HIPAA/ HITECH: Relief for the Newest Regulatory Headache - PowerPoint PPT Presentation

Presenters: Kippy L. Wroten, Founding Shareholder, Wroten & Associates; Darryl A. Ross, Shareholder, Wroten & Associates
Provided by: NicoleCh. Slides: 67

Transcript and Presenter's Notes

1
HIPAA/ HITECH Relief for the Newest Regulatory
Headache
  • Kippy L. Wroten, Founding Shareholder, Wroten &
    Associates
  • Darryl A. Ross, Shareholder, Wroten & Associates

2
Scope of the Omnibus Rule
  • Research uses of data: compound, more general
    authorizations.
  • Patients' right to restrict data sharing with
    payors.
  • Requirements to modify and redistribute notices
    of privacy practices.
  • Inclusion of limitations on use of genetic
    information for underwriting.
  • Clarifies the HHS Secretary's role in enforcement,
    imposition of civil money penalties (CMPs) and
    CMP liability for acts of agents.

3
What's Not in the Omnibus Rule
  • Accounting of Disclosures still in process.
  • Methodology for giving individuals harmed by
    HIPAA violations a percentage of any civil
    monetary penalties or settlements collected.
  • Guidance for implementation of minimum necessary
    standard.
  • HITECH also mandated a study of the definition of
    psychotherapy notes; there is no specific deadline
    for the study.

4
HIPAA - Privacy vs. Security
  • HIPAA Privacy Rule
  • The need to protect medical records and other
    health information in any form (electronic,
    paper, or out of our mouths) from being shared,
    viewed, distributed, etc.
  • HIPAA Security Rule
  • The need to develop and maintain security of all
    electronic health information, including storage
    and transmission.

5
Privacy Rule
6
Security Rule
7
Health Information Technology for Economic and
Clinical Health Act (2009) Expands Protection
8
How Do HIPAA & HITECH Apply to Me?
  • Covered Entities
  • Hybrid Entities
  • Business Associates (Vendors)

9
Protected Health Information
  • What is it?
  • Identifies the individual
  • Transmitted or maintained by a CE or BA
  • Relates to individual's physical or mental health
    or payment for health care
  • Demographic information

10
PHI
Did You Know?
  • Vehicle ID serial numbers, license plate
    numbers
  • Device ID serial numbers
  • Universal Resource Locators (URLs)
  • Internet Protocol (IP) addresses
  • Biometric identifiers, including finger and voice
    prints
  • Full face photographic images and any comparable
    images
  • Any other unique identifying number,
    characteristic, or code
Common
  • Names
  • SSN
  • Medical record numbers
  • Account numbers
  • Dates of treatment
Probably Aware
  • Telephone numbers
  • Fax numbers
  • Electronic mail addresses
  • Certificate/license numbers

11
(No Transcript)
12
Covered Entities
  • Health Plans
  • An individual or group plan that provides or
    pays the cost of medical care
  • Health care clearinghouses
  • A public or private entity, including a billing
    service, re-pricing company, community health
    management information system or community health
    information system, and value added networks
    and switches that either process or facilitate
    the processing of health information
  • Health care providers
  • Care, services, or supplies related to the
    health of an individual, including (1)
    preventive, diagnostic, therapeutic,
    rehabilitative, maintenance, or palliative care,
    and counseling, service, assessment, or procedure
    with respect to the physical or mental condition,
    or functional status, of an individual that
    affects the structure or function of the body
    and (2) sale or dispensing of a drug, device,
    equipment, or other item in accordance with a
    prescription.
  • who electronically transmit any health
    information

13
Hybrid Entities
  • A single legal entity that is a covered entity,
    performs business activities that include both
    covered and non-covered functions, and designates
    its health care components as provided in the
    Privacy Rule. If a covered entity is a hybrid
    entity, the Privacy Rule generally applies only
    to its designated health care components.
    However, non-health care components of a hybrid
    entity may be affected because the health care
    component is limited in how it can share PHI with
    the non-health care component. The covered entity
    also retains certain oversight, compliance, and
    enforcement responsibilities.

