hipaa hitech update 2014- practical effects and enforcement trends


Upload: leivalaw

Posted on 07-May-2015

Category: Health & Medicine

DESCRIPTION

Overview of the HIPAA Omnibus Rule, including its impact on: Covered Entities, Business Associates, Data Breach Management and Reporting, Audits, Enforcement, and Cyberliability Coverage

TRANSCRIPT

Page 1: HIPAA HITECH Update 2014 - Practical Effects and Enforcement Trends

HIPAA/HITECH Update: Practical Effects and Enforcement Trends

Presented by Aldo M. Leiva, Esq., Data Security and Privacy Attorney, for the American Health Lawyers Association

January 13, 2013

Aldo M. Leiva, Esq.
Lubell Rosen, LLC
Columbus Center, 1 Alhambra Plaza, Suite 1410
Coral Gables, FL 33134
Phone: (305) 442-9211
Fax: (305) 442-9047
Email: [email protected]
www.lubellrosen.com

© 2014 Lubell Rosen, LLC

Page 2

OVERVIEW OF PRESENTATION

• HIPAA Omnibus Rule Key Provisions
  ♦ Breach Notification
  ♦ New Penalty Structure
  ♦ Business Associates Re-Defined
• Compliance Activities and Considerations
• OCR Audit Overview – Past and Future
• Latest Enforcement Actions
• Insurance Considerations
• Questions and Answers

Page 3

HIPAA/HITECH OMNIBUS RULE

• Effective Date: March 26, 2013
• Compliance Deadline: September 23, 2013

Page 4

HITECH ACT - KEY PROVISIONS

• Breach Notification Requirements
• New Penalty Levels
• Compliance Requirements for Business Associates (BAs)
• Audits
• Extended Enforcement by State AGs

Page 5

BREACH NOTIFICATION REQUIREMENTS

• Old Requirements under the Interim Final Rule
• A breach is an event that “compromises the security or privacy of the protected health information” and “poses a significant risk of financial, reputational, or other harm to the individual.”

Page 6

BREACH NOTIFICATION FINAL RULE (OMNIBUS)

• Any impermissible use or disclosure of protected health information is presumed to be a breach unless the regulated entity is able to demonstrate, through a risk assessment, that there is a low probability of compromise

Page 7

FOUR FACTORS FOR RISK ASSESSMENT

• To whom the information was impermissibly disclosed
• Whether the information was actually accessed or viewed
• Potential ability of the recipient to identify the subjects of the data
• Whether the recipient took appropriate mitigating action

Page 8

TIERED PENALTY STRUCTURE

• Significant increase in penalties
• Reduction in the number of Affirmative Defenses
• Mandatory penalties for all violations due to “willful neglect”
• Applies to violations occurring after February 18, 2009

Page 9

TIER 1 - UNKNOWING

• CE or BA did not know and reasonably should not have known of the violation.
• $100 to $50,000 per violation
• Total of $1.5M for all violations of an identical requirement or prohibition occurring within the same calendar year

Page 10

TIER 2 - REASONABLE CAUSE

• CE or BA knew, or by exercising reasonable diligence would have known, that the act or omission was a violation, but the covered entity or business associate did not act with willful neglect
• $1,000 to $50,000 per violation
• Total of $1.5M for all violations of an identical requirement or prohibition occurring within the same calendar year

Page 11

TIER 3 - WILLFUL NEGLECT - CORRECTED

• The violation was the result of conscious, intentional failure or reckless indifference to fulfill the obligation to comply with HIPAA. However, the covered entity or business associate corrected the violation within 30 days of discovery.
• $10,000 to $50,000 per violation
• Total of $1.5M for all violations of an identical requirement or prohibition occurring within the same calendar year

Page 12

TIER 4 - WILLFUL NEGLECT - UNCORRECTED

• The violation was the result of conscious, intentional failure or reckless indifference to fulfill the obligation to comply with HIPAA, and the covered entity or business associate did not correct the violation within 30 days of discovery.
• At least $50,000 per violation
• Total of $1.5M for all violations of an identical requirement or prohibition occurring within the same calendar year

Page 13

DEFENSE TO PENALTIES

• A penalty may not be imposed for a violation that is not due to willful neglect and that is corrected within 30 days of actual or constructive knowledge of the violation, or during an additional period, as determined by the Secretary to be appropriate based on the nature and extent of the failure to comply

Page 14

PRACTICE TIP

• A CE or BA that discovers a violation of HIPAA that is not due to willful neglect should attempt to:
  (i) correct the violation within 30 days of the discovery;
  (ii) document the date on which it discovered the violation(s); and
  (iii) document the date on which it implemented the correction,
  in order to establish a basis for asserting the affirmative defense to the imposition of a penalty for the violation.

Page 15

HHS DISCRETION

• HHS may waive a penalty for violations that are not due to willful neglect, in whole or in part, to the extent that the penalty is excessive relative to the violation.
• HHS has discretion to use other measures to address HIPAA violations, such as providing direct technical assistance or resolving possible noncompliance through informal means.

