Breach SHOULD Be a Four Letter Word HIPAA Omnibus


Breach SHOULD Be a Four Letter Word

HIPAA Omnibus

Objectives

• Recall two examples of recently reported breaches.

• Define breach and post event risk analysis guidance.

• List three strategies a practice can implement to reduce the likelihood of a breach.

04/18/23

Breaking News

• QCA Health Plan has agreed to pay a $250,000 monetary settlement.
  o Breach in February 2012 - an unencrypted laptop computer containing the ePHI of 148 individuals was stolen.
  o After the breach, data on equipment was encrypted by QCA.
  o QCA failed to comply with multiple requirements of the HIPAA Privacy and Security Rules, beginning from the compliance date of the Security Rule in April 2005 and ending in June 2012.

• Concentra has agreed to pay OCR $1,725,220 to settle potential violations and will adopt a corrective action plan to evidence their remediation of these findings.
  o Breach - stolen laptop from a PT facility.
  o Several risk analyses had identified the risk.


Breaches

• Advocate Medical Group in Chicago had 4 desktop computers taken in a burglary that contained the personal information of over 4 million patients. 

• A St. Louis orthodontist office was burglarized and company computers were taken with the data for over 10,000 patients.

• A physician practice at the University of Texas Health Science Center at Houston discovers a laptop has been stolen containing data for nearly 600 patients.


Protected Health Information Includes

• Health information whether oral or recorded in any form or medium

• Names

• All geographical subdivisions smaller than a State, including street address, city, county, precinct, zip code

• All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death

• Fax numbers

• Electronic mail addresses

• Social Security numbers

• Medical record numbers

• Health plan beneficiary numbers

• Account numbers

• Certificate/license numbers

• Vehicle identifiers and serial numbers, including license plate numbers

• Device identifiers and serial numbers

• Web Universal Resource Locators (URLs)

• Internet Protocol (IP) address numbers

• Biometric identifiers, including finger and voice prints

• Full face photographic images and any comparable images; and

• Any other unique identifying number, characteristic, or code

BREACH

What is a Breach?

• The unauthorized acquisition, access, use, or disclosure of PHI not permitted under the privacy rule, which compromises the security or privacy of such information.

• An acquisition, access, use, or disclosure of protected health information in a manner not permitted under the privacy rule is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised.

• Compliance date September 23, 2013.

Breach Exclusions

• A worker who has the authority to access information accidentally accesses the record of a patient in whose care they are not involved.

• A worker who has the authority to access information inadvertently shares the information with another worker who is not involved in the care of the patient.

• Information is shared with an individual/entity who is not authorized but the unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.

Risk Analysis Must Be Completed

1) The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification.

2) The unauthorized person who used the protected health information or to whom the disclosure was made.

3) Whether the protected health information was actually acquired or viewed.

4) The extent to which the risk to the protected health information has been mitigated.

Breach Notification

• Patients must be notified without unreasonable delay and no later than 60 days after the discovery of the breach.

• Breaches involving 500 or more individuals:
  o Notify prominent media outlets serving the State or jurisdiction, with the notification sent to the individual.
  o Notify the Secretary of HHS concurrently with the notification sent to the individual.

• Breaches involving fewer than 500 individuals:
  o Maintain a log or other documentation of the breaches and report no later than 60 days after the end of each calendar year in which the breach was discovered.
  o Provide the notification as listed on the HHS website.

Reporting Breach Information

http://1.usa.gov/WjyhJS

Breaches Impacting 500 or More


Breach Notification and Business Associates

• Must provide notice to the covered entity (CE) without unreasonable delay and no later than 60 days from the discovery of a breach.

• MUST address the timing of reporting, for both known breaches and suspect situations, in the BA contract.

• It is the CE's ultimate responsibility to report the breach to impacted individuals.
  o Reporting of the incident may be delegated by contract to the BA.
  o Delegation does not lessen the responsibility of the CE.
  o Both parties should NOT report; the notice should come from one party only.

What Does This Mean?

• All events must be documented; this includes exclusion events and why they are determined to meet the definition of an exclusion.

• CE and BA have the burden of proof:
  o To demonstrate that all required breach notifications were provided.
  o To demonstrate that an impermissible use or disclosure did not constitute a breach, such as by showing through a risk assessment that there was a low probability that the protected health information had been compromised.

• Must maintain documentation sufficient to meet that burden of proof.

• CRITICAL QUESTION: How will BAs communicate potential breach scenarios?

Patient Notification Process

• Written notice to affected individuals, provided by first class mail, or by electronic mail if the individual has specified that as the preferred method.
  o May be provided in one or MORE mailings as information becomes available.
  o Phone notice is allowed in an urgent situation, but must be followed by written notice.

• Substitute notice must be provided to affected individuals if contact information is insufficient or out-of-date. This may be provided via email.

• If contact information is insufficient for 10 or more individuals, the notice must be a conspicuous posting on the home page of the covered entity's Web site for 90 days, or notice in major print or broadcast media in the geographic areas where the affected individuals likely reside.
  o A toll-free number must be included where individuals can learn whether their information was included in the breach.

Patient Notification to Include

• Brief description of what happened.

• Description of the types of unsecured PHI that were involved in the breach (name, Social Security Number, etc.).

• Steps individuals should take to protect themselves from potential harm.

• Brief description of what the covered entity is doing to investigate the breach, mitigate damage, and protect against further breaches.

• Contact information at the covered entity for questions by patients.

• Must make a decision on credit monitoring services.

Four Tiered Penalty Structure

• For violations involving unknown violations (that is, where the entity did not know of the violation and would not have known of it if exercising reasonable diligence):
  o The penalty for each violation will be between $100 and $50,000.

• For violations involving reasonable cause (that is, where circumstances would make it unreasonable to comply with HIPAA, despite exercising ordinary business care and prudence):
  o The penalty for each violation will be between $1,000 and $50,000.

• Maximum annual penalty for the same violations: $1.5 million.


Willful Neglect

• Where the violation was due to willful neglect and was timely corrected: an amount not less than $10,000 and not more than $50,000 for each violation.

• Where it is established that the violation was due to willful neglect and was not timely corrected: an amount not less than $50,000 for each violation.

• Penalty for violations of the same requirement or prohibition under any of these categories may not exceed $1,500,000 in a calendar year.

• Secretary of HHS has waiver authority.

How Much of a Fine and Investigations

• Nature and extent of the violation.

• Number of individuals impacted.

• Nature and extent of harm, including reputational harm.

• Indications of non-compliance: broadly includes past issues around compliance.

• Investigations:
  o Indications of willful neglect will by law result in an investigation.
  o Civil money penalties will NOT be imposed if the violation is corrected within 30 days from when the entity becomes aware of the violation, UNLESS the violation was due to willful neglect.

Calculation of Penalties

• Where multiple individuals are affected by an impermissible use or disclosure, such as in the case of a breach of unsecured protected health information, it is anticipated that the number of identical violations of the Privacy Rule standard regarding permissible uses and disclosures would be counted by the number of individuals affected.

• For continuing violations, such as a lack of appropriate safeguards for a period of time, it is anticipated that the number of identical violations of the safeguard standard would be the number of days the entity did not have appropriate safeguards in place to protect the protected health information.

Reference: Federal Register January 25, 2013

Individual Employee Liability

(1) uses or causes to be used a unique health identifier; (2) obtains individually identifiable health information relating to an individual; or (3) discloses individually identifiable health information to another person,

o A person (including an employee or other individual) shall be considered to have obtained or disclosed individually identifiable health information in violation of this part if the information is maintained by a covered entity (as defined in the HIPAA privacy regulation) and the individual obtained or disclosed such information without authorization.


OCR Enforcement Example

• The Hospice of North Idaho (HONI) has agreed to pay HHS $50,000 to settle potential violations of the HIPAA Security Rule.

• First settlement involving a breach of unsecured ePHI affecting fewer than 500 individuals.

• An unencrypted laptop computer containing the ePHI of 441 patients had been stolen in June 2010. OCR discovered that:
  o HONI had not conducted a risk analysis to safeguard ePHI.
  o HONI did not have in place policies or procedures to address mobile device security as required by the HIPAA Security Rule.

Tips to Protect Information

Use or Release Information

• For treatment, payment and healthcare operations after providing a Notice of Privacy Practices.

• To the individual or legal representative.

• To friends and family with informal approval or for emergencies.
  o May ask the patient for permission to discuss healthcare if accompanied by another person during the exam.

• As authorized by the patient.

• Based on the professional judgment of the healthcare provider that it is in the best interest of the patient.

ePHI – Think Broader Than Your Computer

• Laptops, office PCs, servers

• Smartphones

• Thumb or flash drives

• Backup devices

• CD/DVD

• Equipment such as fax machines or copiers

• ePHI during transmission
  o Email
  o Healthcare providers
  o Personal health records

Risk Analysis and Audits

• Risk Analysis required by the Security Rule

• Audits
  o Logons outside usual business hours
  o Remote access report
  o File update or change reports
  o Review of daily activity
  o Review of employees logged in
  o Record access
  o Logon when person is out of office
  o Change report
  o Exceptional access or print
  o VIP record access
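Several of the audit reports listed above can be produced from a single access log. The following is an added example, not part of the original presentation, written in Python. It reads constructed, made-up access-log lines and flags the conditions the list names: logons outside business hours, logons by a user recorded as out of office, remote access, access to VIP records, and an unusual volume of printing. The log format and field order, the 07:00-19:00 business-hours window, the print threshold, and every user name and record number are assumptions for the illustration, not values from any real system.

```python
"""Audit-report triage over constructed EHR access-log records (added example)."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, time

# Assumed CSV field order for the constructed log: timestamp,user,action,record,source
FIELDS = ("timestamp", "user", "action", "record", "source")

# Assumed usual business hours for the practice: 07:00 to 19:00.
BUSINESS_START = time(7, 0)
BUSINESS_END = time(19, 0)

# Constructed sample log (made-up users, record numbers and sources).
SAMPLE_LOG = """\
2023-04-18T08:15:00,jdoe,LOGON,-,workstation-12
2023-04-18T08:20:00,jdoe,VIEW,MRN-1001,workstation-12
2023-04-18T23:40:00,asmith,LOGON,-,workstation-03
2023-04-18T23:42:00,asmith,VIEW,MRN-2002,workstation-03
2023-04-18T09:05:00,bjones,LOGON,-,vpn
2023-04-18T09:07:00,bjones,PRINT,MRN-3003,vpn
2023-04-18T09:08:00,bjones,PRINT,MRN-3004,vpn
2023-04-18T09:09:00,bjones,PRINT,MRN-3005,vpn
2023-04-18T09:10:00,bjones,PRINT,MRN-3006,vpn
2023-04-18T10:30:00,clee,LOGON,-,workstation-07
2023-04-18T10:31:00,clee,VIEW,MRN-9001,workstation-07
2023-04-18T11:00:00,malformed line
"""

# Assumed reference data an auditor would maintain alongside the log.
OUT_OF_OFFICE = {"clee"}        # users recorded as on leave on the audited day
VIP_RECORDS = {"MRN-9001"}      # records flagged for VIP monitoring


@dataclass(frozen=True)
class Finding:
    rule: str
    user: str
    detail: str


def parse_log(text):
    """Parse the constructed CSV format, skipping malformed lines instead of crashing."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(",")
        if len(parts) != len(FIELDS):
            continue  # a malformed line should not abort the whole report
        event = dict(zip(FIELDS, parts))
        event["timestamp"] = datetime.fromisoformat(event["timestamp"])
        events.append(event)
    return events


def audit(text, out_of_office, vip_records, print_threshold=3):
    """Apply the audit rules from the slide to the log and return a list of findings."""
    findings = []
    prints = Counter()  # print jobs per user, for the exceptional-print check
    for ev in parse_log(text):
        user, action, record, source = ev["user"], ev["action"], ev["record"], ev["source"]
        when = ev["timestamp"]
        if action == "LOGON":
            if not (BUSINESS_START <= when.time() < BUSINESS_END):
                findings.append(Finding("after_hours_logon", user, when.isoformat()))
            if user in out_of_office:
                findings.append(Finding("logon_while_out_of_office", user, when.isoformat()))
            if source == "vpn":
                findings.append(Finding("remote_access", user, when.isoformat()))
        if action in ("VIEW", "PRINT", "UPDATE") and record in vip_records:
            findings.append(Finding("vip_record_access", user, f"{action} {record}"))
        if action == "PRINT":
            prints[user] += 1
    for user, count in prints.items():
        if count > print_threshold:
            findings.append(Finding("exceptional_print_volume", user, f"{count} print jobs"))
    return findings


def summarize(findings):
    """Count findings per rule, the shape a daily review report would show."""
    return Counter(f.rule for f in findings)


if __name__ == "__main__":
    results = audit(SAMPLE_LOG, OUT_OF_OFFICE, VIP_RECORDS)
    for f in results:
        print(f"{f.rule:28} {f.user:8} {f.detail}")
    print(dict(summarize(results)))
```

Each finding is a starting point for review by a privacy officer, not a conclusion: the after-hours logon may be an on-call clinician, and the VIP access may be the treating provider. The value of the script is that the questions on the slide get asked of every day's log rather than only after a complaint.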

What Can Others See or Hear?

Be mindful of hallway conversations which may be overheard.

Know what you can discuss, and with whom, in patient care areas when others are brought back into the exam area.

What information is viewable on your computer screen?

Are the appointments for the day posted?

Is patient information in the regular trash?

When PHI is printed out, double check whose information it is before it is given to a patient (common problem!).

Conversations outside of the work environment?

Safeguarding ePHI

• Access information with your personal login and password.
  o Passwords must not be shared!

• Log off or lock computer when moving away from work area.

• Be mindful of the physical security of especially mobile devices containing ePHI (laptops, smart phones).

• Only open email/attachments from reliable sources.

• Access only approved internet sites.

• Patient information should not be mentioned on personal social media accounts.

• Data encryption: back-up devices, phones, servers, computers.

Email

• Email containing PHI must be sent in a secure manner.
  o This includes emailing information for referral purposes.
  o Emailing between employees within the practice is acceptable if the email system is secure.

• Means of protection include:
  o Patient portal.
  o Encryption.

• At the patient's request, PHI may be sent unsecured if you have informed the patient of the risk.
  o The request should be in writing using the Authorization for Release - Compound Release form.


Training

• Train all employees
  o Including admin staff
  o Physicians

• Baseline training for all new employees
  o Train specific job functions on targeted areas of need

• Priority to train employees regarding breach
  o Definition

• Protection strategies
  o Minimum necessary
  o Logins/passwords
  o Computer protections: physical security
  o Social media
  o Acceptable information sharing sites
  o Remote access

Quotes from HHS Attorneys

• If you find you have a problem, report it.

• If you hinder the investigation by hiding the facts, they will bring the heaviest fines.

• They don't care how sorry you are, or how you will do things differently next time.

• The facts will always speak for themselves.

• Simply, did you have a good compliance program, and have an incident that happened, or did you have nothing, and did nothing?

• The real cold comment the Federal attorney made in closing: "I don't care if a company or practice goes out of business because of the fine."


Thank you!

Bill Fivek
President & CEO
www.totalmedicalcompliance.com
Bill@totalmedicalcompliance.com
888.862.6742