Current Developments in Privacy and Security Rule Enforcement

Transcription

1 Current Developments in Privacy and Security Rule Enforcement Hamline University College of Law Health Law Institute National Speakers Series Jerome B. Meites, Esq. Chief Regional Civil Rights Counsel Region V United States Department of Health and Human Services Office of the General Counsel

2 Disclaimer These power point slides, along with the remarks of Mr. Meites, are intended to be purely informational and informal in nature. Nothing in the slides or in Mr. Meites statements are intended to represent or reflect the official interpretation or position of the Department of Health and Human Services, the Office for Civil Rights, or the Office of General Counsel. 1

3 Topics 2013: A Major Year for Privacy and Security Recent OCR Enforcement Actions Enforcement Statistics and Upcoming Enforcement Activities Omnibus Regulations and Related Guidance Patients Right to Restrict and the Breach Notification Rule Compliance Audits Other Issues: State AGs and the Accounting Rule OCR Resources 2

4 HIPAA Enforcement Actions: Recent Cases and Trends Security Rule and Privacy Rule Cases from

5 Affinity Settles in Photocopier Security Rule Breach Case for $1,215,780 Affinity Health Plan impermissibly disclosed the protected health information of up to 344,579 individuals when it returned multiple photocopiers to a leasing agent without erasing the data contained on the copier hard drives. OCR s investigation revealed that Affinity failed to incorporate the electronic protected health information stored in copier s hard drives in its analysis of risks and vulnerabilities as required by the Security Rule, and failed to implement policies and procedures when returning the hard drives to its leasing agents. The corrective action plan required Affinity to use its best efforts to retrieve all hard drives that were contained on photocopiers previously leased and that remained in the possession of the leasing agent, and to take certain measures to safeguard all ephi. 4

6 WellPoint pays $1.7 million for leaving information accessible over Internet WellPoint s breach report indicated that security weaknesses in an online application database left the electronic protected health information (ephi) of 612,402 individuals accessible to unauthorized individuals over the Internet. OCR s investigation indicated that WellPoint did not implement appropriate administrative and technical safeguards as required under the HIPAA Security Rule: WellPoint did not adequately implement policies and procedures for authorizing access to the on-line application database. Did not perform an appropriate technical evaluation in response to a software upgrade to its information systems. Did not have technical safeguards in place to verify the person or entity seeking access to electronic protected health information maintained in its application database. 5

7 Hospice of North Idaho, a Small Provider, Pays $50,000 to Settle This was the first case involving a breach report for PHI of fewer than 500 individuals which resulted in the execution of a Resolution Agreement by the CE and the payment of a Resolution Amount to OCR, namely $50,000. In 2010, Hospice of North Idaho (HONI) submitted a breach notification, reporting that a laptop containing the PHI of 441 patients had been stolen. OCR s investigation showed that HONI had not conducted a risk analysis and had not promulgated a policy designed to ensure the security of PHI held on mobile media devices. Since the breach was discovered, HONI did take substantial steps to improve its privacy and security compliance program. 6

8 Adult & Pediatric Dermatology Pays $150,000 to Settle Breach Notification Case OCR received a report that an unencrypted thumb drive containing ephi for 2200 individuals was stolen from a staffer s car. The thumb drive was never recovered. OCR investigation showed that APDerm had not conducted an analysis of risks and vulnerabilities regarding ephi. APDerm did not have a written policy for reporting breaches and training employees on Privacy and Security Rule issues. 7

9 Shasta Regional Medical Center Settles Privacy Rule Case for $275,000 for Impermissible Disclosure SRMC failed to safeguard the patient s protected health information (PHI) from impermissible disclosure by intentionally disclosing PHI to multiple media outlets on at least three separate occasions, without a valid written authorization. OCR s review indicated that senior management at SRMC impermissibly shared details about the patient s medical condition, diagnosis and treatment in an to the entire workforce. In addition, SRMC failed to sanction its workforce members for impermissibly disclosing the patient s records pursuant to its internal sanctions policy. A corrective action plan (CAP) required SRMC to update its policies and procedures on safeguarding PHI from impermissible uses and disclosures and to train its workforce members. The CAP also required fifteen other hospitals or medical centers under the same ownership or operational control as SRMC to attest to their understanding of permissible uses and disclosures of PHI, including disclosures to the media. 8

