• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
How to Comply with HIPAA Regulations
 

How to Comply with HIPAA Regulations

on

  • 338 views

CLE Presentation: Anna Selby and Diane Keefe, Attorneys at Armstrong Teasdale ...

CLE Presentation: Anna Selby and Diane Keefe, Attorneys at Armstrong Teasdale

Recent changes to the HIPAA Privacy and Security rules impacy how covered entities protect Personal Health Information, one of today's most valuable and sensitive types of confidential data. the protection of this information and management of breach notification is essential to compliance with HIPAA.

The choice of a lawyer is an important decision and should not be based solely on this presentation. All rights are reserved and content may not be reproduced, disseminated or transferred, in any form or by means, except with the prior written consent of Armstrong Teasdale.

Statistics

Views

Total Views
338
Views on SlideShare
338
Embed Views
0

Actions

Likes
0
Downloads
3
Comments
0

0 Embeds 0

No embeds

Accessibility

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

    How to Comply with HIPAA Regulations How to Comply with HIPAA Regulations Presentation Transcript

    • © 2013 Armstrong Teasdale LLP© 2013 Armstrong Teasdale LLP HIPAA: Navigating the Labyrinth Anna Selby Diane Keefe July 31, 2013
    • © 2013 Armstrong Teasdale LLP Navigating the Labyrinth
    • © 2013 Armstrong Teasdale LLP Call From Employee 1) Staff Texting Nude Patient Photo. • Patient is Identifiable. • Hospital Name is visible on scrubs. 2) Nurses photograph x-ray. • Post x-ray to Facebook. • Nurse comments regarding patient.
    • © 2013 Armstrong Teasdale LLP HIPAA  Regulations Apply to: • Covered Entities (CE) 1) Providers 2) Health Plans 3) Clearinghouses  Business Associates of CE’s • Insurance Broker, Benefit Specialists • Strategic Consultants
    • © 2013 Armstrong Teasdale LLP HIPAA Protects PHI PERSONAL HEALTH INFORMATION
    • © 2013 Armstrong Teasdale LLP PHI Uses & Disclosures  OK to use PHI for: 1) Treatment 2)Payment 3) Health Care Operations  General Rule: Other Uses Require an Authorization.
    • © 2013 Armstrong Teasdale LLP HIPAA Breach - New Definition  A Breach is 1. Unauthorized acquisition, access, use or disclosure of 2. Unsecured PHI 3. Compromises the privacy or security of the PHI  Presumption of Reportable Breach UNLESS • CE determines there is a low probability the • PHI has been compromised after risk assessment.
    • © 2013 Armstrong Teasdale LLP HIPAA Risk Assessment  What is Compromised? • Rule does not tell us.  Must Perform Risk Assessment.
    • © 2013 Armstrong Teasdale LLP HIPAA Risk Assessment  4 Elements: 1. Nature and extent of PHI involved. 2. The unauthorized person who used PHI or to whom disclosure was made. 3. Whether PHI was actually acquired or viewed. 4. Extent to which the risk to PHI has been mitigated.
    • © 2013 Armstrong Teasdale LLP HIPAA Risk Assessment  If you do not do a breach notification you MUST do a Risk Assessment.  DOCUMENT, DOCUMENT, DOCUMENT.
    • © 2013 Armstrong Teasdale LLP HIPAA Breaches  CVS 2009-Pill bottles thrown in dumpsters. • $2.25 Million Settlement • No policies. • No training.
    • © 2013 Armstrong Teasdale LLP HIPAA Breaches  Million Dollar Subway Ride • Massachusetts General Hospital employee leaves documents on subway. • PHI of 192 patients. (Included HIV/AIDS status) • $1 Million Settlement.  Stanford 2011. BA posts PHI on web. • 20,000 patients X $1,000 = $20 Million
    • © 2013 Armstrong Teasdale LLP HIPAA Breaches  WellPoint—July 11, 2013  Left Accessible Information on Internet  $1.7 Million Settlement  600,000 Patients’ Information  WellPoint failed to: 1) Have Policies to authorize access to PHI; 2) Perform technical evaluation of software & database; 3) Have technical safeguards to verify identify of persons accessing PHI.
    • © 2013 Armstrong Teasdale LLP HIPAA Breaches-Laptops  Sutter 2011. Stolen unencrypted laptop. • 4 million patients X $1,000 nominal damages per patient. • $1 Billion Potential Damages.  UCLA 2011. • Encrypted laptop stolen. Paper also stolen. • 16,000 patients X $1,000 • $16 Million.
    • © 2013 Armstrong Teasdale LLP HIPAA Breaches-Hardware  Blue Cross Blue Shield Tennessee 2012 • Self Reported 57 unencrypted hard drives stolen. • 1 Million people. $1.5 Million Settlement.  Pentagon 2011 • BA lost backup tapes, 4.9 Million Tricare beneficiaries. • If damages are $1,000 per patient = $4.9 Billion. • Attempted to use HIPAA for basis of claims.
