Portable Electronic Devices in Healthcare: Portable Electronic - - PowerPoint PPT Presentation



SLIDE 1

Presenting a live 90-minute webinar with interactive Q&A

Portable Electronic Devices in Healthcare: Latest Legal Threat for Providers

Protecting Private Information in Text Messages, Emails and Other Electronic Transmissions

1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific
TUESDAY, DECEMBER 11, 2012

Today’s faculty features:

  • Brian C. Vick, Partner, Williams Mullen, Raleigh, N.C.
  • W. Clifford Mull, Benesch Friedlander Coplan & Aronoff, Cleveland
  • Dianne J. Bourque, Member, Mintz Levin Cohn Ferris Glovsky and Popeo, Boston

The audio portion of the conference may be accessed via the telephone or by using your computer's speakers. Please refer to the instructions emailed to registrants for additional information. If you have any questions, please contact Customer Service at 1-800-926-7926 ext. 10.

SLIDE 2

Tips for Optimal Quality

Sound Quality

If you are listening via your computer speakers, please note that the quality of your sound will vary depending on the speed and quality of your internet connection. If the sound quality is not satisfactory and you are listening via your computer speakers, you may listen via the phone: dial 1-866-370-2805 and enter your PIN when prompted. Otherwise, please send us a chat or e-mail sound@straffordpub.com immediately so we can address the problem. If you dialed in and have any difficulties during the call, press *0 for assistance.

Viewing Quality

To maximize your screen, press the F11 key on your keyboard. To exit full screen, press the F11 key again.

SLIDE 3

Continuing Education Credits

FOR LIVE EVENT ONLY

For CLE purposes, please let us know how many people are listening at your location by completing each of the following steps:

  • In the chat box, type (1) your company name and (2) the number of attendees at your location
  • Click the word balloon button to send

SLIDE 4

Recent Trends In The Use Of Mobile Devices In Health Care Settings

Brian C. Vick
919.981.4023
bvick@williamsmullen.com
December 11, 2012

SLIDE 5

Mobile Device Use Is On The Rise

  • 85% of adults in the U.S. own a mobile phone
  • 82% use their phone to take pictures
  • 80% use their phone to send text messages
  • 56% use their phone to access the internet
  • 50% use their phone for email
  • 44% use their phone to record video
  • 43% use their phone to download apps.

* Pew Internet & American Life Project - 2012

SLIDE 6

2011 HIMSS Mobile Technology Survey

A survey of 164 hospitals and health systems revealed that mobile devices were being used by:

  • 89% of physicians
  • 84% of non-physician clinicians
  • 70% of healthcare executives
  • 62% of administrative / support staff

SLIDE 7

Clinicians Are Using Mobile Devices To:

  • Access non-PHI health information
  • View patient information
  • Educational / training purposes
  • Clinical notifications
  • Tracking worklists
  • Communicate regarding patients
  • Data collection
  • Analysis of patient data
  • Monitor medical device data

* 2011 HIMSS Mobile Technology Survey, December 5, 2011

SLIDE 8

The Use Of Mobile Devices In Healthcare Will Increase Dramatically In The Coming Years

  • The current push towards quality-based health care delivery systems is increasing the importance of communication and information access
  • Mobile access to EMR systems and clinical data will help improve patient safety, reduce medical errors, and increase clinical outcomes
  • Remote monitoring and real-time management of chronic diseases (i.e., diabetes, heart disease)
  • Physicians are demanding greater mobile access to EMR systems and clinical data
  • Studies have shown that mobile devices can improve clinical outcomes by facilitating better patient communications
  • Stage 2 Meaningful Use Rules emphasize the importance of electronic communication

But . . . information governance practices surrounding mobile devices have not kept pace with technological developments

SLIDE 9

HIMSS 2011 Mobile Technology Survey:

  • 97% of respondents were using mobile devices of some type
  • 77% allowed mobile access over a public network
  • 75% allowed mobile access of patient information
  • 41% allowed employees to use their own mobile devices
  • 38% had a Mobile Technology Policy in place

SLIDE 10

This Has Led To Poor Information Governance

  • Between 2009 and 2012, hundreds of HIPAA breaches involving mobile devices were reported to HHS

10/10 two USB drives contained PHI on 1469 patients lost by a California hospital
11/10 unencrypted laptop containing PHI on 4486 patients stolen from the home of an employee of a Texas medical practice
2/11 personal laptop containing PHI on 1700 individuals stolen from business associate of Arkansas social services agency in Arkansas
4/11 physician practice in Texas lost unencrypted USB drive containing PHI on 1,105 patients
4/11 unencrypted laptop containing PHI on 1500 patients stolen from Texas hospital
7/12 Alaska Medicaid agrees to pay HHS $1.7 million to resolve HIPAA breach after portable hard drive containing PHI was stolen from employee’s car
9/12 Massachusetts practice agrees to pay HHS $1.5 million to settle HIPAA breach based on inadequate management of PHI on mobile devices

