HERE - Synergy Solutions
HIPAA
The New HIPAA Laws Now Have REAL Penalties; Criminal & Civil
Legal Information Is Not Legal Advice
This site provides information about the law designed to help users safely cope with their own legal needs. But legal information is
not the same as legal advice -- the application of law to an individual's specific circumstances. Although we go to great lengths to
make sure our information is accurate and useful, we recommend you consult a lawyer if you want professional assurance that our
information, and your interpretation of it, is appropriate to your particular situation.
ARRA & HITECH Act
Increased Bureaucracy Overlap
The Old HIPAA
Shredded Old Medical Records
Added Silly Screen Privacy Devices
The OLD HIPAA Sheriff
No private right of action
Removed The Fax From Patient Hallway
Disaster Recovery Plan?
HIPAA Reboot
There Is A Real Sheriff In Town
Feds to Train State AGs To Enforce HIPAA
Breaking News, March 10, 2011
The Department of Health and Human Services' Office for Civil Rights will host four regional meetings to train staff from state and territorial attorneys general offices on enforcement of the HIPAA privacy and security rules.
The HITECH Act gives attorneys general authority to enforce the privacy and security rules through civil actions. In a statement on its Web site, OCR welcomes collaboration with attorneys general seeking to bring actions to enforce the rules, and will provide information upon request about pending or concluded OCR actions against covered entities or business associates related to state investigations.
The training sessions will provide an overview of the privacy and security rules and related HITECH Act provisions, investigative techniques for identifying and prosecuting potential violations, a review of HIPAA and state laws, OCR's enforcement role, state attorneys general roles and responsibilities under HIPAA and HITECH, resources for states in pursuing alleged violations, and HIPAA enforcement support and results.
What Is New In The HIPAA Reboot?
New Enforcement Rules
New HIPAA Penalties
Breach Notifications to Consumers
BAs Must Comply with HIPAA Security Rule
No Selling of PHI
New Restrictions on Marketing & Fundraising
What You Don’t Know CAN Hurt You.
HIPAA Privacy Rule
Accounting of Disclosures
Under the Health Information Technology for Economic and Clinical Health Act
Summary of Recent HIPAA Changes
New Enforcement Rules
The Sheriff Has A Posse!
• Mandatory investigations for “willful neglect” cases.
• Mandatory civil penalties for “willful neglect” violations.
• Periodic compliance audits for CE’s and BA’s.
• Fines & penalties paid will go to OCR for increased investigations & enforcement.
• Harmed individuals will get a percent (t.b.d.) of CMP or settlement.
• In addition to CE’s, individuals now made subject to HIPAA criminal provisions.
• State AG’s can bring civil suits in federal courts on behalf of state residents.
New HIPAA Penalties
Sheriff Has A Cash “Jail”
Four tiers of penalties, depending on nature of offense…
Tier A - Offender didn’t know, and by reasonable diligence would not have known, that he or she violated the law.
• $100 per violation
• $25,000 annual maximum total per violator
Tier B - Violation due to reasonable cause and not willful neglect.
• $1,000 per violation
• $100,000 annual maximum total per violator
Tier C - Violation due to willful neglect but was corrected.
• $10,000 per violation
• $250,000 annual maximum total per violator
Tier D - Violation due to willful neglect and was not corrected.
• $50,000 per violation
• $1,500,000 annual maximum total per violator
Breach Notifications to Consumers
Sheriff Wants The Word Out
CE’s, BA’s, and PHR Vendors are subject to breach notification requirements.
Notify consumers if “unsecured” PHI was accessed, acquired, or disclosed in a breach.
“Unsecured” essentially means “unencrypted” data, including all physical media.
Notices must be sent “without unreasonable delay” – no later than 60 days after the breach.
Minimum content of notifications is specified in the regs.
Notices sent by 1st class mail – email only if the consumer stated a preference for email.
If 10 or more victims can’t be located, notice on the website or in the media must be posted.
Breaches involving > 500 victims: Mandatory, immediate reporting to HHS.
Breaches involving < 500 victims: Entity keeps a log, provides it to HHS annually.
If over 500 victims, HHS will publicly post on the Internet.
PHR breaches get reported to the FTC, and the FTC in turn notifies HHS.
Louisiana state breach requirements are also in effect, “encrypted or unencrypted”.
