HIPAA HITECH Update 2014 - Practical Effects and Enforcement Trends

Overview of HIPAA Omnibus Rule, including impacts on: Covered Entities, Business Associates, Data Breach Management and Reporting, Audits, Enforcement, Cyberliability Coverage

Published in: Health & Medicine, Technology
1. HIPAA/HITECH UPDATE: PRACTICAL EFFECTS AND ENFORCEMENT TRENDS
   Presented by Aldo M. Leiva, Esq., Data Security and Privacy Attorney, for the American Health Lawyers Association, January 13, 2014
   Aldo M. Leiva, Esq., Lubell Rosen, LLC, Columbus Center, 1 Alhambra Plaza, Suite 1410, Coral Gables, FL 33134
   Phone: (305) 442-9211 | Fax: (305) 442-9047 | Email: aml@lubellrosen.com | www.lubellrosen.com
   © 2014 Lubell Rosen, LLC

2. OVERVIEW OF PRESENTATION
   - HIPAA Omnibus Rule key provisions
     - Breach Notification
     - New Penalty Structure
     - Business Associates Re-Defined
   - Compliance Activities and Considerations
   - OCR Audit Overview - Past and Future
   - Latest Enforcement Actions
   - Insurance Considerations
   - Questions and Answers

3. HIPAA/HITECH OMNIBUS RULE
   - Effective date: March 26, 2013
   - Compliance deadline: September 23, 2013

4. HITECH ACT - KEY PROVISIONS
   - Breach notification requirements
   - New penalty levels
   - Compliance requirements for Business Associates (BAs)
   - Audits
   - Extended enforcement by State Attorneys General

5. BREACH NOTIFICATION REQUIREMENTS
   - Old requirements under the Interim Final Rule
   - A breach was an event that "compromises the security or privacy of the protected health information" and "poses a significant risk of financial, reputational, or other harm to the individual."

6. BREACH NOTIFICATION FINAL RULE (OMNIBUS)
   - Any impermissible use or disclosure of protected health information is presumed to be a breach unless the regulated entity is able to demonstrate, through a risk assessment, that there is a low probability that the PHI has been compromised.

7. FOUR FACTORS FOR RISK ASSESSMENT
   - To whom the information was impermissibly disclosed
   - Whether the information was actually accessed or viewed
   - Potential ability of the recipient to identify the subjects of the data (the nature and extent of the PHI involved, including the likelihood of re-identification)
   - Whether the recipient took appropriate mitigating action

8. TIERED PENALTY STRUCTURE
   - Significant increase in penalties
   - Reduction in the number of affirmative defenses
   - Mandatory penalties for all violations due to "willful neglect"
   - Applies to violations occurring after February 18, 2009

9. TIER 1 - UNKNOWING
   - CE or BA did not know, and reasonably should not have known, of the violation.
   - $100 to $50,000 per violation
   - Total of $1.5M for all violations of an identical requirement or prohibition occurring within the same calendar year

10. TIER 2 - REASONABLE CAUSE
   - CE or BA knew, or by exercising reasonable diligence would have known, that the act or omission was a violation, but the covered entity or business associate did not act with willful neglect.
   - $1,000 to $50,000 per violation
   - Total of $1.5M for all violations of an identical requirement or prohibition occurring within the same calendar year

11. TIER 3 - WILLFUL NEGLECT, CORRECTED
   - The violation was the result of conscious, intentional failure or reckless indifference to fulfill the obligation to comply with HIPAA. However, the covered entity or business associate corrected the violation within 30 days of discovery.
   - $10,000 to $50,000 per violation
   - Total of $1.5M for all violations of an identical requirement or prohibition occurring within the same calendar year

12. TIER 4 - WILLFUL NEGLECT, UNCORRECTED
   - The violation was the result of conscious, intentional failure or reckless indifference to fulfill the obligation to comply with HIPAA, and the covered entity or business associate did not correct the violation within 30 days of discovery.
   - At least $50,000 per violation
   - Total of $1.5M for all violations of an identical requirement or prohibition occurring within the same calendar year

13. DEFENSE TO PENALTIES
   - A penalty may not be imposed for a violation that is not due to willful neglect and that is corrected within 30 days of actual or constructive knowledge of the violation, or during an additional period determined by the Secretary to be appropriate based on the nature and extent of the failure to comply.

14. PRACTICE TIP
   A CE or BA that discovers a violation of HIPAA that is not due to willful neglect should attempt to: (i) correct the violation within 30 days of the discovery; (ii) document the date on which it discovered the violation(s); and (iii) document the date on which it implemented the correction, in order to establish a basis for asserting the affirmative defense to the imposition of a penalty for the violation.

15. HHS DISCRETION
   - HHS may waive a penalty for violations that are not due to willful neglect, in whole or in part, to the extent that the penalty is excessive relative to the violation.
   - HHS has discretion to use other measures to address HIPAA violations, such as providing direct technical assistance or resolving possible noncompliance through informal means.

16. CE AND BA LIABILITY
   - A CE is liable for the violations of its business associates (BAs) that are its agents.
   - A BA is liable for the acts of its agents (i.e., subcontractors).

17. BUSINESS ASSOCIATES RE-DEFINED
   - A BA is a person or entity that "creates, receives, maintains or transmits protected health information on behalf of a covered entity."
   - The new definition of BA includes records management companies that "maintain" records containing PHI, regardless of whether the records are accessed or reviewed.
   - A BA is subject to the rule if it has access to electronic or hard-copy PHI.

