HIPAA/HITECH Update 2014: Practical Effects and Enforcement Trends
DESCRIPTION
Overview of the HIPAA Omnibus Rule, including impacts on: Covered Entities, Business Associates, Data Breach Management and Reporting, Audits, Enforcement, Cyberliability Coverage
TRANSCRIPT
HIPAA/HITECH Update: Practical Effects and Enforcement Trends
Presented by
Aldo M. Leiva, Esq. Data Security and Privacy Attorney
for American Health Lawyers Association
January 13, 2013
Aldo M. Leiva, Esq.
Lubell Rosen, LLC
Columbus Center, 1 Alhambra Plaza, Suite 1410
Coral Gables, FL 33134
Phone: (305) 442-9211
Fax: (305) 442-9047
Email: [email protected]
www.lubellrosen.com
© 2014 Lubell Rosen, LLC
OVERVIEW OF PRESENTATION
• HIPAA Omnibus Rule Key Provisions
  ♦ Breach Notification
  ♦ New Penalty Structure
  ♦ Business Associates Re-Defined
• Compliance Activities and Considerations
• OCR Audit Overview – Past and Future
• Latest Enforcement Actions
• Insurance Considerations
• Questions and Answers
HIPAA/HITECH OMNIBUS RULE
• Effective Date: March 26, 2013
• Compliance Deadline: September 23, 2013
HITECH ACT- KEY PROVISIONS
• Breach Notification Requirements
• New Penalty Levels
• Compliance Requirements for Business Associates (BAs)
• Audits
• Extended Enforcement by State AGs
BREACH NOTIFICATION REQUIREMENTS
• Old Requirements under Interim Final Rule
• Breach is an event that “compromises the security or privacy of the protected health information” and “poses a significant risk of financial, reputational, or other harm to the individual.”
BREACH NOTIFICATION FINAL RULE (OMNIBUS)
• Any impermissible use or disclosure of protected health information is presumed to be a breach unless the regulated entity is able to demonstrate, through a risk assessment, that there is a low probability of compromise
FOUR FACTORS FOR RISK ASSESSMENT
• To whom the information was impermissibly disclosed
• Whether the information was actually accessed or viewed
• Potential ability of the recipient to identify the subjects of the data
• Whether the recipient took appropriate mitigating action
TIERED PENALTY STRUCTURE
• Significant increase in penalties
• Reduction in number of Affirmative Defenses
• Mandatory penalties for all violations due to “willful neglect”
• Applies to violations occurring after February 18, 2009
TIER 1- UNKNOWING
• CE or BA did not know and reasonably should not have known of the violation.
• $100 to $50,000 per violation
• Total of $1.5M for all violations of an identical requirement or prohibition occurring within the same calendar year
TIER 2- REASONABLE CAUSE
• CE or BA knew, or by exercising reasonable diligence would have known, that the act or omission was a violation, but the covered entity or business associate did not act with willful neglect
• $1,000 to $50,000 per violation
• Total of $1.5M for all violations of an identical requirement or prohibition occurring within the same calendar year
TIER 3- WILLFUL NEGLECT- CORRECTED
• The violation was the result of conscious, intentional failure or reckless indifference to fulfill the obligation to comply with HIPAA. However, the covered entity or business associate corrected the violation within 30 days of discovery.
• $10,000 to $50,000 per violation
• Total of $1.5M for all violations of an identical requirement or prohibition occurring within the same calendar year
TIER 4- WILLFUL NEGLECT- UNCORRECTED
• The violation was the result of conscious, intentional failure or reckless indifference to fulfill the obligation to comply with HIPAA, and the covered entity or business associate did not correct the violation within 30 days of discovery.
• At least $50,000 per violation
• Total of $1.5M for all violations of an identical requirement or prohibition occurring within the same calendar year
DEFENSE TO PENALTIES
• A penalty may not be imposed for a violation that is not due to willful neglect and that is corrected within 30 days of actual or constructive knowledge of the violation, or during an additional period, as determined by the Secretary to be appropriate based on the nature and extent of the failure to comply
PRACTICE TIP
• A CE or BA that discovers a violation of HIPAA that is not due to willful neglect should attempt to:
  (i) correct the violation within 30 days of the discovery;
  (ii) document the date on which it discovered the violation(s); and
  (iii) document the date on which it implemented the correction,
  in order to establish a basis for asserting the affirmative defense to the imposition of a penalty for the violation.
HHS DISCRETION
• HHS may waive a penalty for violations that are not due to willful neglect, in whole or in part, to the extent that the penalty is excessive relative to the violation.
• HHS has discretion to use other measures to address HIPAA violations, such as providing direct technical assistance or resolving possible noncompliance through informal means.
CE AND BA LIABILITY
• CE is liable for the violations of its business associates (BAs) that are its agents
• BA is liable for the acts of its agents (i.e., subcontractors)
BUSINESS ASSOCIATES RE-DEFINED
• BA is a person/entity that “creates, receives, maintains or transmits protected health information on behalf of a covered entity”.