Business Associates Must Comply with HIPAA Security Rule
Sheriff Sees “Guilt By Association”
BA’s subject to same civil & criminal penalties as CE’s.
BA’s must comply with Administrative, Technical, and Physical Safeguards.
BA’s must establish and maintain appropriate policies and procedures.
BA’s must document all Security Rule compliance activities.
BA’s must report breaches just like CE’s.
BA Contracts must be created or amended to include new requirements.
BA’s don’t comply with the Privacy Rule, but are restricted from PHI uses and disclosures not in compliance with the BA contract. This represents “de-facto” Privacy compliance.
PHR Vendors and Health Information Exchanges become Business Associates
Does The New Sheriff Have A “Bite”?
One breach occurred at Stanford’s Lucile Packard Children’s Hospital in January 2010, when a desktop computer holding the medical records of 532 patients was stolen from the heart center by an employee. Hospital officials said at the time that no patient information was compromised.
But California’s Department of Public Health fined the hospital $250,000, the maximum allowed, for failing to report the breach within five days of discovery, as is required under state law. State officials contend it took the hospital 19 days to disclose.
Does The New Sheriff Have A “Bite”?
Massachusetts General Hospital in Boston, which trains Harvard medical students, agreed this year to pay a $1 million federal fine after an employee left paper medical records on a subway train while commuting to work. The pages contained the names of 192 patients, and diagnoses for about a third of them, including for H.I.V./AIDS. They were never recovered.
The Department of Health and Human Services viewed the breach as a potential violation of the Health Insurance Portability and Accountability Act, the 1996 law that requires protection of medical records.
Does The New Sheriff Have A “Bite”?
A former UCLA Health System employee became the first person in the nation to be sentenced to federal prison for violating HIPAA.
Huping Zhou, 47, of Los Angeles, was sentenced to four months in prison on April 27 after pleading guilty in January to four misdemeanor counts of accessing and reading the confidential medical records of his supervisors and high-profile celebrities, according to the U.S. Attorney’s Office for the Central District of California. Zhou was also fined $2,000.
Does The New Sheriff Have A “Bite”?
Sheriff Has Deputies! (Secondary Liability)
A recent decision by an appellate court in North Carolina, however, demonstrates that HIPAA may form the basis of a lawsuit by a patient, notwithstanding the absence of a private right of action created by Congress. In the case, Acosta v. Byrum, 638 S.E.2d 246 (Ct. App. December 19, 2006), a patient sued her doctor on the theory of negligent infliction of emotional distress.
The trial court dismissed the patient's claim in part on the ground that HIPAA did not provide for a private right of action. The appellate court reversed, however, stating that the patient had not asserted her claim under HIPAA, but had merely used HIPAA to define the standard of care that the physician should have followed to protect her medical information. In other words, the claim is based on the theory that a violation of HIPAA's privacy regulations is negligence per se, which would make unnecessary a jury's determination of the reasonableness of the doctor's conduct.
Does The New Sheriff Have A “Bite”?
Sheriff Has Deputies! (Secondary Liability)
The use of HIPAA privacy violations as a standard of care for negligence under common law theories of liability is likely to be adopted by other patients whose healthcare information is disclosed, inadvertently or otherwise.
This additional litigation risk suggests that strict adherence to HIPAA regulations is important not only to avoid regulatory enforcement, but also to avoid individual lawsuits, which pose a more prevalent and expensive risk.
RS 51:3071
CHAPTER 51. DATABASE SECURITY BREACH NOTIFICATION LAW
Annual Report to Congress on Breaches of Unsecured Protected Health Information
Louisiana Database Security Breach Notification Law
§3071. Short title
This Chapter may be cited as the "Database Security Breach Notification Law".
Acts 2005, No. 499, §1, eff. Jan. 1, 2006.
§3072. Legislative findings
The legislature hereby finds and declares that:
(1) The privacy and financial security of individuals are increasingly at risk due to the ever more widespread collection of personal information.
(2) Credit card transactions, magazine subscriptions, telephone numbers, real estate records, automobile registrations, consumer surveys, warranty registrations, credit reports, and Internet web sites are all sources of personal information and form the source material of identity theft.
(3) The crime of identity theft is on the rise in the United States. Criminals who steal personal information use the information to open credit card accounts, write bad checks, buy automobiles, and commit other financial crimes using the identity of another person.
(4) Identity theft is costly to the marketplace and to consumers.
