Investigating Privacy Breaches under HITECH and HIPAA

Transcription

1 Investigating Privacy Breaches under HITECH and HIPAA Barry Herrin Smith Moore Leatherwood LLP 1180 W. Peachtree St. NW, Suite 2300 Atlanta, Georgia T (404) F (404) Presented by: Allyson Jones Labban Smith Moore Leatherwood LLP 300 N. Greene Street, Suite 1400 Greensboro, North Carolina T (336) F (336) To ask a question during the presentation, click the Q&A menu at the top of this window, type your question in the Q&A text box, and then click Ask. Presented by: Attorney Name Smith Moore Leatherwood LLP Address T: F: After you click Ask, the button name will change to Edit. Questions will be queued and most will be answered at the end of the meeting as time allows.

2 What is HITECH? Health Information Technology for Economic and Clinical Health Act Enacted as part of the American Recovery and Reinvestment Act of 2009 ( Stimulus Bill ), P.L

3 What is HITECH? Two primary components: Encourages implementation of health information technology and transition from paper records to EHR Amends HIPAA to impose significant new duties on covered entities and business associates to notify patients, the Federal Government, and the media of breaches of unsecured PHI

4 What is HITECH? Notification requirement went into effect on September 23, 2009 Enforcement begins on February 17, 2010 Recent Ponemon Institute survey of 77 health care organizations revealed that 94% will not be ready to comply with HITECH by February 2010.

5 Definitions Unsecured PHI : PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of encryption technologies or methods of physical destruction approved by the Secretary of the Federal Department of Health and Human Services ( HHS ) Approved technologies/destruction methods are listed at 74 Fed. Reg

6 Definitions Breach : The acquisition, access, use, or disclosure of unsecured PHI in a manner not permitted under the HIPAA privacy rule (45 C.F.R , et seq.) that compromises the security or privacy of the PHI

7 Definitions Significant Risk of Harm : Fact-based inquiry that focuses on financial, reputational, or other harm that may result to the patient as a result of the use or disclosure.

8 To Be or Not to Be... A Breach Should not assume every use/disclosure is a breach A use/disclosure is not a breach: When the PHI is properly encrypted/destroyed When the use/disclosure is permitted under HIPAA When a HITECH exception applies When the privacy or security of the data is not compromised

9 Step 1: Is the information unsecured PHI?

10 Step 1: Unsecured PHI PHI is secured: Encrypted (for approved encryption methods, see 74 Fed. Reg list of National Institute of Standards and Technology publications, available at Destroyed (shredded, burned, purged, cut proper destruction method depends on the medium)

11 Step 1: Unsecured PHI Also not a breach if: Individually identifiable health information held by covered entity or business associate in its capacity as an employer De-identified in accordance with HIPAA guidelines

12 Step 1: Unsecured PHI Also not a breach if the PHI: Is de-identified pursuant to 45 C.F.R (e)(2); and Does not include the patient s zip code; and Does not include the patient s date of birth.

13 Step 2: Is the acquisition, access, use or disclosure permitted under HIPAA?

14 Step 2: Permissible Use/Disclosure (HIPAA) A breach is an impermissible use or disclosure; if HIPAA permits or requires the use/disclosure, not a breach If use/disclosure not permitted under HIPAA, must still ask: Does the use/disclosure compromise the security or privacy of the PHI? Not every impermissible disclosure = breach, but may be a violation of the privacy rule!)

15 Step 3: Does the acquisition, access, use or disclosure fit within one of the exceptions to HITECH?

16 Step 3: HITECH Exceptions HITECH contains three narrowly construed exceptions If an acquisition, access, use, or disclosure fits within an exception, it is not a breach, even if information was unsecured PHI and the disclosure is not permitted under HIPAA This is a departure from the order set forth in the regulation

17 Step 3: HITECH Exceptions

18 Step 3: HITECH Exceptions Exception 1: Unintentional access to, or acquisition or use of, PHI: By a workforce member for the covered entity or BA Acting in good faith Within the course and scope of duties If the access, acquisition, or use does not result in any further use or disclosure in a manner not permitted by HIPAA

19 Step 3: HITECH Exceptions Example: Billing employee receives and opens an containing patient s PHI that was mistakenly sent to her. Billing employee notifies the sender of the error, and then deletes the without further using or disclosing the information. Exception applies no breach.

20 Step 3: HITECH Exceptions Example: Receptionist, who is not authorized to access PHI, decides to browse through patient files to find out information about a friend s treatment. Exception does not apply breach.

