HIPAA Overview

Don’t Get Hit by the
HIPAA Omnibus:
Are You Ready for Sept 23?

Disclaimers
The material in this presentation and/or any
remarks made by HealthCare Too, LLC personnel
are NOT meant to provide legal advice or counsel.
We intend this session to provide you with
highlights of the new HIPAA Omnibus for your
edification and for your own use at your own
professional discretion.
8/6/13HealthCareToo,LLCProprietary
2

Scope
45 CFR Parts 160 and 164
Modifications to the HIPAA
Privacy, Security, Enforcement, and Breach
Notification Rules Under the Health Information
Technology for Economic and Clinical Health Act
and the Genetic Information Nondiscrimination Act
Or “The HIPAA Omnibus” was 138 pages when
released on Jan 25, 2013. This presentation
introduces several major changes at a high level
but does not present all changes.
3

Your Presenters
• Tim Perry, MPA, CHTS-IS
• Chief Information Officer, HealthCare Too, LLC
• 25+ years of Health Information Technology and
Compliance experience
• Chief Technology Officer, Ecommerce, LLC (Cloud & Hosting)
• Senior Vice President of Infrastructure Services, Reed Elsevier
• Global IT Director, Johnson & Johnson
• Consulting engagements at SmithKline Beecham, Merck
• Education
• Master of Technology Management, Univ of Pennsylvania
• Master of Public Administration, The Ohio State University
• Bachelor of Arts, The Ohio State University
4

HIPAA Omnibus
• History / Definitions
• Omnibus – Major Changes
• When
• Who
• What
• Where
• How
• Why
• Question / Answers
5

HIPAA Omnibus
• When
• Who
• What
• Where
• How
• Why
6

8
http://www.hhs.gov/ocr/privacy/hipaa/enforcement/process/index.html

9

10
HIPAA Resolutions by Type and Year (based on OCR data)

Reported 500+ Breaches in OH
11
Patients
Affected
Date of
Breach Type of Breach Location of Breach
60998 3/27/10 Theft Laptop
1001 4/22/10 Unauthorized Access/Disclosure Email
1200 6/13/10 Improper Disposal Paper
1309 6/11/10 Loss Laptop
13867 6/7/10 Theft Laptop
501 11/5/10 Theft Laptop, Computer
78,042 6/3/11 Theft Laptop
500 10/1/10 Improper Disposal Other (X-ray film)
15,000
10/01/2010
- 03/21/2012 Unauthorized Access/Disclosure Other
15000
10/1/2010
- 03/21/2012 Unauthorized Access/Disclosure Other
850 12/2/12 Theft Laptop, Network Server
2500 3/19/13 Theft Other
500
04/14/2013
- 04/19/2013 Loss Laptop
2203 5/29/13 Other Paper
78542 TOTAL

Notable Settlements
Entity Amount Year
WellPoint, Inc. $1.7 million July 2013
Walgreens $1.44 million July 2013
MN AG & Accretive Health
(started from July 2011 lost laptop)
$2.5 million July 2013
Shasta Regional Med Center $275,000 June 2013
Idaho State University $400,000 May 2013
Goldthwait Associates & 4 Pathology Groups $140,000 January 2013
12

What’s in
a Name?
• Mega Rule
• Omnibus
• Final Rule
13

HIPAA Omnibus
• When
• Who
• What
• Where
• How
• Why
14

Compliance Deadline
Omnibus HIPAA Final Rule
• Published in Federal Register – January 25, 2013
• Effective Date – March 26, 2013
• Compliance Date – September 23, 2013
• Transition Period to Conform BA Contracts – Up
to September 22, 2014, for Qualifying Contracts
15

HIPAA Omnibus
• When
• Who
• What
• Where
• How
• Why
16

Covered Entities, Business
Associates, and
Subcontractors, Oh My!
17

Who – “Covered Entity”
• (1) A health plan.
• (2) A health care clearinghouse.
• (3) A health care provider who transmits any
health information in electronic form in
connection with a transaction covered by this
subchapter.
• Note: if an electronic transaction is made on a
provider’s behalf… it is considered the provider’s
18

