Presented by Brandon Kulwicki | 214.615.2025 | [email protected]

HIPAA: Navigating Medical Privacy and Confidentiality Laws in Texas

TAPS 2017

Applicable Laws

• On the federal level…
  – Health Insurance Portability and Accountability Act (HIPAA),
  – Health Information Technology for Economic and Clinical Health (HITECH), and
  – HIPAA Omnibus Rule.

• On the state level…
  – House Bill 300 (Tex. Health & Safety Code part 181)

What does HIPAA cover?

• HIPAA and its implementing regulations (HITECH and the Omnibus Rule) create regulations for the use and disclosure of protected health information (“PHI”) made by covered entities.

• So, what are…
  – “Uses and disclosures”
  – “PHI”
  – “Covered entities”

What are Covered Entities?

• HIPAA defines a “Covered Entity” as “a health plan, a health care clearinghouse, or a health care provider who transmits any health information in electronic form in connection with a transaction covered by [HIPAA].”

• This definition includes all hospitals, physicians, dentists, insurance companies, and most likely any other health care entity that you come across.

45 CFR §160.103

What are Covered Entities? (cont.)

• Texas House Bill 300 defines “Covered Entities” even more broadly to include any person/entity who is involved in “assembling, collecting, analyzing, using, evaluating, storing, or transmitting” protected health information (PHI), or “comes into possession” of PHI, or “obtains or stores” PHI. This also includes their employees, agents, and contractors.

• Practically, this means that nearly everyone in Texas is a covered entity!

Tex. Health & Safety Code §181.001

What is PHI?

• Protected health information, or PHI, includes any individually identifiable health information that is:
  – Created or received by a health care provider, health plan, or health care clearinghouse, and
  – Relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or payment of such health care.

45 CFR §164.512(e)(1)(ii)

Use and Disclosure of PHI

• Under HIPAA, a covered entity is permitted to use or disclose an individual’s PHI only:
  – To the individual
  – For treatment, payment, or health care operations
  – Incident to a use or disclosure otherwise permitted
  – Pursuant to and in compliance with a valid authorization
  – Pursuant to an agreement
  – As permitted by and in compliance with 45 CFR §164.512

45 CFR §164.502(a)(1)

What is the HIPAA Omnibus Rule?

• In January 2013, the Department of Health & Human Services (HHS) published a set of rule changes modifying privacy, security, and enforcement previously addressed in HIPAA and the HITECH Act of 2009.

• The Omnibus Rule is a finalization of the Interim Final Rules created by HHS following the introduction of HIPAA and HITECH, and went into effect March 26, 2013.

http://www.hhs.gov/ocr/privacy/hipaa/administrative/omnibus/

So what did the Omnibus Rule do?

• Among others, the Omnibus Rule created final rules to:
  – Make Business Associates directly liable for compliance with certain HIPAA privacy and security rules.
  – Strengthen the limitations on the use and disclosure of PHI for marketing and fundraising purposes, and prohibit the sale of PHI without individual authorization.
  – Adopt changes to the HIPAA Enforcement Rules to incorporate the increased and tiered civil monetary penalty structure provided by the HITECH Act.

What is Texas House Bill 300?

• Due to concerns that HIPAA and HITECH did not adequately protect PHI, the Texas legislature enacted House Bill 300, which went into effect on September 1, 2012.

• House Bill 300 (Tex. Health & Safety Code part 181) increased the safeguards mandated by federal legislation.

http://www.legis.state.tx.us/BillLookup/Text.aspx?LegSess=82R&Bill=HB300

So what did TX House Bill 300 do?

• A few of the major changes to existing federal regulations:
  – Expansion of the definition of a “Covered Entity” to include parties that assemble, collect, analyze, transmit, possess, or store PHI.
  – Adoption of new training requirements for employees.
  – Adoption of additional patient rights related to electronic medical records.
  – Increased civil penalties for Covered Entities that wrongfully disclose a patient’s PHI.

So why do you care?

HIPAA Privacy

• The general rule for Use and Disclosure of PHI is to obtain individual authorization. The Omnibus Rule specifically requires authorization in the following circumstances:
  – Most uses and disclosures of psychotherapy notes
  – Most uses and disclosures for marketing purposes
  – Uses and disclosures that involve the sale of PHI

45 CFR §164.508(a)

HIPAA Privacy (cont.)

• Exceptions to the general rule - authorization is NOT required when use/disclosure of PHI is for:
  – Treatment of the individual, or providing access to an individual,
  – Payment purposes,
  – Health Care operations (including disclosures to business associates),
  – Public health activities,
  – Law enforcement purposes,
  – Research purposes,
  – Sale, transfer, merger or consolidation of all or part of a Covered Entity,
  – Providing an individual access to their own PHI, or
  – Other purposes the Secretary deems reasonable and necessary.