(5) Victims of identity theft must act quickly to minimize the damage; therefore, expeditious notification of possible misuse of a person's personal information is imperative.
Acts 2005, No. 499, §1, eff. Jan. 1, 2006.
§3073. Definitions
As used in this Chapter, the following terms shall have the following meanings:
(1) "Agency" means the state, a political subdivision of the state, and any officer, agency, board, commission, department or similar body of the state or any political subdivision of the state.
(2) "Breach of the security of the system" means the compromise of the security, confidentiality, or integrity of computerized data that results in, or there is a reasonable basis to conclude has resulted in, the unauthorized acquisition of and access to personal information maintained by an agency or person. Good faith acquisition of personal information by an employee or agent of an agency or person for the purposes of the agency or person is not a breach of the security of the system, provided that the personal information is not used for, or is subject to, unauthorized disclosure.
(3) "Person" means any individual, corporation, partnership, sole proprietorship, joint stock company, joint venture, or any other legal entity.
Coping with Breaches, Enforcement, and Other Fallout under HITECH’s Breach Reporting & Enforcement Rules
What Constitutes A BREACH Of Personal Information?
Under Louisiana Law:
"Personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when the name or the data element is not encrypted or redacted:
(i) Social security number.
(ii) Driver's license number.
(iii) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.
(b) "Personal information" shall not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
Once The Breach Occurs
Notification Requirements Start
Some States Now Require You To Pay For Credit Monitoring For Each Patient In The Breached Data Base
Types Of Data Breaches
Hackers Breaching Security
Poor Internal Network Security
Web Based Phishing, Virus, Worms
Insider Theft
Insiders Cause 48% Of All Breaches
Stolen Hardware
Lost Hardware
Laptops, Thumb Drives, Etc.
Third Party Breach
Business Associates
From Insider Abuse To Insider Accountability
Types Of Data Breaches
The Social Web Based Threat
An aggressive worm known for stealing sensitive information was found on the computer network for the agencies handling unemployment claims in Massachusetts.
W32.QAKBOT is a worm that spreads through network drives and removable drives. After the initial infection, usually the result of clicking on a malicious link on a Web page, it can download additional files, steal information and open a back door on the compromised machine. The worm also contains a rootkit that allows it to hide its presence and it works slowly to avoid detection. “Its ultimate goal is clearly theft of information,” said Shunichi Imano, a Symantec researcher.
Qakbot is especially aggressive and normally targets online banking, although it has the ability to mutate itself to switch targets and change its methods. The cyber-criminals behind the infection could have remotely instructed the virus to go after names, addresses and Social Security numbers stored in the state systems instead of focusing on banking sites.
“In a nutshell, if your computer is compromised, every bit of information you type into your browser will be stolen,” according to Patrick Fitzgerald, a senior security response manager at Symantec.
Where Are Employees Surfing On YOUR Computers?
Cyber-criminals used malware to steal personal information from the Massachusetts unemployment offices, according to the state agency.
The Cost Of Data Breaches
$301.00 Per Record Breached!
How much could a data breach incident cost your company?
Know Your Business Associates
You're In It With Them
HIPAA Now Requires Comprehensive Business Associates Agreements
Billing Service
Collection Service
Lawyers
IT Vendor
Medical Record Disposal Co.
EHR Vendor
Answering Service
Transcriptionist
Labs
Imaging Centers
Private Payers
Medical Transport Co.
Cleaning Service
And The List Goes On
Basic Remedial Action
Performing a new risk assessment
Revising policies and procedures
Improving physical security by installing new security systems or by relocating equipment or records to a more secure area
Training or retraining workforce members who handle protected health information
Adopting encryption technologies
Establishing acceptable use rules for the Internet
REMEMBER: If It Is Not Documented, It Did Not Happen. HIPAA Will Want It In Writing.
Imposing sanctions on workforce members who violated policies and procedures, primarily in response to serious employee errors, removal of protected health information from the facility against policy, and unauthorized access
Changing passwords
Revising business associate contracts to more explicitly require protection for confidential information
In both
Contact Your Liability/Malpractice Insurance Company
Frank J Davis
504-834-9550 ext 116
Synergy Solutions
3200 Ridgelake Dr. Suite 203
Metairie LA 70002
Telephone (504) 834-9550
Facsimile (504) 834-5755
Toll Free 866-834-8030
www.GoToSynergy.com
John Daigle: 504-834-9550 Ext 115