10 Lessons Learned HIPAA covered entities and their business associates are required to undertake a careful risk analysis to understand the threats and vulnerabilities to individuals data, and have appropriate safeguards in place to protect this information. Take caution when implementing changes to information systems, especially when those changes involve updates to Web-based applications or portals that are used to provide access to consumers health data using the Internet. Senior leadership helps define the culture of an organization and is responsible for knowing and complying with the HIPAA privacy and security requirements to ensure patients rights are fully protected. 9

11 Enforcement Statistics and Upcoming Enforcement Activities 10

12 HIPAA Compliance/Enforcement (As of December 31, 2013) TOTAL (since 2003) Complaints Filed 90,000 Cases Investigated 31,925 Cases with Corrective Action 22,026 Civil Monetary Penalties & Resolution Agreements (since 2008) $18.6 million 11

13 Top Five Issues Nationally in Cases Closed in 2013 with Corrective Action 1. Impermissible Uses and Disclosures of PHI 2. Lack of adequate physical, technical, or administrative safeguards 3. Individuals or their Representatives Being Denied Access to their PHI 4. Minimum Necessary 5. Lack of Mitigation by CE 12

14 Minnesota Statistics Since 2003 Investigated Cases in which no violation of the Privacy or Security Rule was found 12% Cases resolved after Intake and Review with no investigation being undertaken 60% Investigated Cases Resolved with Corrective Action by CE 27% 13

15 Eye to the Future Increased efficiency High-impact cases Audit HHS expects full compliance, no matter the size of a covered entity. Assure that policies relating to privacy, security and breach notification are up- to- date and effectively implemented. 14

16 HIPAA Privacy, Security, Breach Compliance and Enforcement What s to Come Resolution Agreements/Corrective Action Plans Continue to increase activity and resources Maintain focus on fundamentals of compliance programs Address emerging issues Investigated Complaints/Compliance Reviews New web portal for complaints/centralized intake Strategic approach to increase efficiencies, identify cases for investigation Breach Reports Redesigned website for 500+ postings htool.html 15

17 Omnibus Regulations and Related Guidance 16

18 HIPAA/HITECH/GINA Omnibus Final Rule Important Dates Published in Federal Register January 25, 2013 Effective Date March 26, 2013 Compliance Date September 23, 2013 Deadline for Pre-Existing BA Contracts to Conform September 22,

19 HIPAA/HITECH/GINA Omnibus Final Rule What s Included HITECH Privacy & Security Business associates Electronic access Marketing Fundraising Sale of protected health information (PHI) Right to request restrictions HITECH Breach Notification HITECH Enforcement GINA Privacy Other Modifications Research Notice of privacy practices Decedents Student immunizations 18

20 HIPAA/HITECH Guidance What s Done Omnibus Final Rule De-identification Combined Regulation Text Sample BA provisions Refill Reminder Factsheets on Student Immunizations and Decedents Model Notice of Privacy Practices English and Spanish Versions Other Guidance Ability to report serious and imminent threats Permitted mental health disclosures Right to access updated for e-access requirements Law enforcement guide 19

21 Guidance and Proposed Rulemaking Regarding Potential Gun Violence On January 13, 2013, OCR issued a letter to health care providers throughout the country reminding them that the Privacy Rule permitted disclosures of an individual s PHI when the provider had a good faith reason to fear that the individual intends imminent harm to himself or others. See 45 C.F.R (j). On April 23, 2013, OCR published an Advanced Notice of Proposed Rulemaking in the Federal Register seeking public input on how to remove barriers states currently face under HIPAA in reporting such concerns without discouraging individuals from seeking necessary mental health services. OCR received over 2000 comments. On January 7, 2014, OCR published a proposed rule in the Federal Register. It allows states and certain CEs greater flexibility than was permitted previously in reporting to the National Instant Criminal Background Check System (NICS) minimum necessary identifying information about individuals who have been involuntarily committed or otherwise found by a lawful authority to be a threat to themselves or others. March 10, 2014 is the last day for the submission of comments on the proposed rule online or by mail. 20

22 Guidance Regarding the Sharing of Mental Health Information In September 2013, OCR issued extensive guidance regarding the issue of when information about an individual who is receiving mental health care treatment can be shared with the individual s family and others involved in his or her care. The guidance also addresses the patient s capacity to agree to or object to the sharing of such information. It also addresses related law enforcement issues. 21

