HIPAA Compliance Program Importance of the Information Risk Assessment

Importance of the Information Risk Assessment. Compliance Programs are intended to proactively audit and assess an organization’s operations to detect.

Dec 14, 2015

Page 1: HIPAA Compliance Program

Importance of the Information Risk Assessment

Page 2: Compliance Program

Compliance Programs are intended to proactively audit and assess an organization’s operations to detect and prevent improper or illegal activities.

Effective Compliance Programs can support mitigation of fines and penalties, but the program must be effective within the organization.

Page 3: Information Risk Assessment

HIPAA requires organizations that handle protected health information to regularly review the administrative, physical, and technical safeguards they have in place to protect the security of that information.

Page 4: Information Risk Assessment Tool

On March 28, 2014, HHS made available a new security risk assessment (SRA) tool to help guide health care providers in small to medium-sized offices through risk assessments of their organizations.

http://www.HealthIT.gov/security-risk-assessment

Page 5: Risk Analysis

The scope of risk analysis that the Security Rule encompasses includes the potential risks and vulnerabilities to the confidentiality, availability and integrity of all e-PHI that an organization creates, receives, maintains, or transmits. (45 C.F.R. § 164.306(a))

Page 6: Administrative Safeguards

Administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.

Page 7: Administrative Safeguards

• Security Management Process
• Assigned Security Responsibility
• Workforce Security
• Information Access Management
• Security Awareness and Training
• Security Incident Procedures
• Contingency Plan
• Evaluation
• Business Associate Contracts and Other Arrangements

Page 8: Physical Safeguards

Physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment from natural and environmental hazards, and unauthorized intrusion.

Page 9: Physical Safeguards

• Facility Access Controls
• Device and Media Controls
• Workstation Use
• Workstation Security

Page 10: Technical Safeguards

The technology, and the policy and procedures for its use, that protect electronic protected health information and control access to it.

Page 11: Technical Safeguards

• Access Control
• Audit Controls
• Integrity
• Person or Entity Authentication
• Transmission Security

Page 12: Business Associates

Security Breach Notification

Page 13: Expanded Definition of Business Associate

• Certain entities now explicitly included in definition of “business associate”
  ◦ Health Information Organizations, E-prescribing Gateways and other persons that provide data transmission services to a covered entity that require access on a routine basis to PHI
  ◦ Patient Safety Organizations
  ◦ Any person offering PHRs on behalf of a covered entity
• Data transmission organization that acts as a mere conduit for the transport of PHI and does not access PHI other than on a random or infrequent basis is NOT a business associate (transient vs. persistent analysis)
• Subcontractors of BAs are considered BAs if they handle PHI

Page 14: Subcontractors as Business Associates

• A “subcontractor” is any person to whom BA delegates a function, activity or service, other than as a member of BA’s workforce
• Subcontractor is a BA if it creates, receives, maintains or transmits PHI on behalf of a business associate
• Person who receives or accesses PHI to assist BA with BA’s own management and administration or legal responsibilities is not a subcontractor and therefore not a BA
  ◦ But BA must obtain “reasonable assurances”
• Status as business associate flows “down the chain”

Page 15: Major Regulatory Duties of Business Associates

• Comply with applicable requirements of Security Rule
• Provide security breach notification to CE
• Use and disclose PHI only as permitted by BA Agreement
• Not use or disclose PHI in a way that would violate the HIPAA Privacy Rule if done by covered entity (subject to narrow exceptions)
• Execute BA Agreements with subcontractors that create, receive or maintain PHI on BA’s behalf
• If subcontractor engages in pattern or practice in material breach of its BA Agreement, take reasonable steps to cure breach or terminate if feasible
• Use reasonable efforts to limit PHI to minimum necessary
• Disclose PHI
  ◦ To covered entity, individual or individual’s designee when required to provide electronic copy of PHI
  ◦ To Secretary of HHS when required
• Provide accounting of disclosures

Page 16: Changes to Business Associate Agreement

• New elements
  ◦ BA must comply with applicable provisions of Security Rule
  ◦ BA must report any use or disclosure not in compliance with agreement (existing requirement), specifically including breaches of unsecured PHI
  ◦ BA must ensure that any subcontractor that creates, receives or maintains PHI on its behalf enters into BA Agreement
  ◦ To the extent BA is to carry out CE’s obligations under Privacy Rule, BA must comply with requirements of Privacy Rule that apply to CE in performing obligations
• Compliance deadlines
  ◦ BA Agreements must comply by 9/23/13 unless grandfathered
  ◦ Grandfathered agreements: if, prior to 1/25/13, a BA or subcontractor agreement was in place that was compliant with pre-HITECH standards, and the agreement was not renewed or modified between 3/26/13 and 9/23/13, the agreement is deemed compliant until the earlier of (i) the date it is renewed or modified or (ii) 9/22/14
  ◦ Automatic or “evergreen” renewal does not end the deemed compliance period

Page 17: Security and Notice Requirements

Security provisions of HIPAA now apply to a Business Associate of a Covered Entity in the same manner that such sections apply to the Covered Entity.

