Aldo M. Leiva, Esq.
Lubell Rosen, LLC
Columbus Center
1 Alhambra Plaza
Suite 1410
Coral Gables, Fl 33134
Phone: (305) 442-9211
Fax: (305) 442-9047
Email: aml@lubellrosen.com
www.lubellrosen.com

HIPAA/HITECH Update: Practical Effects and Enforcement Trends

Presented by Aldo M. Leiva, Esq., Data Security and Privacy Attorney
for the American Health Lawyers Association
January 13, 2013

© 2014 Lubell Rosen, LLC
OVERVIEW OF PRESENTATION
- HIPAA Omnibus Rule Key Provisions
  - Breach Notification
  - New Penalty Structure
  - Business Associates Re-Defined
- Compliance Activities and Considerations
- OCR Audit Overview – Past and Future
- Latest Enforcement Actions
- Insurance Considerations
- Questions and Answers

HIPAA/HITECH OMNIBUS RULE
- Effective Date: March 26, 2013
- Compliance Deadline: September 23, 2013

HITECH ACT - KEY PROVISIONS
- Breach Notification Requirements
- New Penalty Levels
- Compliance Requirements for Business Associates (BAs)
- Audits
- Extended Enforcement by State AGs

BREACH NOTIFICATION REQUIREMENTS
- Old requirements under the Interim Final Rule
- A breach is an event that “compromises the security or privacy of the protected health information” and “poses a significant risk of financial, reputational, or other harm to the individual.”

BREACH NOTIFICATION FINAL RULE (OMNIBUS)
- Any impermissible use or disclosure of protected health information is presumed to be a breach unless the regulated entity is able to demonstrate, through a risk assessment, that there is a low probability of compromise.

FOUR FACTORS FOR RISK ASSESSMENT
- To whom the information was impermissibly disclosed
- Whether the information was actually accessed or viewed
- Potential ability of the recipient to identify the subjects of the data
- Whether the recipient took appropriate mitigating action

TIERED PENALTY STRUCTURE
- Significant increase in penalties
- Reduction in the number of affirmative defenses
- Mandatory penalties for all violations due to “willful neglect”
- Applies to violations occurring after February 18, 2009

TIER 1 - UNKNOWING
- CE or BA did not know and reasonably should not have known of the violation.
- $100 to $50,000 per violation
- Total of $1.5M for all violations of an identical requirement or prohibition occurring within the same calendar year

TIER 2 - REASONABLE CAUSE
- CE or BA knew, or by exercising reasonable diligence would have known, that the act or omission was a violation, but the covered entity or business associate did not act with willful neglect.
- $1,000 to $50,000 per violation
- Total of $1.5M for all violations of an identical requirement or prohibition occurring within the same calendar year

TIER 3 - WILLFUL NEGLECT, CORRECTED
- The violation was the result of conscious, intentional failure or reckless indifference to fulfill the obligation to comply with HIPAA. However, the covered entity or business associate corrected the violation within 30 days of discovery.
- $10,000 to $50,000 per violation
- Total of $1.5M for all violations of an identical requirement or prohibition occurring within the same calendar year

TIER 4 - WILLFUL NEGLECT, UNCORRECTED
- The violation was the result of conscious, intentional failure or reckless indifference to fulfill the obligation to comply with HIPAA, and the covered entity or business associate did not correct the violation within 30 days of discovery.
- At least $50,000 per violation
- Total of $1.5M for all violations of an identical requirement or prohibition occurring within the same calendar year

DEFENSE TO PENALTIES
- A penalty may not be imposed for a violation that is not due to willful neglect and that is corrected within 30 days of actual or constructive knowledge of the violation, or during an additional period, as determined by the Secretary to be appropriate based on the nature and extent of the failure to comply.

PRACTICE TIP
A CE or BA that discovers a violation of HIPAA that is not due to willful neglect should attempt to:
(i) correct the violation within 30 days of the discovery;
(ii) document the date on which it discovered the violation(s); and
(iii) document the date on which it implemented the correction,
in order to establish a basis for asserting the affirmative defense to the imposition of a penalty for the violation.

HHS DISCRETION
- HHS may waive a penalty for violations that are not due to willful neglect, in whole or in part, to the extent that the penalty is excessive relative to the violation.
- HHS has discretion to use other measures to address HIPAA violations, such as providing direct technical assistance or resolving possible noncompliance through informal means.

CE AND BA LIABILITY
- A CE is liable for the violations of its business associates (BAs) that are its agents.
- A BA is liable for the acts of its agents (i.e., subcontractors).

BUSINESS ASSOCIATES RE-DEFINED
- A BA is a person/entity that “creates, receives, maintains or transmits protected health information on behalf of a covered entity”.
- The new definition of BA includes records management companies that “maintain” records containing PHI, regardless of whether the records are accessed or reviewed.
- A BA is subject to the rule if it has access to electronic or hard-copy PHI.

