31-10-2013
Welcome to Compliance2go Live Web Seminar
Responsibilities of the HIPAA Privacy and Security Officer - Managing and Documenting HIPAA Compliance
Jim Sheldon-Dean
© Copyright 2013 www.compliance2go.com
1
Agenda
• Learn about being a HIPAA Privacy and Security Officer
• Responsibilities of the HIPAA Officer
• Privacy Rule: Patient Rights and Controls on Entities
• Security Rule: Having a Security Management Process
• Breach Notification: Sooner or later…
• Find out about the new, higher enforcement penalties
• Discuss what is required to be in compliance and show it
• Learn about being prepared for a HIPAA Compliance Audit
• Q&A session
• Disclaimer: I am not a lawyer and this is not legal advice – I am only providing information and resources
My Background
• BSCE (Civil Engineering) from UVM, MST (Transportation) from MIT
• Three decades in consulting, information systems, and software development
• Process, problem-solving oriented
• 8 years as Vermont EMT, crew chief
• 12 years specializing in HIPAA and health information privacy and security regulatory compliance
• Involved in WEDI, HIMSS, frequent speaker about HIPAA and information privacy and security
• See www.lewiscreeksystems.com for more details, resources, information security compliance news, etc.
Who is the HIPAA Privacy and Security Officer?
• The person responsible for making sure
– All the right policies and procedures are in place
– Application of policies and procedures is
documented
– Compliance is reviewed
– Compliance documentation is maintained
• The person answering the call from HHS
• The person answering the call from the CEO
HIPAA Privacy & Security Rules
• Privacy Rule
– 45 CFR Part 164 Subpart E; 45 CFR §164.5xx
– Enforceable since 2003
– Establishes Rights of Individuals
– Controls on Uses and Disclosures
– Several changes under the new rules
• Security Rule
– 45 CFR Part 164 Subpart C; 45 CFR §164.3xx
– Enforceable since 2005
– Applies to all electronic PHI
– Flexible, customizable approach to health information security
– Uses Risk Analysis to identify and plan the mitigation of security risks
– Unchanged in new rules, except to apply to Business Associates
• Now being enforced more, including identity theft cases
HIPAA Breach Notification Rule
• 45 CFR Part 164 Subpart D; 45 CFR §164.4xx
• Enforceable since February 2010, Final Rule now in effect, with
new changes in how to determine if a breach must be reported
• “Harm Standard” replaced by risk assessment showing
“Probability of Compromise”
• Requires reporting of all PHI breaches to HHS and individuals
• Extensive/expensive obligations
• Provides great examples of what not to do; HHS Wall of Shame: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html
HIPAA Omnibus Update
Implements the HITECH Act
• Health Information Technology for Economic and Clinical Health Act, or the
HITECH Act, under consideration already in 2008
• Became Title XIII of the American Recovery and Reinvestment Act of 2009, or
ARRA, signed February 17, 2009
• Title XIII, Subtitle D-Privacy (all the sections 134xx of ARRA)
• Most of the interim final and proposed rules now finalized in the big HIPAA
Omnibus Update published January 25, 2013, effective March 26, 2013,
enforceable September 23, 2013
• Omnibus Update Rule, with Preamble, available at:
http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf
• New Combined Rules published by HHS OCR, available at:
http://www.hhs.gov/ocr/privacy/hipaa/administrative/combined/index.html
What is a Breach Under HIPAA?
• §164.402 Breach is acquisition, access, use, or disclosure in
violation of the Privacy Rule
• Exceptions by law: Not Reportable if secured or destroyed;
unintentional, in good faith, with no further use (within the
entity); inadvertent and within job scope (within the entity);
or, info cannot be retained
• Not reportable if risk assessment shows “low probability of
compromise” based on four factors:
– what is the data, how identifiable is it, and might its release have an
“adverse impact” on the individuals
– to whom was it disclosed
– was it actually accessed or viewed
– has it been mitigated
Statistics on HIPAA Breach Notification
• For reported breaches of 500 or more individuals’ PHI in the first year of the reporting requirement:
– 76% of breaches involve loss (15%), theft (56%), or improper disposal (5%) – old-fashioned physical security of valuable data
– 17% are caused by unauthorized access or disclosure
– 6% are caused by hacking
– Portable data, laptops, smart phones, memory sticks the leaders for larger breaches of PHI
• For smaller breaches:
– Largely single individuals affected
– Misdirected fax, e-mail, or hard copy communication
Breach Notification Deadlines
• New breach determination rules now in effect
• Must report breaches to individuals within 60 days
• Must report breaches affecting 500 or more individuals to
HHS and press within 60 days
• Must report ALL breaches of any size to HHS within 60 days of the end of the calendar year (by March 1st every year for the preceding year)
• To file breaches with HHS go to: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/index.html or http://tinyurl.com/yemwev8
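As an added example that is not part of the webinar, the breach-determination logic of the two preceding slides (the §164.402 exceptions, the four-factor “probability of compromise” assessment, and the 60-day and annual deadlines) written out as a Python helper an incident response team could keep beside its breach log. The 0–3 factor scores, the threshold of 4 and the sample incidents are assumptions; the rule names the four factors but prescribes no numeric scale.

```python
"""Breach-determination helper (constructed example). Scoring scale, threshold
and sample incidents are assumptions, not part of the HIPAA rules."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Optional


@dataclass
class Incident:
    discovered: date        # day the entity knew (or should have known) of the incident
    affected: int           # number of individuals whose PHI was involved
    # Exceptions by law (§164.402): any one of these means "not a reportable breach".
    secured_or_destroyed: bool = False  # PHI encrypted/destroyed per HHS guidance
    good_faith_internal: bool = False   # unintentional, good faith, no further use, within entity
    inadvertent_in_scope: bool = False  # inadvertent, within job scope, within entity
    cannot_be_retained: bool = False    # recipient could not reasonably have retained the PHI
    # Four-factor risk assessment, each scored 0 (no concern) to 3 (high concern).
    # Assumed scale: the rule names the factors but sets no numbers.
    data_sensitivity: int = 0   # what the data is, how identifiable, possible adverse impact
    recipient_risk: int = 0     # to whom it was disclosed
    actually_viewed: int = 0    # was it actually accessed or viewed
    mitigation_gap: int = 0     # how far mitigation falls short of removing the exposure


@dataclass
class Determination:
    reportable: bool
    rationale: str              # the assessment itself must be documented, so keep the reason
    individual_notice_by: Optional[date] = None
    hhs_notice_by: Optional[date] = None
    media_notice_by: Optional[date] = None


LOW_PROBABILITY_MAX_SCORE = 4       # assumed: total at or below this is "low probability"
NOTICE_WINDOW = timedelta(days=60)  # individuals (and HHS/media for 500+) within 60 days
LARGE_BREACH = 500                  # threshold for immediate HHS and media notice


def statutory_exception(inc: Incident) -> Optional[str]:
    """Return the applicable §164.402 exception, or None if none applies."""
    if inc.secured_or_destroyed:
        return "PHI secured (encrypted) or destroyed"
    if inc.good_faith_internal:
        return "unintentional, good-faith acquisition within the entity, no further use"
    if inc.inadvertent_in_scope:
        return "inadvertent disclosure within job scope, within the entity"
    if inc.cannot_be_retained:
        return "recipient could not reasonably have retained the information"
    return None


def compromise_score(inc: Incident) -> int:
    """Sum of the four factors; higher means greater probability of compromise."""
    return inc.data_sensitivity + inc.recipient_risk + inc.actually_viewed + inc.mitigation_gap


def assess(inc: Incident) -> Determination:
    """Decide reportability and compute the notification deadlines from the slides."""
    exception = statutory_exception(inc)
    if exception:
        return Determination(False, f"not a reportable breach: {exception}")
    score = compromise_score(inc)
    if score <= LOW_PROBABILITY_MAX_SCORE:
        return Determination(False, f"low probability of compromise (score {score})")
    notice_by = inc.discovered + NOTICE_WINDOW
    rationale = f"reportable, {inc.affected} individuals (score {score})"
    if inc.affected >= LARGE_BREACH:
        return Determination(True, rationale, individual_notice_by=notice_by,
                             hhs_notice_by=notice_by, media_notice_by=notice_by)
    # Smaller breaches go on the annual log to HHS, due March 1 of the following year
    annual_log_due = date(inc.discovered.year + 1, 3, 1)
    return Determination(True, rationale, individual_notice_by=notice_by,
                         hhs_notice_by=annual_log_due)


# Constructed sample incidents (not real cases), all discovered on 31 Oct 2013.
SAMPLES: Dict[str, Incident] = {
    "encrypted_laptop": Incident(date(2013, 10, 31), 2000, secured_or_destroyed=True),
    "misdirected_fax": Incident(date(2013, 10, 31), 1, data_sensitivity=2, recipient_risk=1),
    "stolen_unencrypted_drive": Incident(date(2013, 10, 31), 1200, data_sensitivity=3,
                                         recipient_risk=3, actually_viewed=2, mitigation_gap=3),
    "snooping_employee": Incident(date(2013, 10, 31), 12, data_sensitivity=3,
                                  recipient_risk=2, actually_viewed=3, mitigation_gap=1),
}


def run_samples() -> Dict[str, Determination]:
    """Assess every sample incident; returns name -> Determination."""
    return {name: assess(inc) for name, inc in SAMPLES.items()}
```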
PHI, Uses, and Disclosures
• Protected Health Information (PHI): Individually identifiable
information about health, health care or payment for
healthcare services
• Disclosure: the release, transfer, provision of, access to, or
divulging in any other manner of information outside the
entity holding the information
• As distinct from Use: the sharing, employment, application,
utilization, examination, or analysis of individually identifiable
health information within an entity that maintains such
information
More Definitions: DRS, TPO
• Designated Record Set
– The medical records and billing records about individuals maintained by or for a
covered health care provider;
– The enrollment, payment, claims adjudication, and case or medical management
record systems maintained by or for a health plan; or
– Used, in whole or in part, by or for the covered entity to make decisions about
individuals.
• TPO: Treatment, Payment, and Healthcare Operations
– Relating to provision, coordination, and management of healthcare services
– Reviews, determinations, billing, collection
– Case management, workforce evaluation, peer review, outcomes analysis, etc.
related to YOUR operations
– http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/usesanddisclosuresfortpo.html
Accounting of Disclosures
• Individual has right to an accounting of all disclosures of
health information in last six years
• Except for disclosures:
– For Treatment, Payment, and Healthcare Operations
– To the individual; under authorization; associated with disclosures under §164.502; for facility directories; for national security; law enforcement; limited data set…
• Proposed Rule to implement changes under HITECH Act
§13405(c) NOT included in the Omnibus HIPAA Update Final
Rule
• To be finalized at a point uncertain in the future; hearings are
under way to devise new proposed rules
Restriction of Disclosures
• Minimum Necessary is the basic rule: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/minimumnecessary.html
• HITECH §13405(a) Individual may request no disclosure to insurer if paid out of pocket; provider must comply
• (b)(1) Disclosers must provide only limited data set or “minimum necessary”
• (b)(2) Disclosers will need to determine “minimum necessary”
• (d) No sale of PHI without authorization specifically allowing remuneration
• Changes to HIPAA §164.522(a)(1)(vi), 502(b), 514(e), 508(a)(4) to implement the new rules
– Guidance on “minimum necessary” will supersede (b)(1) above
– Was formerly requester’s responsibility
Requests for Restrictions
• Must have a process for individuals to request restrictions on use and disclosure
– Need not honor requests
– Do what you reasonably can
• New: Individual may request no information shared with insurer if paid in full out of pocket; MUST honor!
• Impacts of new restriction:
– Must have a policy/procedure/process
– Required in your EHR to meet the law
– Can you flag such encounters?
– What about pass-through effects?
– Issues with aggregated data
– What about contracts with insurers?
– May need to update BA Agreements
– Will need to update the Notice of Privacy Practices
Individual Access of PHI
• Must have a process for individual to request access, for
reasonable cost-based fee
• Must provide the entire record in the Designated Record Set if
requested:
– Medical and billing records used in whole or in part to make decisions
related to health care
– Information kept electronically must be available electronically if
requested
– Exceptions for Psychotherapy notes, CLIA, others
– Changes to HIPAA and CLIA proposed to allow access of lab
information by individuals, not finalized yet
• 30-day extension for offsite data no longer allowed
Individual Preferences for Communication
• §164.522(b)(1) Standard: Confidential Communications Requirements
– (i) A covered health care provider must permit individuals to request and must accommodate reasonable requests by individuals to receive communications of protected health information from the covered health care provider by alternative means or at alternative locations.
• §164.524(c) Provision of Access
– (2) Form of access requested. (i) The covered entity must provide the individual with access to the protected health information in the form or format requested by the individual, if it is readily producible in such form or format; or, if not, in a readable hard copy form or such other form or format as agreed to by the covered entity and the individual.
– New (c)(2)(i): If PHI is electronic, individual may request electronic copy.
• Process:
– Must accommodate reasonable requests
– Provide ability to mail to alternate addresses, not receive telephone calls, etc.
– May refuse if request is unreasonable
– Individuals may want to use e-mail, texting, social media
– Use Risk Analysis to determine suitability, obtain agreements
Calculating/Evaluating Risk
• Each Risk Issue has an Impact and Likelihood
– Impact is how great the damage would be; more information about
more people with more detail has a greater Impact
– Likelihood is how likely it is that the risk issue would become a reality
• Risk = Impact x Likelihood
• If risk level appears low, it may be acceptable to both the
entity and the individual
– An informed risk decision can be made about the importance of
mitigating certain risks
– Rights can not be given up under HIPAA, but individuals can make an
informed risk decision
System Vendor Questions
• Can disclosures to insurers be properly restricted if requested?
• Can systems provide access to DRS PHI for individuals?
• Does your Business Associate agreement with the vendor supplying your systems require them to provide the abilities you need to meet the new requirements?
• What about proposed changes in Accounting of Disclosures (not in this final rule, but coming someday)?
• Can systems provide an access audit report good enough to satisfy HIPAA Security Rule requirements?
Marketing Changes
• Marketing is still marketing and still requires an authorization
• Treatment and Healthcare Operations are not marketing, but…
• Authorizations are now required for all treatment and healthcare
operations where the Covered Entity receives financial remuneration from
a third party whose product or service is being marketed
• New guidance available at: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/marketingrefillreminder.html
• Exemptions:
– Face to Face communication
– Refill reminders or other info about a drug or biologic that is currently prescribed, but not exempt if remuneration above costs is involved
– Communications promoting health in general, such as routine tests
– Communications about government and government-sponsored programs
Sale of PHI
• HIPAA §164.508(a)(4): If you disclose for
remuneration, you must have an authorization
stating that the disclosure results in remuneration
• Exceptions for public health, research, treatment and
payment purposes, sale of practice, transfer to a BA
providing services, to the individual, etc.
Fundraising Changes
• HITECH §13406(b) and HIPAA §164.514(f)(1) Opportunity to
Opt Out of Fundraising
• Demographic information, dates of healthcare services,
department providing services, physician, health plan status,
and outcome can be used for fundraising without
authorization
• Notice of Privacy Practices must state so
• Easy Opt-out must be provided, by campaign or for all
campaigns, must be honored, and can’t be used to condition
treatment or payment
Additional Changes to HIPAA: Genetic Information Nondiscrimination Act (GINA)
• New changes to §164.502(a)(5)(i)
• Genetic information not to be used in health plan
underwriting, enrollment, eligibility, premium
computation, consideration of pre-existing
conditions, etc…
• Must update and redistribute Health Plan Notice of
Privacy Practices
NPP Modifications
• Right to be notified in the event of a breach
• New Right to restrict disclosures to insurers if services paid in
full out of pocket, must comply
• New Right to receive electronic copy of electronic PHI
• Authorizations for sale of PHI for remuneration will say so
• Changes based on new Marketing and Healthcare Operations
definitions and exceptions
• Changes to PHI used for Fundraising, and easy opt-out
• Talk about PHI sharing, Health Information Exchanges
• New Templates from HHS and AMA
– http://www.hhs.gov/ocr/privacy/hipaa/modelnotices.html
– http://www.ama-assn.org/go/hipaa
Implementation
• Update Policies and Procedures to match new rights and
restrictions
• Update NPP to include new changes and required items
• Provide training in new policies and procedures, and the new
Notice of Privacy Practices
• Implement both NPP and P&Ps simultaneously
– Post new NPP on the wall (or a summary) and Website
– Have NPP readily available without having to ask
– Start handing out the new one
– Providers don’t have to mail a new one to everyone
What is a Business Associate?
• An individual or entity, not acting as an employee, that:
– Creates, receives, maintains, or transmits protected health information
for a function or activity regulated by HIPAA on behalf of a covered
entity (CE) or another BA
– Provides legal, actuarial, accounting, consulting, data aggregation (as
defined in §164.501 of this subchapter), management, administrative,
accreditation, or financial services and needs PHI to do it
• Anything a CE or BA could do itself but has someone else do it
for them, involving using, disclosing, creating, receiving,
maintaining, or transmitting PHI
• May include any vendor with “persistence of custody” of PHI
What is a Business Associate?
• Includes:
– Billing service
– Shredding service
– Systems vendors who access PHI
• Does not include those who would have no reason to use or
disclose PHI, such as:
– Tradesmen (plumber, etc.)
– Housekeeping, etc.
• Not Payers, other Providers, or Workforce Members
• Not Conduits (USPS, FedEx, etc.)
• BAs now include subcontractors, Health Information
Organizations, and Patient Safety Organizations
Business Associate Changes
• Business Associates now under HIPAA
– Security Rule safeguards apply to BAs
– Privacy Rule use & disclosure applies
– Can use info only as stated in contract
– Penalties can apply to BAs
– BAs also responsible for having BAAs
– Final Rule enforceable September 23, 2013
– Valid BA Agreements in place under old rules executed by January 25, 2013 are OK until September 23, 2014
• New sample Business Associate Agreement language: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html
Information Security Management Process
• Definition of Information Security: Protecting information
– Confidentiality
– Integrity
– Availability
• Definition of a Management Process:
– Define and understand what you have
– See how well it performs
– Watch for problems
– Review activities and issues
– Make changes based on bang-for-buck
Information Security Management Process
• Information Inventory and Flow Analysis
• Access and Configuration Control
• Know who and what’s been going on in your networks and systems
• Respond to and learn from Incidents
• Audit and review regularly, and when operations or environment change
• Make risk-based improvements
• Focus: Confidentiality, Integrity, Availability
Security Requirements within the Privacy Rule – §164.530(c)
• §164.530(c)(1): “A covered entity must have in place
appropriate physical, technical, and administrative safeguards
to protect the privacy of protected health information.”
• §164.530(c)(2)(i): “A covered entity must reasonably
safeguard protected health information from any intentional
or unintentional use or disclosure that is in violation of the
standards, implementation specifications, or other
requirements of this subpart.”
HIPAA Security Rule §164.306: General Rules
• (a)(1) Ensure confidentiality, integrity, and availability of
electronic PHI
• (a)(2) Protect against “reasonably anticipated” threats or
hazards to security of PHI
• (a)(3) Protect against “reasonably anticipated” improper uses
and disclosures under Privacy Rule
• (a)(4) Ensure compliance by the Workforce
• (b) Flexibility
• (c) Requirement to meet all Standards (18)
• (d) Meet Required Implementation Specifications (14);
Assess Addressable Specifications (22) and Document
• (e) Regularly Review
§164.306(b): The Flexibility Section
• “… may use any security measures that allow the CE
or BA to reasonably and appropriately implement the
standards and implementation specifications as
specified…”
• Must consider a number of factors...
– Size, Complexity, and Capabilities
– Technical Infrastructure, Hardware, and Software Security
Capabilities
– Costs
– Probability and Criticality of RISKS
Standards and Implementation Specifications
• Standards (18) Provide the Objectives and Primary Mission
– All Standards are Required to be met
– 12 Standards have Implementation Specifications
• Implementation Specifications (36) Provide Additional Details
– 14 are Required – 22 are Addressable
• Required vs. Addressable Implementation Specifications
– If Required, implement as specified
– If Addressable, implement if “reasonable and appropriate”
– If not reasonable and appropriate, implement an alternative if you can and
JUSTIFY YOUR ACTIONS
Six Steps to Compliance
1. Enumerate All Your Systems
2. Information Flow Analysis
3. Preliminary Risk Analysis
4. Detailed Risk Assessment
5. Risk Determination
6. Mitigation, Policies and Procedures, and Training
• And document every step of the way
Security Regulation §164.308 Administrative Safeguards
• (a)(1) Security Management Process
– Risk Analysis (R) and Risk Management (R)
– Sanction Policy (R), Information System Activity Review (R)
• (a)(2) Assigned Security Responsibility (R)
• (a)(3) Workforce Security
– Authorization and/or Supervision (A), Clearance Procedure (A), Termination Procedures (A)
• (a)(4) Information Access Management
– Access Authorization (A)
– Access Establishment and Modification (A)
• (a)(5) Security Awareness and Training (A)
– For ALL staff, initially and continuing – a PROGRAM
Security Regulation §164.308 Administrative Safeguards
• (a)(6) Security Incident Procedures (R)
– For reporting and responding to various kinds of security incidents and policy violations, with documentation
• (a)(7) Contingency Plan
– Data Backup (R); Disaster Recovery (R)
– Emergency Mode Operation Plans (R)
– Testing & Revision Procedures, Applications & Data Criticality Analyses (A)
• (a)(8) Evaluation (R)
– Must formally periodically evaluate compliance
– By Calendar or if Changes in Systems or Environment
• (b) Business Associates (R)
– Must have Written Contracts; See §164.314 for details
Security Regulation §164.310 Physical Safeguards
• (a) Facility Access Controls (A)
– Contingency Operations; Facility Security Plan; Access Control and Validation Procedures; Maintenance Records
• (b) Workstation Use (R)
– Policies and Procedures Required; Acceptable Use Policy
• (c) Workstation Security (R)
– Must restrict access to Authorized Users only; Work area access; Monitor placement
• (d) Device and Media Controls
– Disposal and Re-Use (R) – Must clear old data before disposal or re-use
– Accountability (A) – Record of equipment movements and responsibility
Security Regulation §164.312 Technical Safeguards
• (a) Access Control
– Unique User Identification (R); Emergency Access Procedure (R); Automatic Logoff (A); Encryption and Decryption (A)
• (b) Audit Controls (R)
– Hardware, software, or procedural means to record and examine system activity
– How to accomplish? Log all activity, or sample activity for a period of time or a subset of users and systems
• (c) Integrity (A)
• (d) Person or Entity Authentication (R)
• (e) Transmission Security
– Integrity Controls (A); Encryption (A)
Security Policy Framework
• Four Basic Policies
– Security Management Process
– Information Access Controls
– Data Management (Contingency-Backup-Retention)
– User Policy
• Include enabling language in Policy
• Define details in Procedures
• Documentation, Documentation, Documentation
Security Policy Help
• The SANS Security Policy Project
– Samples of several policies, guidance in policy development and deployment
– Available at: http://www.sans.org/resources/policies/
• New York University HIPAA security policies
– Does provide a good level of detail
– Many of the concepts are directly transferable to other organizations
– Available at: http://www.nyu.edu/its/policies/#hipaa
• NIST Incident Handling Guide
– Computer Security Incident Handling Guide, SP 800-61 Revision 2, a practical guide to responding to incidents and establishing a computer security incident policy and process: http://csrc.nist.gov/publications/nistpubs/800-61rev2/SP800-61rev2.pdf
– In addition, the September 2012 NIST ITL Bulletin focuses on the revised SP 800-61, providing additional insights and guidance, available at: http://csrc.nist.gov/publications/nistbul/itlbul2012_09.pdf
Enforcement and Penalties
• HITECH Act §13409 – Wrongful Disclosures
– Law specifically applies to individuals for wrongful disclosures
• HITECH Act §13410 – New Penalty Structure
– (a), (b) “Willful Neglect” violations
• Must be investigated, penalties mandatory
– (c) Distribution of penalties
• To provide more enforcement
• Portion will go to those harmed, regulations overdue
– (d) Higher penalties effective for violations
• New, four tier penalty structure, with up to $1.5 million maximum for all
violations of the same provision in a calendar year
– (e) State Attorneys General may bring HIPAA action
– (f) Continued corrective action allowed, even if no penalty
New Enforcement Definitions
• Reasonable Cause (revised): An act or omission in which a covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission violated an administrative simplification provision, but in which the covered entity or business associate did not act with willful neglect
• Reasonable Diligence: Business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances
• Willful Neglect: Conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated
Tiered Penalty Structure
• HIPAA §160.404: Penalty Amounts
• Tier 1: Did not know and, with reasonable diligence, would not have known
– $100 - $50,000 per violation
• Tier 2: Violation due to reasonable cause and not willful neglect
– $1000 - $50,000 per violation
• Tier 3: Violation due to willful neglect and corrected within 30 days of when known or should have been known with reasonable diligence
– $10,000 - $50,000 per violation
• Tier 4: Violation due to willful neglect and NOT corrected within 30 days of when known or should have been known with reasonable diligence
– $50,000 per violation
• $1.5 million maximum for all violations of a similar type in a calendar year
Affirmative Defenses and Waivers
• Affirmative Defenses
– §160.410: For violations after 2/17/2009:
– Act is punishable under 42 USC 1320d-6 (wrongful disclosures)
– Or Secretary is satisfied that violation is:
• Not due to willful neglect (reasonable cause requirement now removed), and
• Corrected during:
– 30 days from when known or should have known
– Additional period as Secretary determines
• Waivers
– §160.412: For violations due to reasonable cause and not willful neglect
– Not corrected within the 30-day (or extended) period
– Secretary may waive penalty or a portion, to the extent penalty is
excessive relative to the violation
HHS Is Serious About Enforcement
• $4.3 million fine for Cignet Health of Maryland for multiple HIPAA violations
including ignoring OCR investigators – the first actual fine!
• $1 million settlement with Mass General Hospital in connection with a staff
member’s leaving sensitive records for 192 individuals on the subway
• $865K+ settlement with UCLA Medical Center for snooping in celebrity records
• Multiple multi-million dollar settlements with pharmacies
• $100K settlement with a physician’s office for Security Rule violations
• $1.5 million settlement with BC/BS of Tennessee for lost hard drives
• $1.7 million settlement with Alaska Medicaid for lack of security process
• $1.5 million settlement with MEEI for lack of security for portable devices
• $500K settlement with Hospice of North Idaho for insecure laptop, no process
• $400K settlement with Idaho State University for insecure server, no process
• $275K settlement with Shasta Regional Med Center for inappropriate disclosure of PHI and lack of sanctions for violations
• $1.7 million settlement with WellPoint for insecure server, no process
• $1.2 million settlement with Affinity Health for improper disposal of copiers
HIPAA Audits
• HITECH §13411 now requires HHS to conduct periodic audits
• Initial program conducted in 2012, being revised
• New program to begin in 2014
• Will focus on identified problem areas: laptops, encryption, audits, NPPs
• Show you have in place all the policies and procedures required by the HIPAA Privacy and Security Rules
• Show you have been using them
– e.g., Show training policy, training materials, and training rosters
– e.g., Show security incident policy and security incident reports
• 3 week notice – you must be prepared in advance or it’s too late!
• HHS site for the audit program: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/index.html
What will they ask for in an Audit?
• HIPAA Privacy, Security, and Breach Notification Rule policies
and procedures and evidence of their application
– 42 questions asked in first OIG HIPAA Security audit in March 2007 at:
http://tinyurl.com/2ac9jm
– CMS OESS 2008 Interview and Document Request for HIPAA Security
Onsite Investigations and Compliance Reviews, at:
http://tinyurl.com/2gaswf
– Questions asked of a small provider after a data breach involving theft
of a laptop and server, at: http://tinyurl.com/3jpoa4p
– Questions asked in early 2012 audits, at: http://tinyurl.com/cbcllz7
– HHS’s 2012 HIPAA Audit Protocol, not revised for new rules: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html
How to Prepare for an Audit
• Do it NOW, before they call
• Be ready to answer the questions asked in prior audits
• Make sure your documentation is complete and up-to-date –
use tools such as the HIPAA Audit Protocol and the NIST HIPAA
Security Rule Toolkit to evaluate and document compliance
– HIPAA Audit Protocol (download it to a spreadsheet!): http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html
– NIST HIPAA Security Rule Toolkit: http://scap.nist.gov/hipaa/
Your to-do list…
• Don’t be in denial – willful neglect will cost you
• Review your policies and procedures per the new rights and restrictions
• Update your policies and Notice of Privacy Practices
• Review Business Associate Agreements
• Make sure EHR vendors can meet restriction requirements and provide electronic copies
• Prepare for Breach Notification
• Review the questions asked in prior HIPAA audits
• Be ready for incidents and audits – conduct drills
• Provide training and document compliance
• Always have a plan for moving forward, and follow it!
Thank You!
• Numerous resources, regulations, laws, guidance, and tools are available without charge or registration at: www.lewiscreeksystems.com/resources.html
• News items of interest to those involved with health information privacy and security are available without charge or registration at: www.lewiscreeksystems.com/privacy_security_and_compli.html
• If there are any further questions which we are not able to get to today please feel free to contact me at:
Jim Sheldon-Dean
Lewis Creek Systems, LLC
Q/A Session
Upcoming Webinar from Jim Sheldon-Dean
• New HIPAA Business Associate Responsibilities and
Agreements Under the HITECH Act Omnibus HIPAA
Update
• Wednesday, November 20, 2013 at 1:00 PM Eastern
time.
• For additional information and registration, please
see: https://www.compliance2go.com/product/?pid=CP2013228
Thank you for Attending Our Live Web Seminar
Please feel free to contact us for any questions on the web seminar at
[email protected] /[email protected] or call us at Toll
Free 877.782.4696