
Page 1: HIPAA and Privacy Issues for ASCs ... - Becker's ASC Review...Catholic Health Care Services of the Archdiocese of Philadelphia (June 2016) • $650,000 settlement and corrective action

www.mcguirewoods.com

HIPAA and Privacy Issues for ASCs

Presented by:
Holly Carnell
Meggan Bushee
McGuireWoods LLP


McGuireWoods LLP | 2

Introductions

Meggan Bushee, McGuireWoods LLP
[email protected]
704-343-2360

Holly Carnell, McGuireWoods LLP
[email protected]
312-849-3687


CONFIDENTIAL

Agenda

• Recent enforcement actions

• Ransomware

• Social media

• HITECH Act audit program update


Recent HIPAA Enforcement Actions


Office for Civil Rights Overview

• Responsible for enforcing HIPAA
• Investigates complaints related to alleged HIPAA violations filed with HHS
  – Discretionary
  – May refer violations of the criminal provisions of HIPAA to the Department of Justice for investigation
• Conducts compliance reviews
• Performs education and outreach to foster compliance
• HITECH Act audits
  – Mandatory


University of Mississippi Medical Center (July 2016)

• $2.75 million settlement for multiple alleged HIPAA violations
• UMMC employee's unencrypted laptop was stolen from an intensive care unit
• Breach of ePHI affecting approximately 10,000 individuals
• OCR determined UMMC was aware of risks and vulnerabilities as far back as April 2005
• Found that no significant risk management activity was undertaken until after the breach
• UMMC must pay the resolution amount and adopt a corrective action plan to assure HIPAA compliance


Oregon Health & Science University (June 2016)

• $2.7 million settlement following multiple breach reports
• One of the breaches involved theft of an unencrypted thumb drive
• Two of the breaches involved theft of unencrypted laptops
• OCR investigation found widespread and diverse security issues
• Storage of ePHI for over 3,000 individuals on a cloud-based server with no BAA in place
• Must institute a comprehensive three-year corrective action plan and pay the settlement


North Memorial Healthcare (March 2016)

• North Memorial Healthcare of Minnesota – March 2016
  – Agreed to settle potential violations of HIPAA for $1.55 million
  – Theft of an unencrypted laptop from a business associate's locked vehicle
  – No business associate agreement with a vendor that had access to North Memorial's patient database!


Catholic Health Care Services of the Archdiocese of Philadelphia (June 2016)

• $650,000 settlement and corrective action plan
• CHCS provided management and information technology services as a business associate to six skilled nursing facilities
• Theft of a CHCS mobile device compromised the ePHI of 412 nursing home residents


Raleigh Orthopaedic Clinic, P.A. (April 2016)

• Agreed to settle potential violations for $750,000
• The practice had released x-ray films and related PHI of 17,300 patients to a vendor for them to transfer the images to electronic media
• Failed to execute a business associate agreement with the vendor!
• "HIPAA's obligation on covered entities to obtain business associate agreements is more than a mere check-the-box paperwork exercise. It is critical for entities to know to whom they are handing PHI and to obtain assurances that the information will be protected," said OCR Director Jocelyn Samuels.


New York Presbyterian Hospital (April 2016)

• $2.2 million settlement and comprehensive correction plan with 2 years of monitoring
• 2 patients' PHI was disclosed while using the hospital to film an episode of "NY Med," an ABC TV show
• The hospital allowed one person who was dying, and another who was in significant distress, to be filmed for the TV show


Advocate Health Care Network (August 2016)

• $5.55 million settlement (largest HIPAA settlement with OCR to date against a single entity)
• Investigation following 3 breach reports (including one involving theft of an unencrypted laptop left in an unlocked vehicle overnight)
• Failure to have BAAs in place
• Failure to conduct an accurate and thorough Security Rule risk assessment
• "We hope this settlement sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals' ePHI is secure." – OCR Director Jocelyn Samuels


Ransomware


What is Ransomware?