BEFORE HITECH ACT
- BA was subject to a breach-of-contract claim for violation of the BAA.
- 2009: HITECH enacted; the BA became directly liable for a PHI breach, but OCR agreed not to pursue enforcement actions against BAs until finalization of the Rule.
- Rule finalized: enforcement actions can commence as of September 23, 2013.

BA AGREEMENT TERMS
- Establish how the BA is permitted or required to use and disclose PHI – it must not use or further disclose PHI other than as permitted by or required by the BAA or by law.
- Use appropriate safeguards to prevent PHI from being used or disclosed other than as permitted by the BAA.
- Report to the CE if it learns of any unauthorized use or disclosure of PHI.

BA AGREEMENT TERMS (2)
- BAAs must also include a provision that allows the CE to terminate the underlying agreement if the BA violates a material term of the BAA.
- Ensure that subcontractors receiving PHI from the BA agree to the same restrictions on use and disclosure of PHI.

NO FORMAL BAA?
- The Omnibus Rule still applies.
- The BA must comply with the relevant HIPAA provisions irrespective of BAA terms or service contracts with customers.

BA VIOLATIONS
- BA does not contractually impose restrictions on subcontractors
- Fails to notify the CE of a security breach within 60 days
- Fails to implement any of the administrative, physical, and technical safeguards in the HIPAA Security Rule
- Fails to follow the “minimum necessary” standard

COMPLIANCE ACTIVITIES
- Develop and implement Privacy Policies
- Conduct periodic Risk Assessments
- Develop and adopt Email Policies
- Develop and adopt Mobile Device Policies
- Train employees
- Designate Privacy/Security Officers
- Update Notice of Privacy Practices
- Revise BA Agreements
- Adopt Breach Assessment/Notification Policies

AUDITS
- December 2012: Pilot Audits completed
- Evaluations of the Pilot Program
- BAs to be audited as well

OCR AUDIT PLANS FOR 2014
- Streamlined audit process
- Expanded scope of audits (to include BAs)
- OCR is hiring more auditors
- More audits are likely, with emphasis on BAs

PILOT AUDIT RESULTS
- “Small” CEs (< $50M in revenue) had more compliance issues (66% of deficiencies)
- Health care providers responsible for 81% of deficiencies
- Majority of deficiencies related to the Security Rule

PILOT AUDIT RESULTS (2)
- 80% of health care providers did not have a complete and accurate risk analysis
- Encryption: organizations deciding against encryption did not document the basis for doing so

AUDIT PROTOCOL
- Tool for audit preparation
- http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html

STATE AG ENFORCEMENT
- HITECH gave State Attorneys General authority to bring civil actions on behalf of state residents for violations of the HIPAA Privacy and Security Rules.
- State AGs may obtain damages on behalf of state residents or enjoin further violations of the HIPAA Privacy and Security Rules.

STATE AG PENALTIES
- Penalties are calculated by multiplying the number of violations by up to $100.
- Total penalties imposed for all violations of an identical requirement or prohibition during a calendar year may not exceed $25,000.
- The court, in its discretion, may award the costs of the action and reasonable attorney fees to the State.

ENFORCEMENT TRENDS
- As of June 30, 2013, OCR has investigated and resolved over 20,359 cases by requiring changes in privacy practices and other corrective actions by CEs.
- WellPoint pays $1.7M to settle potential violations (2013)
- Mass. Eye & Ear pays $1.5M to settle potential violations (2012)

ENFORCEMENT TRENDS (2)
- December 24, 2013: OCR imposed a $150,000 penalty and a corrective action plan
- CE reported a stolen UNENCRYPTED thumb drive with PHI to OCR and notified patients within 30 days
- OCR issued the penalty due to the failure of the CE to:
  - conduct an adequate risk assessment of ePHI
  - adopt written policies and train personnel
  - reasonably safeguard the unencrypted thumb drive

ENFORCEMENT TRENDS (3)
- Barry University Data Breach – Dec. 31, 2013
- CE reported the data breach SEVEN MONTHS after a laptop was infected with malware
- Violation of HITECH Rules: individual notifications must be provided without unreasonable delay and in no case later than 60 days following discovery of the data breach

AUDIT TRENDS TO TRACK - 2014
- Much larger pool of entities subject to enforcement
- Likely that enforcement actions will increase
- BAs focusing on record storage and document destruction may be subject to more scrutiny due to the large volume of PHI potentially at risk
- OCR is hiring more auditors
- More audits are likely, with emphasis on BAs

AUDIT TRENDS TO TRACK - 2014 (2)
- OCR is requesting a budget increase
- OCR will use $4.5 million in collected HIPAA penalties to help fund the audit program
- OCR is seeking a contractor for a permanent audit program
- OCR Director Leon Rodriguez is slated to leave OCR for a post at Homeland Security