23 Guidance Regarding Marketing and Refill Reminders Also in September 2013, OCR issued guidance regarding the refill exception from the marketing provision of the Privacy Rule. Normally, under the marketing provisions, as amended by the omnibus regulations that took effect in 2013, an individual has to provide written authorization before his or her PHI can be sued for marketing purposes. However, the guidance makes clear that prescription refill reminders and other communications about a currently prescribed drug or biologic are generally exempt from the authorization requirement. In addition, a CE can receive financial remuneration from the drug manufacturer or similar third party provided that the remuneration is reasonably related to the CE s cost of making the communication. 22

24 Guidance Regarding Disclosure of Decedents PHI The omnibus regulations contained changes to the original April 2003 version of the Privacy Rule regarding the ability of family members to access a deceased relative s PHI. Originally, only an executor or administrator could access a decedent s PHI, unless state law permitted other individuals, such as surviving spouses or adult children to do so. Now, in most instances, any member of the family or other person who was involved in the provision of care to a deceased individual has a right to access his or her PHI, even if that person is not the decedent s personal representative. In September 2013, OCR issued guidance regarding these changes to the Privacy Rule. 23

25 Model Notice of Privacy Practices Notice in the form of a booklet; A layered notice that presents a summary of the information on the first page, followed by the full content on the following pages; A notice with the design elements found in the booklet, but formatted for full page presentation. A text only version of the notice; Different versions for plans and health care providers. 24

26 HIPAA/CLIA Final Rule Now in Effect: Patient Right of Access to Test Results Center for Medicare and Medicaid Services Enforcement Amends Clinical Laboratory Improvement Amendments (CLIA) regulations to allow labs to give patients completed test results OCR Enforcement Amends HIPAA right to access to remove exemption for CLIA labs Individual has right to access and get copy of PHI in DRS of labs, including right to electronic copy Access obligations on labs same as for other covered entities Individual can still go through physician to obtain test results Dates Publish in FR -- February 6 Effective Date -- April 7 HIPAA Compliance Date -- October 8 25

27 HIPAA/HITECH Guidance What s to Come Guidance on Omnibus Final Rule Breach Safe Harbor Update Breach Risk Assessment Tool Minimum Necessary More on Marketing Security Rule Updates small provider risk analysis tool More Factsheets on other provision Model Notice Web based version challenge issued Other YouTube new content; more Spanish versions Medscape new module coming soon -- EHRs and HIPAA: Steps for Maintaining the Privacy and Security of Patient Information 26

28 Patients Right To Restrict and The Breach Notification Rule 27

29 Patient Right to Request Restrictions Old Rule Under the April 2003 version of the Privacy Rule, an individual had the right to request a covered entity to place a restriction regarding use and disclosure of his or her PHI for treatment, payment, and health care operations (and certain other reasons). The CE was not required to agree to any restriction. However, if the CE did agree, the CE was bound by the restriction. 28

30 Right to Require Restrictions New Rule as of September 2013 Under the Omnibus Regulations, the CE must agree to an individual s request to restrict the disclosure of PHI to the individual s health plan if: PHI pertains solely to health care for which the individual (or a person on behalf of individual other than the health plan) has paid the CE in full, out-of-pocket; and The disclosure is not required by other law. The CE is encouraged, but not required, to notify downstream providers of the restriction The Preamble to the Omnibus Regulations contained in the January 25, 2013 issue of the Federal Register provides guidance on the scope of the restriction and other potential implementation issues, including a number of illustrative, hypothetical cases. The old permissive rule still applies to all other requests for restrictions from an individual. 29

31 Breach Notification Interim Final Rule Issued in August 2009 & Effective Until September 2013 Pertained to impermissible use or disclosure of unsecured PHI which compromises the security or privacy of the information Compromises meant that the breach posed a significant risk of financial, reputational, or other harm to the individual To determine if it must notify OCR, the Preamble to the interim final rule stated that the CE/BA had to perform a risk assessment, based on at least: What type or amount of PHI was used or disclosed Who received/accessed the information Potential that PHI was actually accessed or acquired What steps were taken to mitigate There were exceptions for inadvertent, harmless mistakes There was also a narrow exception for limited data sets without dates of birth and zip codes 30

32 Definition of Breach New Rule Under the omnibus regulations, the risk of harm standard has been removed Impermissible use/disclosure of (unsecured) PHI is presumed to require the issuance of a breach notification, unless the CE/BA can demonstrate that there is a low probability that PHI has been compromised, based on a risk assessment of at least the following: Nature and extent of the PHI involved Who received/accessed the PHI What is the potential that PHI was actually acquired or viewed The extent to which risk to the data has been mitigated Exceptions for inadvertent, harmless mistakes remain Exception for limited data sets without dates of birth and zip codes has been removed 31