• New definition of BA includes records management companies that “maintain” records containing PHI, regardless of whether they are accessed or reviewed
• BA is subject to the rule if it has access to electronic or hard-copy PHI
BEFORE HITECH ACT
• BA was subject to a breach of contract claim for violation of the BAA
• 2009: HITECH enacted; BA was now directly liable for a PHI breach, but OCR agreed not to pursue enforcement actions against BAs until finalization of the Rule
• Rule is finalized: enforcement actions can commence as of September 23, 2013
BA AGREEMENT TERMS
• Establish how BA is permitted or required to use and disclose PHI – must not use or further disclose PHI other than as permitted by or required by the BAA or by law
• Use appropriate safeguards to prevent PHI from being used or disclosed other than as permitted by the BAA
• Report to CE if it learns of any unauthorized use or disclosure of PHI
BA AGREEMENT TERMS (2)
• BAAs must also include a provision that allows the CE to terminate the underlying agreement if the BA violates a material term of the BAA
• Ensure that subcontractors receiving PHI from the BA agree to the same restrictions on use and disclosure of PHI
NO FORMAL BAA?
• Omnibus Rule still applies
• BA must comply with the relevant HIPAA provisions irrespective of BAA terms or service contracts with customers
BA VIOLATIONS
• BA does not contractually impose restrictions on subcontractors
• Fails to notify CE of a security breach within 60 days
• Fails to implement any of the administrative, physical, and technical safeguards in the HIPAA Security Rule
• Fails to follow the “minimum necessary” standard
COMPLIANCE ACTIVITIES
• Develop and implement Privacy Policies
• Conduct periodic Risk Assessments
• Develop and adopt Email Policies
• Develop and adopt Mobile Device Policies
• Train employees
• Designate Privacy/Security Officers
• Update Notice of Privacy Practices
• Revise BA Agreements
• Adopt Breach Assessment/Notification Policies
AUDITS
• December 2012: Pilot Audits Completed
• Evaluations of Pilot Program
• BAs to be audited as well
OCR AUDIT PLANS FOR 2014
• Streamlined audit process
• Expanded scope of audits (to include BAs)
• OCR is hiring more auditors
• More audits are likely, with emphasis on BAs
PILOT AUDIT RESULTS
• “Small” CEs (< $50M in revenue) had more compliance issues (66% of deficiencies)
• Health care providers responsible for 81% of deficiencies
• Majority of deficiencies related to the Security Rule
PILOT AUDIT RESULTS (2)
• 80% of health care providers did not have a complete and accurate risk analysis
• Encryption: organizations deciding against encryption did not document the basis for doing so
AUDIT PROTOCOL
• Tool for Audit Preparation
• http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html
STATE AG ENFORCEMENT
• HITECH gave State Attorneys General authority to bring civil actions on behalf of state residents for violations of the HIPAA Privacy and Security Rules.
• State AGs may obtain damages on behalf of state residents or enjoin further violations of the HIPAA Privacy and Security Rules.
STATE AG PENALTIES
• Penalties are calculated by multiplying the number of violations by up to $100.
• Total penalties imposed for all violations of an identical requirement or prohibition during a calendar year may not exceed $25,000.
• The court, in its discretion, may award the costs of the action and reasonable attorney fees to the State.
ENFORCEMENT TRENDS
• As of June 30, 2013, OCR has investigated and resolved over 20,359 cases by requiring changes in privacy practices and other corrective actions by CEs.
• WellPoint pays $1.7M to settle potential violations (2013)
• Mass. Eye & Ear pays $1.5M to settle potential violations (2012)
ENFORCEMENT TRENDS (2)
• December 24, 2013: OCR imposed a $150,000 penalty and corrective action plan
• CE reported a stolen UNENCRYPTED thumb drive with PHI to OCR and notified patients within 30 days
• OCR issued the penalty due to failure of the CE to:
  - conduct an adequate risk assessment of ePHI
  - adopt written policies and train personnel
  - reasonably safeguard the unencrypted thumb drive
ENFORCEMENT TRENDS (3)
• Barry University Data Breach – Dec. 31, 2013
• CE reported the data breach SEVEN MONTHS after a laptop was infected with malware
• Violation of HITECH Rules: individual notifications must be provided without unreasonable delay and in no case later than 60 days following discovery of the data breach
AUDIT TRENDS TO TRACK- 2014
• Much larger pool of entities subject to enforcement
• Likely that enforcement actions will increase
• BAs focusing on record storage and document destruction may be subject to more scrutiny due to the large volume of PHI potentially at risk
• OCR is hiring more auditors
• More audits are likely, with emphasis on BAs
AUDIT TRENDS TO TRACK- 2014 (2)
• OCR is requesting a budget increase
• OCR will use $4.5 million in collected HIPAA penalties to help fund the audit program
• OCR is seeking a contractor for a permanent audit program
• OCR Director Leon Rodriguez is slated to leave OCR for a post at Homeland Security
CYBERLIABILITY COVERAGE
• Review existing insurance policies
• Traditional D&O and E&O policies may provide HIPAA coverage, unless excluded
• Consider additional coverage
• HIPAA policies: investigations, defense costs, and penalties
• Consult with insurance coverage counsel
THANK YOU
Aldo M. Leiva, Esq.
Chair, Data Security and Privacy Practice
Lubell Rosen
One Alhambra Plaza, Suite 1410
Coral Gables, FL 33134
[email protected]
www.lubellrosen.com
Direct: (305) 442-9211