This document discusses navigating HIPAA compliance. It begins with examples of HIPAA violations like employees sharing patient photos on social media. It then explains what entities and information are covered by HIPAA and permissible uses of protected health information. It discusses defining a breach, performing risk assessments, and penalties for noncompliance. It provides tips for modifying business associate agreements, privacy practices, conducting risk assessments, updating policies and procedures, and training employees on HIPAA requirements.
© 2013 Armstrong Teasdale LLP
Call From Employee
1) Staff Texting Nude Patient Photo.
   • Patient is Identifiable.
   • Hospital Name is visible on scrubs.
2) Nurses photograph X-ray.
   • Post X-ray to Facebook.
   • Nurse comments regarding patient.
HIPAA
• Regulations Apply to:
  - Covered Entities (CE)
    1) Providers
    2) Health Plans
    3) Clearinghouses
• Business Associates of CEs
  - Insurance Broker, Benefit Specialists
  - Strategic Consultants
HIPAA Protects PHI
PHI = PROTECTED HEALTH INFORMATION
PHI Uses & Disclosures
• OK to use PHI for:
  1) Treatment
  2) Payment
  3) Health Care Operations
• General Rule: Other Uses Require an Authorization.
HIPAA Breach - New Definition
• A Breach is
  1. Unauthorized acquisition, access, use or disclosure of
  2. Unsecured PHI
  3. that Compromises the privacy or security of the PHI
• Presumption of Reportable Breach UNLESS
  - CE determines, after a risk assessment, that there is a low probability the PHI has been compromised.
HIPAA Risk Assessment
• What is "Compromised"?
  - Rule does not tell us.
• Must Perform Risk Assessment.
HIPAA Risk Assessment
• 4 Elements:
  1. Nature and extent of PHI involved.
  2. The unauthorized person who used PHI or to whom disclosure was made.
  3. Whether PHI was actually acquired or viewed.
  4. Extent to which the risk to PHI has been mitigated.
HIPAA Risk Assessment
• If you do not do a breach notification you MUST do a Risk Assessment.
• DOCUMENT, DOCUMENT, DOCUMENT.
HIPAA Breaches
• CVS 2009 - Pill bottles thrown in dumpsters.
  - $2.25 Million Settlement
  - No policies.
  - No training.
HIPAA Breaches
• Million Dollar Subway Ride
  - Massachusetts General Hospital employee leaves documents on subway.
  - PHI of 192 patients. (Included HIV/AIDS status)
  - $1 Million Settlement.
• Stanford 2011. BA posts PHI on web.
  - 20,000 patients X $1,000 = $20 Million
HIPAA Breaches
• WellPoint - July 11, 2013
• Left Accessible Information on Internet
• $1.7 Million Settlement
• 600,000 Patients' Information
• WellPoint failed to:
  1) Have Policies to authorize access to PHI;
  2) Perform technical evaluation of software & database;
  3) Have technical safeguards to verify the identity of persons accessing PHI.
HIPAA Breaches - Laptops
• Sutter 2011. Stolen unencrypted laptop.
  - 4 million patients X $1,000 nominal damages per patient.
  - $1 Billion Potential Damages.
• UCLA 2011.
  - Encrypted laptop stolen. Paper also stolen.
  - 16,000 patients X $1,000
  - $16 Million.
HIPAA Breaches - Hardware
• Blue Cross Blue Shield Tennessee 2012
  - Self Reported 57 unencrypted hard drives stolen.
  - 1 Million people. $1.5 Million Settlement.
• Pentagon 2011
  - BA lost backup tapes, 4.9 Million Tricare beneficiaries.
  - If damages are $1,000 per patient = $4.9 Billion.
  - Attempted to use HIPAA for basis of claims.
Lawsuits Pending
• Plaintiffs claim HIPAA violations. (Negligence Per Se)
• Case law is not clear.
• We argue no private right of action.
• Motions to dismiss granted.
• Breach of Fiduciary Duty & Public Disclosure of Private Fact claims remain.
• Each suit involved OCR investigation.
HIPAA Breach
• If you don't need it for your job = Unauthorized. Snooping.
Snooping
• There once was a girl …
• Later goes to psych ward at UCLA…
• People get curious.
• 13 fired & 12 disciplined.
• OCR investigates → $865,000
• No evidence PHI disclosed or sold.
Snooping
• Little Rock: News anchor in hospital.
• Physician watches news from home.
• Unit Coordinator & Billing employee.
• 2 fired; physician suspended 2 weeks.
  - Face prison & fine.
  - Each had HIPAA training.
• Mom sues Hospital.
  - Arkansas Supreme Court allows outrageous behavior claim.
Yes, Someone Went to Prison.
• Researcher at UCLA
• Reviewed records 323 times in 3 weeks.
• His Boss,
• No Evidence PHI was Used or Sold.
• 4 Months in Prison.
Breach Notifications < 500
• Breach
  - Must Notify Individual(s)
    - In Writing including what happened & steps taken.
    - Within 60 days of date breach discovered.
  - Notify HHS Secretary
• Don't Delay.
Breach Notifications > 500
• Where a Breach Involves Greater than 500 Residents:
  - Notify Individuals in Writing
  - Notify HHS Secretary
  - Notify Media
    - Press Release to "Prominent" media outlets.
    - Within 60 days.
Penalties - Civil
• Per identical violation in a calendar year:
  - Did Not Know: $100 up to $25,000
  - Willful Neglect Uncorrected: $50,000 up to $1,500,000
  - Willful Neglect: Conscious, intentional failure or reckless indifference.
• Can be Per Record.
• Extend to BAs.
• Can impose penalty without seeking informal resolution.
Penalties - Criminal
• People that knowingly obtain or disclose PHI:
  - Up to $50,000 AND 1 year imprisonment.
• With False Pretenses:
  - Up to $100,000 AND 5 years.
• With Intent to sell or use for personal gain or malicious harm:
  - Up to $250,000 AND 10 years.
When a Breach Occurs:
• Call Us.
• What We Can Do:
  - Walk you through whether it is reportable.
    - Multiple factors.
  - Advise during investigation.
  - Assist with Proactive Prevention.
What Can/Should be Done to Comply?
• Most obvious
  - Modify your Business Associate Agreements
  - Modify your Notice of Privacy Practices
• Not so obvious…
  - Conduct a Risk Assessment
  - Review, evaluate and update policies and procedures
  - Educate and train staff/employees
Modifications to the BAAs
• A statement that the Business Associate ("BA") now needs to comply with the administrative, physical, and technical components of the Security Rule
  - Should also reflect that the BA is required to implement and maintain compliance with the administrative, physical, and technical components of the Security Rule
Modifications to BAAs
• A statement that the BA must report to the Covered Entity any breach of unsecured PHI (in addition to any unauthorized use or disclosure)
  - Should reflect exactly what the BA should do in order to notify the Covered Entity of the breach:
    - Date of incident
    - Date of discovery of incident (if different than above)
    - Categories of the affected information
    - Individual(s) who were affected
    - Steps for mitigation
    - Steps for prevention
Modifications to BAAs
• A statement that the BA must ensure that any subcontractor will agree to the same restrictions and conditions that apply to the BA
  - In other words, BAs now need to enter into BAAs with subcontractors
• A statement requiring the BA to implement a system for documenting and recording uses and disclosures in compliance with the Security Rule
• A statement that provides for retention of information for 6 years from the date of the disclosure
Modifications to BAAs
• Other Aspects to Consider
  - Liability is determined on Agency principles, so a statement that reflects the status of the parties
  - Consider modifying or adding insurance requirements
  - Consider modifying or adding limitations of liability and indemnification provisions
Modifications to BAAs
• Compliance Deadline
  - Depends on whether there is an existing BAA or whether there will be a new BAA entered into between the parties
    - If existing BAA, then September 22, 2014
    - If no existing BAA, then September 23, 2013
Modifications to Notice of Privacy Practices
• Must now include statements regarding the Sale of PHI
• Must now include statements regarding marketing and other purposes that require an authorization
• Must now include statement that an individual can opt out of fundraising communications/efforts
Modifications to Notice of Privacy Practices
• Must now include statement that the Covered Entity must agree to restrict disclosures to health plans if the individual pays out of pocket in full for the health care service
• Must now include a statement about an individual's right to receive breach notifications
Conducting a Risk Assessment
• Elements of a general risk assessment include:
  1. Identify the scope - what are potential risks and vulnerabilities to your organization?
  2. Identify where all the PHI is stored, received, maintained or transmitted
  3. Assess current security measures:
     - Do you utilize encryption software?
     - Are passwords used and changed frequently?
     - Are firewalls used?
     - Are mobile devices protected?
Conducting a Risk Assessment
• Other Aspects:
  - Determine likelihood of the occurrence of a threat
  - Determine the potential impact of that threat
  - Determine the level of risk
• Which becomes a mathematical equation…
  - Vulnerability x Likelihood x Impact = Level of Risk
• Which can then assist in mitigating that risk
Conducting a Risk Assessment
Threat Source:   Terminated EE (employee)                                  Calculation
Threat:          Unauthorized access to patient information
Vulnerability:   No formal process in place to notify the IT department
                 when employees are terminated, and periodic reviews
                 are not performed                                         3
Likelihood:      Removal of access for terminated employee has not been
                 performed                                                 3
Impact:          PHI is viewed, altered or destroyed                       3
Risk:            Disgruntled employee gains unauthorized access to PHI
                 after termination, deleting records                       Total = 27
Risk Mitigation: IT implements daily automated program to read employee
                 database in payroll system and automatically removes
                 access to network and application systems for
                 terminated employees                                      Risk is now significantly reduced
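The risk formula from the previous slide and the daily deprovisioning job described in the mitigation row, worked as an added example (not code from the presentation or from Armstrong Teasdale). The payroll export, the access snapshot, and the field names are constructed assumptions.

```python
"""Terminated-employee access reconciliation plus the slide's risk score.
Added example, not part of the original deck; all records are constructed."""
import csv
import io
from datetime import date

# Constructed payroll export: HR records a termination date when staff leave.
PAYROLL_CSV = """employee_id,name,termination_date
1001,Alice Nguyen,
1002,Bob Ortiz,2013-08-30
1003,Chen Wei,
1004,Dana Patel,2013-09-03
"""

# Constructed snapshot of who still holds network/application access.
ACTIVE_ACCOUNTS = {
    "1001": ["network", "ehr"],
    "1002": ["network", "ehr", "billing"],   # terminated, access never removed
    "1003": ["network"],
    "1004": ["ehr"],                         # terminated, access never removed
}

def risk_level(vulnerability, likelihood, impact):
    """Slide formula: Vulnerability x Likelihood x Impact = Level of Risk."""
    return vulnerability * likelihood * impact

def terminated_ids(payroll_csv, as_of):
    """IDs of employees whose termination date (ISO format) is on or before as_of."""
    cutoff = date.fromisoformat(as_of)
    gone = set()
    for row in csv.DictReader(io.StringIO(payroll_csv)):
        td = row["termination_date"].strip()
        if td and date.fromisoformat(td) <= cutoff:
            gone.add(row["employee_id"])
    return gone

def accounts_to_disable(payroll_csv, active_accounts, as_of):
    """Daily job output: {employee_id: [systems]} still granted to terminated staff.
    An empty result is the steady state the mitigation aims for."""
    gone = terminated_ids(payroll_csv, as_of)
    return {eid: systems for eid, systems in active_accounts.items()
            if eid in gone and systems}

if __name__ == "__main__":
    print("Risk before mitigation:", risk_level(3, 3, 3))
    for eid, systems in accounts_to_disable(PAYROLL_CSV, ACTIVE_ACCOUNTS, "2013-09-10").items():
        print(f"disable {eid}: {', '.join(systems)}")
```

Running the reconciliation daily and logging each disable action also produces the documentation the earlier slides insist on.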
Reviewing/Updating Policies and Procedures
• Update policies and procedures on breach notification and integrate into the policy the four risk-assessment factors for determining whether a breach occurred:
  1. Nature and extent of the PHI involved
  2. The unauthorized person who used the PHI or to whom the disclosure was made
  3. Whether PHI was actually acquired or viewed
  4. Extent to which the risk has been mitigated
Reviewing/Updating Policies and Procedures
• Use and disclosure of PHI for marketing
  - Requires determination of what is and is not considered marketing
  - Once that determination is made, then clarify the policy to reflect what requires an authorization from the individual
• Sale of PHI
  - Selling an individual's PHI without an authorization is prohibited
Reviewing/Updating Policies and Procedures
• Electronic Access to PHI
  - May require revisions to job descriptions to clearly delineate who has access and in what situation
  - May require revisions to IT policies and procedures
• Requests for Restrictions
• Use and disclosures of decedent information
• Social media and cell phone policies
Reviewing/Updating Policies and Procedures
• Covered entities may use any security measures that allow them to reasonably and appropriately implement the HIPAA regulations. So, in determining whether to draft new or revise old policies and procedures, you should consider:
  - Size, complexity, and capabilities of the Covered Entity
  - Technical infrastructure, hardware, and software
  - Costs
  - Likelihood and impact of risks or potential risks, i.e., risk assessment
Educate and Train Staff/Employees
• Must ensure that the policies and procedures reviewed, revised, and/or created are implemented by staff/employees.
• Sign-in sheets should be passed around so attendance of staff members/employees is documented
• Staff/Employee training must be conducted at the following intervals:
  - At the start of employment
  - Annual basis
• If staff/employees do not apply these policies to their everyday practice, then organizations are at risk!