Understanding HIPAA, HITECH, and Risks Associated with PHI/PI


Explore the implications of HIPAA and HITECH regulations, the risks linked to PHI/PI, and the consequences of data breaches, along with examples of HHS settlements and the increased enforcement authority by Attorneys General using HIPAA. Discover the importance of compliance, breach notification requirements, and the role of NoDataBreach.com in risk management.


Uploaded on Oct 09, 2024



Presentation Transcript


  1. Introduction to HIPAA, HITECH and Risks Associated With PHI and/or PI
     April 25, 2013
     William Ewy, CIPP/US, Privacy and Security Practice Manager, ePlace Solutions, Inc.
     Provider of NoDataBreach.com Risk Management Service

  2. NoDataBreach.com
     - Included with Cyber Insurance Policy
     - Cyber Risk Management Service
     - Online Materials
     - Webinars
     - Materials Distributed via Email
     - Phone and Email Support

  3. Threat and Costs of Data Breaches and ID Theft
     - Damage to individuals: ID theft, loss of privacy
     - Costs for organizations:
       - Forensic investigations to determine cause and extent
       - Fines, penalties and potential legal costs
       - Preparing and distributing breach notification letters; call center to answer victim questions
       - Credit monitoring for victims
       - Damage to reputation/loss of customer confidence

  4. Example HHS Settlements
     - Phoenix Cardiac Surgery (5-physician practice)
       - Reported to OCR for posting clinical and surgical appointments on an Internet-based calendar
       - OCR found PCS had few policies and procedures to comply with the HIPAA Privacy and Security Rules
       - Fined $100,000; required to implement a follow-up plan
     - Hospice of North Idaho
       - OCR investigation began after HONI reported theft of an unencrypted laptop
       - 1st settlement involving fewer than 500 individuals
       - Fined $50,000

  5. From HHS Wall of Shame
     http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/postedbreaches.html

  6. Attorneys General Beginning to Use HIPAA Enforcement Authority
     - Accretive Health, Inc. sued by Minnesota AG
     - South Shore Hospital sued by Massachusetts AG

  7. Agenda
     - HIPAA in the Past and as We Know It Today
     - What's Changing and When
     - Business Associates/Business Associate Agreements
     - Data Breach Notification Requirements
     - Notice of Privacy Practices
     - Enforcement
     - What to Do Now
     - Overview/Demo of NoDataBreach.com

  8. Disclaimer
     William Ewy is not providing legal advice during today's presentation. Mr. Ewy and ePlace Solutions provide certain risk management services known as NoDataBreach to Beazley's Breach Response insurance policyholders and do not provide legal advice. If you have legal questions, you should obtain legal advice from qualified legal counsel.

  9. What is HIPAA and HITECH?
     - The Health Insurance Portability and Accountability Act (HIPAA) of 1996
       - The Privacy Rule applies to Protected Health Information (PHI) in any form (e.g. electronic, paper, oral, etc.)
       - The Security Rule applies to PHI in electronic form and requires specific Administrative, Physical and Technical safeguards
     - The Health Information Technology for Economic and Clinical Health Act (HITECH) made several amendments to HIPAA

  10. Organizations Subject to HIPAA
     - Covered Entities (CEs)
       - Health plans (health insurance plans)
       - Healthcare clearinghouses, e.g. a billing service (converting non-standard to standard format, or vice versa)
       - Healthcare providers that conduct standard electronic transactions covered by HIPAA (listed on next page)
     - Business Associates (BAs): now a person who creates, receives, maintains, or transmits PHI on behalf of a CE

  11. Electronic Transactions Covered by HIPAA
     - Healthcare claims or encounter information
     - Healthcare payment and remittance advice
     - Coordination of benefits
     - Healthcare claims status
     - Enrollment or disenrollment in a health plan
     - Eligibility for a health plan
     - Health plan premium payments
     - Referral certification and authorization
     - First report of injury
     - Health claims attachments
     - Any other transaction prescribed by the Secretary of HHS

  12. Examples of Covered Entities
     - Health Care Providers: Doctors, Clinics, Psychologists, Dentists, Chiropractors, Nursing Homes, Pharmacies
     - Health Plans: Health insurance companies, HMOs, Company health plans, Government programs that pay for health care, such as Medicare, Medicaid, and the military and veterans health care programs

  13. Today's HIPAA Landscape
     HITECH/ARRA, since 2009, included:
     - Breach notification
     - Business associate liability
     - Enforcement penalties
     - Attorneys General authority to enforce