SLIDE 11

Mobile Device Misuse Is Also On The Rise

  • California 2007

9 hospital employees fired for taking or looking at cellphone pictures of patient x-rays

  • Wisconsin 2009

Nurse fired for posting a cell-phone picture of a patient x-ray on Facebook

  • Oregon 2012

Nurse sentenced to 8 days in jail after posting “disturbing” photos of elderly patients on Facebook

  • California 2012

5 nurses fired for discussing patients on Facebook

SLIDE 12

Portable Electronic Devices in Healthcare: Latest Legal Threat for Providers: Legal Risks for Hospitals and Providers

December 11, 2012

W. Clifford Mull

Benesch, Friedlander, Coplan & Aronoff LLP
200 Public Square, Suite 2300
Cleveland, OH 44114-2378
Direct: 216.363.4198 | Fax: 216.363.4588 | Mobile: 216.287.9940
cmull@beneschlaw.com | www.beneschlaw.com | www.beneschhealthlaw.com

Cleveland | Columbus | Indianapolis | Philadelphia | Shanghai | White Plains | Wilmington

SLIDE 13

Legal Risks

  • Introduction
  • Patient Privacy
  • Professional Liability

SLIDE 14

Patient Privacy: HIPAA Privacy and Security Regulations

  • Generally. Covered Entities required to protect ePHI that they use or disclose to business associates, trading partners, or other entities.
  • Covered Entities. Health Plans, Health Care Clearinghouses, and Health Care Providers.

SLIDE 15

Patient Privacy: HIPAA Privacy and Security Regulations

  • Privacy Requirements. Require Covered Entities to limit uses and disclosures of PHI, to employ administrative measures to protect PHI and to document compliance.
  • Security Requirements. Require Covered Entities to adopt and implement appropriate administrative, technical and physical safeguards that:
    – Ensure the confidentiality, integrity and availability of ePHI;
    – Protect against reasonably anticipated threats or hazards to the security or integrity of ePHI;
    – Protect against reasonably anticipated uses or disclosures of ePHI not permitted by the Privacy Rule; and
    – Ensure compliance with all such protection by the Covered Entity’s workforce.

SLIDE 16

Patient Privacy: Policies and Procedures Identified by OCR for Portable Devices

  • Develop and Implement Policies and Procedures Authorizing ePHI Access
  • Develop and Implement Policies and Procedures to protect ePHI stored on remote or portable devices or on potentially transportable media
  • Develop and implement appropriate policies and procedures to secure ePHI that is being transmitted over an electronic communications network

SLIDE 17

Patient Privacy: HIPAA Breach Notification Requirements

  • Covered Entities are required to report breaches of unsecured PHI to all affected individuals, federal regulators, and, under certain circumstances, the media.
  • “Unsecured PHI.” PHI that is not secured using technology or methodology that renders it unusable, unreadable or indecipherable by unauthorized individuals.
  • “Breach.” The access, use or disclosure of PHI in a manner not permitted by the Privacy Rule which compromises the PHI’s security or privacy.
  • “Media Notification.” Breaches affecting more than 500 residents of the State or jurisdiction.

SLIDE 18

Patient Privacy: Penalties for Violations

  • Civil Monetary Penalties.
    – Did not know and, exercising reasonable diligence, would not have known of violation, then civil monetary penalty cannot be:
        • less than $100 per violation; and
        • more than: (i) $50,000 per violation or (ii) $1,500,000 per calendar year for identical violations.
    – Violation due to reasonable cause and not willful neglect, then the civil monetary penalty cannot be:
        • less than $1000 per violation; or
        • more than: (i) $50,000 per violation; or (ii) $1,500,000 per calendar year for identical violations.

SLIDE 19

Patient Privacy: Penalties for Violations continued

  • Civil Monetary Penalties Continued.
    – Violation due to willful neglect but is corrected within 30 days of the covered entity knowing, or exercising reasonable diligence, when the covered entity would have known of the violation, then the civil monetary penalty cannot be:
        • less than $10,00 per violation; or
        • more than: (i) $50,000 per violation; or (ii) $1,500,000 per calendar year for identical violations.
    – Violation due to willful neglect but is not corrected within 30 days, then the civil monetary penalty cannot be:
        • less than $50,000 per violation; or
        • more than $1,500,000 per calendar year for identical violations.
  • State AG Enforcement.

SLIDE 20

Patient Privacy: Risk Areas Identified by OCR for Portable Electronic Devices and Overview of Reported Breaches

“New standards and technologies have significantly simplified the way in which data is transmitted throughout the healthcare industry and created tremendous opportunities for improvements to the healthcare system. However, these technologies have also created complications and increased the risk of loss and unauthorized use and disclosure of this sensitive information.”

