web hipaa hitech and privacy
TRANSCRIPT
![Page 1: Web hipaa hitech and privacy](https://reader035.vdocuments.net/reader035/viewer/2022062710/55a5ae921a28abd2578b4599/html5/thumbnails/1.jpg)
© 2015 Epstein Becker & Green, P.C. | All Rights Reserved. ebglaw.com
HIPAA, HITECH and Privacy
How to Manage Privacy and Security Risks and Considerations
![Page 2: Web hipaa hitech and privacy](https://reader035.vdocuments.net/reader035/viewer/2022062710/55a5ae921a28abd2578b4599/html5/thumbnails/2.jpg)
© 2015 Epstein Becker & Green, P.C. | All Rights Reserved. | ebglaw.com
Presented by
Patricia Wagner
Member of the Firm
202-861-4182
2
![Page 3: Web hipaa hitech and privacy](https://reader035.vdocuments.net/reader035/viewer/2022062710/55a5ae921a28abd2578b4599/html5/thumbnails/3.jpg)
© 2015 Epstein Becker & Green, P.C. | All Rights Reserved. | ebglaw.com
Privacy and Security Considerations
Privacy• Who has access to the data?• What can be done with the data?• How is data protected from misuse?
Security• How is data secured?• How is security monitored?o Auditso Logso Other?
3
![Page 4: Web hipaa hitech and privacy](https://reader035.vdocuments.net/reader035/viewer/2022062710/55a5ae921a28abd2578b4599/html5/thumbnails/4.jpg)
© 2015 Epstein Becker & Green, P.C. | All Rights Reserved. | ebglaw.com
Enforcement
Department of Health & Human Services, Office for Civil Rights
State AGs
Federal Trade Commission
Private Plaintiffs
4
![Page 5: Web hipaa hitech and privacy](https://reader035.vdocuments.net/reader035/viewer/2022062710/55a5ae921a28abd2578b4599/html5/thumbnails/5.jpg)
© 2015 Epstein Becker & Green, P.C. | All Rights Reserved. | ebglaw.com
Privacy in State of Union Address
Reported that the State of the Union Address will include new initiatives related to privacy
• Setting a national data breach reporting standard
• Student Digital Privacy Act (restrict sale of student data)
• Consumer Privacy Bill of Rights (reportedly would ensure more control over personal data for individuals, more closely in line with the rules in place in the European Union).
5
![Page 6: Web hipaa hitech and privacy](https://reader035.vdocuments.net/reader035/viewer/2022062710/55a5ae921a28abd2578b4599/html5/thumbnails/6.jpg)
© 2015 Epstein Becker & Green, P.C. | All Rights Reserved. | ebglaw.com
The HIPAA Privacy Rule
The HIPAA Privacy Rule (the “Privacy Rule”) is a set of regulations that requires certain entities to maintain and protect the privacy and security of individually identifiable health information (also known as “protected health information” or “PHI”).
6
![Page 7: Web hipaa hitech and privacy](https://reader035.vdocuments.net/reader035/viewer/2022062710/55a5ae921a28abd2578b4599/html5/thumbnails/7.jpg)
© 2015 Epstein Becker & Green, P.C. | All Rights Reserved. | ebglaw.com
Mantra of HIPAA Privacy Rule
The HIPAA Privacy Standards establish a fundamental presumption that all “Protected Health Information” is confidential, and can only be disclosed with appropriate authorization from the individual
Exceptions to this presumption are limited
7
![Page 8: Web hipaa hitech and privacy](https://reader035.vdocuments.net/reader035/viewer/2022062710/55a5ae921a28abd2578b4599/html5/thumbnails/8.jpg)
© 2015 Epstein Becker & Green, P.C. | All Rights Reserved. | ebglaw.com
HIPAA Security Rule
Requires protection of electronic PHI• Physical Safeguards
• Administrative Safeguards
• Technical Safeguards
8
![Page 9: Web hipaa hitech and privacy](https://reader035.vdocuments.net/reader035/viewer/2022062710/55a5ae921a28abd2578b4599/html5/thumbnails/9.jpg)
© 2015 Epstein Becker & Green, P.C. | All Rights Reserved. | ebglaw.com
HITECH
Increased penalties for violation of the Privacy and Security Rules
Directly obligates business associates to certain requirements of the Privacy and Security Rules
Requires notification in the event of a breach of PHI
9
![Page 10: Web hipaa hitech and privacy](https://reader035.vdocuments.net/reader035/viewer/2022062710/55a5ae921a28abd2578b4599/html5/thumbnails/10.jpg)
© 2015 Epstein Becker & Green, P.C. | All Rights Reserved. | ebglaw.com
What is PHI?