CYBERLIABILITY COVERAGE
- Review existing insurance policies
- Traditional D&O and E&O policies may provide HIPAA coverage, unless excluded
- Consider additional coverage
- HIPAA policies: investigations, defense costs, and penalties
- Consult with insurance coverage counsel

THANK YOU
Aldo M. Leiva, Esq.
Chair, Data Security and Privacy Practice
Lubell Rosen
One Alhambra Plaza, Suite 1410
Coral Gables, FL 33134
aml@lubellrosen.com
www.lubellrosen.com
Direct: (305) 442-9211

© 2014 Lubell Rosen, LLC

Mais conteúdo relacionado

Semelhante a HIPAA HITECH Update 2014- Practical Effects and Enforcement Trends

HIPAA Security Rule application to Business Associates heats up
HIPAA Security Rule application to Business Associates heats upHIPAA Security Rule application to Business Associates heats up
HIPAA Security Rule application to Business Associates heats upDavid Sweigert
 
sick lv article in Constant Contact (00053508xAF685)
sick lv article in Constant Contact (00053508xAF685)sick lv article in Constant Contact (00053508xAF685)
sick lv article in Constant Contact (00053508xAF685)krose50
 
Everything You Need To Know About DOL Audits
Everything You Need To Know About DOL AuditsEverything You Need To Know About DOL Audits
Everything You Need To Know About DOL Auditsbenefitexpress
 
HR Webinar Series June 2021
HR Webinar Series June 2021HR Webinar Series June 2021
HR Webinar Series June 2021JJ Steadman
 
Legal Issues Important for Doing Business in the U.S. | Martijn Steger
Legal Issues Important for Doing Business in the U.S. | Martijn StegerLegal Issues Important for Doing Business in the U.S. | Martijn Steger
Legal Issues Important for Doing Business in the U.S. | Martijn StegerKegler Brown Hill + Ritter
 
Business Law Newsletter
Business Law NewsletterBusiness Law Newsletter
Business Law NewsletterdmurrayTH
 
Avoiding traps in EMR/Technology Contracts by Sandra P. Greenblatt
Avoiding traps in EMR/Technology Contracts by Sandra P. GreenblattAvoiding traps in EMR/Technology Contracts by Sandra P. Greenblatt
Avoiding traps in EMR/Technology Contracts by Sandra P. GreenblattSandra Greenblatt
 
12 Ways Employers Violate FMLA [Data Driven]
12 Ways Employers Violate FMLA [Data Driven]12 Ways Employers Violate FMLA [Data Driven]
12 Ways Employers Violate FMLA [Data Driven]Richard Celler
 
How International Startups Can Move to Silicon Valley
How International Startups Can Move to Silicon ValleyHow International Startups Can Move to Silicon Valley
How International Startups Can Move to Silicon Valleyideatoipo
 
Background Screening Presentation 2011
Background Screening Presentation 2011Background Screening Presentation 2011
Background Screening Presentation 2011poseyjj
 
Brian Balow HIPAA Final Rule
Brian Balow HIPAA Final RuleBrian Balow HIPAA Final Rule
Brian Balow HIPAA Final Rulemihinpr
 
First and Foremosts September 2021 Presentation
First and Foremosts September 2021 PresentationFirst and Foremosts September 2021 Presentation
First and Foremosts September 2021 Presentationlerchearly
 
Employment Law Newsletter
Employment Law NewsletterEmployment Law Newsletter
Employment Law NewsletterdmurrayTH
 
Top 5 HR Legal Hot Spots for Businesses
Top 5 HR Legal Hot Spots for BusinessesTop 5 HR Legal Hot Spots for Businesses
Top 5 HR Legal Hot Spots for BusinessesBFBootcamp
 
Corporate compliance powerpoint
Corporate compliance powerpointCorporate compliance powerpoint
Corporate compliance powerpointsmcmanus3
 
Mortgage Tech Summit AZ 2012 Internet Advertising Compliance
Mortgage Tech Summit AZ 2012 Internet Advertising ComplianceMortgage Tech Summit AZ 2012 Internet Advertising Compliance
Mortgage Tech Summit AZ 2012 Internet Advertising ComplianceSteve Lines
 
HIPAA Business Associate Compliance and Dangers
HIPAA Business Associate Compliance and DangersHIPAA Business Associate Compliance and Dangers
HIPAA Business Associate Compliance and DangersConference Panel
 

Semelhante a HIPAA HITECH Update 2014- Practical Effects and Enforcement Trends (20)

HIPAA Security Rule application to Business Associates heats up
HIPAA Security Rule application to Business Associates heats upHIPAA Security Rule application to Business Associates heats up
HIPAA Security Rule application to Business Associates heats up
 
sick lv article in Constant Contact (00053508xAF685)
sick lv article in Constant Contact (00053508xAF685)sick lv article in Constant Contact (00053508xAF685)
sick lv article in Constant Contact (00053508xAF685)
 
