HIPAA and Privacy for Researchers

HIPAA and Privacy: Changing Landscape 2014
Jason Karn, Total HIPAA Compliance, LLC

Posted 07-May-2015

DESCRIPTION

While researchers are technically not covered by HIPAA, it is still important to protect patients' Protected Health Information (PHI). This is a presentation I did for the Society of Clinical Research Associates (SOCRA).

TRANSCRIPT

Page 1: HIPAA and Privacy for Researchers

HIPAA and Privacy: Changing Landscape 2014

Jason Karn, Total HIPAA Compliance, LLC

Page 2

Topics for Discussion
• Who is required to comply with HIPAA?
• How has HIPAA changed?
• What other privacy regulations protect research subjects?
• What lessons can be learned from recent HIPAA breaches?

Page 3

HIPAA Has Changed

Requirements of the updated 2013 Omnibus Rule went into effect September 23, 2013

Page 4

What is Different in the New HIPAA?
• Increases in fines and penalties for breaches of health information
• Encryption for both stored Protected Health Information (PHI) files and emails (the Security Rule lists encryption as an "addressable" specification: implement it, or document why an equivalent control is reasonable; only PHI encrypted in line with HHS guidance is exempt from breach notification if it is lost or stolen)
• Business Associates' Subcontractors and BAs must meet the same requirements as Covered Entities
• Implement new Policies and Procedures for Security and Privacy
• Staff needs to be trained on HIPAA and your Policies and Procedures

Page 5

HIPAA Compliance is Required for Anything Related to:
• Medical
  – Medicare Supplement
  – Drug Coverage
  – Federally Mandated Marketplace (FMM)
• Dental
• Vision

Page 6

HIPAA is...

Applicable (PHI)
• Hospital / practice and its employees
• Laboratory or reader that receives identifying information
• EHR provider
• Patient recruitment company
• Chart review company
• Subject payment company

Not Applicable (released PHI)
• Pharma and Device sponsor
• Clinical Research Organization
• Central laboratory or reader that receives blinded information
• EDC provider

Page 7

HIPAA Does NOT Apply to:
• Short-term and long-term disability
• AD&D (Accidental Death and Dismemberment)
• Life insurance
• Worker's Compensation
• Auto medical insurance
• Fitness-for-duty exams (DOT or OSHA exams)
• Drug testing
• Work-life benefits (fitness center)
• Family Medical Leave Act (FMLA)
• Americans with Disabilities Act (ADA)

Page 8

Who Must Be Compliant

Page 9

Who Does this Affect?

This law affects all Covered Entities, Business Associates, and Subcontractors of Business Associates that come in contact with Protected Health Information. YOU MAY FIND YOUR COMPANY WILL FALL UNDER MORE THAN ONE CATEGORY!

Page 10

Healthcare Providers
• Doctors
• Clinics
• Psychologists
• Dentists
• Chiropractors
• Nursing Homes
• Pharmacies
...but only if they transmit any information in an electronic form in connection with a transaction for which HHS has adopted a standard

BA/Subcontractors
Any contractors that may have access to Protected Health Information (PHI). Including, but not limited to:
• Maintenance or Cleaning Services
• Accountants
• Attorneys
• Billing Services
• Building Operator
• Health Insurance Agents
• Shredding Companies
• Temp Agencies
• Supplemental Staffing Agencies

Health Plan
• Health Insurance Companies
• HMOs
• Employers offering health plans
• Government programs that pay for health care, such as Medicare, Medicaid, and the military and veterans health care programs

Page 11

Difference Between BA and Subcontractors

Covered Entities have Business Associates and Business Associates have Subcontractors

Page 12

BA/Subcontractors
• What must the Business Associate do?
  – Have them sign a Business Associate Subcontractor Agreement
  – Ensure they train their employees, and implement policies and procedures concerning HIPAA Privacy and Security

Page 13

BA/Subcontractors

If your BAs/Subcontractors are NOT compliant, this can be a liability issue for the Covered Entity. Under the federal common law of agency, it is now the Covered Entity's and Business Associate's responsibility to make sure that their BAs/Subcontractors are implementing and following HIPAA.

Page 14

Penalties for Privacy Rule Violations

Violation                        Penalty
Did Not Know                     $100 - $50,000 / violation, up to $1.5 Million / year
Reasonable Cause                 $1,000 - $50,000 / violation, up to $1.5 Million / year
Willful Neglect - Corrected      $10,000 - $50,000 / violation, up to $1.5 Million / year
Willful Neglect - Not Corrected  $50,000 / violation, up to $1.5 Million / year

Page 15

Criminal Penalties

Violation                                  Penalty
Knowingly obtaining or disclosing PHI      Up to $50,000 + up to 1 year in prison
Offenses conducted under false pretenses   Up to $100,000 + up to 5 years
Intent to sell, financial gain, or harm    Up to $250,000 + up to 10 years

Page 16

Best Business Practices

If you're coming in contact with Protected Health Information (PHI), you should be trained!
• In order to share information with research sites
• Reduces potential liability under HIPAA and other laws and regulations that protect privacy

Page 17

FTC Liability

• July 2011: an Accretive Health employee has an unencrypted laptop holding 23,000 patient records stolen from a car
• FTC finds Accretive failed "to employ reasonable and appropriate measures to protect personal information" under Section 5(a) of the FTC Act, 15 U.S.C. § 45(a)
• FTC has continued to pursue healthcare companies into 2014

Page 18

Civil Liability

• HIPAA used as a standard by which to measure professional responsibility and negligence

Hinchy v. Walgreen Co., et al., No. 49D06 11 08 CT029165 (Marion Co. Sup. Ct., Ind., filed August 1, 2011)

Page 19

Researcher's HIPAA Exception

An external researcher is not a business associate of a covered entity by virtue of its research activities, even if the covered entity has hired the researcher to perform the research

Page 20

WHAT CAN YOU DO TO PREVENT PRIVACY BREACHES?

