Download presentation
Presentation is loading. Please wait.
Published byRafael Jewett Modified over 9 years ago
1
Importance of the Information Risk Assessment
2
Compliance Programs are intended to proactively audit and assess an organization’s operations to detect and prevent improper or illegal activities. Effective Compliance Programs can support mitigation of fines and penalties, but it must be effective within the organization
3
HIPAA requires organizations that handle protected health information to regularly review: administrative, physical; and technical safeguards they have in place to protect the security of the information
4
On March 28, 2014, a new security risk assessment (SRA) tool to help guide health care providers in small to medium sized offices conduct risk assessments of their organizations was made available from HHS. http://www.HealthIT.gov/security-risk- assessment
5
The scope of risk analysis that the Security Rule encompasses includes the potential risks and vulnerabilities to the confidentiality, availability and integrity of all e-PHI that an organization creates, receives, maintains, or transmits. (45 C.F.R. § 164.306(a)
6
Administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information
7
Security Management Process Assigned Security Responsibility Workforce Security Information Access Management Security Awareness and Training Security Incident Procedures Contingency Plan Evaluation Business Associate Contracts and Other Arrangements
8
physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion
9
Facility Access Controls Device and Media Controls Workstation Use Workstation Security
10
the technology and the policy and procedures for its use that protect electronic protected health information and control access to it
11
Access Control Audit Controls Integrity Person or Entity Authentication Transmission Security
12
Business Associates Security Breach Notification
13
Certain entities now explicitly included in definition of “business associate” ◦ Health Information Organizations, E-prescribing Gateways and other persons that provide data transmission services to a covered entity that require access on a routine basis to PHI ◦ Patient Safety Organizations ◦ Any person offering PHRs on behalf of a covered entity Data transmission organization that acts as a mere conduit for the transport of PHI and does not access PHI other than on a random or infrequent basis is NOT a business associate (transient vs. persistent analysis) Subcontractors of BAs are considered BAs if they handle PHI 13
14
A “subcontractor” is any person to whom BA delegates a function, activity or service, other than as a member of BA’s workforce Subcontractor is a BA if it creates, receives, maintains or transmits PHI on behalf of a business associate Person who receives or accesses PHI to assist BA with BA’s own management and administration or legal responsibilities is not a subcontractor and therefore not a BA ◦ But BA must obtain “reasonable assurances” Status as business associate flows “down the chain” 14
15
Comply with applicable requirements of Security Rule Provide security breach notification to CE Use and disclose PHI only as permitted by BA Agreement Not use or disclose PHI in a way that would violate the HIPAA Privacy Rule if done by covered entity (subject to narrow exceptions) Execute BA Agreements with subcontractors that create, receive or maintain PHI on BA’s behalf If subcontractor engages in pattern or practice in material breach of its BA Agreement, take reasonable steps to cure breach or terminate if feasible Use reasonable efforts to limit PHI to minimum necessary Disclose PHI ◦ To covered entity, individual or individual’s designee when required to provide electronic copy of PHI ◦ To Secretary of HHS when required Provide accounting of disclosures 15
16
New elements ◦ BA must comply with applicable provisions of Security Rule ◦ BA must report any use or disclosure not in compliance with agreement (existing requirement), specifically including breaches of unsecured PHI ◦ BA must ensure that any subcontractor that creates, receives or maintains PHI on its behalf enters into BA Agreement ◦ To the extent BA is to carry out CE’s obligations under Privacy Rule, BA must comply with requirements of Privacy Rule that apply to CE in performing obligations Compliance deadlines ◦ BA Agreements must comply by 9/23/13 unless grandfathered ◦ Grandfathered agreements: If prior to 1/25/13, had BA or subcontractor agreement in place that was compliant with pre-HITECH standards, and agreement not renewed or modified between 3/26/13 and 9/23/13, agreement is deemed compliant until earlier of (i) renewed or modified or (ii) 9/22/14 Automatic or “evergreen” renewal does not end deemed compliance period 16
17
Breach Notification 17
18
Security provisions of HIPAA now apply to a Business Associate of a Covered Entity in the same manner that such sections apply to the Covered Entity. Business associates subject to same penalties as Covered Entities Also applies to vendors of personal health records Security and Notice Requirements 18
19