Everything You Need To Know About DOL Audits
Everything You Need To Know About DOL AuditsEverything You Need To Know About DOL Audits
Everything You Need To Know About DOL Audits
 
OSHA
OSHA OSHA
OSHA
 
HR Webinar Series June 2021
HR Webinar Series June 2021HR Webinar Series June 2021
HR Webinar Series June 2021
 
Legal Issues Important for Doing Business in the U.S. | Martijn Steger
Legal Issues Important for Doing Business in the U.S. | Martijn StegerLegal Issues Important for Doing Business in the U.S. | Martijn Steger
Legal Issues Important for Doing Business in the U.S. | Martijn Steger
 
Business Law Newsletter
Business Law NewsletterBusiness Law Newsletter
Business Law Newsletter
 
CEA SSAE16
CEA SSAE16CEA SSAE16
CEA SSAE16
 
Whistleblower Law
Whistleblower LawWhistleblower Law
Whistleblower Law
 
Avoiding traps in EMR/Technology Contracts by Sandra P. Greenblatt
Avoiding traps in EMR/Technology Contracts by Sandra P. GreenblattAvoiding traps in EMR/Technology Contracts by Sandra P. Greenblatt
Avoiding traps in EMR/Technology Contracts by Sandra P. Greenblatt
 
12 Ways Employers Violate FMLA [Data Driven]
12 Ways Employers Violate FMLA [Data Driven]12 Ways Employers Violate FMLA [Data Driven]
12 Ways Employers Violate FMLA [Data Driven]
 
How International Startups Can Move to Silicon Valley
How International Startups Can Move to Silicon ValleyHow International Startups Can Move to Silicon Valley
How International Startups Can Move to Silicon Valley
 
Background Screening Presentation 2011
Background Screening Presentation 2011Background Screening Presentation 2011
Background Screening Presentation 2011
 
Brian Balow HIPAA Final Rule
Brian Balow HIPAA Final RuleBrian Balow HIPAA Final Rule
Brian Balow HIPAA Final Rule
 
First and Foremosts September 2021 Presentation
First and Foremosts September 2021 PresentationFirst and Foremosts September 2021 Presentation
First and Foremosts September 2021 Presentation
 
Employment Law Newsletter
Employment Law NewsletterEmployment Law Newsletter
Employment Law Newsletter
 
Top 5 HR Legal Hot Spots for Businesses
Top 5 HR Legal Hot Spots for BusinessesTop 5 HR Legal Hot Spots for Businesses
Top 5 HR Legal Hot Spots for Businesses
 
Corporate compliance powerpoint
Corporate compliance powerpointCorporate compliance powerpoint
Corporate compliance powerpoint
 
Mortgage Tech Summit AZ 2012 Internet Advertising Compliance
Mortgage Tech Summit AZ 2012 Internet Advertising ComplianceMortgage Tech Summit AZ 2012 Internet Advertising Compliance
Mortgage Tech Summit AZ 2012 Internet Advertising Compliance
 
HIPAA Business Associate Compliance and Dangers
HIPAA Business Associate Compliance and DangersHIPAA Business Associate Compliance and Dangers
HIPAA Business Associate Compliance and Dangers
 

Último

SWD (Short wave diathermy)- Physiotherapy.ppt
SWD (Short wave diathermy)- Physiotherapy.pptSWD (Short wave diathermy)- Physiotherapy.ppt
SWD (Short wave diathermy)- Physiotherapy.pptMumux Mirani
 
Hematology and Immunology - Leukocytes Functions
Hematology and Immunology - Leukocytes FunctionsHematology and Immunology - Leukocytes Functions
Hematology and Immunology - Leukocytes FunctionsMedicoseAcademics
 
epilepsy and status epilepticus for undergraduate.pptx
epilepsy and status epilepticus  for undergraduate.pptxepilepsy and status epilepticus  for undergraduate.pptx
epilepsy and status epilepticus for undergraduate.pptxMohamed Rizk Khodair
 
Primary headache and facial pain. (2024)
Primary headache and facial pain. (2024)Primary headache and facial pain. (2024)
Primary headache and facial pain. (2024)Mohamed Rizk Khodair
 
Culture and Health Disorders Social change.pptx
Culture and Health Disorders Social change.pptxCulture and Health Disorders Social change.pptx
Culture and Health Disorders Social change.pptxDr. Dheeraj Kumar
 
Tans femoral Amputee : Prosthetics Knee Joints.pptx
Tans femoral Amputee : Prosthetics Knee Joints.pptxTans femoral Amputee : Prosthetics Knee Joints.pptx
Tans femoral Amputee : Prosthetics Knee Joints.pptxKezaiah S
 