OCR HIPAA Security Guidance for Laptops, Other Portable and/or Mobile Devices and External Hardware.

SLIDE 21

Patient Privacy: Risk Areas Identified by OCR for Portable Electronic Devices and Overview of Reported Breaches

  • Accessing ePHI (Unauthorized Access)
    – Log-in Credentials Lost or Stolen
    – Unauthorized Access Offsite
    – Unattended Offsite Workstation
    – Introduction of Virus through External Device used for Remote Access

SLIDE 22

Patient Privacy: Risk Areas Identified by OCR for Portable Electronic Devices and Overview of Reported Breaches

  • Storing ePHI
    – Portable Device Lost or Stolen
    – Loss of Operationally Critical ePHI on remote device
    – Inappropriate Disposal of Portable Device
    – Data Left on Third Party External Device
    – Introduction of Virus through Portable Storage Device

SLIDE 23

Patient Privacy: Risk Areas Identified by OCR for Portable Electronic Devices and Overview of Reported Breaches

  • Transmitting ePHI (Integrity and Safety)
    – Interception or Modification of Data during Transmission
    – Introduction of Virus from External Transmission Device

SLIDE 24

Patient Privacy: Recent HIPAA Settlements

  • Alaska Department of Health and Social Services (June 2012)
    – $1.7 Million Settlement
    – Lost USB hard drive

SLIDE 25

Patient Privacy: Recent HIPAA Settlements

  • Blue Cross Blue Shield of Tennessee (March 2012)
    – $1.5 Million Settlement
    – Loss of Computer Hard Drives

SLIDE 26

Patient Privacy: Recent HIPAA Settlements

  • Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates (September 2012)
    – $1.5 Million Settlement
    – Theft of Personal Laptop

SLIDE 27

Patient Privacy: Recent HIPAA Settlements

  • Providence Health & Services (July 2008)
    – $100K Settlement
    – Lost or stolen backup tapes, optical disks, and laptops

SLIDE 28

Professional Liability

  • Distraction of Health Care Professionals
  • Cyber Liability
  • Defamation and Other State Invasion of Privacy

SLIDE 29

Portable Electronic Devices in Healthcare: Latest Legal Threat for Providers

Protecting Private Information in Text Messages, Emails and Other Electronic Transmissions

December 11, 2012

BYOD and RISK MANAGEMENT

Dianne J. Bourque, Esq.

SLIDE 30

Portable devices offer a variety of benefits to covered entities and business associates alike. A deliberate and well-planned approach is the key to minimizing the risks associated with BYOD.

SLIDE 31

Risk Assessment

  • A comprehensive risk assessment is the first step in managing a BYOD program
    – It may reveal that employees are already using their own devices and associated risks to PHI
    – It may reveal that BYOD is technically or financially infeasible for your organization
  • If BYOD is feasible, a risk assessment will help you to identify the best technical means for program implementation
  • Risk assessment findings will also support the development of BYOD policies and procedures
  • A risk assessment will demonstrate HIPAA compliance in the event of an OCR audit or investigation

SLIDE 32

Risk Assessment, continued

  • Your risk assessment should include:
    – Documentation of the risks associated with devices outside of your control
    – Documentation of applications and resources potentially exposed by individuals using their own devices
    – Documentation of technology solutions to facilitate BYOD (make sure that the solutions address identified risks)

SLIDE 33

Policies and Procedures

  • Once your risk assessment is complete and your organization has selected the best technical approach for program implementation, written policies and procedures should be developed governing BYOD.
  • Policies and procedures should define:
    – How mobile devices support the overall mission and business goals of your organization.
    – What type/s of mobile devices your organization will support
    – Which classes of employees will be permitted to use mobile devices for business purposes
    – Which classes of employees will be permitted to store or transmit ePHI locally on a device and how such data will be encrypted

SLIDE 34

Policies and Procedures, continued

  • Policies and procedures should include notice to employees that violations of the company’s BYOD policies may result in disciplinary action and/or the loss of the privilege of using a personal device for business purposes

SLIDE 35

Employee Agreement

  • Policies and procedures ought to include a written agreement to be signed by the employee acknowledging conditions for participation in the BYOD program. The agreement would memorialize the employee's agreement to:
    – Install, update and administer security software
    – Remotely wipe or lock the device if lost or stolen
    – Abide by the company’s data access, use and other security measures

SLIDE 36

Training

  • The key to any successful security program is training
  • Regular, formal training and informal reminders are equally critical for maintaining a culture of compliance
  • Practical training, with real-life examples is most effective
  • Don't forget to document training in order to demonstrate compliance in the event of audit or investigation

SLIDE 37

Thank you!

Dianne J. Bourque, Esq.
Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.
One Financial Center
Boston, MA 02111
(617) 348-1614 / DBourque@mintz.com