Business associates are subject to the same penalties as Covered Entities.

This also applies to vendors of personal health records.

Page 18: Security and Notice Requirements

Applies to any Covered Entity or BA/vendor that accesses, maintains, retains, modifies, records, stores, destroys or otherwise holds, uses, or discloses unsecured protected health information.

Applies directly to vendors, regardless of whether a business associate agreement is executed.

Page 19: Security and Notice Requirements

Unsecured Protected Health Information means (Section 13402(h)):
  ◦ protected health information that is not secured through the use of a technology or methodology specified by the Secretary in the guidance issued under this section

Page 20: Security and Notice Requirements

Obligation to notify triggers upon discovery of a breach
  ◦ Discovery is determined to be the first day on which such breach is known, or should reasonably have been known, to such entity or associate to have occurred
  ◦ Knowledge by any person that is an employee, officer or other agent of the entity or associate

Page 21: Security and Notice Requirements

Notice to Individual must include:
  ◦ Identification of each individual whose unsecured protected health information has been, or is reasonably believed to have been, accessed, acquired, or disclosed during such breach
  ◦ Brief description of what happened, including the date of the breach and the date of discovery of the breach
  ◦ Description of the types of unsecured protected health information that were involved

Page 22: Security and Notice Requirements

  ◦ Steps the individual should take to protect themselves from potential harm resulting from the breach
  ◦ Description of what the covered entity involved is doing to investigate the breach, to mitigate losses, and to protect against any further breaches
  ◦ Contact procedures for individuals to ask questions or learn additional information

Page 23: Security and Notice Requirements

Notice to the Secretary by Covered Entities:
  ◦ For breaches impacting 500 or more individuals, notify the Secretary immediately
  ◦ For breaches impacting fewer than 500 individuals, maintain a log and submit it to the Secretary annually

Page 24: Security and Notice Requirements

Notice Process

Notice Timing:
  ◦ Notice must be made without unreasonable delay and in no case later than 60 calendar days after discovery of a breach
  ◦ Delay allowed if a law enforcement official determines that a notification, notice or posting would impede a criminal investigation or cause damage to national security

Methods of Notice:
  ◦ Written notification by first class mail to individual
  ◦ Substitute notice process for insufficient or out-of-date contact information
  ◦ Media notice for 500 individuals or more

Page 25: “Safe Harbor”

The Safe Harbor from the Notification Requirement is to ensure the data is maintained in a “secure” manner.

June 2009: comments were requested on the proposed form of “secure” data.
  ◦ Encryption
  ◦ De-Identification

Page 26: Enforcement

Page 27: Common Violations

Of the 90,000 complaints investigated, the most common issues, compiled cumulatively and in order of frequency, are:

• Impermissible uses and disclosures of protected health information;
• Lack of safeguards of protected health information;
• Lack of patient access to their protected health information;
• Uses or disclosures of more than the minimum necessary protected health information; and
• Lack of administrative safeguards of electronic protected health information.

Page 28: Most Common Violators

The most common types of covered entities that have been required to take corrective action to achieve voluntary compliance are, in order of frequency:

• Private practices;
• General hospitals;
• Outpatient facilities;
• Health plans (group health plans and health insurance issuers); and
• Pharmacies.

Page 31: Enforcement Activities

• Adult & Pediatric Dermatology, P.C., of Concord, Massachusetts (APDerm): $150,000.00
• Affinity Health Plan, Inc. will settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules for $1,215,780.
• WellPoint Inc. has agreed to pay the U.S. Department of Health and Human Services $1.7 million to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules.

Page 32: Questions

Michele Madison, Partner, Morris, Manning & Martin, LLP
Healthcare & Healthcare IT Practices
[email protected]
404-504-7621

Page 33: Disclaimer

The materials and information presented and contained within this document are provided by MMM as general information only, and do not, and are not intended to, constitute legal advice.

Any opinions expressed within this document are solely the opinion of the individual author(s) and may not reflect the opinions of MMM, individual attorneys, or personnel, or the opinions of MMM clients.

The materials and information are for the sole use of their recipient and should not be distributed or repurposed without the approval of the individual author(s) and Morris, Manning & Martin LLP.

This document is Copyright ©2011 Morris, Manning & Martin, LLP. All Rights Reserved worldwide.