Statistical modeling in pharmaceutical research and development.
Statistical modeling in pharmaceutical research and development.Statistical modeling in pharmaceutical research and development.
Statistical modeling in pharmaceutical research and development.ANJALI
 
low cost antibiotic cement nail for infected non union.pptx
low cost antibiotic cement nail for infected non union.pptxlow cost antibiotic cement nail for infected non union.pptx
low cost antibiotic cement nail for infected non union.pptxdrashraf369
 
world health day presentation ppt download
world health day presentation ppt downloadworld health day presentation ppt download
world health day presentation ppt downloadAnkitKumar311566
 
Glomerular Filtration and determinants of glomerular filtration .pptx
Glomerular Filtration and  determinants of glomerular filtration .pptxGlomerular Filtration and  determinants of glomerular filtration .pptx
Glomerular Filtration and determinants of glomerular filtration .pptxDr.Nusrat Tariq
 
Presentation on General Anesthetics pdf.
Presentation on General Anesthetics pdf.Presentation on General Anesthetics pdf.
Presentation on General Anesthetics pdf.Prerana Jadhav
 
PULMONARY EMBOLISM AND ITS MANAGEMENTS.pdf
PULMONARY EMBOLISM AND ITS MANAGEMENTS.pdfPULMONARY EMBOLISM AND ITS MANAGEMENTS.pdf
PULMONARY EMBOLISM AND ITS MANAGEMENTS.pdfDolisha Warbi
 
The next social challenge to public health: the information environment.pptx
The next social challenge to public health:  the information environment.pptxThe next social challenge to public health:  the information environment.pptx
The next social challenge to public health: the information environment.pptxTina Purnat
 
April 2024 ONCOLOGY CARTOON by DR KANHU CHARAN PATRO
April 2024 ONCOLOGY CARTOON by  DR KANHU CHARAN PATROApril 2024 ONCOLOGY CARTOON by  DR KANHU CHARAN PATRO
April 2024 ONCOLOGY CARTOON by DR KANHU CHARAN PATROKanhu Charan
 
Big Data Analysis Suggests COVID Vaccination Increases Excess Mortality Of ...
Big Data Analysis Suggests COVID  Vaccination Increases Excess Mortality Of  ...Big Data Analysis Suggests COVID  Vaccination Increases Excess Mortality Of  ...
Big Data Analysis Suggests COVID Vaccination Increases Excess Mortality Of ...sdateam0
 
PULMONARY EDEMA AND ITS MANAGEMENT.pdf
PULMONARY EDEMA AND  ITS  MANAGEMENT.pdfPULMONARY EDEMA AND  ITS  MANAGEMENT.pdf
PULMONARY EDEMA AND ITS MANAGEMENT.pdfDolisha Warbi
 
Informed Consent Empowering Healthcare Decision-Making.pptx
Informed Consent Empowering Healthcare Decision-Making.pptxInformed Consent Empowering Healthcare Decision-Making.pptx
Informed Consent Empowering Healthcare Decision-Making.pptxSasikiranMarri
 
Basic principles involved in the traditional systems of medicine PDF.pdf
Basic principles involved in the traditional systems of medicine PDF.pdfBasic principles involved in the traditional systems of medicine PDF.pdf
Basic principles involved in the traditional systems of medicine PDF.pdfDivya Kanojiya
 
maternal mortality and its causes and how to reduce maternal mortality
maternal mortality and its causes and how to reduce maternal mortalitymaternal mortality and its causes and how to reduce maternal mortality
maternal mortality and its causes and how to reduce maternal mortalityhardikdabas3
 

Último (20)

SWD (Short wave diathermy)- Physiotherapy.ppt
SWD (Short wave diathermy)- Physiotherapy.pptSWD (Short wave diathermy)- Physiotherapy.ppt
SWD (Short wave diathermy)- Physiotherapy.ppt
 
Hematology and Immunology - Leukocytes Functions
Hematology and Immunology - Leukocytes FunctionsHematology and Immunology - Leukocytes Functions
Hematology and Immunology - Leukocytes Functions
 
epilepsy and status epilepticus for undergraduate.pptx
epilepsy and status epilepticus  for undergraduate.pptxepilepsy and status epilepticus  for undergraduate.pptx
epilepsy and status epilepticus for undergraduate.pptx
 
Primary headache and facial pain. (2024)
Primary headache and facial pain. (2024)Primary headache and facial pain. (2024)
Primary headache and facial pain. (2024)
 
Culture and Health Disorders Social change.pptx
Culture and Health Disorders Social change.pptxCulture and Health Disorders Social change.pptx
Culture and Health Disorders Social change.pptx
 
Tans femoral Amputee : Prosthetics Knee Joints.pptx
Tans femoral Amputee : Prosthetics Knee Joints.pptxTans femoral Amputee : Prosthetics Knee Joints.pptx
Tans femoral Amputee : Prosthetics Knee Joints.pptx
 