PHI is information:• in any form of medium, oral or recorded (not just electronic)• that relates to the individual’s health, healthcare, treatment, or
payment• that identifies the individual in any way
That means PHI includes:• Name, address, birth date, phone and fax numbers, email address,
social security numbers, and other unique identifiers• Type of doctor being visited (when added to something that could
identify the patient)• Prescription information, other claims submission data
10
![Page 11: Web hipaa hitech and privacy](https://reader035.vdocuments.net/reader035/viewer/2022062710/55a5ae921a28abd2578b4599/html5/thumbnails/11.jpg)
© 2015 Epstein Becker & Green, P.C. | All Rights Reserved. | ebglaw.com
Examples of PHI for Group Health Plans
Group Health Plans may have PHI in:
• Complaints from beneficiaries about whether service is being paid
• Claim submissions• Appeals for denied services• Beneficiary support services• EAP documentation• Flexible Spending plan documentation• On-site medical clinics? (not always part of plan but may
have special considerations)
11
![Page 12: Web hipaa hitech and privacy](https://reader035.vdocuments.net/reader035/viewer/2022062710/55a5ae921a28abd2578b4599/html5/thumbnails/12.jpg)
© 2015 Epstein Becker & Green, P.C. | All Rights Reserved. | ebglaw.com
Vendors May Have Access to PHI
Vendors• Third party administrator• IT service vendors• Storage facilities• Cloud vendors• On-site medical clinics
12
![Page 13: Web hipaa hitech and privacy](https://reader035.vdocuments.net/reader035/viewer/2022062710/55a5ae921a28abd2578b4599/html5/thumbnails/13.jpg)
© 2015 Epstein Becker & Green, P.C. | All Rights Reserved. | ebglaw.com
Privacy Risks
The “rogue employee”• Someone accesses and using information in a way not
permitted under the Privacy Rule, or other laws.
A Vendor’s rogue employee
A Vendor’s use of the data • what contractual rights did they reserve?
13
![Page 14: Web hipaa hitech and privacy](https://reader035.vdocuments.net/reader035/viewer/2022062710/55a5ae921a28abd2578b4599/html5/thumbnails/14.jpg)
© 2015 Epstein Becker & Green, P.C. | All Rights Reserved. | ebglaw.com
Rogue Employee
Walgreen Case (in Indiana)
• Pharmacist viewed prescription records of a customer
• Customer’s ex-boyfriend tells customer he has a print out of her records
• Two years later customer finds out the ex-boyfriend is now married to Walgreen pharmacist
• Pharmacist maintains she looked at customer’s record but never shared it
• Customer files litigation
• Trial ensues and jury delivers verdict $1.4 million for plaintiff
14
![Page 15: Web hipaa hitech and privacy](https://reader035.vdocuments.net/reader035/viewer/2022062710/55a5ae921a28abd2578b4599/html5/thumbnails/15.jpg)
© 2015 Epstein Becker & Green, P.C. | All Rights Reserved. | ebglaw.com
Rogue employee
Court held, and appellate court upheld• Employer responsible for acts of employee when
conduct is within scope of employmento Within scope -- “incidental to job duties or
originated in activities closely associated with job
• As a result Walgreen and individual defendants are jointly liable for $1.4 million
15
![Page 16: Web hipaa hitech and privacy](https://reader035.vdocuments.net/reader035/viewer/2022062710/55a5ae921a28abd2578b4599/html5/thumbnails/16.jpg)
© 2015 Epstein Becker & Green, P.C. | All Rights Reserved. | ebglaw.com
Privacy Gaining More Interest
Recent Letter from Senator Al Franken related to employees use of information provided to organization• Letter request asks for information related too Steps taken to limit access to data by employeeso Training provided to employeeso Monitoring processeso Disciplinary policies