14
Who is a Business Associate?
  • Claims Processing
  • Data Analysis
  • Utilization Review
  • Billing
  • Legal (including litigation counsel)
  • Actuarial
  • Accounting
  • Consulting
  • Data Aggregation
  • Management
  • Administrative
  • Accreditation
  • Financial Services
  • E-Discovery Vendors
  • Copier Technicians (if your copier has memory)
  • Shredding Services
  • Computer Support Services
  • Records subpoenas/duplication services

15
Business Associates: HITECH Expands Privacy and
Security
  • Expanded definition of "business associate": a
    business associate is one who, on behalf of a
    Covered Entity, creates, receives, maintains or
    transmits PHI.
  • "Business associate" now also means a
    subcontractor of a business associate who
    creates, receives, maintains or transmits PHI on
    behalf of a business associate.
  • Status as a Business Associate is based upon role
    and responsibilities, not upon who the parties to
    the contract are.

16
Business Associate Definition Clarifications
  • The Rule clarifies the definition of "business
    associate" to include:
  • Patient Safety Organizations
  • Health information exchange organizations,
    e-prescribing gateways, covered entities'
    personal health record vendors (not all PHRs)
  • Data transmission providers that require access
    to PHI on a routine basis
  • Not included: those who merely provide
    transmission services, like digital couriers or
    mere conduits.
  • However, those who store PHI, even if they don't
    intend to actually view it, are BAs (implications
    for cloud-model EHRs).

17
Business Associates
18
Do They Know Who They Are?
  • Implications for subcontractor relationships
  • The contract between the covered entity's BA and
    that BA's subcontractor must satisfy the BAA
    requirements
  • A subcontractor of a subcontractor is also a BA,
    and so on
  • As a result, HIPAA/HITECH obligations that apply
    to BAs also directly apply to subcontractors

19
BAs' Uses of PHI
  • Uses of PHI
  • BAs may use or disclose PHI only as permitted by
    the BAA or required by law
  • BAs may not use or disclose PHI in a manner that
    would violate the Privacy Rule
  • Subcontractors are subject to the limits in the
    initial CE-BA agreement
  • Must pass these along in subcontracts
  • BAs are not making a permitted use or disclosure
    if they do not follow minimum necessary rules
  • A BA does not comply if it knows of a
    subcontractor's material noncompliance and does
    not take reasonable steps to cure the breach or,
    if such steps fail, to terminate the relationship
  • BAs (incl. subcontractors) are subject to civil
    money penalties for HIPAA violations
  • BAs/subs remain liable under contract to the CE/BA
  • The Secretary is authorized to receive and
    investigate complaints against BAs (including
    subcontractors), and to take action regarding
    complaints and noncompliance
  • BAs (incl. subs) are required to maintain records
    and submit compliance reports to the Secretary,
    cooperate in complaint investigations and
    compliance reviews, and give the Secretary access
    to information
  • BAA: generally, compliance is required 180 days
    following the Omnibus Rule's effective date
    (3/26/13), which is 9/23/13

20
Omnibus Rules Compliance
  • Omnibus Rules Compliance Date: September 23,
    2013

21
Compliance Plan - Step One
  • Have you established an executive/board-level
    responsibility for HIPAA compliance?
  • Have you designated yourself as (a) a hybrid
    entity, or (b) a single affiliated covered entity
    with other legally separate covered entities
    under common ownership or control?
  • Have you taken the necessary follow-up steps to
    document this?
  • Have you designated responsible persons for
    Privacy?  For Security?  Do you have job
    descriptions?
  • Have you distributed a Notice of Privacy
    Practices with the identification of the Privacy
    and Security Officers?
  • Have you posted information and trained staff?
  • Has the staff signed confidentiality agreements
    related to privacy and security?
  • Do you have Business Associate Agreements in
    place?

22
Compliance Plan - Step Two
  • Is HIPAA privacy and security included in new
    employee orientation?
  • Is your Governing Body/Board trained?
  • Are volunteers and clergy trained?
  • How do you facilitate privacy and security
    awareness?

23
Risk Assessment
  • Administrative Safeguards
  • Physical Safeguards
  • Technical Safeguards

24
Risk Assessment - PHI Flow Chart
25
Security Risk Assessment- Organizational
Requirements
  • Business Associates Identified
  • Policies & Procedures adopted
  • Documentation procedures adopted

26
Security Risk Assessment
  • Security Awareness and Training
  • Security Incident Procedures
  • Workstation Use
  • Device and Media Controls
  • Access Control
  • Integrity
  • Person/Entity Authentication
  • Transmission Security

27
Access Controls
  • Limit physical access to electronic information
    systems, including the facilities where data is
    housed. 164.310(a)(1).
  • Workstation Security: physical safeguards for
    all workstations that access ePHI. 164.310(c).
  • Must assure that authorized users have access.