Statistical modeling in pharmaceutical research and development.
Statistical modeling in pharmaceutical research and development.Statistical modeling in pharmaceutical research and development.
Statistical modeling in pharmaceutical research and development.
 
low cost antibiotic cement nail for infected non union.pptx
low cost antibiotic cement nail for infected non union.pptxlow cost antibiotic cement nail for infected non union.pptx
low cost antibiotic cement nail for infected non union.pptx
 
world health day presentation ppt download
world health day presentation ppt downloadworld health day presentation ppt download
world health day presentation ppt download
 
Glomerular Filtration and determinants of glomerular filtration .pptx
Glomerular Filtration and  determinants of glomerular filtration .pptxGlomerular Filtration and  determinants of glomerular filtration .pptx
Glomerular Filtration and determinants of glomerular filtration .pptx
 
Presentation on General Anesthetics pdf.
Presentation on General Anesthetics pdf.Presentation on General Anesthetics pdf.
Presentation on General Anesthetics pdf.
 
PULMONARY EMBOLISM AND ITS MANAGEMENTS.pdf
PULMONARY EMBOLISM AND ITS MANAGEMENTS.pdfPULMONARY EMBOLISM AND ITS MANAGEMENTS.pdf
PULMONARY EMBOLISM AND ITS MANAGEMENTS.pdf
 
The next social challenge to public health: the information environment.pptx
The next social challenge to public health:  the information environment.pptxThe next social challenge to public health:  the information environment.pptx
The next social challenge to public health: the information environment.pptx
 
April 2024 ONCOLOGY CARTOON by DR KANHU CHARAN PATRO
April 2024 ONCOLOGY CARTOON by  DR KANHU CHARAN PATROApril 2024 ONCOLOGY CARTOON by  DR KANHU CHARAN PATRO
April 2024 ONCOLOGY CARTOON by DR KANHU CHARAN PATRO
 
Big Data Analysis Suggests COVID Vaccination Increases Excess Mortality Of ...
Big Data Analysis Suggests COVID  Vaccination Increases Excess Mortality Of  ...Big Data Analysis Suggests COVID  Vaccination Increases Excess Mortality Of  ...
Big Data Analysis Suggests COVID Vaccination Increases Excess Mortality Of ...
 
PULMONARY EDEMA AND ITS MANAGEMENT.pdf
PULMONARY EDEMA AND  ITS  MANAGEMENT.pdfPULMONARY EDEMA AND  ITS  MANAGEMENT.pdf
PULMONARY EDEMA AND ITS MANAGEMENT.pdf
 
Informed Consent Empowering Healthcare Decision-Making.pptx
Informed Consent Empowering Healthcare Decision-Making.pptxInformed Consent Empowering Healthcare Decision-Making.pptx
Informed Consent Empowering Healthcare Decision-Making.pptx
 
Basic principles involved in the traditional systems of medicine PDF.pdf
Basic principles involved in the traditional systems of medicine PDF.pdfBasic principles involved in the traditional systems of medicine PDF.pdf
Basic principles involved in the traditional systems of medicine PDF.pdf
 
maternal mortality and its causes and how to reduce maternal mortality
maternal mortality and its causes and how to reduce maternal mortalitymaternal mortality and its causes and how to reduce maternal mortality
maternal mortality and its causes and how to reduce maternal mortality
 