Written Authorization

• So what does an authorization for release of medical records need to contain to be valid under HIPAA?
  – A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion;
  – Name or other specific identification of the person(s) authorized to make the requested use or disclosure;
  – Name or other specific identification of the person(s) to whom the requested use or disclosure may be made;
  – A description of each purpose of the requested use or disclosure;
  – An expiration date for the authorization (if indefinite, the authorization should so state);
  – Signature of the individual who is authorizing the use or disclosure. If signed by an individual’s legal representative, the authorization should include a description of the representative’s authority to act on behalf of the individual.

45 CFR §164.508(c)

Written Authorization (cont.)

• Key elements for an authorization:
  – In writing
  – Signed by individual (or individual’s legal representative)
  – Must identify what information should be disclosed
  – Must identify who is receiving the information

Written Authorization (cont.)

• Under TX House Bill 300, the Office of the Attorney General was charged with creating a standard-form authorization compliant with HIPAA and Texas privacy requirements.

www.oag.state.tx.us/consumer/hipaa.shtml

Subpoenas for Medical Records

• In addition to the general requirements for a valid subpoena, subpoenas for medical records must satisfy HIPAA’s privacy protections.

• Under HIPAA, a covered entity cannot legally release medical records under a subpoena unless the covered entity receives a patient authorization for such disclosure, or the covered entity receives “satisfactory assurances” that reasonable efforts have been made to notify the patient of the request for PHI.

45 CFR §164.512(e)

Satisfactory Assurances

• Unless a subpoena is accompanied by a court order or patient authorization, satisfactory assurances must be included with a subpoena for medical records.

• Under HIPAA, a requesting party has provided satisfactory assurances when the party shows that:
  – The requesting party has made a good faith attempt to provide written notice to the individual;
  – The written notice includes sufficient information about the litigation in which the PHI is requested to permit the individual to raise an objection to the court; and
  – The time for the individual to raise such an objection has elapsed, and either no objection was filed or any objections filed have been resolved by the court.

45 CFR §164.512(e)(1)(ii)

Satisfactory Assurances (cont.)

• Statements providing satisfactory assurances should be provided in writing and included with the subpoena. Supporting documentation, such as a copy of the written notice given to the individual, should be included as well.

Other Considerations

• Under TX House Bill 300, health care providers have fifteen business days from receipt of a proper request to provide medical records.

• Because Texas health care providers may charge a reasonable fee for the copying of health records, contact the provider prior to making the request to determine the cost.

Tex. Health & Safety Code §181.102

Heightened Protection

• There are three primary categories of PHI which receive heightened protection from use and disclosure under federal and state law:
  – Psychotherapy notes/Mental health records
  – Drug and alcohol treatment records
  – HIV/AIDS test results

Psychotherapy/Mental Health

• HIPAA requires that a covered entity must obtain a patient’s written authorization before releasing “psychotherapy notes.”

• This term covers all notes recorded by a health care provider who is a mental health professional during a private counseling session or a group, joint, or family counseling session, and which are separated from the individual’s medical record.

Psychotherapy (cont.)

• The term “psychotherapy notes” does NOT include:
  – Medication prescription and monitoring,
  – Counseling session start and stop times,
  – Modalities and frequencies of treatment furnished,
  – Results of clinical tests, and
  – Any summary of the diagnosis, functional status, treatment plan, symptoms, prognosis or progress to date.

Mental Health (cont.)

• Texas law also provides heightened protection for “mental health records”. Generally, full access can only be obtained with a written authorization or by court order.

• The Texas definition of “mental health records” is broader than HIPAA’s definition, and includes communications between a patient and any medical doctor or individual licensed/certified to diagnose or treat mental or emotional conditions. HIPAA’s protections apply only to mental health providers.

Tex. Health & Safety Code §611.002

Drug/Alcohol Treatment Records

• HIPAA provides increased privacy protections for:
  – Identification of a patient as a drug or alcohol abuser, either directly, by reference to other publicly known information, or through verification of such an identification; and
  – Drug abuse information obtained by a federally assisted drug abuse program, or alcohol abuse information obtained by a federally assisted alcohol abuse program, for the purpose of treating drug or alcohol abuse, making such a diagnosis, or making a referral for that treatment.

• Release of such information will typically require either an authorization or a court order.

HIV/AIDS Test Results

• Texas has created a separate confidentiality provision relating to the release of PHI relating to test results for AIDS or HIV infection.

• Such information may be obtained with a written authorization of the patient, or in relation to a test ordered by the court as part of a criminal proceeding for certain sexual or assaultive offenses.

Tex. Health & Safety Code §81.103

HIPAA Enforcement

Violation | Penalty
Violation in which the person did not know (or, exercising reasonable diligence, would not have known) that they were in violation | $100 to $50,000 for each violation, up to $1.5 million per year
Violation due to reasonable cause and not to willful neglect | $1,000 to $50,000 for each violation, up to $1.5 million per year
Violation due to willful neglect, but corrected within the 30-day cure period | $10,000 to $50,000 for each violation, up to $1.5 million per year
Violation due to willful neglect and not corrected within the 30-day cure period | At least $50,000 for each violation, up to $1.5 million per year

45 CFR §160.404(b)

Penalties Under TX House Bill 300

• Civil Penalties:
  – $5,000 for each violation that occurs within one (1) year regardless of length, committed negligently.
  – $25,000 for each violation over one (1) year, committed knowingly and intentionally.
  – $250,000 for each violation in which a Covered Entity used PHI for financial gain.

