements are just forms we need to
get signed and have in our files to
satisfy the government.
Reality:
• The terms of those agreements – or what’s not
there – could cost you big time if there is a data
breach.
Points to ponder:
• Size doesn’t matter.
• Loss or theft of laptop = likely OCR investigation.
• Failure to perform risk analysis + failure to
implement policies and procedures + breach = likely
big penalty.
• Encryption is a critical factor.
• Increased penalties under HIPAA Final Omnibus
Rule have substantially increased your risks.
PRIVACY
A Brief Overview
Key Concepts
• Covers protected health information (PHI) in
any form
• Applies to covered entities (health care
providers, health plans and health care
clearinghouses) and business associates
• Patient rights
• Civil and criminal liabilities
Protected Health Information
• PHI: Individually identifiable health
information (IIHI) that is:
▫ Transmitted by electronic media;
▫ Maintained in electronic media; or
▫ Transmitted or maintained in any other form or
medium
HIPAA Privacy Rule
• Requires Covered Entities (CEs) and Business
Associates (BAs) to have safeguards in place to
ensure the privacy of PHI
• Denotes under what circumstances a CE or BA
may use or disclose PHI
• Gives individuals the right to examine, request a
copy and make corrections to their PHI
HIPAA Basics - cont’d
• Minimum Necessary Rule: When using,
disclosing or requesting PHI, CEs and BAs must
make reasonable efforts to limit PHI to the
minimum necessary to accomplish the intended
purpose of the use, disclosure or request
USE and DISCLOSURE
• Required Disclosures
▫ To the individual when requested
▫ To HHS in matters relating to the investigation or determination of
compliance with the Privacy Rule
• Permitted Disclosures
▫ Individual (with some exceptions)
▫ TPO (Treatment/Payment/Health Care Operations)
▫ Opportunity to Agree or Object
▫ Public Policy
▫ Incidental (as long as the CE/BA complied with minimum necessary requirements and used reasonable safeguards)
▫ Limited Data Set
▫ Authorized
BREACH
• An impermissible use, acquisition or disclosure
that compromises the security or privacy of the
protected health information.
• Before the HIPAA Final Omnibus Rule (HFOR), a breach was defined to
“compromise security or privacy” only if it posed a “significant risk of
financial, reputational, or other harm” to the individual.
BREACH FINAL RULE
FINAL RULE: An impermissible use or disclosure of PHI is
presumed to be a breach and notification is required
unless the CE or BA demonstrates there is a low
probability that the PHI was compromised.
“Low probability” must be demonstrated and documented
with a risk assessment.
Burden of proof of “low probability” lies with the CE and/or
BA, as appropriate.
BREACH RISK ASSESSMENT
A risk assessment must include at least the
following factors:
▫ Nature and extent of the PHI involved, including
types of identifiers and chance of re-identification
▫ The unauthorized person who used the PHI or to
whom the disclosure was made
▫ Whether the PHI was actually acquired or viewed
▫ The extent to which the risk to the PHI has been
mitigated
BREACH RISK ASSESSMENT – cont’d
• HHS expects the risk assessments to be “thorough,
completed in good faith and for the conclusions
reached to be reasonable”
• A CE or BA may, at their discretion, provide
notifications without performing the risk
assessment
• HHS plans to provide additional guidance in the
future for the handling of “frequently occurring”
situations
BREACH NOTIFICATION RULE
• CEs must notify both the U.S. Department of
Health & Human Services (HHS) + the affected
individual of the loss, theft, or other impermissible
use or disclosure of PHI
• Breaches that affect 500 or more individuals must
be promptly reported to the media and HHS
▫ Breaches that affect 500 or more are publicly reported
on the HHS/Office of Civil Rights (OCR) website
• OCR has discretion to investigate even where there’s
no willful neglect
BREACH NOTIFICATION REQUIREMENTS
• Individual Notice
▫ In written form by first-class mail, or email if the individual has agreed to receive communications electronically
▫ Without unreasonable delay, and no later than 60 calendar days after discovery of the breach
• Media Notice
▫ If the breach affects more than 500 residents of a State or jurisdiction
▫ No later than 60 calendar days after discovery
• Notice to the Secretary
▫ Via the HHS web site
- No later than 60 calendar days after discovery if 500 or more individuals are affected
- If fewer than 500, log the breach and report it annually, no later than 60 days after the end of the calendar year in which it was discovered
TOP 5 ISSUES IN
INVESTIGATED CASES
1. Impermissible uses and disclosures of protected health information
2. Lack of safeguards of protected health information
3. Lack of patient access to their protected health information
4. Uses or disclosures of more than the minimum necessary protected health information
5. Lack of administrative safeguards of electronic protected health information
Penalties – 4 Tiers
1. If the CE/BA didn’t know of a violation, and wouldn’t have known by exercising reasonable diligence = $100 - $50,000 per violation
2. If the CE/BA knew, or with “reasonable diligence” would have known, that an act or omission violated a requirement, but did not act with “willful neglect” = $1,000 - $50,000 per violation
3. Willful neglect – “conscious, intentional failure or reckless indifference to the obligation to comply with the provision violated” – but corrected within 30 days = $10,000 - $50,000 per violation
4. Willful neglect that was not corrected = $50,000 per violation
All four tiers are subject to an annual cap of $1,500,000 for violations of an identical provision in a calendar year.
Factors In Penalty Amount
• HHS will determine penalty amounts on case-by-case
basis and may consider factors such as:
▫ Number and extent of violations, which may include #
of individuals affected, and time period involved.
▫ Nature and extent of harm resulting from violation,
which may include whether violation caused physical
or financial harm, harm to reputation, or hindered
individual’s ability to obtain healthcare.
Penalty Amount – cont’d
▫ CE/BA’s prior compliance, which may include whether:
- the current violation is the same as or similar to previous “indications of noncompliance”
- previous “indications of noncompliance” were corrected
Security
Basic Security Requirements
• Designate a security officer (can also be the privacy
officer)
• Implement policy on workplace use and dissemination of
PHI
• Implement policy on workstation use, procedures for
storage and disposal of PHI
• Implement procedures for data backup and disaster
recovery
• Develop and implement data access control procedures
Basic Security Requirements – cont’d
• Implement an audit trail for access to PHI
• Sign and amend contracts with business associates to
protect the security of PHI
• Provide security awareness training to all designated
personnel
• Implement technical security mechanisms to prevent
unauthorized access
• Establish a reporting and response system for security
violations
Security Rule Implementation Specifications
• Safeguards are identified as either “Required” or “Addressable”
▫ “Addressable” doesn’t = optional. The choices are:
- Implement it,
- Implement alternative measure(s) that accomplish the same purpose, OR
- Don’t implement anything – but keep written documentation of the factors considered and the results of the risk assessment.
Security Standards Matrix - examples
Standard – Section: Implementation Specifications, (R) = Required, (A) = Addressable
Administrative Safeguards
• Security Management Process – 164.308(a)(1)
▫ Risk Analysis (R)
▫ Risk Management (R)
▫ Sanction Policy (R)
▫ Information System Activity Review (R)
• Assigned Security Responsibility – 164.308(a)(2)
▫ (R)
• Workforce Security – 164.308(a)(3)
▫ Authorization and/or Supervision (A)
▫ Workforce Clearance Procedure (A)
▫ Termination Procedures (A)
• Information Access Management – 164.308(a)(4)
▫ Isolating Health Care Clearinghouse Function (R)
▫ Access Authorization (A)
▫ Access Establishment and Modification (A)
Physical Safeguards
• Facility Access Controls – 164.310(a)(1)
▫ Contingency Operations (A)
▫ Facility Security Plan (A)
▫ Access Control and Validation Procedures (A)
▫ Maintenance Records (A)
• Workstation Use – 164.310(b)
▫ (R)
• Workstation Security – 164.310(c)
▫ (R)
• Device and Media Controls – 164.310(d)(1)
▫ Disposal (R)
▫ Media Re-use (R)
▫ Accountability (A)
▫ Data Backup and Storage (A)
Factors to take into account in deciding which security measures to use
• Size, complexity, and capabilities of the Covered Entity or Business Associate;
• CE’s and BA’s technical infrastructure, hardware, and software security capabilities;
• Costs of security measures; and
• Likelihood and impact of potential risks to ePHI.
• But cost alone is no excuse. The preamble to the Security Rule states: “Cost is not meant to free covered entities from this responsibility.”
Is Encryption Required? No, but...
• PHI encrypted consistent with HHS guidance is not “unsecured PHI”, so its loss or theft is exempt from the breach notification requirements. The safe harbor only holds if encryption was actually in force on the device and the key (or passphrase) was not compromised along with it, so keep records showing which devices are encrypted, with what, and since when.
• Consider:
▫ BitLocker full-disk encryption – supplied with the Ultimate and Enterprise editions of Windows 7 (Pro and Enterprise editions of later versions)
▫ Use HTTPS or secure messaging systems rather than plain email or text messages for PHI
▫ Use encrypted USB drives or block their use
Useful information
• Advanced Encryption Standard (AES) is a specification for the encryption of electronic data established by the U.S. National Institute of Standards and Technology (NIST) as FIPS 197
• For more information about encryption, see NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices, National Institute of Standards and Technology (Nov., 2007)
• HHS’s guidance on securing PHI points to SP 800-111 for data at rest and to NIST SP 800-52, 800-77 and 800-113 for data in transit (TLS, IPsec and SSL VPNs)
Risk Analysis
• Scope – potential risks and vulnerabilities to the
confidentiality, availability and integrity of all e-PHI
that an organization creates, receives, maintains, or
transmits.
• Data Collection – identify where e-PHI is stored,
received, maintained or transmitted.
• Identify & Document Potential Threats and
Vulnerabilities.
• Assess Current Security Measures.
Risk Analysis – cont’d
• Determine Likelihood of Threat Occurrence.
• Determine Potential Impact of Threat
Occurrence.
• Determine the Level of Risk.
• Finalize Documentation.
• Periodic Review & Updates to the Risk
Assessment.
Vendor Management Programs
• Even before HFOR, there have been frequent
reminders of how badly things can go wrong
when CEs fail to do due diligence with vendors
who have access to PHI, and when BA
Agreements are inadequate – or missing
altogether.
Four Massachusetts pathology practices
were fined $110,000 for failing to have
appropriate safeguards in place
regarding PHI provided to a billing firm.
• A newspaper photographer for the Boston Globe
found medical records at a recycling station after
dropping off his own trash.
Kaiser Permanente gave patient
medical records to a couple to store
• The couple’s document storage firm kept the records
in a warehouse shared with a party rental business,
and in a Ford Mustang.
• Kaiser’s lawsuit against the couple claimed that the
couple left two computer hard drives in their garage
with the door open.
• State and Federal agencies are investigating.
Costs of vendors behaving badly can be crippling
• Aside from the costs to an organization’s reputation,
the costs of investigating, and the notification costs,
there are the costs of mitigating the effects of a data
breach.
▫ For example, credit monitoring at $20 per month, per individual, means that if a stolen laptop with unencrypted data holds PHI for only 100 individuals, that’s still $24,000 for a year’s worth.
Changed obligations for BAs and independent
contractors under HITECH and HFOR make
adequate vendor management even more
important.
• Business Associates are now directly responsible for compliance
with HIPAA as modified by HITECH, and have direct responsibility
for penalties.
• The definition of Business Associate has been expanded to cover:
▫ Subcontractors of BAs.
▫ Entities that create, receive, maintain, or transmit PHI in
connection with services provided to a CE.
• The “primary” BA is required to obtain “satisfactory assurances”
from subcontractors that the subcontractor will appropriately
safeguard the PHI.
Examples of “Due Diligence” Questions
to Consider
• Do you or the vendor have sufficient resources
or insurance coverage to cover the costs that will
be involved in responding to any breach?
• Does your BA Agreement make clear how
quickly notification must be made to the CE of a
suspected breach, to whom the notice must go,
and what information must be provided?
Questions- cont’d
• Is the vendor’s access to and use and disclosure
of PHI limited to the minimum necessary to
accomplish the specific purpose?
• Is there any mechanism for monitoring
compliance by the vendor with HIPAA/HITECH
requirements?
• Have the responsibilities/liabilities of
subcontractors been taken into consideration?
Preparing for OCR HIPAA
Compliance Audits
• The Security Rule details areas that require the following
of CEs:
▫ Policies
▫ Procedures
▫ Documentation (think audit trail)
• The first institution audited – Atlanta’s Piedmont
Hospital – was presented with a list of 42 items that
HHS wanted within 10 days.
Piedmont was asked for 24 specific policies
and procedures, including:
• Establishing and terminating users' access to systems
housing ePHI.
• Emergency access to electronic information systems.
• Inactive computer sessions (periods of inactivity).
• Recording and examining activity in information
systems that contain or use ePHI.
• Risk assessments and analyses of relevant information
systems that house or process ePHI data.
• Employee violations (sanctions).
• Electronically transmitting ePHI.
• Preventing, detecting, containing and correcting security
violations (incident reports).
• Regularly reviewing records of information system
activity, such as audit logs, access reports and security
incident tracking reports.
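The activity-review items in the list above (recording and examining activity in systems that hold ePHI, regularly reviewing audit logs and access reports, terminating users' access) are what a security officer has to be able to show an auditor. What follows is an added example, not code from the presentation or its authors, of a minimal periodic review run over a constructed ePHI access log. The log format, the workforce roster, the business-hours window and the export threshold are all assumptions made up for illustration; a real deployment would read the EHR's own audit export and the HR system's roster instead.

```python
from collections import defaultdict
from datetime import datetime, time

# Constructed sample access log (an assumption for this example, not a real
# EHR export). Fields: ISO timestamp, user, action, patient ID, the patient's
# unit, source IP.
ACCESS_LOG = """\
2013-02-11T09:14:02 jdoe VIEW P1001 unit-3 10.0.3.21
2013-02-11T09:20:45 jdoe VIEW P1002 unit-3 10.0.3.21
2013-02-11T11:02:13 jdoe VIEW P2001 unit-1 10.0.3.21
2013-02-11T22:41:10 mroe EXPORT P2001 unit-1 10.0.1.9
2013-02-11T22:41:12 mroe EXPORT P2002 unit-1 10.0.1.9
2013-02-11T22:41:15 mroe EXPORT P2003 unit-1 10.0.1.9
2013-02-11T22:41:19 mroe EXPORT P2004 unit-1 10.0.1.9
2013-02-11T22:41:23 mroe EXPORT P2005 unit-1 10.0.1.9
2013-02-12T10:05:00 tgone VIEW P1003 unit-3 10.0.3.40
"""

# Constructed workforce roster (assumption): each user's assigned unit and the
# date on which their access should have been terminated, if any.
ROSTER = {
    "jdoe":  {"unit": "unit-3", "terminated": None},
    "mroe":  {"unit": "unit-1", "terminated": None},
    "tgone": {"unit": "unit-3", "terminated": datetime(2013, 2, 10).date()},
}

BUSINESS_HOURS = (time(7, 0), time(19, 0))  # assumed local working day
BULK_THRESHOLD = 5  # assumed: this many after-hours exports by one user in a day is notable


def parse_log(text):
    """Turn the whitespace-separated sample format into a list of dicts."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, patient, unit, src = line.split()
        entries.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
            "user": user, "action": action, "patient": patient,
            "unit": unit, "src": src,
        })
    return entries


def outside_business_hours(ts):
    start, end = BUSINESS_HOURS
    return not (start <= ts.time() < end)


def review(entries, roster):
    """Apply three activity-review checks and return a list of findings."""
    findings = []
    after_hours_exports = defaultdict(list)   # (user, date) -> patient IDs
    for e in entries:
        person = roster.get(e["user"])
        if person is None:
            # An account the workforce roster does not know about at all.
            findings.append({"rule": "unknown-user", "user": e["user"],
                             "ts": e["ts"], "detail": "account not on workforce roster"})
            continue
        # Termination Procedures: any access after the date access should have ended.
        if person["terminated"] is not None and e["ts"].date() > person["terminated"]:
            findings.append({"rule": "terminated-user-access", "user": e["user"],
                             "ts": e["ts"],
                             "detail": f"access after termination on {person['terminated']}"})
        # Access Authorization / minimum necessary: a record from another unit.
        if e["unit"] != person["unit"]:
            findings.append({"rule": "cross-unit-access", "user": e["user"],
                             "ts": e["ts"],
                             "detail": f"{e['patient']} is on {e['unit']}, user assigned to {person['unit']}"})
        # Information System Activity Review: collect after-hours exports per user and day.
        if e["action"] == "EXPORT" and outside_business_hours(e["ts"]):
            after_hours_exports[(e["user"], e["ts"].date())].append(e["patient"])
    for (user, day), patients in after_hours_exports.items():
        if len(patients) >= BULK_THRESHOLD:
            findings.append({"rule": "after-hours-bulk-export", "user": user, "ts": day,
                             "detail": f"{len(patients)} records exported outside business hours"})
    return findings


def summarize(findings):
    """Count findings per rule, the shape a periodic review report needs."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["rule"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for f in review(parse_log(ACCESS_LOG), ROSTER):
        print(f"{f['ts']}  {f['rule']:<25} {f['user']:<6} {f['detail']}")
```

The three checks map onto Security Rule items named on the slides: Termination Procedures (an account still active after its termination date), Access Authorization and the minimum-necessary principle (a user viewing records of patients on a unit they are not assigned to), and Information System Activity Review (an after-hours bulk export). The findings themselves, together with the date of each review and who looked at it, are the documentation an auditor will ask for.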
Section 13411 of the HITECH Act requires
HHS to provide for periodic audits to ensure
that covered entities and business
associates are complying with the HIPAA
Privacy and Security Rules and Breach
Notification standards.
• To implement this mandate, OCR piloted a program
to perform 115 audits of covered entities to assess
privacy and security compliance.
• KPMG was then retained to perform the audits.
• Audits conducted during the pilot phase began
November 2011 and concluded in December 2012.
• So far, all the audits have been of Covered Entities.
The OCR HIPAA Audit program analyzes processes,
controls, and policies of selected covered entities
pursuant to the HITECH Act audit mandate.
OCR established a comprehensive audit protocol that
contains the requirements to be assessed through these
performance audits. The entire audit protocol is
organized around modules, representing separate
elements of privacy, security, and breach notification.
The combination of these multiple requirements may vary
based on the type of covered entity selected for review.
The audit protocol covers:
• Privacy Rule requirements:
▫ notice of privacy practices for PHI,
▫ rights to request privacy protection for PHI,
▫ access of individuals to PHI,
▫ administrative requirements,
▫ uses and disclosures of PHI,
▫ amendment of PHI, and
▫ accounting of disclosures.
• Security Rule requirements for administrative, physical, and technical safeguards.
• Requirements for the Breach Notification Rule.
There are 169 audit tests: Privacy has
81, Security 78 and Breach 10.
So far the protocol has not been
updated for the HIPAA Omnibus Rule.
Speakers’ Contact Information
Diane E. Felix, J.D. - Partner
Armstrong Teasdale LLP
7700 Forsyth Blvd., Suite 1800
St. Louis, MO 63105
(314) 342.8001
(314) 612.2243 (fax)
[email protected]
Anthony J. Munns, CISA, FBCS, CITP - Partner, Risk Services
Brown Smith Wallace LLC
1050 N. Lindbergh Blvd.
St. Louis, MO 63132
314.983.1297 Direct / 314.614.6582 Cell
314.983.1200 Main / 314.983.1300 Fax
[email protected]
Suzanne Sheldon, J.D. – Director of Risk Management and Corporate Compliance
Lutheran Senior Services
1150 Hanley Industrial Ct.
St. Louis, MO 63144
(314) 446.2577
(314) 446.2550 (fax)
[email protected]