
Investigating Privacy Breaches under HITECH and HIPAA

Investigating Privacy Breaches under HITECH and HIPAA. Presented by:. Allyson Jones Labban Smith Moore Leatherwood LLP 300 N. Greene Street, Suite 1400 Greensboro, North Carolina 17401 T (336) 378-5261 F (336) 378-5400. Barry Herrin Smith Moore Leatherwood LLP



Presentation Transcript


  1. Investigating Privacy Breaches under HITECH and HIPAA Presented by: Allyson Jones Labban Smith Moore Leatherwood LLP 300 N. Greene Street, Suite 1400 Greensboro, North Carolina 17401 T (336) 378-5261 F (336) 378-5400 Barry Herrin Smith Moore Leatherwood LLP 1180 W. Peachtree St. NW, Suite 2300 Atlanta, Georgia 30309 T (404) 962-1027 F (404) 962-1200 To ask a question during the presentation, click the Q&A menu at the top of this window, type your question in the Q&A text box, and then click “Ask.” After you click Ask, the button name will change to “Edit.” Questions will be queued and most will be answered at the end of the meeting as time allows.

  2. What is “HITECH”? • Health Information Technology for Economic and Clinical Health Act • Enacted as part of the American Recovery and Reinvestment Act of 2009 (“Stimulus Bill”), P.L. 111-5

  3. What is “HITECH”? • Two primary components: • Encourages implementation of health information technology and transition from paper records to EHR • Amends HIPAA to impose significant new duties on covered entities and business associates to notify patients, the Federal Government, and the media of breaches of unsecured PHI

  4. What is “HITECH”? • Notification requirement went into effect on September 23, 2009 • Enforcement begins on February 17, 2010 • Recent Ponemon Institute survey of 77 health care organizations revealed that 94% will not be ready to comply with HITECH by February 2010.

  5. Definitions • “Unsecured PHI”: PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of encryption technologies or methods of physical destruction approved by the Secretary of the Federal Department of Health and Human Services (“HHS”) • Approved technologies/destruction methods are listed at 74 Fed. Reg. 42742

  6. Definitions • “Breach”: • The acquisition, access, use, or disclosure of unsecured PHI in a manner not permitted under the HIPAA privacy rule (45 C.F.R. § 164.500, et seq.) • that compromises the security or privacy of the PHI

  7. Definitions • “Significant Risk of Harm”: Fact-based inquiry that focuses on financial, reputational, or other harm that may result to the patient as a result of the use or disclosure.

  8. To Be or Not to Be . . . A Breach • Should not assume every use/disclosure is a “breach” • A use/disclosure is not a breach: • When the PHI is properly encrypted/destroyed • When the use/disclosure is permitted under HIPAA • When a HITECH exception applies • When the privacy or security of the data is not compromised

  9. Step 1: Is the information unsecured PHI?

  10. Step 1: Unsecured PHI • PHI is secured: • Encrypted (for approved encryption methods, see 74 Fed. Reg. 42742 list of National Institute of Standards and Technology publications, available at http://www.csrc.nist.gov) • Destroyed (shredded, burned, purged, cut – proper destruction method depends on the medium)

  11. Step 1: Unsecured PHI • Also not a breach if: • Individually identifiable health information held by covered entity or business associate in its capacity as an employer • De-identified in accordance with HIPAA guidelines

  12. Step 1: Unsecured PHI • Also not a breach if the PHI: • Is de-identified pursuant to 45 C.F.R. § 164.514(e)(2); and • Does not include the patient’s zip code; and • Does not include the patient’s date of birth.

  13. Step 2: Is the acquisition, access, use or disclosure permitted under HIPAA?

  14. Step 2: Permissible Use/Disclosure (HIPAA) • A breach is an impermissible use or disclosure; if HIPAA permits or requires the use/disclosure, it is not a breach • If the use/disclosure is not permitted under HIPAA, must still ask: • Does the use/disclosure compromise the security or privacy of the PHI? • Not every impermissible disclosure = breach, but it may still be a violation of the privacy rule!

  15. Step 3: Does the acquisition, access, use or disclosure fit within one of the exceptions to HITECH?

  16. Step 3: HITECH Exceptions • HITECH contains three narrowly construed exceptions • If an acquisition, access, use, or disclosure fits within an exception, it is not a breach, even if information was unsecured PHI and the disclosure is not permitted under HIPAA • This is a departure from the order set forth in the regulation

  17. Step 3: HITECH Exceptions

  18. Step 3: HITECH Exceptions • Exception 1: Unintentional access to, or acquisition or use of, PHI: • By a workforce member for the covered entity or BA • Acting in good faith • Within the course and scope of duties • If the access, acquisition, or use does not result in any further use or disclosure in a manner not permitted by HIPAA

  19. Step 3: HITECH Exceptions • Example: Billing employee receives and opens an e-mail containing patient’s PHI that was mistakenly sent to her. Billing employee notifies the sender of the error, and then deletes the e-mail without further using or disclosing the information. Exception applies – no breach.

  20. Step 3: HITECH Exceptions • Example: Receptionist, who is not authorized to access PHI, decides to browse through patient files to find out information about a friend’s treatment. Exception does not apply – breach.

  21. Step 3: HITECH Exceptions • Example: A physician on the medical staff, who is authorized to access PHI, looks through the medical records of patients she has not treated and whose cases she has not been asked to consult. Exception does not apply – breach.

  22. Step 3: HITECH Exceptions • Exception 2: Inadvertent disclosure of PHI • From one workforce member at the covered entity or BA to another at the same covered entity or BA • Where both workforce members are authorized to access the information • If the access, acquisition, or use does not result in any further use or disclosure in a manner not permitted by HIPAA

  23. Step 3: HITECH Exceptions • Example: Inadvertent disclosure by a member of the hospital medical staff, even if she is not a hospital employee, to a hospital employee who is authorized to receive PHI, provided that the employee does not subsequently inappropriately use or disclose the information. Exception applies – no breach.

  24. Step 3: HITECH Exceptions • Example: A member of the medical staff deliberately discloses information to another member of the medical staff regarding a patient for whom the receiving medical staff member has no treatment or consultation responsibilities. Exception does not apply – breach.

  25. Step 3: HITECH Exceptions • Exception 3: Unauthorized disclosure to an unauthorized person of PHI: • Where there is a reasonable good faith belief • That the unauthorized recipient would not reasonably have been able to retain the information

  26. Step 3: HITECH Exceptions • Example: A nurse mistakenly hands Patient A the discharge instructions for Patient B. The nurse immediately recognizes his error and retrieves the document before Patient A has a chance to review the information. Exception applies – no breach.

  27. Step 3: HITECH Exceptions • Example: The billing office, due to a lack of reasonable safeguards, sends a number of patient statements to the wrong individuals. Some of the statements are returned unopened, marked “undeliverable.” Exception applies – no breach. The other statements that were sent to the wrong addresses, however, are not returned. Exception does not apply – breach.

  28. Step 4: Does the disclosure result in a significant risk of harm to the patient?

  29. Step 4: Risk Assessment • Must determine whether the patient is at significant risk of financial, reputational, or other harm as a result of the use or disclosure • Involves a fact-specific weighing of various factors

  30. Step 4: Risk Assessment • Who impermissibly used the information / to whom was the information impermissibly disclosed? • Disclosure to another entity subject to HIPAA: likely small risk of harm • Disclosure to member of the general public: likely high risk of harm

  31. Step 4: Risk Assessment • What steps were taken to mitigate the impermissible use or disclosure? • Obtain recipient’s satisfactory assurance that information will be destroyed and not used: likely small risk of harm • Information is returned before it is accessed (laptop analysis reveals no access): likely small risk of harm

  32. Step 4: Risk Assessment • What information was the subject of the impermissible use or disclosure? • Information concerning STDs and abuse: deemed to be significant risk of reputational harm • Information concerning fact of treatment: depends on nature of treatment (“General Hospital” – likely small risk of harm; “Communicable Disease Clinic” – likely high risk of harm) • Information that is vulnerable to identity theft (social security number, etc.): likely high risk of harm

  33. If a significant risk of harm to the patient exists, the breach notification requirements must be followed

  34. Breach Notification • Breaches Involving Fewer than 500 Individuals: Notice must be provided: • To the individuals whose information was breached • To the Secretary of HHS using the online form at http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brinstruction.html

  35. Breach Notification • Breaches Involving More than 500 Individuals: Notice must be provided: • To the individuals whose information was breached • To the Secretary of HHS using the online form at http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brinstruction.html • To the local media

  36. Breach Notification • Business associates now have an affirmative duty to notify the covered entity of a breach • Business associate agreements, as well as agreements with subcontractors, should be revised to explicitly memorialize this duty to report

  37. Breach Notification • Notifications to individuals must be written in plain language and include: • A brief description of the incident (date of breach and date of discovery, if known) • A description of the types of information breached (names, social security numbers, diagnoses); no actual PHI should be disclosed in the notice

  38. Breach Notification • Steps the individual should take to protect himself or herself from potential harm resulting from the breach • A brief description of the steps being taken to investigate, mitigate, and prevent future breaches • Contact procedures by which the individual can contact the covered entity about the breach (toll-free number, e-mail, web site)

  39. Breach Notification • Notifications to the media must be written in plain language and include: • A brief description of the incident (date of breach and date of discovery, if known) • A description of the types of information breached (names, social security numbers, diagnoses); no actual PHI should be disclosed in the notice

  40. Breach Notification • Steps individuals should take to protect themselves from potential harm resulting from the breach • A brief description of the steps being taken to investigate, mitigate, and prevent future breaches • Contact procedures by which individuals can contact the covered entity about the breach (toll-free number, e-mail, web site)

  41. Breach Notification • Notification to individuals must be sent via first-class mail or, if the person agreed to electronic notice, by e-mail • Where the individual is deceased, notice should be sent to the next-of-kin

  42. Breach Notification • Substitute notice may be provided if no valid contact information: • Fewer than 10 individuals: By telephone, alternate form of written notice, or other means • More than 10 individuals: By conspicuous notice on the entity’s web site or in local print or broadcast media; must include a toll-free information number valid for at least 90 days

  43. Breach Notification • Deadlines for notice key off the date the breach was discovered • A breach is “discovered” as of the first day on which the entity knew, or should have known through the exercise of reasonable diligence, that a breach occurred.

  44. Breach Notification • Notice to Individuals: “Without unreasonable delay,” and no later than 60 calendar days after discovery of the breach • Notice to the Media: “Without unreasonable delay,” and no later than 60 calendar days after discovery of a breach involving 500 or more individuals

  45. Breach Notification • Notice to the Secretary: • Fewer than 500 individuals: Covered entity must maintain a log and submit the log within 60 calendar days after the end of the calendar year • More than 500 individuals: Notice must be provided contemporaneously with that provided to the individuals • Reporting is to be done electronically

  46. Breach Notification • Notice by a Business Associate: A business associate must provide notice to the covered entity “without unreasonable delay,” and no later than 60 calendar days after discovery of the breach

  47. Breach Notification • HITECH permits covered entities and business associates to delay notification if law enforcement states that notification would impede a criminal investigation or damage national security • Length of delay depends on manner in which law enforcement requests the delay

  48. Breach Notification • If the law enforcement statement is in writing and specifies the time for which delay is required, follow the written notification • If the statement is made orally, document the statement and identity of the law enforcement official, then delay no more than 30 days from the date of the oral statement, unless a subsequent written statement is provided
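As an added illustration that is not part of the presentation, the notification rules from slides 34 through 48 (recipients, the 60-day clock, the annual HHS log, substitute notice, and law-enforcement delays) encoded as a small Python planner that an incident-response team could run against a breach record. The class and field names are assumptions, and because the slides phrase the 500-individual and 10-individual thresholds both as "more than" and "or more", this example assumes both are inclusive.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

SIXTY_DAYS = timedelta(days=60)


@dataclass
class LawEnforcementRequest:
    """Request to delay notice. A written request carries its own end date;
    an oral one is documented and caps the delay at 30 days unless a written
    statement follows (slide 48). Hypothetical structure for this example."""
    written: bool
    stated_on: date                      # date the statement was made
    delay_until: Optional[date] = None   # only meaningful for a written request


@dataclass
class Breach:
    discovered: date      # first day the entity knew or should have known
    affected: int         # individuals whose unsecured PHI was involved
    unreachable: int = 0  # individuals with no valid contact information
    le_request: Optional[LawEnforcementRequest] = None


def notification_plan(b: Breach) -> dict:
    """Who must be notified, how, and by when, following the slide rules."""
    plan = {"individuals_by": b.discovered + SIXTY_DAYS, "media": False}
    # Slides say both "500 or more" and "more than 500"; >= 500 is assumed here.
    if b.affected >= 500:
        plan["media"] = True
        plan["media_by"] = b.discovered + SIXTY_DAYS
        plan["hhs_by"] = plan["individuals_by"]  # contemporaneous with individuals
    else:
        # Keep a log and submit it within 60 days after the calendar year ends
        plan["hhs_log_by"] = date(b.discovered.year, 12, 31) + SIXTY_DAYS
    if b.unreachable:
        # Fewer than 10: telephone or alternate written notice; 10 or more (assumed
        # boundary): conspicuous web/media notice with a toll-free number for 90 days
        plan["substitute_notice"] = ("telephone_or_alternate_written"
                                     if b.unreachable < 10
                                     else "web_or_media_tollfree_90_days")
    if b.le_request:
        r = b.le_request
        if r.written and r.delay_until:
            plan["hold_until"] = r.delay_until
        else:
            plan["hold_until"] = r.stated_on + timedelta(days=30)
        # The slides do not say whether a hold tolls the 60-day clock; flag for counsel
        plan["hold_exceeds_deadline"] = plan["hold_until"] > plan["individuals_by"]
    return plan
```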

  49. Breach Penalties • Four new penalty tiers have been implemented, effective November 30, 2009 • For violations occurring on or after February 18, 2010: • Civil monetary penalties (CMPs) ranging from $100 to $50,000 per violation, up to $1.5 million for identical violations occurring during a calendar year, where the entity did not and, by exercising reasonable diligence, would not have known that a violation occurred;

  50. Breach Penalties • CMPs ranging from $1,000 to $50,000 per violation, up to $1.5 million for identical violations occurring during a calendar year, where the violation was due to “reasonable cause” and not willful neglect (reasonable cause = “circumstances that would make it unreasonable for the covered entity, despite the exercise of ordinary business care and prudence, to comply”);