TX HB 300 Penalties (cont.)

• Maximum fine is $250,000 annually if disclosure was made to another Covered Entity for an authorized purpose and the court finds that the PHI was encrypted, the recipient did not use or disclose the PHI, or security policies were put in place prior to disclosure by the Covered Entity.

Tex. Health & Safety Code §181.201

TX HB 300 Penalties (cont.)

• If the court finds a pattern or practice, the maximum penalty increases to $1.5 million.

• The court will consider the seriousness of the violation; the covered entity’s compliance history; significant risk of harm; whether the covered entity was certified; the amount necessary to deter future violations; and efforts to correct the violation.

Tex. Health & Safety Code §181.201

Penalties for HIPAA Violations

Type of Entity | Amount | Individuals Affected | State | Year (key facts listed below each entry)

Health System | $2,400,000 | 1 | TX | May 2017
  • Patient used fraudulent ID card at one of System’s clinics
  • Clinic alerted law enforcement consistent with HIPAA
  • System published press release containing patient’s name

Wireless Health Services Provider (remote cardiac monitoring) | $2,500,000 | 1,391 | PA | April 2017
  • Theft of unencrypted laptop from workforce member’s car
  • Insufficient risk analysis and risk management process
  • Policies and procedures in draft form, not implemented
  • Lack of mobile device policy

Children’s Digestive Health Center | $31,000 | 10,000+ | IL | April 2017
  • Failure to enter into Business Associate Agreement

FQHC | $400,000 | 3,200 | CO | April 2017
  • Phishing incident
  • Lack of a security management process
  • Failure to conduct risk analysis until after breach, and then conducting insufficient risk analyses
  • Failure to implement risk management plan

Health System | $5,500,000 | 80,000 | FL | Feb 2017
  • Misappropriation of login credentials of former employee
  • Failure to implement user access rights procedures
  • Failure to review information system activity
  • Disregarding identified risks over period of several years

Children’s Hospital | $3,200,000 | 6,000+ | TX | Feb 2017
  • Loss of unencrypted, non password-protected BlackBerry and theft of unencrypted laptop
  • Failure to implement risk management plans, despite external recommendations
  • Failure to deploy encryption or equivalent alternative

Life Insurance Company | $2,200,000 | 2,209 | Puerto Rico | Jan 2017
  • Theft of unencrypted thumb drive from IT Department
  • Lack of physical safeguards
  • Failure to deploy encryption or equivalent alternative
  • Failure to conduct risk analysis
  • Delay in implementing corrective measures promised to OCR

Health System | $475,000 | 836 | IL | Jan 2017
  • Failure to timely notify of breaches
  • Several late notifications over the course of 2 years

University Health Service | $650,000 | 1,670 | MA | Nov 2016
  • Failure to designate all health care components of its hybrid entity
  • Failure to implement technical security measures
  • Failure to conduct accurate and thorough risk analysis

Health System | $2,140,500 | 31,800 | CA | Oct 2016
  • ePHI publicly accessible via internet
  • Failure to evaluate security risks after implementing a new server for meaningful use
  • Risk analyses were conducted in patchwork fashion and did not result in enterprise-wide risk analysis

Health System | $400,000 | 14,000 | RI | Sept 2016
  • Improper delineation of hybrid entity status
  • Failure to enter into Business Associate Agreement between covered entity and parent corporation
  • Failure to update Business Associate Agreements

Health System | $5,500,000 | 4,000,000 | IL | Aug 2016
  • Theft of desktop computers and ePHI accessible on Business Associate’s network
  • Failure to perform risk analysis for all ePHI
  • Lack of facility access controls on data center
  • Lack of Business Associate Agreement
  • Failure to safeguard laptop

University Medical Center | $2,750,000 | 10,000 | MS | July 2016
  • Active Directory files accessible via wireless network
  • Failure to manage and remediate risks and vulnerabilities to ePHI
  • Failure to implement unique user access
  • Failure to implement workstation physical safeguards
  • Failure to notify all affected individuals

University Medical Center | $2,700,000 | 3,000 | OR | July 2016
  • Stolen unencrypted laptop
  • Risk analyses were not enterprise-wide
  • Failure to address identified risks and vulnerabilities
  • Lack of C-Suite involvement in HIPAA compliance

Business Associate | $650,000 | 412 | MN | June 2016
  • Theft of unencrypted iPhone
  • Lack of mobile device policy
  • No risk analysis or risk management plan

Please visit the Hall Render Blog at http://blogs.hallrender.com for more information on topics related to health care law.

Brandon Kulwicki | 214.615.2025 | [email protected]

Dallas | Denver | Detroit | Indianapolis | Louisville | Milwaukee | Philadelphia | Seattle | Washington, D.C.