
How to Comply with HIPAA Regulations


DESCRIPTION

CLE Presentation: Anna Selby and Diane Keefe, Attorneys at Armstrong Teasdale. Recent changes to the HIPAA Privacy and Security rules impact how covered entities protect Personal Health Information, one of today's most valuable and sensitive types of confidential data. The protection of this information and management of breach notification is essential to compliance with HIPAA. The choice of a lawyer is an important decision and should not be based solely on this presentation. All rights are reserved and content may not be reproduced, disseminated or transferred, in any form or by means, except with the prior written consent of Armstrong Teasdale.


Page 1: How to Comply with HIPAA Regulations

© 2013 Armstrong Teasdale LLP

HIPAA: Navigating the Labyrinth

Anna Selby Diane Keefe

July 31, 2013

Page 2: How to Comply with HIPAA Regulations


Navigating the Labyrinth

Page 3: How to Comply with HIPAA Regulations

Call From Employee

1) Staff Texting Nude Patient Photo.
• Patient is Identifiable.
• Hospital Name is visible on scrubs.

2) Nurses photograph x-ray.
• Post x-ray to Facebook.
• Nurse comments regarding patient.

Page 4: How to Comply with HIPAA Regulations

HIPAA

Regulations Apply to:
• Covered Entities (CE)
1) Providers
2) Health Plans
3) Clearinghouses
• Business Associates of CE’s
− Insurance Broker, Benefit Specialists
− Strategic Consultants

Page 5: How to Comply with HIPAA Regulations


HIPAA Protects

PHI PERSONAL HEALTH INFORMATION

Page 6: How to Comply with HIPAA Regulations

PHI Uses & Disclosures

OK to use PHI for:
1) Treatment
2) Payment
3) Health Care Operations

General Rule: Other Uses Require an Authorization.

Page 7: How to Comply with HIPAA Regulations

HIPAA Breach - New Definition

A Breach is
1. Unauthorized acquisition, access, use or disclosure of
2. Unsecured PHI
3. Compromises the privacy or security of the PHI

Presumption of Reportable Breach UNLESS
• CE determines there is a low probability the PHI has been compromised after risk assessment.

Page 8: How to Comply with HIPAA Regulations

HIPAA Risk Assessment

What is Compromised?
• Rule does not tell us.

Must Perform Risk Assessment.

Page 9: How to Comply with HIPAA Regulations

HIPAA Risk Assessment

4 Elements:
1. Nature and extent of PHI involved.

2. The unauthorized person who used PHI or to whom disclosure was made.

3. Whether PHI was actually acquired or viewed.

4. Extent to which the risk to PHI has been mitigated.

Page 10: How to Comply with HIPAA Regulations


HIPAA Risk Assessment

If you do not do a breach notification you MUST do a Risk Assessment. DOCUMENT, DOCUMENT, DOCUMENT.

Page 11: How to Comply with HIPAA Regulations

HIPAA Breaches

CVS 2009-Pill bottles thrown in dumpsters.
• $2.25 Million Settlement
• No policies.
• No training.

Page 12: How to Comply with HIPAA Regulations

HIPAA Breaches

Million Dollar Subway Ride
• Massachusetts General Hospital employee leaves documents on subway.
• PHI of 192 patients. (Included HIV/AIDS status)
• $1 Million Settlement.

Stanford 2011. BA posts PHI on web.
• 20,000 patients X $1,000 = $20 Million

Page 13: How to Comply with HIPAA Regulations

HIPAA Breaches

WellPoint—July 11, 2013
Left Accessible Information on Internet
$1.7 Million Settlement
600,000 Patients’ Information
WellPoint failed to:
1) Have Policies to authorize access to PHI;
2) Perform technical evaluation of software & database;
3) Have technical safeguards to verify identity of persons accessing PHI.

Page 14: How to Comply with HIPAA Regulations

HIPAA Breaches-Laptops

Sutter 2011. Stolen unencrypted laptop.
• 4 million patients X $1,000 nominal damages per patient.
• $1 Billion Potential Damages.

UCLA 2011.
• Encrypted laptop stolen. Paper also stolen.
• 16,000 patients X $1,000
• $16 Million.

Page 15: How to Comply with HIPAA Regulations

HIPAA Breaches-Hardware

Blue Cross Blue Shield Tennessee 2012
• Self Reported 57 unencrypted hard drives stolen.
• 1 Million people. $1.5 Million Settlement.

Pentagon 2011
• BA lost backup tapes, 4.9 Million Tricare beneficiaries.
• If damages are $1,000 per patient = $4.9 Billion.
• Attempted to use HIPAA for basis of claims.

Page 16: How to Comply with HIPAA Regulations

Lawsuits Pending

Plaintiffs claim HIPAA violations (Negligence Per Se).
Case law is not clear.
We argue no private right of action. Motions to dismiss granted.
Breach of Fiduciary Duty & Public Disclosure of Private Fact claims remain.
Each suit involved OCR investigation.

Page 17: How to Comply with HIPAA Regulations

HIPAA Breach

If you don’t need it for your job = Unauthorized.

Snooping.

Page 18: How to Comply with HIPAA Regulations

Snooping

There once was a girl … Later goes to psych ward at UCLA…

People get curious. 13 fired & 12 disciplined.
OCR investigates. $865,000.
No evidence PHI disclosed or sold.

Page 19: How to Comply with HIPAA Regulations

Snooping

Little Rock: News anchor in hospital. Physician watches news from home. Unit Coordinator & Billing employee. 2 fired; physician suspended 2 weeks.
• Face prison & fine.
• Each had HIPAA training.

Mom sues Hospital.
• AR SC allows outrageous behavior claim.

Page 20: How to Comply with HIPAA Regulations


Yes, Someone Went to Prison.

Researcher at UCLA Reviewed records 323 times in 3 weeks. His Boss,

No Evidence PHI was Used or Sold. 4 Months in Prison.

Page 21: How to Comply with HIPAA Regulations

Breach Notifications < 500

Breach
• Must Notify Individual(s)
− In Writing including what happened & steps taken.
− Within 60 days of date breach discovered.
• Notify HHS Secretary

Don’t Delay.

Page 22: How to Comply with HIPAA Regulations

Breach Notifications > 500

Where a Breach Involves Greater than 500 Residents:
• Notify Individuals in Writing
• Notify HHS Secretary
• Notify Media
− Press Release to “Prominent” media outlets.
− Within 60 days.

Page 23: How to Comply with HIPAA Regulations

Penalties-Civil

Per identical violation in a calendar year:
Did Not Know: $100 up to $25,000
Willful Neglect Uncorrected: $50,000 up to $1,500,000

Willful Neglect: Conscious, intentional failure or reckless indifference.

Can be Per Record. Extend to BA’s. Can impose penalty without seeking informal resolution.

Page 24: How to Comply with HIPAA Regulations

Penalties-Criminal

People that knowingly obtain or disclose PHI:
• Up to $50,000 AND 1 year imprisonment.

With False Pretenses:
• Up to $100,000 AND 5 years.

With Intent to sell or use for personal gain or malicious harm:
• Up to $250,000 AND 10 years.

Page 25: How to Comply with HIPAA Regulations

When a Breach Occurs:

Call Us. What We Can Do:
• Walk you through whether it is reportable.
− Multiple factors.
• Advise during investigation.
• Assist with Proactive Prevention.

Page 26: How to Comply with HIPAA Regulations

What Can/Should be Done to Comply?

Most obvious
• Modify your Business Associate Agreements
• Modify your Notice of Privacy Practices

Not so obvious…
• Conduct a Risk Assessment
• Review, evaluate and update policies and procedures
• Educate and train staff/employees

Page 27: How to Comply with HIPAA Regulations


Modifications to the BAA’s

A statement that the Business Associate (“BA”) now needs to comply with the administrative, physical, and technical components of the Security Rule

• Should also reflect that the BA is required to implement and maintain compliance with the administrative, physical, and technical components of the Security Rule

Page 28: How to Comply with HIPAA Regulations

Modifications to BAAs

A statement that the BA must report to the Covered Entity any breach of unsecured PHI (in addition to any unauthorized use or disclosure)
• Should reflect exactly what the BA should do in order to notify the Covered Entity of the breach:
− Date of incident
− Date of discovery of incident (if different than above)
− Categories of the affected information
− Individual(s) who were affected
− Steps for mitigation
− Steps for prevention

Page 29: How to Comply with HIPAA Regulations

Modifications to BAAs

A statement that the BA must ensure that any subcontractor will agree to the same restrictions and conditions that apply to the BA
• In other words, BAs now need to enter into BAAs with subcontractors

A statement requiring the BA to implement a system for documenting and recording uses and disclosures in compliance with the Security Rule

A statement that provides for retention of information for 6 years from the date of the disclosure

Page 30: How to Comply with HIPAA Regulations

Modifications to BAAs

Other Aspects to Consider
• Liability is determined on Agency principles, so a statement that reflects the status of the parties
• Consider modifying or adding insurance requirements
• Consider modifying or adding limitations of liability and indemnification provisions

Page 31: How to Comply with HIPAA Regulations

Modifications to BAAs

Compliance Deadline
• Depends on whether there is an existing BAA or whether there will be a new BAA entered into between the parties
− If existing BAA, then September 22, 2014
− If no existing BAA, then September 23, 2013

Page 32: How to Comply with HIPAA Regulations

Modifications to Notice of Privacy Practices

Must now include statements regarding the Sale of PHI
Must now include statements regarding marketing and other purposes that require an authorization
Must now include statement that an individual can opt out of fundraising communications/efforts

Page 33: How to Comply with HIPAA Regulations

Modifications to Notice of Privacy Practices

Must now include statement that the Covered Entity must agree to restrict disclosures to health plans if the individual pays out of pocket in full for the health care service
Must now include a statement about an individual’s right to receive breach notifications

Page 34: How to Comply with HIPAA Regulations

Conducting a Risk Assessment

Elements of a general risk assessment include:
1. Identify the scope – what are potential risks and vulnerabilities to your organization?
2. Identify where all the PHI is stored, received, maintained or transmitted
3. Assess current security measures:
− Do you utilize encryption software?
− Are passwords used and changed frequently?
− Are firewalls used?
− Are mobile devices protected?

Page 35: How to Comply with HIPAA Regulations

Conducting a Risk Assessment

Other Aspects:
• Determine likelihood of the occurrence of a threat
• Determine the potential impact of that threat
• Determine the level of risk

Which becomes a mathematical equation…
• Vulnerability x likelihood x impact = level of risk

Which can then assist in the mitigation of that risk

Page 36: How to Comply with HIPAA Regulations

Conducting a Risk Assessment

Threat Source | Terminated EE | Calculation
Threat | Unauthorized Access to Patient Information |
Vulnerability | No formal process in place to notify the IT department when ee’s are terminated and periodic reviews are not performed | 3
Likelihood | Removal of access for terminated ee has not been performed | 3
Impact | PHI is viewed, altered or destroyed | 3
Risk | Disgruntled ee gains unauthorized access to PHI after termination, deleting records | Total = 27
Risk Mitigation | IT implements daily automated program to read ee database in payroll system and automatically removes access to network and application systems for terminated ees | Risk is now significantly reduced
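The scoring formula from the previous slide (vulnerability x likelihood x impact) and the terminated-employee row above, carried through in Python as an added example that is not part of the presentation. The 1-3 scale and the 27 total are the slide's; the payroll records, the account directory, every field name, and the post-mitigation scores are constructed assumptions used to illustrate the daily reconciliation the slide names as the mitigation.

```python
"""Worked example of the slide's risk scoring and its deprovisioning mitigation.

Added example, not from the presentation. The payroll feed, account
directory, field names and post-mitigation scores are all constructed
assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class RiskItem:
    threat: str
    vulnerability: int  # 1 (low) .. 3 (high), the slide's scale
    likelihood: int
    impact: int

    def level(self) -> int:
        """Vulnerability x likelihood x impact = level of risk."""
        for score in (self.vulnerability, self.likelihood, self.impact):
            if not 1 <= score <= 3:
                raise ValueError("scores must be on the 1-3 scale")
        return self.vulnerability * self.likelihood * self.impact


# The slide's row: terminated employee, every factor scored 3 -> 27.
TERMINATED_EE = RiskItem(
    threat="Unauthorized access to patient information",
    vulnerability=3, likelihood=3, impact=3,
)

# Constructed sample data standing in for the payroll HR feed and the
# network/application account directory (assumed shapes, not real records).
TODAY = date(2013, 7, 31)
PAYROLL = [
    {"emp_id": "E100", "name": "A. Example", "termination_date": None},
    {"emp_id": "E101", "name": "B. Example", "termination_date": date(2013, 7, 15)},
    {"emp_id": "E102", "name": "C. Example", "termination_date": date(2013, 7, 30)},
]
ACCOUNTS = [
    {"username": "aexample", "emp_id": "E100", "enabled": True},
    {"username": "bexample", "emp_id": "E101", "enabled": True},   # still enabled after termination
    {"username": "cexample", "emp_id": "E102", "enabled": False},  # already removed
    {"username": "svc-backup", "emp_id": None, "enabled": True},   # no payroll owner
]


def accounts_to_disable(payroll, accounts, today):
    """Daily reconciliation: enabled accounts whose owner is terminated as of today."""
    terminated = {
        p["emp_id"] for p in payroll
        if p["termination_date"] is not None and p["termination_date"] <= today
    }
    return sorted(a["username"] for a in accounts
                  if a["enabled"] and a["emp_id"] in terminated)


def orphaned_accounts(payroll, accounts):
    """Enabled accounts with no payroll record: flagged for the periodic review
    the slide says was missing, since the daily job cannot decide them alone."""
    known = {p["emp_id"] for p in payroll}
    return sorted(a["username"] for a in accounts
                  if a["enabled"] and a["emp_id"] not in known)


def residual_risk(item, vulnerability, likelihood):
    """Rescore after mitigation. The new vulnerability and likelihood scores are
    an assumption (the slide only says 'significantly reduced'); impact is unchanged
    because the data is just as sensitive once accessed."""
    return RiskItem(item.threat, vulnerability, likelihood, item.impact).level()


if __name__ == "__main__":
    print("level of risk:", TERMINATED_EE.level())
    print("disable today:", accounts_to_disable(PAYROLL, ACCOUNTS, TODAY))
    print("needs review:", orphaned_accounts(PAYROLL, ACCOUNTS))
    print("after mitigation (assumed 1 x 1 x 3):", residual_risk(TERMINATED_EE, 1, 1))
```

The reconciliation is deliberately split in two: the daily job only acts on accounts it can tie to a terminated payroll record, while accounts with no payroll owner (service accounts, contractors) are reported rather than disabled, which is the periodic review the slide's vulnerability row says was absent. Rescoring after mitigation keeps the impact score fixed; the control lowers how likely and how exposed the threat is, not how much harm a successful access does.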

Page 37: How to Comply with HIPAA Regulations

Reviewing/Updating Policies and Procedures

Update policies and procedures on breach notification and integrate into the policy the four risk assessment factors used to determine whether a breach occurred:

1. Nature and extent of the PHI involved

2. The unauthorized person who used the PHI or to whom the disclosure was made

3. Whether PHI was actually acquired or viewed

4. Extent to which the risk has been mitigated

Page 38: How to Comply with HIPAA Regulations

Reviewing/Updating Policies and Procedures

Use and disclosure of PHI for marketing
• Requires determination of what is and is not considered marketing
• Once that determination is made, then clarify the policy to reflect what requires an authorization from the individual

Sale of PHI
• Selling an individual’s PHI without an authorization is prohibited

Page 39: How to Comply with HIPAA Regulations

Reviewing/Updating Policies and Procedures

Electronic Access to PHI
• May require revisions to job descriptions to clearly delineate who has access and in what situation
• May require revisions to IT policies and procedures

Requests for Restrictions

Use and disclosures of decedent information

Social media and cell phone policies

Page 40: How to Comply with HIPAA Regulations


Reviewing/Updating Policies and Procedures

Covered entities may use any security measures that allow them to reasonably and appropriately implement the HIPAA regulations. So, in determining whether to draft new or revise old policies and procedures, you should consider:

• Size, complexity, and capabilities of the Covered Entity

• Technical infrastructure, hardware, and software

• Costs

• Likelihood and impact of risks or potential risks, i.e., risk assessment

Page 41: How to Comply with HIPAA Regulations

Educate and Train Staff/Employees

Must ensure that the policies and procedures reviewed, revised, and/or created are implemented by staff/employees.
Sign-in sheets should be passed around so attendance of staff members/employees is documented.
Staff/Employee training must be conducted at the following intervals:
• At the start of employment
• Annual basis

If staff/employees do not apply these policies to their everyday practice, then organizations are at risk!

Page 42: How to Comply with HIPAA Regulations


Questions?

Anna Selby 314.552.6616

[email protected]

Diane Keefe 314.259.4731

[email protected]