HIPAA HITECH Update 2014- Practical Effects and Enforcement Trends
Overview of HIPAA Omnibus Rule, including impacts on: Covered Entities, Business Associates, Data Breach Management and Reporting, Audits, Enforcement, Cyberliability Coverage
    Presentation Transcript

    • HIPAA/HITECH UPDATE: PRACTICAL EFFECTS AND ENFORCEMENT TRENDS
      Presented by Aldo M. Leiva, Esq., Data Security and Privacy Attorney, for the American Health Lawyers Association, January 13, 2014
      Lubell Rosen, LLC, Columbus Center, 1 Alhambra Plaza, Suite 1410, Coral Gables, FL 33134
      Phone: (305) 442-9211, Fax: (305) 442-9047, Email: aml@lubellrosen.com, www.lubellrosen.com
      © 2014 Lubell Rosen, LLC
    • OVERVIEW OF PRESENTATION
      - HIPAA Omnibus Rule key provisions
        ♦ Breach notification
        ♦ New penalty structure
        ♦ Business Associates re-defined
      - Compliance activities and considerations
      - OCR audit overview: past and future
      - Latest enforcement actions
      - Insurance considerations
      - Questions and answers

    • HIPAA/HITECH OMNIBUS RULE
      - Effective date: March 26, 2013
      - Compliance deadline: September 23, 2013

    • HITECH ACT: KEY PROVISIONS
      - Breach notification requirements
      - New penalty levels
      - Compliance requirements for Business Associates (BAs)
      - Audits
      - Extended enforcement by State Attorneys General
    • BREACH NOTIFICATION REQUIREMENTS
      - Old requirement under the Interim Final Rule: a breach is an event that "compromises the security or privacy of the protected health information" and "poses a significant risk of financial, reputational, or other harm to the individual."

    • BREACH NOTIFICATION FINAL RULE (OMNIBUS)
      - Any impermissible use or disclosure of protected health information is presumed to be a breach unless the regulated entity can demonstrate, through a documented risk assessment, that there is a low probability that the PHI has been compromised.

    • FOUR FACTORS FOR THE RISK ASSESSMENT
      - The nature and extent of the PHI involved, including the types of identifiers and the likelihood that the subjects of the data could be re-identified
      - The unauthorized person to whom the information was impermissibly disclosed, or who used it
      - Whether the information was actually acquired or viewed
      - The extent to which the risk to the PHI has been mitigated (e.g., whether the recipient took appropriate mitigating action)
    • TIERED PENALTY STRUCTURE
      - Significant increase in penalties
      - Reduction in the number of affirmative defenses
      - Mandatory penalties for all violations due to "willful neglect"
      - Applies to violations occurring after February 18, 2009

    • TIER 1: UNKNOWING
      - The CE or BA did not know, and reasonably should not have known, of the violation
      - $100 to $50,000 per violation
      - Total of $1.5M for all violations of an identical requirement or prohibition occurring within the same calendar year

    • TIER 2: REASONABLE CAUSE
      - The CE or BA knew, or by exercising reasonable diligence would have known, that the act or omission was a violation, but did not act with willful neglect
      - $1,000 to $50,000 per violation
      - Total of $1.5M for all violations of an identical requirement or prohibition occurring within the same calendar year

    • TIER 3: WILLFUL NEGLECT, CORRECTED
      - The violation resulted from conscious, intentional failure or reckless indifference to the obligation to comply with HIPAA, but the CE or BA corrected the violation within 30 days of discovery
      - $10,000 to $50,000 per violation
      - Total of $1.5M for all violations of an identical requirement or prohibition occurring within the same calendar year

    • TIER 4: WILLFUL NEGLECT, UNCORRECTED
      - The violation resulted from conscious, intentional failure or reckless indifference to the obligation to comply with HIPAA, and the CE or BA did not correct the violation within 30 days of discovery
      - At least $50,000 per violation
      - Total of $1.5M for all violations of an identical requirement or prohibition occurring within the same calendar year

    • DEFENSE TO PENALTIES
      - A penalty may not be imposed for a violation that is not due to willful neglect and that is corrected within 30 days of actual or constructive knowledge of the violation, or within an additional period the Secretary determines to be appropriate based on the nature and extent of the failure to comply.

    • PRACTICE TIP
      A CE or BA that discovers a HIPAA violation not due to willful neglect should: (i) correct the violation within 30 days of discovery; (ii) document the date on which it discovered the violation(s); and (iii) document the date on which it implemented the correction, in order to establish a basis for asserting the affirmative defense to the imposition of a penalty. Without the dated record, the 30-day window cannot be proven.

    • HHS DISCRETION
      - HHS may waive a penalty, in whole or in part, for violations not due to willful neglect, to the extent the penalty would be excessive relative to the violation.
      - HHS has discretion to address HIPAA violations by other means, such as providing direct technical assistance or resolving possible noncompliance informally.
    • CE AND BA LIABILITY
      - A CE is liable for the violations of those business associates that are its agents
      - A BA is likewise liable for the acts of its own agents, including subcontractors

    • BUSINESS ASSOCIATES RE-DEFINED
      - A BA is a person or entity that "creates, receives, maintains, or transmits protected health information on behalf of a covered entity"
      - The new definition includes records management companies that "maintain" records containing PHI, regardless of whether they actually access or review them
      - A BA is subject to the Rule if it has access to PHI in electronic or hard-copy form

    • BEFORE THE HITECH ACT
      - A BA was exposed only to a breach-of-contract claim for violating its BAA
      - 2009: HITECH enacted; BAs became directly liable for PHI breaches, but OCR agreed not to pursue enforcement actions against BAs until the Rule was finalized
      - Rule finalized: enforcement actions against BAs can commence as of September 23, 2013

