1. Don’t Get Hit by the HIPAA Omnibus: Are You Ready for Sept 23?
2. Disclaimers
The material in this presentation and/or any remarks made by HealthCare Too, LLC personnel are NOT meant to provide legal advice or counsel. We intend this session to provide you with highlights of the new HIPAA Omnibus for your edification and for your own use at your own professional discretion.
8/6/13 HealthCare Too, LLC Proprietary
3. Scope
45 CFR Parts 160 and 164: Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act, or “The HIPAA Omnibus”, was 138 pages when released on Jan 25, 2013. This presentation introduces several major changes at a high level but does not present all changes.
4. Your Presenters
• Tim Perry, MPA, CHTS-IS
  • Chief Information Officer, HealthCare Too, LLC
  • 25+ years of Health Information Technology and Compliance experience
    • Chief Technology Officer, Ecommerce, LLC (Cloud & Hosting)
    • Senior Vice President of Infrastructure Services, Reed Elsevier
    • Global IT Director, Johnson & Johnson
    • Consulting engagements at SmithKline Beecham, Merck
  • Education
    • Master of Technology Management, Univ of Pennsylvania
    • Master of Public Administration, The Ohio State University
    • Bachelor of Arts, The Ohio State University
6. What’s in a Name?
• Mega Rule
• Omnibus
• Final Rule
7. Protected Health Information (PHI)
Individually identifiable Health Information
List of 18 Identifiers
• Names
• All geographic subdivisions smaller than state
• All elements of dates except year
• Phone numbers
• Fax numbers
• Electronic mail addresses
• Social Security numbers
• Medical record numbers
• Health plan beneficiary numbers
• Account numbers
• Certificate/license numbers
• Vehicle identifiers and serial numbers
• Device identifiers and serial numbers
• Web Universal Resource Locators (URLs)
• Internet Protocol (IP) address numbers
• Biometric identifiers
• Full face photographic images
• Any other unique identifying number
Health information means any information, including genetic information, whether oral or recorded in any form or medium, that:
(1) Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and
(2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.
8. [Flow chart: Breach and Complaint]
Breach: “[A]cquisition, access, use, or disclosure of protected health information in a manner not permitted”
“Some Incident” -> Risk Assessment
  -> No Breach -> Document & Done
  -> Breach Verified -> OCR Agreement for Corrective Action, Settlement, or Formal Finding and Fine
Complaint: “A person who believes a covered entity or business associate is not complying with the administrative simplification provisions may file a complaint with the Secretary”
Complaint -> OCR Intake / Review
  -> No Violation -> Document & Done
  -> Possible Violation -> OCR Investigation
    -> No Violation -> Document & Done
    -> Violation Found -> OCR Agreement for Corrective Action, Settlement, or Formal Finding and Fine
Violation: “[F]ailure to comply with an administrative simplification provision.”
10. Leon Rodriguez
“I am the first Director of the Office of Civil Rights to come to the Office with experience, extensive experience, both in law enforcement and a healthcare provider lawyer and it’s my commitment to ramp up the enforcement of the Office.”
Oral Testimony to Senate Judiciary Subcommittee on Privacy, Technology, and Law, “Your Health and Your Privacy: Protecting Health Information in a Digital World.”, Nov 2, 2011.
12. Reported 500+ Breaches in OH
Patients Affected | Date of Breach | Type of Breach | Location of Breach
60998  | 3/27/10 | Theft | Laptop
1001   | 4/22/10 | Unauthorized Access/Disclosure | Email
1200   | 6/13/10 | Improper Disposal | Paper
1309   | 6/11/10 | Loss | Laptop
13867  | 6/7/10 | Theft | Laptop
2123   | 7/29/10 | Improper Disposal | Paper
1000   | 11/15/10 | Improper Disposal | Paper
501    | 11/5/10 | Theft | Laptop, Computer
78,042 | 6/3/11 | Theft | Laptop
500    | 10/1/10 | Improper Disposal | Other (X-ray film)
15,000 | 10/01/2010 - 03/21/2012 | Unauthorized Access/Disclosure | Other
15000  | 10/1/2010 - 03/21/2012 | Unauthorized Access/Disclosure | Other
850    | 12/2/12 | Theft | Laptop, Network Server
2500   | 3/19/13 | Theft | Other
500    | 04/14/2013 - 04/19/2013 | Loss | Laptop
2203   | 5/29/13 | Other | Paper
78542  | TOTAL
13. Notable Settlements
Entity | Amount | Year
WellPoint, Inc. (unattended weaknesses in online database) | $1.7 million | July 2013
Walgreens (pharmacist looked up a woman’s history) | $1.44 million | July 2013
MN AG & Accretive Health (started from July 2011 lost laptop) | $2.5 million | July 2013
Shasta Regional Med Center (disclosure of patient info to Media) | $275,000 | June 2013
Idaho State University (left a firewall down for 10 mos after maint) | $400,000 | May 2013
Goldthwait Associates & 4 Pathology Groups, MA Attorney General (disposed of patient data at dump) | $140,000 | January 2013
14. Compliance Deadline
Omnibus HIPAA Final Rule
• Published in Federal Register – January 25, 2013
• Effective Date – March 26, 2013
• Compliance Date – September 23, 2013
• Transition Period to Conform BA Contracts – Up to September 22, 2014, for Qualifying Contracts
16. “Covered Entity”
• (1) A health plan.
• (2) A health care clearinghouse.
• (3) A health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter.
• Note: if an electronic transaction is made on a provider’s behalf… it is considered the provider’s
17. “Business Associate”
What it says:
• “functions, activities or services on behalf of covered entities”
• “Create, receive, maintain, or transmit PHI”
• Clarifies definition of BA to include: Patient Safety Organizations, Health Information Exchanges, Personal Health Records
What it means:
• An employee of a CE is NOT a BA.
• Must have BAA in place
• Clarification that BAs are liable whether or not they have an agreement in place with the CE.
(Marissa Gordon-Nguyen, JD, MPH, Office for Civil Rights)
18. “Subcontractors”
What it says:
• "a person to whom a business associate delegates a function, activity, or service, other than in the capacity of a member of the workforce of such business associate." (45 CFR 160.103)
• "under the final rule, covered entities must ensure that they obtain satisfactory assurances required by the Rules from their BAs, and BAs must do the same with regard to subcontractors, and so on, no matter how far 'down the chain' the information flows."
What it means:
Subcontractors are BAs:
• Subject to HIPAA provisions
• Directly liable for HIPAA violations
• BA must have BAA with every subcontractor
• Subcontractor must have BAA with its subcontractors, who are also BAs
19. Agency
• Covered Entities can be held liable for the violations caused by their Business Associates.
• Business Associates can be held liable for the violations caused by their sub-contractors.
• Federal common law of Agency will govern whether an agency relationship exists between the parties - regardless of what the contract actually says.
(WEDI presentation by Joseph R. McClure, Esq., Legal Counsel, Siemens Medical Solutions USA, WEDI Privacy & Security Co-Chair)
24. Typical BA Functions (Again)
• Claims processing or administration
• Data analysis, processing or administration
• Utilization review
• Quality assurance billing
• Benefit management
• Practice management
• Repricing
• Data Storage / Hosting
• Legal
• Actuarial
• Accounting
• Consulting
• Data aggregation
• Management
• Administrative
• Accreditation
• Financial
25. Business Associates Must:
1. Comply with the HIPAA Security Rule
2. Report to Covered Entity any breach of unsecured PHI
3. Enter into BAAs with subcontractors imposing the same obligations that apply to the Business Associate
4. Comply with the HIPAA Privacy Rule to the extent Business Associate is carrying out a Covered Entity’s Privacy Rule obligations
(WEDI presentation by Joseph R. McClure, Esq., Legal Counsel, Siemens Medical Solutions USA, WEDI Privacy & Security Co-Chair)
26. Breach
Unauthorized acquisition, access, use or disclosure that compromises the security or privacy of the protected health information such that the use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual.
27. Four-Factor PHI Breach Assessment
1. Nature and extent of PHI involved
2. Unauthorized person who used PHI or to whom disclosure was made
3. Whether PHI was actually acquired or viewed
4. Extent to which risk to PHI has been mitigated
“Guilty until proven innocent”: breach is now presumed
28. Breach Notification
Less Than 500 Patient Records:
• Individual notifications must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach
• Notify HHS on an annual basis.
500+ Patient Records:
• Individual notifications must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach
• Notify the Secretary without unreasonable delay and in no case later than 60 days following a breach.
• Provide notice to prominent media outlets serving the State or jurisdiction
HHS provides “safe harbor” for PHI that is encrypted or properly disposed of in keeping with early guidance.
Note: When you notify of a breach, you are self-reporting a HIPAA violation and should make your counsel aware as well as conduct a new risk analysis with corrective actions.
29. [Flow chart: Breach Notification]
Breach Discovered -> Risk Assessment
  1. Nature and extent of PHI involved
  2. Unauthorized person who used PHI or to whom disclosure was made
  3. Whether PHI was actually acquired or viewed
  4. Extent to which risk to PHI has been mitigated
  -> No Breach -> Document & Done
  -> Breach -> Less Than 500?
    -> Yes -> Notify Individuals; Notify HHS Annually
    -> No -> Notify Individuals; Notify HHS w/i 60 days; Notify Media
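The flow chart above, encoded as a Python helper so a privacy officer can record the four-factor scoring and get the required notifications and deadlines back. This is an added example, not material from the deck; it assumes the reviewer scores each factor as a boolean, runs every 60-day clock from the discovery date, and the sample incidents are constructed.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# The four factors from the risk assessment step; each is scored True by the
# reviewer when that factor indicates a low probability the PHI was compromised.
FOUR_FACTORS = (
    "nature and extent of PHI involved",
    "unauthorized person who used PHI or to whom disclosure was made",
    "whether PHI was actually acquired or viewed",
    "extent to which risk to PHI has been mitigated",
)


@dataclass
class Incident:
    discovered: date
    affected: int          # individuals whose PHI was involved
    phi_secured: bool      # encrypted or properly disposed per HHS guidance (safe harbor)
    low_risk: dict = field(default_factory=dict)   # factor -> True when low risk


def is_reportable_breach(inc):
    """Breach is presumed unless safe harbor applies or every factor shows low
    risk. An unassessed factor cannot rebut the presumption."""
    if inc.phi_secured:
        return False
    return not all(inc.low_risk.get(f, False) for f in FOUR_FACTORS)


def notification_plan(inc):
    """Return the notifications the flow chart requires, with 60-day deadlines
    counted from the discovery date (assumption: all clocks run from discovery)."""
    if not is_reportable_breach(inc):
        return {"breach": False, "action": "Document & Done"}
    deadline = (inc.discovered + timedelta(days=60)).isoformat()
    plan = {"breach": True, "notify_individuals_by": deadline}
    if inc.affected < 500:
        plan["notify_hhs"] = "annual log"
    else:
        plan["notify_hhs_by"] = deadline
        plan["notify_media_by"] = deadline
    return plan


# Constructed sample incidents (fictional), in the style of the Ohio table above.
ENCRYPTED_LAPTOP_THEFT = Incident(date(2013, 6, 1), 2000, phi_secured=True)
MISDIRECTED_EMAIL = Incident(date(2013, 6, 1), 120, False,
                             {f: False for f in FOUR_FACTORS})
UNENCRYPTED_LAPTOP_THEFT = Incident(date(2013, 6, 1), 60998, False, {})

if __name__ == "__main__":
    for inc in (ENCRYPTED_LAPTOP_THEFT, MISDIRECTED_EMAIL, UNENCRYPTED_LAPTOP_THEFT):
        print(notification_plan(inc))
```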
30. Where?
• Privacy Rule applies to any form of PHI
  • It’s about disclosures
• Security Rule applies to electronic forms of PHI
  • Desktop
  • Laptop
  • Tablet Computer
  • Smart Phone
  • Cloud
  • USB “thumb drive”
  • CD / DVD
  • Floppy disk (if those even still exist)
  • ….
31. Greater Use of Health Information Technology
33. The Size of the Issue….
2 Kilobytes: A Typewritten page
1 Megabyte: A small novel
1 Gigabyte: A pickup truck filled with paper
1 Terabyte: 50,000 trees made into paper and printed
1 Petabyte of music would take ~2,000 years to play
1 Exabyte: 100,000X the printed material in the Lib of Congress
1 Zettabyte: ~62 Billion iPhones (stacked would pass the moon)
http://highscalability.com/blog/2012/9/11/how-big-is-a-petabyte-exabyte-zettabyte-or-a-yottabyte.html
To store a Yottabyte on terabyte sized hard drives would require a million city block size data-centers… as big as the states of Delaware and Rhode Island
http://en.wikipedia.org/
34. Privacy Rule
Covered Entity:
• Marketing & Fundraising
• Sale of protected health information (PHI)
• Right to request restrictions
• Electronic access for patient
• Delegates
• Genetic info for underwriting prohibited
• Immunization records with parent approval
• Decedent PHI protected for 50 years
Business Associate: BAA at least as strict as CE
Subcontractor: BAA at least as strict as BA
36. Security Rule: Phys Safeguards
Applies to: Covered Entity, Business Associates, and Subcontractors
Required:
• Workstation Use (R)
• Workstation Security (R)
• Disposal (R)
• Media Re-use (R)
Addressable:
• Contingency Operations (A)
• Facility Security Plan (A)
• Access Control and Validation Procedures (A)
• Maintenance Records (A)
• Accountability (A)
• Data Backup and Storage (A)
37. Security Rule: Admin Safeguards
Applies to: Covered Entity, Business Associates, and Subcontractors
Required:
• Risk Analysis (R)
• Risk Management (R)
• Sanction Policy (R)
• Information System Activity Review (R)
• Assigned Security Responsibility (R)
• Isolating Health Care Clearinghouse Function (R)
• Response and Reporting (R)
• Data Backup Plan (R)
• Disaster Recovery Plan (R)
• Emergency Mode Operation Plan (R)
• Evaluation (R)
• Written Contract or Other Arrangement (R)
Addressable:
• Authorization and/or Supervision (A)
• Workforce Clearance Procedure (A)
• Termination Procedures (A)
• Access Authorization (A)
• Access Establishment and Modification (A)
• Security Reminders (A)
• Protection from Malicious Software (A)
• Log-in Monitoring (A)
• Password Management (A)
• Testing and Revision Procedure (A)
• Applications and Data Criticality Analysis (A)
38. Security Rule: Tech Safeguards
Applies to: Covered Entity, Business Associates, and Subcontractors
Required:
• Unique User Identification (R)
• Emergency Access Procedure (R)
• Audit Controls (R)
• Person or Entity Authentication (R)
Addressable:
• Automatic Logoff (A)
• Encryption and Decryption (A)
• Mechanism to Authenticate Electronic PHI (A)
• Integrity Controls (A)
• Encryption (A)
39. Security Rule: Org Reqmnts
Applies to: Covered Entity, Business Associates, and Subcontractors
Required:
• Business Associate Contracts (R)
• Group Health Plans (R)
• Documentation
  • Time Limit (R)
  • Availability (R)
  • Updates (R)
41. If I Store Data Online Does HIPAA Apply to the Hoster?
“For example, a data storage company that has access to protected health information (whether digital or hard copy) qualifies as a business associate, even if the entity does not view the information or only does so on a random or infrequent basis.”
-HIPAA Omnibus
42. What’s Your Hosting Service?
 | Shared | Dedicated | Medical-grade Cloud
Price | ~$7.95/month | ~$50+ / month | ~$300+ / month
BA Agreement | Violation? | Violation? |
Risk Analysis | Violation? | Violation? |
24 X 7 Monitoring | Violation? | Violation? |
Encryption | Violation? | Violation? |
Audit Logs | Violation? | Violation? |
Monthly Report | Violation? | Violation? |
DR Plan | Violation? | Violation? |
Data Backup | Violation? | Violation? |
Disposal Policy | Violation? | Violation? |
Unique User ID | Violation? | Violation? |
AND MUCH, MUCH, MUCH MORE
43. Fine Structure
Violation Category | Per Violation | Per Calendar Year
Did Not Know | $100 - $50,000 | $1,500,000
Reasonable Cause | $1,000 - $50,000 | $1,500,000
Willful Neglect – Corrected | $10,000 - $50,000 | $1,500,000
Willful Neglect – Not Corrected | $50,000 | $1,500,000
44. “Last year we had a $1.5M settlement with BCBS TN that had 57 hard drives stolen from a storage facility. The citation that drove the penalty was NOT the breach. Rather, the penalty was applied because of the failure to implement appropriate administrative safeguards, not performing a risk assessment, and failure to implement access controls for physical safeguards. They could have turned that storage facility into Fort Knox, and it might have still been breached. But the problem was they didn’t implement any preventive policies or procedures or appropriate administrative or physical safeguards. This is a great example of the lack of ongoing attention to compliance.”
Leon Rodriguez, Director, Office for Civil Rights
HIPAA in a HITECH World: HIPAA Violations on the Rise, According to Director of OCR. Posted on March 22, 2013 by April Sage
45. Another Real Life Example
Breach of less than 500 patients' PHI
• Hospice of North Idaho fined $50,000
• Unencrypted laptop was stolen from an employee's car.
• OCR found that HONI (1) did not conduct a risk analysis to safeguard ePHI and (2) did not have policies/procedures in place to address mobile device security.
46. Patient Rights over PHI
What it says:
• In this final rule, we strengthen an individual’s right to receive an electronic copy of his or her protected health information.
• The final rule requires that a covered health care provider agree in most cases to an individual’s request to restrict disclosure to a health plan of the individual’s protected health information that pertains to a health care service for which the individual has paid the health care provider in full out of pocket.
What it means:
• If you use an EHR, you must provide an e-copy of PHI to patients upon request, within timeframe and costs of Final Rule.
• Patients may pay for treatment and ask provider to withhold PHI from insurer.
47. Street Value of Medical Records
“A thief downloading and stealing data can get $50 on the street for a medical identification number compared to just $1 for a Social Security number. For those receiving the medical ID number and using it to defraud a health care organization, the average payout is more than $20,000,” according to Pam Dixon, executive director of the World Privacy Forum. “Compare that to just $2,000 for the average payout for regular ID theft.”
“Protected Health Information (PHI): High Value to Hackers: Medical Facilities at Risk”, http://www.prweb.com/releases/2013/2/prweb10412883.htm
49. Resources
• Jan 17, 2013 News Release on Omnibus: http://www.hhs.gov/news/press/2013pres/01/20130117b.html
• Poyner Spruill Summary of HIPAA Omnibus: http://www.poynerspruill.com/publications/Pages/summaryofNewHIPAARules.aspx
• Health Information Privacy: http://www.hhs.gov/ocr/privacy/hipaa/understanding/index.html
• Enforcement Examples: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/index.html
• HHS “Wall of Shame”: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html