Disclaimer: This presentation is provided for general information purposes and is not intended as legal advice.

Program Goals

To understand the essential elements of maintaining the privacy and security of sensitive information and protected health information (PHI) of patients

Topics Covered:
- HIPAA privacy and security rules
- What makes identifiers create PHI
- Your role in complying with HIPAA
- State privacy laws
- What to do in the event of a breach

Sensitive Information

The privacy and security of ALL forms of sensitive information must be protected

Forms:
- Written
- Printed
- Electronically stored
- Electronically transmitted
- Spoken

Examples:
- Identifiable health information
- Social Security Number
- Credit card number
- Driver’s license number
- Address
- Passwords

HIPAA Privacy Rule

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) protects individually identifiable health information known as Protected Health Information or PHI. HIPAA requirements were expanded and strengthened in 2009 under the Health Information Technology for Economic and Clinical Health Act (HITECH).

Key Definitions:
- Covered Entity: A person or entity that furnishes, bills or is paid for health care services in the normal course of business
- PHI: Any information that can be used to identify a patient and that relates to a past, present or future health condition, including health care services and payment for those services

What Makes PHI Identifiable?
Any unique number, code or characteristic that links information to a specific individual
- Name
- Address/Zip Code
- Telephone number
- Fax number
- Social Security Number
- Vehicle identifier
- Email address
- Dates (except year)
- Names of relatives
- Full face photo or image
- Medical record number
- Patient account number
- Fingerprint/Voiceprint
- Medical device numbers
- Health plan numbers
- Certificate/license number

Duty to Protect PHI

A Covered Entity must protect PHI from unauthorized use or disclosure. An employee may access or disclose a patient’s PHI only as a part of the employee’s job duties.
- Use or disclosure of PHI is permitted for: Treatment, Payment, Healthcare operations, Public health purposes
- Except for treatment purposes, access, use or disclosure of PHI must be limited to the minimum necessary to accomplish the intended purpose
- Except to or on behalf of the patient, all other uses and disclosures of PHI must be authorized by the patient

Individual Rights

HIPAA grants certain rights to individuals with respect to how their PHI is used and disclosed by the Covered Entity

Patients have the right to:
- Receive a copy of the facility’s Notice of Privacy Practices
- View and obtain copies of their medical records
- Request corrections to their medical records
- Request restrictions on use and sharing of their information
- Obtain an accounting of certain disclosures of their PHI
- Request that communications related to PHI be directed to a specific location
- File a complaint if they believe these rights have been denied or their PHI is not being protected

Uses and Disclosures Permitted Without an Authorization
- Treatment within and between health care providers
- Payment for health care treatment
- Healthcare Operations of Facility
  - Quality Initiatives
  - Training
  - Audit/Legal/Compliance Activities
  - Personnel Performance Evaluations
- Public Health Activities
  - Reporting abuse, neglect or domestic violence
  - FDA-regulated product safety
- To provide information to coroners, medical examiners or funeral directors
- Organ Donation
- Court order or subpoena
- Law enforcement purposes related to crimes, provided certain circumstances are met

Special Disclosure Circumstances
- To the Public: Unless a patient objects, a Covered Entity may disclose that patient’s location (i.e., treatment room) to persons, including clergy, who inquire about that patient by name
- Family & Friends: Unless a patient has given permission, PHI must never be shared with family members, friends or others involved in the patient’s care
- Decedents: PHI may be disclosed to a family member or person involved in the care of a deceased patient unless the patient had expressed otherwise while still living. HIPAA protections apply for 50 years after death.

Marketing & Fundraising

HIPAA imposes restrictions on the use of PHI for marketing and fundraising purposes
- A Covered Entity may only use demographic information to market services or send fundraising solicitations to patients
- A Covered Entity may never sell PHI
- Without an authorization, a Covered Entity may not receive payment for the use or disclosure of PHI
- The Notice of Privacy Practices must advise patients of the prohibitions on marketing and the sale of PHI and of their right to “opt out” of being contacted
- Each fundraising solicitation must contain an easy means for patients to “opt out” of receiving future communications

Business Associates

Business Associate: An outside person or company that performs a function or provides services for, or on behalf of, the Covered Entity that involves the use, disclosure or creation of PHI

Business Associates are directly liable for compliance with HIPAA privacy and security requirements and must:
- Enter into a Business Associate Agreement (BAA)
- Use appropriate safeguards to prevent unauthorized access, use or disclosure of PHI
- Obtain satisfactory assurances from any subcontractor that it has appropriate safeguards in place
- Notify the CE of any breach of unsecured PHI
- Train employees and subcontractors on HIPAA requirements
- Protect PHI to the same degree as the CE

HIPAA Security Rule

HIPAA established physical, technical and administrative standards for the protection of electronic PHI, with a focus on the confidentiality, integrity and availability of PHI

Safeguards Must:
- Protect PHI from accidental or intentional unauthorized use or disclosure in computer systems and work areas
  - Virus protection software
  - Encryption
- Limit accidental disclosures
  - Restrict hallway and waiting room discussions
  - Do not leave computers unattended or in public areas
- Control access to facilities and systems
  - Password protection
  - Lock doors and file cabinets

Employee Responsibilities

All facility personnel are responsible for the protection of sensitive information and PHI

You Should:
- Avoid storing sensitive information on mobile devices and portable media unless the information is encrypted
- Keep portable devices physically secure to prevent theft and unauthorized access
- Access information only as necessary to fulfill your job responsibilities
- Comply with all facility policies
- Promptly report the loss or misuse of devices where PHI or sensitive information is stored

Managing Breaches

A breach occurs when information that is legally required to be protected is exposed to unauthorized use or disclosure that compromises the security or privacy of the information, unless it can be proven that the risk of compromise is low.