Security and Notice Requirements Applies to any Covered Entity or BA/vendor that: Accesses, maintains, retains, modifies, records, stores, destroys or otherwise holds, uses, or discloses unsecured protected health information Applies directly to vendors, regardless of whether a business associated agreement is executed 19
20
Security and Notice Requirements Unsecured Protected Health Information means (Section 13402(h)) ◦ protected health information that is not secured through the use of a technology or methodology specified by the Secretary in the guidance issued under this section 20
21
Security and Notice Requirements Obligation to notify triggers upon discovery of a breach ◦ Discovery determined to be the first day on which such breach is known or should reasonably have been known to such entity or associate to have occurred ◦ Knowledge by any person that is an employee, officer or other agent of the entity or associate 21
22
Security and Notice Requirements Notice to Individual must include: ◦ Identification of each individual whose unsecured protected health information has been, or is reasonably believed to have been accessed, acquired, or disclosed during such breach ◦ Brief description of what happened, including the date of the breach and the date of discovery of the breach ◦ Description of the types of unsecured protected health information that were involved 22
23
Security and Notice Requirements Steps the individual should take to protect themselves from potential harm resulting from the breach Description of what the covered entity involved is doing to investigate the breach, to mitigate losses, and to protect against any further breaches Contact procedures for individuals to ask question or learn additional information
24
Security and Notice Requirements Notice to the Secretary by Covered Entities: For breaches impacting 500 or more individuals, notify the Secretary immediately For breaches impacting fewer than 500 individuals, maintain a log and notify the Secretary annually submit such log 24
25
Security and Notice Requirements Notice Process Notice Timing: Notice must be made without unreasonable delay and in no case later than 60 calendar days after discovery of a breach Delay allowed if a law enforcement official determines that a notification, notice or posting would impede a criminal investigation or cause damage to national security Methods of Notice: Written notification by first class mail to individual Substitute notice process for insufficient or out of date contact information Media notice information for 500 individuals or more 25
26
“Safe Harbor” Safe Harbor from Notification Requirement is to ensure the data is maintained in a “secure” manner. June 2009 --Requested comments on the proposed form of “secure” data. ◦ Encryption ◦ De-Identification 26
28
Of the 90,000 complaints investigated most are, compiled cumulatively, in order of frequency: Impermissible uses and disclosures of protected health information; Lack of safeguards of protected health information; Lack of patient access to their protected health information; Uses or disclosures of more than the minimum necessary protected health information; and Lack of administrative safeguards of electronic protected health information. 28
29
The most common types of covered entities that have been required to take corrective action to achieve voluntary compliance are, in order of frequency: PRIVATE PRACTICES; General Hospitals; Outpatient Facilities; Health Plans (group health plans and health insurance issuers); and, Pharmacies. 29
30
$800,000 HIPAA Settlement in Medical Records Dumping Case - June 23, 2014 $800,000 HIPAA Settlement in Medical Records Dumping Case Data Breach Results in $4.8 Million HIPAA Settlements - May 7, 2014 Data Breach Results in $4.8 Million HIPAA Settlements Concentra Settles HIPAA Case for $1,725,220 - April 22, 2014 Concentra Settles HIPAA Case for $1,725,220
31
QCA Settles HIPAA Case for $250,000 – April 22, 2014 QCA Settles HIPAA Case for $250,000 County Government Settles Potential HIPAA Violations - March 7, 2014 County Government Settles Potential HIPAA Violations
32
Adult & Pediatric Dermatology, P.C., of Concord, Massachusetts (APDerm) -$150,000.00 Affinity Health Plan, Inc. will settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules for $1,215,780. WellPoint Inc. has agreed to pay the U.S. Department of Health and Human Services $1.7 million to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules 32
33
33 Michele Madison, Partner, Morris, Manning & Martin, LLP Healthcare & Healthcare IT Practices mmadison@mmmlaw.com Direct: 404-504-7621
34
The materials and information presented and contained within this document are provided by MMM as general information only, and do not, and are not intended to constitute legal advice. Any opinions expressed within this document are solely the opinion of the individual author(s) and may not reflect the opinions of MMM, individual attorneys, or personnel, or the opinions of MMM clients. The materials and information are for the sole use of their recipient and should not be distributed or repurposed without the approval of the individual author(s) and Morris, Manning & Martin LLP. This document is Copyright ©2011 Morris, Manning & Martin, LLP. All Rights Reserved worldwide. 34
Similar presentations
© 2025 SlidePlayer.com. Inc.
All rights reserved.