33 Breach Notification Makes permanent the notification and other provisions of the August 2009 interim final rule, with only minor changes/clarifications, e.g., Clarifies that notification to Secretary of smaller breaches to occur within 60 days of end of calendar year in which breaches were discovered (versus occurred) 32

34 Breach Notification Highlights September 2009 through November 6, reports involving over 500 individuals 84,963 reports involving under 500 individuals Top types of large breaches Theft Unauthorized Access/Disclosure Loss Top locations for large breaches Laptops Paper records Desktop Computers Portable Electronic Device 33

35 Spotlight on Largest Breaches of 2012 Hacking network server 780,000 affected Backup tapes stored at hospital cannot be found and are presumed lost 315,000 affected Unencrypted s sent to employee s unsecured address 228,435 affected Theft of laptop from employee s vehicle 116,506 affected Unauthorized access to e-phi stored in database 105,646 affected Hacking database stored on network server 70,000 affected 34

36 Breach Notification: 500+ Breaches by Type of Breach Hacking/IT Incident 7% Loss 14% Improper Disposal 5% Unknown 3% Unauthorized Access/ Disclosure 20% Theft 51% Data as of January

37 Breach Notification: 500+ Breaches by Location of Breach EMR 2% 3% Other 10% Network Server 11% Paper Records 22% Portable Electronic Device 14% Laptop 23% Desktop Computer 15% Data as of January

38 COMPLIANCE AUDITS 37

39 Audit Program HITECH Act Sec Periodic audits to ensure covered entities and business associates comply with requirements of HIPAA and HITECH Audit Objectives Examine mechanisms for compliance Identify best practices Discover risks and vulnerabilities that may not have come to light through complaint investigations and compliance reviews Renew attention of covered entities to health information privacy and security compliance activities 38

40 Compliance and Enforcement: Audit Where We Have Been Description Vendor Status/Timeframe Audit program development study Booz Allen Hamilton Closed 2010 Covered entity identification and cataloguing Booz Allen Hamilton Closed 2011 Develop audit protocol and conduct audits KPMG, Inc. Closed Evaluation of audit program PWC, LLP Closed

41 Pilot Process Audit Pilot Completed Tiered approach for snapshot of compliance across covered entity types, sizes, complexity Sample of 115 covered entities selected spread across 4 tiers All audits were completed by December 2012 OCR published audit protocol Issued final reports to entities audited in pilot 40

42 Audit Pilot Observations Completed Audits of 115 entities 61 Providers, 47 Health Plans, 7 Clearinghouses No findings or negative observations for 13 entities (11%) 2 Providers, 9 Health Plans, 2 Clearinghouses Total 979 audit findings and observations 293 Privacy 592 Security 94 Breach Notification Percentage of Security Rule findings and observations was double what would have been expected based on the protocol Smaller entities (Level 4) struggled with all three areas 41

43 Summary of Entities Audited Level 1 Entities Large Provider / Payer Extensive use of HIT - complicated HIT enabled clinical /business work streams Revenues and or assets greater than $1 billion Level 2 Entities Large regional hospital system (3-10 hospitals/region) / Regional Insurance Company Paper and HIT enabled work flows Revenues and or assets between $300 million and $1 billion Level 3 Entities Community hospitals, outpatient surgery, regional pharmacy / All Self-Insured entities that don t adjudicate their claims Some but not extensive use of HIT mostly paper based workflows Revenues between $50 million and $300 million Level 4 Entities Small Providers (10 to 50 Provider Practices, Community or rural pharmacy) Little to no use of HIT almost exclusively paper based workflows Revenues less than $50 million 42

44 Size/Type of Entities Audited Level 1 Level 2 Level 3 Level 4 Total Health Plans Healthcare Providers Healthcare Clearinghouses Total Data as of December

45 Types of Privacy Rule Audit Findings 50% 45% 40% 35% 30% 25% 20% 15% 10% 5% 0% 20% Notice of Privacy Practices 2% Restriction Requests & Alternative Communications 16% Individual Right of Access 18% Administrative Standards 44% Uses and Disclosures of PHI Data as of December

46 Types of Security Rule Audit Findings 20% 18% 18% 16% 14% 12% 10% 12% 14% 9% 14% 14% 8% 6% 4% 2% 0% Risk Analysis Access Management Security Incident Procedures Contingency Planning Audit Controls and Monitoring Movement and Destruction of Media Data as of December

