HIPAA Compliance Guide for Navigating Breaches and Risk Assessments

© 2013 Armstrong Teasdale LLP© 2013 Armstrong Teasdale LLP
HIPAA: Navigating the Labyrinth
Anna Selby
Diane Keefe
July 31, 2013

© 2013 Armstrong Teasdale LLP
Navigating the Labyrinth

Call From Employee
1) Staff Texting Nude Patient Photo.
• Patient is Identifiable.
• Hospital Name is visible on scrubs.
2) Nurses photograph x-ray.
• Post x-ray to Facebook.
• Nurse comments regarding patient.

HIPAA
 Regulations Apply to:
• Covered Entities (CE)
1) Providers
2) Health Plans
3) Clearinghouses
 Business Associates of CE’s
• Insurance Broker, Benefit Specialists
• Strategic Consultants

HIPAA Protects
PHI
PERSONAL HEALTH INFORMATION

PHI Uses & Disclosures
 OK to use PHI for:
1) Treatment
2)Payment
3) Health Care Operations
 General Rule: Other Uses Require an Authorization.

HIPAA Breach - New Definition
 A Breach is
1. Unauthorized acquisition, access, use or disclosure of
2. Unsecured PHI
3. Compromises the privacy or security of the PHI
 Presumption of Reportable Breach UNLESS
• CE determines there is a low probability the
• PHI has been compromised after risk assessment.

HIPAA Risk Assessment
 What is Compromised?
• Rule does not tell us.
 Must Perform Risk Assessment.

 4 Elements:
1. Nature and extent of PHI involved.
2. The unauthorized person who used PHI or to whom
disclosure was made.
3. Whether PHI was actually acquired or viewed.
4. Extent to which the risk to PHI has been mitigated.

 If you do not do a breach notification you
MUST do a Risk Assessment.
 DOCUMENT, DOCUMENT, DOCUMENT.

HIPAA Breaches
 CVS 2009-Pill bottles thrown in dumpsters.
• $2.25 Million Settlement
• No policies.
• No training.

HIPAA Breaches
 Million Dollar Subway Ride
• Massachusetts General Hospital employee leaves documents
on subway.
• PHI of 192 patients. (Included HIV/AIDS status)
• $1 Million Settlement.
 Stanford 2011. BA posts PHI on web.
• 20,000 patients X $1,000 = $20 Million

HIPAA Breaches
 WellPoint—July 11, 2013
 Left Accessible Information on Internet
 $1.7 Million Settlement
 600,000 Patients’ Information
 WellPoint failed to:
1) Have Policies to authorize access to PHI;
2) Perform technical evaluation of software & database;
3) Have technical safeguards to verify identify of persons
accessing PHI.

HIPAA Breaches-Laptops
 Sutter 2011. Stolen unencrypted laptop.
• 4 million patients X $1,000 nominal damages per patient.
• $1 Billion Potential Damages.
 UCLA 2011.
• Encrypted laptop stolen. Paper also stolen.
• 16,000 patients X $1,000
• $16 Million.

HIPAA Breaches-Hardware
 Blue Cross Blue Shield Tennessee 2012
• Self Reported 57 unencrypted hard drives stolen.
• 1 Million people. $1.5 Million Settlement.
 Pentagon 2011
• BA lost backup tapes, 4.9 Million Tricare beneficiaries.
• If damages are $1,000 per patient = $4.9 Billion.
• Attempted to use HIPAA for basis of claims.

Lawsuits Pending
 Plaintiffs claim HIPAA violations. (Negligence Per Se)
 Case law is not clear.
 We argue no private right of action.
 Motions to dismiss granted.
 Breach of Fiduciary Duty & Public Disclosure of Private Fact
claims remain.
 Each suit involved OCR investigation.

HIPAA Breach
 If you don’t need it for your job=Unauthorized.
Snooping.

Snooping
 There once was a girl …
 Later goes to psych ward at UCLA…
 People get curious.
 13 fired & 12 disciplined.
 OCR investigates $865,000
 No evidence PHI disclosed or sold.

Snooping
 Little Rock: News anchor in hospital.
 Physician watches news from home.
 Unit Coordinator & Billing employee.
 2 fired; physician suspended 2 weeks.
• Face prison & fine.
• Each had HIPAA training.
 Mom sues Hospital.
• AR SC allows outrageous behavior claim.

Yes, Someone Went to Prison.
 Researcher at UCLA
 Reviewed records 323 times in 3 weeks.
 His Boss,
 No Evidence PHI was Used or Sold.
 4 Months in Prison.

Breach Notifications < 500
 Breach
• Must Notify Individual(s)
− In Writing including what happened & steps taken.
− Within 60 days of date breach discovered.
• Notify HHS Secretary
 Don’t Delay.

Breach Notifications > 500
 Where a Breach Involves Greater than 500 Residents:
• Notify Individuals in Writing
• Notify HHS Secretary
• Notify Media
− Press Release to “Prominent” media outlets.
− Within 60 days.

Penalties-Civil
 Per identical violation in a calendar year:
Did Not Know: $100 up to $25,000
Willful Neglect Uncorrected: $50,000 up to $1,500,000
Willful Neglect: Conscious, intentional failure or reckless
indifference.
 Can be Per Record.
 Extend to BA’s.
 Can impose penalty without seeking informal resolution.

Penalties-Criminal
 People that knowingly obtain or disclose PHI:
• Up to $50,000 AND 1 year imprisonment.
 With False Pretenses:
• Up to $100,000 AND 5 years.
 With Intent to sell or use for personal gain or malicious harm:
• Up to $250,000 AND 10 years.