21 Step 3: HITECH Exceptions Example: A physician on the medical staff, who is authorized to access PHI, looks through the medical records of patients she has not treated and whose cases she has not been asked to consult. Exception does not apply breach.

22 Step 3: HITECH Exceptions Exception 2: Inadvertent disclosure of PHI From one workforce member at the covered entity or BA to another at the same covered entity or BA Where both workforce members are authorized to access the information If the access, acquisition, or use does not result in any further use or disclosure in a manner not permitted by HIPAA

23 Step 3: HITECH Exceptions Example: Inadvertent disclosure by a member of the hospital medical staff, even if she is not a hospital employee, to a hospital employee who is authorized to receive PHI, provided that the employee does not subsequently inappropriately use or disclose the information. Exception applies no breach.

24 Step 3: HITECH Exceptions Example: A member of the medical staff deliberately discloses information to another member of the medical staff regarding a patient for whom the receiving medical staff member has no treatment or consultation responsibilities. Exception does not apply breach.

25 Step 3: HITECH Exceptions Exception 3: Unauthorized disclosure to an unauthorized person of PHI: Where there is a reasonable good faith belief That the unauthorized recipient would not reasonably have been able to retain the information

26 Step 3: HITECH Exceptions Example: A nurse mistakenly hands Patient A the discharge instructions for Patient B. The nurse immediately recognizes his error and retrieves the document before Patient A has a chance to review the information. Exception applies no breach.

27 Step 3: HITECH Exceptions Example: The billing office, due to a lack of reasonable safeguards, send a number of patient statements to the wrong individuals. Some of the statements are returned unopened, marked undeliverable. Exception applies no breach. The other statements that were sent to the wrong addresses, however, are not returned. Exception does not apply breach.

28 Step 4: Does the disclosure result in a significant risk of harm to the patient?

29 Step 4: Risk Assessment Must determine whether the patient is at significant risk of financial, reputational, or other harm as a result of the use or disclosure Involves a fact-specific weighing of various factors

30 Step 4: Risk Assessment Who impermissibly used the information / to whom was the information impermissibly disclosed? Disclosure to another entity subject to HIPAA: likely small risk of harm Disclosure to member of the general public: likely high risk of harm

31 Step 4: Risk Assessment What steps were taken to mitigate the impermissible use or disclosure? Obtain recipient s satisfactory assurance that information will be destroyed and not used: likely small risk of harm Information is returned before it is accessed (laptop analysis reveals no access): likely small risk of harm

32 Step 4: Risk Assessment What information was the subject of the impermissible use or disclosure? Information concerning STDs and abuse: deemed to be significant risk of reputational harm Information concerning fact of treatment: depends on nature of treatment ( General Hospital likely small risk of harm; Communicable Disease Clinic likely high risk of harm) Information that is vulnerable to identity theft (social security number, etc.): likely high risk of harm

33 If a significant risk of harm to the patient exists, the breach notification requirements must be followed

34 Breach Notification Breaches Involving Fewer than 500 Individuals: Notice must be provided: To the individuals whose information was breached To the Secretary of HHS using the online form at e/breachnotificationrule/brinstruction.html

35 Breach Notification Breaches Involving More than 500 Individuals: Notice must be provided: To the individuals whose information was breached To the Secretary of HHS using the online form at e/breachnotificationrule/brinstruction.html To the local media

36 Breach Notification Business associates now have an affirmative duty to notify the covered entity of a breach Business associate agreements, as well as agreements with subcontractors, should be revised to explicitly memorialize this duty to report

37 Breach Notification Notifications to individuals must be written in plain language and include: A brief description of the incident (date of breach and date of discovery, if known) A description of the types of information breached (names, social security numbers, diagnoses); no actual PHI should be disclosed in the notice

38 Breach Notification Steps the individual should take to protect himself or herself from potential harm resulting from the breach A brief description of the steps being taken to investigate, mitigate, and prevent future breaches Contact procedures by which the individual can contact the covered entity about the breach (toll-free number, , web site)

39 Breach Notification Notifications to the media must be written in plain language and include: A brief description of the incident (date of breach and date of discovery, if known) A description of the types of information breached (names, social security numbers, diagnoses); no actual PHI should be disclosed in the notice

40 Breach Notification Steps individuals should take to protect themselves from potential harm resulting from the breach A brief description of the steps being taken to investigate, mitigate, and prevent future breaches Contact procedures by which individuals can contact the covered entity about the breach (toll-free number, , web site)

41 Breach Notification Notification to individuals must be sent via first-class mail or, if the person agreed to electronic notice, by e- mail Where the individual is deceased, notice should be sent to the next-of-kin

42 Breach Notification Substitute notice may be provided if no valid contact information: Fewer than 10 individuals: By telephone, alternate form of written notice, or other means More than 10 individuals: By conspicuous notice on the entity s web site or in local print or broadcast media; must include a toll-free information number valid for at least 90 days

43 Breach Notification Deadlines for notice key off date the breach was discovered Breach is discovered as of the first day on which the entity knew or should have known through the exercise of reasonable diligence that a breach occurred.