Page 21

Your laptop and mobile devices:
• Remove information from a laptop or mobile device that doesn't need to be there
  – Old
  – Financial
• Have remote wiping turned on
• Don't leave your laptop in your car
• Watch what you FAX

Page 22

Encryption, Encryption, Encryption
• Email
  – If you are sending emails with PHI, make sure that you send those emails encrypted
• Encrypt your laptop and mobile devices
• Text Messages (standard SMS is not encrypted)

Page 23

Paper Records
• Don't record unnecessary information
• Don't transmit unnecessary information
• Lock up paper records even in your office
• Send records to secure storage when appropriate

Page 24

Numbers (2009-2013)
• 29.3 million health records compromised. This counts only breaches affecting 500 or more patients, which must be reported to HHS; the real number is probably closer to 45 million
• 90,000 complaints to HHS
• 17 fines from HHS for HIPAA violations

Page 25

Breaches as of January 17, 2014

# of Breaches  Location                          Reason                           Individuals Affected
164            Laptop                            Theft                            3,962,143
63             Paper                             Unauthorized Access/Disclosure   533,230
62             Desktop                           Theft                            6,406,636
41             Other Portable Electronic Device  Loss                             238,498
40             Other Portable Electronic Device  Theft                            444,024

Source: http://www.melamedia.com/HIPAA.Stats.home.html

Page 26

Complaints (as of 12/31/12 - HHS)

Total (since 2003)
  Complaints Filed               77,200
  Cases Investigated             27,500
  Cases with corrective action   18,600

Civil Monetary Penalties & Resolution Agreements (since 2008)   $15.2 Million

Page 27

NOT ALL IS RIGHT IN THE LAND OF HIPAA

Page 28

Likely to get worse...

• Experian predicts a surge of data breaches. (2014 Data Breach Industry Forecast)

• "People see healthcare as a serious treasure trove for personal identifiable information." (R. Leventhal, Cybercrime in Healthcare: Can It Be Stopped?)

Page 29

CASES

Page 30

Case: New York-Presbyterian Hospital & Columbia University

• A physician set up his own system to pull information from the medical record, with security problems
• A family member found the record of a deceased relative through a Google search
• Investigation found 6,800 records had been exposed on the internet
• NYP pays a $3.3 million fine and CU pays a $1.5 million fine
• Both must implement risk analysis and management, policies and training, and provide progress reports to HHS

Page 31

Case: Triple-S Management
• On 20 Sept 2013 mailed a pamphlet to 13,336 beneficiaries that included their Medicare number
• Immediately reported, notified individuals & media, and gave 1 year of identity protection and credit monitoring
• Under local law fined $500/person + $100,000 penalty for non-compliance with the local investigation: $6.8 million

Page 32

Computers: Stolen and Compromised

• December 6, 2013: two cable-locked computers stolen from BCBS of New Jersey headquarters. Unknown what information was on them; all 840,000 enrollees notified.
• October 2013: 10 unencrypted laptops stolen from Legal Aid Society of San Mateo
• Fall 2013: in two separate thefts, 2 unencrypted laptops stolen from cars of UHS-Pruitt Corporation

Page 33

Data Put on the Internet

Business Associate of California hospital left 32,500 patient records on internet-accessible computer, mapped by Google

Page 34

Data Lost

December 2013 University of Wisconsin-Madison loses unencrypted hard drive containing records for 41,437 people

Page 35

Employee Misbehavior - 2014

• MI hospital employee posts patient pic on Facebook
  – 3 employees that "liked" the photo and the poster fired
• Doctor who runs for political office outed as having posted patient x-rays to Facebook years ago
  – Unclear whether before or after HIPAA; being investigated by state medical board

Page 36

Employee Misbehavior - 2014

• Employee of Texas public psychiatric hospital takes 50 records out of the hospital
• Contract physician takes paper records with information on 858 patients from St. Francis Hospital; records then stolen from his car
• CEO of AOL discusses health care expenses of two employees on an investor conference call

Page 37

Theft

• Silver thieves take x-rays from a dental office in Raleigh (6th biggest HIPAA breach of 2013)
• Hackers from China break into St. Joseph Health Care System for 3 days in December; 405,000 records compromised
• Feb 2014: dental practice employee invites felon boyfriend to hang out in the practice after hours; credit card numbers stolen

Page 38

Phishing

• Thousands of patient records compromised by phishing schemes so far in 2014.
• One hospital lost control of its email system through a phishing attack.
  – It was their second phishing attack of the year. The FBI is investigating.

Page 39

www.TotalHIPAA.com