What Constitutes a Breach?
- Information is lost, stolen or improperly disposed of
- Information is “hacked” into by people or mechanized programs
  - Worms
- Information is provided to others who have no right to or need for the information
  - Gossip
  - Tabloids

Obligations in the Event of Breach

The facility is required to take reasonable steps to lessen the harmful effects of a confirmed breach involving compromised PHI
- Depending on the risk analysis of an impermissible use or disclosure of PHI, the facility may be required to notify:
  - The affected patient(s)
  - Department of Health and Human Services/Office of Civil Rights
  - Indiana Attorney General
  - Standard: Potential for “significant harm”, not actual harm, to the patient
- Facility personnel may not threaten or take any retaliatory action against an individual for exercising his/her rights under HIPAA or for filing a HIPAA report or complaint, including giving notice of a privacy or security breach
- The Office of Civil Rights may investigate any reported breach

Breach Notification Requirements

Covered Entity Must:
- Notification must be made “without reasonable delay” but no later than 60 days after discovery of the breach
- Notice must be:
  - In writing and sent to the individual by mail or email
  - Sent to the last known address of the individual
  - If the information is insufficient or out of date, the CE must give public notice via website or media
- If the breach involves more than 500 individuals, the CE must notify HHS immediately and notify prominent media outlets
- If the breach involves fewer than 500 individuals, the CE may maintain a log to be produced to HHS annually

Breach Notification

Breach notification must include:
- Brief description of what happened, including dates of breach and discovery
- Description of the types of unsecured PHI that were involved
- Steps individuals should take to protect themselves from potential harm resulting from the breach
- Brief description of what the CE is doing to investigate the cause, mitigate losses and protect against future breaches
- Contact procedures, including toll-free phone number, email address, web site or postal address

Personal Health Records (PHR) vendors, servicers and other third party service providers must notify their customers and the FTC of any breach of security involving the customer’s PHR identifiable health information. The FTC may take action against violations as unfair and deceptive acts or practices under the FTC Act.

Penalties for Breaches

HIPAA imposes civil and criminal penalties for violation of the privacy or security requirements. Penalties apply to the CE, employees, Business Associates and others that obtain or disclose PHI without authorization
- Civil Penalties: $50,000 per incident, up to $1.5 Million per incident for violations not corrected, per calendar year
- Criminal Penalties: $50,000 to $250,000 in fines and up to 20 years in prison
- HHS must investigate any complaint that a breach occurred due to “willful neglect”. If found, it must impose civil monetary penalties
- State Attorneys General may bring civil actions to enjoin privacy/security violations or obtain damages

Indiana Law

Upon discovery of a breach, a database owner must disclose the breach to Indiana residents whose personal information was or may have been acquired by an unauthorized person if the database owner knows, or should know, that it could result in identity theft. (IC 24-4.9)

Notification requirements:
- Without reasonable delay by mail, phone, fax, email
- Notice via website and major news media permitted if more than 500,000 persons are affected or if cost would exceed $250,000
- Notify Attorney General’s Office

Penalties for failure to disclose:
- Lawsuit by Attorney General and civil fines up to $150,000

A Data Breach Near You

Anthem:
- Announced in January 2015
- Up to 80 million people affected
- Sophisticated cyber attack
- Lack of encryption, network credentials stolen by “phishing”

Medical Informatics Engineering:
- Announced in June 2015
- Up to 4 million people affected
- Sophisticated cyber attack
- Main networks and NoMoreClipBoard systems
- Electronic Health Records and Personal Health Records

Violations Are Costly
- Massachusetts Eye and Ear: Paid $1.5 million and retained an independent monitor for HIPAA violations due to theft of an unencrypted laptop containing PHI of patients
- Affinity Health Plan: Paid $1.2 million and entered into a settlement for a breach affecting over 300,000 patients, caused by returning copiers to the leasing agent without erasing the data contained on the hard drives, which included PHI
- Walgreens: Paid $1.44 million to a customer whose PHI was impermissibly accessed and disclosed by a pharmacy employee. The employee looked up her husband’s ex-girlfriend’s records to confirm a diagnosis of an STD and shared the information with her husband

In addition to money damages, privacy breaches can cause significant reputational harm to the organization

What’s Next? Phase II Audits

The Affordable Care Act authorized the Office of Civil Rights to audit for compliance with HIPAA privacy, security and breach notification standards. Audits in 2011 and 2012 (Phase I) focused on Covered Entities. Phase II will be conducted starting in 2015 and will cover CEs and Business Associates.
- Pre-audit surveys will be sent to 550 to 800 randomly selected CEs. Based on survey responses, 350 CEs and 50 BAs will be selected for audit.
- Be prepared:
  - Conduct a risk assessment
  - Ensure policies and procedures are up to date and comprehensive
  - Review electronic files to identify which are encrypted
  - Create a complete list of BAs and subcontractors
  - Ensure the Breach Notification Policy includes state law requirements
  - Ensure the Notice of Privacy Practices is compliant and available to patients

Most Common Violations

Types:
- Misuse & disclosure of PHI
- No protections in place
- Patients unable to access their health information
  - Guidance to be issued 2015
- Use or disclosure of more than minimum necessary
- No safeguards of ePHI

Entities:
- Private practices
- Hospitals
- Outpatient facilities
- Group health plans
- Pharmacies

--
Colleen M. Roberts
Krieg DeVault LLP
312.800.4010
croberts@kdlegal.com