18. BEFORE THE HITECH ACT
   - A BA was subject only to a breach of contract claim for violation of the BAA.
   - 2009 - HITECH enacted: the BA became directly liable for a PHI breach, but OCR agreed not to pursue enforcement actions against BAs until finalization of the Rule.
   - The Rule is now finalized; enforcement actions against BAs can commence as of September 23, 2013.

19. BA AGREEMENT TERMS
   - Establish how the BA is permitted or required to use and disclose PHI; the BA must not use or further disclose PHI other than as permitted or required by the BAA or by law.
   - Use appropriate safeguards to prevent PHI from being used or disclosed other than as permitted by the BAA.
   - Report to the CE if the BA learns of any unauthorized use or disclosure of PHI.

20. BA AGREEMENT TERMS (2)
   - BAAs must also include a provision that allows the CE to terminate the underlying agreement if the BA violates a material term of the BAA.
   - Ensure that subcontractors receiving PHI from the BA agree to the same restrictions on use and disclosure of PHI.

21. NO FORMAL BAA?
   - The Omnibus Rule still applies.
   - A BA must comply with the relevant HIPAA provisions irrespective of BAA terms or service contracts with customers.

22. BA VIOLATIONS
   - BA does not contractually impose restrictions on subcontractors
   - Fails to notify the CE of a security breach within 60 days
   - Fails to implement any of the administrative, physical, and technical safeguards in the HIPAA Security Rule
   - Fails to follow the "minimum necessary" standard

23. COMPLIANCE ACTIVITIES
   - Develop and implement privacy policies
   - Conduct periodic risk assessments
   - Develop and adopt email policies
   - Develop and adopt mobile device policies
   - Train employees
   - Designate Privacy/Security Officers
   - Update the Notice of Privacy Practices
   - Revise BA agreements
   - Adopt breach assessment/notification policies

24. AUDITS
   - December 2012 - pilot audits completed
   - Evaluations of the pilot program
   - BAs to be audited as well

25. OCR AUDIT PLANS FOR 2014
   - Streamlined audit process
   - Expanded scope of audits (to include BAs)
   - OCR is hiring more auditors
   - More audits are likely, with emphasis on BAs

26. PILOT AUDIT RESULTS
   - "Small" CEs (< $50M in revenue) had more compliance issues (66% of deficiencies)
   - Health care providers were responsible for 81% of deficiencies
   - The majority of deficiencies related to the Security Rule

27. PILOT AUDIT RESULTS (2)
   - 80% of health care providers did not have a complete and accurate risk analysis
   - Encryption: organizations deciding against encryption (an addressable specification under the Security Rule) did not document the basis for doing so

28. AUDIT PROTOCOL
   - Tool for audit preparation
   - http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html

29. STATE AG ENFORCEMENT
   - HITECH gave State Attorneys General authority to bring civil actions on behalf of state residents for violations of the HIPAA Privacy and Security Rules.
   - State AGs may obtain damages on behalf of state residents or enjoin further violations of the HIPAA Privacy and Security Rules.

30. STATE AG PENALTIES
   - Penalties are calculated by multiplying the number of violations by up to $100.
   - Total penalties imposed for all violations of an identical requirement or prohibition during a calendar year may not exceed $25,000.
   - The court, in its discretion, may award the costs of the action and reasonable attorney fees to the State.

31. ENFORCEMENT TRENDS
   - As of June 30, 2013, OCR had investigated and resolved over 20,359 cases by requiring changes in privacy practices and other corrective actions by CEs.
   - WellPoint paid $1.7M to settle potential violations (2013)
   - Mass. Eye & Ear paid $1.5M to settle potential violations (2012)

32. ENFORCEMENT TRENDS (2)
   - December 24, 2013 - OCR imposed a $150,000 penalty and a corrective action plan
   - The CE reported a stolen UNENCRYPTED thumb drive containing PHI to OCR and notified patients within 30 days
   - OCR issued the penalty due to the CE's failure to:
     - conduct an adequate risk assessment of ePHI
     - adopt written policies and train personnel
     - reasonably safeguard the unencrypted thumb drive

33. ENFORCEMENT TRENDS (3)
   - Barry University data breach - December 31, 2013
   - The CE reported the data breach SEVEN MONTHS after a laptop was infected with malware
   - Violation of the HITECH rules: individual notifications must be provided without unreasonable delay and in no case later than 60 days following discovery of the data breach

34. AUDIT TRENDS TO TRACK - 2014
   - Much larger pool of entities subject to enforcement
   - Enforcement actions are likely to increase
   - BAs focusing on record storage and document destruction may be subject to more scrutiny due to the large volume of PHI potentially at risk
   - OCR is hiring more auditors
   - More audits are likely, with emphasis on BAs

35. AUDIT TRENDS TO TRACK - 2014 (2)
   - OCR is requesting a budget increase
   - OCR will use $4.5 million in collected HIPAA penalties to help fund the audit program
   - OCR is seeking a contractor for a permanent audit program
   - OCR Director Leon Rodriguez is slated to leave OCR for a post at Homeland Security

36. CYBERLIABILITY COVERAGE
   - Review existing insurance policies
   - Traditional D&O and E&O policies may provide HIPAA coverage, unless excluded
   - Consider additional coverage
   - HIPAA policies: investigations, defense costs, and penalties
   - Consult with insurance coverage counsel

37. THANK YOU
   Aldo M. Leiva, Esq., Chair, Data Security and Privacy Practice, Lubell Rosen
   One Alhambra Plaza, Suite 1410, Coral Gables, FL 33134
   aml@lubellrosen.com | www.lubellrosen.com | Direct: (305) 442-9211