28
Workstation Security Compliance Practices
  • Identify desktop/laptops containing ePHI
  • Lock down procedures.
  • Policies to prevent unencrypted ePHI from being
    stored on portable electronic devices and
    laptops.
  • Encryption practices.

29
Device Controls and Re-Use
164.310(d)(2)(ii) - Re-Use
164.310(d)(1) - Controls
  • PPs governing removal of ePHI before device
    re-used.
  • PPs to assure ePHI is unusable and/or
    inaccessible prior to re-using device.
  • All storage devices or all ePHI records must be
    overwritten multiple times, in accordance with
    NIST guidelines.
  • Movement within facility.
  • Removal of hardware from facility.
  • PPs to address final disposition of ePHI and/or
    medium where stored

30
Disposal Compliance Practices
  • ePHI must be rendered unusable and/or
    inaccessible prior to disposal.
  • When portable media is discarded, it should be
    overwritten multiple times, in accordance with
    NIST guidelines.
  • Maintain a record of where the hardware is, and
    the person responsible for it.
    164.310(d)(2)(iii).

31
Accountability Practices for Compliance
  • Identify types of hardware and electronic media
    that must be tracked.
  • Create record / log to track where devices are.
  • Portable devices should not ordinarily contain
    ePHI and must be individually identified in the
    tracking system in order to contain ePHI.
  • Possession of a portable device with ePHI must be
    consistent with the individual's position.
  • Inventory should be physically confirmed at least
    annually.

32
Data Backup and Storage
  • Create a retrievable, exact copy of electronic
    protected health information, when needed, before
    movement of equipment. 164.310(d)(2)(iv)
  • Establish a process for documenting or verifying
    its creation.

33
4 Components of Compliant Technical PPs
  • 164.312(a)(2)(iii) Automatic logoff procedures
  • 164.312(a)(2)(i) Unique name / identifier to
    track users
  • 164.312(a)(2)(iv) Encryption and decryption
    procedures
  • 164.312(a)(2)(ii) Emergency access procedures
34
Step 1 User ID
  • Unique account for each user, including a unique
    username and password, if they access ePHI.
  • Verification procedures
  • PPs to map permissions
  • Generic or shared accounts are not permitted for
    access to ePHI.

35
Step 2 Emergency Controls
  • The protocol should be written.
  • Do not rely on the availability of a single
    individual.
  • Identify roles that may require special access
    during an emergency.
  • Proper ID of individuals is required. Is access
    to power or a network needed?
  • If electronic systems are a copy of the medical
    record and access to the system is not necessary
    for safe patient care, use of medical records
    while the system is unavailable is acceptable.

Do You Know What You Will Do If The Lights Go Out?
36
Step 3 Auto Logoff Compliance Practices
  • Best practice: require electronic sessions to be
    terminated.
  • If terminating the session isn't possible,
    implement automatic workstation lockout as a
    compensating control.
  • What's an appropriate amount of inactivity before
    automatic lockout?

10 MINUTES
37
Step 4 Encryption Technical Standards
  • HITECH references NIST encryption standards
  • Enforce complex passwords where possible
  • Protection from malicious software
  • Ensure secure remote access
  • Implement correctly configured firewalls
    (hardware and/or software)

38
Step 4 Encryption & Decryption PPs
  • Unique user IDs
  • Frequent changes to IDs
  • Prohibit storing unencrypted ePHI on portable
    electronic devices, including laptops.
  • Remote wipe procedures
  • Incorrect Password
  • IT Personnel

39
Common Sense Security
  • Log off your system if you are not in front of
    it.
  • Remove patient/resident/employee data from view.
  • Make sure others cannot see your computer screen.
  • Don't place patient/resident/employee data on a
    flash drive, CD, diskette, or even your C drive
    if you have a PC.
  • Don't give anyone your password.
  • Any device/laptop used to store/transmit PHI
    must be encrypted; don't store/transmit PHI on
    personal devices.
  • Secure all PHI when sent outside of secure
    environment
  • Emails
  • Texts

40
Mobile Devices Security
  • Enterprise issued mobile devices
  • Password protected
  • Encrypted
  • Remote monitoring
  • Remote wiping (destruction)
  • BYOD
  • Are they secure?
  • Dealing with physicians who insist on texting
  • Difference between sending and receiving
  • Education & Training materials:
    healthit.gov/providers-professionals/downloadable-materials

41
Risks: Mobile Devices
  • Mobile devices produced for consumer use.
  • Can store massive amounts of data.
  • Lack security and operational controls to enable
    management of the device from a centralized
    system.
  • Easily lost or stolen and pose increased risks to
    the confidentiality and security of patient
    health information.
  • Loss or theft may result in breach notification.

42
WHERE IS YOUR DATA?
43
(Image slide: "And this", "Or this", "What is this?", "Say hello to your data")
44
ePHI Text Messaging PPs
  • Appropriate use of work-related texting.
  • Prohibiting texting of ePHI
  • Requiring medical records be updated if ePHI
    received via text.
  • Identifying retention period for any ePHI
    received via text.
  • An inventory of all mobile devices used for
    texting ePHI (whether provider-owned or personal
    devices).

45
Device Ownership. BYOD Considerations
  • Written authorization before storing ePHI.
  • A clear definition of data ownership.
  • Define what is acceptable use.
  • Annual acknowledgment of organization PPs
  • Reservation of rights to examine devices
  • Procedures during employee or contractor
    separation

46
BYOD Policies To Consider
  • Appropriate use of texting
  • Appropriate use of camera and video
  • Appropriate use of sensitive information
  • Requirements for password protection and lock-out
    features.
  • Prohibition on altering factory defaults and
    operating systems (i.e., jail-breaking)
  • Appropriate use of applications and conditions of
    downloading software.

47
Technology Solutions for Mobile Devices
  • Password protection and encryption for mobile
    devices that create, receive or maintain text
    messages with ePHI.
  • Enterprise control to oversee communication use
  • Enterprise control to wipe information from lost
    devices and/or separated employees
  • Use of a secure messaging application.
  • Audit trail system.

48
Security Assessment Exemplars
49
Event Management: Breach
  • Ready or not, expect there will be a breach

50
Risk Assessment: Breach
  • The CE/BA should perform a risk assessment after
    breach discovery and must consider at least the
    following:
  • Nature and extent of the PHI involved, including
    the types of identifiers and the likelihood of
    re-identification
  • Who was the recipient of the PHI
  • Whether the PHI was actually acquired or viewed
  • The extent to which the risk of misuse of the PHI
    has been mitigated

51
Risk Analysis Criteria
  • Likelihood of identification or
    re-identification
  • a list of patient names: not low probability
  • patient discharge data, patient not specified:
    can patients be re-identified? could be low
    probability (depends on the circumstances)
  • Who is the unauthorized recipient
  • a HIPAA covered entity: low probability, as long
    as you have evidence the risk has been mitigated
  • an employer who may be able to use personnel
    records to re-identify: not low probability
  • PHI actually acquired or viewed
  • untampered-with laptop: low probability
  • information mailed to the wrong person: not low
    probability
  • Has improper use been mitigated
  • satisfactory assurances of destruction from a
    known person: low probability

52
Risk of Harm Analysis
  • Did the breach pose a significant risk of
    financial, reputational, or other harm to the
    individual?
Risk Evaluation
  • To whom was the PHI disclosed?
  • Another employee/BA? Low risk
  • Wrong fax number/unauthorized family member?
    Moderate risk
  • PHI lost or stolen? High risk
  • In what form was the PHI accessed, used, or
    disclosed?
  • Verbal? Low risk
  • Paper? Moderate risk
  • Electronic? High risk
  • What event caused the access, use, or disclosure
    of PHI?
  • Unintentional disclosure? Low risk
  • Intentional disclosure? Moderate risk
  • Hacking/theft? High risk
  • What type of PHI was impermissibly accessed,
    used, or disclosed?
  • Limited data set? Low risk
  • Non-sensitive PHI? Moderate risk
  • Treatment provided? Potentially higher risk
  • Substance abuse, mental health, contagious
    disease? High risk

53
Definition of Breach
  • Definition changed from the interim rule
    definition
  • An impermissible use or disclosure of PHI is
    presumed to be a breach unless the covered entity
    or business associate demonstrates there is low
    probability that the PHI has been compromised

54
Has A Breach Occurred?
  • Is the information unsecured PHI?
  • Was the PHI de-identified?
  • Was the PHI acquired, accessed, used, or
    disclosed in accordance with the Privacy Rule?
  • Was the PHI encrypted?
  • Was the PHI properly destroyed?
  • If any of the above answers is "yes", then the
    information is not unsecured PHI; therefore no
    breach has occurred and notification is not
    required.