44 Breach Notification Notice to Individuals: Without unreasonable delay, and no later than 60 calendar days after discovery of the breach Notice to the Media: Without unreasonable delay, and no later than 60 calendar days after discovery of a breach involving 500 or more individuals

45 Breach Notification Notice to the Secretary: Fewer than 500 individuals: Covered entity must maintain a log and submit the log within 60 calendar days after the end of the calendar year More than 500 individuals: Notice must be provided contemporaneously with that provided to the individuals Reporting is to be done electronically

46 Breach Notification Notice by a Business Associate: A business associate must provide notice to the covered entity without unreasonable delay, and no later than 60 calendar days after discovery of the breach

47 Breach Notification HITECH permits covered entities and business associates to delay notification if law enforcement states that notification would impede a criminal investigation or damage national security Length of delay depends on manner in which law enforcement requests the delay

48 Breach Notification If the law enforcement statement is in writing and specifies the time for which delay is required, follow the written notification If the statement is made orally, document the statement and identity of the law enforcement official, then delay no more than 30 days from the date of the oral statement, unless a subsequent written statement is provided

49 Breach Penalties Four new penalty tiers have been implemented, effective November 30, 2009 For violations occurring on or after February 18, 2010: CMPs ranging from $100 to $50,000 per violation, up to $1.5 million for identical violations occurring during a calendar year, where the entity did not and, by exercising reasonable diligence, would not have known that a violation occurred;

50 Breach Penalties CMPs ranging from $1,000 to $50,000 per violation, up to $1.5 million for identical violations occurring during a calendar year, where the violation was due to reasonable cause and not willful neglect (reasonable cause = circumstances that would make it unreasonable for the covered entity, despite the exercise of ordinary business care and prudence, to comply );

51 Breach Penalties CMPs ranging from $10,000 to $50,000 per violation, up to $1.5 million for identical violations occurring during a calendar year, where the violation was due to willful neglect and was corrected during the 30 day period following the date the covered entity knew or should have known the violation occurred

52 Breach Penalties CMPs of at least $50,000 per violation, up to $1.5 million for identical violations occurring during a calendar year, where the violation was due to willful neglect and was not corrected during the 30 day period following the date the covered entity knew or should have known the violation occurred

53 Breach Penalties Penalties may be avoided if the entity can demonstrate: Violation is the result of a knowing, criminal act by an individual that is punishable under 42 U.S.C. 1320d-6; or Violation is not due to willful neglect and was corrected within the 30 days following discovery or such additional period as the Secretary deems appropriate

54 Breach Penalties Secretary may waive an imposed CMP if the CMP would be excessive if the violation was due to reasonable cause, even where the violation was not corrected during the 30 day period following discovery or other period deemed appropriate by the Secretary.

55 Action Steps Revise policies and procedures to reflect HITECH investigation and notification requirements Assemble privacy investigation team Train staff members on new breach requirements Scrutinize policies regarding the use of , laptops, and handheld devices to transmit or store PHI

56 Action Steps Work closely with IT staff to evaluate feasibility of encryption technologies Evaluate current IT systems for ability to track disclosures of e-phi Implement amended business associate agreements and subcontractor agreements Consult with insurance advisors regarding enhancing risk protections (increased coverage and limits for losses and defense costs)

57 Action Steps Evaluate and strengthen existing audit procedures Determine need for third party assistance (attorneys, IT specialists, consultants)

58 Action Steps Keep an eye out for additional HITECH rule updates and implementation specifications

59 HIPAA/HITECH Team Atlanta Barry Herrin (404) Greensboro Maureen Demarest Murray (336) Allyson Jones Labban (336) Raleigh Trish Markus (919)

60 QUESTIONS?

61 Investigating Privacy Breaches under HITECH and HIPAA Barry Herrin Smith Moore Leatherwood LLP 1180 W. Peachtree St. NW, Suite 2300 Atlanta, Georgia T (404) F (404) Presented by: Allyson Jones Labban Smith Moore Leatherwood LLP 300 N. Greene Street, Suite 1400 Greensboro, North Carolina T (336) F (336) Presented by: Attorney Name Smith Moore Leatherwood LLP Address T: F: