Anatomy of a HIPAA Breach

Maureen D’Agostino, SVP, Quality, Service and Performance Excellence
Colleen McClorey, Associate General Counsel, University of Michigan Health System Legal Office

Mar 28, 2015

Transcript
Page 1

Anatomy of a HIPAA Breach

Maureen D’Agostino, SVP, Quality, Service and Performance Excellence

Colleen McClorey, Associate General Counsel, University of Michigan Health System Legal Office

Page 2

I. Omnibus HIPAA Changes
   A. Breach notification
   B. Business Associates and Subcontractors
   C. Agency
   D. Enforcement

II. Determining Breach
   A. Day to Day
   B. Electronic Perils
      1. EMR; Laptops; Social Media
      2. Encryption
      3. Administrative, Technical, Physical Safeguards
   C. Other Horror Stories

III. What To Do
   A. Management Strategies
      1. Training; Notice of Privacy Practices
      2. Data Needed
      3. Privilege vs. Non-privilege
      4. Investigation
   B. OCR Response

Page 3

Important Dates – Omnibus Rule

Published in Federal Register – January 25, 2013

Effective Date – March 26, 2013

Compliance Date – September 23, 2013

Transition Period to Conform BA contracts – Up to September 22, 2014, for Qualifying Contracts

Page 4

Breach Notification

Revised definition of breach

Revised risk assessment approach

CE or BA must rebut presumption of breach

Focus on harm to data rather than to individual

How will this work??

Page 5

Considerations

The nature and extent of the PHI involved

The unauthorized person who used, accessed or received the PHI

Whether the PHI was actually acquired or viewed

The extent to which the risk to the PHI has been mitigated

Page 6

Business Associates and Subcontractors

Revised definition of “business associate”

Subcontractors “all the way down the chain” are now BAs

BAs and subcontractors directly liable under HIPAA

BAAs still required – but how to revise?

Staggered deadlines for new BAAs

Page 7

Business Associates and Subcontractors

Reassessment of existing BA relationships

BAs with direct access to ePHI

BA liability considerations

“Satisfactory assurances” regarding safeguarding of PHI by subcontractors

Page 8

Agency

Agency relationship affects liability and breach notification timing for CEs and BAs

Use federal common law of agency
◦ Who controls conduct?
◦ Will more control = more liability?

Page 9

Enforcement

Makes permanent the increased CMP amounts and tiered levels of culpability from the 2009 IFR

Clarifies “reasonable cause” tier

Willful neglect cases do not require informal resolution

Intentional wrongful disclosures may be subject to civil, rather than criminal, penalties

Audit authority is added

Page 10

Common Breach Pitfalls

Faxes can lead to extortion! Before faxing:

◦ Confirm you have the correct number and it is entered correctly

◦ Review and update programmed numbers on a regular basis

◦ Use an appropriate cover sheet with a confidentiality clause on it and a contact number at your site

After faxing:

◦ Confirm receipt by contacting the receiving party; do not simply rely on the fax machine transmission report

◦ Promptly retrieve improperly faxed documents if possible

Special Alert: monitor and update auto-fax numbers embedded in EHRs and other record systems/software – these are often easily forgotten – e.g., auto fax of record to PCP from specialist’s office, lab or radiology

Page 11

Common Breach Pitfalls

Medical record release can lead to extortion too, and $’s:

◦ Record copy given/sent to wrong party

◦ Record copy sent contained another patient’s information that was not found or corrected from an entry error or registration error

◦ Incorrect patient selection at registration due to common first and last names – train registration to ask the patient for information and not simply recite file information to the patient; registration should request photo ID and compare information/picture to the presenting patient

◦ Discharge instruction with demographic information given to wrong patient

◦ Patient wristband with some data present given to wrong patient due to registration error

Page 12

Common Breach Pitfalls – EMR

Caution 1: The pitfalls mentioned are HIPAA/HITECH issues but, even more important, clinical issues. Patient identification verification at all levels is critical to minimizing the impact of human error.

Caution 2: OCR complaint investigator demanded copies of discharge instructions and a sample of wristbands, looking for demographic information to evaluate risk to the patient.

Caution 3: Bolt-on systems/software and interfaces to the main EMR often make record correction difficult and labor intensive.

Caution 4: Allegations of neglect and abuse require special handling of vulnerable adult and minor records to protect the patient post-hospitalization. Flagging sensitive records may be the only means of identifying these records such that the record service knows to take precautions before release.

Page 13

Common Breach Pitfalls – After the Elevator!

Patient Bedside Verbal Breaches

Speaking with family or friends present without determining patient wishes

Assuming all care conversations may occur in front of family or friends based on past patient response – even ones with sensitive information?

Not inquiring about a person’s relationship to the patient in surgical waiting – assuming the person is family!

Having clinical conversations while the family of the patient in the next bed is present, never politely requesting them to leave the room

Staff not asking the patient for permission to talk with family and friends present, and later finding this was not acceptable when the OCR complaint inquiry comes

Page 14

Determining a Breach – FAX Case

Analyze telephone/fax number and address used in “fax to” – authorized person (physician, clinic, etc.) or not (commercial business, home). Reverse look-ups are often helpful

Identify person who holds information if different from above

Identify type of document and contents; check audit trails if you have a staff name

◦ Was demographic, clinical or other identification information accessed or released? Recall the Medicare beneficiary number is the SS# with only a modest change – an alphabetic letter typically!

Locate where the fax or record was sent from (“fax from”) – not always easy with trunk lines and auto fax built into the record system

Retrieve incorrectly faxed information if possible, even if that means going to the home or business yourself

Determine approx. length of time in wrong person’s possession

Assuming identifying or clinical data was compromised, was there opportunity for the unauthorized party to retain the documents, and does this present risk to the patient? Our latest interactions suggest OCR takes a near worst-case-scenario perspective

Following the internal assessment that there is risk to the patient, notify the patient. What do you offer with notification (free credit checks)?

Take and document remedial actions (policy, protocols, system changes, education, discipline) as appropriate.

If unable to pinpoint fax locations, have IT/Telecommunications disable the erroneous fax phone number – this prevents call out. Effective disabling may require disabling the number in all trunk lines or “switches,” not just the one thought to be involved

DON’T PAY THE RANSOM! File your lawsuit to retrieve documents and get a restraining order to put risk on the party if there is further disclosure! We did agree to pay for the expense of ink and paper.

Finally, don’t forget to file your report with OCR. FYI, in one case OCR, in the complaint notification letter, advised they would expect a report to be filed.

Page 15

Determining a Breach – Basics

Starts with the complaint or is raised by an audit question

Complaint drives next steps in analysis

Audit may reveal what appears to be excessive access, printing or ‘break the glass’ activity – little or no charting

Evaluate job duties, assignment, hours of work and/or work unit

Determine type of access: was it for treatment, payment or operations (“TPO”)?

Did the access/disclosure comply with ‘need to know’ and/or the minimum necessary rule, if applicable?

If unauthorized access/disclosure occurred or likely occurred based on the above, did the access/disclosure present risk, or better, did the access/disclosure fit within the HIPAA/HITECH definition of breach?

If yes, take action to minimize risk to the patient, consistent with HIPAA/HITECH and organizational policy and past practice

Be mindful not to violate, by policy or practice, NLRA General Counsel opinions on ‘concerted activity.’ Focus only on the HIPAA/HITECH rule issues, not on dialogue that ties to conditions of work or discussion of the work environment

File the breach report with OCR as required. Recommend doing breach reports, including those that fall below the 500-person level, at the time of the breach determination even though you may file an annual report. Data is readily at hand and facts are fresh in mind, and filing on a case-by-case basis is more efficient than re-reviewing cases at year end

Page 16

Electronic Perils

EMR; Laptops; Social Media (employees’ rights under the NLRA)

Guidance
◦ Policies and Procedures
◦ Security Protocols
◦ BAAs
◦ Audit

Encryption

Page 17

Administrative, Technical and Physical Safeguards

Firewalls, tracking devices, strong password controls, tools that will activate to destroy hard drives

Page 18

Breaches Involving the Feds

Government agency makes an appointment to come in to talk to the Compliance Officer; the agents are wearing guns

Presents a subpoena for documents

Gives little information about the reason

Does state that other government agencies are involved

Presents a list of patient names (300) to verify that yes, they were our patients

Page 19

Federal Breaches

Gives us 2 weeks to confirm patients and compile all documents in the subpoena, including sequestering the computer and making a “forensic” copy of all drives and memory

An encrypted, secured government email for document delivery

Page 20

So How Did This Happen

Management level employee

As part of their job, has access to patient demographics

Selectively, based on diagnoses, steals their demographics and passes the information on to a third party outside the organization

Third party submits fraudulent documents and receives government reimbursement

Page 21

Continued

Additional names begin to reach close to, or may exceed, the 500 required to do a report to OCR. Question: are these 500 distinct events, or does this trigger the 500 rule in HIPAA/HITECH for OCR notification purposes, let alone public notice?

Government agency allows us to conduct our own internal investigation (beware of the obstruction argument) and to do whatever we thought appropriate with the employee

Also told to record all conversations.

Investigation is quickly done and employee is fired

Page 22

Continued

Employee office was searched and computer and files confiscated.

All electronic sign-ons were immediately closed down prior to termination.

Multiple patient demographics found that the employee would have no reason to have

As employee is exiting, states, “I guess I got caught up with the wrong crowd”

Page 23

Continued

Open felony investigation

Government agency states it may take years to conclude.

Also states, “that we are way down the road in the investigation for us to come here”

So how did the agency pick up on this: an agent noticed the same name at the same address was too frequent, and many were elderly!

Internal investigation is on hold because we are not allowed to disturb the forensic information

Page 24

Strategies: How to Manage

Training from entry level position to executives, including physicians, which includes privacy and security policies and process

Monitoring – continuous audit trails of electronic information, such as break the glass, same last name, address proximity locator, frequency and breadth of access, and printing quantification

Hiring: entry into the workplace because of data access, not because of healthcare interest – think identity theft.

Firewall protection

Attorney-Client Privileged information versus non-privileged – assess the potential damage, anticipate poor outcomes and negative results, media implications, regulatory implications and investigations

How to determine if you need an investigation – start with a review or probe of information; if you can’t conclude, then full investigation

How to conduct one for EHR (non-fax) – audit reports, complaint typically received, who accessed and what they accessed along with their role, personnel who accessed, their organizational role (think in terms of TPO: treatment, payment and operations), conduct interviews, take action as appropriate with employee
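The monitoring signals on this slide (and the audit-review steps on the “Determining a Breach – Basics” slide) as an added Python example, not part of the original presentation: it runs those heuristics over constructed audit rows. The row layout, the role baselines and the thresholds are assumptions, not any EHR’s actual audit format.

```python
from collections import defaultdict

# Constructed audit rows (not from any real EHR):
# (user, user_last_name, user_home_address, action, patient_id, patient_last_name, patient_address)
AUDIT = [
    ("u1", "Lopez", "9 Elm St", "btg",   "p100", "Ng",    "4 Oak Ave"),    # break-the-glass, never charted
    ("u1", "Lopez", "9 Elm St", "view",  "p101", "Lopez", "9 Elm St"),     # same last name and address as user
    ("u1", "Lopez", "9 Elm St", "print", "p102", "Kim",   "1 Pine Rd"),
    ("u1", "Lopez", "9 Elm St", "print", "p103", "Shah",  "5 Ash Ct"),
    ("u1", "Lopez", "9 Elm St", "print", "p104", "Diaz",  "2 Birch Way"),
    ("u1", "Lopez", "9 Elm St", "print", "p105", "Diaz",  "2 Birch Way"),
    ("u1", "Lopez", "9 Elm St", "view",  "p106", "Hall",  "2 Birch Way"),  # third patient at one address
    ("u2", "Chen",  "3 Fir Ln", "btg",   "p200", "Roy",   "7 Cedar Rd"),   # break-the-glass followed by charting
    ("u2", "Chen",  "3 Fir Ln", "chart", "p200", "Roy",   "7 Cedar Rd"),
]
# Assumed role assignments and per-review-window baselines: (max distinct patients, max prints)
ROLE = {"u1": "registration", "u2": "nurse"}
BASELINE = {"registration": (5, 3), "nurse": (12, 10)}
SAME_ADDRESS_MIN = 3  # distinct patients at one address before it merits a look

def review(audit, roles=ROLE, baseline=BASELINE):
    """Return {user: [finding, ...]} for users whose access pattern needs follow-up."""
    per_user = defaultdict(list)
    for row in audit:
        per_user[row[0]].append(row)
    findings = {}
    for user, rows in per_user.items():
        flags = []
        charted = {r[4] for r in rows if r[3] == "chart"}
        by_address = defaultdict(set)
        for _, u_last, u_addr, action, pid, p_last, p_addr in rows:
            by_address[p_addr].add(pid)
            if action == "btg" and pid not in charted:  # emergency access with no care documented
                flags.append(f"break-the-glass on {pid} with no charting")
            if p_last.casefold() == u_last.casefold():
                flags.append(f"patient {pid} shares the user's last name")
            if p_addr.casefold() == u_addr.casefold():
                flags.append(f"patient {pid} shares the user's home address")
        for addr, pids in by_address.items():  # the "same address too frequent" signal
            if len(pids) >= SAME_ADDRESS_MIN:
                flags.append(f"{len(pids)} distinct patients at {addr}")
        distinct = len({r[4] for r in rows})
        prints = sum(r[3] == "print" for r in rows)
        max_patients, max_prints = baseline[roles[user]]  # judge volume against the role (TPO need)
        if distinct > max_patients:
            flags.append(f"breadth: {distinct} distinct patients exceeds {max_patients} for role")
        if prints > max_prints:
            flags.append(f"printing: {prints} prints exceeds {max_prints} for role")
        if flags:
            findings[user] = flags
    return findings

if __name__ == "__main__":
    for user, flags in review(AUDIT).items():
        print(f"{user} ({ROLE[user]}):")
        for flag in flags:
            print("  -", flag)
```

Each finding is a lead for the human review the slides describe (job duties, TPO purpose, interviews), not a breach determination by itself.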

Page 25

Notice of Privacy Practices

Providers and plans must update NPPs
◦ Authorization required for disclosure of psychotherapy notes, marketing communications, sale of PHI
◦ Right to breach notification
◦ Right to opt out of fundraising
◦ Right to restrict disclosure to plans
◦ Most plans cannot use genetic info to make underwriting decisions

Page 26

Notice of Privacy Practices – General

Clarifications on delivery of revised NPPs by providers and plans

More time likely required to change underlying policies and train than to revise NPPs

Page 27

Attorney/Client Privilege – When to Use It

Page 28

Investigation

Central point of contact

Follow-up

Set time frames

Try to complete and notify within a reasonable time (30 days)

Page 29

Page 30

Questions?