55
Privacy & Security Exceptions
  • Did a CE/BA workforce member unintentionally
    access or use the PHI while acting within the
    scope of their duties?
  • Was the impermissible use and/or disclosure
    stopped before further disclosure occurred?
  • Did a CE/BA workforce member inadvertently
    disclose PHI to another workforce member where
    all were otherwise authorized to access/use PHI?
  • Was the use/disclosure of PHI incident to an
    otherwise permissible use or disclosure where the
    minimum necessary requirement was followed?
  • Was the PHI impermissibly disclosed to an
    unauthorized person, but a good faith belief
    exists that the recipient would not be able to
    retain the PHI?
  • If any of the above answers is "yes", then no
    breach has occurred and notification is not
    required.

56
Breach Decision Tree
  • Is the information PHI?
    • No: No Notification under HITECH. Determine if
      state breach notification laws apply.
    • Yes: continue.
  • Is the PHI unsecured?
    • No: No Notification under HITECH. Determine
      accounting and mitigation obligations under
      HIPAA.
    • Yes: continue.
  • Is there an impermissible acquisition, access,
    use or disclosure of PHI?
    • No: No Notification under HITECH.
    • Yes: continue.
  • Does the impermissible acquisition, access, use
    or disclosure compromise the security or privacy
    of PHI? Has a written risk assessment been
    completed?
    • No: No Notification under HITECH. Determine
      accounting and mitigation obligations under
      HIPAA.
    • Yes: continue.
  • Does an exemption apply?
    • No: Notification Required. Determine methods
      for notification of affected individuals, the
      Secretary of HHS and, if necessary, the media.
57
(No Transcript)
58
Breach Notification
  • Notification of Breach
  • Data breach notification requirements imposed for
    unauthorized uses and disclosures of "unsecured
    PHI."
  • Patients must be notified of any unsecured
    breach.
  • If a breach impacts 500 patients or more, HHS
    must also be notified, and breaching entity's
    name will be published on HHS' website.
  • Under certain conditions local media will also
    need to be notified.
  • Notification is triggered whether the unsecured
    breach occurred externally or internally.

59
Notice of Privacy Practices
  • Redistribution required!

60
Notice of Privacy Practices (NPP)
  • NPPs must include
  • Statements regarding certain uses and disclosures
    requiring authorization
  • Psychotherapy notes (where appropriate)
  • Marketing
  • Sales of PHI
  • Right to restrict disclosures to health plans
    (provider only) and
  • Right to be notified of breach.
  • General statement that all uses and disclosures
    not described in NPP also require authorization

61
Notice of Privacy Practices
  • Does it contain all the required elements?
  • "This notice describes how medical information
    about you may be used and disclosed and how you
    can get access to this information. Please
    review it."
  • Include examples of types of use and disclosures.
  • List of uses and disclosures allowed without
    authorization.
  • List of individuals' rights.
  • Privacy Officer contact information.
  • Do you use PHI for marketing?
  • Do you use PHI for research?

62
Covered Entity - Privacy Obligations
  • Is NPP posted?
  • Has NPP been translated?
  • What is your process for delivery?
  • What is your process to re-distribute when there
    are changes?
  • Is your NPP posted on websites?

63
Omnibus Rule NPPs must be Revised
  • Changes in rule are material
  • For plans that post on website, post revised NPP
    by effective date and in next annual mailing
  • If no web site, plans must provide within 60 days
    of material revision
  • For providers: must post and make available upon
    request; must provide to (and seek
    acknowledgement from) new patients
  • Can send by e-mail if individual agrees

64
Important Next Steps
  • Review policies, procedures, forms, and update
  • Train staff on new provisions
  • Inventory BAs and update BAAs
  • Update breach response plan; in particular,
    update risk assessment and address encryption

65
Components Of An Effective Security Plan
  • Policies & Procedures governing hardware and
    software.
  • Testing
  • Auditing
  • Contingency Plans

66
Compliance Date
  • September 23, 2013