Business Associate
What it says What it means
“functions, activities or services on
behalf of covered entities”
“Create, receive, maintain, or transmit
PHI”
An employee of a CE is NOT a BA.
Clarifies definition of BA to include:
• Patient Safety Organizations,
• Health Information Exchanges,
• Personal Health Records
Must have BAA in place
Clarification that BAs are liable whether
or not they have an agreement in place
with the CE .
(Marissa Gordon-Nguyen, JD, MPH Office for Civil Rights)
19

Who – “Subcontractors”
"a person to whom a business associate
delegates a function, activity, or service,
other than in the capacity of a member
of the workforce of such business
associate." (45 CFR 160.103)
"under the final rule, covered entities
must ensure that they obtain
satisfactory assurances required by the
Rules from their BAs, and BAs must do
the same with regard to subcontractors,
and so on, no matter how far 'down the
chain' the information flows."
Subcontractors are BAs:
• Subject to HIPAA provisions
• Directly liable for HIPAA violations
• BA must have BAA with every
subcontractor
• Subcontractor must have BAA with its
subcontractors, who are also BAs
20

Agency
• Covered Entities can be held liable for the
violations caused by their Business Associates.
• Business Associates can be held liable for the
violations caused by their sub-contractors.
• Federal common law of Agency will govern
whether an agency relationship exists between
the parties - regardless of what the contract
actually says.
(WEDI presentation by Joseph R. McClure, Esq. Legal Counsel, Siemens Medical Solutions USA WEDI
Privacy & Security Co-Chair)
21

Your PHI Ecosystem is Explicit
22

WEDI Privacy & Security Workgroup, Business Associate Sub-Workgroup
23

WEDI Privacy & Security Workgroup, Business Associate Sub-Workgroup
24

Typical BA Functions (Again)
• Claims processing or
administration
• Data analysis, processing or
administration
• Utilization review
• Quality assurance billing
• Benefit management
• Practice management
• Repricing
• Legal
• Actuarial
• Accounting
• Consulting
• Data
aggregation
• Management
• Administrative
• Accreditation
• Financial 25

Business Associates Must:
1. Comply with the HIPAA Security Rule
2. Report to Covered Entity any breach of
unsecured PHI
3. Enter into BAAs with subcontractors imposing
the same obligations that apply to the Business
Associate
4. Comply with the HIPAA Privacy Rule to the
extent Business Associate is carrying out a
Covered Entity’s Privacy Rule obligations
(WEDI presentation by Joseph R. McClure, Esq. Legal Counsel, Siemens Medical
Solutions USA WEDI Privacy & Security Co-Chair)
26

Leon Rodriguez
“I am the first Director of the
Office of Civil Rights to come to
the Office with
experience, extensive
experience, both in law
enforcement and a healthcare
provider lawyer and its my
commitment to ramp up the
enforcement of the Office.”
Oral Testimony to Senate Judiciary Subcommittee on Privacy, Technology, and Law “Your
Health and Your Privacy: Protecting Health Information in a Digital World.”, Nov 2, 2011.
27

HIPAA Omnibus
• When
• Who
• What
• Where
• How
• Why
28

Business Associate Agreements
29

Protected Health Information
(PHI)
Individually identifiable Health Information
List of 18 Identifiers
• Names
• All geographic subdivisions smaller than state
• All elements of dates except year
• Phone numbers
• Fax numbers
• Electronic mail addresses
• Social Security numbers
• Medical record numbers
• Health plan beneficiary numbers
• Account numbers
• Certificate/license numbers
• Vehicle identifiers and serial numbers
• Device identifiers and serial numbers;
• Web Universal Resource Locators (URLs);
• Internet Protocol (IP) address numbers;
• Biometric identifiers
• Full face photographic images
• Any other unique identifying number
Health information means any information,
including genetic information, whether oral or
recorded in any form or medium, that:
(1) Is created or received by a health care
provider, health plan, public health authority,
employer, life insurer, school or university, or
health care clearinghouse;
and
(2) Relates to the past, present, or future
physical or mental health or condition of an
individual; the provision of health care to an
individual; or the past, present, or future
payment for the provision of health care to an
individual.
30

