HIPAA HITECH Update 2014 - Practical Effects and Enforcement Trends

1. Aldo M. Leiva, Esq.
Lubell Rosen, LLC
Columbus Center
1 Alhambra Plaza
Suite 1410
Coral Gables, Fl 33134
Phone: (305) 442- 9211
Fax: (305) 442-9047
Email: aml@lubellrosen.com
www.lubellrosen.com
HIPAA/HITECH Update: Practical Effects and Enforcement Trends
Presented by
Aldo M. Leiva, Esq.
Data Security and Privacy Attorney
for
American Health Lawyers Association
January 13, 2013
© 2014 Lubell Rosen, LLC
2. OVERVIEW OF PRESENTATION
- HIPAA Omnibus Rule Key Provisions
  - Breach Notification
  - New Penalty Structure
  - Business Associates Re-Defined
- Compliance Activities and Considerations
- OCR Audit Overview – Past and Future
- Latest Enforcement Actions
- Insurance Considerations
- Questions and Answers
4. HITECH ACT - KEY PROVISIONS
- Breach Notification Requirements
- New Penalty Levels
- Compliance Requirements for Business Associates (BAs)
- Audits
- Extended Enforcement by State AGs
5. BREACH NOTIFICATION REQUIREMENTS
- Old Requirements under Interim Final Rule
- Breach is an event that “compromises the security or privacy of the protected health information” and “poses a significant risk of financial, reputational, or other harm to the individual.”
6. BREACH NOTIFICATION FINAL RULE (OMNIBUS)
- Any impermissible use or disclosure of protected health information is presumed to be a breach unless the regulated entity is able to demonstrate, through a risk assessment, that there is a low probability of compromise
7. FOUR FACTORS FOR RISK ASSESSMENT
- To whom the information was impermissibly disclosed
- Whether the information was actually accessed or viewed
- Potential ability of the recipient to identify the subjects of the data
- Whether the recipient took appropriate mitigating action
8. TIERED PENALTY STRUCTURE
- Significant increase in penalties
- Reduction in number of Affirmative Defenses
- Mandatory penalties for all violations due to “willful neglect”
- Applies to violations occurring after February 18, 2009
9. TIER 1 - UNKNOWING
- CE or BA did not know and reasonably should not have known of the violation.
- $100 to $50,000 per violation
- Total of $1.5M for all violations of an identical requirement or prohibition occurring within the same calendar year
10. TIER 2 - REASONABLE CAUSE
- CE or BA knew, or by exercising reasonable diligence would have known, that the act or omission was a violation, but the covered entity or business associate did not act with willful neglect
- $1,000 to $50,000 per violation
- Total of $1.5M for all violations of an identical requirement or prohibition occurring within the same calendar year
11. TIER 3 - WILLFUL NEGLECT, CORRECTED
- The violation was the result of conscious, intentional failure or reckless indifference to fulfill the obligation to comply with HIPAA. However, the covered entity or business associate corrected the violation within 30 days of discovery.
- $10,000 to $50,000 per violation
- Total of $1.5M for all violations of an identical requirement or prohibition occurring within the same calendar year
12. TIER 4 - WILLFUL NEGLECT, UNCORRECTED
- The violation was the result of conscious, intentional failure or reckless indifference to fulfill the obligation to comply with HIPAA, and the covered entity or business associate did not correct the violation within 30 days of discovery.
- At least $50,000 per violation
- Total of $1.5M for all violations of an identical requirement or prohibition occurring within the same calendar year
13. DEFENSE TO PENALTIES
- Penalty may not be imposed for a violation that is not due to willful neglect and that is corrected within 30 days of actual or constructive knowledge of the violation, or during an additional period, as determined by the Secretary to be appropriate based on the nature and extent of the failure to comply
14. PRACTICE TIP
A CE or BA that discovers a violation of HIPAA that is not due to willful neglect should attempt to:
(i) correct the violation within 30 days of the discovery;
(ii) document the date on which it discovered the violation(s); and
(iii) document the date on which it implemented the correction, in order to establish a basis for asserting the affirmative defense to the imposition of a penalty for the violation.
15. HHS DISCRETION
- HHS may waive a penalty for violations that are not due to willful neglect, in whole or in part, to the extent that the penalty is excessive relative to the violation.
- HHS has discretion to use other measures to address HIPAA violations, such as providing direct technical assistance or resolving possible noncompliance through informal means.
16. CE AND BA LIABILITY
- CE is liable for the violations of its business associates (BAs) that are its agents
- BA is liable for the acts of its agents (i.e., subcontractors)
17. BUSINESS ASSOCIATES RE-DEFINED
- BA is a person/entity that “creates, receives, maintains or transmits protected health information on behalf of a covered entity”.