16
![Page 17: Web hipaa hitech and privacy](https://reader035.vdocuments.net/reader035/viewer/2022062710/55a5ae921a28abd2578b4599/html5/thumbnails/17.jpg)
© 2015 Epstein Becker & Green, P.C. | All Rights Reserved. | ebglaw.com
Other Employee Situations
The helper (shares information to “help”)
The deflector (uses privacy to deflect from the other issue)
The criminal (steals information to sell)
The case builder (takes information to “bolster” claims)
17
![Page 18: Web hipaa hitech and privacy](https://reader035.vdocuments.net/reader035/viewer/2022062710/55a5ae921a28abd2578b4599/html5/thumbnails/18.jpg)
© 2015 Epstein Becker & Green, P.C. | All Rights Reserved. | ebglaw.com
Managing Employee Risk?
Training Auditing Disciplinary actions Top down focus on privacy and security Clear policies
18
![Page 19: Web hipaa hitech and privacy](https://reader035.vdocuments.net/reader035/viewer/2022062710/55a5ae921a28abd2578b4599/html5/thumbnails/19.jpg)
© 2015 Epstein Becker & Green, P.C. | All Rights Reserved. | ebglaw.com
Privacy Risks
The “rogue employee”• Someone accesses and using information in a way not
permitted under the Privacy Rule, or other laws.
A Vendor’s rogue employee
A Vendor’s use of the data • what contractual rights did they reserve?
19
![Page 20: Web hipaa hitech and privacy](https://reader035.vdocuments.net/reader035/viewer/2022062710/55a5ae921a28abd2578b4599/html5/thumbnails/20.jpg)
© 2015 Epstein Becker & Green, P.C. | All Rights Reserved. | ebglaw.com
Managing Vendor Risk
Dealing with reputable vendors
Strong contract language that • Protects data rights (may even want to protect
data rights of de-identified data)• Limits use of data by vendor
20
![Page 21: Web hipaa hitech and privacy](https://reader035.vdocuments.net/reader035/viewer/2022062710/55a5ae921a28abd2578b4599/html5/thumbnails/21.jpg)
© 2015 Epstein Becker & Green, P.C. | All Rights Reserved. | ebglaw.com
Security Risks
Breach of information Breach can occur through
• Hacking• Lost device• Errant email• Lost mail or package
21
![Page 22: Web hipaa hitech and privacy](https://reader035.vdocuments.net/reader035/viewer/2022062710/55a5ae921a28abd2578b4599/html5/thumbnails/22.jpg)
© 2015 Epstein Becker & Green, P.C. | All Rights Reserved. | ebglaw.com
Sample of Security Breach Affecting Employees
Sony Breach - Class Action Suit already filed
• Plaintiffs (former employees) allege that the following information was affected by the breach:
o A Microsoft Excel document that contains the name, location, employee ID, network username, base salary and date of birth for more than 6,800 people;
o A status report from April 2014 listing the names, dates of birth, Social Security numbers and health savings account data on more than 700 Sony employees; and
o A file that appears to be the product of an internal audit from PriceWaterhouseCoopers, made up of screen shots of dozens of employees’ federal tax records and other compensation data.
22
![Page 23: Web hipaa hitech and privacy](https://reader035.vdocuments.net/reader035/viewer/2022062710/55a5ae921a28abd2578b4599/html5/thumbnails/23.jpg)
© 2015 Epstein Becker & Green, P.C. | All Rights Reserved. | ebglaw.com
Managing Security Risks
Strong IT and Security Controls Audits Scans Risk Assessments “Dummy” calls
23
![Page 24: Web hipaa hitech and privacy](https://reader035.vdocuments.net/reader035/viewer/2022062710/55a5ae921a28abd2578b4599/html5/thumbnails/24.jpg)
© 2015 Epstein Becker & Green, P.C. | All Rights Reserved. | ebglaw.com
Managing Vendor Risk?