Epilepsy
EpilepsyEpilepsy
Epilepsy
 

HIPAA HITECH Update 2014- Practical Effects and Enforcement Trends

  • 1. Aldo M. Leiva, Esq. Lubell Rosen, LLC Columbus Center 1 Alhambra Plaza Suite 1410 Coral Gables, Fl 33134 Phone: (305) 442- 9211 Fax: (305) 442-9047 Email: aml@lubellrosen.com www.lubellrosen.com HIPAA/HITECH Update: Practical Effects and Enforcement Trends Presented by Aldo M. Leiva, Esq. Data Security and Privacy Attorney for American Health Lawyers Association January 13, 2013 © 2014 Lubell Rosen, LLC
  • 2. OVERVIEW OF PRESENTATION ! HIPAA Omnibus Rule Key Provisions ♦  ♦  ♦  ! ! ! ! ! Breach Notification New Penalty Structure Business Associates Re-Defined Compliance Activities and Considerations OCR Audit Overview – Past and Future Latest Enforcement Actions Insurance Considerations Questions and Answers © 2014 Lubell Rosen, LLC
  • 3. HIPAA/HITECH OMNIBUS RULE ! ! Effective Date- March 26, 2013 Compliance Deadline- September 23, 2013 © 2014 Lubell Rosen, LLC
  • 4. HITECH ACT- KEY PROVISIONS ! ! ! ! ! Breach Notification Requirements New Penalty Levels Compliance Requirements for Business Associates (BAs) Audits Extended Enforcement by State AGs © 2014 Lubell Rosen, LLC
  • 5. BREACH NOTIFICATION REQUIREMENTS ( ! Old Requirements under Interim Final ! Rule Breach is event that “compromises the security or privacy of the protected health information” and “poses a significant risk of financial, reputational, or other harm to the individual.” © 2014 Lubell Rosen, LLC
  • 6. BREACH NOTIFICATION FINAL RULE (OMNIBUS) ! Any impermissible use or disclosure of protected health information is presumed to be a breach unless the regulated entity is able to demonstrate, through a risk assessment, that there is a low probability of compromise © 2014 Lubell Rosen, LLC
  • 7. FOUR FACTORS FOR RISK ASSESSMENT ! ! ! ! To whom the information was impermissibly disclosed Whether the information was actually accessed or viewed Potential ability of the recipient to identify the subjects of the data Whether recipient took appropriate mitigating action © 2014 Lubell Rosen, LLC
  • 8. TIERED PENALTY STRUCTURE ! ! ! ! Significant increase in penalties Reduction in number of Affirmative Defenses Mandatory penalties for all violations due to “willful neglect” Applies to violations occuring after February 18, 2009 © 2014 Lubell Rosen, LLC
  • 9. TIER 1- UNKNOWING ! ! ! CE or BA did not know and reasonably should not have known of the violation. $ 100 to $ 50,000 per violation Total of $ 1.5M for all violations of an identical requirement or prohibition occurring within the same calendar year © 2014 Lubell Rosen, LLC
  • 10. TIER 2- REASONABLE CAUSE ! ! ! CE or BA knew, or by exercising reasonable diligence would have known, that the act or omission was a violation, but the covered entity or business associate did not act with willful neglect $ 1,000- $ 50,000 per violation Total of $ 1.5M for all violations of an identical requirement or prohibition occurring within the same calendar year © 2014 Lubell Rosen, LLC
  • 11. TIER 3- WILLFUL NEGLECTCORRECTED ! ! ! The violation was the result of conscious, intentional failure or reckless indifference to fulfill the obligation to comply with HIPAA. However, the covered entity or business associate corrected the violation within 30 days of discovery. $ 10,000- $ 50,000 per violation Total of $ 1.5M for all violations of an identical requirement or prohibition occurring within the same calendar year © 2014 Lubell Rosen, LLC
  • 12. TIER 4- WILLFUL NEGLECTUNCORRECTED ! ! ! The violation was the result of conscious, intentional failure or reckless indifference to fulfill the obligation to comply with HIPAA, and the covered entity or business associate did not correct the violation within 30 days of discovery. At least $ 50,000 per violation Total of $ 1.5M for all violations of an identical requirement or prohibition occurring within the same calendar year © 2014 Lubell Rosen, LLC
  • 13. DEFENSE TO PENALTIES ! Penalty may not be imposed for violation that is not due to willful neglect and that is corrected within 30 days of actual or constructive knowledge of the violation, or during an additional period, as determined by the Secretary to be appropriate based on the nature and extent of the failure to comply © 2014 Lubell Rosen, LLC
  • 14. PRACTICE TIP CE or BA that discovers a violation of HIPAA that is not due to willful neglect should attempt to: (i) correct the violation within 30 days of the discovery; (ii) document the date on which it discovered the violation(s); and (iii) document the date on which it implemented the correction in order to establish a basis for asserting the affirmative defense to the imposition of penalty for the violation. ! © 2014 Lubell Rosen, LLC
  • 15. HHS DISCRETION ! ! HHS may waive a penalty for violations that are not due to willful neglect, in whole or in part, to the extent that the penalty is excessive relative to the violation. HHS has discretion to use other measures to address HIPAA violations, such as providing direct technical assistance or resolving possible noncompliance through informal means. © 2014 Lubell Rosen, LLC
CE AND BA LIABILITY
- A CE is liable for the violations of its business associates (BAs) that are its agents.
- A BA is liable for the acts of its agents (i.e., subcontractors).

BUSINESS ASSOCIATES RE-DEFINED
- A BA is a person or entity that "creates, receives, maintains or transmits protected health information on behalf of a covered entity."
- The new definition of BA includes records management companies that "maintain" records containing PHI, regardless of whether the records are accessed or reviewed.
- A BA is subject to the Rule if it has access to electronic or hard copy PHI.

BEFORE THE HITECH ACT
- Before HITECH, a BA was subject only to a breach of contract claim for violation of the BAA.
- 2009 - HITECH enacted: the BA was now directly liable for a PHI breach, but OCR agreed not to pursue enforcement actions against BAs until finalization of the Rule.
- Rule finalized: enforcement actions can commence as of September 23, 2013.

BA AGREEMENT TERMS
- Establish how the BA is permitted or required to use and disclose PHI; the BA must not use or further disclose PHI other than as permitted by or required by the BAA or by law.
- Use appropriate safeguards to prevent PHI from being used or disclosed other than as permitted by the BAA.
- Report to the CE if the BA learns of any unauthorized use or disclosure of PHI.

