HIPAA/HITECH Compliance - Direct Marketing Services

CONFIDENTIALITY NOTICE: This document contains confidential information intended solely for the recipient(s) named herein. The information set forth in this document may not be reproduced or disclosed by the recipient(s) without the prior written consent of the author.

HIPAA/HITECH Compliance

Presented by: Victor Hair, Certified HIPAA Professional (CHP)

2015

What is HIPAA?

HIPAA/HITECH COMPLIANCE

The Health Insurance Portability and Accountability Act of 1996 is a federal regulation establishing national standards for the protection of healthcare information while it is used and transferred by all organizations.

Administrative Simplification - Title II, Subtitle F, of HIPAA, which authorizes HHS to: (1) adopt standards for transactions and code sets that are used to exchange health data; (2) adopt standard identifiers for health plans, healthcare providers, employers, and individuals for use on standard transactions; and (3) adopt standards to protect the security and privacy of personally identifiable health information.

Terms

Business Associate – A person or company who performs or assists in the performance of a function or activity on behalf of a covered entity (healthcare provider) involving the use or disclosure of protected health information (PHI).

Common Rule – Under HIPAA, it outlines the necessity of obtaining informed consent from patients.

Chain of Trust Agreement – Referred to in HIPAA rules, this is a contract needed to extend the responsibility to protect healthcare data across a series of sub-contractual relationships.

Covered Entities – Health plans, healthcare clearinghouses, and healthcare providers who must comply with HIPAA regulations and standards because they transmit health information in electronic form in connection with HIPAA-covered transactions.

Deidentified Information – Patient identifiable information with all of the identifying details removed so that it can no longer be linked to any specific person.

Terms (cont.)

Disclosing PHI – Transmitting Protected Health Information (PHI) outside the covered entity. Some disclosures are allowed by the Privacy Act, some are disallowed.

PHI – Protected Health Information.

PII – Patient Identifiable Information such as name, address, phone number, social security number, etc., which can isolate exactly which individual has received or been billed for healthcare treatment.

Routine Disclosure – Using Protected Health Information (PHI) for the acceptable purposes outlined in the Privacy Rule.

Privacy Rule – Healthcare legislation to set national standards for the protection of certain patient information.

Security Rule – Healthcare legislation to set national standards for the security of electronic healthcare information.

HITECH Act Regulations for Business Associates

The HITECH Act passed in 2009 and went into effect in 2010, making changes to the original HIPAA Act passed in 1996.

BAs are directly subject to HIPAA regulations and to fines and penalties for violations.

BAs are directly subject to security breach notification requirements.

BAs are prohibited from selling PHI (or ePHI) and from accepting payment from outside companies for communications using PHI.

What HIPAA Regulations Require From BAs

Adopting clear privacy procedures for its business operations.

Training employees so that they understand the privacy procedures.

Designating an individual to be responsible for seeing that the privacy procedures are adopted and followed.

Securing patient information containing individually identifiable health information so that it is not readily available to those who do not need it.

Business Associate Agreement

HIPAA requires that the covered entity have “satisfactory assurances” that the business associate will appropriately safeguard the PHI it receives from the covered entity.

“Satisfactory assurances” means that there is a written contract between the covered entity and the business associate which contains specific provisions identified in HIPAA.

Checklist for Business Associate Agreement:

Specify permitted uses and disclosures of PHI by Business Associate
No disclosure of PHI that would violate HIPAA
No disclosure of PHI other than as allowed for by the BAA
Safeguards for PHI
Report any unauthorized disclosure of PHI
Provide an accounting of disclosures
Agents and subcontractors of Business Associate agree to same provisions
Return or destroy PHI at end of contract
Authorize Covered Entity to terminate contract with BAA for material breach

What ensures that BA is HIPAA compliant:

Appoint a Privacy/Security Officer to implement policies and monitor compliance.

Develop privacy policies and procedures for permitted uses and disclosures of protected health information.

Reorganize your company’s structure to eliminate unnecessary uses or disclosures of protected health information.

Establish a policy to ensure that employees are only disclosing the minimum amount of protected health information necessary for each particular purpose.

What ensures that BA is HIPAA compliant: (cont.)

Develop a policy regarding oral disclosures of protected health information.

Develop a policy on when Authorizations are needed for disclosures by the company and draft an Authorization to be used for such disclosures.

Develop a complaint procedure and appoint a contact person to receive complaints.

Develop a training program and provide training to all employees that will handle or have access to protected health information.

Establish sanctions for violations of the Business Associate’s privacy practices.

Minimum Necessary Rule

A central aspect of the Privacy Rule is the principle of “minimum necessary” use and disclosure. A covered entity must make reasonable efforts to use, disclose, and request only the minimum amount of protected health information needed to accomplish the intended purpose of the use, disclosure, or request.*

*The HIPAA Academy Quick Reference Card

HITECH notification requirements for each privacy or security breach

Patient notification is mandated in certain circumstances, without unreasonable delay and within 60 days.

Upon discovery of a breach of unsecured PHI under its control, a business associate is required to notify the covered entity, which then must notify the impacted individuals.

Notice of the breach must be provided to HHS and to prominent media outlets serving a particular area if more than 500 individuals in that area are impacted.

HHS website listing breaches affecting 500 or more individuals:
http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/postedbreaches.html

Sources of health data breaches in 2014

Of the 169 breaches of 500 or more records posted on the HHS Wall of Shame for 2014, Business Associates were involved in 36 of them. However, these breaches represented 7,163,530 records of the total of 9,042,851 breached, or 79%!

Theft was still the leading reason for all HITECH Act breaches, totaling 5.4 million of the 9 million records breached. Hacking only represented less than 250,000 of the breached records — but this trend has reversed in 2015 dramatically with hacking certain to be the largest cause of healthcare breaches in 2015!

Breaches by Location

# of Breaches   Location                           # of Individuals affected
32              Laptop                             2,821,984
41              Paper                              374,001
15              Desktop                            2,175,468
22              Other Portable Electronic Devices  2,233,616
59              Other                              1,437,782

Breaches by Reason

# of Breaches   Reason                # of Individuals affected
72              Theft                 5,409,197
16              Loss                  159,804
19              Hacking               242,139
9               Improper Disposal     91,549
36              Unauthorized Access   2,817,597
17              Other                 322,565
169             Total                 9,042,851

Top 10 breaches of health data for 2014

Organization                                                  # Individuals affected
Community Health Systems Professional Services Corporation    4,500,000
Xerox State Healthcare, LLC                                   2,000,000
Sutherland Healthcare Solutions, Inc.                         342,197
Touchstone Medical Imaging, LLC                               307,528
Indian Health Service                                         214,000
Walgreen Co.                                                  160,000
NRAD Medical Associates, P.C.                                 97,000
Visionworks, Inc.                                             73,994
St. Vincent Hospital and Health Care Center, Inc.             63,325
Onsite Health Diagnostics                                     60,582

Far more health breach victims in 2014

2014 was a landmark year, although unfortunately for the healthcare industry, for the wrong reasons. The year has seen some of the largest recorded HIPAA data breaches ever to affect the healthcare industry, exposing the protected health data of millions of patients and costing the healthcare industry as a whole many tens of millions in fines and levies.

The healthcare industry accounted for 42.3% of all data breaches recorded this year.

Healthcare providers have exposed the PHI of over 8 million in 322 recorded breaches.

2014’s biggest HIPAA data breaches were significantly larger than 2013’s.*

There were 169 total HIPAA-related data breaches in 2014 compared to 140 in 2013 that affected 500 or more people.

* According to the Identity Theft Resource Center Report for 2014

Far more health breach victims in 2014 (cont.)

The year had only just begun when the FBI released a stern warning to the healthcare industry that cybercriminals were likely to target the healthcare sector in the coming months, and that medical devices and hospital networks were under an elevated risk of a targeted attack. The FBI attributed the increased threat to the “mandatory transition from paper to electronic health records, lax cybersecurity standards, and a higher financial payout for medical records in the black market.”

Private healthcare providers were not the only healthcare entities to record major data breaches this year:

The Montana State Department of Public Health and Human Services was also targeted by cybercriminals, who stole the health data of 1.3 million individuals.

The Indian Health Service also suffered a major breach involving the exposure of 214,000 patient records.

Leading cause of PHI breaches in 2014

Loss and theft of laptop computers and mobile devices was a major problem throughout the year and has potentially exposed the data of many millions of Americans. Whether they were opportunistic thefts or targeted attacks for the data contained on the devices, all HIPAA breaches would have been avoided had the data on the devices been encrypted, as required by HIPAA Privacy and Security Rules.

Government response

The Department of Health and Human Services’ Office for Civil Rights is charged with policing HIPAA and it has been particularly active this year, investigating more incidents involving data breaches and issuing increased fines for data breaches resulting from lax security standards.

New York-Presbyterian Hospital and Columbia University were the hardest hit, receiving a joint $4.8 million fine for HIPAA violations, with the combined total being the highest ever settlement collected by the OCR.

Concentra Health Services was required to pay $1,725,220 in another major 2014 OCR HIPAA settlement.

Cost of PHI breaches continues to climb

The Ponemon Institute released data in 2014 on the true cost of data breaches, clearly showing the total cost to be far in excess of the fines issued by the Office for Civil Rights for non-compliance.

In its report, 2014 Cost of Data Breach Study: Global Analysis, data breaches were estimated to cost an average of $3.5 million, while the total annual cost to the healthcare industry as a whole was estimated at $5.6 billion, not including the cost to the reputations of the organizations that have failed to protect patient data.

Penalties

Civil monetary penalties: HITECH sets mandatory fines for HIPAA violations.

Category                                                            Monetary penalty per violation   Calendar year cap for identical violations
The covered entity did not know of the violation                    $100 - $50,000                   $1.5 million
Violation due to reasonable cause, not willful neglect              $1,000 - $50,000                 $1.5 million
Violation due to willful neglect, corrected within required time    $10,000 - $50,000                $1.5 million
Violation due to willful neglect, not corrected                     $50,000                          $1.5 million

Penalties and monetary settlements

Examples of penalties assessed by HHS in 2014:

Organization                                             Amount assessed
New York-Presbyterian Hospital and Columbia University   $4.8 million
Concentra Health Services                                $1,725,220
Parkview Health System                                   $800,000
QCA Health Plan                                          $250,000

Under HITECH, individuals are subject to civil monetary penalties

The Office of Civil Rights may pursue an investigation and impose civil monetary penalties against any individual for an alleged criminal violation of the Privacy and Security Rules even if the Justice Department does not prosecute the individual.

State Attorneys General are now authorized to bring civil actions in federal district court against individuals who violate HIPAA in order to enjoin further violations.

Penalties

Criminal Penalties:

A fine of up to $50,000 and up to one year in prison for a person who knowingly obtains or discloses individually identifiable health information in violation of HIPAA.

A fine of up to $100,000 and up to five years in prison if the wrongful conduct involves false pretenses.

A fine of up to $250,000 and up to ten years in prison if the wrongful conduct involves the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm.

The HIPAA Academy Quick Reference Card

Data breach costs continue to rise (costs other than penalties and lawsuits)

Average organizational cost increased to $3.5 million*
- 15% increase over the previous year

Total annual cost to the Healthcare Industry in 2014: $5.6 billion*

The recently announced hacking of Anthem Healthcare’s member records, exposing the private information of more than 80 million members, is expected to cost Anthem well in excess of $100 million. This incident represents a significant increase in the impact of healthcare breaches both from the total number of individuals impacted and the total cost of healthcare breaches.

*Source: Ponemon Institute - 2014 Cost of Data Breach Study: Global Analysis

What if State Laws Conflict?

Conflicts between this federal law and state laws are addressed in the HIPAA legislation. The general rule is that HIPAA supersedes (overrides) any contrary state law, except in the following circumstances:

The Secretary of HHS determines that the state laws are necessary for the technical purposes outlined in the statute.

State laws that the Secretary determines address controlled substances.

State laws regarding the privacy of individually identifiable health information that are contrary to and more stringent than the federal requirements.

When state laws and federal HIPAA laws conflict, the best practice is to follow the stricter of the two statutes.

The HIPAA Academy Quick Reference Card

Examples of state privacy laws more strict than HIPAA:

California: Requires reporting of any size breach to the state health department and notification to affected individuals within 5 business days of discovery.

Connecticut: The state Insurance Department requires reporting of any “information security incident” within 5 calendar days of discovery.

HIPAA requires notification without unreasonable delay, no later than 60 days after discovery, and reporting of breaches affecting 500 or more individuals to HHS, as well as local media outlets if 500 or more individuals reside in the same state.

The HIPAA Academy Quick Reference Card
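The notification timing rules on this slide and on the earlier HITECH breach notification slide (60-day outer limit, the 500-individual HHS and media threshold, the business associate's duty to notify the covered entity, California's 5 business days, Connecticut's 5 calendar days) combine with the "stricter of the two" rule from the state-law slide into a small deadline calculator. The code below is an added example for this page, not material from the presentation or from HHS; the function names, the STATE_RULES table and the sample scenario are the example's own. It assumes business days skip weekends only (public holidays are not modelled), that the 60-day limit also bounds the HHS and media notices, and that a business associate's "upon discovery" notice is due on the discovery date.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Optional

HIPAA_OUTER_LIMIT_DAYS = 60   # no later than 60 days after discovery
HHS_MEDIA_THRESHOLD = 500     # HHS report and media notice at 500 or more individuals

# State rules as stated on the slides (constructed table, example's own).
# "business" days skip weekends only (assumption: holidays not modelled).
# "individuals" marks whether the state clock also governs notice to the
# affected individuals: California's rule does, Connecticut's covers only the
# report to the Insurance Department.
STATE_RULES = {
    "CA": {"authority": "California state health department",
           "days": 5, "kind": "business", "individuals": True},
    "CT": {"authority": "Connecticut Insurance Department",
           "days": 5, "kind": "calendar", "individuals": False},
}


@dataclass(frozen=True)
class Obligation:
    recipient: str
    deadline: date
    basis: str


def add_business_days(start: date, n: int) -> date:
    """Advance n business days from start, skipping Saturdays and Sundays."""
    current = start
    while n > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:      # Monday=0 ... Friday=4
            n -= 1
    return current


def state_deadline(discovered: date, rule: dict) -> date:
    if rule["kind"] == "business":
        return add_business_days(discovered, rule["days"])
    return discovered + timedelta(days=rule["days"])


def notification_obligations(discovered: date, affected: int,
                             state: Optional[str] = None,
                             affected_in_state: int = 0,
                             business_associate: bool = False) -> Dict[str, Obligation]:
    """Every party that must be notified, each with the stricter of the
    federal and state deadlines that apply to it."""
    federal = discovered + timedelta(days=HIPAA_OUTER_LIMIT_DAYS)
    out: Dict[str, Obligation] = {}

    if business_associate:
        # A BA notifies the covered entity upon discovery; the slides give no
        # separate day count, so the discovery date itself is used (assumption).
        out["covered entity"] = Obligation(
            "covered entity", discovered,
            "HITECH: business associate notifies covered entity upon discovery")

    individuals = Obligation(
        "affected individuals", federal,
        "HIPAA: without unreasonable delay, no later than 60 days after discovery")
    rule = STATE_RULES.get(state or "")
    if rule:
        due = state_deadline(discovered, rule)
        basis = f"{state} law: {rule['days']} {rule['kind']} days, any size breach"
        out[rule["authority"]] = Obligation(rule["authority"], due, basis)
        # stricter-of-the-two: the earlier deadline wins for the individuals
        if rule["individuals"] and due < individuals.deadline:
            individuals = Obligation("affected individuals", due, basis)
    out["affected individuals"] = individuals

    if affected >= HHS_MEDIA_THRESHOLD:
        out["HHS"] = Obligation("HHS", federal, "HIPAA: 500 or more individuals affected")
    if affected_in_state >= HHS_MEDIA_THRESHOLD:
        out["prominent media outlets"] = Obligation(
            "prominent media outlets", federal,
            "HIPAA: 500 or more individuals reside in the same state")
    return out


def deadlines(discovered_iso: str, affected: int, state: Optional[str] = None,
              affected_in_state: int = 0, business_associate: bool = False) -> Dict[str, str]:
    """Convenience wrapper: ISO discovery date in, recipient -> ISO deadline out."""
    obs = notification_obligations(date.fromisoformat(discovered_iso), affected,
                                   state, affected_in_state, business_associate)
    return {name: ob.deadline.isoformat() for name, ob in obs.items()}


if __name__ == "__main__":
    # Constructed scenario: 1,200 individuals, 700 of them in California,
    # discovered on Monday 2015-01-05 by a business associate.
    for name, ob in notification_obligations(date(2015, 1, 5), 1200, "CA", 700, True).items():
        print(f"{ob.deadline}  {name:34s} {ob.basis}")
```

The point of the structure is that each recipient carries its own clock: the California scenario pulls the individual notice forward from the 60-day federal limit to five business days, while the HHS and media notices keep the federal date, which is exactly the stricter-of-the-two outcome the slides describe.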

HITECH Security Rule applies to Covered Entities and Business Associates

The HITECH Act obligates business associates to comply with all of the security requirements that only covered entities were previously required to follow.

Civil and criminal penalties for violating those standards now apply directly to business associates as well as covered entities.

Physical Security

Maintain locks and restricted access to areas.
Implement the use of shredders and/or locked recycling containers.
Secure locations and placement of individual records.

Electronic Security

Update computers with passwords, automatic logouts, virus protection, and encryption mechanisms.
Minimize exposure of computer screens that display protected health information by placing privacy screens on computer monitors.
Prevent unnecessary copying or faxing of health information and releasing of such information.

Mitigation, Complaints and Retaliation

Mitigation – A covered entity must mitigate, to the extent practicable, any harmful effect it learns was caused by use or disclosure of protected health information by its workforce or its business associates in violation of its privacy policies and procedures or the Privacy Rule.

Complaints – Consumers have up to 180 days to file a complaint from the time they are aware of the violation or perceived violation. A covered entity must have procedures for individuals to complain about its compliance with its privacy policies and procedures and the Privacy Rule.

Retaliation – A covered entity may not retaliate against a person for exercising rights provided by the Privacy Rule, for assisting in an investigation by HHS or another appropriate authority, or for opposing an act or practice that the person believes in good faith violates the Privacy Rule.

Documentation and Record Retention

A covered entity must maintain, until six years after the later of the date of their creation or last effective date, its privacy policies and procedures, its privacy practices notices, disposition of complaints, and other actions, activities, and designations that the Privacy Rule requires be documented.

HITECH Accounting of electronic disclosures

Individuals have the right to request an accounting of all disclosures of their electronic PHI, including disclosures made for treatment, payment and healthcare operations (TPO), in the previous three years.

For each electronic health record, access logs must include:

the name and address of the person accessing the records
a brief description of the type of health information disclosed
the date and time of the access
changes to the record, including modifications

Effective dates for compliance:

For records acquired before 1/1/2009, record TPO disclosures made on or after January 1, 2014. For records acquired after 1/1/2009, record TPO disclosures made on or after January 1, 2011.
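A disclosure log that can actually answer an accounting request needs the four fields the slide lists on every entry, a three-year lookback, and the two TPO effective dates keyed on when the record was acquired. The code below is an added example written for this page; it is not the presentation's material and not an HHS reference implementation. The DisclosureEntry fields, the function names and the sample log entries are constructed for illustration, and it assumes that a record acquired exactly on 1/1/2009 falls under the "after" rule and that non-TPO disclosures are subject only to the three-year window.

```python
from dataclasses import dataclass
from datetime import date, datetime
from typing import Dict, List

TPO_PURPOSES = {"treatment", "payment", "healthcare operations"}
RECORD_SPLIT_DATE = date(2009, 1, 1)
TPO_EFFECTIVE_OLD = date(2014, 1, 1)   # records acquired before 1/1/2009
TPO_EFFECTIVE_NEW = date(2011, 1, 1)   # records acquired after 1/1/2009
ACCOUNTING_WINDOW_YEARS = 3

REQUIRED_TEXT_FIELDS = ("patient_id", "accessor_name", "accessor_address",
                        "info_description", "purpose")


@dataclass(frozen=True)
class DisclosureEntry:
    """One access-log record carrying the fields the slide requires."""
    patient_id: str
    accessor_name: str        # name of the person accessing the record
    accessor_address: str     # address of that person
    info_description: str     # brief description of the type of health information
    accessed_at: datetime     # date and time of the access
    purpose: str              # e.g. "treatment", "payment", "legal request"
    changes: str = ""         # modifications made to the record; empty for read-only access

    def __post_init__(self) -> None:
        # Refuse entries that would leave the accounting incomplete.
        for name in REQUIRED_TEXT_FIELDS:
            if not getattr(self, name).strip():
                raise ValueError(f"access log entry missing required field: {name}")


def tpo_effective_date(record_acquired: date) -> date:
    """Date from which TPO disclosures must be recorded for this record
    (assumption: a record acquired exactly on 1/1/2009 counts as 'after')."""
    return TPO_EFFECTIVE_OLD if record_acquired < RECORD_SPLIT_DATE else TPO_EFFECTIVE_NEW


def years_before(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year - years)
    except ValueError:            # 29 February in a non-leap target year
        return d.replace(year=d.year - years, day=28)


def accounting_of_disclosures(log: List[DisclosureEntry], patient_id: str,
                              record_acquired: date, as_of: date) -> List[DisclosureEntry]:
    """Disclosures of one patient's ePHI in the previous three years, with TPO
    disclosures limited to those on or after the record's effective date."""
    window_start = years_before(as_of, ACCOUNTING_WINDOW_YEARS)
    tpo_from = tpo_effective_date(record_acquired)
    selected = []
    for e in log:
        if e.patient_id != patient_id:
            continue
        day = e.accessed_at.date()
        if not (window_start <= day <= as_of):
            continue
        if e.purpose in TPO_PURPOSES and day < tpo_from:
            continue
        selected.append(e)
    return sorted(selected, key=lambda e: e.accessed_at)


def sample_log() -> List[DisclosureEntry]:
    """Constructed sample entries (not real patients or organisations)."""
    return [
        DisclosureEntry("P-1001", "Dr. A. Example", "1 Clinic Way, Springfield",
                        "lab results", datetime(2013, 3, 4, 9, 15), "treatment"),
        DisclosureEntry("P-1001", "Billing Dept, Example Payer", "2 Plan Plaza, Springfield",
                        "claim summary", datetime(2014, 2, 11, 14, 0), "payment"),
        DisclosureEntry("P-1001", "Court Clerk", "3 Court St, Springfield",
                        "discharge summary", datetime(2012, 1, 15, 11, 30), "legal request"),
        DisclosureEntry("P-1001", "Dr. A. Example", "1 Clinic Way, Springfield",
                        "allergy list", datetime(2015, 4, 20, 8, 5), "treatment",
                        changes="added penicillin allergy"),
        DisclosureEntry("P-2002", "Dr. B. Example", "4 Ward Rd, Springfield",
                        "medication list", datetime(2015, 5, 2, 16, 45), "treatment"),
    ]


def sample_accounting() -> List[Dict[str, str]]:
    """Accounting for P-1001 (record acquired 2006-05-10) requested on 2015-06-01."""
    entries = accounting_of_disclosures(sample_log(), "P-1001",
                                        date(2006, 5, 10), date(2015, 6, 1))
    return [{"accessed_at": e.accessed_at.isoformat(), "purpose": e.purpose,
             "changes": e.changes} for e in entries]


def tpo_effective_date_for(acquired_iso: str) -> str:
    return tpo_effective_date(date.fromisoformat(acquired_iso)).isoformat()


def rejects_incomplete_entry() -> bool:
    """An entry without the accessor's address must be refused."""
    try:
        DisclosureEntry("P-1001", "Dr. A. Example", "", "lab results",
                        datetime(2015, 1, 1, 0, 0), "treatment")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for row in sample_accounting():
        print(row)
```

In the sample, the 2013 treatment disclosure falls inside the three-year window but before the 2014 effective date for a pre-2009 record, so it is correctly left out, while the 2012 legal disclosure is excluded by the window alone; validating required fields at write time is what keeps a later accounting request answerable.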

HITECH Marketing Restrictions

Marketing communication based on or containing PHI is not allowed if it involves direct or indirect payment to the covered entity (or business associate) for making the communication.

OCR HIPAA compliance audits

The HITECH law requires the Office for Civil Rights (OCR) to conduct audits of organizations subject to HIPAA regulations.

Organizations to be audited will receive a notification with a request for documentation of the organization’s HIPAA policies and procedures, latest risk assessment, security incident response plan, breach notification plan and employee training plan.

Auditors will also conduct site visits.

Fines and/or penalties may be imposed depending on the results of the audits.

Thank you!