HIPAA & HITECH Privacy and Security Concerns :
Are You Covered?
Insurance Accounting and Systems Association
Chicagoland Chapter Conference
April 17, 2014
Colin Gainer & Tim Lessman
SmithAmundsen, LLC
HIPAA
Privacy and Security
• Health Insurance Portability and Accountability Act of 1996
• HIPAA created and implemented standards for the use and dissemination of health care information.
• The Privacy Rule and Security Rule are sets of regulations for “administrative simplification” which were promulgated in order to carry out the requirements set forth by HIPAA.
Privacy Rule
The Privacy Rule regulates the use and disclosure of individuals’ health information, called protected health information (“PHI”)
Security Rule
The Security Rule sets standards for protecting the confidentiality, integrity, and availability of electronic protected health information (“e-PHI”), including ensuring that only individuals authorized to work with e-PHI have access to it.
Privacy Rule applies to all forms of patients’ protected health information
Security Rule covers protected health information in electronic form
Both rules stress the need to maintain “administrative”, “physical” , and “technical” safeguards when working with any form of protected health information.
Under HIPAA and HITECH
• Covered Entity (CE):
–Health plan
–Healthcare Clearinghouse
–Healthcare Provider
What is a Covered Entity?
• A Health Care Provider: this includes providers such as hospitals, doctors, clinics, psychologists, dentists, chiropractors, nursing homes, and pharmacies
• A Health Plan: this includes health insurance companies, HMOs, company health plans, and government programs that pay for health care, such as Medicare, Medicaid, and the military and veterans health care programs
• A Health Care Clearinghouse: this includes entities that process nonstandard health information they receive from another entity into a standard format (i.e., standard electronic format or data content), or vice versa
Who is a Business Associate of a Covered Entity Under HIPAA
• Business Associate (BA) is a person/entity who, on behalf of a covered entity (but not as a member of its workforce):
– Performs or assists with a function or activity involving individually identifiable health information (e.g., claims processing, data analysis, billing), or
– Provides legal, accounting, consulting, management, or similar services to the covered entity that involve the disclosure of PHI
Business Associate Examples
• Law firms
• Accountants
• Information technology companies
• Billing services
• Health insurance brokers
HITECH
What is HITECH?
• The American Recovery and Reinvestment Act of 2009 (“ARRA”) included legislation commonly referred to as the Health Information Technology for Economic and Clinical Health Act (“HITECH”).
Final Rule
• On January 17, 2013, the Department of Health and Human Services issued long-awaited final regulations (the “Omnibus Rule”) implementing the privacy, security, and breach-notification provisions of the HITECH Act
• Effective March 26, 2013; compliance required by September 23, 2013
• The regulations amend the HIPAA Privacy, Security, and Enforcement Rules and finalize a modified HIPAA Breach Notification Rule, which had been in effect on an interim basis since 2009.
HITECH on HIPAA
• Creates new privacy and security requirements for HIPAA covered entities & their business associates
– New accounting, disclosure, and breach requirements
– New restrictions on marketing & fundraising
– Increased Penalties
– Rise of the HIPAA Audit
Expansion of Business Associate
• Business Associate defined to include:
– Patient Safety Organizations
– Health Information Organizations, E-prescribing gateways
– Subcontractors
Subcontractors
• Downstream entities that work at the direction of or on behalf of a BA
• Does not require the CE to have a contract with the subcontractor (the BA does)
• BA required to obtain written “satisfactory assurances” from its immediate subcontractor (Sub BAA).
• A subcontractor is directly responsible for compliance with the business associate requirements under the Security and Privacy Rules, even if the parties failed to enter into a written business associate agreement.
Expansion of Business Associate
• Entities that maintain PHI
– Document destruction
– ePHI vendors
– Storage vendors
– Cloud storage
• Test is persistence of custody, not the degree of access
The Big Change for Business Associates
The Business Associate before HITECH
• Originally, “the provisions of HIPAA only applied to a business associate through a contractually created relationship with a covered entity.”
• Before HITECH the only remedy available to a covered entity for a business associate’s violation of HIPAA was one of general contract law.
The Business Associate after HITECH
• HITECH creates a direct legal obligation on a business associate in both the application of the HIPAA requirements and the penalties associated with a violation.
• BA may be liable not only to the CE in the case of breach of security or privacy, but to the patient as well through HIPAA.
• BA subject to Civil and Criminal penalties under HIPAA
• Potentially subject to mandatory compliance audits by the Secretary of HHS
BA Obligations
• Limit uses and disclosures to what is permitted under the Privacy Rule
– This specifically includes compliance with the minimum necessary standard;
• Provide breach notification to the covered entity;
• Provide a copy of electronic PHI to either the covered entity or the individual
• Disclose PHI to the Secretary in an investigation
• Provide an accounting of disclosures*
• Comply with the Security Rule safeguards and BAA requirements
HIPAA’s and HITECH’s Impact on Identifiable Health Information
PHI and E-PHI Content
• Individually identifiable health information is information, including demographic information collected from an individual, that:
– Is created or received by a CE (or an employer)
– Relates to the past, present, or future physical or mental health condition of the individual; the provision of health care to the individual; or the past, present, or future payment for the provision of health care to the individual; and
– Identifies the individual, or provides a reasonable basis to believe it can be used to identify the individual
Elements of PHI (identifiers drawn from the Safe Harbor de-identification list, 45 CFR 164.514(b)(2))
• Names
• Geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code
• Elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death
• Telephone and fax numbers
• E-mail addresses
• Social security numbers
• Medical record numbers
• Account numbers
• Certificate/license numbers
• Vehicle identifiers and serial numbers, including license plate numbers
• Web Universal Resource Locators (URLs)
• Internet Protocol (IP) address numbers
• Biometric identifiers, including finger and voice prints
• Full face photographic images and any comparable images
45 CFR 164.514
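The identifier categories above are exactly what a Safe Harbor de-identification pass has to strip before a record stops being PHI. The following Python is an added example, not code from the presentation or from HHS: it drops the listed identifier fields, reduces the listed date fields to their year, and scrubs identifier-shaped strings (SSN, phone, e-mail, URL, IP, ISO date) out of free-text notes. The record layout, the field names and the sample data are assumptions constructed for the example, and the regulation's carve-outs that the slide does not mention (for instance the three-digit ZIP rule) are deliberately not implemented.

```python
"""Safe Harbor style de-identification of a patient record.

Added example, not part of the presentation. It removes the identifier
categories listed on the slide (45 CFR 164.514(b)(2)) and reduces dates
to their year. Field names, the record layout and the sample data are
assumptions made for this example; the regulation's additional carve-outs
(for instance the three-digit ZIP rule) are intentionally not implemented.
"""
from __future__ import annotations

import re
from datetime import date
from typing import Any

# Fields whose values are direct identifiers and are dropped outright.
# (Assumed field names for this example's record layout.)
DIRECT_IDENTIFIER_FIELDS = frozenset({
    "name", "street", "city", "county", "precinct", "zip",   # geography below state level
    "phone", "fax", "email", "ssn", "mrn", "account_number",
    "license_number", "vehicle_id", "license_plate", "url",
    "ip_address", "fingerprint", "voiceprint", "photo",
})

# Dates directly related to the individual: only the year may remain.
DATE_FIELDS = frozenset({"dob", "admission_date", "discharge_date", "date_of_death"})

# Identifier formats that tend to hide inside free-text notes.
# URL runs before EMAIL so a user@host inside a URL is caught as a URL.
FREE_TEXT_PATTERNS = [
    (re.compile(r"https?://\S+"), "[URL]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "[EMAIL]"),
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "[IP]"),
    (re.compile(r"\b(\d{4})-\d{2}-\d{2}\b"), r"\1"),   # ISO date -> year only
]


def scrub_text(text: str) -> str:
    """Replace identifier-shaped substrings in free text."""
    for pattern, replacement in FREE_TEXT_PATTERNS:
        text = pattern.sub(replacement, text)
    return text


def deidentify(record: dict[str, Any]) -> dict[str, Any]:
    """Return a new record with Safe Harbor identifiers removed.

    Direct identifier fields are dropped, date fields are replaced by a
    '<field>_year' integer, and string values are scrubbed for identifier
    formats. Unknown fields pass through (after scrubbing), so a new
    identifier field added upstream is NOT silently protected: run
    residual_identifiers() on the output as a check.
    """
    out: dict[str, Any] = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue
        if key in DATE_FIELDS:
            out[f"{key}_year"] = value.year if isinstance(value, date) else None
            continue
        out[key] = scrub_text(value) if isinstance(value, str) else value
    return out


def residual_identifiers(record: dict[str, Any]) -> list[str]:
    """Keys that are still identifier or date fields (empty after deidentify)."""
    return sorted(k for k in record if k in DIRECT_IDENTIFIER_FIELDS or k in DATE_FIELDS)


# Constructed, fictitious sample record.
SAMPLE = {
    "name": "Jane Q. Sample",
    "street": "12 Example St",
    "city": "Springfield",
    "state": "IL",
    "zip": "62704",
    "dob": date(1975, 3, 14),
    "admission_date": date(2014, 4, 1),
    "ssn": "123-45-6789",
    "mrn": "MRN-0001",
    "diagnosis": "Type 2 diabetes",
    "note": "Patient called from 312-555-0100; follow-up 2014-04-10, email jane@example.org",
}

if __name__ == "__main__":
    cleaned = deidentify(SAMPLE)
    print(cleaned)
    print("residual identifiers:", residual_identifiers(cleaned))
```

The pass is field-driven on purpose: a record whose identifier lives in a field name the table does not know still reaches the output, which is why `residual_identifiers()` only catches known names and a schema review is still needed before any "de-identified" extract leaves the covered entity.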
Secured Information
• Unsecured protected health information is … protected health information that is not secured through a technology or methodology specified in guidance by HHS. - 45 C.F.R. § 164.402.
• The HHS guidance recognizes only two methods: encryption (consistent with NIST standards, with the decryption key kept separate from the data) for electronic PHI, and destruction (shredding or pulverizing paper; clearing, purging, or destroying electronic media per NIST SP 800-88). An incident involving PHI secured by one of these methods does not trigger breach notification.
• Other safeguards, such as workstation security or locked storage for paper records, are required by the Rules but do not make the PHI “secured” for breach-notification purposes.
Securing PHI and E-PHI
– Automatic log out
– Password protected log on
– Procedures in place for guarding against viruses, Trojan horses, worms, etc.
– Limit access to E-PHI internally
– Verify terminated employees/agents no longer have electronic access
– Increase use of shredders (bins) on daily basis and at time of purging closed files
– Monitor or control areas where PHI is used
– Immediately account for and report lost: iPhone, laptop, disks, files, etc.
– Encryption
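Two of the controls above, verifying that terminated employees no longer have electronic access and keeping watch on who touches e-PHI, are only as good as the evidence behind them. The following Python is an added example (not from the presentation): it parses an application access log, joins it with the HR termination list, and reports every e-PHI access that happened after the user's last day, which is the finding an auditor asks for. The log format, user names, record numbers and dates are constructed for the example.

```python
"""Evidence-based check that terminated users no longer access e-PHI.

Added example, not from the presentation. It parses an application access
log, joins it with the HR termination list, and reports every e-PHI access
that occurred after the user's last day of employment. The log format, the
user names and the dates are constructed for this example.
"""
from __future__ import annotations

from datetime import date, datetime
from typing import NamedTuple


class AccessEvent(NamedTuple):
    when: datetime
    user: str
    action: str      # e.g. VIEW, EXPORT
    record_id: str   # medical record number touched


# Constructed HR feed: user name -> last day of employment (inclusive).
TERMINATED: dict[str, date] = {
    "jdoe": date(2014, 3, 31),
    "asmith": date(2014, 4, 4),
}

# Constructed access log: "<ISO timestamp> <user> <action> <record id>" per line.
ACCESS_LOG = """\
2014-04-01T08:15:00 jdoe VIEW MRN-1001
2014-04-01T09:02:00 bjones VIEW MRN-1002
2014-04-05T23:40:00 asmith EXPORT MRN-1003
2014-04-03T10:00:00 asmith VIEW MRN-1004
2014-04-06T07:00:00 jdoe VIEW MRN-1005
"""


def parse_log(text: str) -> list[AccessEvent]:
    """Parse the assumed log format; malformed lines fail loudly rather than being skipped."""
    events = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        parts = line.split()
        if len(parts) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(parts)}: {line!r}")
        ts, user, action, record_id = parts
        events.append(AccessEvent(datetime.fromisoformat(ts), user, action, record_id))
    return events


def accesses_after_termination(events: list[AccessEvent],
                               terminated: dict[str, date]) -> list[AccessEvent]:
    """Events by a terminated user dated after that user's last day, oldest first.

    The last day itself is not flagged (the person was still employed); any
    access on a later calendar day means the account was not disabled in time.
    """
    findings = [
        ev for ev in events
        if ev.user in terminated and ev.when.date() > terminated[ev.user]
    ]
    return sorted(findings, key=lambda ev: ev.when)


def accounts_to_disable(events: list[AccessEvent],
                        terminated: dict[str, date]) -> list[str]:
    """Distinct still-active accounts that should already have been disabled."""
    return sorted({ev.user for ev in accesses_after_termination(events, terminated)})


if __name__ == "__main__":
    evs = parse_log(ACCESS_LOG)
    for ev in accesses_after_termination(evs, TERMINATED):
        print(f"{ev.when:%Y-%m-%d %H:%M} {ev.user:8} {ev.action:7} {ev.record_id}"
              f"  (terminated {TERMINATED[ev.user]})")
    print("disable:", accounts_to_disable(evs, TERMINATED))
```

Each flagged event is both an access-control failure to fix (the account list goes to whoever owns provisioning) and a potential impermissible disclosure that has to go through the breach risk assessment described later in this deck; an EXPORT after termination, as in the sample, deserves more scrutiny than a single VIEW.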
Breaches
Breach Reporting
• HITECH requires every covered entity to notify a person when there has been a “breach” of that person’s unsecured PHI and to notify HHS
• Under HITECH, a business associate is required to notify the covered entity of any breach of unsecured PHI acquired from the covered entity
Old Breach Definition
“Breach” meant the acquisition, access, use, or disclosure of [PHI] in a manner not authorized under [HIPAA] which compromises the security or privacy of such information
45 C.F.R. § 164.402
Old Definition
“compromises the security or privacy” meant a result of:
“significant risk of financial, reputational, or other harm to the individual.”
45 C.F.R. § 164.402
Final Rule Change
• Replaces the breach notification rule’s “harm” threshold with a more objective standard.
• An impermissible use or disclosure of PHI is presumed to be a breach UNLESS the CE or BA can demonstrate that there is a LOW PROBABILITY that the PHI has been compromised, based on a risk assessment of at least four factors: (1) the nature and extent of the PHI involved, (2) the unauthorized person who used or received it, (3) whether the PHI was actually acquired or viewed, and (4) the extent to which the risk has been mitigated.
• Presumption standard: the burden is on the entity to perform and document the assessment
Reporting
• Without unreasonable delay, and in no case later than 60 days after discovery of a breach, a covered entity must provide written notice via first class mail to the affected person’s last known address. 45 C.F.R. §164.404(b).
• In any case in which more than 500 residents of a State or jurisdiction are affected by a breach, the covered entity must also provide notice to prominent media outlets serving that State or jurisdiction.
• Breaches affecting 500 or more individuals must be reported to HHS at the time of the individual notices; smaller breaches are logged and reported to HHS annually.
What must the notice include?
• A description of what happened
• Date
• Types of information involved
• Steps the person should take to protect themselves from potential harm
• Description of covered entity's investigation &
mitigation efforts
• Contact information
• *Toll free number for web/print/broadcast
notice
Business Associate Breach Notification Rule
• Business associate must notify the covered entity
• A business associate must provide notice to the covered entity without unreasonable delay and no later than 60 days after discovery (check the BAA, which may set a shorter period).
• Provide CE with:
– the identification of each individual affected
– any information required to be provided by the CE in its notification to affected individuals.
Additional BA Requirements
• Must report to CE if BA knows of a
“pattern of activity or practice” by CE that
constitutes a material breach of BAA
• BA must take steps to cure the breach
OR:
– Terminate arrangement
– Report to HHS
HIPAA/HITECH Enforcement
Breaches
• Every breach carries with it the potential
for OCR enforcement and civil penalties,
regardless of the size, circumstances,
or response of the responsible entity
Penalties
• Prior to HITECH
– No more than $100 per violation and up to $25,000 per calendar year for identical violations
– Also allowed for an “ignorance of the law” defense
Penalties
HITECH:
• Tiered approach (per violation / annual cap for violations of an identical provision)
– Unaware even through due diligence: $100–$50,000 per occurrence / $1.5 million aggregate
– Reasonable cause, not willful neglect: $1,000–$50,000 per occurrence / $1.5 million aggregate
– Willful neglect, corrected within 30 days: $10,000–$50,000 per occurrence / $1.5 million aggregate
– Willful neglect, not corrected: $50,000 minimum per occurrence / $1.5 million aggregate
OCR Penalties
• Alaska Medicaid Agency
– $1.7 million over PHI of 501 individuals
• BCBS of Tennessee
– $1.5 million over PHI of 1,023,209 individuals
Other Violation Examples
• OCR imposed $4.3 million penalty on Cignet Health of Prince George’s County, MD
– $1.3 million was imposed on the basis that Cignet had denied 41 patients access to their medical records.
– An additional $3.0 million was imposed because Cignet failed to cooperate with OCR’s investigations on a continuing basis from March 17, 2009 to April 7, 2010.
• Massachusetts General Physicians Organization Inc. (Mass General) agreed to pay $1,000,000
– Incident involved the loss of PHI of 192 patients of Mass General’s Infectious Disease Associates outpatient practice, including patients with HIV/AIDS.
• University of California at Los Angeles Health System agreed to settle for $865,500
– Investigation stemmed from complaint of employees viewing records of two separate celebrity patients
OCR and HHS
Findings, Developments, and Trends
• Breaches involving 500 or more individuals made up less than one percent of reports,
– BUT accounted for more than 99 percent of the more than 7.5 million individuals who were affected by a breach of their protected health information
• The largest breaches occurred as a result of theft
• Greatest number of reported incidents:
– Small breaches involving human or technological error
– Most commonly involved the protected health information of just one or two individuals
Trends
• Investigated most
– Impermissible use and disclosure of PHI
– Lack of safeguards on PHI
– Lack of patient access
– Violating minimum necessary rule
– Lack of admin safeguards on E-PHI
Who is Being Affected
Top 5:
• Private Practices
• General Hospitals
• Outpatient Facilities
• Health Plans
• Pharmacies
Audits
HIPAA Audits under HITECH
Section 13411 of the HITECH Act requires the Dept. of Health and Human Services (HHS) to provide for periodic audits to ensure covered entities and business associates are complying with the HIPAA Privacy and Security Rules and Breach Notification standards.
HHS was left with the task of developing and implementing an audit program that carries out the mandate under HITECH
The Office for Civil Rights (OCR), within HHS, oversees the audit process
Audit Protocol
Currently 169 activities OCR considers part of the
Audit Program
78 activities for HIPAA Security
81 activities for HIPAA Privacy
10 activities for Breach Notification and Reporting
http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html
Security Rule Protocols
• The protocol covers Security Rule
requirements for administrative, physical,
and technical safeguards
– Examples:
• Risk assessment policy
• Workforce clearance to PHI access
Privacy Rule Protocols
Covers areas of the Privacy Rule concerning:
1) notice of privacy practices for PHI;
2) rights to request privacy protection for PHI;
3) administrative requirements;
4) uses and disclosures of PHI;
5) access of individuals to PHI;
6) amendment of PHI;
7) accounting of disclosures
Examples:
Business Associate Agreement Policy
Consistent “Use and Disclosure” Policies and “Notice of Disclosure” Policies
Breach Protocols
The protocol covers requirements for the
Breach Notification Rule
Examples:
–Alerting an individual of a breach involving
his/her PHI
–Ensuring breach notification elements are
contained in Business Associate Agreement
What OCR Discovered
• Most of the evaluated entities did not conform to HIPAA standards for security, privacy, and breach notification – the three-audit areas
• 2/3 failed to perform a sufficient security risk assessment
• Most common response to non-compliance finding was that the entity was “unaware of the requirement”
What OCR Discovered
• Privacy requirements entities were most “unaware” of:
– notice of privacy practices
– access of individuals
– minimum necessary
– authorizations
• Security requirements entities were most “unaware” of:
– risk analysis
– media movement and disposal
– audit controls and monitoring
Future of the HIPAA Audit
• As suspected…Round II
• February 2014: HHS OCR announced a plan to survey 1200 organizations – 800 covered entities and 400 business associates
– “will gather information about respondents to enable OCR to assess the size, complexity and fitness of a respondent for an audit.”
– Will collect recent data about the number of patient visits or insured lives, use of electronic information, revenue and business locations
Who Can Be Audited?
• Every covered entity and business associate is eligible for an audit
• Initial rounds were designed to provide a broad assessment of the health care industry
• OCR has promised to audit: “…as wide a range of types and sizes of covered entities as possible; covered individual and organizational providers of health services, health plans of all sizes and functions, and health care clearinghouses..."
HHS OCR Perspective
• Views the audits as a way to improve knowledge, compliance, and encourage best practices
• "Audits present a new opportunity to examine mechanisms for compliance, identify best practices and discover risks and vulnerabilities that may not have come to light through OCR's ongoing complaint investigations and compliance reviews”
Best Practices
• Self-audits
– The audit process is public information
– No secret formula on how OCR will grade your compliance
• Annually review your program
– Do not rely on out-of-date policies and procedures as evidence of compliance
• OCR has been clear that you are out of compliance with the regulation if you are not reviewing and updating your program on an annual basis
– The areas covered by the HIPAA Security Rule are especially sensitive to changes in technology
Best Practices
• Do your policies extend beyond the desktop PC at work?
• Recent OCR enforcement trends have focused heavily on internet and mobile technology
– e.g. cloud and social networking
• Entities need policies and procedures addressing tracking, authentication, and security of PHI accessible “outside” of the physical work area
– e.g. remote access via smartphones and tablets
Worst Practices
• Hoping you do not get selected (fingers crossed approach)
• Thinking you are too small to be noticed by OCR
• Waiting until you receive an Audit letter to begin developing HIPAA/HITECH compliant policies
What the future will bring…
• More audits!
• Evidence Audits will not go away:
– HHS mandated under HITECH to periodically audit
– Audits perform a two-fold function of enforcing HIPAA and generating (potentially) revenue in the form of penalties stemming from HIPAA violations
– Money has been appropriated for the audit program
• OCR Director Leon Rodriguez:
“We did our audit pilot this year and…the idea after that is to have a permanent program, part of which will need to be funded by the proceeds of enforcement. I saw these articles out there that said “More audits are coming” and “Are you ready for audits?” and that’s a smart question because that is really what’s ahead for us.”
The Cyber Threat
• Data Breach Examples:
• Hacking
• Theft of storage devices
• Viruses
• Catastrophic weather events
• State-sponsored hacking
The Implications:
• Exposure of Personally Identifiable Information
• Business interruption
• Litigation
• Regulatory Implications
• Government Investigations
• Reputational Damages
Will Insurance Help?
• Some decisions have found coverage
under traditional policies
• Going forward, however, traditional forms
of insurance may not offer sufficient
protection.
Property Insurance
• Ward General Ins. Serv., Inc. v. Employers Fire Ins. Co., 114 Cal.App.4th 548 (Cal. App. 2003)
• Lost data does not constitute tangible property, thus there was no “physical loss” as was required by the policy.
• See also: America Online, Inc. v. St. Paul Mercury Ins. Co., 207 F.Supp.2d 459 (E.D. Va. 2002); Southeast Mental Health Center, Inc. v. Pacific Ins. Co., Ltd., 439 F.Supp.2d 831 (W.D. Tenn. 2006)
• But….
• Landmark American Ins. Co. v. Gulf Coast Analytical Laboratories, 2012 WL 1094761 (M.D. La., Mar. 30, 2012)
• Tangibility was not a defining quality of physicality; electronic data deemed to be ‘physical’.
Crime Insurance
• Retail Ventures, Inc. v. National Union Fire Ins. Co. of Pittsburgh, Pa., 691 F.3d 821 (6th Cir. 2012)
• Insured prevailed on appeal in its coverage claim seeking $6.8 million in data breach losses under a computer fraud rider to a commercial crime policy. Loss resulted “directly from” theft of insured property by computer fraud.
Errors & Omissions Insurance
• Eyeblaster, Inc. v. Federal Ins. Co., 613 F.3d 797 (8th Cir. 2010)
• Online marketing firm was provided coverage under its E&O policy because the insured’s acts were not intentionally wrongful, thus fell within the coverage grant.
• Also found coverage under CGL due to allegations of loss of use of plaintiff’s computer. Was not excluded under the “impaired property” exclusion because no evidence was presented that the situation could be remedied by the removal of Eyeblaster’s “spyware.”
CGL Insurance
• Loss of Electronic Data not “Tangible Property” – Recall Total Information Management v. Federal Ins. Co., 2012 WL 469988 (Conn.Super. Jan. 17, 2012); Union Pump Co. v. Centrifugal Technologies, Inc.
• But…. remember Eyeblaster
• Also, Netscape Communications Corp. v. Federal Ins. Co., 343 Fed.Appx 271 (9th Cir. 2009) found that an insured was covered under the Personal & Advertising Injury
• Encore Receivable Management, Inc. v. ACE Property & Cas. Ins. Co., 2013 WL 3354571 (S.D. Ohio, July 3, 2013) found that “publication” occurs the moment a customer’s conversation is recorded. Could serve to limit the “publication” requirement.
• Hartford Cas. Ins. Co. v. Corcino & Assoc. et al. – C.D. California case finding publication of confidential medical information triggered a duty to defend.
• Zurich American Ins. Co. v. Sony Corp. of America: PlayStation Data Breach. Recent pro-insurer ruling – “publication” that occurred was not by policyholder, but by third-party hackers. No duty to defend found.
Limitations of Existing Forms
of Coverage
• Exclusions being added to these types of policies to prevent
coverage extensions
• The War Exclusion and Terrorism Exclusions
• Insurers willing to litigate issues
Best Practices: Cyber Coverage
• Types of coverage offered vary widely, but consultation with professionals regarding your needs can ascertain the appropriate type of coverage.
Q & A