47 Compliance and Enforcement Audit What s Ahead in 2014 Formal Program Evaluation 2013 Internal analysis for follow up and next steps Creation of technical assistance based on results Determine where entity follow up is appropriate Identify leading practices Revise Protocol to reflect Omnibus Rule Ongoing program design and focus Business Associates Accreditation /Certification correlations 46

48 Resumption of Audits in 2014 OCR will be conducting a second round of compliance audits on its own beginning later in 2014 and continuing into OCR selected from a very large data base an oversupply of 1200 organizations as possible subjects of the new round of audits. OCR is currently making determinations about the listed organizations to determine their suitability for audit. Roughly 800 of the organizations are covered entities and 400 are business associates. 47

49 New Issues Likely to be Covered in Audits OCR expects to revise its 2012 audit protocol to include changes brought by the Omnibus Regulations. OCR also expects a more intensive focus on organizations analysis of potential risks and vulnerabilities involving the PHI which they generate and which comes in their custody as OCR found the lack of any and/or adequate risks analysis to be very high in the 2012 audit. 48

50 Other Issues State AGs and the Accounting Rule 49

51 OCR and State Attorneys General Under the HITECH Act, enacted in 2009, state attorneys general were authorized, for the first time, to bring actions for injunction in federal district court to enforce the Privacy and Security Rule. State AGs must inform OCR prior to their commencement of such actions. Under the HITECH Act, OCR (HHS) can intervene in any such litigation as of right. 50

52 Result of AG Intervention So far, AGs have brought cases in five different states, including the Accretive litigation in Minnesota. OCR has not yet chosen to intervene in any of the AG cases. In 2010, OCR provided extensive training to the AGs from all 50 states. The training manuals are on the OCR website. OCR regional attorneys continue to work closely with the AGs, providing guidance when requested. 51

53 Accounting for Disclosures Final Rule When OCR issued as proposed rules, most of the provisions which became the final Omnibus Regulations in 2013, the proposed rules included significant changes to the original 2003 requirements for covered entities to provide accountings to individuals as to who accessed the individual s PHI. Industry publications indicated that many compliance officers and other representatives of covered entities had serious reservations or objections to the proposed changes regarding the accounting provisions and submitted comments to OCR, expressing their concerns. OCR did not include a final version of the accounting provisions in the omnibus regulations. OCR has stated publicly that it is still reviewing the comments it received regarding the accounting issues and does not know when it will publish a further issuance regarding accountings in the Federal Register. 52

54 OCR RESOURCES 53

55 We ve Been Busy New Compliance Assistance Tools for Covered Entities and Business Associates The HIPAA Omnibus Rule X-QL9PoePU 54

56 New OCR Resource Center at Medscape.org Video Programs module imbedded into page for dynamic interest OCR Educational Links, Including Mobile Device Content 55

57 Two New Learning Modules for Free CME and CE Credit The goal of this activity is to describe steps in analyzing and managing risks related to the security of protected health information The goal of this activity is to describe steps healthcare practices should take to assess and improve the security of protected health information on mobile devices. 56

58 Your Mobile Device and Health Information Privacy and Security Posting Date: 9/13/13 13,969 Total Learners 28,518 Total Page Views 7,657 MD Learners 3,627 Nurse Learners 252 Pharmacist Learners 586 Physician Assistants 1,847 (Other HCP s) 3,378 MD Test Takers Credits 57

59 Consumer Awareness and Engagement Your New Rights Under HIPAA - Consumers =3-wV23_E4eQ Over 262,000 views since September 4, 2013 Visit us at 58

60 OCR s YouTube Videos Your New Rights Under HIPAA 264,781 Views The HIPAA Omnibus Rule 273,927 Views Your Health Information, Your Rights 116,291 Views The Right to Access Your Health Information 84,909 Views EHRs: Privacy and Security 5,645 Views Su Informacion de Salud, Sus Derechos 503,898 Views Treatment, Payment and Health Care Operations 77,967 Views Communicating with Friends and Family 97,428 Views Explaining the Notice of Privacy Practices 124,888 Views HIPAA Security Rule 291,263 Views 1,840,997 TOTAL VIEWS FROM FEB to JAN 30, 2013 Visit us at 59

61 Contact Information Jerome B. Meites Chief Regional Civil Rights Counsel Office of the General Counsel Region V United States Department of Health and Human Services 233 North Michigan Avenue Suite 700 Chicago, Illinois Jerome.Meites@hhs.gov 60