Breach
Unauthorized acquisition, access, use or disclosure
that compromises the security or privacy of the
protected health information such that the use or
disclosure poses a significant risk of financial,
reputational, or other harm to the affected
individual.
31

Four-Factor PHI Breach
Assessment
1. Nature and extent of PHI involved
2. Unauthorized person who used PHI or to
whom disclosure was made
3. Whether PHI was actually acquired or viewed
4. Extent to which risk to PHI has been mitigated
“Guilty until proven innocent”
Breach is now presumed
32

Breach Notification
Less Than 500 Patient Records 500+ Patient Records
Individual notifications must be
provided without unreasonable delay
and in no case later than 60 days
following the discovery of a breach
Notify HHS on an annual basis.
Individual notifications must be
provided without unreasonable delay
and in no case later than 60 days
following the discovery of a breach
Notify the Secretary without
unreasonable delay and in no case
later than 60 days following a breach.
Provide notice to prominent media
outlets serving the State or jurisdiction
HHS provides “safe harbor” for PHI that is encrypted or properly disposed of
in keeping with early guidance.
Note: When you notify of a breach, you are self-reporting a HIPAA violation
and should make your counsel aware as well as conduct a new risk analysis
with corrective actions.
33

Breach
Discovered
Risk
Assessment
1. Nature and extent of PHI involved
2. Unauthorized person who used PHI or to
whom disclosure was made
3. Whether PHI was actually acquired or
viewed
4. Extent to which risk to PHI has been
mitigated
Document
& Done
No
Breach
Less Than
500?
Notify Individuals
Notify HHS Annually
Notify Individuals
Notify HHS w/i 60 days
Notify Media
Breach
Yes
No
34

HIPAA Omnibus
• When
• Who
• What
• Where
• How
• Why
35

Where?
• Privacy Rule applies to any form of PHI
• It’s about disclosures
• Security Rule applies to electronic forms of PHI
• Desktop
• Laptop
• Tablet Computer
• Smart Phone
• Cloud
• USB “thumb drive”
• CD / DVD
• Floppy disk (if those even still exist)
• ….
36

HIPAA Omnibus
• When
• Who
• What
• Where
• How
• Why
37

Privacy Rule
Privacy Rule
Covered Entity • Marketing & Fundraising
• Sale of protected health information (PHI)
• Right to request restrictions
• Electronic access for patient
• Delegates
• Genetic info for underwriting prohibited
• Immunization records with parent approval
• Decedent PHI protected for 50 years
Business Associate BAA at least as strict as CE
Subcontractor BAA at least as strict as BA
38

Security Rule: Phys Safeguards
Required Addressable
Workstation Use (R)
Workstation Security (R)
Disposal (R)
Media Re-use (R)
Contingency Operations (A)
Facility Security Plan (A)
Access Control and Validation
Procedures (A)
Maintenance Records (A)
Accountability (A)
Data Backup and Storage (A)
39
Applies to: Covered Entity, Business Associates, and Subcontractors

Security Rule: Admin Safeguards
Risk Analysis (R)
Risk Management (R)
Sanction Policy (R)
Information System Activity Review (R)
Assigned Security Responsibility (R)
Isolating Health Care Clearinghouse
Function (R)
Response and Reporting (R)
Data Backup Plan (R)
Disaster Recovery Plan (R)
Emergency Mode Operation Plan (R)
Evaluation (R)
Written Contract or Other
Arrangement (R)
Authorization and/or Supervision (A)
Workforce Clearance Procedure (A)
Termination Procedures (A)
Access Authorization (A)
Access Establishment and
Modification (A)
Security Reminders (A)
Protection from Malicious Software (A)
Log-in Monitoring (A)
Password Management (A)
Testing and Revision Procedure (A)
Applications and Data Criticality
Analysis (A)
40

