CCPA Seminar: A HIPAA UPDATE September 11, 2012 Pamela H. Del Negro Robinson & Cole LLP 1


Dec 25, 2015

Page 1: CCPA Seminar: A HIPAA UPDATE September 11, 2012 Pamela H. Del Negro Robinson & Cole LLP 1.

1

CCPA Seminar: A HIPAA UPDATE

September 11, 2012

Pamela H. Del Negro

Robinson & Cole LLP

Page 2

Agenda

• HIPAA Overview
• HIPAA Audit Protocols
• What to include in your HIPAA Policies and Procedures Manual
• HIPAA Training for Employees and Staff
• Recent Enforcement Efforts and Upcoming Regulatory Updates

Page 3

HIPAA PRIVACY

Page 4

WHAT INFORMATION IS PROTECTED UNDER HIPAA?

• Protected Health Information (“PHI”) is individually identifiable health information in any form that relates to the health or condition of an individual or the payment for health care

• Does not include de-identified information or employment records

Page 5

PERMITTED USES AND DISCLOSURES OF PHI

• To the individual
• Treatment, payment & health care operations
• Pursuant to valid authorization
• Business associates

Page 6

DISCLOSURE PERMITTED AFTER OPPORTUNITY TO AGREE OR OBJECT

• Facility directory (sign-in sheet/hospital log)
– Disclose limited information (e.g., name, location in facility, general description of condition, religious affiliation, etc.)
• Persons involved in care
– If patient is present, ask whether disclosure is permitted
– If patient is not present, use professional judgment, infer from circumstances
– Limit disclosure to information directly relevant to such person’s involvement

Page 7

USES AND DISCLOSURES WITHOUT AUTHORIZATION

Under limited circumstances, the following uses and disclosures do not require authorization or opportunity to object:

• Decedent’s Information
• Organ/Tissue Donation
• Avert a Serious Threat to Safety
• Specialized Government Functions
• Research (if IRB waives requirement)
• Workers’ Compensation
• Public Health Activities
• Reporting Victims of Abuse, Neglect, or Domestic Violence
• Health Oversight
• Judicial or Administrative Proceedings
• Law Enforcement Purposes

CONSULT STATE LAW!

Page 8

AUTHORIZATION

• A more specific and detailed form of permission designed to allow other uses or disclosures of PHI

• Required for all uses and disclosures not specifically permitted by HIPAA and required for uses or disclosures of certain sensitive information

• Individual has a right to revoke the authorization
• Generally cannot condition treatment on the individual providing an authorization
• Not necessary if special circumstances (e.g., emergency) apply

Page 9

HOW MUCH PHI CAN I USE OR DISCLOSE?

• In general, must make reasonable efforts to limit the use or disclosure of PHI to the minimum necessary

• Comply with policies and procedures that limit the amount of information to the minimum necessary to perform your job

• Your job description may limit your level of information access

Page 10

HOW MUCH PHI CAN I USE OR DISCLOSE?

• Special rules:
– Treatment purposes – no limits
– Authorized disclosures – limited to the terms of the authorization
– To the individual – no limits
– Compliance purposes – no limits
– Other legally required disclosures – as limited by law

Page 11

PERSONAL REPRESENTATIVES

• Person with authority to act on behalf of individual, for example:
– Parent of a minor
– Court appointed guardian/conservator

• Has all rights of individual with respect to relevant PHI

Page 12

ABUSE, NEGLECT, AND ENDANGERMENT

• May choose not to treat a person as an individual’s personal representative if:
– Not in the individual’s best interest, and
– The individual is suspected to be a victim of abuse or neglect by the personal representative, or
– Treating the person as the personal representative could endanger the individual

Page 13

VERIFICATION

• Verify the identity of a person requesting information and determine that the person has the authority to receive the information

Page 14

PRIVACY OFFICER

• DUTIES OF THE PRIVACY OFFICER (OR AS DELEGATED)
– Develop Privacy Policies and Procedures
– Coordinate with administration to implement privacy requirements
– Develop administrative, technical, and physical safeguards
– Maintain documentation and records for required time periods
– Conduct periodic audits
– Serve as a privacy consultant
– Serve as liaison to government oversight agency
– Receive (as contact person) and respond to individual complaints
– Attempt to mitigate harm caused by improper disclosures

Page 15

NOTICE OF PRIVACY PRACTICES

• Must be provided to all individuals prior to service delivery

• Identifies the types of uses and disclosures that are permitted and required by you

• Sets forth description of individual’s rights

• States your duties to maintain the confidentiality of the PHI

• Outlines the process for an individual to submit a complaint concerning a suspected privacy violation

Page 16

ACKNOWLEDGMENT /CONSENT FORM

• Patient acknowledges receipt of Notice of Privacy Practices

• Consent to use for treatment, payment and health care operations

• Not the same as an Authorization

Page 17

RIGHTS OF INDIVIDUALS

• Basic rights of individuals under HIPAA
– Access
– Amendment
– Accounting of disclosures
– Restrictions on use and disclosures
– Confidential communications
– Complaint process

Page 18

RETALIATION AND WAIVER

• Retaliation: You may not intimidate, threaten, coerce, discriminate against or take retaliatory action against another person for:
– Exercising a right provided by HIPAA
– Filing a complaint with OCR
– Assisting in a HIPAA-related investigation or hearing
– Opposing any act unlawful under HIPAA

• Waiver: You may not require individuals to waive rights to file a complaint under HIPAA as a condition of treatment.

Page 19

BUSINESS ASSOCIATES

• Perform functions, activities or services on behalf of covered entities involving the use or disclosure of PHI, including:
– Functions or Activities
  • Claims processing or administration
  • Data analysis
  • Utilization Review
  • Quality Assurance
  • Billing
  • Benefit Management
  • Practice Management
– Services
  • Legal
  • Actuarial
  • Accounting
  • Administrative
  • Financial

Page 20

PENALTIES

• Civil Penalties
– Unknowingly – $100/violation
– Reasonable cause – at least $1,000/violation
– Willful neglect – HHS will conduct an investigation
  • If willful neglect but corrected, no less than $10,000, not to exceed $50,000
  • If not corrected, $50,000 per violation, not to exceed $1,500,000/year
– State Attorney General
• Criminal Penalties (e.g. intent to sell)

Page 22

Breach Notice Requirement

• Part of HITECH
• Notify each individual whose Unsecured PHI has been or is reasonably believed to have been accessed, acquired, used or disclosed as a result of a breach of Unsecured PHI (“Affected Individual”)

• “Unsecured PHI” is any PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized individuals through encryption or destruction

Page 23

Definition of Breach

• “Breach” is the unauthorized acquisition, access, use or disclosure of PHI that (i) violates the HIPAA privacy rules and (ii) compromises the security or privacy of such PHI

• “Compromises the security or privacy of PHI” = poses a significant risk of financial, reputational, or other harm to the Affected Individual

Page 24

Definition of Breach (cont.)

• Exclusions to definition of “breach”
– Unintentional acquisition/access/use of PHI by a workforce member or individual acting under the authority of a covered entity or business associate if:
  • made in good faith
  • within the course and scope of authority
  • does not result in further use or disclosure

Page 25

Definition of Breach (cont.)

• Exclusions (cont.)
– Inadvertent disclosures by individual authorized to access PHI to another individual authorized to access PHI at the same entity and such information is not further used or disclosed
– Disclosure with good faith belief that the unauthorized individual to whom PHI has been disclosed would not reasonably have been able to retain the information
• Document the reasons why such use or disclosure satisfies the respective exception

Page 26

Risk Assessment

• Fact specific analysis that varies with each impermissible use or disclosure

• If there is less than a significant risk of harm then no notice is required

• Document risk assessments

Page 27

When a Breach is Considered Discovered

• As of the first day the breach is known or, by exercising reasonable diligence, would have been known
• Knowledge of workforce member or agent is imputed

Page 28

Content of Notice

Covered entities must provide breach notices that are written in plain language and include:

• What happened
• Types of Unsecured PHI involved (e.g. full name, SSN)
• Steps the Affected Individuals should take to protect themselves from potential harm
• Covered entity’s actions to investigate the breach, mitigate harm to the Affected Individual, and protect against any further breaches

• Contact procedures that Affected Individuals can use to ask questions or learn additional information

Page 29

Delivery of Notice

• Sent by first-class mail (or by electronic mail if the Affected Individual has specified such preference)
• “Without unreasonable delay,” but no later than 60 days after the discovery of such breach
• No current contact information for one or more Affected Individuals: notify through substitute form as soon as reasonably possible
– Less than 10 Affected Individuals
  • Alternative written means
– More than 10 Affected Individuals
  • Conspicuous posting for a period of 90 days on home page of Web site or in major print or broadcast media

Page 30

Notice to HHS and Media Outlets

• Less than 500 Affected Individuals
– Maintain a log of breaches
– Notify HHS of breaches within 60 days after the end of the calendar year, in the manner specified on the HHS website
• More than 500 Affected Individuals
– Notify HHS contemporaneously with the notice provided to the Affected Individuals
– If the Affected Individuals reside in the same state:
  • Notify prominent media outlets serving the state
  • Written notice to the Affected Individuals
  • Notify HHS of such breach
• HHS to specify on its Web site the information that covered entities must submit to HHS and how such information should be submitted to HHS

Page 31

Business Associate Requirements

• Notify covered entity upon discovery of breach of Unsecured PHI

• “Without unreasonable delay” and in no case later than 60 days after discovery of breach

• Identity of each individual subject to breach

• Provide other available information that covered entity is required to include in notice to Affected Individual

• Provide information even if not available until after notifications have been sent to Affected Individuals or after 60-day period has elapsed.

Page 32

Delaying Notice

• Delay if law enforcement official determines that providing notice would impede a criminal investigation or cause damage to national security

• If notice of delay is provided in writing and includes length of time that notice must be delayed, delay providing notice for time specified

• If notice of delay is given orally, document statement and identity of official and delay notification for no longer than 30 days, unless written statement is provided

Page 33

Step-by-Step Analysis

• Practical steps when determining whether a breach of Unsecured PHI has occurred:

Step 1: Determine whether there has been an impermissible use or disclosure of PHI that would violate the HIPAA privacy rules

Step 2: Perform a risk assessment to determine harm

Step 3: Determine whether exception to definition of “breach” applies

• If there has been a breach of Unsecured PHI, provide appropriate notice
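The three steps above, combined with the delivery, HHS/media and law-enforcement-delay rules from the preceding slides, as an added Python example (this is not part of the seminar materials). It encodes the thresholds as the slides state them; the boundary values (exactly 10 or exactly 500 Affected Individuals), the treatment of a permitted law-enforcement delay as extending the 60-day clock, and all sample facts are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, Tuple


@dataclass
class BreachFacts:
    """Facts gathered during the step-by-step analysis (all values are constructed inputs)."""
    discovered: date                   # first day known, or would have been known with reasonable diligence
    violates_privacy_rule: bool        # Step 1: impermissible use or disclosure of PHI?
    significant_risk_of_harm: bool     # Step 2: outcome of the documented risk assessment
    exception_applies: bool            # Step 3: one of the documented exclusions applies?
    unsecured: bool                    # PHI was not encrypted or destroyed
    affected: int                      # number of Affected Individuals
    same_state: bool = True            # Affected Individuals reside in the same state
    missing_contact_info: int = 0      # Affected Individuals with no current contact information
    le_delay_days: int = 0             # delay requested by a law enforcement official (0 = none)
    le_delay_in_writing: bool = False  # request was written and states the length of the delay


@dataclass
class Obligations:
    breach: bool
    reason: str
    delay_applied: int = 0
    individual_deadline: Optional[date] = None
    substitute_notice: Optional[str] = None
    hhs_notice: Optional[str] = None
    hhs_deadline: Optional[date] = None
    media_notice: bool = False


def is_breach(f: BreachFacts) -> Tuple[bool, str]:
    """Steps 1-3 of the slide's analysis; returns (breach?, reason to document)."""
    if not f.violates_privacy_rule:
        return False, "no impermissible use or disclosure under the privacy rules"
    if not f.significant_risk_of_harm:
        return False, "less than significant risk of harm; document the risk assessment"
    if f.exception_applies:
        return False, "exclusion from the definition of breach applies; document why"
    if not f.unsecured:
        return False, "PHI was rendered unusable (encrypted or destroyed); notice rules do not apply"
    return True, "breach of Unsecured PHI: notice required"


def law_enforcement_delay(f: BreachFacts) -> int:
    """Written request: delay for the stated period. Oral request: at most 30 days."""
    if f.le_delay_days <= 0:
        return 0
    return f.le_delay_days if f.le_delay_in_writing else min(f.le_delay_days, 30)


def assess(f: BreachFacts) -> Obligations:
    """Derive the notice obligations and deadlines from the gathered facts."""
    breach, reason = is_breach(f)
    out = Obligations(breach=breach, reason=reason)
    if not breach:
        return out
    out.delay_applied = law_enforcement_delay(f)
    # Individual notice: no later than 60 days after discovery (assumed here to be
    # extended by any permitted law enforcement delay).
    out.individual_deadline = f.discovered + timedelta(days=60 + out.delay_applied)
    if f.missing_contact_info > 0:
        # Slides say "less than 10" vs "more than 10"; exactly 10 is treated as the larger case (assumption).
        out.substitute_notice = ("alternative written means" if f.missing_contact_info < 10
                                 else "conspicuous 90-day posting on the Web site home page or major print/broadcast media")
    if f.affected < 500:
        # Log the breach and report it to HHS within 60 days after the end of the calendar year.
        out.hhs_notice = "log the breach; annual submission to HHS"
        out.hhs_deadline = date(f.discovered.year, 12, 31) + timedelta(days=60)
    else:
        # Exactly 500 is treated as the larger case (assumption); HHS is notified with the individuals.
        out.hhs_notice = "notify HHS contemporaneously with the individual notices"
        out.hhs_deadline = out.individual_deadline
        out.media_notice = f.same_state  # prominent media outlets serving the state
    return out


if __name__ == "__main__":
    # Constructed scenario: an unencrypted device is lost and the loss is discovered on the seminar date.
    facts = BreachFacts(discovered=date(2012, 9, 11), violates_privacy_rule=True,
                        significant_risk_of_harm=True, exception_applies=False, unsecured=True,
                        affected=1200, same_state=True, missing_contact_info=25,
                        le_delay_days=45, le_delay_in_writing=False)
    print(assess(facts))
```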

Page 34

STATE PREEMPTION

Page 35

HIPAA or State Law?

• HIPAA is a federal floor of privacy and security protections

• General rule: State laws contrary to HIPAA are preempted by HIPAA

• State laws providing greater protection than HIPAA are not preempted by HIPAA

Page 36

HIPAA SECURITY

Page 37

HIPAA Security Rule

• Protects the confidentiality, integrity and availability of protected health information that is maintained or transmitted electronically (“ePHI”)

Page 38

HIPAA Security Rule

• CONFIDENTIALITY – ePHI must not be made available or disclosed to an unauthorized person or process, including employees who do not have a need to use the information

• INTEGRITY – ePHI must not be altered or destroyed in an unauthorized manner

• AVAILABILITY – ePHI must be accessible and useable by an authorized person at all times

Page 39

What Information is Protected Under Security Rule?

• Electronic transmissions of ePHI within the company, as well as transmissions to outside entities
– Extends to all members of the workforce, including those who work at home
• Exceptions:
– Facsimile
– Telephone systems (voice or keypad)
– Copy machines
– Videoconferencing systems
– Voicemail

Page 40

Who Must Comply with Security Rule?

• Covered entities and business associates are required to comply with the Security Rule
• The HIPAA Security Rule mandates that certain safeguards be implemented to protect ePHI including:
– Administrative safeguards
– Physical safeguards
– Technical safeguards
• Safeguards include:
– Controls to limit access to ePHI by workforce
– Audits to determine who accessed ePHI and when ePHI was accessed

Page 41

Who is Responsible for Implementing Security Safeguards?

• “Security Officer” is responsible for:
– Developing and implementing security safeguards to protect ePHI
– Addressing security concerns
– Periodically auditing and assessing the security of ePHI

• The designation of a Security Officer must be documented and may be the same person as the Privacy Officer

• Security Standards must be addressed

• Implementation Specifications
– Required
– Addressable
  • If not reasonable and appropriate, document the reasons

Page 42

Administrative Safeguards

• Documented policies and procedures for:
– Managing day-to-day operations
– The conduct and access of workforce members to ePHI
– The selection, development and use of security controls

Page 43

Administrative Safeguards (cont.)

• Standard: Security Management Process
– Risk analysis (required)
– Risk management (required)
– Sanction policy (required)
– Information system activity review (required)
• Standard: Security Responsibility
• Standard: Workforce Security
– Authorization and/or Supervision (addressable)
– Workforce Clearance Procedure (addressable)
– Termination Procedure (addressable)

Page 44

Administrative Safeguards (cont.)

• Standard: Information Access Management
– Access Authorization (addressable)
– Access Establishment and Modification (addressable)
• Standard: Security Awareness and Training
– Security Reminders (addressable)
– Protection from Malicious Software (addressable)
– Log-in Monitoring (addressable)
– Password Management (addressable)
• Standard: Security Incident Procedures
– Response and Reporting (required)

Page 45

Administrative Safeguards (cont.)

• Standard: Contingency Plan
– Data Backup Plan (required)
– Disaster Recovery Plan (required)
– Emergency Mode Operation Plan (required)
– Testing and Revision Procedures (addressable)
– Applications and Data Criticality Analysis (addressable)
• Standard: Evaluation
• Standard: Business Associate Contracts and Other Arrangements
– Written Contract or Other Arrangement (required)

Page 46

Physical Safeguards

Physical measures and policies and procedures that protect electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion

Page 47

Physical Safeguards (cont.)

• Standard: Facility Access Controls
– Contingency Operations (addressable)
– Facility Security Plan (addressable)
– Access Control and Validation Procedures (addressable)
– Maintenance Records (addressable)
• Standard: Workstation Use
• Standard: Workstation Security
• Standard: Device and Media Controls
– Disposal (required)
– Media Re-use (required)
– Accountability (addressable)
– Data Backup and Storage (addressable)

Page 48

Technical Safeguards

The technology and the policy and procedures that protect ePHI and control access to it

Page 49

Technical Safeguards (cont.)

• Standard: Access Control
– Unique User Identification (required)
– Emergency Access Procedure (required)
– Automatic Logoff (addressable)
– Encryption and Decryption (addressable)
• Standard: Audit Controls
• Standard: Integrity
– Mechanism to Authenticate ePHI (addressable)

Page 50

Technical Safeguards (cont.)

• Standard: Person or Entity Authentication
• Standard: Transmission Security
– Integrity Controls (addressable)
– Encryption (addressable)
• Standard: Policies and Procedures
• Standard: Documentation Requirements
– Time Limit (required)
– Availability (required)
– Updates (required)

Page 51

Documentation Requirements

• Retain documentation in paper or electronic format for 6 years or longer if required by state law, including:
– Policies and procedures related to Security Rule compliance
– Documentation of any activity, action or assessment required by the Security Rule
• Policies and procedures must be reviewed and updated periodically in order to address environmental or operational changes affecting the security of ePHI

Page 52

HIPAA Audit Protocols

Page 53

Stimulus Act – Generally

Effects on HIPAA:

• Expanded protection of PHI
• Increased privacy and security obligations for covered entities and business associates
• Generally effective February 17, 2010

Page 54

HITECH Act: HIPAA Audits

• Requires HHS to conduct periodic audits on covered entities and business associates to ensure compliance with:
– Privacy Rule
– Security Rule
– Breach Notification

• Congressional mandate is the floor. OCR has discretion.

• Up to 150 audits originally planned, at this time adjusted to 115

Page 55

Objectives of the Audit Program

• Consider methods of compliance
• Ascertain best practices
• Identify risks/vulnerabilities not identified through previous enforcement efforts
• Foster compliance efforts

Page 56

Previous HIPAA Enforcement Efforts

• Complaints – large volume, but generally did not result in formal action
• Compliance Reviews – incident-based
• Breach Reports

Reactive in nature; Congress wanted to be more proactive.

Page 57

OCR Uses Contractors for Audits

Source: http://csrc.nist.gov/news_events/hiipaa_june2012/day2/day2-2_lsanches_ocr-audit.pdf

| Description | Vendor | Status/Timeframe |
|---|---|---|
| Audit program development study | Booz Allen Hamilton | Closed 2010 |
| Covered entity & business associate identification and catalog | Booz Allen Hamilton | Closed 2012 |
| Develop audit protocol and conduct audit | KPMG, Inc. | Open 2011 – 2012 |
| Evaluation of Audit Program | TBD | To be Awarded – Conclude in 2013 |

Page 58

The Audit Protocols

• Developed by contractor
• Three areas:
– Privacy
– Security
– Breach Notification
• Focus on:
– Management inquiries
– Reviewing policies and procedures
– Evidence of implementation
– Documentation of reasons why not implemented
• Currently located at: http://ocrnotifications.hhs.gov/hipaa.html

Page 59

Who Can be Audited?

• Every type and size of covered entity is eligible for an audit
• Randomly selected based on type, size and geography, not prior incidents. Criteria include:
– Public vs. Private
– Level of assets/revenue
– Number of patients/employees

• To date, approximately 50% of audited entities have been health care providers

• Business associates may be included in future audits

Page 60

What is the audit process?

• Entity receives notice of audit from OCR. Notice includes a request for documentation
– By registered mail
– Addressed to CEO – redirect as soon as it arrives!
– In some instances, you may know in advance of written notice
– Audit response team takes action
  • Walk-throughs, mock interviews
– Notify support team (internal/external)

Page 61

What is the audit process? (cont.)

• Assemble and submit documentation by deadline
• Documentation may include:
– Policies and procedures
  • Breach notification process
  • Risk assessments
  • Security incident management plan
  • Business continuity/disaster recovery plan
  • Disaster recovery exercise documentation
  • Information security training and awareness
  • Organizational chart
– Forms
– Previous audit reports and assessments

Page 62

What is the audit process? (cont.)

• Auditor reviews documentation (min. 15 days)
• On-site visit
– Conducted 30-90 days from receipt of notice
– Lasts 3-10 business days (5-10 days is most common)
– Personnel interviews (all levels, clinical and non-clinical)
– Walk-throughs
– Operational reviews
– Requests for additional information

The Audit Protocols are a guideline; each audit is unique.

Page 63

What is the audit process? (cont.)

• Draft Audit Report – 20-30 days after on-site visit
– Follow-up questions and additional requests for information are likely

You will likely know what many of the findings will be, and should focus on preparing a response.

Page 64

What is the audit process? (cont.)

• Review and Respond to Draft Report
– Report includes findings and recommendations
– 10 business days to respond
– Review closely!
– Identify mitigating information
– Consider plan for remediation
– Consult with consultants/legal counsel (e.g. legal arguments re: how rules are applied)
– Challenge findings if warranted (e.g., inaccuracies, justification of approach for implementation)

Page 65

What is the audit process? (cont.)

• Final Report
– Submitted to OCR
– Within 30 days of covered entity’s response
– Includes steps taken to resolve compliance issues
• Action by Covered Entity
– Consider implementing recommendations for compliance
– Ongoing compliance efforts
– Cooperation with OCR

Page 66

What happens next?

• OCR reviews final report
• Primarily a compliance improvement tool
• Not intended to investigate particular violations
• Best practices will be shared
• Targeted compliance guidance will be published
• Serious compliance issues may trigger separate investigation and enforcement action

Page 67

Initial 20 Findings Analysis Overview (Pages 67-75; only the slide title survived in the transcript)

Page 77

Why is this important?

• Likelihood of being chosen for audit is small, but short turnaround time if chosen
• Ongoing audit efforts, increased enforcement
• Reason to review policies, procedures and actual operations
• Identify/resolve weaknesses and concerns

Page 79

Where is your PHI?

• Paper
• Electronic, even if no EHR
• Computers, laptops, smart phones
• On-site/Off-site
• Movement within organization
• To/from third parties

Page 80

Written Policies and Procedures

• Implement policies and procedures for HIPAA compliance including privacy, security and breach notification

• Organized, easy to search/find

• Centralized index for compliance documents

• Review for completeness, ensure they are up-to-date

• Maintain for 6 years and make available to HHS upon request

Page 81

Privacy Policies: What to Include?

• Use and disclosure of PHI
• Patient’s rights
– Notice of uses and disclosures of PHI
– Access to PHI
– Request for amendment of PHI

Page 82

Privacy Policies: What to Include? (cont.)

• Patient’s Rights (cont.)
– Accounting for disclosures of PHI
– Request for restriction on use or disclosures of PHI
– Request for confidential communication of PHI
• Use and disclosure of PHI subject to an authorization
• Use and disclosure of PHI subject to minimum necessary
• Use and disclosure of PHI for fundraising
• Personal representation of individuals

Page 83

Privacy Policies: What to Include? (cont.)

• Use and disclosure of PHI not subject to an individual’s authorization or opportunity to agree or object
• Accounting for disclosures of PHI – tracking disclosures
• Use and disclosure of PHI for research purposes
• Use and disclosure of PHI to persons involved in the individual’s care and for notification purposes
• Use and disclosure of de-identified health information

Page 84

Privacy Policies: What to Include? (cont.)

• Use and disclosure of PHI within a limited data set
• Safeguarding against wrongful uses and disclosures of PHI
• Human Resources
• Complaints regarding privacy practices
• HIPAA Recordkeeping
• Verification of entities or persons to whom protected health information may be disclosed
• Use and disclosure of PHI by business associates
• Notification of breach of PHI to individuals, media and HHS

Page 85

Privacy Policies: What to Include? (cont.)

• Privacy Officer’s Name and Contact Information, Job Description
• Off-site disposal procedures (e.g. shredding of paper records or return to home office for shredding)
• Forms, including:
  – Request for Access
  – Request for Amendment
  – Request for Accounting of Disclosures
  – Request for Restrictions on Uses and Disclosures
  – Request for Confidential Communications

Page 86

Privacy Policies: What to include? (cont.)

• Forms (cont.)
  – Authorization for Release of Protected Health Information
  – Notices re: Approval/Denial of Requests, Extensions of Time, Additional Rights
  – Privacy Practices Complaint Form
  – Business Associate Agreement
  – Disclosure Tracking Log Form, with fields:
    • Patient Name
    • Medical Record Number
    • Date Request Received
    • Name of Requestor
    • Address (if known)
    • Written Request (Y/N)
    • Purpose of Disclosure
    • Description of PHI Disclosed
    • Date Disclosed
    • Disclosed by
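The Disclosure Tracking Log Form above exists so that the entity can answer a patient's request for an accounting of disclosures (slides 82 and 83). The following is an added example, not code from the seminar or from Robinson & Cole: it stores log rows with exactly the fields the form lists, keeps the log append-only, and produces an accounting for one medical record number. The six-year look-back and the purposes excluded from an accounting (treatment, payment, health care operations, disclosures to the individual, and disclosures under the individual's authorization) follow the Privacy Rule's accounting standard, 45 CFR 164.528; the patient names, record numbers, requestors and dates are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# 45 CFR 164.528: an accounting covers the six years before the request date.
ACCOUNTING_LOOKBACK_YEARS = 6

# Purposes the Privacy Rule excludes from an accounting (164.528(a)(1)).
EXCLUDED_PURPOSES = {"treatment", "payment", "health care operations",
                     "to the individual", "authorization"}


@dataclass(frozen=True)
class DisclosureEntry:
    """One row of the Disclosure Tracking Log Form, field for field."""
    patient_name: str
    medical_record_number: str
    date_request_received: date
    requestor_name: str
    requestor_address: Optional[str]   # "Address (if known)"
    written_request: bool              # "Written Request (Y/N)"
    purpose: str                       # "Purpose of Disclosure"
    phi_disclosed: str                 # "Description of PHI Disclosed"
    date_disclosed: date
    disclosed_by: str


def _years_before(d: date, years: int) -> date:
    """Same calendar date `years` earlier; 29 February falls back to the 28th."""
    try:
        return d.replace(year=d.year - years)
    except ValueError:
        return d.replace(year=d.year - years, day=28)


class DisclosureLog:
    """Append-only disclosure log: rows are recorded, never edited or removed."""

    def __init__(self) -> None:
        self._entries: List[DisclosureEntry] = []

    def record(self, entry: DisclosureEntry) -> None:
        # Two sanity checks a paper form relies on the clerk to make.
        if entry.date_disclosed < entry.date_request_received:
            raise ValueError("disclosure date precedes the request date")
        if not entry.purpose.strip():
            raise ValueError("purpose of disclosure is required")
        self._entries.append(entry)

    def accounting_for(self, mrn: str, as_of: date) -> List[DisclosureEntry]:
        """Disclosures of one patient's PHI that must appear in an accounting."""
        cutoff = _years_before(as_of, ACCOUNTING_LOOKBACK_YEARS)
        hits = [e for e in self._entries
                if e.medical_record_number == mrn
                and cutoff <= e.date_disclosed <= as_of
                and e.purpose.lower() not in EXCLUDED_PURPOSES]
        return sorted(hits, key=lambda e: e.date_disclosed)


def build_sample_log() -> DisclosureLog:
    """Constructed sample rows (hypothetical patients and requestors)."""
    log = DisclosureLog()
    log.record(DisclosureEntry("A. Patient", "MRN-0001", date(2012, 2, 28), "Referring clinic",
                               None, True, "treatment", "visit summary", date(2012, 3, 1), "J. Clerk"))
    log.record(DisclosureEntry("A. Patient", "MRN-0001", date(2010, 6, 10), "State health dept.",
                               "PO Box 1 (constructed)", True, "public health reporting",
                               "lab result", date(2010, 6, 15), "J. Clerk"))
    log.record(DisclosureEntry("A. Patient", "MRN-0001", date(2005, 1, 3), "Police department",
                               None, True, "law enforcement", "admission date", date(2005, 1, 10), "M. Clerk"))
    log.record(DisclosureEntry("B. Patient", "MRN-0002", date(2011, 9, 1), "State health dept.",
                               None, True, "public health reporting", "immunization record",
                               date(2011, 9, 2), "J. Clerk"))
    return log


if __name__ == "__main__":
    sample = build_sample_log()
    for row in sample.accounting_for("MRN-0001", date(2012, 9, 11)):
        print(row.date_disclosed, row.requestor_name, row.purpose, row.phi_disclosed)
```

For a request received on 11 September 2012, the accounting for MRN-0001 contains only the 2010 public-health disclosure: the 2012 treatment disclosure is excluded by purpose and the 2005 law-enforcement disclosure is older than six years. The same log also satisfies the slide's recordkeeping point that disclosure logs are evidence of implementation, since rows cannot be altered after the fact.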

Page 87

Privacy Policies: What to include? (cont.)

• Sanction Guidelines for HIPAA Violations
  – Violation / Possible Sanction
  – Example 1:
    • Violation: Obtaining, using or disclosing PHI under false pretenses, such as if a workforce member misrepresents a fact in order to obtain, use or disclose an individual’s PHI.
    • Possible Sanction: Termination
  – Example 2:
    • Violation: Unintentionally violating privacy practices.
    • Possible Sanction: First offense – formal letter of reprimand and applicable training. Second offense – suspension for a period of time commensurate with violation. Third offense – termination.

Page 88

Security Policies: What to Include?

• Administrative Safeguards
  – Security management
    • Risk analysis and mitigation
    • Risk management
    • Sanctions
    • Information system activity review
  – Security responsibility – Assignment of security responsibility

Page 89

Security Policies: What to Include? (cont.)

• Administrative Safeguards (cont.)
  – Workforce security
    • Access authorization and supervision
    • Workforce clearance
    • Workforce termination
  – Information access management
    • Access authorization
    • Access establishment and modification
  – Security awareness and training
    • Security reminders
    • Malicious software

Page 90

Security Policies: What to Include? (cont.)

• Administrative Safeguards (cont.)
  – Security awareness and training (cont.)
    • Login monitoring
    • Password management
  – Security Incident Procedures – response and reporting
  – Contingency Plan
    • Data backup
    • Disaster recovery
    • Emergency mode operations
    • Testing and revision

Page 91

Security Policies: What to Include? (cont.)

• Administrative Safeguards (cont.)
  – Contingency Plan (cont.)
    • Application and data criticality analysis
  – Evaluation – Compliance evaluation
• Physical Safeguards
  – Facility Access Controls
    • Facility contingency operations
    • Facility security
    • Facility access control and validation
    • Facility maintenance records

Page 92

Security Policies: What to Include? (cont.)

• Physical Safeguards (cont.)
  – Workstation Use
  – Workstation Security
  – Device and Media Controls
    • Device disposal
    • Media re-use/transfer
    • Accountability
    • Data backup and storage
• Technical Safeguards
  – Access Control
    • Unique user identification
    • Emergency Access

Page 93

Security Policies: What to Include? (cont.)

• Technical Safeguards (cont.)
  – Access Control (cont.)
    • Automatic logoff
    • Encryption & decryption
  – Audit Controls
  – Integrity Controls
  – Person/Entity Authentication
  – Transmission Security
    • Transmission integrity controls
    • Transmission encryption

Page 94

Security Policies: What to include? (cont.)

• Security Officer’s Name and Contact Information, Job Description
• Risk Assessment for entity and ePHI systems
• Plans (or where to find them)
  – Security incident management plan
  – Business continuity/disaster recovery plan
  – Data backup and recovery procedures

Page 95

Security Policies: What to include? (cont.)

• Forms, e.g.:
  – Maintenance request form
  – Equipment/Media Disposal and Sanitation Log
  – Access Authorization and Supervision Form, used by Security Officer to grant/establish/modify access rights to systems, applications, etc.:
    • Name
    • Position
    • Access Level based on Job Description
    • Supervision Level
    • Supervisor Approval

Page 96

Breach Notification: What to include?

• Internal reporting requirements and processes
• Written incident response plan
• Breach Evaluation Form
  – Description of incident
  – Analysis or Risk Assessment
  – List of individuals who participated in analysis or risk assessment
  – Other risk assessment documentation

Page 97

Additional Considerations: Transmission of Emails Containing ePHI

• E-mails sent from one employee to another do not need to be encrypted or password protected

• E-mails should only be sent to employees who need to know the information

• E-mails sent outside of the company must be password protected or encrypted

• Unsolicited ePHI received in an unsecure manner must be appropriately secured once it is in the possession of the covered entity or business associate

• ePHI should never appear in the subject line of an e-mail
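The rules on this slide are simple enough to be enforced by a pre-send check in the mail system rather than left to each sender's judgement. The code below is an added example, not the seminar's or any vendor's code: it takes one outbound message with its classification and returns the policy findings for the four outbound rules (internal mail may go unencrypted, internal recipients must be on a need-to-know basis, external mail must be encrypted or password protected, and nothing PHI-like may appear in the subject line). The inbound rule about unsolicited ePHI is outside its scope. The internal domain `clinic.example`, the message fields and the subject-line indicator patterns are assumptions chosen for the example; the need-to-know set would in practice come from the entity's access authorization records (slide 95).

```python
import re
from dataclasses import dataclass
from typing import List, Set

INTERNAL_DOMAIN = "clinic.example"   # assumed internal mail domain (constructed)

# Coarse indicators that a subject line carries ePHI. Constructed for this
# example; a real control would use the entity's own identifiers and terms.
SUBJECT_PHI_PATTERNS = [
    re.compile(r"\bMRN[\s:#-]*\d{4,}\b", re.IGNORECASE),   # medical record number
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),                  # SSN-shaped number
    re.compile(r"\b(?:diagnos(?:is|ed)|lab results?|HIV|oncology)\b", re.IGNORECASE),
]


@dataclass
class OutboundMail:
    sender: str
    recipients: List[str]
    subject: str
    contains_ephi: bool   # set by the sender's classification or a DLP scan
    encrypted: bool       # encrypted or password protected for the recipient


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def check_mail(mail: OutboundMail, need_to_know: Set[str]) -> List[str]:
    """Return policy findings for one message; an empty list means it may be sent.

    need_to_know: lower-cased internal addresses cleared for this PHI.
    """
    findings: List[str] = []
    if not mail.contains_ephi:
        return findings                     # the slide's rules apply only to ePHI

    # ePHI never appears in the subject line, whatever the recipient.
    for pattern in SUBJECT_PHI_PATTERNS:
        if pattern.search(mail.subject):
            findings.append("ePHI indicator in subject line")
            break

    external = [r for r in mail.recipients if _domain(r) != INTERNAL_DOMAIN]
    internal = [r for r in mail.recipients if _domain(r) == INTERNAL_DOMAIN]

    # Mail leaving the entity must be encrypted or password protected.
    if external and not mail.encrypted:
        findings.append("unencrypted ePHI to external recipient(s): " + ", ".join(external))

    # Internal mail need not be encrypted, but only need-to-know staff may receive it.
    not_cleared = [r for r in internal if r.lower() not in need_to_know]
    if not_cleared:
        findings.append("internal recipient(s) outside need-to-know: " + ", ".join(not_cleared))
    return findings


if __name__ == "__main__":
    msg = OutboundMail("nurse@clinic.example", ["billing@payer-example.test"],
                       "Lab results for MRN 12345", contains_ephi=True, encrypted=False)
    for finding in check_mail(msg, {"dr.lee@clinic.example"}):
        print("BLOCK:", finding)
```

The check is deliberately conservative on the subject line: it reports the first matching indicator and stops, since one finding is enough to hold the message. It does not try to decide whether the body contains ePHI; that decision is taken upstream by the sender or a content classifier and arrives in the `contains_ephi` flag.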

Page 98

Other Documentation

• Policies are not enough! Need evidence of implementation and ongoing compliance
  – Risk assessment – document the process!
  – Disclosure logs
  – Logs of security breaches
  – Documentation of access rights, periodically updated to reflect changes in workforce
  – Evidence of systems activity review
  – Training documentation for each employee
  – Evidence of responses to violations (sanctions, updated risk assessments, revisions to policies)

Page 99

Other Documentation (cont.)

  – List of all business associates, including contact information, phone and email address, what the relationship is, name of applicable agreement
  – Custodial Staff
    • Not generally regarded as business associates; consider confidentiality agreement, procedures for inadvertent encounters with PHI, termination for breach of confidentiality

Page 100

INTERNAL DISCIPLINARY SANCTIONS

• Have them
• Apply them
• Document them
• You will be penalized if you violate applicable privacy policies or HIPAA
• Depending on your violation, you may receive a warning letter, suspension or termination

Page 101

Be consistent with what is in your policies and what occurs in practice!

Page 103

Training Overview

• Every person accessing data holds a position of trust. Each individual must recognize his or her responsibility to protect the privacy and security of this information.

• All levels of the workforce need HIPAA awareness and training

• Training should be consistent, ongoing and documented

Page 104

Initial Training – Fundamentals

• What is HIPAA?
• What does HIPAA cover?
  – Privacy
    • What is PHI?
    • What is excluded from the definition of PHI?
  – Security
    • What is ePHI?
    • What is excluded from the definition of ePHI?

Page 105

Initial Training – Fundamentals (cont.)

• How does HIPAA affect us?
• What is required of us under HIPAA?
  – Uses and disclosures
  – Rights of individuals
  – Appropriate safeguards
  – Administrative requirements
• Report impermissible uses or disclosures that you become aware of either to the Privacy Officer or other designated individual

Page 106

Initial Training – Fundamentals (cont.)

• Who do I contact with questions?
  – Employees need to know who to contact!
  – Who advises on HIPAA implementation?
  – Who handles requests for access, complaints, etc.?
  – Who monitors system activity?
  – Who is responsible for business associate agreements?
  – Who keeps the forms?

Page 107

Training Considerations

• Make training simple, easy to understand
• Depending on level of access, consider an evaluation of individual’s understanding at end of training session
• Promote culture of compliance through understanding that training is not an obstacle, protects employee as much as it protects the organization
• Employees should understand their role in the process. Security measures are not effective if they are not followed.

Page 108

Training Considerations (cont.)

• Initial training is not enough! Additional training and security reminders should be provided.
  – Source compliance plan, HIPAA policies and procedures for ideas
  – Pay attention to news media for violations involving other organizations, use them as training opportunities
    • E.g. 2011 news article re: Rhode Island physician who was reprimanded by state regulators for posting information that led to the identification of a patient
    • E.g. 2010 article re: negative comments about a patient posted on Facebook
• Inform them that usage will be monitored and audits will be performed.

Page 109

NO PEEKING!

Employees must know that if they do not have a bona fide medical or administrative reason to access a patient’s medical record, then they should not access the record!

Page 110

Recent Enforcement Efforts and Upcoming Regulatory Updates

Page 111

Recent Enforcement Efforts

Source: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/data/historicalnumbers.html#resol

Page 112

Recent Enforcement Efforts (cont.)

• Blue Cross Blue Shield of Tennessee (“BCBST”)
  – First enforcement action under HITECH’s breach notification rule
  – 2009: BCBST submitted breach report to OCR
    • 57 unencrypted hard drives stolen
    • Hard drives were located in storage closet leased by BCBST
    • Contained audio/video recordings of customer service calls, including PHI
  – 2012: OCR and BCBST entered into Resolution Agreement. BCBST did not admit liability, OCR did not concede that BCBST did not violate HIPAA.

Page 113

Recent Enforcement Efforts (cont.)

• BCBST (cont.)
  – $1,500,000 payment
  – Corrective Action Plan, including updating policies and procedures, training workforce in Security Rule measures regarding ePHI.

Page 114

Recent Enforcement Efforts (cont.)

• OCR Enforcement Action Against Alaska’s Department of Health and Human Services
  – In 2009, submitted a breach report to OCR stating that a portable storage device containing PHI had been stolen from the vehicle of a computer technician.
  – OCR determined that AK-HHS failed to comply with five HIPAA requirements:
    • No risk analysis
    • Insufficient risk management precautions
    • Failure to train workforce members
    • Failure to implement device/media controls
    • Failed to address device/media encryption

Page 115

Recent Enforcement Efforts (cont.)

• OCR Enforcement Against AK-HHS (cont.)
  – June 2012: OCR and AK-HHS entered into Resolution Agreement. AK-HHS did not admit liability, OCR did not concede that AK-HHS did not violate HIPAA.
  – $1,700,000 payment
  – Corrective action plan, including requirement to develop, review and revise HIPAA Security Rule policies and train workforce in Security Rule measures regarding ePHI.

Page 116

Recent Enforcement Efforts (cont.)

• United States v. Zhou
  – U.S. Attorney General for Central District of California charged Huping Zhou with violating HIPAA by accessing patient records without authorization.
  – 2003: Hired by University of California at Los Angeles Health System (“UHS”) as research assistant in rheumatology. Terminated in same year for poor performance.
  – After termination, accessed patient records at least 4 times.

Page 117

Recent Enforcement Efforts (cont.)

• United States v. Zhou (cont.)
  – Government alleged that Zhou violated 1320d-6(a)(2), which applies to persons who “knowingly and in violation of HIPAA” obtain PHI.
  – Zhou moved to dismiss charges, stating no assertion that his actions were illegal.
  – District Court denied. Sentenced to 4 months in prison plus 1 year of supervised release, $2,000 fine…
  – Zhou appealed to Ninth Circuit Court of Appeals. Stated that he did not know his actions were illegal, government misapplied “knowing” requirement of the statute.

Page 118

Recent Enforcement Efforts (cont.)

• United States v. Zhou (cont.)
  – Court: “knowingly and in violation” of the statute = two separate elements: (1) must knowingly obtain an individual’s PHI; and (2) must obtain the information in violation of HIPAA. Do not need to know that your conduct was in violation of HIPAA.
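The Zhou facts (a workforce member terminated in 2003 who then accessed patient records at least four times) are exactly what the Security Rule's "workforce termination" and "information system activity review" standards, and the "documentation of access rights, periodically updated to reflect changes in workforce" item on slide 98, are meant to catch. The following is an added example, not the seminar's code and not drawn from the case record: it matches each record-access event in an EHR audit log against the HR roster and flags any access by an account whose user was terminated before the event, or by an account the roster does not know at all. The log line format, the account names, the record numbers and the dates are all constructed.

```python
from datetime import date, datetime
from typing import Dict, List, Optional

# Constructed HR roster: account -> termination date (None = still active).
# In practice this is the Access Authorization and Supervision Form data.
ROSTER: Dict[str, Optional[date]] = {
    "jdoe": None,
    "rjones": date(2012, 3, 15),
}

# Constructed EHR audit log lines: "<ISO timestamp> <account> <record> <action>"
AUDIT_LOG = [
    "2012-03-14T09:12:00 rjones MRN-1001 VIEW",
    "2012-03-16T22:41:00 rjones MRN-1002 VIEW",      # day after termination
    "2012-03-16T10:05:00 jdoe MRN-1002 UPDATE",
    "2012-03-20T03:30:00 svc_legacy MRN-1003 VIEW",  # account not on roster
]


def parse_event(line: str) -> dict:
    """Split one audit line into its four fields; raises on malformed input."""
    timestamp, account, record, action = line.split()
    return {"time": datetime.fromisoformat(timestamp), "account": account,
            "record": record, "action": action}


def review_access(log_lines: List[str], roster: Dict[str, Optional[date]]) -> List[dict]:
    """Return the events an activity review should escalate, in log order.

    An access on the termination date itself is not flagged (hand-over work);
    anything on a later day is. Unknown accounts are always flagged, since a
    unique user identification standard means every account must map to a
    person on the roster.
    """
    findings: List[dict] = []
    for line in log_lines:
        event = parse_event(line)
        account = event["account"]
        if account not in roster:
            findings.append({**event, "reason": "account not on workforce roster"})
            continue
        ended = roster[account]
        if ended is not None and event["time"].date() > ended:
            findings.append({**event, "reason": f"access after termination on {ended.isoformat()}"})
    return findings


if __name__ == "__main__":
    for f in review_access(AUDIT_LOG, ROSTER):
        print(f["time"].isoformat(), f["account"], f["record"], f["action"], "-", f["reason"])
```

Run against the constructed log this reports two events: the second `rjones` access (the day after the roster's termination date) and the `svc_legacy` access (no roster entry). The review is only as good as the roster it is given, which is why slide 98 lists keeping access-rights documentation current as evidence in its own right; a roster that is not updated when someone leaves turns this check into a no-op.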

Page 119

Upcoming Regulatory Updates

• A final “omnibus” rule was expected to be released in July, 2012. Has since been delayed. Expected to include:
  – Final Enforcement Rule
  – Final Breach Notification Rule
  – Changes to HIPAA Privacy and Security Standards

Page 120

Disclaimer

Consult with legal counsel!

Page 121

Questions???

Pamela H. Del Negro
Robinson & Cole LLP
[email protected]
(860) 275-8261