  14. Today's HIPAA Landscape
     - Interim Rules ("interim" = effective but subject to change via final rule), 2009
       - Breach notification
       - Enforcement penalties
     - Proposed Rule (not effective until final rule), July 2010
       - HITECH implementation, including BA and BAA agreement modifications

  15. Changing HIPAA Landscape: New HIPAA/HITECH Regulations
     Omnibus HIPAA Final Rule, published Jan 25, 2013. Topics addressed include:
     - Breach notification
     - Business associate liability
     - Business associate agreements
     - Enforcement
     - Many other HIPAA compliance issues, including permissibility of using/disclosing PHI for marketing and fundraising communications, the individual's right of access to electronic PHI, and other issues

  16. New HIPAA/HITECH Regulations
     - Effective date: Mar 26, 2013 (except as otherwise provided)
     - Compliance date: Sep 23, 2013

  17. New HIPAA/HITECH Regulations: Business Associates
     - HITECH made BAs subject to the Security Rule and certain Privacy Rule provisions
     - New regs implement HITECH requirements
     - BA definition amended to add Patient Safety Organizations, Health Information Organizations/data transmission entities, Vendors who provide Personal Health Records on behalf of covered entities, and Subcontractors

  18. Business Associates: Subcontractors
     - Subcontractors to BAs are subject to HIPAA
     - An agreement is required between BA and subcontractor that contains all required BAA provisions
     - No matter how far down the chain the information flows

  19. Business Associate Liability
     - Business Associates and their subcontractors are now directly liable for violations of the Security Rule and for uses and disclosures of PHI in violation of the Privacy Rule
     - Business Associates must:
       - Keep and disclose records as required by HHS; cooperate with HIPAA compliance investigations
       - Disclose PHI as needed by a CE to fulfill its requirement to provide an electronic copy of PHI
       - Notify the CE of a breach of unsecured PHI
       - Adhere to minimum necessary uses and disclosures of PHI
       - Provide an accounting of disclosures
       - Enter into agreements with subcontractors that comply with the Privacy and Security Rules

  20. Business Associate Agreements
     - New required provisions (additive); a Business Associate Agreement must:
       - Require BA to comply with the Security Rule
       - Require BA to report breaches to the CE
       - If an activity is delegated, require BA to comply with the Privacy Rule
       - If BA subcontracts, require BA to have a contract with the subcontractor that complies with BAA provisions
     - Transition provisions: existing BAAs may continue to operate for a one-year period after the compliance date, provided that
       - the existing BAA currently complies with all BAA requirements, and
       - the existing BAA does not renew prior to the compliance date

  21. BAA Transition Period Detail
     (e) Implementation specification: Deemed compliance.
     (1) Qualification. Notwithstanding other sections of this part, a covered entity, or business associate with respect to a subcontractor, is deemed to be in compliance with the documentation and contract requirements of 164.308(b), 164.314(a), 164.502(e), and 164.504(e), with respect to a particular business associate relationship, for the time period set forth in paragraph (e)(2) of this section, if:
     (i) Prior to January 25, 2013, such covered entity, or business associate with respect to a subcontractor, has entered into and is operating pursuant to a written contract or other written arrangement with the business associate that complies with the applicable provisions of 164.314(a) or 164.504(e) that were in effect on such date; and
     (ii) The contract or other arrangement is not renewed or modified from March 26, 2013, until September 23, 2013.
     (2) Limited deemed compliance period. A prior contract or other arrangement that meets the qualification requirements in paragraph (e) of this section shall be deemed compliant until the earlier of:
     (i) The date such contract or other arrangement is renewed or modified on or after September 23, 2013; or
     (ii) September 22, 2014.

  22. Business Associates: What to Do Now
     - Inventory Business Associate Agreements for current compliance
     - Create template (1) amendments for existing BAs and (2) BA agreement going forward
     - Determine which BAAs must be amended/replaced prior to 9/23/2012
     - Map out amendment/replacement strategy
     - Communicate with Business Associates; set expectations for:
       - BAA amendment/replacement process
       - Subcontractor identification and BA action plan
     - Set a realistic timeline

  23. New HIPAA/HITECH Regulations: Breach Notification
     Unchanged requirements, including:
     - Notification if breach of unsecured PHI/EPHI
     - Notice to affected individuals within 60 days of discovery
     - Notice content requirements
     - Notice to OCR immediately if the breach affects 500 or more individuals, and annually if fewer than 500
     - Notice to the media if 500 or more affected

  24. Current Definition of Breach
     - HITECH defined breach: acquisition, access, use or disclosure of PHI in a manner not permitted by the Privacy Rule which compromises the security or privacy of the PHI
     - Interim final rule defined compromise: poses a significant risk of financial, reputational or other harm
     - CEs and BAs have been applying this standard in performing analyses

