HIPAA 2013 – Life’s A Breach and Then You…

HIPAA/HITECH 2009: Into the Breach

Quick History

Breach notification requirements were first introduced into HIPAA upon passage of HITECH in 2009.

Beginning September 23, 2009, covered entities were obligated to notify the HHS Secretary of all breaches of protected health information occurring on or after that date. As of September 23, 2009, covered entities were required to report breaches affecting 500 or more individuals to the Secretary without unreasonable delay and in no case later than 60 days from discovery of the breach, while breaches affecting fewer individuals had to be reported to the Secretary within 60 days of the end of the calendar year in which the breach occurred.

This year, the deadline for reporting 2012 breaches affecting fewer than 500 individuals is February 28!

HIPAA 2013: Breaches Clarified

HIPAA 2013 includes final modifications to the Breach Notification Rule, which replace the interim final rule originally published in 2009 as required by the HITECH Act. HHS estimates that it will receive approximately 19,000 breach notifications annually and that those breaches will affect approximately 6.71 million individuals.

HIPAA 2013: No harm, no foul? Not so much!

The Final Rule on Breach Notification for Unsecured Protected Health Information under the HITECH Act replaces the breach notification rule’s “harm” threshold with a more objective standard and supplants the interim final rule published on August 24, 2009. It focuses more objectively on the risk that the protected health information has been compromised.

This final rule modifies and clarifies the definition of breach and the risk assessment approach outlined in the interim final rule. Language was added to the definition of breach to clarify that an impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate demonstrates that there is a low probability that the protected health information has been compromised.

HHS has clarified its position that breach notification is necessary in all situations except those in which the covered entity or business associate demonstrates that there is a low probability that the protected health information has been compromised. The covered entity or business associate has the burden of proof!

HHS believes that this presumption in the final rule will help ensure that all covered entities and business associates interpret and apply the regulation in a uniform manner.

The new language is consistent with § 164.414, which provides that covered entities and business associates have the burden of proof to demonstrate that all notifications were provided or that an impermissible use or disclosure did not constitute a breach. This burden is met by demonstrating through a risk assessment that there was a low probability that the protected health information had been compromised. The covered entity or business associate must maintain documentation sufficient to meet that burden of proof.

The final rule also identifies the more objective factors covered entities and business associates must consider when performing a risk assessment to determine if the protected health information has been compromised and breach notification is necessary.

HIPAA 2013: Encrypt Early and Often

Every time there is a HIPAA data breach penalty for a lost laptop or hard drive, Office for Civil Rights (OCR) Director Leon Rodriguez likes to emphasize that the penalty would have been avoided if the data had been encrypted. The HITECH Act of 2009 modified the HIPAA data breach rule by stating that if a device is lost or stolen, the loss is not reportable as a HIPAA data breach if the data is encrypted in compliance with data encryption guidance from the National Institute of Standards and Technology (NIST).

To avoid the hit to your organization’s reputation and bottom line if you have to remediate a breach, it is strongly suggested that you encrypt data at rest and data on portable devices such as laptops and flash drives.

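The rules laid out above (the encryption safe harbor for lost devices, the 500-individual threshold for reporting to HHS and the media within 60 days of discovery, annual reporting for smaller breaches, and the presumption that an impermissible disclosure is a breach unless a documented risk assessment shows a low probability of compromise) can be turned into a triage routine that an incident responder runs when a device is reported missing. The following Python is an added example, not code from the original post or from HHS; the inventory fields, the sample incidents and the device identifiers are constructed for illustration.

```python
"""Triage a lost or stolen device under the HITECH breach notification rule.

Added example: the inventory record layout and sample incidents are constructed
assumptions, not a real organization's data.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

HHS_IMMEDIATE_THRESHOLD = 500   # 500 or more individuals: HHS and media notice within 60 days of discovery
NOTICE_WINDOW_DAYS = 60


@dataclass
class LostDevice:
    device_id: str
    contains_ephi: bool
    individuals: int                 # individuals whose ePHI was on the device
    nist_encrypted: bool             # assumption: inventory records verified full-disk encryption per NIST guidance
    lost_on: date                    # date the loss occurred
    discovered_on: date              # date the organization discovered the loss
    low_probability_documented: bool = False  # a documented risk assessment showing low probability of compromise


@dataclass
class Determination:
    device_id: str
    reportable: bool
    notify_individuals: bool
    notify_media: bool
    hhs_deadline: Optional[date]        # set only for 500-or-more breaches
    annual_report_year: Optional[int]   # set only for smaller breaches (calendar year of the breach)
    reason: str


def assess(dev: LostDevice) -> Determination:
    """Decide whether the loss is a reportable breach and who must be notified by when."""
    if not dev.contains_ephi:
        return Determination(dev.device_id, False, False, False, None, None,
                             "no ePHI stored on the device")
    if dev.nist_encrypted:
        # Encryption per NIST guidance is the safe harbor: the loss is not a reportable breach.
        return Determination(dev.device_id, False, False, False, None, None,
                             "ePHI encrypted per NIST guidance: safe harbor, not a reportable breach")
    if dev.low_probability_documented:
        # The presumption of breach is rebutted only by a documented risk assessment;
        # the burden of proof stays with the covered entity or business associate.
        return Determination(dev.device_id, False, False, False, None, None,
                             "documented risk assessment shows low probability of compromise; keep the documentation")
    if dev.individuals >= HHS_IMMEDIATE_THRESHOLD:
        deadline = dev.discovered_on + timedelta(days=NOTICE_WINDOW_DAYS)
        return Determination(dev.device_id, True, True, True, deadline, None,
                             "unencrypted ePHI, 500 or more individuals: notify individuals, HHS and media "
                             "without unreasonable delay and no later than 60 days from discovery")
    return Determination(dev.device_id, True, True, False, None, dev.lost_on.year,
                         "unencrypted ePHI, fewer than 500 individuals: notify individuals now, "
                         "report to HHS in the annual submission for the year of the breach")


def triage(devices: List[LostDevice]) -> List[Determination]:
    """Assess every device, reportable incidents first, earliest HHS deadline first."""
    results = [assess(d) for d in devices]
    return sorted(results, key=lambda r: (not r.reportable, r.hhs_deadline or date.max))


if __name__ == "__main__":
    # Constructed sample incidents.
    sample = [
        LostDevice("LT-0077", True, 2000, True, date(2013, 2, 11), date(2013, 2, 12)),
        LostDevice("USB-0009", True, 441, False, date(2012, 12, 28), date(2013, 1, 3)),
        LostDevice("LT-0042", True, 1200, False, date(2013, 2, 20), date(2013, 3, 4)),
        LostDevice("TAB-0003", False, 0, False, date(2013, 3, 1), date(2013, 3, 1)),
    ]
    for r in triage(sample):
        print(f"{r.device_id}: reportable={r.reportable} media={r.notify_media} "
              f"hhs_deadline={r.hhs_deadline} annual_year={r.annual_report_year} ({r.reason})")
```

The useful property of writing the rule down this way is that the encryption check comes first: a device that the inventory can prove was encrypted never reaches the notification branches, which is exactly the argument OCR keeps making after each lost-laptop penalty. Keep the inventory's encryption-verification field trustworthy (verified at enrollment and re-checked, not self-reported), because the safe harbor rests on it.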

HIPAA 2013: Timetables

The final rule is effective on March 26, 2013. Covered entities and business associates of all sizes will have 180 days beyond the effective date of the final rule to come into compliance with most of the final rule’s provisions, including the modifications to the Breach Notification Rule.

HIPAA 2013: Notice of Privacy Practices Must Change

The final rule also requires covered entities to include in their Notice of Privacy Practices a statement of the right of affected individuals to be notified following a breach of unsecured protected health information. HHS believes that individuals should be informed of their right to receive, and of the obligation of covered entities to provide, notification following a breach.

HHS indicated that a simple statement in the Notice of Privacy Practices that an individual has a right to, or will receive, notification of breaches of his or her unsecured protected health information will suffice for purposes of this requirement.

HIPAA 2013: Costs

HHS estimates that private entities will bear 93 percent of the costs of compliance with the breach notification requirements, or about $13.5 million. This is because the majority of breach reports are filed by health care providers, all of whose costs were attributable to the private sector.

HIPAA 2013 is loaded with many challenges for covered entities and business associates. Hopefully, your organization has been preparing for these final rules since passage of HITECH. If you have not, the time is NOW!

Julie Meadows-Keefe


Identity Theft Often Begins at the Workplace

Julie Meadows-Keefe

Identity Theft and the Mythical Evil Hacker Across the World.

When we think about identity theft, maybe we tend to think about evil hackers in foreign countries trying to gain access to our data.

Or maybe we think about cerebral kids with nothing better to do than to try and gain access to confidential databases for the sheer love of doing it.

We may also picture paper medical records being thrown into the trash and retrieved by someone who uses them to take out credit cards or loans, or to apply for benefits.

Sometimes the last thing we think of is malicious data theft by employees we hire to serve our patients.

Identity Theft Under Our Noses!

This recently occurred at a clinic serving low-income patients in Palm Beach County, Florida. Here, the employee had been collecting the data to sell as part of a fraud scheme. Fortunately, a delivery truck driver grew suspicious of the woman, who ostensibly wanted to spend $36.00 to ship a card overnight. The driver opened the package and discovered lists with clients’ information, including clients’ Social Security numbers. The employee was fired and has been arrested on several counts of fraud.

Additionally, in Texas there have been several reports of similar identity thefts.

A former Texas Department of Health and Human Services worker in Mount Pleasant assumed the identities of clients receiving immunizations and other services at the Texas Department of Health and Human Services. She used this client information to apply for credit cards online and, once approved, made as many purchases as each credit card would allow. The former employee was arrested, and several hundred patient names and Social Security numbers were retrieved from her residence.

The former employee has been charged with Fraudulent Use or Possession of Identifying information, a 2nd Degree Felony, and Credit Card Abuse, a State Jail Felony.

What Can Be Done to Prevent Identity Theft By Trusted Employees?

Unfortunately, it is impossible to filter all bad apples out of the barrel of potential job applicants. Perhaps employees fall on hard times and feel that stealing confidential information is a quick way out of financial difficulty. They may not seek employment involving confidential data with the intent to steal it. They may also think there is a low likelihood they will be caught. This is where their logic falls apart.

Most employers storing and utilizing confidential data electronically are deploying tracking software. This allows them to see which employees are accessing which data, and when it is being accessed. Assuming that the employer has someone assigned to check those logs, unauthorized access can be easy to detect, thereby decreasing the likelihood that improperly accessed patient data can be used for identity theft purposes. If you have not deployed tracking software, this should be a top priority to accomplish in 2013.

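As an added example of the log review the paragraph above describes (not code from the original post or from any vendor's tracking software), the following Python routine parses constructed EHR access-log lines and flags the three patterns the employee cases in this post would leave behind: a user viewing records of patients with whom they have no treatment or billing relationship, access outside business hours, and one user viewing Social Security numbers for more patients in a day than their role warrants. The log line format, the caseload table, the user names and the thresholds are all assumptions.

```python
"""Review an EHR access log for signs of insider data theft.

Added example. The log format, user names, caseload table and thresholds are
constructed assumptions, not a real system's data.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Set, Tuple

# Constructed sample log: ISO timestamp, user, action, patient id, field groups touched.
SAMPLE_LOG = """\
2013-01-14T09:12:03 user=jsmith action=VIEW patient=P10023 fields=demographics,visit
2013-01-14T09:40:11 user=jsmith action=VIEW patient=P10031 fields=demographics,visit
2013-01-14T10:05:45 user=jsmith action=UPDATE patient=P10023 fields=visit
2013-01-14T11:30:00 user=mlopez action=VIEW patient=P10023 fields=demographics,ssn
2013-01-14T11:30:20 user=mlopez action=VIEW patient=P10024 fields=demographics,ssn
2013-01-14T11:30:41 user=mlopez action=VIEW patient=P10025 fields=demographics,ssn
2013-01-14T11:31:02 user=mlopez action=VIEW patient=P10026 fields=demographics,ssn
2013-01-14T11:31:25 user=mlopez action=VIEW patient=P10027 fields=demographics,ssn
2013-01-14T11:31:49 user=mlopez action=VIEW patient=P10028 fields=demographics,ssn
2013-01-14T22:14:09 user=mlopez action=VIEW patient=P10029 fields=demographics,ssn
2013-01-14T22:14:30 user=mlopez action=VIEW patient=P10030 fields=demographics,ssn
"""

# Constructed caseload: patients each user has a treatment or billing relationship with.
# In practice this comes from scheduling, billing or assignment data.
CASELOAD: Dict[str, Set[str]] = {
    "jsmith": {"P10023", "P10031"},
    "mlopez": {"P10023"},          # front-desk role: one patient checked in that morning
}
BUSINESS_HOURS = (7, 19)           # assumption: 07:00 to 19:00 local time
MAX_SSN_PATIENTS_PER_DAY = 3       # assumption: tune to each role's observed baseline

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"patient=(?P<patient>\S+) fields=(?P<fields>\S+)$"
)


def parse_log(text: str) -> List[dict]:
    """Parse log lines into events; malformed lines are skipped rather than aborting the review."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        ev["fields"] = set(ev["fields"].split(","))
        events.append(ev)
    return events


def find_alerts(events: List[dict], caseload: Dict[str, Set[str]] = CASELOAD) -> List[Tuple[str, str, str]]:
    """Return (user, alert_kind, detail) tuples for access that warrants review."""
    alerts = []
    ssn_patients = defaultdict(set)     # (user, day) -> patients whose SSN field was viewed
    for ev in events:
        user, patient = ev["user"], ev["patient"]
        if patient not in caseload.get(user, set()):
            alerts.append((user, "NO_RELATIONSHIP", patient))
        if not (BUSINESS_HOURS[0] <= ev["ts"].hour < BUSINESS_HOURS[1]):
            alerts.append((user, "AFTER_HOURS", patient))
        if "ssn" in ev["fields"]:
            ssn_patients[(user, ev["ts"].date())].add(patient)
    # Bulk identifier harvesting shows up as many distinct patients' SSNs in one day.
    for (user, day), patients in ssn_patients.items():
        if len(patients) > MAX_SSN_PATIENTS_PER_DAY:
            alerts.append((user, "BULK_SSN_ACCESS", f"{len(patients)} patients on {day}"))
    return alerts


def flagged_users(events: List[dict]) -> List[str]:
    """Users with at least one alert, for the reviewer's daily worklist."""
    return sorted({user for user, _, _ in find_alerts(events)})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for user, kind, detail in find_alerts(evs):
        print(f"{user:8} {kind:18} {detail}")
    print("review:", flagged_users(evs))
```

The relationship check is the one that catches the cases described in this post: a clerk or caseworker who legitimately handles a handful of records a day stands out immediately when the log shows them paging through dozens of patients' identifiers. None of this helps unless the output actually lands on a named person's desk every day, which is the staffing point the paragraph above makes.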
Next, employers should be consistently training staff on HIPAA Privacy and Security Policies. This training should contain ample “scare tactics” showing what happens to people who violate the policies. I’ve included two examples in this post. Jobs are lost, arrests are made, lives are ruined.

It is gratifying to see that both employers in the above examples appear to have acted appropriately in terminating the employees, communicating with authorities and potentially affected patients, and reflecting transparently on what other measures they are taking to ensure these incidents do not occur again.

If you are cultivating a culture of compliance in your organization, it goes a long way towards making sure that identity thieves do not feel welcomed as employees.

HHS Is Serious About Privacy and Security!

HHS is serious about privacy and security! HHS again demonstrated this on January 2, 2013, when it announced the first HIPAA breach settlement involving fewer than 500 patients. The provider, Hospice of North Idaho (HONI), settled with HHS for $50,000.

This is the first settlement involving a breach of unsecured electronic protected health information (ePHI) affecting fewer than 500 individuals.

The HHS Office for Civil Rights (OCR) began its investigation after HONI reported to HHS that an unencrypted laptop computer containing the electronic protected health information (ePHI) of 441 patients had been stolen in June 2010. Laptops containing ePHI are regularly used by the organization as part of their field work. Over the course of the investigation, OCR discovered that HONI had not conducted a risk analysis to safeguard ePHI. Further, HONI did not have in place policies or procedures to address mobile device security as required by the HIPAA Security Rule. Since the June 2010 theft, HONI has taken extensive additional steps to improve their HIPAA Privacy and Security compliance program.

“This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information,” said OCR Director Leon Rodriguez. “Encryption is an easy method for making lost information unusable, unreadable and undecipherable.”

HONI entered into a 2-year corrective action plan (CAP) with HHS, which included the following findings and obligations that demonstrate that HHS is serious about privacy and security:

  1. HONI did not conduct an accurate and thorough analysis of the risk to the confidentiality of ePHI on an on-going basis as part of its security management process from the compliance date of the Security Rule to January 17, 2012. In particular, HONI did not evaluate the likelihood and impact of potential risks to the confidentiality of electronic PHI maintained in and transmitted using portable devices, implement appropriate security measures to address such potential risks, document the chosen security measures and the rationale for adopting those measures, and maintain on an on-going basis reasonable and appropriate security measures.
  2. HONI did not adequately adopt or implement security measures sufficient to ensure the confidentiality of ePHI that it created, maintained, and transmitted using portable devices to a reasonable and appropriate level from the compliance date of the Security Rule to May 1, 2011.
  3. HONI was required to designate an authorized representative to be the point of contact with HHS throughout the 2 year corrective action plan.
  4. HONI has to report to HHS any violations of its Privacy and Security policies and detail remedial actions they have taken to respond to the violation.
  5. Any further HIPAA violations can result in additional civil money penalties.

The Resolution Agreement can be found here.

You should know that the Health Information Technology for Economic and Clinical Health (HITECH) Breach Notification Rule requires covered entities to report an impermissible use or disclosure of protected health information, or a “breach,” affecting 500 individuals or more to the Secretary of HHS and the media within 60 days after the discovery of the breach. Smaller breaches affecting fewer than 500 individuals must be reported to the Secretary on an annual basis.

So many problems can be averted through diligent and consistent usage of encryption and common-sense measures that staff may use when traveling with computers and other mobile devices.

HHS is serious about Privacy and Security.  You and your practice should be too.