Strong contracts
• Responsibility for breaches
• What happens to data when contract is terminated
Diligence on vendors
• How do you safeguard employee information?
• Have you had any reportable breaches?
• Do you have an incident response policy?
• Do you store information or do you use a vendor to do so?
How do you assess the responses?
24
![Page 25: Web hipaa hitech and privacy](https://reader035.vdocuments.net/reader035/viewer/2022062710/55a5ae921a28abd2578b4599/html5/thumbnails/25.jpg)
© 2015 Epstein Becker & Green, P.C. | All Rights Reserved. | ebglaw.com
Cloud Vendor Special Issues
Limited negotiation power (“we don’t negotiate our agreements”)
May be reluctant to impart details related to security posture (which may be a good sign)
May charge “a la carte” fees for additional security measures (e.g., pay for meeting obligations of BA agreement)
25
![Page 26: Web hipaa hitech and privacy](https://reader035.vdocuments.net/reader035/viewer/2022062710/55a5ae921a28abd2578b4599/html5/thumbnails/26.jpg)
© 2015 Epstein Becker & Green, P.C. | All Rights Reserved. | ebglaw.com
Business Associate Agreements
Vendors that use, disclose, or maintain PHI should have a business associate agreement with the plan
Business Associate Agreement should have provisions required by regulation
Other provisions
• De-identification (some vendors include data rights provisions in de-identification provisions)
• Data aggregation (some vendors craft broad aggregation rights into this provision)
• Protection in the event of a security breach (indemnification, insurance, other language)
• Disclaimer of agency
26
![Page 27: Web hipaa hitech and privacy](https://reader035.vdocuments.net/reader035/viewer/2022062710/55a5ae921a28abd2578b4599/html5/thumbnails/27.jpg)
© 2015 Epstein Becker & Green, P.C. | All Rights Reserved. | ebglaw.com
Compliance Tips
Training
Monitoring
Have a Fulsome Complaint Process
Don’t ignore issues (mitigate)
Get the full story
27
![Page 28: Web hipaa hitech and privacy](https://reader035.vdocuments.net/reader035/viewer/2022062710/55a5ae921a28abd2578b4599/html5/thumbnails/28.jpg)
© 2015 Epstein Becker & Green, P.C. | All Rights Reserved. | ebglaw.com
Other Areas of Focus for Privacy/Security
Mobile Devices
• Phones, Tablets, Laptops
o Screen locks
o Encryption
o Selected Models
o Limit Storage
o Limit activities?
Social Media (Twitter, Facebook, etc. etc)
Strong policy, but aware of laws
28
![Page 29: Web hipaa hitech and privacy](https://reader035.vdocuments.net/reader035/viewer/2022062710/55a5ae921a28abd2578b4599/html5/thumbnails/29.jpg)
© 2015 Epstein Becker & Green, P.C. | All Rights Reserved. | ebglaw.com
HIPAA Civil Penalties
29
Violation Category Each violation All such violations of an identical provision in a calendar year
(A) Did Not Know $100–$50,000 $1,500,000
(B) Reasonable Cause $1,000–50,000 $1,500,000
(C)(i) Willful Neglect-Corrected $10,000–50,000 $1,500,000
(C)(ii) Willful Neglect-Not Corrected
$50,000 1,500,000 $1,500,000
Criminal Penalties Can Also Apply
![Page 30: Web hipaa hitech and privacy](https://reader035.vdocuments.net/reader035/viewer/2022062710/55a5ae921a28abd2578b4599/html5/thumbnails/30.jpg)
© 2015 Epstein Becker & Green, P.C. | All Rights Reserved. | ebglaw.com
Questions?
30