HIPAA Privacy, Security, Breach Overview


Published on

Presentation on HIPAA Privacy, Security, Breach for Dublin Entrepreneurial Center (DEC) at Metro Data Center on Sept 12, 2013

  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

HIPAA Privacy, Security, Breach Overview

  1. 1. Don’t Get Hit by the HIPAA Omnibus: Are You Ready for Sept 23?
  2. 2. Disclaimers The material in this presentation and/or any remarks made by HealthCare Too, LLC personnel are NOT meant to provide legal advice or counsel. We intend this session to provide you with highlights of the new HIPAA Omnibus for your edification and for your own use at your own professional discretion. 8/6/13HealthCareToo,LLCProprietary 2
  3. 3. Scope 45 CFR Parts 160 and 164 Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act Or “The HIPAA Omnibus” was 138 pages when released on Jan 25, 2013. This presentation introduces several major changes at a high level but does not present all changes. 8/6/13HealthCareToo,LLCProprietary 3
  4. 4. Your Presenters • Tim Perry, MPA, CHTS-IS • Chief Information Officer, HealthCare Too, LLC • 25+ years of Health Information Technology and Compliance experience • Chief Technology Officer, Ecommerce, LLC (Cloud & Hosting) • Senior Vice President of Infrastructure Services, Reed Elsevier • Global IT Director, Johnson & Johnson • Consulting engagements at SmithKline Beecham, Merck • Education • Master of Technology Management, Univ of Pennsylvania • Master of Public Administration, The Ohio State University • Bachelor of Arts, The Ohio State University 8/6/13HealthCareToo,LLCProprietary 4
  5. 5. 8/6/13 5
  6. 6. What’s in a Name? • Mega Rule • Omnibus • Final Rule 8/6/13HealthCareToo,LLCProprietary 6
  7. 7. Protected Health Information (PHI) 8/6/13HealthCareToo,LLCProprietary Individually identifiable Health Information List of 18 Identifiers • Names • All geographic subdivisions smaller than state • All elements of dates except year • Phone numbers • Fax numbers • Electronic mail addresses • Social Security numbers • Medical record numbers • Health plan beneficiary numbers • Account numbers • Certificate/license numbers • Vehicle identifiers and serial numbers • Device identifiers and serial numbers; • Web Universal Resource Locators (URLs); • Internet Protocol (IP) address numbers; • Biometric identifiers • Full face photographic images • Any other unique identifying number Health information means any information, including genetic information, whether oral or recorded in any form or medium, that: (1) Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and (2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual. 7
  8. 8. 8/6/13HealthCareToo,LLCProprietary 8 “Some Incident” Breach [A]cquisition, access, use, or disclosure of protected health information in a manner not permitted Risk Assessment Document & Done No Breach OCR Agreement for Corrective Action, Settlement, or Formal Finding and Fine Breach Verified Complaint A person who believes a covered entity or business associate is not complying with the administrative simplification provisions may file a complaint with the Secretary OCR Intake / Review Document & Done No Violation Possible Violation OCR Investigation Document & Done No Violation Violation Found [F]ailure to comply with an administrative simplification provision.
  9. 9. 8/6/13HealthCareToo,LLCProprietary 9
  10. 10. Leon Rodriguez “I am the first Director of the Office of Civil Rights to come to the Office with experience, extensive experience, both in law enforcement and a healthcare provider lawyer and its my commitment to ramp up the enforcement of the Office.” 8/6/13HealthCareToo,LLCProprietary Oral Testimony to Senate Judiciary Subcommittee on Privacy, Technology, and Law “Your Health and Your Privacy: Protecting Health Information in a Digital World.”, Nov 2, 2011. 10
  11. 11. 8/6/13HealthCareToo,LLCProprietary 11 HIPAA Resolutions by Type and Year (based on OCR data)
  12. 12. Reported 500+ Breaches in OH 8/6/13HealthCareToo,LLCProprietary 12 Patients Affected Date of Breach Type of Breach Location of Breach 60998 3/27/10 Theft Laptop 1001 4/22/10 Unauthorized Access/Disclosure Email 1200 6/13/10 Improper Disposal Paper 1309 6/11/10 Loss Laptop 13867 6/7/10 Theft Laptop 2123 7/29/10 Improper Disposal Paper 1000 11/15/10 Improper Disposal Paper 501 11/5/10 Theft Laptop, Computer 78,042 6/3/11 Theft Laptop 500 10/1/10 Improper Disposal Other (X-ray film) 15,000 10/01/2010 - 03/21/2012 Unauthorized Access/Disclosure Other 15000 10/1/2010 - 03/21/2012 Unauthorized Access/Disclosure Other 850 12/2/12 Theft Laptop, Network Server 2500 3/19/13 Theft Other 500 04/14/2013 - 04/19/2013 Loss Laptop 2203 5/29/13 Other Paper 78542 TOTAL
  13. 13. Notable Settlements Entity Amount Year WellPoint, Inc. (unattended weaknesses in online database) $1.7 million July 2013 Walgreens (pharmacist looked up a woman’s history) $1.44 million July 2013 MN AG & Accretive Health (started from July 2011 lost laptop) $2.5 million July 2013 Shasta Regional Med Center (disclosure of patient info to Media) $275,000 June 2013 Idaho State University (left a firewall down for 10 mos after maint) $400,000 May 2013 Goldthwait Associates & 4 Pathology Groups MA Attorney General (disposed of patient data at dump) $140,000 January 2013 8/6/13HealthCareToo,LLCProprietary 13
  14. 14. Compliance Deadline Omnibus HIPAA Final Rule • Published in Federal Register – January 25, 2013 • Effective Date – March 26, 2013 • Compliance Date – September 23, 2013 • Transition Period to Conform BA Contracts – Up to September 22, 2014, for Qualifying Contracts 8/6/13HealthCareToo,LLCProprietary 14
  15. 15. Covered Entities, Business Associates, and Subcontractors, Oh My! 8/6/13HealthCareToo,LLCProprietary 15
  16. 16. “Covered Entity” • (1) A health plan. • (2) A health care clearinghouse. • (3) A health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter. • Note: if an electronic transaction is made on a provider’s behalf… it is considered the provider’s 8/6/13HealthCareToo,LLCProprietary 16
  17. 17. “Business Associate” What it says What it means “functions, activities or services on behalf of covered entities” “Create, receive, maintain, or transmit PHI” An employee of a CE is NOT a BA. Clarifies definition of BA to include: • Patient Safety Organizations, • Health Information Exchanges, • Personal Health Records Must have BAA in place Clarification that BAs are liable whether or not they have an agreement in place with the CE . (Marissa Gordon-Nguyen, JD, MPH Office for Civil Rights) 8/6/13HealthCareToo,LLCProprietary 17
  18. 18. “Subcontractors” What it says What it means "a person to whom a business associate delegates a function, activity, or service, other than in the capacity of a member of the workforce of such business associate." (45 CFR 160.103) "under the final rule, covered entities must ensure that they obtain satisfactory assurances required by the Rules from their BAs, and BAs must do the same with regard to subcontractors, and so on, no matter how far 'down the chain' the information flows." Subcontractors are BAs: • Subject to HIPAA provisions • Directly liable for HIPAA violations • BA must have BAA with every subcontractor • Subcontractor must have BAA with its subcontractors, who are also BAs 8/6/13HealthCareToo,LLCProprietary 18
  19. 19. Agency • Covered Entities can be held liable for the violations caused by their Business Associates. • Business Associates can be held liable for the violations caused by their sub-contractors. • Federal common law of Agency will govern whether an agency relationship exists between the parties - regardless of what the contract actually says. (WEDI presentation by Joseph R. McClure, Esq. Legal Counsel, Siemens Medical Solutions USA WEDI Privacy & Security Co-Chair) 8/6/13HealthCareToo,LLCProprietary 19
  20. 20. Your PHI Ecosystem is Explicit 8/6/13HealthCareToo,LLCProprietary 20
  21. 21. 8/6/13HealthCareToo,LLCProprietary 21 1 – 2 million ? ??? Never directly liable for HIPAA… until now.
  22. 22. 8/6/13HealthCareToo,LLCProprietary WEDI Privacy & Security Workgroup, Business Associate Sub-Workgroup 22
  23. 23. 8/6/13HealthCareToo,LLCProprietary WEDI Privacy & Security Workgroup, Business Associate Sub-Workgroup 23
  24. 24. Typical BA Functions (Again) • Claims processing or administration • Data analysis, processing or administration • Utilization review • Quality assurance billing • Benefit management • Practice management • Repricing 8/6/13HealthCareToo,LLCProprietary • Data Storage / Hosting • Legal • Actuarial • Accounting • Consulting • Data aggregation • Management • Administrative • Accreditation • Financial 24
  25. 25. Business Associates Must: 1. Comply with the HIPAA Security Rule 2. Report to Covered Entity any breach of unsecured PHI 3. Enter into BAAs with subcontractors imposing the same obligations that apply to the Business Associate 4. Comply with the HIPAA Privacy Rule to the extent Business Associate is carrying out a Covered Entity’s Privacy Rule obligations 8/6/13HealthCareToo,LLCProprietary (WEDI presentation by Joseph R. McClure, Esq. Legal Counsel, Siemens Medical Solutions USA WEDI Privacy & Security Co-Chair) 25
  26. 26. Breach Unauthorized acquisition, access, use or disclosure that compromises the security or privacy of the protected health information such that the use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual. 8/6/13HealthCareToo,LLCProprietary 26
  27. 27. Four-Factor PHI Breach Assessment 1. Nature and extent of PHI involved 2. Unauthorized person who used PHI or to whom disclosure was made 3. Whether PHI was actually acquired or viewed 4. Extent to which risk to PHI has been mitigated 8/6/13HealthCareToo,LLCProprietary “Guilty until proven innocent” Breach is now presumed 27
  28. 28. Breach Notification Less Than 500 Patient Records 500+ Patient Records Individual notifications must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach Notify HHS on an annual basis. Individual notifications must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach Notify the Secretary without unreasonable delay and in no case later than 60 days following a breach. Provide notice to prominent media outlets serving the State or jurisdiction 8/6/13HealthCareToo,LLCProprietary HHS provides “safe harbor” for PHI that is encrypted or properly disposed of in keeping with early guidance. Note: When you notify of a breach, you are self-reporting a HIPAA violation and should make your counsel aware as well as conduct a new risk analysis with corrective actions. 28
  29. 29. 8/6/13HealthCareToo,LLCProprietary Breach Discovered Risk Assessment 1. Nature and extent of PHI involved 2. Unauthorized person who used PHI or to whom disclosure was made 3. Whether PHI was actually acquired or viewed 4. Extent to which risk to PHI has been mitigated Document & Done No Breach Less Than 500? Notify Individuals Notify HHS Annually Notify Individuals Notify HHS w/i 60 days Notify Media Breach Yes No 29
  30. 30. Where? • Privacy Rule applies to any form of PHI • It’s about disclosures • Security Rule applies to electronic forms of PHI • Desktop • Laptop • Tablet Computer • Smart Phone • Cloud • USB “thumb drive” • CD / DVD • Floppy disk (if those even still exist) • …. 8/6/13HealthCareToo,LLCProprietary 30
  31. 31. Greater Use of Health Information Technology 8/6/13HealthCareToo,LLCProprietary 31
  32. 32. 8/6/13HealthCareToo,LLCProprietary http://www.himss-oregon.org/events/pdf/ChrisGough-BigDataKeynote.pdf