    • BA AGREEMENT TERMS
      - Establish how the BA is permitted or required to use and disclose PHI; the BA must not use or further disclose PHI other than as permitted or required by the BAA or by law
      - Use appropriate safeguards to prevent PHI from being used or disclosed other than as permitted by the BAA
      - Report to the CE any unauthorized use or disclosure of PHI of which the BA becomes aware

    • BA AGREEMENT TERMS (2)
      - Authorize the CE to terminate the underlying agreement if the BA violates a material term of the BAA
      - Ensure that subcontractors receiving PHI from the BA agree to the same restrictions and conditions on the use and disclosure of PHI

    • NO FORMAL BAA?
      - The Omnibus Rule still applies
      - A BA must comply with the relevant HIPAA provisions irrespective of BAA terms or service contracts with its customers

    • BA VIOLATIONS
      - Failing to impose the required restrictions on subcontractors by contract
      - Failing to notify the CE of a breach without unreasonable delay, and in no case later than 60 days after discovery
      - Failing to implement the administrative, physical, and technical safeguards required by the HIPAA Security Rule
      - Failing to follow the "minimum necessary" standard
    • COMPLIANCE ACTIVITIES
      - Develop and implement privacy policies
      - Conduct periodic risk assessments
      - Develop and adopt email policies
      - Develop and adopt mobile device policies
      - Train employees
      - Designate Privacy and Security Officers
      - Update the Notice of Privacy Practices
      - Revise BA agreements
      - Adopt breach assessment and notification policies

    • AUDITS
      - December 2012: pilot audits completed
      - Evaluation of the pilot program
      - BAs to be audited as well

    • OCR AUDIT PLANS FOR 2014
      - Streamlined audit process
      - Expanded audit scope (to include BAs)
      - OCR is hiring more auditors
      - More audits are likely, with emphasis on BAs

    • PILOT AUDIT RESULTS
      - "Small" CEs (under $50M in revenue) had more compliance issues (66% of deficiencies)
      - Health care providers accounted for 81% of deficiencies
      - The majority of deficiencies related to the Security Rule

    • PILOT AUDIT RESULTS (2)
      - 80% of health care providers did not have a complete and accurate risk analysis
      - Encryption: organizations that decided against encryption did not document the basis for that decision (encryption of ePHI is an "addressable" Security Rule specification, so an entity that does not implement it must document why it is not reasonable and appropriate and what equivalent alternative it adopted)

    • AUDIT PROTOCOL
      - Tool for audit preparation
      - http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html
    • STATE AG ENFORCEMENT
      - HITECH gave State Attorneys General authority to bring civil actions on behalf of state residents for violations of the HIPAA Privacy and Security Rules.
      - State AGs may obtain damages on behalf of state residents or enjoin further violations of the HIPAA Privacy and Security Rules.

    • STATE AG PENALTIES
      - Penalties are calculated by multiplying the number of violations by up to $100.
      - Total penalties for all violations of an identical requirement or prohibition during a calendar year may not exceed $25,000.
      - The court, in its discretion, may award the costs of the action and reasonable attorney fees to the State.

    • ENFORCEMENT TRENDS
      - As of June 30, 2013, OCR had investigated and resolved over 20,359 cases by requiring changes in privacy practices and other corrective actions by CEs.
      - WellPoint paid $1.7M to settle potential violations (2013)
      - Massachusetts Eye and Ear paid $1.5M to settle potential violations (2012)

    • ENFORCEMENT TRENDS (2)
      - December 24, 2013: OCR imposed a $150,000 penalty and a corrective action plan
      - The CE had reported the theft of an UNENCRYPTED thumb drive containing PHI to OCR and notified patients within 30 days; prompt notification did not avoid the penalty
      - OCR issued the penalty because the CE failed to:
        - conduct an adequate risk assessment of its ePHI
        - adopt written policies and train personnel
        - reasonably safeguard the unencrypted thumb drive (PHI encrypted in accordance with HHS guidance is not "unsecured" PHI, so the loss of an encrypted drive would not have been a reportable breach)

    • ENFORCEMENT TRENDS (3)
      - Barry University data breach, December 31, 2013
      - The CE reported the data breach SEVEN MONTHS after a laptop was infected with malware
      - Violation of the HITECH Breach Notification Rule: individual notifications must be provided without unreasonable delay, and in no case later than 60 days following discovery of the breach

    • AUDIT TRENDS TO TRACK: 2014
      - Much larger pool of entities subject to enforcement
      - Enforcement actions are likely to increase
      - BAs focused on record storage and document destruction may face more scrutiny because of the large volume of PHI potentially at risk
      - OCR is hiring more auditors
      - More audits are likely, with emphasis on BAs

    • AUDIT TRENDS TO TRACK: 2014 (2)
      - OCR is requesting a budget increase
      - OCR will use $4.5 million in collected HIPAA penalties to help fund the audit program
      - OCR is seeking a contractor for a permanent audit program
      - OCR Director Leon Rodriguez is slated to leave OCR for a post at Homeland Security
    • CYBERLIABILITY COVERAGE
      - Review existing insurance policies
      - Traditional D&O and E&O policies may provide HIPAA coverage, unless excluded
      - Consider additional coverage
      - HIPAA policies: investigations, defense costs, and penalties
      - Consult with insurance coverage counsel

    • THANK YOU
      Aldo M. Leiva, Esq., Chair, Data Security and Privacy Practice, Lubell Rosen
      One Alhambra Plaza, Suite 1410, Coral Gables, FL 33134
      aml@lubellrosen.com, www.lubellrosen.com, Direct: (305) 442-9211