CCPA Seminar: A HIPAA UPDATE

September 11, 2012

Pamela H. Del Negro

Robinson & Cole LLP

Agenda

• HIPAA Overview
• HIPAA Audit Protocols
• What to include in your HIPAA Policies and Procedures Manual
• HIPAA Training for Employees and Staff
• Recent Enforcement Efforts and Upcoming Regulatory Updates

HIPAA PRIVACY

WHAT INFORMATION IS PROTECTED UNDER HIPAA?

• Protected Health Information (“PHI”) is individually identifiable health information in any form that relates to the health or condition of an individual or the payment for health care

• Does not include de-identified information or employment records

PERMITTED USES AND DISCLOSURES OF PHI

• To the individual
• Treatment, payment & health care operations
• Pursuant to valid authorization
• Business associates

DISCLOSURE PERMITTED AFTER OPPORTUNITY TO AGREE OR OBJECT

• Facility directory (sign-in sheet/hospital log)
– Disclose limited information (e.g., name, location in facility, general description of condition, religious affiliation, etc.)
• Persons involved in care
– If patient is present, ask whether disclosure is permitted
– If patient is not present, use professional judgment, infer from circumstances
– Limit disclosure to information directly relevant to such person’s involvement

USES AND DISCLOSURES WITHOUT AUTHORIZATION

Under limited circumstances, the following uses and disclosures do not require authorization or opportunity to object:

• Decedent’s Information
• Organ/Tissue Donation
• Avert a Serious Threat to Safety
• Specialized Government Functions
• Research (if IRB waives requirement)
• Workers’ Compensation
• Public Health Activities
• Reporting Victims of Abuse, Neglect, or Domestic Violence
• Health Oversight
• Judicial or Administrative Proceedings
• Law Enforcement Purposes

CONSULT STATE LAW!

AUTHORIZATION

• A more specific and detailed form of permission designed to allow other uses or disclosures of PHI

• Required for all uses and disclosures not specifically permitted by HIPAA and required for uses or disclosures of certain sensitive information

• Individual has a right to revoke the authorization
• Generally cannot condition treatment on the individual providing an authorization
• Not necessary if special circumstances (e.g. emergency) apply

HOW MUCH PHI CAN I USE OR DISCLOSE?

• In general, must make reasonable efforts to limit the use or disclosure of PHI to the minimum necessary

• Comply with policies and procedures that limit the amount of information to the minimum necessary to perform your job

• Your job description may limit your level of information access


HOW MUCH PHI CAN I USE OR DISCLOSE?

• Special rules:
– Treatment purposes – no limits
– Authorized disclosures – limited to the terms of the authorization
– To the individual – no limits
– Compliance purposes – no limits
– Other legally required disclosures – as limited by law

PERSONAL REPRESENTATIVES

• Person with authority to act on behalf of individual, for example:
– Parent of a minor
– Court-appointed guardian/conservator

• Has all rights of individual with respect to relevant PHI

ABUSE, NEGLECT, AND ENDANGERMENT

• May choose not to treat a person as a personal representative if:
– Not in the individual’s best interest, and
– The individual is suspected to be a victim of abuse or neglect by the personal representative, or
– Treating the person as the personal representative could endanger the individual

VERIFICATION

• Verify the identity of a person requesting information and determine that the person has the authority to receive the information


PRIVACY OFFICER

• DUTIES OF THE PRIVACY OFFICER (OR AS DELEGATED)
– Develop Privacy Policies and Procedures
– Coordinate with administration to implement privacy requirements
– Develop administrative, technical, and physical safeguards
– Maintain documentation and records for required time periods
– Conduct periodic audits
– Serve as a privacy consultant
– Serve as liaison to government oversight agency
– Receive (as contact person) and respond to individual complaints
– Attempt to mitigate harm caused by improper disclosures

NOTICE OF PRIVACY PRACTICES

• Must be provided to all individuals prior to service delivery

• Identifies the types of uses and disclosures that are permitted and required by you

• Sets forth description of individual’s rights

• States your duties to maintain the confidentiality of the PHI

• Outlines the process for an individual to submit a complaint concerning a suspected privacy violation


ACKNOWLEDGMENT/CONSENT FORM

• Patient acknowledges receipt of Notice of Privacy Practices

• Consent to use for treatment, payment and health care operations

• Not the same as an Authorization


RIGHTS OF INDIVIDUALS

• Basic rights of individuals under HIPAA
– Access
– Amendment
– Accounting of disclosures
– Restrictions on use and disclosures
– Confidential communications
– Complaint process

RETALIATION AND WAIVER

• Retaliation: You may not intimidate, threaten, coerce, discriminate against or take retaliatory action against another person for:
– Exercising a right provided by HIPAA
– Filing a complaint with OCR
– Assisting in a HIPAA-related investigation or hearing
– Opposing any act unlawful under HIPAA

• Waiver: You may not require individuals to waive rights to file a complaint under HIPAA as a condition of treatment.

BUSINESS ASSOCIATES

• Perform functions, activities or services on behalf of covered entities involving the use or disclosure of PHI, including:
– Functions or Activities
• Claims processing or administration
• Data analysis
• Utilization Review
• Quality Assurance
• Billing
• Benefit Management
• Practice Management
– Services
• Legal
• Actuarial
• Accounting
• Administrative
• Financial

PENALTIES

• Civil Penalties
– Unknowingly – $100/violation
– Reasonable cause – at least $1,000/violation
– Willful neglect – HHS will conduct an investigation
• If willful neglect but corrected, no less than $10,000, not to exceed $50,000
• If not corrected, $50,000 per violation, not to exceed $1,500,000/year
– State Attorney General

• Criminal Penalties (e.g. intent to sell)

Breach Notice Requirement

• Part of HITECH
• Notify each individual whose Unsecured PHI has been or is reasonably believed to have been accessed, acquired, used or disclosed as a result of a breach of Unsecured PHI (“Affected Individual”)
• “Unsecured PHI” is any PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized individuals through encryption or destruction

Definition of Breach

• “Breach” is the unauthorized acquisition, access, use or disclosure of PHI that (i) violates the HIPAA privacy rules and (ii) compromises the security or privacy of such PHI

• “Compromises the security or privacy of PHI” = poses a significant risk of financial, reputational, or other harm to the Affected Individual


Definition of Breach (cont.)

• Exclusions to definition of “breach”
– Unintentional acquisition/access/use of PHI by a workforce member or individual acting under the authority of a covered entity or business associate if:
• made in good faith
• within the course and scope of authority
• does not result in further use or disclosure

Definition of Breach (cont.)

• Exclusions (cont.)
– Inadvertent disclosures by an individual authorized to access PHI to another individual authorized to access PHI at the same entity, where such information is not further used or disclosed
– Disclosure with good faith belief that the unauthorized individual to whom PHI has been disclosed would not reasonably have been able to retain the information
• Document the reasons why such use or disclosure satisfies the respective exception

Risk Assessment

• Fact specific analysis that varies with each impermissible use or disclosure

• If there is less than a significant risk of harm then no notice is required

• Document risk assessments


When a Breach is Considered Discovered

• As of the first day the breach is known or, by exercising reasonable diligence, would have been known
• Knowledge of a workforce member or agent is imputed

Content of Notice

Covered entities must provide breach notices that are written in plain language and include:

• What happened
• Types of Unsecured PHI involved (e.g. full name, SSN)
• Steps the Affected Individuals should take to protect themselves from potential harm
• Covered entity’s actions to investigate the breach, mitigate harm to the Affected Individual, and protect against any further breaches
• Contact procedures that Affected Individuals can use to ask questions or learn additional information

Delivery of Notice

• Sent by first-class mail (or by electronic mail if the Affected Individual has specified such preference)
• “Without unreasonable delay,” but no later than 60 days after the discovery of such breach
• If there is no current contact information for one or more Affected Individuals, notify through a substitute form as soon as reasonably possible:
– Fewer than 10 Affected Individuals
• Alternative written means
– More than 10 Affected Individuals
• Conspicuous posting for a period of 90 days on home page of Web site or in major print or broadcast media

Notice to HHS and Media Outlets

• Fewer than 500 Affected Individuals
– Maintain a log of breaches
– Notify HHS of breaches within 60 days after the end of the calendar year, in the manner specified on the HHS website
• More than 500 Affected Individuals
– Notify HHS contemporaneously with the notice provided to the Affected Individuals
– If the Affected Individuals reside in the same state:
• Notify prominent media outlets serving the state
• Written notice to the Affected Individuals
• Notify HHS of such breach
• HHS to specify on its Web site the information that covered entities must submit to HHS and how such information should be submitted to HHS

Business Associate Requirements

• Notify covered entity upon discovery of breach of Unsecured PHI
• “Without unreasonable delay” and in no case later than 60 days after discovery of breach
• Identity of each individual subject to breach
• Provide other available information that covered entity is required to include in notice to Affected Individual
• Provide information even if not available until after notifications have been sent to Affected Individuals or after 60-day period has elapsed.

Delaying Notice

• Delay if law enforcement official determines that providing notice would impede a criminal investigation or cause damage to national security
• If notice of delay is provided in writing and includes length of time that notice must be delayed, delay providing notice for time specified
• If notice of delay is given orally, document statement and identity of official and delay notification for no longer than 30 days, unless written statement is provided

Step-by-Step Analysis

• Practical steps when determining whether a breach of Unsecured PHI has occurred:

Step 1: Determine whether there has been an impermissible use or disclosure of PHI that would violate the HIPAA privacy rules

Step 2: Perform a risk assessment to determine harm

Step 3: Determine whether exception to definition of “breach” applies

• If there has been a breach of Unsecured PHI, provide appropriate notice
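As an added worked example (not part of the seminar materials), the following Python encodes the three-step analysis above together with the notice rules from the preceding breach slides: the 60-day deadline measured from discovery, substitute notice when contact information is missing, notice to HHS (contemporaneous for large breaches, otherwise logged and reported within 60 days after the calendar year), media notice for large breaches in one state, and the 30-day cap on an oral law-enforcement delay. The dataclass and function names, the field names, the 500-or-more threshold and the sample breach facts are assumptions made for this example.

```python
"""Breach determination and notice planning.

Added example, not part of the seminar slides. Function and field names,
the LARGE_BREACH threshold and the sample facts are assumptions.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

# Assumption: the regulation's "large breach" threshold is 500 or more
# Affected Individuals (the slides phrase it as "more than 500").
LARGE_BREACH = 500


@dataclass
class Incident:
    """Facts recorded on a breach evaluation form (constructed fields)."""
    impermissible_use: bool     # Step 1: use/disclosure violates the Privacy Rule
    significant_risk: bool      # Step 2: risk assessment found significant risk of harm
    exception_applies: bool     # Step 3: a documented "breach" exclusion fits
    unsecured: bool = True      # PHI was not encrypted or destroyed


def is_reportable_breach(inc: Incident) -> bool:
    """Step-by-step analysis: every test must point to a breach of Unsecured PHI."""
    if not inc.impermissible_use:
        return False            # Step 1: no Privacy Rule violation, no breach
    if not inc.significant_risk:
        return False            # Step 2: less than significant risk, no notice
    if inc.exception_applies:
        return False            # Step 3: excluded from the definition of breach
    return inc.unsecured        # secured PHI (encrypted/destroyed) needs no notice


@dataclass
class NoticePlan:
    individual_deadline: str          # ISO date
    substitute_notice: Optional[str]  # None when everyone can be reached
    hhs_deadline: str                 # ISO date
    media_notice: bool
    notes: List[str] = field(default_factory=list)


def plan_notices(discovered: str, affected: int, same_state: bool,
                 unreachable: int = 0, le_delay_days: int = 0,
                 le_delay_in_writing: bool = False) -> NoticePlan:
    """Derive deadlines and channels from the breach facts.

    discovered     ISO date of the first day the breach was (or should have been) known
    affected       number of Affected Individuals
    same_state     True when the Affected Individuals reside in one state
    unreachable    Affected Individuals with no current contact information
    le_delay_days  delay requested by a law enforcement official, if any
    """
    notes: List[str] = []
    found = date.fromisoformat(discovered)

    # An oral delay request holds for at most 30 days unless a written statement follows.
    delay = le_delay_days
    if delay > 30 and not le_delay_in_writing:
        notes.append("oral delay request capped at 30 days")
        delay = 30
    individual_deadline = found + timedelta(days=60 + delay)

    substitute = None
    if unreachable > 0:
        substitute = ("alternative written means" if unreachable < 10
                      else "90-day conspicuous posting or major print/broadcast media")

    if affected >= LARGE_BREACH:
        hhs_deadline = individual_deadline       # contemporaneous with individual notice
        media = same_state
    else:
        # Log the breach; report it to HHS within 60 days after the calendar year ends.
        hhs_deadline = date(found.year, 12, 31) + timedelta(days=60)
        media = False

    return NoticePlan(individual_deadline.isoformat(), substitute,
                      hhs_deadline.isoformat(), media, notes)


if __name__ == "__main__":
    # Constructed scenario: a lost unencrypted laptop discovered on the seminar date.
    if is_reportable_breach(Incident(True, True, False)):
        print(plan_notices("2012-09-11", affected=120, same_state=True, unreachable=4))
```

The decision function deliberately returns early at each step so that the reason for "no notice" is visible in the code path; in practice that reason, and the risk assessment behind it, is what gets documented on the breach evaluation form.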


STATE PREEMPTION


HIPAA or State Law?

• HIPAA is a federal floor of privacy and security protections

• General rule: State laws contrary to HIPAA are preempted by HIPAA

• State laws providing greater protection than HIPAA are not preempted by HIPAA


HIPAA SECURITY


HIPAA Security Rule

• Protects the confidentiality, integrity and availability of protected health information that is maintained or transmitted electronically (“ePHI”)


HIPAA Security Rule

• CONFIDENTIALITY – ePHI must not be made available or disclosed to an unauthorized person or process, including employees who do not have a need to use the information

• INTEGRITY – ePHI must not be altered or destroyed in an unauthorized manner

• AVAILABILITY – ePHI must be accessible and useable by an authorized person at all times

What Information is Protected Under Security Rule?

• Electronic transmissions of ePHI within the company, as well as transmissions to outside entities
– Extends to all members of the workforce, including those who work at home
• Exceptions:
– Facsimile
– Telephone systems (voice or keypad)
– Copy machines
– Videoconferencing systems
– Voicemail

Who Must Comply with Security Rule?

• Covered entities and business associates are required to comply with the Security Rule

• The HIPAA Security Rule mandates that certain safeguards be implemented to protect ePHI, including:
– Administrative safeguards
– Physical safeguards
– Technical safeguards
• Safeguards include:
– Controls to limit access to ePHI by workforce
– Audits to determine who accessed ePHI and when ePHI was accessed

Who is Responsible for Implementing Security Safeguards?

• “Security Officer” is responsible for:
– Developing and implementing security safeguards to protect ePHI
– Addressing security concerns
– Periodically auditing and assessing the security of ePHI
• The designation of a Security Officer must be documented and may be the same person as the Privacy Officer
• Security Standards must be addressed
• Implementation Specifications
– Required
– Addressable
• If an addressable specification is not reasonable and appropriate, document the reasons

Administrative Safeguards

• Documented policies and procedures for:
– Managing day-to-day operations
– The conduct and access of workforce members to ePHI
– The selection, development and use of security controls

Administrative Safeguards (cont.)

• Standard: Security Management Process
– Risk analysis (required)
– Risk management (required)
– Sanction policy (required)
– Information system activity review (required)
• Standard: Security Responsibility
• Standard: Workforce Security
– Authorization and/or Supervision (addressable)
– Workforce Clearance Procedure (addressable)
– Termination Procedure (addressable)

Administrative Safeguards (cont.)

• Standard: Information Access Management
– Access Authorization (addressable)
– Access Establishment and Modification (addressable)
• Standard: Security Awareness and Training
– Security Reminders (addressable)
– Protection from Malicious Software (addressable)
– Log-in Monitoring (addressable)
– Password Management (addressable)
• Standard: Security Incident Procedures
– Response and Reporting (required)

Administrative Safeguards (cont.)

• Standard: Contingency Plan
– Data Backup Plan (required)
– Disaster Recovery Plan (required)
– Emergency Mode Operation Plan (required)
– Testing and Revision Procedures (addressable)
– Applications and Data Criticality Analysis (addressable)
• Standard: Evaluation
• Standard: Business Associate Contracts and Other Arrangements
– Written Contract or Other Arrangement (required)

Physical Safeguards

Physical measures and policies and procedures that protect electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion


Physical Safeguards (cont.)

• Standard: Facility Access Controls
– Contingency Operations (addressable)
– Facility Security Plan (addressable)
– Access Control and Validation Procedures (addressable)
– Maintenance Records (addressable)
• Standard: Workstation Use
• Standard: Workstation Security
• Standard: Device and Media Controls
– Disposal (required)
– Media Re-use (required)
– Accountability (addressable)
– Data Backup and Storage (addressable)

Technical Safeguards

The technology and the policy and procedures that protect ePHI and control access to it


Technical Safeguards (cont.)

• Standard: Access Control
– Unique User Identification (required)
– Emergency Access Procedure (required)
– Automatic Logoff (addressable)
– Encryption and Decryption (addressable)
• Standard: Audit Controls
• Standard: Integrity
– Mechanism to Authenticate ePHI (addressable)

Technical Safeguards (cont.)

• Standard: Person or Entity Authentication
• Standard: Transmission Security
– Integrity Controls (addressable)
– Encryption (addressable)
• Standard: Policies and Procedures
• Standard: Documentation Requirements
– Time Limit (required)
– Availability (required)
– Updates (required)

Documentation Requirements

• Retain documentation in paper or electronic format for 6 years, or longer if required by state law, including:
– Policies and procedures related to Security Rule compliance
– Documentation of any activity, action or assessment required by the Security Rule
• Policies and procedures must be reviewed and updated periodically in order to address environmental or operational changes affecting the security of ePHI

HIPAA Audit Protocols


Stimulus Act – Generally

• Effects on HIPAA
– Expanded protection of PHI
– Increased privacy and security obligations for covered entities and business associates
• Generally effective February 17, 2010

HITECH Act: HIPAA Audits

• Requires HHS to conduct periodic audits on covered entities and business associates to ensure compliance with:
– Privacy Rule
– Security Rule
– Breach Notification
• Congressional mandate is the floor. OCR has discretion.
• Up to 150 audits originally planned, at this time adjusted to 115

Objectives of the Audit Program

• Consider methods of compliance
• Ascertain best practices
• Identify risks/vulnerabilities not identified through previous enforcement efforts
• Foster compliance efforts

Previous HIPAA Enforcement Efforts

• Complaints – large volume, but generally did not result in formal action

• Compliance Reviews – incident-based
• Breach Reports

These efforts were reactive in nature; Congress wanted to be more proactive.

OCR Uses Contractors for Audits

Source: http://csrc.nist.gov/news_events/hiipaa_june2012/day2/day2-2_lsanches_ocr-audit.pdf

Description | Vendor | Status/Timeframe
Audit program development study | Booz Allen Hamilton | Closed 2010
Covered entity & business associate identification and catalog | Booz Allen Hamilton | Closed 2012
Develop audit protocol and conduct audit | KPMG, Inc. | Open 2011 – 2012
Evaluation of Audit Program | TBD | To be Awarded – Conclude in 2013

The Audit Protocols

• Developed by contractor
• Three areas:
– Privacy
– Security
– Breach Notification
• Focus on:
– Management inquiries
– Reviewing policies and procedures
– Evidence of implementation
– Documentation of reasons why not implemented
• Currently located at: http://ocrnotifications.hhs.gov/hipaa.html

Who Can be Audited?

• Every type and size of covered entity is eligible for an audit

• Randomly selected based on type, size and geography, not prior incidents. Criteria include:
– Public vs. Private
– Level of assets/revenue
– Number of patients/employees
• To date, approximately 50% of audited entities have been health care providers
• Business associates may be included in future audits

What is the audit process?

• Entity receives notice of audit from OCR. Notice includes a request for documentation
– By registered mail
– Addressed to CEO – redirect as soon as it arrives!
– In some instances, you may know in advance of written notice
– Audit response team takes action
• Walk-throughs, mock interviews
– Notify support team (internal/external)

What is the audit process? (cont.)

• Assemble and submit documentation by deadline
• Documentation may include:
– Policies and procedures
• Breach notification process
• Risk assessments
• Security incident management plan
• Business continuity/disaster recovery plan
• Disaster recovery exercise documentation
• Information security training and awareness
• Organizational chart
– Forms
– Previous audit reports and assessments

What is the audit process? (cont.)

• Auditor reviews documentation (min. 15 days)
• On-site visit
– Conducted 30-90 days from receipt of notice
– Lasts 3-10 business days (5-10 days is most common)
– Personnel interviews (all levels, clinical and non-clinical)
– Walk-throughs
– Operational reviews
– Requests for additional information

The Audit Protocols are a guideline; each audit is unique.

What is the audit process? (cont.)

• Draft Audit Report – 20-30 days after on-site visit
– Follow-up questions and additional requests for information are likely

You will likely know what many of the findings will be, and should focus on preparing a response.

What is the audit process? (cont.)

• Review and Respond to Draft Report
– Report includes findings and recommendations
– 10 business days to respond
– Review closely!
– Identify mitigating information
– Consider plan for remediation
– Consult with consultants/legal counsel (e.g. legal arguments re: how rules are applied)
– Challenge findings if warranted (e.g., inaccuracies, justification of approach for implementation)

What is the audit process? (cont.)

• Final Report
– Submitted to OCR
– Within 30 days of covered entity’s response
– Includes steps taken to resolve compliance issues
• Action by Covered Entity
– Consider implementing recommendations for compliance
– Ongoing compliance efforts
– Cooperation with OCR

What happens next?

• OCR reviews final report
• Primarily a compliance improvement tool
• Not intended to investigate particular violations
• Best practices will be shared
• Targeted compliance guidance will be published
• Serious compliance issues may trigger separate investigation and enforcement action

Initial 20 Findings Analysis Overview

(Chart slides; the findings figures are not reproduced in this transcript.)

Why is this important?

• Likelihood of being chosen for audit is small, but short turnaround time if chosen
• Ongoing audit efforts, increased enforcement
• Reason to review policies, procedures and actual operations
• Identify/resolve weaknesses and concerns

Where is your PHI?

• Paper
• Electronic, even if no EHR
• Computers, laptops, smart phones
• On-site/Off-site
• Movement within organization
• To/from third parties

Written Policies and Procedures

• Implement policies and procedures for HIPAA compliance including privacy, security and breach notification

• Organized, easy to search/find

• Centralized index for compliance documents

• Review for completeness, ensure they are up-to-date

• Maintain for 6 years and make available to HHS upon request


Privacy Policies: What to Include?

• Use and disclosure of PHI
• Patient’s rights
– Notice of uses and disclosures of PHI
– Access to PHI
– Request for amendment of PHI

Privacy Policies: What to Include? (cont.)

• Patient’s Rights (cont.)
– Accounting for disclosures of PHI
– Request for restriction on use or disclosures of PHI
– Request for confidential communication of PHI
• Use and disclosure of PHI subject to an authorization
• Use and disclosure of PHI subject to minimum necessary
• Use and disclosure of PHI for fundraising
• Personal representation of individuals

Privacy Policies: What to Include? (cont.)

• Use and disclosure of PHI not subject to an individual’s authorization or opportunity to agree or object
• Accounting for disclosures of PHI – tracking disclosures
• Use and disclosure of PHI for research purposes
• Use and disclosure of PHI to persons involved in the individual’s care and for notification purposes
• Use and disclosure of de-identified health information

Privacy Policies: What to Include? (cont.)

• Use and disclosure of PHI within a limited data set
• Safeguarding against wrongful uses and disclosures of PHI
• Human Resources
• Complaints regarding privacy practices
• HIPAA Recordkeeping
• Verification of entities or persons to whom protected health information may be disclosed
• Use and disclosure of PHI by business associates
• Notification of breach of PHI to individuals, media and HHS.

Privacy Policies: What to Include? (cont.)

• Privacy Officer’s Name and Contact Information, Job Description
• Off-site disposal procedures (e.g. shredding of paper records or return to home office for shredding).
• Forms, including:
– Request for Access
– Request for Amendment
– Request for Accounting of Disclosures
– Request for Restrictions on Uses and Disclosures
– Request for Confidential Communications

Privacy Policies: What to include? (cont.)

• Forms (cont.)
– Authorization for Release of Protected Health Information
– Notices re: Approval/Denial of Requests, Extensions of Time, Additional Rights
– Privacy Practices Complaint Form
– Business Associate Agreement
– Disclosure Tracking Log Form, with fields:
• Patient Name
• Medical Record Number
• Date Request Received
• Name of Requestor
• Address (if known)
• Written Request (Y/N)
• Purpose of Disclosure
• Description of PHI Disclosed
• Date Disclosed
• Disclosed by

Privacy Policies: What to include? (cont.)

• Sanction Guidelines for HIPAA Violations
– Violation/Possible Sanction
– Example 1:
• Violation: Obtaining, using or disclosing PHI under false pretenses, such as if a workforce member misrepresents a fact in order to obtain, use or disclose an individual’s PHI.
• Possible Sanction: Termination
– Example 2:
• Violation: Unintentionally violating privacy practices.
• Possible Sanction: First offense – formal letter of reprimand and applicable training. Second offense – suspension for a period of time commensurate with violation. Third offense – termination.

Security Policies: What to Include?

• Administrative Safeguards
– Security management
• Risk analysis and mitigation
• Risk management
• Sanctions
• Information system activity review
– Security responsibility – Assignment of security responsibility

Security Policies: What to Include? (cont.)

• Administrative Safeguards (cont.)
– Workforce security
• Access authorization and supervision
• Workforce clearance
• Workforce termination
– Information access management
• Access authorization
• Access establishment and modification
– Security awareness and training
• Security reminders
• Malicious software

Security Policies: What to Include? (cont.)

• Administrative Safeguards (cont.)
– Security awareness and training (cont.)
• Login monitoring
• Password management
– Security Incident Procedures – response and reporting
– Contingency Plan
• Data backup
• Disaster recovery
• Emergency mode operations
• Testing and revision

Security Policies: What to Include? (cont.)

• Administrative Safeguards (cont.)
– Contingency Plan (cont.)
• Application and data criticality analysis
– Evaluation – Compliance evaluation
• Physical Safeguards
– Facility Access Controls
• Facility contingency operations
• Facility security
• Facility access control and validation
• Facility maintenance records

Security Policies: What to Include? (cont.)

• Physical Safeguards (cont.)
– Workstation Use
– Workstation Security
– Device and Media Controls
• Device disposal
• Media re-use/transfer
• Accountability
• Data backup and storage
• Technical Safeguards
– Access Control
• Unique user identification
• Emergency Access

Security Policies: What to Include? (cont.)

• Technical Safeguards (cont.)
– Access Control (cont.)
• Automatic logoff
• Encryption & decryption
– Audit Controls
– Integrity Controls
– Person/Entity Authentication
– Transmission Security
• Transmission integrity controls
• Transmission encryption

Security Policies: What to include? (cont.)

• Security Officer’s Name and Contact Information, Job Description
• Risk Assessment for entity and ePHI systems
• Plans (or where to find them)
– Security incident management plan
– Business continuity/disaster recovery plan
– Data backup and recovery procedures

Security Policies: What to include? (cont.)

• Forms, e.g.:
– Maintenance request form
– Equipment/Media Disposal and Sanitation Log
– Access Authorization and Supervision Form used by Security Officer to grant/establish/modify access rights to systems, applications, etc., with fields:
• Name
• Position
• Access Level based on Job Description
• Supervision Level
• Supervisor Approval

Breach Notification: What to include?

• Internal reporting requirements and processes
• Written incident response plan
• Breach Evaluation Form
– Description of incident
– Analysis or Risk Assessment
– List of individuals who participated in analysis or risk assessment
– Other risk assessment documentation

Additional Considerations: Transmission of Emails Containing ePHI

• E-mails sent from one employee to another do not need to be encrypted or password protected

• E-mails should only be sent to employees who need to know the information

• E-mails sent outside of the company must be password protected or encrypted

• Unsolicited ePHI received in an unsecure manner must be appropriately secured once it is in the possession of the covered entity or business associate

• ePHI should never appear in the subject line of an e-mail
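The e-mail rules on this slide are the kind of policy a mail gateway or DLP rule can enforce. The following Python is an added example, not code from the seminar or any product it mentions: it models a message, applies the five rules above (internal mail needs no encryption, ePHI only to staff who need to know, external mail must be encrypted or password protected, nothing in the subject line, and unsolicited unencrypted ePHI gets secured on receipt) and returns the findings. The company domain, the two illustrative ePHI detectors (an SSN pattern and an MRN pattern), the need-to-know list and the sample messages are assumptions; a real deployment would use a much richer detector set.

```python
"""Policy check for e-mails carrying ePHI.

Added example, not from the seminar slides. INTERNAL_DOMAIN, the two
detectors, the Email fields and the sample messages are assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import List, Set

INTERNAL_DOMAIN = "clinic.example"   # assumed company domain

# Illustrative ePHI detectors: a US SSN and a medical record number.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
MRN_RE = re.compile(r"\bMRN[:#\s]*\d{5,}\b", re.IGNORECASE)


def contains_ephi(text: str) -> bool:
    """True when either detector fires on the text."""
    return bool(SSN_RE.search(text) or MRN_RE.search(text))


@dataclass
class Email:
    sender: str
    recipients: List[str]
    subject: str
    body: str
    encrypted: bool = False                  # encrypted or password-protected by the gateway
    need_to_know: Set[str] = field(default_factory=set)  # internal addresses cleared for this PHI


def is_internal(addr: str) -> bool:
    return addr.lower().endswith("@" + INTERNAL_DOMAIN)


def check_outbound(msg: Email) -> List[str]:
    """Return policy findings for an outbound message (empty list = compliant)."""
    findings: List[str] = []
    if contains_ephi(msg.subject):
        findings.append("ePHI in subject line")      # never, regardless of recipient
    if not (contains_ephi(msg.subject) or contains_ephi(msg.body)):
        return findings                              # no ePHI: recipient rules do not apply
    for rcpt in msg.recipients:
        if is_internal(rcpt):
            # Internal mail need not be encrypted, but only need-to-know staff may receive it.
            if rcpt.lower() not in msg.need_to_know:
                findings.append(f"internal recipient without need to know: {rcpt}")
        elif not msg.encrypted:
            # Anything leaving the company must be encrypted or password protected.
            findings.append(f"unencrypted ePHI to external recipient: {rcpt}")
    return findings


def triage_inbound(msg: Email) -> str:
    """Unsolicited ePHI received unencrypted must be secured once in our possession."""
    if contains_ephi(msg.subject) or contains_ephi(msg.body):
        return "secure" if msg.encrypted else "move-to-secure-store-and-purge-mailbox"
    return "no-action"


if __name__ == "__main__":
    # Constructed sample: a billing message that breaks two rules at once.
    sample = Email("billing@clinic.example", ["claims@payer.example"],
                   "Re: SSN 123-45-6789 claim", "Attached statement for MRN 0048213.")
    for finding in check_outbound(sample):
        print(finding)
```

Note that the subject-line rule fires even when the recipient is internal and cleared: subject lines travel in logs, notification previews and quarantine reports that the body does not, which is why the slide singles them out.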

Other Documentation

• Policies are not enough! Need evidence of implementation and ongoing compliance
– Risk assessment – document the process!
– Disclosure logs
– Logs of security breaches
– Documentation of access rights, periodically updated to reflect changes in workforce
– Evidence of systems activity review
– Training documentation for each employee
– Evidence of responses to violations (sanctions, updated risk assessments, revisions to policies)

Other Documentation (cont.)

– List of all business associates, including contact information, phone and email address, what the relationship is, name of applicable agreement
– Custodial Staff
• Not generally regarded as business associates; consider confidentiality agreement, procedures for inadvertent encounters with PHI, termination for breach of confidentiality

INTERNAL DISCIPLINARY SANCTIONS

• Have them
• Apply them
• Document them
• You will be penalized if you violate applicable privacy policies or HIPAA
• Depending on your violation, you may receive a warning letter, suspension or termination

Be consistent with what is in your policies and what occurs in practice!

Training Overview

• Every person accessing data holds a position of trust. Each individual must recognize his or her responsibility to protect the privacy and security of this information.

• All levels of the workforce need HIPAA awareness and training

• Training should be consistent, ongoing and documented


Initial Training – Fundamentals

• What is HIPAA?
• What does HIPAA cover?
– Privacy
• What is PHI?
• What is excluded from the definition of PHI?
– Security
• What is ePHI?
• What is excluded from the definition of ePHI?

Initial Training – Fundamentals (cont.)

• How does HIPAA affect us?
• What is required of us under HIPAA?
– Uses and disclosures
– Rights of individuals
– Appropriate safeguards
– Administrative requirements
• Report impermissible uses or disclosures that you become aware of either to the Privacy Officer or other designated individual

Initial Training – Fundamentals (cont.)

• Who do I contact with questions?
– Employees need to know who to contact!
– Who advises on HIPAA implementation?
– Who handles requests for access, complaints, etc.?
– Who monitors system activity?
– Who is responsible for business associate agreements?
– Who keeps the forms?

Training Considerations

• Make training simple, easy to understand
• Depending on level of access, consider an evaluation of individual’s understanding at end of training session
• Promote culture of compliance through understanding that training is not an obstacle; it protects the employee as much as it protects the organization
• Employees should understand their role in the process. Security measures are not effective if they are not followed.

Training Considerations (cont.)

• Initial training is not enough! Additional training and security reminders should be provided.
– Source compliance plan, HIPAA policies and procedures for ideas
– Pay attention to news media for violations involving other organizations, use them as training opportunities
• E.g. 2011 news article re: Rhode Island physician who was reprimanded by state regulators for posting information that led to the identification of a patient
• E.g. 2010 article re: negative comments about a patient posted on Facebook

• Inform them that usage will be monitored and audits will be performed.

109

NO PEEKING!

Employees must know that if they do not have a bona fide medical or administrative reason to access a patient’s medical record, then they should not access the record!

110

Recent Enforcement Efforts and Upcoming Regulatory Updates

111

Recent Enforcement Efforts

Source: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/data/historicalnumbers.html#resol

112

Recent Enforcement Efforts (cont.)

• Blue Cross Blue Shield of Tennessee (“BCBST”)
– First enforcement action under HITECH’s breach notification rule
– 2009: BCBST submitted breach report to OCR
• 57 unencrypted hard drives stolen
• Hard drives were located in storage closet leased by BCBST
• Contained audio/video recordings of customer service calls, including PHI
– 2012: OCR and BCBST entered into Resolution Agreement. BCBST did not admit liability, OCR did not concede that BCBST did not violate HIPAA.

113

Recent Enforcement Efforts (cont.)

• BCBST (cont.)
– $1,500,000 payment
– Corrective Action Plan, including updating policies and procedures, training workforce in Security Rule measures regarding ePHI.

114

Recent Enforcement Efforts (cont.)

• OCR Enforcement Action Against Alaska’s Department of Health and Human Services
– In 2009, submitted a breach report to OCR stating that a portable storage device containing PHI had been stolen from the vehicle of a computer technician.
– OCR determined that AK-HHS failed to comply with five HIPAA requirements:
• No risk analysis
• Insufficient risk management precautions
• Failure to train workforce members
• Failure to implement device/media controls
• Failed to address device/media encryption

115

Recent Enforcement Efforts (cont.)

• OCR Enforcement Against AK-HHS (cont.)
– June 2012: OCR and AK-HHS entered into Resolution Agreement. AK-HHS did not admit liability, OCR did not concede that AK-HHS did not violate HIPAA.
– $1,700,000 payment
– Corrective action plan, including requirement to develop, review and revise HIPAA Security Rule policies and train workforce in Security Rule measures regarding ePHI.

116

Recent Enforcement Efforts (cont.)

• United States v. Zhou
– U.S. Attorney General for Central District of California charged Huping Zhou with violating HIPAA by accessing patient records without authorization.

– 2003: Hired University of California at Los Angeles Health System (“UHS”) as research assistant in rheumatology. Terminated in same year for poor performance.

– After termination, accessed patient records at least 4 times.

117

Recent Enforcement Efforts (cont.)

• United States v. Zhou (cont.)
– Government alleged that Zhou violated 1320d-6(a)(2), which applies to persons who “knowingly and in violation of HIPAA” obtain PHI.

– Zhou moved to dismiss charges, stating no assertion that his actions were illegal.

– District Court denied. Sentenced to 4 months in prison plus 1 year of supervised release, $2,000 fine…

– Zhou appealed to Ninth Circuit Court of Appeals. Stated that he did not know his actions were illegal, government misapplied “knowing” requirement of the statute.

118

Recent Enforcement Efforts (cont.)

• United States v. Zhou (cont.)
– Court: “knowingly and in violation” of the statute = two separate elements: (1) must knowingly obtain an individual’s PHI; and (2) must obtain the information in violation of HIPAA. Do not need to know that your conduct was in violation of HIPAA.

119

Upcoming Regulatory Updates

• A final “omnibus” rule was expected to be released in July, 2012. Has since been delayed. Expected to include:
– Final Enforcement Rule
– Final Breach Notification Rule
– Changes to HIPAA Privacy and Security Standards

120

Disclaimer

Consult with legal counsel!

121

Questions???

Pamela H. Del Negro

Robinson & Cole LLP

[email protected]

(860) 275-8261