HIPAA Privacy and Security: Surviving Heightened Enforcement - PowerPoint PPT Presentation



SLIDE 1

Presenting a live 90-minute webinar with interactive Q&A

HIPAA Privacy and Security: Surviving Heightened Enforcement

Crafting and Implementing Data Security Policies and Responding to Breaches

THURSDAY, MAY 5, 2011
1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific

Today's faculty features:
  • Nathan A. Kottkamp, Partner, McGuireWoods, Richmond, Va.
  • Gina M. Kastel, Partner, Faegre & Benson, Minneapolis
  • Rebecca C. Fayed, Counsel, SNR Denton, Washington, D.C.

The audio portion of the conference may be accessed via the telephone or by using your computer's speakers. Please refer to the instructions emailed to registrants for additional information. If you have any questions, please contact Customer Service at 1-800-926-7926 ext. 10.

SLIDE 2

Conference Materials

If you have not printed the conference materials for this program, please complete the following steps:

  • Click on the + sign next to "Conference Materials" in the middle of the left-hand column on your screen.
  • Click on the tab labeled "Handouts" that appears, and there you will see a PDF of the slides for today's program.
  • Double click on the PDF and a separate page will open.
  • Print the slides by clicking on the printer icon.
SLIDE 3

Continuing Education Credits

FOR LIVE EVENT ONLY

For CLE purposes, please let us know how many people are listening at your location by completing each of the following steps:

  • Close the notification box
  • In the chat box, type (1) your company name and (2) the number of attendees at your location
  • Click the blue icon beside the box to send
SLIDE 4

Tips for Optimal Quality

Sound Quality

If you are listening via your computer speakers, please note that the quality of your sound will vary depending on the speed and quality of your internet connection. If the sound quality is not satisfactory and you are listening via your computer speakers, you may listen via the phone: dial 1-888-450-9970 and enter your PIN when prompted. Otherwise, please send us a chat or e-mail sound@straffordpub.com immediately so we can address the problem. If you dialed in and have any difficulties during the call, press *0 for assistance.

Viewing Quality

To maximize your screen, press the F11 key on your keyboard. To exit full screen, press the F11 key again.

SLIDE 5

HIPAA Enforcement: The Dawn of a New Era

Nathan A. Kottkamp May 5, 2011

www.mcguirewoods.com

SLIDE 6

HIPAA Enforcement: Before HITECH

All Bark and No Bite?

McGuireWoods LLP | 6

SLIDE 7

HIPAA Enforcement Pre-HITECH

  • Pre-HITECH
    – Penalty limited to $100 per violation or $25K for all identical violations
    – No civil money penalty cases

SLIDE 8

Providence Health & Services - 2008

la di da, la di da . . .

SLIDE 9

Providence Health & Services - 2008

  • Providence agrees to pay $100,000 and implement a detailed Corrective Action Plan to ensure that it will appropriately safeguard identifiable electronic patient information against theft or loss.
  • The Resolution Agreement relates to Providence's loss of electronic backup media and laptop computers containing individually identifiable health information in 2005 and 2006.
  • Providence agreed to perform certain obligations (e.g., staff training) and make reports to HHS for three years.
  • During the period, HHS monitors the compliance of the covered entity with the obligations it has agreed to perform.

http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/providenceresolutionagreement.html

SLIDE 10

CVS - 2009

Patient records?

SLIDE 11

CVS - 2009

Under the Resolution Agreement, CVS agreed to pay a $2,250,000 resolution amount and implement a strong Corrective Action Plan that requires:

  1. revising and distributing its policies and procedures regarding disposal of protected health information;
  2. sanctioning workers who do not follow them;
  3. training workforce members on these new requirements;
  4. conducting internal monitoring;
  5. engaging a qualified, independent third-party assessor to conduct assessments of CVS compliance with the requirements of the Corrective Action Plan and render reports to HHS;
  6. new internal reporting procedures requiring workers to report all violations of these new privacy policies and procedures; and
  7. submitting compliance reports to HHS for a period of three years.

http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/cvsresolutionagreement.html

SLIDE 12

HIPAA Penalties Under HITECH

The Health Information Technology for Economic and Clinical Health (HITECH) Act revised HIPAA's enforcement regulations:

  – New penalty tiers (the caps apply to violations of an identical provision in a calendar year):
    • Unknowing ($100 per violation / $25K max)
    • Reasonable cause ($1K per violation / $100K max)
    • Willful neglect, corrected ($10K per violation / $250K max)
    • Uncorrected willful neglect ($50K per violation / $1.5M max)
  – Civil and criminal liability for HIPAA violations extended to business associates
  – Mandatory investigations and civil penalties for violations due to willful neglect
  – Increased emphasis and significant funding on enforcement

SLIDE 13

Rite Aid - 2010

SLIDE 14

Rite Aid - 2010

Under the HHS resolution agreement, Rite Aid agreed to pay a $1 million resolution amount to HHS and must implement a strong corrective action program that includes:

  – Revising and distributing its policies and procedures regarding disposal of protected health information and sanctioning workers who do not follow them;
  – Training workforce members on these new requirements;
  – Conducting internal monitoring; and
  – Engaging a qualified, independent third-party assessor to conduct compliance reviews and render reports to HHS.

http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/riteaidresagr.html

SLIDE 15

2011

SLIDE 16

Enforcement

  • To boost enforcement of the HIPAA Security Rule, OCR has added investigators in 10 regional offices.
  • HHS is seeking a $5.6 million increase in funding for Fiscal 2012 enforcement.
  • In FY 2010, the office received approximately 9,400 complaints associated with the HIPAA Privacy and Security Rules.

SLIDE 17

Cignet Health - Landmark HIPAA Civil Monetary Penalty, February 4, 2011

"Today the message is loud and clear: HHS is serious about enforcing individual rights guaranteed by the HIPAA Privacy Rule and ensuring provider cooperation with our enforcement efforts."

  • OCR Director Georgina Verdugo

http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/cignetresolutionagreement.html

SLIDE 18

Cignet Health of Prince George’s County

SLIDE 19

Cignet Health of Prince George's County, MD - Landmark HIPAA Civil Monetary Penalty, February 4, 2011

  • The first-ever civil money penalty: $4.3 million
  • Cignet violated 41 patients' rights by denying them access to their medical records when requested between September 2008 and October 2009.
    – The HIPAA Privacy Rule requires that a covered entity provide a patient with a copy of their medical records within 30 (and no later than 60) days of the patient's request.
    – The CMP for these violations is $1.3 million.
  • Cignet failed to cooperate with OCR's investigations of the complaints and produce the records in response to OCR's subpoena.
    – Covered entities are required under law to cooperate with the Department's investigations.
    – The CMP for these violations is $3 million.

SLIDE 20

Cignet Health - Landmark HIPAA Civil Monetary Penalty, February 4, 2011

"Covered entities and business associates must uphold their responsibility to provide patients with access to their medical records, and adhere closely to all of HIPAA's requirements . . . . The U.S. Department of Health and Human Services will continue to investigate and take action against those organizations that knowingly disregard their obligations under these rules."

  • OCR Director Georgina Verdugo

http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/cignetresolutionagreement.html

SLIDE 21

Mass General - "The Million Dollar Subway Ride," February 14, 2011

$1M

SLIDE 22

Seriously?

SLIDE 23

Mass General - "The Million Dollar Subway Ride," February 14, 2011

  • An employee of General Hospital Corporation and Massachusetts General Physicians Organization Inc. ("Mass General") left documents on a subway that included a patient schedule containing protected health information ("PHI") of 192 patients, and billing forms with PHI for 66 of those patients. This included PHI of patients with HIV/AIDS.
  • The records were bound only by a rubber band!

SLIDE 24

Mass General - "The Million Dollar Subway Ride," February 14, 2011

  • Mass General paid the US Government a $1,000,000 settlement and entered into a Corrective Action Plan ("CAP"):
    – Develop and implement a comprehensive set of policies and procedures that ensure PHI is protected when removed from Mass General's premises;
    – Train workforce members on these policies and procedures; and
    – Designate the Director of Internal Audit Services to serve as an internal monitor who will conduct assessments of compliance with the CAP and render semi-annual reports to HHS for a 3-year period.

SLIDE 25

Mass General - "The Million Dollar Subway Ride," February 14, 2011

"To avoid enforcement penalties, covered entities must ensure they are always in compliance with the HIPAA Privacy and Security Rules. . . . A robust compliance program includes employee training, vigilant implementation of policies and procedures, regular internal audits, and a prompt action plan to respond to incidents."

  • OCR Director Georgina Verdugo

SLIDE 26

Consequences

  • MORE, MORE, MORE
    – Education
    – Policies
    – Monitoring
    – Documentation
    – Scrutiny

SLIDE 27

Lessons Learned

  • Expect HHS to continue its HIPAA enforcement efforts
  • Cooperate with HHS investigations to limit penalties
  • Covered Entities must have a robust Compliance Plan
    – Updated policies and procedures
    – Workforce training
    – Internal audits
    – Mitigation plan upon discovery of a potential HIPAA violation

SLIDE 28

Contact Information

Nathan A. Kottkamp
804.775.1092
nkottkamp@mcguirewoods.com
www.mcguirewoods.com

© 2011 McGuireWoods LLP

SLIDE 29

HIPAA Privacy and Security: Surviving Heightened Enforcement

Gina M. Kastel
612.766.7923
gkastel@faegre.com

SLIDE 30

Agenda

  • Background
  • Recent developments
  • Best practices

SLIDE 31

Background

  • Historic (non)enforcement: complaint driven and non-aggressive
  • No civil penalties imposed from 2003 to 2011 by the Office for Civil Rights
  • Minimal criminal prosecution
  • Penalties increased under HITECH
  • Easy to be complacent?

SLIDE 32

Recent Developments

  • Cignet, Massachusetts General, CVS, Rite Aid
  • Recent criminal prosecutions
    – Arkansas physician and hospital staff pleaded guilty to a criminal misdemeanor violation for accessing a patient's record without any legitimate purpose. Each was sentenced to a year's probation; the physician was fined $5,000 and had to perform community service.
    – Hospital clerk sentenced to a year in prison for sharing patient information on myspace.com.
    – Medical records administrator received two years in prison for stealing patient information in a credit card scam.
  • Enforcement generally on the rise

SLIDE 33

The View from the Office for Civil Rights

"We hope the health care industry will take a close look at this agreement and recognize that OCR is serious about HIPAA enforcement. It is a covered entity's responsibility to protect its patients' health information."

"To avoid enforcement penalties, covered entities must ensure they are always in compliance with the HIPAA Privacy and Security Rules," said Verdugo. "A robust compliance program includes employee training, vigilant implementation of policies and procedures, regular internal audits, and a prompt action plan to respond to incidents."

  • Georgina Verdugo, OCR Director

SLIDE 34

Best Practices

SLIDE 35

Learn from the Mistakes of Others

  • Massachusetts General Resolution Agreement
    www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/massgeneralra.pdf
  • Cignet Notice of Final Determination
    www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/cignetpenaltyletter.pdf
  • OCR enforcement examples and resolution agreements available at
    www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/index.html
  • OCR security breach list
    www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

SLIDE 36

Reassess Organization's Current Compliance

Review and update policies and procedures
  • Complete? Accessible?
  • Ensure HITECH requirements are included
  • Look at recent enforcement decisions for guidance
    – Removal of PHI from the facility
    – Encryption of mobile devices
  • Be sure staff follows them; do not get hung by "zombie" policies (policies that exist on paper but that nobody actually follows, which an investigator will hold you to anyway)

SLIDE 37

Train, Train, Train

  • Consider a mix of training methods
  • Train regularly
  • Focus on high-risk issues
  • Have staff take tests and certify to completion of training
  • Keep training materials

SLIDE 38

Respond Quickly

  • Ensure prompt incident response processes are in place
  • Investigate thoroughly
  • Implement appropriate corrective action
  • Take appropriate disciplinary action
  • COOPERATE WITH THE GOVERNMENT!

SLIDE 39

Set the Tone at the Top

  • Get buy-in on health care compliance from the executive team
  • Ensure managers and supervisors stress the importance of compliance

SLIDE 40

Conduct Ongoing Compliance Assessments

  • Develop a program of self-monitoring and auditing
  • Focus on high-risk areas
    – Mobile devices
    – High-profile patients and members
    – Improper disclosures
    – Disposal of records
  • Follow up when problems are found

SLIDE 41

Monitor New Developments

  • Someone in the organization should be responsible for tracking new developments
  • Share information when the law or enforcement activity changes
  • Have a mechanism in place to respond to new developments

SLIDE 42

HIPAA Privacy and Security: Surviving Heightened Enforcement

Strategies to Prepare For or Respond To a Breach

May 5, 2011

Rebecca C. Fayed
rebecca.fayed@snrdenton.com

SLIDE 43

10-Step Breach Response Plan Overview

  1. Prepare for the possibility of a breach.
  2. Investigate the incident.
  3. Mitigate the harm and take corrective action.
  4. Assess and document whether the incident is a "breach" under the HITECH Act / HHS Breach Notification Rule.
  5. Analyze whether the incident is a breach under applicable state law.
  6. Notify individuals (or the covered entity).
  7. Notify the media.
  8. Notify HHS and, if applicable, state agencies.
  9. Reassess privacy and security compliance policies and procedures.
  10. Prepare for the possibility of an HHS-OCR or state AG investigation.

SLIDE 44

Step 1: Prepare for the Possibility of a Breach

  • Develop and implement an incident response and breach notification procedure.
  • Establish an incident response team.
  • Consider encrypting protected health information.
  • When negotiating business associate agreements, consider including an indemnification clause and a breach notification provision addressing who is responsible for what.
  • Consider purchasing data security breach insurance.

SLIDE 45

Step 2: Investigate the Incident

  • Do you have a breach notification procedure in place? Do you have an incident response team?
    – If yes, follow the procedure and initiate the actions of the incident response team.
    – If no, identify the individuals in the best positions to help investigate and respond to the incident.
  • Identify the following:
    – Facts surrounding the incident (e.g., stolen or lost laptop, backup tape, portable storage device; email or fax sent to the wrong recipient; paper records thrown in the trash).
    – Data elements (e.g., names, addresses, phone numbers, PHI, Social Security numbers, credit card numbers).
    – Number of people affected.
    – States in which affected people live and the total in each state.
    – Whether the information was encrypted.

SLIDE 46

Step 3: Mitigate Harm & Take Corrective Action

  • Mitigate: A covered entity must mitigate, to the extent practicable, any harmful effect that is known to the covered entity of a use or disclosure of PHI in violation of its policies and procedures or the Privacy Rule by the covered entity or its business associate. 45 C.F.R. 164.530(f).
    – e.g., file a police report, contact the recipient and ask for the information to be returned or destroyed.
  • Corrective action: May need to terminate the agreement with the BA, revise procedures, sanction employees.
  • If determined to be a breach, decide whether credit monitoring services will be offered.

SLIDE 47

Step 4: Assess and Document Whether the Incident is a Breach Under the HITECH Act / HHS Breach Notification Rule

  • Breach: Acquisition, access, use, or disclosure of PHI (either electronic or hard copy) not permitted by the Privacy Rule which compromises the security or privacy of the PHI (i.e., it poses a significant risk of financial, reputational, or other harm to the individual).
  • 3 steps to determine if an incident is a breach:
    – Impermissible use or disclosure of PHI under the Privacy Rule?
    – Compromises the privacy or security of PHI by creating a significant risk of harm?
    – Is the incident excluded from the definition of a breach?
      • An unintentional use of PHI by a workforce member acting in good faith and within the scope of his or her authority, and the PHI is not further used or disclosed improperly;
      • An inadvertent disclosure of PHI by an authorized person to another authorized person, and the PHI is not further used or disclosed improperly; or
      • A disclosure of PHI to an unauthorized person where there is a good faith belief that the unauthorized person would not reasonably have been able to retain the PHI.

SLIDE 48

Step 4: Assess and Document Whether the Incident is a Breach Under the HITECH Act / HHS Breach Notification Rule

  • The HITECH Act breach notification requirement applies only to the breach of unsecured PHI.
  • The breach of secured PHI is not subject to the breach notification requirement.
  • If PHI is rendered "unusable, unreadable, or indecipherable" to unauthorized individuals, it is secured.
  • Technologies and methodologies that will render PHI secured:
    1. Encryption (under the HHS guidance, only if the decryption key or process was not itself compromised; a stolen laptop with the key on a sticky note is not "secured").
    2. Destruction.

SLIDE 49

Step 5: Analyze Whether the Incident is a Breach Under State Law

  • The vast majority of states have data breach notification laws.
  • Need to analyze the state law's definition of "personal information."
  • A small number of states include health or medical information within the definition.
  • Need to analyze any exceptions to breach notification obligations (e.g., encryption, harm-based standards).
  • If a state breach notification law is triggered, notification obligations may exist in addition to those required by the HITECH Act.

SLIDE 50

Step 6: Notify Individuals or the Covered Entity

  • HITECH Act and HHS Breach Notification Rule: Notice must be provided to the individual "without unreasonable delay" and no later than 60 days after the breach is discovered. A breach is treated as discovered on the first day it is known, or by exercising reasonable diligence would have been known, to the entity, so the clock does not wait for the investigation to finish.
  • Notification should be made sooner than 60 days if possible. Many state laws require notification sooner.
  • Via first-class mail unless the individual has specified a preference for email.
  • Notice must include the following:
    – Description of the facts about the breach.
    – Type of PHI involved.
    – Steps individuals should take to protect themselves.
    – What the covered entity is doing to investigate the situation and prevent future breaches.
    – Contact information for individuals to ask questions.
  • Substitute notice may be required if not able to contact people.
  • HIPAA business associates must notify the covered entity of the breach. The contract may specify who will notify the individuals and/or who will pay for such notification.

SLIDE 51

Step 7: Notify Media

  • If PHI of more than 500 individuals in one state is breached, the entity must notify "prominent media outlets" in the state, on the same "without unreasonable delay, no later than 60 days" clock as individual notice.

SLIDE 52

Step 8: Notify HHS and/or State Agencies

  • Covered entities must notify HHS of the breach:
    – If 500 or more individuals are affected, notify HHS contemporaneously with notification to the individuals, via the online notification form.
    – If fewer than 500 individuals are affected, notify HHS via an annual log of events no later than 60 days following the end of the calendar year in which the breach was discovered.
  • Check state laws to determine whether any state agencies must be notified (e.g., police department, consumer protection agencies, Attorney General's office).
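The triage logic of Steps 2, 4, 6, 7 and 8 above, as an added worked example that is not part of the presentation and is not code from the presenters or from HHS. It encodes the federal rule as the slides state it (the 2009 interim rule's significant-risk-of-harm standard, the 60-day outer limit from discovery, the 500-individual thresholds for media and HHS notice, and the encryption/destruction safe harbour); the `Incident` record, its field names and the exclusion labels are assumptions made for this example, and state law (Step 5) is only flagged for review, not modelled:

```python
"""Breach-notification triage under the HITECH Act / HHS Breach Notification
Rule, following Steps 2, 4, 6, 7 and 8 of the deck.

Added example for this page, not code from the presenters or from HHS.
The Incident record, its field names and the exclusion labels are
assumptions made here; state law (Step 5) is flagged, not modelled.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# The three exclusions from the definition of "breach" listed under Step 4.
EXCLUSIONS = {
    "good_faith_workforce",      # unintentional, good faith, in scope, not further used
    "authorized_to_authorized",  # inadvertent disclosure between authorised persons
    "unable_to_retain",          # recipient could not reasonably have retained the PHI
}


@dataclass
class Incident:
    discovered: str                          # ISO date the breach was (or should have been) discovered
    impermissible_use: bool                  # Step 4, question 1
    significant_risk_of_harm: bool           # Step 4, question 2 (2009 interim rule standard)
    secured: bool                            # PHI encrypted (key not compromised) or destroyed
    exclusion: Optional[str] = None          # Step 4, question 3; one of EXCLUSIONS or None
    affected_by_state: Dict[str, int] = field(default_factory=dict)  # Step 2: residents per state
    is_business_associate: bool = False      # a BA notifies the covered entity, not the public


def is_reportable_breach(inc: Incident) -> bool:
    """Step 4 plus the 'unsecured PHI' condition: all four tests must hold."""
    if inc.exclusion is not None and inc.exclusion not in EXCLUSIONS:
        raise ValueError(f"unknown exclusion label: {inc.exclusion}")
    return (inc.impermissible_use
            and inc.significant_risk_of_harm
            and inc.exclusion is None
            and not inc.secured)


def required_notifications(inc: Incident) -> List[dict]:
    """Federal notifications the incident triggers, each with an ISO deadline.

    Returns an empty list when no federal notice is owed (secured PHI, an
    exclusion applies, or the harm standard is not met); the analysis is
    still documented by the caller.
    """
    if not is_reportable_breach(inc):
        return []
    found = date.fromisoformat(inc.discovered)
    deadline = (found + timedelta(days=60)).isoformat()   # "no later than 60 days"
    if inc.is_business_associate:
        # Step 6: the BA tells the covered entity; the contract decides who notifies people.
        return [{"to": "covered entity", "by": deadline, "basis": "Step 6 (BA)"}]
    out: List[dict] = [
        {"to": "individuals (first-class mail)", "by": deadline, "basis": "Step 6"},
    ]
    for state, n in sorted(inc.affected_by_state.items()):
        if n > 500:   # Step 7: more than 500 residents of a single state
            out.append({"to": f"prominent media outlets in {state}",
                        "by": deadline, "basis": "Step 7"})
    if sum(inc.affected_by_state.values()) >= 500:   # Step 8: 500 or more -> contemporaneous
        out.append({"to": "HHS (online, contemporaneous)", "by": deadline, "basis": "Step 8"})
    else:   # fewer than 500: annual log, due 60 days after the calendar year ends
        year_end = date(found.year, 12, 31)
        out.append({"to": "HHS (annual log)",
                    "by": (year_end + timedelta(days=60)).isoformat(), "basis": "Step 8"})
    # Step 5 / Step 8: state obligations depend on each state's statute; flag for counsel.
    out.append({"to": "state agencies / AG (check each state's law)", "by": None,
                "basis": "Steps 5 and 8"})
    return out


if __name__ == "__main__":
    # Constructed sample: an unencrypted laptop lost on 1 March 2011 with
    # records of 700 Massachusetts and 20 New Hampshire residents.
    lost_laptop = Incident(discovered="2011-03-01", impermissible_use=True,
                           significant_risk_of_harm=True, secured=False,
                           affected_by_state={"MA": 700, "NH": 20})
    for item in required_notifications(lost_laptop):
        print(f'{item["basis"]:14} {item["to"]:45} by {item["by"]}')
```

The two deadlines the code distinguishes are the ones practitioners most often confuse: individuals, media (per state over 500) and HHS (500 or more in total) all share the 60-day clock from discovery, while the annual log for smaller breaches runs 60 days from the end of the calendar year. A secured or excluded incident returns an empty list, mirroring the unsecured-PHI rule on the previous slide; the entity still keeps the written analysis, because that documentation is the first thing OCR asks for under Step 10.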

SLIDE 53

Step 9: Reassess Privacy & Security Policies and Procedures

  • Compliance policies and procedures should be evaluated and revised if they do not work for an organization or do not prevent privacy and security violations.
  • For example:
    – If the incident involved a lost or stolen backup data tape, consider changing the procedure for transport and/or storage.
    – If the incident involved faxing information to a wrong number, consider changing the procedure to require contacting the intended recipient before the fax is sent to confirm the number and after the fax is sent to confirm receipt.
    – If the incident was the result of employee error, consider retraining employees.
    – If the incident was the result of a business associate's error, consider terminating the agreement or imposing more stringent safeguards under the agreement.

SLIDE 54

Step 10: Prepare for a Possible Investigation by OCR or AG

  • HHS-OCR recently stated that they have initiated an investigation into every breach reported to their office via the online notification system that involved more than 500 individuals.
  • OCR is in the midst of training state AGs on HIPAA enforcement.
  • Investigations have been initiated via letter and by phone.
  • As evidenced by recent actions, OCR expects cooperation.
  • Generally, OCR has been asking for:
    – Facts surrounding the breach.
    – Copies of notification letters, media notices, business associate agreements.
    – Actions taken to locate missing data, prevent further loss of data, and protect affected individuals (e.g., credit monitoring services).
    – Security Rule risk assessments.
    – Description of safeguards in place to protect the information, specifically requesting information related to whether data was encrypted.
    – Compliance efforts related to policy and procedure revisions, training, and sanctions imposed.

SLIDE 55

CONTACT INFORMATION

Rebecca C. Fayed
SNR Denton US LLP
rebecca.fayed@snrdenton.com
www.snrdenton.com
202-408-6351

SLIDE 56

DISCLAIMER

These materials should not be considered as, or as a substitute for, legal advice and they are not intended to nor do they create an attorney-client relationship. Because the materials included here are general, they may not apply to your individual legal or factual circumstances. You should not take (or refrain from taking) any action based on the information you obtain from these materials without first obtaining professional counsel. The views expressed do not necessarily reflect those of the firm, its lawyers, or clients.