    • © 2013 Armstrong Teasdale LLP Lawsuits Pending  Plaintiffs claim HIPAA violations. (Negligence Per Se)  Case law is not clear.  We argue no private right of action.  Motions to dismiss granted.  Breach of Fiduciary Duty & Public Disclosure of Private Fact claims remain.  Each suit involved OCR investigation.
    • © 2013 Armstrong Teasdale LLP HIPAA Breach  If you don’t need it for your job=Unauthorized. Snooping.
    • © 2013 Armstrong Teasdale LLP Snooping  There once was a girl …  Later goes to psych ward at UCLA…  People get curious.  13 fired & 12 disciplined.  OCR investigates $865,000  No evidence PHI disclosed or sold.
    • © 2013 Armstrong Teasdale LLP Snooping  Little Rock: News anchor in hospital.  Physician watches news from home.  Unit Coordinator & Billing employee.  2 fired; physician suspended 2 weeks. • Face prison & fine. • Each had HIPAA training.  Mom sues Hospital. • AR SC allows outrageous behavior claim.
    • © 2013 Armstrong Teasdale LLP Yes, Someone Went to Prison.  Researcher at UCLA  Reviewed records 323 times in 3 weeks.  His Boss,  No Evidence PHI was Used or Sold.  4 Months in Prison.
    • © 2013 Armstrong Teasdale LLP Breach Notifications < 500  Breach • Must Notify Individual(s) − In Writing including what happened & steps taken. − Within 60 days of date breach discovered. • Notify HHS Secretary  Don’t Delay.
    • © 2013 Armstrong Teasdale LLP Breach Notifications > 500  Where a Breach Involves Greater than 500 Residents: • Notify Individuals in Writing • Notify HHS Secretary • Notify Media − Press Release to “Prominent” media outlets. − Within 60 days.
    • © 2013 Armstrong Teasdale LLP Penalties-Civil  Per identical violation in a calendar year: Did Not Know: $100 up to $25,000 Willful Neglect Uncorrected: $50,000 up to $1,500,000 Willful Neglect: Conscious, intentional failure or reckless indifference.  Can be Per Record.  Extend to BA’s.  Can impose penalty without seeking informal resolution.
    • © 2013 Armstrong Teasdale LLP Penalties-Criminal  People that knowingly obtain or disclose PHI: • Up to $50,000 AND 1 year imprisonment.  With False Pretenses: • Up to $100,000 AND 5 years.  With Intent to sell or use for personal gain or malicious harm: • Up to $250,000 AND 10 years.
    • © 2013 Armstrong Teasdale LLP When a Breach Occurs:  Call Us.  What We Can Do: • Walk you through whether it is reportable. − Multiple factors. • Advise during investigation. • Assist with Proactive Prevention.
    • © 2013 Armstrong Teasdale LLP What Can/Should be Done to Comply?  Most obvious • Modify your Business Associate Agreements • Modify your Notice of Privacy Practices  Not so obvious… • Conduct a Risk Assessment • Review, evaluate and update polices and procedures • Educate and train staff/employees
    • © 2013 Armstrong Teasdale LLP Modifications to the BAA’s  A statement that the Business Associate (“BA”) now needs to comply with the administrative, physical, and technical components of the Security Rule • Should also reflect that the BA is required to implement and maintain compliance with the administrative, physical, and technical components of the Security Rule
    • © 2013 Armstrong Teasdale LLP Modifications to BAAs  A statement that the BA must report to the Covered Entity any breach of unsecured PHI (in addition to any unauthorized use or disclosure) • Should reflect exactly what the BA should do in order to notify the Covered Entity of the breach: − Date of incident − Date of discovery of incident (if different than above) − Categories of the affected information − Individual(s) who were affected − Steps for mitigation − Steps for prevention
    • © 2013 Armstrong Teasdale LLP Modifications to BAAs  A statement that the BA must ensure that any subcontractor will agree to the same restrictions and conditions that apply to the BA • In other words, BAs now need to enter into BAAs with subcontractors  A statement requiring the BA to implement a system for documenting and recording uses and disclosures in compliance with the Security Rule  A statement that provides for retention of information for 6 years from the date of the disclosure
    • © 2013 Armstrong Teasdale LLP Modifications to BAAs  Other Aspects to Consider • Liability is determined on Agency principles, so a statement that reflects the status of the parties • Consider modifying or adding insurance requirements • Consider modifying or adding limitations of liability and indemnification provisions
    • © 2013 Armstrong Teasdale LLP Modifications to BAAs  Compliance Deadline • depends on whether there is an existing BAA or whether there will be a new BAA entered into between the parties − If existing BAA, then September 22, 2014 − If no existing BAA, then September 23, 2013
    • © 2013 Armstrong Teasdale LLP Modifications to Notice of Privacy Practices  Must now include statements regarding the Sale of PHI  Must now include statements regarding marketing and other purposes that require an authorization  Must now include statement that an individual can opt out of fundraising communications/efforts
    • © 2013 Armstrong Teasdale LLP Modifications to Notice of Privacy Practices  Must now include statement that the Covered Entity must agree to restrict disclosures to health plans if the individual pays out of pocket in full for the health care service  Must now include a statement about an individual’s right to receive breach notifications
    • © 2013 Armstrong Teasdale LLP Conducting a Risk Assessment  Elements of a general risk assessment include: 1. Identify the scope – what are potential risks and vulnerabilities to your organization? 2. Identify where all the PHI is stored, received, maintained or transmitted 3. Assess current security measures: − Do you utilize encryption software? − Are passwords used and changed frequently? − Are firewalls used? − Are mobile devices protected?
    • © 2013 Armstrong Teasdale LLP Conducting a Risk Assessment  Other Aspects: • Determine likelihood of the occurrence of a threat • Determine the potential impact of that threat • Determine the level of risk  Which becomes a mathematical equation… • Vulnerability x likelihood x impact = level of risk  Which can then assist in the mitigation that risk
    • © 2013 Armstrong Teasdale LLP Conducting a Risk Assessment Threat Source Terminated EE Calculation Threat Unauthorized Access to Patient Information Vulnerability No formal process in place to notify the IT department when ee’s are terminated and periodic reviews are not performed 3 Likelihood Removal of access for terminated ee has not been performed 3 Impact PHI is viewed, altered or destroyed 3 Risk Disgruntled ee gains unauthorized access to PHI after termination, deleting records Total = 27 Risk Mitigation IT implements daily automated program to read ee database in payroll system and automatically removes access to network and application systems for terminated ees Risk is now significantly reduced
    • © 2013 Armstrong Teasdale LLP Reviewing/Updating Policies and Procedures  Update policies and procedures on breach notification and integrate into the policy the four factors of whether a breach occurred by a risk assessment: 1. Nature and extent of the PHI involved 2. The unauthorized person who used the PHI or to whom the disclosure was made 3. Whether PHI was actually acquired or viewed 4. Extent to which the risk has been mitigated
    • © 2013 Armstrong Teasdale LLP Reviewing/Updating Policies and Procedures  Use and disclosure of PHI for marketing • Requires determination of what is and is not considered marketing • Once that determination is made, then clarify the policy to reflect what requires an authorization from the individual  Sale of PHI • Selling an individual’s PHI without an authorization is prohibited
    • © 2013 Armstrong Teasdale LLP Reviewing/Updating Policies and Procedures  Electronic Access to PHI • May require revisions to job descriptions to clearly delineate who has access and in what situation • May require revisions to IT policies and procedures  Requests for Restrictions  Use and disclosures of decedent information  Social media and cell phone policies
    • © 2013 Armstrong Teasdale LLP Reviewing/Updating Policies and Procedures  Covered entities may use any security measures that allow them to reasonably and appropriately implement the HIPAA regulations. So, in determining whether to draft new or revise old policies and procedures, you should consider: • Size, complexity, and capabilities of the Covered Entity • Technical infrastructure, hardware, and software • Costs • Likelihood and impact of risks or potential risks, i.e., risk assessment
    • © 2013 Armstrong Teasdale LLP Educate and Train Staff/Employees  Must ensure that the policies and procedures reviewed, revised, and/or created are implemented by staff/employees.  Sign-in sheets should be passed around so attendance of staff members/employees is documented  Staff/Employee training must be conducted at the following intervals: • At the start of employment • Annual basis  If staff/employees do not apply these policies to their everyday practice, then organizations are at risk!
    • © 2013 Armstrong Teasdale LLP Questions? Anna Selby 314.552.6616 aselby@armstrongteasdale.com Diane Keefe 314.259.4731 dkeefe@armstrongteasdale.com