TRANSCRIPT
New HIPAA Breach Rules: NAHU presents the WHAT and WHYs
Presenters:
David Smith JD, Vice President, Ebenconcepts
Tom Jacobs JD, co-CEO, eflexgroup
Moderator: Ric Joyner CEBS CFCI, co-CEO, eflexgroup
Agenda
• Introduction – HIPAA Security Breach Notification Regulations
• Privacy and security landscape
• Pre-ARRA legal overview
• New (expanded) privacy and security requirements in ARRA
• Tips and recommendations to comply
• Discussion and questions
New HIPAA Security Breach Notification Regulations
• Department of Health and Human Services, Office for Civil Rights
• Issued an interim final rule August 24, 2009
• Required by the American Recovery and Reinvestment Act of 2009 (Feb. 17, 2009) – Section 13402 of the Health Information Technology for Economic and Clinical Health (HITECH) Act
Section 13402 HITECH
Requires Secretary of Dept. of HHS to issue interim final regulations within 180 days to require covered entities under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and their business associates to provide notification in the case of breaches of unsecured protected health information.
Timeline
• HITECH/ARRA: 180 days from February 17, 2009 to issue rules
• HHS issued rules August 24, 2009
• Rules become effective September 23, 2009, BUT…
– HHS stated it will hold off enforcing the rules for 6 months and will not impose sanctions for violations during this period
– Instead, HHS will work with covered entities and business associates through technical assistance and voluntary corrective actions.
Business Associates Beware!
• The American Recovery and Reinvestment Act of 2009 (ARRA) modifies the existing HIPAA framework by also requiring business associates to directly comply with the HIPAA Security Rule provisions on administrative, physical and technical safeguards. All Business Associate Agreements must reflect the business associate’s new obligations. Additionally, ARRA may now impose sanctions on business associates that fail to comply with the HIPAA Privacy Rule.
Business Associates Beware!
• In the event of a breach by the business associate, the business associate is now statutorily required to take steps to mitigate any damages to covered entities, including health care organizations and individuals whose unsecured PHI was compromised.
• More details later, first a look at current framework…
The Current Security Landscape
(Collage of news headlines shown on the slides:)
• Citibank Hack Blamed for Alleged ATM Crime Spree
• Data Hijacking On the Rise – Is Your Business Next?
• 1 out of 700 hackers are caught and prosecuted
• Medical Records Are a Key Target: Insiders and External Thieves
• Medical Record Breaches on the Rise
• Identity Thieves Targeting Medical Information
• California’s breach disclosure law now covers medical records
• Proliferating HIPAA complaints and medical record breaches
• University of Florida said to be a 'natural target' for ID theft
• Google Health Goes Live (May 19, 2008): At a press-packed, early morning event, Google launched its long anticipated health initiative, Google Health, today.
• UCLA’s medical record spying problem worse than thought
Pre-ARRA – Legal Framework
(Timeline figure, 2003 to 2009. Themes shown along the timeline: HIPAA Privacy Rule; HIPAA Security Rule; first security breach notification law; Massachusetts privacy law and other new state privacy laws; FTC and State AG enforcement on the rise; many more security breach notification laws and publicity about breaches; outsourcing, globalization, identity theft; FTC Red Flag Rules; data hijacking and corruption; HIPAA Privacy Rule complaints (resolved without fines); HIPAA Security Rule audits continuing.)
Dated milestones on the timeline:
• March 5, 2007 – Piedmont HIPAA Security Audit
• July 15, 2008 – Providence Health & Services
• February 17, 2009 – ARRA
• February 18, 2009 – CVS: HHS and FTC collaboration
Pre-ARRA HIPAA Privacy Rule Complaints (Pending as of February 2009)
• Total complaints: 43,338
• 20% pending: 6,959
• 80% resolved: 36,379
– No violation: 4,000
– Not actionable: 24,387
– Resolved without fine: 7,992
• Increasing number of HIPAA complaints filed per year with HHS
• CVS: $2.25M fine, 20-year FTC Consent Decree, numerous state AG actions, adverse publicity
Top Five Allegations in HIPAA Privacy Rule Complaints
• Impermissible uses and disclosures of protected health information;
• Lack of safeguards of protected health information;
We have a question: So what?
Top Five Continued
• Lack of patient access to their protected health information;
• Uses or disclosures of more than the Minimum Necessary; and
• Lack of or invalid authorizations for uses and disclosures of protected health information
Top Targets for HIPAA Privacy Rule Complaints
• Private Practices
• General Hospitals
• Outpatient Facilities
• Health Plans (group health plans and health insurance issuers)
• Pharmacies
Pre-ARRA HIPAA Security Rule Complaints
• Complaint-driven enforcement
• Very few complaints filed through 2006
• CMS criticized by OIG for lax compliance, insufficient enforcement
Pre-ARRA HIPAA Security Rule Complaints
• OIG found significant violations at 8 hospitals that it audited
• March 5, 2007 – first CMS audit (Piedmont Hospital)
• Reportedly auditing 50 hospitals per year – via unannounced audits
Pre-ARRA Security Breach Notification Requirements
• State security breach notification laws
• Varying requirements
• No federal security breach law
• HIPAA Privacy Rule – disclosure log only
Key Pieces of Information Involved in Identity Theft
A US resident’s identity is stolen at least every two minutes.
One in seven hundred identity thieves are caught and prosecuted.
The Risks You Face with Popular US Retailers
Cost of a Data Breach (Ponemon Institute Survey)
Cost of a Data Breach by Industry (Ponemon Institute Survey)
ARRA – Overview
• Significant changes to the US privacy and security landscape
• Increasing scrutiny, enforcement on the way (federal and state)
• Expect great deal of uncertainty – as with HIPAA
ARRA – Key Changes: “Improved Privacy Provisions and Security Provisions”
• Security breach notifications
• Broader HIPAA scope of coverage (and enforcement)
• Additions and modifications to certain HIPAA requirements
ARRA – Key Changes: “Improved Privacy Provisions and Security Provisions” (continued)
• New HHS inspection and enforcement framework
• New tiered penalties for federal and state regulators
• Varying effective dates for different sections
Broader HIPAA Scope of Coverage
• Business associates
• Other third parties (who are now clearly business associates)
• Another category of third parties who are not business associates under ARRA, but may be considered business associates under a forthcoming evaluation (before February 17, 2010)
Business Associates (Pre-ARRA vs. ARRA, with comments)
1. Pre-ARRA: BA’s contractually bound to certain HIPAA requirements.
   ARRA: Statutorily bound to all HIPAA Privacy and Security Rule requirements, including new requirements in ARRA.
   Comments: Some BA’s might not be able to comply. HIPAA Security Rule obligations will be a challenge.
2. Pre-ARRA: Covered entity legally responsible for ensuring appropriate BA agreement. No requirement for BA agreements between covered entities.
   ARRA: BA and covered entity both responsible for ensuring appropriate BA agreement. Specific requirement to update all BA’s, consistent with new ARRA obligations.
   Comments: Recommend evaluation of BA for ability to comply too.
3. Pre-ARRA: HIPAA enforcement and penalties do not apply directly to BA’s.
   ARRA: HIPAA enforcement and penalties apply directly to BA’s.
   Comments: Unclear whether violations by BA will be applied to covered entities.
4. Pre-ARRA: No right for HHS to audit BA’s.
   ARRA: HHS has the right to audit BA’s and must publish results.
   Comments: Much greater scrutiny of BA’s.
Additions and Modifications to Certain HIPAA Requirements
• Disclosure log – now includes treatment, payment, healthcare operations
• Patient access rights – electronic records, 3 years for accounting (not 6 years)
Additions and Modifications to Certain HIPAA Requirements
• Patient access rights to information from BA’s (two options)
• Minimum necessary – applies to treatment disclosures too, new guidance
• Additional restrictions on use of PHI without a valid authorization
New Inspection and Public Posting Requirements
• HHS required to conduct inspections of covered entities
• Inspections of business associates
• Publication of inspections, general findings
• Publication of security breaches on HHS website
New Security Breach Enforcement Requirements
• Attorneys General can bring state actions for violations under ARRA
• However, cannot bring an action while an HHS action is pending
• Individual right to a percentage of the government’s fine – forthcoming guidance
New Enforcement Requirements
• As noted previously, business associates now fall directly under HIPAA enforcement
• ARRA makes clear that HIPAA enforcement applies to individuals as well as organizations that are covered
• New tiered enforcement – willful violations result in highest penalties
Security Breach Notifications
• First federal security breach notification requirements
• Expanded scope of when notification is triggered for covered entities
• Business associates required to notify covered entities about breaches
• These rules apply to information in any format:
– ePHI (electronic PHI)
– Paper
– Tapes/CDs
Security Breach Notifications
Breach: An individual’s protected health information [in “unsecured” form] that has been, or is reasonably believed by the covered entity to have been, accessed, used, acquired or disclosed to an unauthorized person, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.
– Exceptions:
• Unintentional access by employees or individuals acting under the authority of a covered entity or business associate, if the information is not used or disclosed by the recipient or anyone else.
• Inadvertent disclosure from one covered entity or business associate employee authorized to access PHI to a co-employee authorized to access PHI.
• Unauthorized access by an unauthorized person who would not reasonably be able to retain the information disclosed.
Security Breach Notifications (continued)
• Rules do not apply to PHI in a “secured” form.
– If improperly acquired data was secured (encrypted or destroyed), then no breach notification is required.
• Notification is required when there has been a breach above the “harm threshold”.
– The covered entity is responsible for determining whether a breach poses a “significant” risk and warrants notification.
– Do a risk assessment:
• What and how much information was released?
• Can we get it back?
Security Breach Notifications (continued)
• Notify without unreasonable delay and at least within a 60-day timeframe.
– The 60 days begin to run from the date the covered entity or business associate, or any employee, officer or other agent of the covered entity or business associate, knew or reasonably should have known about the breach.
Security Breach Notifications (continued)
• Method of notice (new obligations):
– Send a written notice to the individual (or next of kin, if the individual is deceased) at the last known address by first-class or electronic mail.
– Post a conspicuous message (for a period determined by HHS) on your Web site’s home page or with major print or broadcast media when insufficient or out-of-date contact information prevents direct contact.
– Call individuals whose unsecured health information was breached when there is an imminent threat of misuse.
– Notify prominent media outlets within the state or jurisdiction if a breach of unsecured PHI affects or is reasonably believed to affect more than 500 residents.
– Notify HHS immediately for breaches involving more than 500 individuals and annually for all other breaches.
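As an added example (not part of the NAHU presentation), the following Python helper encodes the decision path the slides above describe: the secured-PHI carve-out, the definition exceptions, the harm-threshold risk assessment, the 60-day clock from discovery, and the notice methods that depend on head count and contact information. The field names, the output layout and the sample scenario are assumptions of this example.

```python
# Added example (not from the NAHU presentation): a helper that encodes the breach-
# notification decision path on the slides; field names and output layout are assumptions.
from dataclasses import dataclass
from datetime import date, timedelta

NOTICE_WINDOW = timedelta(days=60)  # notify without unreasonable delay, 60 days at most
MEDIA_THRESHOLD = 500               # "more than 500" individuals triggers media/HHS notice

@dataclass
class BreachFacts:
    secured: bool                  # PHI encrypted per NIST guidance, or paper destroyed
    exception: bool                # one of the three carve-outs in the breach definition
    significant_risk: bool         # outcome of the harm-threshold risk assessment
    affected: int                  # individuals whose unsecured PHI was involved
    discovered: date               # date the entity knew or should have known
    contact_info_ok: bool = True   # False: substitute notice (web site/media) required
    imminent_misuse: bool = False  # True: telephone notice as well

def notification_plan(f: BreachFacts) -> dict:
    plan = {"notify": False, "reason": "", "actions": [], "deadline": None}
    # The rules cover unsecured PHI only: encrypted or destroyed data is out of scope.
    if f.secured:
        plan["reason"] = "PHI was secured (encrypted or destroyed); no notification"
        return plan
    if f.exception:
        plan["reason"] = "covered by a breach-definition exception; no notification"
        return plan
    if not f.significant_risk:
        plan["reason"] = "risk assessment found no significant risk of harm"
        return plan
    plan["notify"] = True
    plan["reason"] = "breach of unsecured PHI above the harm threshold"
    plan["deadline"] = f.discovered + NOTICE_WINDOW  # clock runs from discovery
    plan["actions"].append("written notice to each individual (or next of kin)")
    if not f.contact_info_ok:
        plan["actions"].append("substitute notice on web site home page or via major media")
    if f.imminent_misuse:
        plan["actions"].append("telephone individuals facing imminent misuse")
    if f.affected > MEDIA_THRESHOLD:
        plan["actions"].append("notify prominent media in the state or jurisdiction")
        plan["actions"].append("notify HHS immediately")
    else:
        plan["actions"].append("log the breach for the annual report to HHS")
    return plan

def sample_plan(secured: bool = False, affected: int = 1200) -> dict:
    # Constructed scenario: a backup tape of member records is lost, found missing 2009-10-01.
    facts = BreachFacts(secured=secured, exception=False, significant_risk=True,
                        affected=affected, discovered=date(2009, 10, 1))
    return notification_plan(facts)

if __name__ == "__main__":
    for step in sample_plan()["actions"]:
        print("-", step)
```

Running the block prints the notice steps for the constructed scenario; switching `secured=True` or lowering `affected` to 500 or fewer shows the carve-out and the annual-report path instead.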
Security Breach Notifications (continued)
• Content of notice:
– a brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known;
– a description of the types of PHI involved in the breach (such as full name, social security number, date of birth, home address, account number, diagnosis, disability code, etc.);
– suggested steps individuals should take to protect themselves from potential harm resulting from the breach;
– a brief description of what the covered entity is doing to investigate the breach, to mitigate harm to individuals, and to protect against any further breaches; and
– contact procedures for individuals to ask questions or learn additional information, which must include a toll-free telephone number, an email address, website, and postal address.
Effective Dates
• Vary by section
• Many sections effective on February 17, 2010
– Breach notification rules go into effect in September but no enforcement until February (per HHS/FTC)
• Some contingent on passage of additional guidance documents
• Penalty section (including state enforcement) effective immediately.
Tips and Recommendations
• Increasingly complex legal requirements – state, federal, global
• Recommend overall risk management approach
• Specific individuals for privacy and security (two roles)
• Written policies and procedures for privacy and security
Tips and Recommendations
• Policies should be approved by senior management, consistent, accurate. Do not make promises that you cannot keep.
• Ongoing vigilance required – changing threats, new laws, new guidances
Tips and Recommendations – Business Associates
• Overall vendor management approach
• Pre-screening of vendors including business associates
• Proper agreements – ensure that you have a final copy in place
Tips and Recommendations – Business Associates (continued)
• Recommendations – examples:
– HIPAA Privacy and Security Rules
– Security Breaches
– HHS Audits
– Accounting of Disclosures
– Marketing restrictions
– Policies and Procedures
– Training
– Compliance monitoring/inspections
– Right to audit
– Indemnification provisions
What You Need to Do
• Identify sources of unsecured PHI.
• Determine how to secure PHI to avoid having to provide breach notifications.
• Develop policies and procedures regarding securing PHI.
• Develop policies and procedures for breach notifications.
• Assign responsibility for drafting and approving breach notices.
• Revise business associate agreements to address breach notice obligations.
• Train workforce members regarding the new breach notice.
Guidance: Use Encryption – Destroy Paper Records
• HHS affirmed that the only method to render electronic protected health information unusable, unreadable or indecipherable to unauthorized persons is through encryption. HHS relies on the detailed encryption guidance from the National Institute of Standards and Technology.
Therefore, when a covered entity is the subject of a data breach, but the data is appropriately encrypted, federal breach notification requirements and the vast majority of state breach notification requirements will not be triggered.
Guidance: Use Encryption – Destroy Paper Records (continued)
• With respect to information in non-electronic formats, HHS stated that only destruction of paper records, and not redaction, will meet the requirements to avoid breach notification.
HHS takes the position that covered entities can encrypt or destroy:
– Data in motion – data that is moving through a network;
– Data at rest – data in databases, file systems, flash drives, memory and any other storage method; and
– Data disposed – discarded paper records or recycled electronic media.
Risk Assessment
• Risk Assessment. The rule clarifies that the privacy and security of PHI is compromised and the notification requirement is triggered only if the acquisition, access, use or disclosure of the information poses a significant risk of financial, reputational or other harm to the individual. The covered entity or business associate must conduct a risk assessment and determine whether a significant risk to the individual exists. Factors to consider include who impermissibly used or obtained the information, the type of information involved, whether the covered entity took immediate steps that eliminated or reduced the risk of harm and whether the information was returned prior to being used for an improper purpose.
Applies to Unsecured PHI Only
• The new rule requires notification to individuals and to HHS for breaches of unsecured PHI.
• Unsecured PHI is any PHI that is not secured through a technology or methodology specified by HHS. The recently published HHS regulations require covered entities to promptly notify (no later than 60 calendar days from the date of discovery) affected individuals of a breach.
Some Key Areas of Consideration
• Security assessments
• Security breach notification process
• Policies and procedures (including Notice of Privacy Practices)
• Training
• Auditing/compliance monitoring
• Litigation risk reduction – proper recordkeeping
Conclusion
• Don’t become the next CVS or…
– the next security breach poster child
– the target of state attorneys general
• Don’t be fooled into buying things that you don’t need (remember the HIPAA scams, like HIPAA-compliant cabinets?)
Conclusion (continued)
• Prepare procedures and training programs that are employee-friendly and not overwhelming. The goal is results, not reams of paper.
• Security experts can differ greatly in terms of cost and expertise. Don’t be fooled.
• Ensure proper documentation and recordkeeping practices.