• Stops the user from using the PC, holding the PC or its files for "ransom"
• Ransomware methods:
  – Locks the user completely out of the computer or Windows
  – Encrypts files, which can only be decrypted with a key that the hacker has
  – Stops certain applications, like web browsers
• The ransomware will not be lifted until a certain amount of money is paid (usually in untraceable bitcoin)
• Major issue: paying the ransom does not guarantee you get functionality back


Detecting/Protecting Against Ransomware

• How does it get on your PC?
  – Visiting unsafe, suspicious, or fake websites
  – Opening e-mails or attachments from unexpected or unknown sources
  – Clicking on malicious or bad links from social media
• What can it look like?
  – Can be disguised as an official-looking or government screen claiming the user has done something illegal
  – Can just describe the locked files
• General tips
  – Don't click on webpages, emails, or attachments unless you trust the source
  – If you are unsure, don't click!
  – Look for things like bad spelling or unusual web addresses


Ransomware in Health Care

• Hackers increasingly using ransomware against providers instead of just stealing medical records
• Health care record theft is up 1,100% from last year
• Health care industry security spending is at an estimated 1/10 of other major industries
• Ransomware in health care leads to quicker payment for cybercriminals than typical record theft
  – Providers are in the unique situation where they need constant, immediate access to records, so they pay quickly
• 41% of respondents hit by ransomware end up paying the ransom
• Health Information Trust Alliance conducted a study of 30 midsized hospitals and found 52% were infected with malicious software, which is a vector for ransomware


HHS HIPAA Guidance and Ransomware

• HHS guidance focuses on how HIPAA compliance can protect against malware and ransomware
• Compliance with HIPAA security measures to prevent malware introduction
  – Implement a security management process with risk analysis to identify threats and vulnerabilities
  – Implement procedures to guard against malicious software
  – Train users to identify malicious software risks
  – Limit access to only those personnel who need it
• Compliance with HIPAA to aid in recovery from ransomware attacks
  – Covered entities are required to implement policies that assist in responding to and recovering from ransomware
  – Maintain frequent backups and ensure the ability to recover data
  – HIPAA mandates procedures for responding to and reporting security incidents, which can be used in a ransomware attack. 45 C.F.R. 164.308(a)(6)


HIPAA Guidance and Ransomware Cont.

• Compliance with HIPAA breach rules
  – Presence of ransomware on a covered entity's system is a security incident under the HIPAA rules
  – Must initiate response and reporting procedures once this happens
  – Whether or not the infection is considered a breach under the HIPAA rules depends on the situation
  – If the data is encrypted by the attack, it is considered a breach because the data has been acquired (and thus is a disclosure), unless the covered entity can show that "there is a low probability that PHI has been compromised"
  – Showing a low probability that PHI has been compromised requires a risk assessment that considers four factors:
    • Nature and extent of the PHI involved
    • The unauthorized person who used the PHI or to whom the disclosure was made
    • Whether the PHI was actually acquired or viewed
    • Extent to which the risk to the PHI has been mitigated
  – Depending on the facts of the situation, if the PHI was encrypted by the provider beforehand to comply with HIPAA, it may not be considered a breach
    • No risk assessment is needed to determine a low probability of compromise if the PHI was encrypted correctly


Social media


Three Principles

1. All it takes is a phone and the press of a button to create a privacy breach.
2. News travels in an instant.
3. Retrieval is almost always impossible.


Privacy Breaches Before . . . .

• Conversation at nurses' station in presence of others
• Mention of hospitalized neighbor at community BBQ
• Photo of new baby with other newborns in nursery


Privacy Breaches Now . . .

• Comments about patient care or clinical situations on FACEBOOK
• BLOGS about patient safety in hospitals/LTC facilities
• TWEETS about cutting-edge procedure in OR
• VIDEO of consent process, postoperative instructions or procedure on YOUTUBE
• EMAILS between providers regarding patient care or incident
• VIDEO of patient taken by family member on YOUTUBE
• PHOTOS that intentionally or inadvertently disclose patient information


“Everybody” is doing it…


Policy Provisions and Considerations

• Define what is and what is not appropriate social media use
• Prohibit false or obscene statements
• Prohibit harassing statements or statements disparaging an individual's race, religion, age, sex or disability
• Prohibit the posting of any confidential information about patients/residents
• Prohibit the posting of any photos, videos, or recordings of patients/residents on personal social media
• Prohibit the posting of photos taken anywhere on company property on personal social media
• Encourage employees to post photos of co-workers taken outside of work only with the co-worker's permission