Page 16

CE AND BA LIABILITY

• A CE is liable for the violations of its business associates (BAs) that are its agents
• A BA is liable for the acts of its agents (i.e. subcontractors)

Page 17

BUSINESS ASSOCIATES RE-DEFINED

• A BA is a person/entity that “creates, receives, maintains or transmits protected health information on behalf of a covered entity”.
• The new definition of BA includes records management companies that “maintain” records containing PHI, regardless of whether the records are accessed or reviewed
• A BA is subject to the rule if it has access to electronic or hard copy PHI

Page 18

BEFORE HITECH ACT

• BA was subject to a breach of contract claim for violation of the BAA
• 2009 - HITECH enacted: BA was now directly liable for a PHI breach, but OCR agreed not to pursue enforcement actions against BAs until finalization of the Rule
• Rule is finalized: enforcement actions can commence as of September 23, 2013

Page 19

BA AGREEMENT TERMS

• Establish how the BA is permitted or required to use and disclose PHI – the BA must not use or further disclose PHI other than as permitted by or required by the BAA or by law
• Use appropriate safeguards to prevent PHI from being used or disclosed other than as permitted by the BAA
• Report to the CE if it learns of any unauthorized use or disclosure of PHI

Page 20

BA AGREEMENT TERMS (2)

• BAAs must also include a provision that allows the CE to terminate the underlying agreement if the BA violates a material term of the BAA
• Ensure that subcontractors receiving PHI from the BAA agree to the same restrictions on use and disclosure of PHI

Page 21

NO FORMAL BAA?

• The Omnibus Rule still applies
• The BA must comply with the relevant HIPAA provisions irrespective of BAA terms or service contracts with customers

Page 22

BA VIOLATIONS

• BA does not contractually impose restrictions on subcontractors
• Fails to notify the CE of a security breach within 60 days
• Fails to implement any of the administrative, physical, and technical safeguards in the HIPAA Security Rule
• Fails to follow the “minimum necessary” standard

Page 23

COMPLIANCE ACTIVITIES

• Develop and implement Privacy Policies
• Conduct periodic Risk Assessments
• Develop and adopt Email Policies
• Develop and adopt Mobile Device Policies
• Train employees
• Designate Privacy/Security Officers
• Update Notice of Privacy Practices
• Revise BA Agreements
• Adopt Breach Assessment/Notification Policies

Page 24

AUDITS

• December 2012 - Pilot Audits Completed
• Evaluations of Pilot Program
• BAs to be audited as well

Page 25

OCR AUDIT PLANS FOR 2014

• Streamlined audit process
• Expanded scope of audits (to include BAs)
• OCR is hiring more auditors
• More audits are likely, with emphasis on BAs

Page 26

PILOT AUDIT RESULTS

• “Small” CEs (< $50M in revenue) had more compliance issues (66% of deficiencies)
• Health care providers responsible for 81% of deficiencies
• Majority of deficiencies related to the Security Rule

Page 27

PILOT AUDIT RESULTS (2)

• 80% of health care providers did not have a complete and accurate risk analysis
• Encryption - organizations deciding against encryption did not document the basis for doing so

Page 28

AUDIT PROTOCOL

• Tool for Audit Preparation
• http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html

Page 29

STATE AG ENFORCEMENT

• HITECH gave State Attorneys General authority to bring civil actions on behalf of state residents for violations of the HIPAA Privacy and Security Rules.
• State AGs may obtain damages on behalf of state residents or enjoin further violations of the HIPAA Privacy and Security Rules.

Page 30

STATE AG PENALTIES

• Penalties are calculated by multiplying the number of violations by up to $100.
• Total penalties imposed for all violations of an identical requirement or prohibition during a calendar year may not exceed $25,000.
• The court, in its discretion, may award the costs of the action and reasonable attorney fees to the State.

Page 31

ENFORCEMENT TRENDS

• As of June 30, 2013, OCR has investigated and resolved over 20,359 cases by requiring changes in privacy practices and other corrective actions by CEs.
• WellPoint pays $1.7M to settle potential violations (2013)
• Mass. Eye & Ear pays $1.5M to settle potential violations (2012)

Page 32

ENFORCEMENT TRENDS (2)

• December 24, 2013 - OCR imposed a $150,000 penalty and corrective action plan
• The CE reported a stolen UNENCRYPTED thumb drive containing PHI to OCR and notified patients within 30 days
• OCR issued the penalty due to the failure of the CE to:
  - conduct an adequate risk assessment of ePHI
  - adopt written policies and train personnel
  - reasonably safeguard the unencrypted thumb drive

Page 33

ENFORCEMENT TRENDS (3)

• Barry University Data Breach – Dec. 31, 2013
• The CE reported the data breach SEVEN MONTHS after a laptop was infected with malware
• Violation of HITECH Rules: individual notifications must be provided without unreasonable delay and in no case later than 60 days following discovery of the data breach

Page 34

AUDIT TRENDS TO TRACK - 2014

• Much larger pool of entities subject to enforcement
• Likely that enforcement actions will increase
• BAs focusing on record storage and document destruction may be subject to more scrutiny due to the large volume of PHI potentially at risk
• OCR is hiring more auditors
• More audits are likely, with emphasis on BAs

Page 35

AUDIT TRENDS TO TRACK - 2014 (2)

• OCR is requesting a budget increase
• OCR will use $4.5 million in collected HIPAA penalties to help fund the audit program
• OCR is seeking a contractor for a permanent audit program
• OCR Director Leon Rodriguez is slated to leave OCR for a post at Homeland Security

Page 36

CYBERLIABILITY COVERAGE

• Review existing insurance policies
• Traditional D&O and E&O policies may provide HIPAA coverage, unless excluded
• Consider additional coverage
• HIPAA policies: investigations, defense costs, and penalties
• Consult with insurance coverage counsel

Page 37

THANK YOU

Aldo M. Leiva, Esq.
Chair, Data Security and Privacy Practice
Lubell Rosen
One Alhambra Plaza, Suite 1410
Coral Gables, FL 33134
[email protected]
www.lubellrosen.com
Direct: (305) 442-9211