  33. 33. 8/6/13HealthCareToo,LLCProprietary The Size of the Issue…. 2 Kilobytes: A Typewritten page 1 Megabyte: A small novel 1 Gigabyte: A pickup truck filled with paper 1 Terabyte is 50,000 trees made into paper and printed 1 Petabyte of music would take ~2,000 years to play 1 Exabyte: 100,000X the printed material in the Lib of Congress 1 Zettabyte: ~62 Billion iPhones (stacked would pass the moon) http://highscalability.com/blog/2012/9/11/how-big-is-a-petabyte-exabyte-zettabyte-or-a-yottabyte.html To store a Yottabyte on terabyte sized hard drives would require a million city block size data-centers… as big as the states of Delaware and Rhode Island http://en.wikipedia.org/
  34. 34. Privacy Rule Privacy Rule Covered Entity • Marketing & Fundraising • Sale of protected health information (PHI) • Right to request restrictions • Electronic access for patient • Delegates • Genetic info for underwriting prohibited • Immunization records with parent approval • Decedent PHI protected for 50 years Business Associate BAA at least as strict as CE Subcontractor BAA at least as strict as BA 8/6/13HealthCareToo,LLCProprietary 34
  35. 35. 8/6/13HealthCareToo,LLCProprietary 35
  36. 36. Security Rule: Phys Safeguards Required Addressable Workstation Use (R) Workstation Security (R) Disposal (R) Media Re-use (R) Contingency Operations (A) Facility Security Plan (A) Access Control and Validation Procedures (A) Maintenance Records (A) Accountability (A) Data Backup and Storage (A) 8/6/13HealthCareToo,LLCProprietary 36 Applies to: Covered Entity, Business Associates, and Subcontractors
  37. 37. Security Rule: Admin Safeguards Required Addressable Risk Analysis (R) Risk Management (R) Sanction Policy (R) Information System Activity Review (R) Assigned Security Responsibility (R) Isolating Health Care Clearinghouse Function (R) Response and Reporting (R) Data Backup Plan (R) Disaster Recovery Plan (R) Emergency Mode Operation Plan (R) Evaluation (R) Written Contract or Other Arrangement (R) Authorization and/or Supervision (A) Workforce Clearance Procedure (A) Termination Procedures (A) Access Authorization (A) Access Establishment and Modification (A) Security Reminders (A) Protection from Malicious Software (A) Log-in Monitoring (A) Password Management (A) Testing and Revision Procedure (A) Applications and Data Criticality Analysis (A) 8/6/13HealthCareToo,LLCProprietary 37 Applies to: Covered Entity, Business Associates, and Subcontractors
  38. 38. Security Rule: Tech Safeguards Required Addressable Unique User Identification (R) Emergency Access Procedure (R) Audit Controls (R) Person or Entity Authentication (R) Automatic Logoff (A) Encryption and Decryption (A) Mechanism to Authenticate Electronic PHI (A) Integrity Controls (A) Encryption (A) 8/6/13HealthCareToo,LLCProprietary 38 Applies to: Covered Entity, Business Associates, and Subcontractors
  39. 39. Security Rule: Org Reqmnts Required Addressable Business Associate Contracts (R) Group Health Plans (R) Documentation Time Limit (R) Availability (R) Updates (R) 8/6/13HealthCareToo,LLCProprietary 39 Applies to: Covered Entity, Business Associates, and Subcontractors
  40. 40. 2007 Original Omnibus 8/6/13HealthCareToo,LLCProprietary 40
  41. 41. 8/6/13HealthCareToo,LLCProprietary 41 For example, a data storage company that has access to protected health information (whether digital or hard copy) qualifies as a business associate, even if the entity does not view the information or only does so on a random or infrequent basis. -HIPAA Omnibus If I Store Data Online Does HIPAA Apply to the Hoster?
