2016-04-21 HIPAA
3. Ethical and Moral Obligation
• We serve a vulnerable population and have an obligation to protect their security, privacy, and civil rights
© Hickman & Lowder Co. L.P.A.
4. Loss of Public Trust
• HIPAA violations will be newsworthy
• The loss of public trust will erode community support for your organization
• Levy campaigns will be negatively affected
5. Enforcement of HIPAA
• The Department of Health and Human Services (DHHS) is responsible for developing and establishing the Privacy Rule standards
• The Office of Civil Rights (OCR) is responsible for implementing and enforcing the Privacy & Security Rules
6. Civil Penalties
• Penalties apply equally to CE and BA
• Prior to revisions, penalty was $100 per violation up to $25,000 for identical violations per year
7. Penalties: Did not know
Each violation: $100 - $50,000
Max. per year for identical violations: $1,500,000
9. Penalties: Willful Neglect Corrected
Each violation: $10,000 - $50,000
Max. per year for identical violations: $1,500,000
10. Penalties: Willful Neglect Not Corrected
Each violation: $50,000
Max. per year for identical violations: $1,500,000
11. Affirmative Defenses
• On or after 2/18/11: No civil penalty if criminal penalty already imposed
• Prior to 2/18/11: No civil penalty if violation subject to criminal penalty
• On or after 2/18/09: HHS may not impose a penalty if the CE/BA establishes:
– No willful neglect; and
– Corrected within 30 days
12. Criminal: when imposed
• Knowingly violates HIPAA:
– Uses or causes to be used a unique health identifier; OR
– Obtains individual PHI; OR
– Discloses PHI
13. Criminal: when imposed
• Applicable to a CE and specific individuals
– This can include administrators, employees, or officers of the CE
14. Criminal: penalties
• General: $50K or 1 yr
• Under false pretenses: $100K or 5 yr
• Intent to gain or harm: $250K or 10 yr
15. HIPAA Complaints by Year
Year  Complaints
2006  7,362
2007  8,221
2008  8,729
2009  7,586
2010  8,763
2011  9,018
2012  10,457
2013  12,974
2014  17,779
16. Top Five Issues in Corrective Action Cases
Year | Issue 1 | Issue 2 | Issue 3 | Issue 4 | Issue 5
2014 | Impermissible Uses & Disclosures | Safeguards | Administrative Safeguards | Access | Technical Safeguards
2013 | Impermissible Uses & Disclosures | Safeguards | Access | Administrative Safeguards | Minimum Necessary
2012 | Impermissible Uses & Disclosures | Safeguards | Administrative Safeguards | Access | Minimum Necessary
2011 | Impermissible Uses & Disclosures | Safeguards | Access | Minimum Necessary | Complaints
2010 | Impermissible Uses & Disclosures | Safeguards | Access | Minimum Necessary | Complaints
17. Recent Penalties
• Skagit County, Washington: $215,000
• New York Presbyterian & Columbia University: $4,800,000
• University of Washington Medicine: $750,000
• North Memorial Health Care: $1,550,000
18. Skagit County, Washington
• First settlement with a county government
– “Sends a strong message about the importance of HIPAA compliance to local and county governments, regardless of size”
• ePHI was inadvertently moved to a publicly accessible server
• Did not
– Have appropriate procedures and policies
– Document their HIPAA requirements or training
• OCR discovered general and widespread non-compliance by the county
19. New York and Presbyterian Hospital (NYP) and Columbia University (CU)
• NYP and CU operate a shared data network that is linked to systems containing ePHI
• A doctor deactivated a server, which resulted in ePHI being accessible on public search engines
• Did not
– Make efforts prior to the breach to assure that the server was secure and that it contained appropriate software protections
– Conduct a thorough risk analysis
– Implement appropriate policies and procedures for authorizing access to its databases
– Comply with its own policies on information access management
20. New York and Presbyterian Hospital AGAIN
• NYP allowed ABC to film patients for “NY Med” without consent
• In particular, the crew filmed someone who was dying and another person in significant distress, even after a medical professional urged the crew to stop
• Did not
– Safeguard PHI, and allowed ABC film crews virtually unfettered access to their health care facility
• In addition to the HIPAA settlement, NYP is being sued for breach of physician-patient privilege
21. The University of Washington Medicine (UWM)
• An employee downloaded malware from an email, which compromised the data of 90,000 patients
• UWM policies required its affiliates to have up-to-date, documented system-level risk assessments
• Did not
– Follow up to ensure that affiliates were properly conducting risk assessments and appropriately responding to the potential risks and vulnerabilities in their respective environments
22. North Memorial Health Care of Minnesota
• Unencrypted laptop was stolen from a BA employee’s car
• Did not
– Have a BA agreement in place, despite the BA having access to a database with ePHI for almost 300,000 patients
– Complete a risk analysis
23. HHS Resolutions and Penalties
• http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/index.html
• Updated as new settlements are reached
24. Audits
• Audits, unlike complaint investigations or compliance reviews, are reviews of covered entities and business associates that are initiated not because of any particular event or incident indicating possible noncompliance on the part of the covered entity or business associate, but rather based on application of a set of objective selection criteria.
25. 2011-2013 Audit
• The last audit process began in November 2011 and went into 2013
• 115 covered entities were audited, including:
– 47 health plans, 61 health care providers, and 7 health care clearinghouses
• The smallest providers had the highest rate of deficiencies in Privacy, Security and Breach Notification
26. Primary Areas of Deficiency
• Privacy
– Notice of Privacy Practices
– Access of Individuals
– Minimum Necessary
– Authorizations
• Security
– Risk Analysis
– Media Movement and Disposal
– Audit Controls and Monitoring
29. Phase 2 HIPAA Audit Program
• Began in 2016
• OCR currently requesting address and contact information verification
32. Who is affected by HIPAA?
• COVERED ENTITIES:
– Health Care Providers
– Health Plans
– Health Care Clearinghouses
• BUSINESS ASSOCIATES
33. Privacy Rule Standards
• Applies to health information in all forms:
– Written
– Spoken
– Electronic
• Health information includes:
– Medical records
– Claims information
– Payment information
35. Individually Identifiable Health Information
• Name
• Address
• Driver’s license #
• Dates
– Birth date
– Admission date
– Discharge date
– Date of death
• Telephone numbers
• FAX number
• E-mail address
• Social Security Number
• Medical record number
• Web URL
• Finger or voice prints
• Photographic images
• Account number
36. Use and Disclosure of PHI
• Use: Sharing protected health information within the entity that maintains the information
• Disclosure: Release or transfer of PHI by an entity to persons or organizations outside of that entity
– Another facility
– Nursing home
37. Permitted Uses and Disclosures
• A CE is permitted to use and disclose protected health information without an individual’s authorization for the following:
– Treatment, Payment, and Health Care Operations
– Opportunity to Agree or Object
• Facility directory
– Incidental disclosures are permitted
– Public Interest
38. Disclosures not requiring patient Authorization
• Required by Federal or State Law
– Workers’ compensation
– Birth reporting
– Child abuse
• Required for public health reasons
– Sexually transmitted disease
• Required for national security reasons
– Prevent a serious threat of harm to the individual or others
39. Disclosures with Authorization
• Authorization is required for certain disclosures to:
– Attorneys
• Disclosures to a patient’s attorney for purposes of a malpractice lawsuit
• Disclosures to a life insurance company, when the individual is seeking to obtain coverage
40. Minimum Necessary Req.
Use, disclosure or request of records must be limited to the minimum which is reasonably necessary to accomplish the purpose of the use, disclosure or request
41. a/k/a “NEED TO KNOW” Rule
“Do I need to know this to do my job?”
You should NOT access any information that you do not need to know in order to provide patient care or to complete your job.
42. Minimum Necessary Exceptions
• Treatment
• Requests by the individual
• Authorization
• Required for compliance with HIPAA
• To HHS/OCR for investigation/enforcement
• When required by other law
43. Minimum Necessary Reqs
CE must establish policies that address scope of use by employees, disclosures and requests for info to ensure minimum necessary requirements are met.
Guidance from HHS on minimum necessary requirements:
• http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/minimumnecessary.html
44. How do you protect PHI?
• Do NOT talk about individuals in public places
• Do not leave PHI on voicemail or with someone other than the individual – ONLY NAME AND NUMBER
• Avoid paging individuals using identifying info
• Computer screens
• Access info
• Open charts or files
• Paper with PHI in trash vs. shredder
47. Notice of Privacy Practices (NPP)
• Right to notice of breach
• Right to restrict disclosures of PHI when self-paid in full
• Fundraising communications and right to opt-out
• Right to have disclosures of psychotherapy notes, sale of PHI and marketing disclosures only pursuant to authorization
• If Health Plan, no genetic info for underwriting
49. Exceptions
• Psychotherapy notes
– Individual, family or group sessions
– Separate from main file
• Agreed-upon restrictions by covered entity
• Information to health plan/payer when consumer has paid for services privately and in full
51. Readability of NPP and Authorizations
• CEs are required to provide NPPs in “plain language”
• HHS has model NPPs with simplified language and made them available on their website
• Authorizations must be written in “plain language”, but they still must contain core elements and statements
– Due to these requirements, authorizations may not be understood by certain individuals
– DD Board employees should make all efforts to ensure that the authorization is understood and informed consent is obtained
52. Translation of NPP or Authorizations
• Nothing explicitly in HIPAA requires translation of documents
• However, the Civil Rights Act of 1964 applies to DD Boards since they receive federal funding
– “No person in the United States shall, on the ground of race, color, or national origin, be excluded from participation in, be denied the benefits of, or be subjected to discrimination under any program or activity receiving Federal financial assistance.”
53. Translation of NPP or Authorizations
• HHS guidance on Limited English Proficient (LEP) persons recommends an individualized assessment that balances the following four factors:
– The number or proportion of LEP persons eligible to be served or likely to be encountered by the program;
– The frequency with which LEP individuals come in contact with the program;
– The nature and importance of the program, activity, or service provided by the program to people's lives; and
– The resources available to the grantee/recipient and costs
54. Safe Harbor
• The CE should provide written translations of vital documents for each LEP group that constitutes five percent or 1,000, whichever is less, of the population of persons eligible to be served or likely to be affected
55. Demographic Information
• Current state and county-level data is accessible at:
– http://www.lep.gov/demog_data/demog_data.html
– http://www.lep.gov/maps/
58. What is a breach?
• Acquisition, Access, Use, Disclosure of PHI
• Unauthorized manner
• Compromises PHI security or privacy
59. Exception 1:
• Unintentional acquisition, access, use;
• By CE or BA workforce member;
• In Good Faith;
• Within scope of Authority; and
• No further unpermitted use or disclosure.
60. Exception 2:
• Inadvertent disclosure
• By CE/BA employee with access authorization
• To another employee with access authorization of the SAME CE/BA (or organized health care arrangement)
• No further unpermitted use or disclosure
61. Exception 3:
• Disclosure by CE/BA
• Good faith belief that
• Unauthorized person not reasonably able to retain PHI
62. Time of breach
• Covered Entity
– When discovered or should have been discovered
• When BA acts as agent, when BA discovers
• If BA not an agent, when reported to Covered Entity
63. Notice of Breach
• Covered entity must provide notice of breach
• Applicable to unsecured PHI only
• Secured v. Unsecured PHI
64. When notice of breach is required
Secured PHI: No notice
Unsecured PHI, exception applies: No notice
Unsecured PHI, no exception: Notice
65. Secured PHI
• Defined in guidance issued by Secretary of HHS
– Encryption
– Destruction
• www.hhs.gov/ocr/privacy
66. Risk Assessment
• Whether there is a low probability that data has been compromised
• Examine and document factors:
– Nature, extent of PHI, type of identifiers, and likelihood of re-identification
– Unauthorized person who used/accessed
– Whether PHI actually acquired/viewed
– Extent risk to PHI mitigated
67. Who Gets Notice
• Individual
• Media if >500
• HHS
– Promptly if >500
– Annually if <500
• CE if BA breached
68. Timing of Notice
• Without unreasonable delay
• No later than 60 days after discovery of breach
• Delay if notice would:
– Impede criminal investigation
– Affect national security
69. Content of Notice
• What happened and when
• PHI involved in breach
• Steps to protect from potential harm
• Corrective steps by CE
• Contact information
70. Method of Notice
• Written
– First class mail
– E-mail with consent
• Substitute
– <10 – written, phone, other
– >=10 – Web site for 90 days, or media with toll-free number for 90 days
71. Method of Notice (cont’d)
• Urgent – imminent misuse of unsecured PHI
• CE may contact by phone or other means
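Slides 58 through 71 describe one triage procedure: is notice owed at all, when does the clock start if a business associate is involved, who is notified, by when, and how. The following Python is an added illustration and is not code from the Hickman & Lowder deck. It encodes those decision points as they appear on the slides; the Incident fields, the NoticePlan structure and the three scenarios in demo() are this example's own assumptions, and the slides do not say what happens at exactly 500 individuals, so that boundary should be checked against the regulation before the function is relied on.

```python
"""Breach-notification triage (added example, not from the deck).

Encodes the decision points on slides 58-71: secured vs. unsecured PHI,
the three exceptions, the outcome of the four-factor risk assessment,
the discovery date when a business associate (BA) is involved, the
60-day deadline, the recipients of notice, and substitute notice.
Field names and the NoticePlan structure are assumptions of this example.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional


@dataclass
class Incident:
    """Facts the responder records about a suspected breach (assumed fields)."""
    discovered_on: date                   # discovery by the CE, or by a BA acting as its agent
    reported_to_ce_on: Optional[date]     # date a non-agent BA reported to the CE, if any
    ba_involved: bool
    ba_is_agent: bool
    phi_secured: bool                     # encrypted or destroyed per HHS guidance (slide 65)
    exception_applies: bool               # one of the three exceptions (slides 59-61)
    low_probability_of_compromise: bool   # documented outcome of the slide 66 risk assessment
    individuals_affected: int
    unreachable_individuals: int          # people with insufficient or out-of-date contact info


@dataclass
class NoticePlan:
    notice_required: bool
    reason: str
    discovery_date: Optional[date] = None
    deadline: Optional[date] = None
    recipients: List[str] = field(default_factory=list)
    substitute_method: Optional[str] = None


def ce_discovery_date(inc: Incident) -> date:
    """Slides 62 and 85: an agent BA's discovery is the CE's; otherwise the BA's report date."""
    if inc.ba_involved and not inc.ba_is_agent:
        if inc.reported_to_ce_on is None:
            raise ValueError("non-agent BA: the date it reported to the CE is required")
        return inc.reported_to_ce_on
    return inc.discovered_on


def plan_notice(inc: Incident) -> NoticePlan:
    """Apply the slide 64 table, then slides 67, 68 and 70."""
    if inc.phi_secured:
        return NoticePlan(False, "secured PHI (encrypted/destroyed): no notice")
    if inc.exception_applies:
        return NoticePlan(False, "breach exception applies: no notice")
    if inc.low_probability_of_compromise:
        return NoticePlan(False, "risk assessment documented low probability of compromise")

    disc = ce_discovery_date(inc)
    plan = NoticePlan(
        notice_required=True,
        reason="unsecured PHI, no exception",
        discovery_date=disc,
        deadline=disc + timedelta(days=60),   # slide 68: 60 days, and no unreasonable delay
    )
    plan.recipients.append("affected individuals")
    if inc.ba_involved:
        plan.recipients.append("covered entity (from the BA)")   # slides 67 and 84
    # Slide 67 thresholds used as written; exactly 500 is not stated on the slide.
    if inc.individuals_affected > 500:
        plan.recipients += ["media", "HHS (promptly)"]
    else:
        plan.recipients.append("HHS (annual submission)")
    # Slide 70: substitute notice when contact information is insufficient.
    if inc.unreachable_individuals >= 10:
        plan.substitute_method = "web site posting or major media for 90 days with toll-free number"
    elif inc.unreachable_individuals > 0:
        plan.substitute_method = "alternative written notice, telephone, or other means"
    return plan


def demo() -> dict:
    """Three constructed scenarios, returned so they can be inspected or tested."""
    large = Incident(date(2016, 1, 4), None, False, False, False, False, False, 1200, 12)
    via_ba = Incident(date(2016, 1, 10), date(2016, 2, 1), True, False, False, False, False, 40, 0)
    encrypted = Incident(date(2016, 1, 4), None, False, False, True, False, False, 5000, 0)
    return {"large": plan_notice(large), "via_ba": plan_notice(via_ba), "encrypted": plan_notice(encrypted)}


if __name__ == "__main__":
    for name, plan in demo().items():
        print(name, plan)
```

The "via_ba" scenario shows the point of slide 85: when the BA is not an agent, the 60-day clock starts at the BA's report date, not the BA's own discovery, which is why the BA agreement should say which it is.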
72. Accountings
• Ohio law removes blanket requirement for all disclosures
• HIPAA: accounting required:
– TPO stored electronically: 3 years
– Other covered disclosures: 6 years
• BA agreement must define procedure for accountings
73. Accounting Exceptions
• Disclosures:
– To carry out treatment, payment and health care operations;
– To individuals of protected health information about them;
– Incident to a use or disclosure otherwise permitted or required by the HIPAA Privacy Rules;
– Pursuant to an authorization;
– For the facility’s directory or to persons involved in the individual’s care or other notification purposes;
– For national security or intelligence purposes;
– To correctional institutions or law enforcement officials;
– As part of a limited data set; or
– That occurred prior to the compliance date for the Board
74. What’s Left to Account?
• Disclosures to a Public Health Entity
• Disclosures made during the course of litigation
– Disclosures made by a CE that is not a party to the litigation or proceeding and that are made:
• as required by law (under § 164.512(a) and (e)(1)(i));
• for a proceeding before a health oversight agency (164.512(d)); or
• in response to a subpoena, discovery request, or other lawful process
• Certain Disclosures to Business Associates
– Where the BA discloses information described above
75. Implementation dates
• Jan. 1, 2011
– For disclosures of records in existence after 1/1/09
• Jan. 1, 2014
– For disclosures of records in existence on or before 1/1/09
• Secretary may delay implementation dates; accounting rules still under construction
76. Accounting Recommendation
• Use authorizations to eliminate need for accounting
• Bring prior accounting requirement in line with HIPAA standards
• Consider continuing prior accounting procedures if in line with HIPAA
77. Other Privacy Changes
• Ability to get electronic versions of records
• Ability to restrict disclosure
• Immunizations
• Access to decedent information (50 yrs)
78. UPDATE YOUR NOTICES
Sample HIPAA Privacy Forms & Policies:
www.socialworkers.org/hipaa/sample.asp
81. BA Definition
• Performs functions or activities on behalf of a covered entity
• Involves use or disclosure of PHI
• Includes subcontractors of BA if PHI involved
82. BA Definition (cont’d)
• Agreement required
• Absence of agreement does not change status
83. BA Compliance
• All security requirements
• Privacy rules applicable to PHI activities
• Same requirements for subcontractors
84. BA notice of Breach
• Report to covered entity
• Without unreasonable delay
– 60 day max
• Must provide CE with identity of each individual affected by breach
85. BA as agent – significance
• If Agent
– CE liable for actions of BA
– Date of discovery by BA is date of discovery for CE
• If not Agent
– No direct liability
– Date of notice by BA is date of discovery for CE
86. When is BA an Agent
• Main issue is the right or authority of a CE to control BA’s conduct in course of service on behalf of CE
• Issue is the RIGHT to control, regardless of actual exercise
• Clarify in Agreement
87. Direct Liability of BA
• Impermissible use or disclosure
• Failure to provide notice of breach
• Failure to provide access if required
• Failure to provide info to HHS
• Failure to provide accounting
• Failure to implement security rules
89. SECURITY 101
PRIVACY vs. SECURITY
Privacy Rule | Security Rule
ALL PHI | ONLY e-PHI
Electronic, paper or oral PHI | PHI created, received, maintained or transmitted in electronic media
Standards for who may access PHI | Standards to ensure only authorized persons have access
Overseen and enforced by OCR | Overseen and enforced by OCR
90. SECURITY 101: Who Must Comply?
Since 2005-2006:
• Covered Entities
By September 23, 2013:
• Business Associates
• BA Subcontractors
91. SECURITY 101: General Rules
Maintain reasonable, appropriate safeguards for protecting e-PHI’s:
1) Confidentiality – e-PHI accessible only by authorized people and processes
2) Integrity – e-PHI is not altered or destroyed in an unauthorized manner
3) Availability – e-PHI can be accessed as needed by authorized persons
92. SECURITY 101: General Rules
• Identify and protect against threats to security or integrity;
• Protect against impermissible uses or disclosures; and
• Ensure compliance by workforce
93. SECURITY 101: General Rules
Safeguards
  Standards
    Implementation Specifications
      Required / Addressable
94. “Addressable” Implementation Specifications
For each addressable Imp. Spec., the CE MUST:
• Implement the Spec. if reasonable and appropriate; or
• If not reasonable and appropriate –
– Document rationale supporting decision; and
– Implement equivalent measure that would accomplish same purpose
95. Administrative Safeguards
Security Management Process: Implement policies and procedures to prevent, detect, contain, and correct security violations.
1. Risk Analysis (R)
2. Risk Management (R)
3. Sanction Policy (R)
4. Information System Activity Review (R)
96. Administrative Safeguards
Risk analysis:
• Conduct accurate, thorough assessment of risks, vulnerabilities, and threats to confidentiality, integrity, and availability of e-PHI
Risk Management:
• Implement security measures to reduce risks and vulnerabilities to a reasonable and appropriate level
97. Administrative Safeguards
IMPORTANT DEFINITIONS
VULNERABILITY: A flaw or weakness in system security procedures, design, implementation, or internal controls that could be [accidentally triggered or intentionally exploited] and result in a security breach or a violation of security policy.
THREAT: The potential for a person or thing to [accidentally trigger or intentionally exploit] a specific vulnerability.
RISK: A Vulnerability triggered or exploited by a Threat:
1. Unauthorized disclosure, modification, or destruction of info
2. Unintentional errors or omissions
3. IT disruptions due to natural or man-made disasters
4. Failure to exercise due care and diligence in the implementation and operation of IT system
Definitions from CMS HIPAA Security Series / NIST SP 800-30
98. Administrative Safeguards
Security Management Process
EXAMPLE RISK ANALYSIS:
1. Identify the scope of analysis
2. Gather data
3. Identify and document potential threats and vulnerabilities
4. Assess current security measures
5. Determine likelihood of threat occurrence
6. Determine level of risk
7. Identify security measures and finalize documentation
99. Administrative Safeguards
Security Management Process
EXAMPLE RISK MANAGEMENT:
1. Develop and implement risk management plan
– Purpose: to evaluate, prioritize, and implement risk-reducing security measures
2. Implement security measures
– Scope, timeline and budget for each project
3. Evaluate and maintain security measures
– Ongoing: periodic or in response to changes in environment
100. Administrative Safeguards
• Security Officer
• Workforce Security: “Need to Know” (A)
• Information Access Management (R/A)
• Security Awareness and Training (A)
• Security Incident Procedures (R)
101. Administrative Safeguards
Contingency Plan: Response to emergency (fire, vandalism, system failure, etc.).
1. Data Backup (R)
2. Disaster Recovery (R)
3. Emergency Mode Operation Plan (R)
4. Periodic testing & Revision (A)
5. Prioritize software/data for backup (A)
102. Administrative Safeguards
Evaluation: Periodic assessment of system – environment and operational changes (R)
BA Contracts & Other Arrangements: CE may permit a BA to create, receive, maintain, or transmit e-PHI but ONLY with satisfactory assurances:
- BA Agreement (contract)
- MOU if CE/BA are both government agencies
103. Physical Safeguards
Facility Access and Control:
- Limit physical access while ensuring authorized access
Workstation & Device Security:
- Specify proper use of and access
- Policies/procedures to address transfer, removal, disposal, and re-use of e-media
104. Technical Safeguards
Access Control: Only authorized persons can access
Audit Control: Implement hardware, software, procedural mechanisms to record/examine access and activity on systems
Integrity Control: Electronic measures to ensure e-PHI is not improperly altered/destroyed
Transmission Security: Technical measures to guard against unauthorized access to e-PHI transmitted over a network
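Audit Control on this slide, together with the Information System Activity Review of slide 95, is where the "Need to Know" rule of slide 41 becomes something a reviewer can actually check rather than just train. The following Python is an added example, not code from the deck: it reads a small constructed EHR access log and flags three things a weekly review looks for, an action outside the user's role, chart access to a patient the user has no care-team relationship with, and bulk access to many patients in one window. The log format, user and patient identifiers, the care-team roster, the role matrix and the bulk threshold are all constructed assumptions for the example.

```python
"""Information System Activity Review (added example, not from the deck).

Reviews a constructed EHR audit log against a care-team roster and a
role/action matrix, flagging accesses with no documented need to know.
Log format, users, patient ids, roster and thresholds are assumptions.
"""
import csv
from collections import Counter, defaultdict
from io import StringIO

# Constructed sample audit log (what an Audit Control mechanism records).
SAMPLE_LOG = """\
timestamp,user,action,patient_id
2016-04-21T08:02:11,nurse_a,VIEW_CHART,P1001
2016-04-21T08:05:40,nurse_a,VIEW_CHART,P1002
2016-04-21T09:10:03,billing_b,VIEW_CLAIM,P1001
2016-04-21T12:31:55,nurse_a,VIEW_CHART,P2002
2016-04-21T13:00:12,admin_c,EXPORT_RECORDS,P1001
2016-04-21T13:00:14,admin_c,EXPORT_RECORDS,P1002
2016-04-21T13:00:15,admin_c,EXPORT_RECORDS,P2002
2016-04-21T13:00:17,admin_c,EXPORT_RECORDS,P3003
2016-04-21T13:00:19,admin_c,EXPORT_RECORDS,P4004
2016-04-21T17:45:00,nurse_a,VIEW_CHART,P2002
"""

# Constructed care-team roster: the patients each user is assigned to (need to know).
CARE_TEAM = {
    "nurse_a": {"P1001", "P1002"},
    "billing_b": {"P1001", "P1002", "P2002"},   # payment purpose covers the whole unit
}

# Constructed role matrix: actions each user's role permits (Workforce Security, slide 100).
ROLE_ACTIONS = {
    "nurse_a": {"VIEW_CHART"},
    "billing_b": {"VIEW_CLAIM"},
    "admin_c": set(),   # system administrator: no routine access to patient records
}


def review_access_log(log_text, care_team=CARE_TEAM, role_actions=ROLE_ACTIONS,
                      bulk_threshold=5):
    """Return a list of (user, reason, detail) findings for a reviewer to work.

    Reasons: 'action-outside-role', 'no-need-to-know', 'bulk-access'.
    """
    findings = []
    patients_touched = defaultdict(set)
    for row in csv.DictReader(StringIO(log_text)):
        user, action, pid, ts = row["user"], row["action"], row["patient_id"], row["timestamp"]
        patients_touched[user].add(pid)
        if action not in role_actions.get(user, set()):
            findings.append((user, "action-outside-role", f"{action} on {pid} at {ts}"))
            continue   # the roster check is moot for an action the role does not have
        if pid not in care_team.get(user, set()):
            findings.append((user, "no-need-to-know", f"{action} on {pid} at {ts}"))
    # Many distinct patients in one review window merits a look even when each
    # individual access is permitted.
    for user, pids in patients_touched.items():
        if len(pids) >= bulk_threshold:
            findings.append((user, "bulk-access", f"{len(pids)} distinct patients"))
    return findings


def summarize(findings):
    """Counts per (user, reason): the shape a periodic review report needs."""
    return Counter((user, reason) for user, reason, _ in findings)


if __name__ == "__main__":
    for user_reason, n in sorted(summarize(review_access_log(SAMPLE_LOG)).items()):
        print(user_reason, n)
```

The roster is the important input: without a documented relationship between workforce members and the patients they serve, "need to know" cannot be checked after the fact, which is why slide 100 pairs Workforce Security with Information Access Management.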
105. Case Study #2
• As more documents migrate to electronic storage, data integrity is increasingly important.
• Data can be altered/destroyed by user error, or by electronic media errors or failures.
• If data integrity is not monitored, these errors can propagate into data backup systems and the “clean” data can be lost forever.
• A CE is REQUIRED to implement policies and procedures to protect ePHI from improper alteration or destruction.
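The case study is the Integrity Control of slide 104 in practice: an alteration has to be detected before the backup job copies it over the last good version. The following Python is an added example, not code from the deck or from any particular product. It computes a keyed SHA-256 tag for each record at a point when the data is known good, and the pre-backup check refuses to treat a record as clean unless its tag still matches, so a silently changed or corrupted record is quarantined instead of propagating. The record contents, the manifest layout and the key are constructed for the example; in a real deployment the key would come from a key store and the manifest would be kept with the backups.

```python
"""Integrity control for ePHI before backup (added example, not from the deck).

A keyed-hash manifest is built while records are known good; before each
backup run the current records are checked against it so silently altered
or corrupted records are quarantined instead of overwriting the last good copy.
Records, manifest layout and key are constructed assumptions.
"""
import hashlib
import hmac
import json

# Constructed key. Assumption: in production it is loaded from a key store.
INTEGRITY_KEY = b"example-integrity-key-not-for-production"


def canonical_bytes(record: dict) -> bytes:
    """Deterministic serialization so identical content always hashes the same."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def record_tag(record: dict, key: bytes = INTEGRITY_KEY) -> str:
    """HMAC-SHA256 over the canonical record. A plain hash would let anyone who
    can edit the record also recompute its tag; the key keeps that separate."""
    return hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()


def build_manifest(records: dict, key: bytes = INTEGRITY_KEY) -> dict:
    """record id -> tag, computed at a point where the data is trusted."""
    return {rid: record_tag(rec, key) for rid, rec in records.items()}


def verify_before_backup(records: dict, manifest: dict, key: bytes = INTEGRITY_KEY):
    """Return (clean, altered, missing, new) lists of record ids.

    Only 'clean' records should be written over the previous backup; the other
    three lists go to an incident ticket (Security Incident Procedures, slide 100).
    """
    clean, altered, new = [], [], []
    for rid, rec in records.items():
        expected = manifest.get(rid)
        if expected is None:
            new.append(rid)                      # no baseline yet: confirm via change control
        elif hmac.compare_digest(expected, record_tag(rec, key)):
            clean.append(rid)
        else:
            altered.append(rid)                  # content changed without the manifest being updated
    missing = [rid for rid in manifest if rid not in records]
    return clean, altered, missing, new


# Constructed sample ePHI records (fictional).
SAMPLE_RECORDS = {
    "P1001": {"name": "Sample Patient", "dob": "1970-01-01", "allergies": ["penicillin"]},
    "P1002": {"name": "Second Patient", "dob": "1985-05-05", "allergies": []},
}


def demo():
    """Baseline, then simulate a silent change and a new record, then verify."""
    manifest = build_manifest(SAMPLE_RECORDS)
    current = json.loads(json.dumps(SAMPLE_RECORDS))         # deep copy of the stored records
    current["P1002"]["allergies"] = ["latex"]                 # altered outside change control
    current["P1003"] = {"name": "Third Patient", "dob": "1990-09-09", "allergies": []}
    return verify_before_backup(current, manifest)


if __name__ == "__main__":
    clean, altered, missing, new = demo()
    print("clean:", clean, "altered:", altered, "missing:", missing, "new:", new)
```

Legitimate edits update the manifest as part of the same change that updates the record; anything that reaches the backup step with a stale tag is by definition a change that bypassed that process, whether from user error, media failure or something worse.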
106. Documentation
• BA Agreements & Other Arrangements
• Policies and Procedures
• Action, activity or assessment required by Standard or Imp. Spec.
– Retain 6 yrs from date of creation or date last in effect, whichever is later
– Make available to persons responsible for implementation
– Review, update periodically
107. Overview of Security Process
1. Assess current security, risks, gaps.
2. Develop implementation plan.
• Read Security Rule and review standards and Imp. Specs.
• Review “addressable” Imp. Specs. – determine if reasonable and appropriate
• Determine security measures
3. Implement solutions.
4. Document decisions.
5. Reassess periodically.
108. General Resources on HIPAA
• www.cms.gov under “Regulations and Guidance” for latest Security papers and checklists
• http://www.hhs.gov/hipaa/index.html for latest guidance, FAQs, and other info on Privacy Rule
• http://www.hhs.gov/hipaa/for-professionals/faq for FAQs about HIPAA
109. Resources on HIPAA for Social Workers
• *Sample HIPAA Privacy Forms and Policies: www.socialworkers.org/hipaa/sample.asp
• NASW HIPAA Security Rule Online Compliance Workbook: https://www.socialworkers.org/hipaa/workbook.asp
• HIPAAprof.com Awareness and Compliance Training: http://www.hipaaprof.com/nasw
111. Is Texting Allowed?
• HIPAA does not explicitly prohibit texting ePHI.
• However, the Security Rule still applies.
– Text messages are generally not secure because they lack encryption during transmission, they may be stored on a wireless provider’s servers for a period of time, and it is difficult to verify the text recipient with certainty.
112. Encryption
• Text encryption is addressable under the Security Rule
– Implement if reasonable and appropriate; or
– If not reasonable and appropriate –
• Document rationale supporting decision; and
• Implement equivalent measure that would accomplish same purpose
114. 1. Decide
• Decide whether mobile devices will be used to access, receive, transmit, or store PHI or used as part of your organization’s internal networks or systems
• Understand the risks to your organization before you decide to allow the use of mobile devices. Risks can vary based on the mobile device and its use. Some risks may be:
– A lost mobile device
– A stolen mobile device
– Inadvertently downloading viruses or other malware
– Unintentional disclosure to unauthorized users when sharing mobile devices with friends, family and/or coworkers
– Using an unsecured Wi-Fi network
115. 2. Assess
• Consider how mobile devices affect the risks to the PHI your organization holds.
– Conduct a risk analysis to identify the risks to your organization.
• After conducting a risk analysis, document:
– Which mobile devices are being used to communicate with your organization’s internal networks or systems (e.g., the EHR system or Health Information Exchange (HIE)),
– What information is accessed, received, stored, and transmitted by or with the mobile device
116. 3. Identify
• Identify your organization’s mobile device risk management strategy, including privacy and security safeguards.
– The purpose of a mobile device risk management strategy is to develop and implement mobile device safeguards to reduce risks identified in the risk analysis. The risk management strategy should include evaluation and maintenance of the mobile device safeguards you put in place.
117. 4. Develop, Document, Implement
• Develop, document, and implement the organization’s mobile device policies and procedures to safeguard PHI.
118. 5. Train
• Conduct mobile device privacy and security awareness and training
• Safeguards will not protect PHI unless the workforce is aware of its role in following and enforcing those safeguards. Privacy and security awareness and training should be ongoing and include a discussion of the following topics:
– Risks when using mobile devices for work
– How to secure mobile devices
– How to protect and secure health information
– How to avoid mistakes when using mobile devices
119. Are Texts Records?
• The content of a record is more important than the medium in which it is conveyed.
• If a DD Board decides to use text messaging as an official method of communicating, messages should be retained in accordance with the DD Board’s existing RC-2 Records Retention Schedule.
121. SUBPOENAS (Ohio Civ. R. 45)
• Hearing
– Clerk
• Deposition
– Court reporter
– Counsel
• Text of Rule 45 (C) and (D)
124. Site for Appearance
• Hearing
– Anywhere in state
• Deposition
– County of residence, or
– County of place of work, or
– “other convenient place fixed by the court”
• Documents – no appearance
– Appearance not necessary
125. Prepayment of costs
• In county - on request
• Out of county - automatic
126. Response
• Within 14 days or before time for compliance (if <14 days)
• Objection
• Motion to Quash
128. HIPAA: Response to Subpoena requires:
• Satisfactory assurance from requestor that reasonable efforts have been made to ensure that the individual involved has been given NOTICE OF THE REQUEST; OR
• Satisfactory assurance from requestor that reasonable efforts have been made to SECURE A QUALIFIED PROTECTIVE ORDER.
• Covered Entity makes reasonable efforts to give notice or obtain protective order
• Terms defined in 45 CFR 164.512(e)(1)
129. HIPAA: Assurances for notice
• Written statement with documentation showing:
– Good faith attempt to provide written notice
– Reasonable summary about litigation which allows consumer to object
– No objection made/time elapsed, or
– Objections overruled
130. HIPAA: Assurances for Protective Order
• Written statement with documentation showing:
– Parties presented an agreed protective order to court, OR
– The party seeking PHI requested a qualified protective order from court
131. HIPAA: Elements of Protective Order
• Prohibits the parties from using or disclosing PHI for any purpose other than the legal proceedings for which the information was requested; and
• Requires that PHI be returned to the covered entity or destroyed (including all copies made) at the end of the litigation or proceeding.
133. Scope of AoD rules
• AoD service
• Federal connection
134. General AoD rules
• Strict confidentiality
• Minors must consent
• Condition of probation/parole
136. AoD Proceedings
42 CFR 2.61-65
• Subpoena AND
• Court order
• Not required if disclosure is for research,
audit or evaluation
137. AoD Court Order: Required Findings
• Disclosure is necessary to protect against an
existing threat to life or of serious bodily
injury,
• including circumstances which constitute
suspected child abuse and neglect and
• verbal threats against third parties
• OR
138. AoD Court Order: Required Findings (cont’d)
• Disclosure is necessary in connection with
investigation or prosecution of an extremely
serious crime,
• such as one which directly threatens loss of
life or serious bodily injury, including
homicide, rape, kidnapping, armed robbery,
assault with a deadly weapon, or child abuse
and neglect
• OR
139. AoD Court Order: Required Findings (cont’d)
• Disclosure connected to litigation or an
administrative proceeding in which the
patient offers testimony or other evidence
pertaining to the content of the confidential
communications.
140. AoD Court Order: Application (Civil)
• By person with legal interest
– Not part of criminal investigation or prosecution
• Must use fictitious name
• May not use identifying data unless
– Patient consents
– Court seals record
141. AoD Court Order: Notice (Civil)
• Given to patient and person holding records
• Adequate without disclosing identity of
person to others
• Notify of right to appear to respond or to
show that criteria are not being met
142. AoD Court Order: Hearing (Civil)
• In Judge’s chambers or otherwise protected
from public disclosure
• Patient may consent to open hearing
– Consent requirements must be met
143. AoD Court Order: Criteria (Civil)
• Standard for disclosure met
• Good Cause, which means that
• Other means of obtaining info are not
available or ineffective
• Public interest outweighs value of
confidentiality
144. AoD Court Order: Content (Civil)
• Limit disclosure to essential parts of record
• Limit disclosure to persons in need of info
• Other methods restricting access to info –
e.g. sealing record from public
145. AoD Court Order: Application (Criminal)
• By person holding record or
investigator/prosecutor
• Must use fictitious name
• Cannot disclose personal information unless
record is sealed
146. AoD Court Order: Notice and Hearing (Criminal)
• Person must be given adequate notice
without revealing patient identifying data
• Opportunity to appear to challenge basis for
request
• Right to be represented by counsel
• Hearing in judge’s chambers or otherwise
protected from public scrutiny
147. AoD Court Order: Criteria (Criminal)
• Crime is “extremely serious”
• Reasonable likelihood that info is of
“substantial value” to
investigation/prosecution
• Other means of obtaining info unavailable or
ineffective
• Injury to patient/confidentiality outweighed by
public interest/need for disclosure
148. AoD Court Order: Criteria (cont’d)
• If the applicant for the court order performs a law
enforcement function:
– Person holding records has had opportunity to obtain
independent counsel
– If record holder is in Federal, State, Local
government, entity has in fact obtained counsel
149. AoD Court Order: Elements (Criminal)
• Findings on requirements for order
• Limit disclosure to essential parts of record
• Limit disclosure to investigators/prosecutors
to extent needed for serious crime
• Other methods restricting access to info –
e.g. sealing record from public
150. AoD Court Order: Action against program or person holding records
• No notice required
• Follow standards for civil proceedings
• Delete patient ID data from documents
available to public
• Info can’t be used for investigation or
prosecution of a patient, or be used as the
basis for an application for an order under
AoD rules applicable to criminal
investigations/proceedings.
151. AoD Court Order: Undercover
agent
• Application: suspicion of criminal conduct by
program employees/agents
• Notice to director unless
– Director implicated
– Director likely to disclose info on investigation
152. AoD Court Order: Undercover Agent (cont’d)
• Order requires good cause
• 6 months maximum
• Steps to protect patient confidentiality and to
minimize disruption of the program
• Info from undercover agent cannot be used to
prosecute patients
154. Sanctions
45 CFR 164.530(e)
• A CE must have and apply appropriate
sanctions against members of its workforce
who fail to comply with the privacy policies
and procedures of the CE or applicable
requirements
• A CE must document the sanctions that are
applied, if any
155. Exemptions
• A CE shall not impose sanctions against a
workforce member or BA who believes in
good faith that the CE has engaged in
conduct that is unlawful or otherwise violates
professional or clinical standards, or that the
care, services, or conditions provided by the
CE potentially endangers one or more
patients, workers, or the public
156. Only if the Disclosure is to:
• A health oversight agency or public health authority
authorized by law to investigate or otherwise oversee
the relevant conduct or conditions of the CE or to an
appropriate health care accreditation organization for
the purpose of reporting the allegation of failure to
meet professional standards or misconduct by the CE;
or
• An attorney retained by or on behalf of the workforce
member or business associate for the purpose of
determining the legal options of the workforce member
or business associate.
157. Victim of a Crime
• The CE may not impose sanctions for
disclosure of PHI against a member of its
workforce who is the victim of a criminal act
if the victim discloses PHI to a law
enforcement official
158. Provided That:
• The PHI disclosed is about the suspected perpetrator of the
criminal act; and
• The PHI disclosed is limited to the following information:
– Name and address;
– Date and place of birth;
– Social security number;
– ABO blood type and Rh factor;
– Type of injury;
– Date and time of treatment;
– Date and time of death, if applicable; and
– A description of distinguishing physical characteristics, including height,
weight, gender, race, hair and eye color, presence or absence of facial
hair (beard or moustache), scars, and tattoos
160. Best Practices
• The type of sanction should vary depending
on factors such as:
– the severity of the violation,
– whether the violation was intentional or unintentional
– whether the violation indicated a pattern of improper
use or disclosure of PHI.
• Sanctions could range from warning to
termination and should be in line with
existing progressive discipline policies.
161. Training
• Training should be provided and expectations
should be clear so individuals are not
sanctioned for doing things that they did not
know were inappropriate or wrong
• Sanctions should be applied consistently and
equitably to all staff
162. Sanction Categories
• A CE should have enough sanction categories
to cover privacy and security incidents of
varying severity
• Risk analysis and the scale/scope of the
incident should also be taken into
consideration
– Accidentally sending out PHI to the wrong email
address vs accidentally sending out PHI to an entire
email distribution list.
163. Sample Sanction Policy
• The following list outlines some of the violations
that may occur at a DD Board, but it is not
exclusive.
164. Group I
• Accidental violations of privacy and security
policies caused by carelessness, lack of
training, or other minor errors.
– Employee accidentally sends out PHI to the wrong
email address or fax number. Employee forgets to
apply encryption to an email. Employee turns in a
release authorization missing a component.
165. Group II
• More meaningful or repeated violations of
privacy and security policies caused by a
disregard of procedure.
– Employee releases information without an appropriate
authorization form. Employee deliberately transmits
PHI via unsecure methods to save time.
166. Group III
• Deliberate violation of policies without
harmful intent.
– Employee alters existing release authorization form to
avoid meeting with the individual/guardian again.
Employee accesses PHI about a coworker’s family
member without a need to do so.
167. Group IV
• Malicious violation of policies with harmful
intent.
– Employee discloses PHI for criminal purposes or with
malicious/harmful intent. (e.g. Identity theft, extortion,
posting PHI to social media to mock an individual).
169. Record Retention
• In General
– Six years from the date of receipt of payment or until
an initiated audit is resolved
• Determination of Ineligibility
– Five years after determination is made
• UI, MUI
– Seven years after date of the incident
170. ICF Records
• Seven years after cost report filed or
• Six years after appeal rights exhausted
171. Local Government Records Program (LGRP)
• Local government records can only be
destroyed or transferred after approval of the
County Records Commission
• Such action involves the preparation of either
a schedule of records retention and
disposition (RC-2) or an application for one-
time records disposal (RC-1).
172. RC-1 Forms
• RC-1 forms are used for a ‘One Time Disposal
of Obsolete Records’ that are no longer
created or maintained
• Since your DD Board is no longer creating
these records, there is no need to include
them on a retention schedule (RC-2 form)
– However, if you wish to dispose of these records, it
will still need to be documented with an RC-1 form.
173. RC-2 Forms
• The RC-2 form is your DD Board’s Retention
Schedule. It tells the state how long each
record series will be retained.
• RC-1 and RC-2 forms are signed off first by
the Records Commission, then submitted to
the State Archives
– Once reviewed and signed by the State Archives,
they are sent over to the Auditor of State’s office for
review and signature.
174. RC-3 Forms
• An RC-3 form is a Certificate of Disposal for
records identified on an RC-2 form. These
forms do not require the signature of the
Records Commission. The certificate of
records disposal serves as the official record
of the disposition of the records.
175. RC-3 Exceptions
• RC-2 forms dated after September 29th, 2011
have check boxes for the LGRP to mark. RC-3
forms will only be required for records series
that have been checked by the LGRP
• Generally, the LGRP is unable to review or
select for its custody any records protected
by HIPAA or FERPA
– This should be clearly indicated on the RC-2 form and
be enforced by the DD Board’s records custodian.
176. RC-2 Best Practices
• The LGRP website has detailed instructions
on how to fill out an RC-2 Retention schedule.
• The LGRP also provides a draft copy of a
suggested Retention Schedule for DD Boards
with sample records series and retention
windows.
– www.ohiohistory.org/lgrforms
– https://www.ohiohistory.org/OHC/media/OHC-Media/Learn/Archives-Library%20Documents/Developmental-Disabilities-Draft.pdf
177. Multiple Media Types
• If you are keeping both paper and electronic
records for the same length of time, they can be
listed together with both media types listed.
If you are only keeping one type until it is
converted to the other type (paper scanned to
electronic), you should use two separate
lines.
178. Keeping Paper AND Electronic Records
Schedule Number | Record Title and Description | Retention Period | Media Type
SSA-01          | Client Records               | Permanent        | Paper/Electronic
179. Keeping Paper OR Electronic Records
Schedule Number | Record Title and Description | Retention Period     | Media Type
SSA-01          | Client Records               | Retain until scanned | Paper
SSA-02          | Client Records               | Permanent            | Electronic
180. Digital vs Physical Record Retention
• The Ohio History Connection strongly
recommends maintaining an eye-readable
backup for records deemed of permanent
value or that will be maintained for greater
than ten years.
• It is our opinion that this is directed towards
government records with historical value as
opposed to DD Board records.
181. Digital vs Physical Record Retention
• ORC 9.01 generally states that electronic
copies of a document have the same
authority as a paper copy as long as they are
certified or authenticated.
• The State is concerned with the record itself
more than the medium in which it is retained.
182. State Guidelines for Long-Term Imaging
• Originals should be scanned at a minimum of
300 DPI and saved in Group 4 TIFF format.
This will be the master image/archival copy.
– Quality control should be intensive if the agency is
retaining ONLY a digital image.
• Images should be periodically copied to new
media to address any degradation or
impermanence, and the data should be
reformatted from obsolete storage devices.
183. State Guidelines for Long-Term Imaging
• Images should be reformatted into newly
emerging archival formats if applicable, and
components of your electronic document
management system should be migrated to
new software or hardware as technology
changes.
• All changes should be exhaustively tested
and documented to preserve the integrity of
your digital images and/or metadata.
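One way to check a scanned master image against the guideline above (at least 300 DPI, Group 4 TIFF) and to record a fixity value that can be re-verified after every copy to new media, as an added example that is not part of the presentation. It reads the TIFF header with the Python standard library only; the sample TIFF is constructed inline and carries just the tags the check needs.

```python
import hashlib
import struct

COMPRESSION, XRES, YRES, RESUNIT = 259, 282, 283, 296   # TIFF tag numbers
CCITT_G4, INCH = 4, 2                                   # expected tag values

def read_tiff_tags(data: bytes) -> dict:
    """Parse the first IFD of a classic TIFF and return {tag: value} for
    SHORT, LONG and RATIONAL entries; both byte orders are handled."""
    order = {b"II": "<", b"MM": ">"}[data[:2]]
    magic, ifd_off = struct.unpack(order + "HI", data[2:8])
    if magic != 42:
        raise ValueError("not a classic TIFF")
    count = struct.unpack(order + "H", data[ifd_off:ifd_off + 2])[0]
    tags = {}
    for i in range(count):
        e = ifd_off + 2 + 12 * i                 # each IFD entry is 12 bytes
        tag, typ, _count = struct.unpack(order + "HHI", data[e:e + 8])
        if typ == 3:                             # SHORT, value stored inline
            tags[tag] = struct.unpack(order + "H", data[e + 8:e + 10])[0]
        elif typ == 4:                           # LONG, value stored inline
            tags[tag] = struct.unpack(order + "I", data[e + 8:e + 12])[0]
        elif typ == 5:                           # RATIONAL, stored at an offset
            off = struct.unpack(order + "I", data[e + 8:e + 12])[0]
            num, den = struct.unpack(order + "II", data[off:off + 8])
            tags[tag] = num / den
    return tags

def guideline_findings(data: bytes) -> list:
    """Findings against the guideline; an empty list means the master passes."""
    t, findings = read_tiff_tags(data), []
    if t.get(COMPRESSION) != CCITT_G4:
        findings.append("compression is not CCITT Group 4")
    if t.get(RESUNIT, INCH) != INCH:
        findings.append("resolution unit is not inches, DPI cannot be verified")
    elif min(t.get(XRES, 0), t.get(YRES, 0)) < 300:
        findings.append("resolution below 300 DPI")
    return findings

def fixity(data: bytes) -> str:
    """SHA-256 recorded at ingest and re-checked after every copy to new media."""
    return hashlib.sha256(data).hexdigest()

def build_sample_tiff(dpi: int, compression: int = CCITT_G4) -> bytes:
    """Constructed sample input: a minimal little-endian TIFF carrying only
    the tags this check reads (no image strips), so the example runs offline."""
    rat_off = 8 + 2 + 4 * 12 + 4                 # rational values follow the IFD
    ifd = struct.pack("<H", 4)                   # four entries, ascending tag order
    for tag, typ, val in [(COMPRESSION, 3, compression), (XRES, 5, rat_off),
                          (YRES, 5, rat_off), (RESUNIT, 3, INCH)]:
        ifd += struct.pack("<HHII", tag, typ, 1, val)
    ifd += struct.pack("<I", 0)                  # offset 0: no further IFDs
    return b"II" + struct.pack("<HI", 42, 8) + ifd + struct.pack("<II", dpi, 1)
```

Run `guideline_findings` on each master at ingest and store `fixity` alongside the image; a differing digest after a media copy or format migration is the signal that the integrity testing the guideline calls for has failed.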
184. Jonathan Zuhosky
• Jonathan has been the Records Manager at
the Franklin County Board of Developmental
Disabilities for the past six and a half years.
He has a Master’s Degree in Library and
Information Science from Kent State
University.
Editor's Notes
• Where does MN apply – processing payment
• Limited data set – lacks client identifying info
• Minimum info ex: payment
• SA Tip – continue to use releases even when it’s optional
• BM Tip – policy to use and require releases
• Example: Farah’s medical info sold to Nat’l Enq.
• Supposed to go on a home visit and took wrong file by mistake.
• Team discusses individual in ISP meeting. One team member mentions a follow-up on another case in a meeting with others present.
• Visiting group home with persons with serious disability. Talk with your client and another client walks in and hears part of conversation. You believe that the other client could not have understood.
• Handout includes current guidance
• HHS must update guidance annually
• All paper PHI is unsecured
• BMs – consider policies re: handling of client files
• SAs – consider careful handling of client files
• Delay must be requested by law enforcement official – see page 6-7.
• Lose computer which stores PHI and all info, including SSN, are taken.
• Lose blackberry with client related e-mails.
• One client takes another’s file that was sitting on desk
• Provided directly by BA or through CE