BA AGREEMENT TERMS (2)
- BAAs must also include a provision that allows the CE to terminate the underlying agreement if the BA violates a material term of the BAA.
- Ensure that subcontractors receiving PHI from the BA agree to the same restrictions on use and disclosure of PHI.

NO FORMAL BAA?
- The Omnibus Rule still applies.
- The BA must comply with the relevant HIPAA provisions irrespective of BAA terms or service contracts with customers.

BA VIOLATIONS
- BA does not contractually impose restrictions on subcontractors
- Fails to notify the CE of a security breach within 60 days
- Fails to implement any of the administrative, physical, and technical safeguards in the HIPAA Security Rule
- Fails to follow the "minimum necessary" standard
COMPLIANCE ACTIVITIES
- Develop and implement Privacy Policies
- Conduct periodic Risk Assessments
- Develop and adopt Email Policies
- Develop and adopt Mobile Device Policies
- Train employees
- Designate Privacy/Security Officers
- Update Notice of Privacy Practices
- Revise BA Agreements
- Adopt Breach Assessment/Notification Policies

AUDITS
- December 2012 - Pilot Audits Completed
- Evaluations of Pilot Program
- BAs to be audited as well

OCR AUDIT PLANS FOR 2014
- Streamlined audit process
- Expanded scope of Audits (to include BAs)
- OCR is hiring more auditors
- More audits are likely, with emphasis on BAs

PILOT AUDIT RESULTS
- "Small" CEs (< $50M in revenue) had more compliance issues (66% of deficiencies)
- Health care providers responsible for 81% of deficiencies
- Majority of deficiencies related to the Security Rule

PILOT AUDIT RESULTS (2)
- 80% of health care providers did not have a complete and accurate risk analysis
- Encryption - organizations deciding against encryption did not document the basis for doing so

AUDIT PROTOCOL
- Tool for Audit Preparation
- http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html
STATE AG ENFORCEMENT
- HITECH gave State Attorneys General authority to bring civil actions on behalf of state residents for violations of the HIPAA Privacy and Security Rules.
- State AGs may obtain damages on behalf of state residents or enjoin further violations of the HIPAA Privacy and Security Rules.

STATE AG PENALTIES
- Penalties are calculated by multiplying the number of violations by up to $100.
- Total penalties imposed for all violations of an identical requirement or prohibition during a calendar year may not exceed $25,000.
- The court, in its discretion, may award the costs of the action and reasonable attorney fees to the State.

ENFORCEMENT TRENDS
- As of June 30, 2013, OCR has investigated and resolved over 20,359 cases by requiring changes in privacy practices and other corrective actions by CEs.
- WellPoint pays $1.7M to settle potential violations (2013)
- Mass. Eye & Ear pays $1.5M to settle potential violations (2012)

ENFORCEMENT TRENDS (2)
- December 24, 2013 - OCR imposed a $150,000 penalty and corrective action plan
- CE reported a stolen UNENCRYPTED thumb drive with PHI to OCR and notified patients within 30 days
- OCR issued the penalty due to failure of the CE to:
  - conduct an adequate risk assessment of ePHI
  - adopt written policies and train personnel
  - reasonably safeguard the unencrypted thumb drive

ENFORCEMENT TRENDS (3)
- Barry University Data Breach - Dec. 31, 2013
- CE reported the data breach SEVEN MONTHS after a laptop was infected with malware
- Violation of HITECH Rules - individual notifications must be provided without unreasonable delay and in no case later than 60 days following discovery of the data breach

AUDIT TRENDS TO TRACK - 2014
- Much larger pool of entities subject to enforcement
- Likely that enforcement actions will increase
- BAs focusing on record storage and document destruction may be subject to more scrutiny due to the large volume of PHI potentially at risk
- OCR is hiring more auditors
- More audits are likely, with emphasis on BAs

AUDIT TRENDS TO TRACK - 2014 (2)
- OCR is requesting a budget increase
- OCR will use $4.5 million in collected HIPAA penalties to help fund the audit program
- OCR is seeking a contractor for a permanent audit program
- OCR Director Leon Rodriguez is slated to leave OCR for a post at Homeland Security
CYBERLIABILITY COVERAGE
- Review existing insurance policies
- Traditional D&O and E&O Policies may provide HIPAA coverage, unless excluded
- Consider additional coverage
- HIPAA Policies - investigations, defense costs, and penalties
- Consult with insurance coverage counsel

THANK YOU
Aldo M. Leiva, Esq.
Chair, Data Security and Privacy Practice
Lubell Rosen
One Alhambra Plaza, Suite 1410
Coral Gables, FL 33134
aml@lubellrosen.com
www.lubellrosen.com
Direct: (305) 442-9211