  42. 42. What’s Your Hosting Service? 8/6/13HealthCareToo,LLCProprietary 42 Shared Dedicated Medical-grade Cloud Price ~$7.95/month ~$50+ / month ~$300+ / month BA Agreement Violation? Violation? Risk Analysis Violation? Violation? 24 X 7 Monitoring Violation? Violation? Encryption Violation? Violation? Audit Logs Violation? Violation? Monthly Report Violation? Violation? DR Plan Violation? Violation? Data Backup Violation? Violation? Disposal Policy Violation? Violation? Unique User ID Violation? Violation? AND MUCH, MUCH, MUCH MORE
  43. 43. Fine Structure 8/6/13HealthCareToo,LLCProprietary Violation Category Per Violation Per Calendar Year Did Not Know $100 - $50,000 $1,500,000 Reasonable Cause $1,000 - $50,000 $1,500,000 Willful Neglect – Corrected $10,000 - $50,000 $1,500,000 Willful Neglect – Not Corrected $50,000 $1,500,000 43
  44. 44. Last year we had a $1.5M settlement with BCBS TN that had 57 hard drives stolen from a storage facility. The citation that drove the penalty was NOT the breach. Rather, the penalty was applied because of the failure to implement appropriate administrative safeguards, not performing a risk assessment, and failure to implement access controls for physical safeguards. They could have turned that storage facility into Fort Knox, and it might have still been breached. But the problem was they didn’t implement any preventive policies or procedures or appropriate administrative or physical safeguards. This is a great example of the lack of ongoing attention to compliance. 8/6/13HealthCareToo,LLCProprietary HIPAA in a HITECH World: HIPAA Violations on the Rise, According to Director of OCR Posted on March 22, 2013 by April Sage Leon Rodriguez, Director Office for Civil Rights 44
  45. 45. Another Real Life Example Breach of less than 500 patients' PHI • Hospice of North Idaho fined $50,000 • Unencrypted laptop was stolen from an employee's car. • OCR found that HONI (1) did not conduct a risk analysis to safeguard ePHI and (2) did not have policies/procedures in place to address mobile device security. 8/6/13HealthCareToo,LLCProprietary 45
  46. 46. Patient Rights over PHI What it says What it means In this final rule, we strengthen an individual’s right to receive an electronic copy of his or her protected health information. The final rule requires that a covered health care provider agree in most cases to an individual’s request to restrict disclosure to a health plan of the individual’s protected health information that pertains to a health care service for which the individual has paid the health care provider in full out of pocket. If you use an EHR, you must provide an e-copy of PHI to patients upon request, within timeframe and costs of Final Rule. Patients may pay for treatment and ask provider to withhold PHI from insurer. 8/6/13HealthCareToo,LLCProprietary 46
  47. 47. Street Value of Medical Records A thief downloading and stealing data can get $50 on the street for a medical identification number compared to just $1 for a Social Security number. For those receiving the medical ID number and using it to defraud a health care organization, the average payout is more than $20,000,” according to Pam Dixon, executive director of the World Privacy Forum. "Compare that to just $2,000 for the average payout for regular ID theft. 8/6/13HealthCareToo,LLCProprietary “Protected Health Information (PHI): High Value to Hackers: Medical Facilities at Risk”, http://www.prweb.com/releases/2013/2/prweb10412883.htm 47
  48. 48. 8/6/13HealthCareToo,LLCProprietary Value of Protected Health Information Big Data / Internet of Things Aging US Pop Gene Data EHRs / HIEs Social Nets / PHRs Cyber Crimes Data GovernanceNon-compliance
  49. 49. Resources • Jan 17, 2013 New Release on Omnibus http://www.hhs.gov/news/press/2013pres/01/20130117 b.html • Poyner Spruill Summary of HIPAA Omnibus http://www.poynerspruill.com/publications/Pages/sum maryofNewHIPAARules.aspx • Health Information Privacy http://www.hhs.gov/ocr/privacy/hipaa/understanding/in dex.html • Enforcement Examples http://www.hhs.gov/ocr/privacy/hipaa/enforcement/exa mples/index.html • HHS “Wall of Shame” http://www.hhs.gov/ocr/privacy/hipaa/administrative/br eachnotificationrule/breachtool.html 8/6/13HealthCareToo,LLCProprietary 49
  50. 50. Questions 8/6/13HealthCareToo,LLCProprietary 50 888-596-HEAL (4325) info@healthcaretoo.com