- New definition of BA includes records management companies that “maintain” records containing PHI, regardless of whether they are accessed or reviewed
- BA is subject to the rule if it has access to electronic or hard copy PHI
18. BEFORE HITECH ACT
- BA was subject to a breach of contract claim for violation of the BAA
- 2009 - HITECH enacted: BA became directly liable for PHI breaches, but OCR agreed not to pursue enforcement actions against BAs until finalization of the Rule
- Rule is finalized - enforcement actions can commence as of September 23, 2013
19. BA AGREEMENT TERMS
- Establish how BA is permitted or required to use and disclose PHI – must not use or further disclose PHI other than as permitted by or required by the BAA or by law
- Use appropriate safeguards to prevent PHI from being used or disclosed other than as permitted by the BAA
- Report to CE if it learns of any unauthorized use or disclosure of PHI
20. BA AGREEMENT TERMS (2)
- BAAs must also include a provision that allows the CE to terminate the underlying agreement if the BA violates a material term of the BAA
- Ensure that subcontractors receiving PHI from the BA agree to the same restrictions on use and disclosure of PHI
21. NO FORMAL BAA?
- Omnibus Rule still applies
- BA must comply with the relevant HIPAA provisions irrespective of BAA terms or service contracts with customers
22. BA VIOLATIONS
- BA does not contractually impose restrictions on subcontractors
- Fails to notify CE of a security breach within 60 days
- Fails to implement any of the administrative, physical, and technical safeguards in the HIPAA Security Rule
- Fails to follow the “minimum necessary” standard
23. COMPLIANCE ACTIVITIES
- Develop and implement Privacy Policies
- Conduct periodic Risk Assessments
- Develop and adopt Email Policies
- Develop and adopt Mobile Device Policies
- Train employees
- Designate Privacy/Security Officers
- Update Notice of Privacy Practices
- Revise BA Agreements
- Adopt Breach Assessment/Notification Policies
25. OCR AUDIT PLANS FOR 2014
- Streamlined audit process
- Expanded scope of Audits (to include BAs)
- OCR is hiring more auditors
- More audits are likely, with emphasis on BAs
26. PILOT AUDIT RESULTS
- “Small” CEs (< $50M in revenue) had more compliance issues (66% of deficiencies)
- Health care providers responsible for 81% of deficiencies
- Majority of deficiencies related to the Security Rule
27. PILOT AUDIT RESULTS (2)
- 80% of health care providers did not have a complete and accurate risk analysis
- Encryption - organizations deciding against encryption did not document the basis for doing so
28. AUDIT PROTOCOL
- Tool for Audit Preparation
- http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html
29. STATE AG ENFORCEMENT
- HITECH gave State Attorneys General authority to bring civil actions on behalf of state residents for violations of the HIPAA Privacy and Security Rules.
- State AGs may obtain damages on behalf of state residents or enjoin further violations of the HIPAA Privacy and Security Rules.
30. STATE AG PENALTIES
- Penalties are calculated by multiplying the number of violations by up to $100.
- Total penalties imposed for all violations of an identical requirement or prohibition during a calendar year may not exceed $25,000.
- The court, in its discretion, may award the costs of the action and reasonable attorney fees to the State.
31. ENFORCEMENT TRENDS
- As of June 30, 2013, OCR has investigated and resolved over 20,359 cases by requiring changes in privacy practices and other corrective actions by CEs.
- WellPoint pays $1.7M to settle potential violations (2013)
- Mass. Eye & Ear pays $1.5M to settle potential violations (2012)
32. ENFORCEMENT TRENDS (2)
- December 24, 2013 - OCR imposed a $150,000 penalty and corrective action plan
- CE reported a stolen UNENCRYPTED thumb drive with PHI to OCR and notified patients within 30 days
- OCR issued the penalty due to failure of the CE to:
  - conduct an adequate risk assessment of ePHI
  - adopt written policies and train personnel
  - reasonably safeguard the unencrypted thumb drive
33. ENFORCEMENT TRENDS (3)
- Barry University Data Breach – Dec. 31, 2013
- CE reported the data breach SEVEN MONTHS after a laptop was infected with malware
- Violation of HITECH Rules - individual notifications must be provided without unreasonable delay and in no case later than 60 days following discovery of the data breach
34. AUDIT TRENDS TO TRACK - 2014
- Much larger pool of entities subject to enforcement
- Likely that enforcement actions will increase
- BAs focusing on record storage and document destruction may be subject to more scrutiny due to the large volume of PHI potentially at risk
- OCR is hiring more auditors
- More audits are likely, with emphasis on BAs
35. AUDIT TRENDS TO TRACK - 2014 (2)
- OCR is requesting a budget increase
- OCR will use $4.5 million in collected HIPAA penalties to help fund the audit program
- OCR is seeking a contractor for a permanent audit program
- OCR Director Leon Rodriguez is slated to leave OCR for a post at Homeland Security
36. CYBERLIABILITY COVERAGE
- Review existing insurance policies
- Traditional D&O and E&O policies may provide HIPAA coverage, unless excluded
- Consider additional coverage
- HIPAA policies - investigations, defense costs, and penalties
- Consult with insurance coverage counsel
37. THANK YOU
Aldo M. Leiva, Esq.
Chair, Data Security and Privacy Practice
Lubell Rosen
One Alhambra Plaza, Suite 1410
Coral Gables, FL 33134
aml@lubellrosen.com
www.lubellrosen.com
Direct: (305) 442-9211