Page 1

HIPAA Compliance Program to Survive Government Scrutiny

Presented by: Susan Clarke, Health Care Information Security and Privacy Practitioner

June 5 & 6, 2019

Page 2

Legal Disclaimer

The presenter is not an attorney, and the information provided is the presenter(s)' opinion and should not be taken as legal advice. The information is presented for informational purposes only.

Compliance with regulations can involve legal subject matter with serious consequences. The information contained in the webinar(s) and related materials (including, but not limited to, recordings, handouts, and presentation documents) is not intended to constitute legal advice or the rendering of legal, consulting or other professional services of any kind. Users of the webinar(s) and webinar materials should not in any manner rely upon or construe the information as legal or other professional advice. Users should seek the services of a competent legal or other professional before acting, or failing to act, based upon the information contained in the webinar(s), in order to ascertain what may be best for the user's individual needs.

Page 3

Acronyms

• BA: Business Associate
• CE: Covered Entity
• CEHRT: Certified Electronic Health Record Technology
• CMS: Centers for Medicare and Medicaid Services
• EHR: Electronic Health Record
• ePHI: Electronic Protected Health Information
• HHS: Department of Health and Human Services
• HIPAA: Health Insurance Portability and Accountability Act
• HIT: Health Information Technology
• IT: Information Technology
• NIST: National Institute of Standards and Technology
• OCR: Office for Civil Rights
• PHI: Protected Health Information
• SP: Special Publication
• SRA: Security Risk Analysis

Page 4

Learning Objectives

Best practices for managing risk and overseeing your HIPAA compliance program; your responsibility for ensuring business associates safeguard protected health information; how HIPAA applies to social media; and the importance of conducting a security risk analysis (SRA).

Page 6

Privacy and Security Starts at the Top

• Designate a privacy and security officer
• Make sure that each has a job description
• Select a qualified professional to assist you with the Security Risk Analysis
• Promote a culture of protecting patient privacy

Page 7

Manage the Challenges, Get Things Done

1. People Strategy - put people first

2. Process Strategy - then process

3. Technology Strategy - then technology. Select technology that will solve the problem; don't find a problem to make use of the technology.

Governance vs. Culture

• Governance is how the organization says it makes decisions and gets things done
• Culture is how the organization actually makes decisions and gets things done
• A large gap between Governance and Culture requires more communication
• Effective Program Strategy must account for both: "Culture eats Strategy for Breakfast"

Page 8

Every organization faces risk

Clinical teams manage risk on a daily basis yet information risk management programs are often not as formal as needed.

Page 9

Page 10

Develop an Action Plan (Risk Management Plan)

• Use the Security Risk Analysis to identify threats and vulnerabilities
• Focus on high priorities and low-hanging fruit
• Identify what needs to be done
• Who is going to do it
• When will it be done

Page 11

Encryption versus Data Masking

Encrypted data prevents anyone who does not have the appropriate key from reading it. Under the HIPAA Security Rule an organization should encrypt data whenever possible. This is particularly true for devices such as laptops and thumb drives that are often stolen.

Data masking tools anonymize data so that it no longer qualifies as PHI. They are often used when data is to be repurposed for research. A subset of these tools replace sensitive values with fictitious ones while preserving the relationships between records, which keeps the masked data usable.
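As an added illustration of the relationship-preserving masking described above (example code written for this page, not from the presentation or any named masking product), the following Python replaces medical record numbers with random surrogates and shifts each patient's dates by a consistent per-patient offset, so records still join across tables and the intervals between a patient's visits survive. The patient and visit records, table layout and field names are constructed for the example.

```python
"""Relationship-preserving data masking (added example; not from the slides).

Direct identifiers are replaced with random surrogates and dates are shifted
by a per-patient offset, so masked tables still join and intervals between a
patient's visits are preserved. The lookup table that could reverse the
masking lives only in the Masker object, which is kept apart from the output.
"""
import secrets
from datetime import date, timedelta

# Constructed sample data: a patient table and a visit table joined on "mrn".
PATIENTS = [
    {"mrn": "MRN-1001", "name": "Jane Doe", "dob": date(1980, 4, 12)},
    {"mrn": "MRN-1002", "name": "John Roe", "dob": date(1975, 9, 30)},
]
VISITS = [
    {"visit_id": "V1", "mrn": "MRN-1001", "date": date(2019, 1, 10), "dx": "J45.20"},
    {"visit_id": "V2", "mrn": "MRN-1001", "date": date(2019, 3, 2), "dx": "J45.20"},
    {"visit_id": "V3", "mrn": "MRN-1002", "date": date(2019, 2, 14), "dx": "I10"},
]


class Masker:
    """Assigns each real MRN a random surrogate ID and a random date shift.

    The surrogate comes from the secrets module and is not derived from the
    MRN, so nothing in the masked output can be computed back to the original;
    the only route back is the mapping held in this object.
    """

    def __init__(self, max_shift_days=365):
        self._surrogates = {}   # real MRN -> surrogate patient_id
        self._shifts = {}       # real MRN -> timedelta applied to all dates
        self._max_shift = max_shift_days

    def surrogate(self, mrn):
        if mrn not in self._surrogates:
            self._surrogates[mrn] = "PT-" + secrets.token_hex(4)
            span = 2 * self._max_shift + 1  # shift drawn from [-max, +max] days
            self._shifts[mrn] = timedelta(days=secrets.randbelow(span) - self._max_shift)
        return self._surrogates[mrn]

    def shift_date(self, mrn, d):
        self.surrogate(mrn)  # make sure a shift exists for this patient
        return d + self._shifts[mrn]

    def reverse(self, surrogate):
        """Re-identification: only possible for whoever holds this mapping."""
        for mrn, s in self._surrogates.items():
            if s == surrogate:
                return mrn
        return None


def mask_tables(patients, visits, masker):
    """Return masked copies of both tables; names and full DOBs are dropped."""
    masked_patients = [
        {"patient_id": masker.surrogate(p["mrn"]), "birth_year": p["dob"].year}
        for p in patients
    ]
    masked_visits = [
        {
            "visit_id": f"VISIT-{i:04d}",  # internal visit IDs are replaced too
            "patient_id": masker.surrogate(v["mrn"]),
            "date": masker.shift_date(v["mrn"], v["date"]),
            "dx": v["dx"],
        }
        for i, v in enumerate(visits, start=1)
    ]
    return masked_patients, masked_visits


def leaks_identifiers(rows, identifiers):
    """QA step before release: does any original identifier string survive?"""
    blob = " ".join(str(value) for row in rows for value in row.values())
    return any(ident in blob for ident in identifiers)


if __name__ == "__main__":
    masker = Masker()
    mp, mv = mask_tables(PATIENTS, VISITS, masker)
    for row in mp + mv:
        print(row)
    print("leaked identifiers:", leaks_identifiers(mp + mv, ["MRN-1001", "Jane Doe"]))
```

Because the surrogate mapping is the only way back to the real MRNs, it should be stored and access-controlled like PHI itself, separately from the masked data set.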

Page 12

Examples of Documentation to Keep

• Completed checklists
• Security Risk Analysis report(s)
• Risk management action plan
• Business associate (BA) agreements
• Trainings for staff
• System monitoring results
• Policies and procedures
• Meeting minutes

Page 13

Business Associates

• Responsibilities are very similar to those of a covered entity (CE)

• CE is responsible for obtaining a BA agreement obligating the BA to safeguard protected health information

• Breach notification requirements must be met

• A covered entity can be a business associate of another covered entity.

• If a covered entity enlists the help of a business associate, then a written contract or other arrangement between the two must: 1) Detail the uses and disclosures of PHI the business associate may make; 2) Require that the business associate safeguard the PHI.

Refer to packet for Business Associate Agreement sample and checklist.

Page 14

Organizations frequently underestimate the proliferation of ePHI within their environments.

Page 15

Prevent with Education and Training

• Build your policies and procedures and train, train, train; including employees, volunteers, trainees and contractors

• Keep copies of your policies and procedures in an easy-to-find place

• Formally educate and train your workforce at least once a year or when changes happen

Page 16

Burden of proof is on you…

• Policies and procedures are statements asserting your intent to comply with regulations. Important: you must actually follow them.

• When you are accountable but cannot control the risk, consider cyber-insurance (it might not cover a BA breach).

• Have employees become your biggest asset, not your biggest liability.

• Strong safeguards = evidence of compliance.

• Engaged and supportive leadership.

Page 17

Document Your Process, Findings and Actions

• Records will be essential if you are audited
• Good faith effort can be the difference between a corrective action plan (CAP) and a fine
• Maintain records for six years

Page 18

Business Associate

Page 19

Business Associates

• This term has broad applicability and includes, other than a health care provider’s employees, “partners” that may provide legal, actuarial, accounting, consulting, data aggregation, management, administration or financial services wherein the services require the disclosure of individually identifiable health information.

Page 20

Business Associates

• Business associates (BAs) are directly liable under the Omnibus Final Rule of 2013 for uses and disclosures that violate the Privacy Rule (PR) or are in breach of the Business Associate Agreement.

• Their failure may result in harm to your reputation.

Page 21

Business Associates

• BAs are not permitted to use or disclose protected health information (PHI) if it would be a Privacy Rule violation for a covered entity (CE) to do so, except that a BA may use PHI for its own management and administration.

Page 22

Business Associates

• A person/entity becomes a BA by definition, and NOT because there happens to be a BA contract in place; therefore liability attaches immediately when a person “creates, receives, maintains or transmits PHI on behalf of a CE.”

Page 23

Business Associates

BAs are now directly liable under the HIPAA rules:

(1) For impermissible uses and disclosures

(2) For failure to provide breach notification to the CE

(3) For failure to provide access of ePHI to the individual or the CE

(4) For failure to disclose PHI to the Secretary

(5) For failure to provide an accounting of disclosures

(6) For failure to comply with the requirements of the Security Rule

Page 24

Business Associates

• BAs must comply with the “Minimum Necessary” principle.

• BAs are required to have business associate agreements with their subcontractors who use PHI on their behalf.

• Requirements in business associate agreements “cascade down” to subcontractors and subcontractors of subcontractors (i.e. to ALL downstream sub-contractors).

Page 25

What Do You Need to Know?

• Do you have a BA management program in place to ensure documentation of and compliance with the requirements of HIPAA's Privacy and Security Rules by your Business Associates as required by 45 CFR §164.502(e) and 45 CFR §164.308(b)?

• Have you identified all of your BA arrangements to establish an action plan to address any deficiencies in documentation or compliance?

• Have you developed new BA agreements to strengthen the language in accordance with the Omnibus Final Rule?

Page 26

Maybe not a BA?

Question: Could it cause issues if a CE has a BAA with someone who isn't actually a BA?

Page 27

Maybe not a BA: Answer

Generally, we do not suggest that HIPAA covered entities or business associates enter into business associate agreements with entities that are not, in fact, their business associates, given that such agreements create at least the presumption of both privity of contract, and that the information does not belong to the first HIPAA covered entity or business associate. In other words, there is a presumption of liability, given the requirements outlined in the agreement.

Page 28

Is imaging vendor a BA?

Do you need a BAA with Software vendors like Imagine where their software "uses" ePHI?

Page 29

Is imaging vendor a BA?

A vendor is a business associate if you disclose information to it, keeping in mind that "disclosure" under HIPAA includes access to PHI. As such, any vendor who has or could have access to your PHI is generally considered a business associate.

If they also create, receive, maintain, or transmit PHI for or on your behalf, they are also your business associate.

Page 30

Sources

Some material and format provided for educational purposes by:
U.S. Department of Health and Human Services
Office for Civil Rights
1961 Stout Street, Room 08-148
Denver, CO 80294

See links below slides for additional sources as applicable.

Page 31

Employees Must be Trained on HIPAA Social Media Rules

According to published statistics, 81% of the U.S. population has a social media account. The popularity of social media networks, combined with the ease of sharing information, means that if employees are not specifically trained on HIPAA social media rules, violations are highly likely to occur.

Policies and procedures should be documented and updated year after year in order to account for changes to your organization. It’s essential that staff members are trained on these policies and procedures as well in order to protect your practice from liability in the event of a breach. These policies and procedures should be unique to the needs of your organization–which is why HIPAA policy binders often aren’t enough.

Page 32

Benefits of Social Media

There are many benefits to be gained from using social media:

• Social media channels allow healthcare providers to interact with patients and get them more involved in their own care.
• Providers can quickly and easily communicate important messages or provide information about new services.
• Providers can attract new patients via social media websites.

Page 33

Uses for Social Media

Social media channels can be used for posting health tips, details of events, new medical research, bios of staff, and marketing messages. Remember: No PROTECTED HEALTH INFORMATION can be included in the posts.

• Health tips that patients might find useful
• Upcoming events patients might like to attend
• New research or findings related to your field
• Honors or awards your organization has received
• Profiles or bios of your staff
• Advertisements of your services
• Discounts or special offers on services you provide

Page 34

HIPAA Violations on Social Media

In 2015, ProPublica published the results of an investigation into HIPAA social media violations by nurses and care home workers. The investigation primarily centered on photographs and videos of patients in compromising positions and patients being abused.

In some cases, images and videos were widely shared; in others, photographs and videos were shared in private groups. ProPublica uncovered 47 HIPAA violations on social media since 2012, although it is suspected that there are many more that were not discovered and were never reported.

A nursing assistant who shared a video of a patient in underwear on Snapchat was fired and served 30 days in jail.

Important: It is not only employees that can be punished for violating HIPAA Rules. There are also severe penalties for HIPAA violations for healthcare providers.

Page 35

HIPAA violations with Social Media

Today, news reports of health care professionals being fired for taking photographs of patients and posting the photographs on social networking sites are not uncommon.

Posting any protected health information on social media websites, even in closed Facebook groups, is a serious HIPAA violation. The same applies to sharing PHI including photographs and videos of patients via messaging apps such as WhatsApp, Skype, and Facebook Messenger.

Unless prior authorization has been received from a patient, in writing, health care professionals should avoid sharing photographs and videos of patients (or any PHI) on social media sites.

Source: https://thecaregiverspace.org/nursing-home-workers-share-explicit-photos-of-residents-on-snapchat/

Page 36

Common Social Media HIPAA Violations

• Posting of images and videos of patients without written consent
• Posting of gossip about patients
• Posting of any information that could allow an individual to be identified
• Sharing of photographs or images taken inside a healthcare facility in which patients or PHI are visible
• Sharing of photos, videos, or text on social media platforms within a private group

Page 37

HIPAA Specific to Photographs

Recommend facilities include a provision in their general privacy notice stating that the facility may take photographs for treatment purposes. Providers should adopt a policy clarifying that any authorized photographs or videos are the sole property of the facility.

Before taking photographs of a patient for educational, publicity, website, or research purposes, a healthcare provider needs to obtain the patient's written consent.

Source: https://www.medscape.com/viewarticle/761874?src=trendmd_pilot

Page 38

HIPAA Social Media Checklist

Here are some basic HIPAA social media guidelines to follow in your organization, together with further information to help ensure compliance with HIPAA Regulations:

• Develop clear policies covering social media use and ensure all employees are aware of how HIPAA relates to social media platforms
• Train all staff on acceptable social media use as part of HIPAA training and conduct refresher training sessions annually
• Provide examples to staff of what is acceptable, and what is not, to improve understanding
• Communicate the possible penalties for social media HIPAA violations: termination, loss of license, and criminal penalties
• Ensure all new uses of social media sites are approved by your compliance department
• Review and update your policies on social media annually
• Develop policies and procedures on use of social media for marketing, including standardizing how marketing takes place on social media accounts (see link to HHS Social Media Policies)

Page 39

HIPAA Social Media Guidelines

• Develop a policy that requires personal and corporate accounts to be totally separated
• Create a policy that requires all social media posts to be approved by your legal or compliance department prior to posting
• Monitor your organization's social media accounts and communications and implement controls that can flag potential HIPAA violations
• Maintain a record of social media posts made using your organization's official accounts that preserves posts, edits, and the format of social media messages
• Do not enter into social media discussions with patients who have disclosed PHI on social media
• Encourage staff to report any potential HIPAA violation, and train staff to stop any photographic or video recording activity they observe that violates policy
• Ensure social media accounts are included in your organization's risk assessments
• Ensure appropriate access controls are in place to prevent unauthorized use of corporate social media accounts
• Moderate all comments on social media platforms

Page 40

PHI on vendor’s website

Source: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/ach/index.html

Page 41

Perform a Security Risk Analysis

• Conducting a security risk analysis is a process of identifying, estimating, and prioritizing information security risks that could compromise the Confidentiality, Integrity and Availability of protected health information in a health care facility. See 45 C.F.R. § 164.308(a)(1)(ii)(A).

• Organizations frequently underestimate the proliferation of ePHI within their environments. When conducting a risk analysis, an organization must identify all of the ePHI created, maintained, received or transmitted by the organization.

• Examples: EHR; billing systems; documents and spreadsheets; database systems and web servers; fax servers; backup servers; cloud-based servers; medical devices; messaging apps (email, texting, ftp); removable media.

Page 42

It’s Not Easy

Page 43

The Risk Management Plan

To meet the Risk Management requirement of this measure you must know:

• what is wrong,
• how you will fix it,
• when you will fix it,
• and who will fix it.

Page 44

Keep Up With the Changes

• Join the OCR Privacy and Security Listservs: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/listserv.html

Page 45

For assistance please contact:

Susan Clarke: [email protected], (307) 248-8179

Please let me know how I can help.

Page 46

Questions