Security Rule: Tech Safeguards
Unique User Identification (R)
Emergency Access Procedure (R)
Audit Controls (R)
Person or Entity Authentication (R)
Automatic Logoff (A)
Encryption and Decryption (A)
Mechanism to Authenticate Electronic
PHI (A)
Integrity Controls (A)
Encryption (A)
41

2007
Original Omnibus
42

Fine Structure
Violation Category Per Violation Per Calendar Year
Did Not Know $100 - $50,000 $1,500,000
Reasonable Cause $1,000 - $50,000 $1,500,000
Willful Neglect –
Corrected
$10,000 - $50,000 $1,500,000
Willful Neglect –
Not Corrected
$50,000 $1,500,000
43

Last year we had a $1.5M settlement with BCBS TN
that had 57 hard drives stolen from a storage facility.
The citation that drove the penalty was NOT the
breach. Rather, the penalty was applied because of the
failure to implement appropriate administrative
safeguards, not performing a risk assessment, and
failure to implement access controls for physical
safeguards. They could have turned that storage
facility into Fort Knox, and it might have still been
breached. But the problem was they didn’t implement
any preventive policies or procedures or appropriate
administrative or physical safeguards. This is a great
example of the lack of ongoing attention to
compliance.
HIPAA in a HITECH World: HIPAA Violations on the Rise, According to Director of OCR
Posted on March 22, 2013 by April Sage
Leon Rodriguez, Director Office for Civil Rights
44

Another Real Life Example
Breach of less than 500 patients' PHI
• Hospice of North Idaho fined $50,000
• Unencrypted laptop was stolen from an
employee's car.
• OCR found that HONI (1) did not conduct a risk
analysis to safeguard ePHI and (2) did not have
policies/procedures in place to address mobile
device security.
45

HIPAA Omnibus
• When
• Who
• What
• Where
• How
• Why
46

Patient Rights over PHI
In this final rule, we strengthen an
individual’s right to receive an
electronic copy of his or her protected
health information.
The final rule requires that a covered
health care provider agree in most cases
to an individual’s request to restrict
disclosure to a health plan of the
individual’s protected health
information that pertains to a health
care service for which the individual
has paid the health care provider in full
out of pocket.
If you use an EHR, you must provide an
e-copy of PHI to patients upon request,
within timeframe and costs of Final Rule.
Patients may pay for treatment and ask
provider to withhold PHI from insurer.
47

Greater Use of Health
Information Technology
48

Street Value of Medical Records
A thief downloading and stealing data can get $50
on the street for a medical identification number
compared to just $1 for a Social Security number.
For those receiving the medical ID number and
using it to defraud a health care organization, the
average payout is more than $20,000,” according
to Pam Dixon, executive director of the World
Privacy Forum. "Compare that to just $2,000 for
the average payout for regular ID theft.
“Protected Health Information (PHI): High Value to Hackers: Medical Facilities at
Risk”, http://www.prweb.com/releases/2013/2/prweb10412883.htm
49

Resources
• Jan 17, 2013 New Release on Omnibus
http://www.hhs.gov/news/press/2013pres/01/20130117
b.html
• Poyner Spruill Summary of HIPAA Omnibus
http://www.poynerspruill.com/publications/Pages/sum
maryofNewHIPAARules.aspx
• Health Information Privacy
http://www.hhs.gov/ocr/privacy/hipaa/understanding/in
dex.html
• Enforcement Examples
http://www.hhs.gov/ocr/privacy/hipaa/enforcement/exa
mples/index.html
• HHS “Wall of Shame”
http://www.hhs.gov/ocr/privacy/hipaa/administrative/br
eachnotificationrule/breachtool.html
50

info@healthcaretoo.com
51

HIPAA Overview

Recommended

Recommended

More Related Content

What's hot

What's hot (19)

Similar to HIPAA Overview

Similar to HIPAA Overview (20)

Recently uploaded

Recently uploaded (20)

HIPAA Overview