Policy Provisions and Considerations

• Prohibit disclosure of company financial, proprietary or other confidential information
• Explicitly state that the policy is not intended to interfere with protected activity or infringe upon employees' rights
• Prohibit disparaging comments about the company, coworkers or supervisors that are not related to working conditions
• Prohibit use of company trademarks or logos on personal social media
• Specify that employees are not to speak for companies on social networking sites or blogs, only for themselves
• Policies cannot prohibit an employee's ability to discuss the terms and conditions of work with fellow employees


Policy Provisions and Considerations

• Ensure legal review of any social media policy. The NLRB is very active in this area and has taken aggressive positions – NOTE: this applies even where the workforce is not organized. Consider this scenario:
  – Company establishes a social media policy prohibiting the posting of "confidential information"
  – The phrase "confidential information" is undefined and is viewed to include wages, benefits, and treatment by supervisors
  – The policy also generally prohibits disparaging comments about the Company and fellow employees
  – Employee complains on Facebook about his/her wages, working conditions, or supervisor
  – Company learns of the post and disciplines the employee for disclosing confidential information and disparaging the supervisor
  – The current NLRB would find that the policy interferes with the employee's right to discuss the terms and conditions of his/her work with fellow employees; order reinstatement and back pay


Introduction to HITECH Act Audit Program

• Section 13411 of the HITECH Act requires HHS to perform periodic compliance audits to ensure compliance with HIPAA
  – Privacy Rule compliance
  – Security Rule compliance
  – Breach Notification Rule compliance
  – Not State-specific privacy and security rules
• Both covered entities and business associates are subject to audits
  – Selected by OCR from "as wide a range of types and sizes as possible"
  – Not just healthcare providers; health plans and clearinghouses will also be audited
• Selection does not indicate that a complaint has been filed or that OCR suspects a violation
• Intended to identify and correct compliance deficiencies
  – Not intended to be punitive
• Discovery of deficiencies will likely lead to a recommendation for corrective action
  – Grievous situations may lead to enforcement action


Launching Phase 2

• On March 21, OCR announced the launch of its Phase 2 Audit Program. Communications from OCR will be sent by email (check your spam)
• Process Overview
  – Obtain and verify contact information from a wide range of covered entities and business associates to develop pools of potential auditees
  – Pre-audit questionnaires about the size, type and operations of potential auditees for use in creating audit pools (includes request for list of business associates)
  – An entity that does not respond to OCR may still be selected for audit or subject to compliance review
  – Desk audits in 2016
  – More comprehensive, onsite audits in 2017
  – Some desk auditees may also be subject to an onsite audit


2016 Desk Audits

• Notification email containing list of requested documents
• Document production
  – 10 business days
  – Submit electronically in digital form
• Auditor reviews documents and issues draft report
• Auditee reviews draft report and returns written comments
  – 10 business days
• Final report shared with auditee
  – 30 business days
  – How the audit was conducted
  – What the findings were
  – What actions the covered entity or business associate is taking in response to those findings


After an Audit

• Individual results are not published
• Certain documents/information may be subject to requests by the public under the Freedom of Information Act
• Implement any required corrective actions
• It is possible that an audit could indicate serious compliance issues that may trigger a separate enforcement investigation by OCR
• Still subject to future audits


Audit Program Protocol

• Available on OCR's website at: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html
• Updated to reflect the Omnibus Final Rule
• The Audit Program Protocol covers:
  – Privacy Rule requirements
  – Security Rule requirements
  – Breach Notification Rule requirements
• Can be used for self-reviews/self-audits
  – Recommended at least annually
• Feedback about the protocol can be submitted to OCR at [email protected]


Audit Protocol Example

Section: §164.404

Established Performance Criteria: §164.404(c)(1) Elements of the notification required by paragraph (a) of this section shall include, to the extent possible: (A) a brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known; …

Key Activity: Content of Notification

Audit Procedures: Inquire of management to determine if there is a standard template or form letter for breach notification. Verify that, if any breaches have occurred, the notification to the individuals included the required elements of this section.

Implementation Specification: N/A

HIPAA Compliance Area: Breach


Questions or Comments?

www.mcguirewoods.com