When a Breach Occurs:
 Call Us.
 What We Can Do:
• Walk you through whether it is reportable.
− Multiple factors.
• Advise during investigation.
• Assist with Proactive Prevention.

What Can/Should be Done to Comply?
 Most obvious
• Modify your Business Associate Agreements
• Modify your Notice of Privacy Practices
 Not so obvious…
• Conduct a Risk Assessment
• Review, evaluate and update polices and procedures
• Educate and train staff/employees

Modifications to the BAA’s
 A statement that the Business Associate (“BA”) now needs to
comply with the administrative, physical, and technical
components of the Security Rule
• Should also reflect that the BA is required to implement and
maintain compliance with the administrative, physical, and
technical components of the Security Rule

Modifications to BAAs
 A statement that the BA must report to the Covered Entity any
breach of unsecured PHI (in addition to any unauthorized use or
disclosure)
• Should reflect exactly what the BA should do in order to notify the
Covered Entity of the breach:
− Date of incident
− Date of discovery of incident (if different than above)
− Categories of the affected information
− Individual(s) who were affected
− Steps for mitigation
− Steps for prevention

 A statement that the BA must ensure that any subcontractor
will agree to the same restrictions and conditions that apply
to the BA
• In other words, BAs now need to enter into BAAs with
subcontractors
 A statement requiring the BA to implement a system for
documenting and recording uses and disclosures in
compliance with the Security Rule
 A statement that provides for retention of information for 6
years from the date of the disclosure

 Other Aspects to Consider
• Liability is determined on Agency principles, so a statement
that reflects the status of the parties
• Consider modifying or adding insurance requirements
• Consider modifying or adding limitations of liability and
indemnification provisions

 Compliance Deadline
• depends on whether there is an existing BAA or whether
there will be a new BAA entered into between the parties
− If existing BAA, then September 22, 2014
− If no existing BAA, then September 23, 2013

Modifications to Notice of Privacy Practices
 Must now include statements regarding the Sale of PHI
 Must now include statements regarding marketing and other
purposes that require an authorization
 Must now include statement that an individual can opt out of
fundraising communications/efforts

Modifications to Notice of Privacy Practices
 Must now include statement that the Covered Entity must
agree to restrict disclosures to health plans if the individual
pays out of pocket in full for the health care service
 Must now include a statement about an individual’s right to
receive breach notifications

Conducting a Risk Assessment
 Elements of a general risk assessment include:
1. Identify the scope – what are potential risks and
vulnerabilities to your organization?
2. Identify where all the PHI is stored, received, maintained
or transmitted
3. Assess current security measures:
− Do you utilize encryption software?
− Are passwords used and changed frequently?
− Are firewalls used?
− Are mobile devices protected?

 Other Aspects:
• Determine likelihood of the occurrence of a threat
• Determine the potential impact of that threat
• Determine the level of risk
 Which becomes a mathematical equation…
• Vulnerability x likelihood x impact = level of risk
 Which can then assist in the mitigation that risk

Threat Source Terminated EE Calculation
Threat Unauthorized Access to Patient
Information
Vulnerability No formal process in place to notify
the IT department when ee’s are
terminated and periodic reviews
are not performed
3
Likelihood Removal of access for terminated
ee has not been performed
3
Impact PHI is viewed, altered or destroyed 3
Risk Disgruntled ee gains unauthorized
access to PHI after termination,
deleting records
Total = 27
Risk Mitigation IT implements daily automated
program to read ee database in
payroll system and automatically
removes access to network and
application systems for terminated
ees
Risk is now significantly reduced

Reviewing/Updating Policies and Procedures
 Update policies and procedures on breach notification and
integrate into the policy the four factors of whether a breach
occurred by a risk assessment:
1. Nature and extent of the PHI involved
2. The unauthorized person who used the PHI or to whom the
disclosure was made
3. Whether PHI was actually acquired or viewed
4. Extent to which the risk has been mitigated

 Use and disclosure of PHI for marketing
• Requires determination of what is and is not considered
marketing
• Once that determination is made, then clarify the policy to
reflect what requires an authorization from the individual
 Sale of PHI
• Selling an individual’s PHI without an authorization is
prohibited

 Electronic Access to PHI
• May require revisions to job descriptions to clearly delineate who
has access and in what situation
• May require revisions to IT policies and procedures
 Requests for Restrictions
 Use and disclosures of decedent information
 Social media and cell phone policies

 Covered entities may use any security measures that allow
them to reasonably and appropriately implement the HIPAA
regulations. So, in determining whether to draft new or
revise old policies and procedures, you should consider:
• Size, complexity, and capabilities of the Covered Entity
• Technical infrastructure, hardware, and software
• Costs
• Likelihood and impact of risks or potential risks, i.e., risk
assessment

Educate and Train Staff/Employees
 Must ensure that the policies and procedures reviewed,
revised, and/or created are implemented by staff/employees.
 Sign-in sheets should be passed around so attendance of staff
members/employees is documented
 Staff/Employee training must be conducted at the following
intervals:
• At the start of employment
• Annual basis
 If staff/employees do not apply these policies to their
everyday practice, then organizations are at risk!

Questions?
Anna Selby
314.552.6616
aselby@armstrongteasdale.com
Diane Keefe
314.259.4731
dkeefe@armstrongteasdale.com

HIPAA Compliance Guide for Navigating Breaches and Risk Assessments

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (16)

Semelhante a HIPAA Compliance Guide for Navigating Breaches and Risk Assessments

Semelhante a HIPAA Compliance Guide for Navigating Breaches and Risk Assessments (20)

Mais de Armstrong Teasdale

Mais de Armstrong Teasdale (20)

Último

Último (20)

HIPAA Compliance Guide for Navigating Breaches and Risk Assessments