  25. New HIPAA/HITECH Regulations: Presumption/New Compromise Standard
     - An acquisition, access, use or disclosure of PHI in a manner not permitted is presumed to be a breach
     - Unless the CE or BA can demonstrate (via documentation) that there is a low probability that the PHI has been compromised

  26. New HIPAA/HITECH Regulations: Probability of Compromise
     Factors that must be weighed in assessing probability of compromise:
     (1) The nature and extent of the PHI involved
     (2) The unauthorized person who used the PHI or to whom the disclosure was made
     (3) Whether the PHI was actually acquired or viewed, and
     (4) Whether the risk to the PHI has been mitigated

  27. Data Breach Changes: What to Do Now
     - Update incident response plan
     - Revise breach analysis template
     - Update policies and procedures*
     - Train workforce on new requirements*
     *Factor in other new HIPAA requirements

  28. Notice of Privacy Practices
     The Final Rule requires several new provisions:
     - NPPs must state that the following require an individual's prior authorization: (1) most uses and disclosures of psychotherapy notes (if the CE maintains psychotherapy notes); (2) uses and disclosures of PHI for marketing purposes; and (3) disclosures of PHI that constitute a sale
     - If a CE contacts individuals for fundraising purposes, its NPP must notify individuals that they have a right to opt out of such communications
     - NPPs must inform individuals of their right to restrict certain disclosures of PHI to health plans when the individual has paid in full
     - NPPs must tell individuals of their right to receive a notification if there is a breach of their unsecured PHI
     - For health plans, assurances that the plan will not use or disclose genetic information for underwriting purposes

  29. Enforcement Provisions Adopted and Clarified
     Regulations adopt the HITECH increased penalty structure:
     - Did not know: $100-$50,000 per violation
     - Reasonable cause: $1,000-$50,000 per violation
     - Willful neglect* if corrected: $10,000-$50,000 per violation
     - Willful neglect if uncorrected: $50,000 per violation
     - $1,500,000 maximum for all violations of an identical provision per year
     *Conscious, intentional failure or reckless indifference to a compliance obligation

  30. Enforcement Provisions: New Clarifications
     - Factors the government must now consider when determining penalties:
       - Nature and extent of violation, now includes number of affected individuals
       - Nature and extent of harm resulting, now includes reputational harm
       - History of compliance, now includes indications of non-compliance (vs. formal findings of violations)
       - Financial condition of the organization
     - If willful neglect, HHS:
       - Is required to investigate
       - Must conduct a compliance review
       - May (but probably won't) resolve informally

  31. NoDataBreach.com Overview of Services

  32. The Service
     - Focus: providing updated, timely, relevant information to help organizations prevent data breaches
       - US Federal and State Laws and Regulations
       - Practical guidance
     - The information can be accessed/used as you see fit, for non-commercial purposes, within your insured organization

  33. Scope of Services (1)
     - Step-by-Step Procedures to Lower Risk
       - Understand the scope of personal information ("PI")
       - Determine where PI is stored
       - Collect/retain the minimum amount of PI required for business needs
       - Destroy PI when no longer needed
       - Risk assessment guidance
       - Develop and implement an Incident Response Plan
     - On-line Compliance Materials
       - Federal and state compliance materials
       - Summaries of federal and state laws
       - Sample policies & procedures
       - Continuing updates and electronic notification of significant changes

  34. Scope of Services (2)
     - Periodic Newsletter & Privacy Posts
       - Sent by email
       - Significant changes in federal and state laws/regulations
       - Breach and data security news
       - Privacy Alerts for events requiring immediate attention
       - Data Security Tips
     - Phone/E-mail Support
       - Consultants & attorneys answer questions, including:
         - Health care & HIPAA compliance issues
         - Data breach prevention issues
         - Data Security best practices
         - Computer forensic issues

  35. Scope of Services (3)
     - Training Modules
       - On-line training material
       - Specific, to-the-point
       - Awareness bulletins & posters
       - Webinars for privacy compliance and IT staff
     - Handling Data Breaches
       - Guidance provided to respond to a data breach

  36. Policyholder Feedback
     "With your outreach this week, I'm truly appreciating the value of our membership with No Data Breach. I don't feel like I'm going it alone and will be surfing your website more frequently!"

  37. Site Walkthrough

  38. In Summary, the Service Provides
     - Unlimited non-commercial access to information to help prevent data breaches
     - Updates via email: Newsletters, Privacy Posts
     - Webinars
     - Phone/E-mail support (questions)
     - Online resources

  39. Questions?
