
Health Care Privacy and Security: An Update on Federal and State Enforcement and Overview of Policy Trends


Presentation Transcript


  1. Health Care Privacy and Security: An Update on Federal and State Enforcement and Overview of Policy Trends Texas Health Law Conference October 10, 2011 Adam H. Greene, JD, MPH, Partner, Davis Wright Tremaine LLP Jessica L. Quinn, JD, Vice President & Chief Compliance Officer, Chief Privacy Officer, The University of Texas MD Anderson Cancer Center

  2. Agenda • Lessons Learned: Federal Enforcement Trends • A New Era of Enforcement: Texas HB 300 • On the Horizon: Privacy and Security Audits

  3. Lessons Learned: Federal Enforcement Trends

  4. Privacy Rule Resolutions (April 2003 to August 2011) Complaints Received: 63,443 Complaints Resolved: 57,748 (91%)

  5. Penalties Under HIPAA • Pre-HITECH: • Maximum $100 per violation • $25,000 for identical continuing violations • Post-HITECH: • Minimum $100, maximum $50,000 or more per violation • $1.5 million for identical continuing violations • Annual caps are per type of violation – rarely one violation • E.g., 42 Security Rule standards and implementation specifications - $63 million per year • State attorneys general are subject to $100/$25,000 limits and may seek injunctive relief

  6. Top Privacy Issues • Impermissible uses and disclosures • Lack of safeguards • Failure to provide access to individual • Use/disclosure of more than minimum necessary • Failure to provide notice of privacy practices

  7. Security Rule Closures (April 2005 to December 2010)

  8. Top Security Issues • Lack of security incident procedures • Lack of security awareness and training • Lack of access controls • Lack of information access management • Lack of workstation security

  9. Breach Reports – Type of Breach, by number of large breaches (September 2009 to September 2011)

  10. Breach Reports – Type of Media, by number of large breaches (September 2009 to September 2011)

  11. Breach Reports – Type of Media, by affected individuals (September 2009 to September 2011)

  12. Issues that Have Led to Settlements/CMPs* • Providence ($100,000, 3-year CAP, int. monitoring) • Loss of backup tapes/laptops (more than 350,000 affected) • Backup tapes/laptops left unattended/unsecured • Significant news story • OCR/CMS settlement • CVS/Rite Aid ($2.25 million/$1 million, ext. monitoring) • Improper disposal of prescriptions/pill bottle labels • Policy on proper disposal was not working • Several TV news stories • OCR/FTC settlement * Settlements represent allegations not formal findings

  13. Issues that Have Led to Settlements/CMPs* • Management Services Organization of Washington ($35,000, 2-year CAP, int. monitoring) • Improper disclosure to affiliate for marketing • Small provider • Part of a false claims action • Joint DOJ/OIG/OCR settlement • Cignet Health ($4.3 million CMP) • Failure to provide patients with records and failure to cooperate with OCR investigation * Settlements represent allegations not formal findings

  14. Issues that Have Led to Settlements/CMPs* • Health Net • Portable hard drive lost with 1.5M patient records • Six-month delay in notifying individuals (pre-HIPAA breach rule) • Significant news story • Connecticut & Vermont AGs settled • Massachusetts General ($1 million, 3-year CAP, int. monitoring) • Loss of 192 paper records • Included HIV information • Alleged overall issues with policies on transport of records offsite • Significant news coverage * Settlements represent allegations not formal findings

  15. Issues that Have Led to Settlements/CMPs* • UCLA ($865,500, 3-year CAP, ext. monitoring) • Impermissible viewing of PHI • Involved celebrity records • Significant news story • Also led to criminal convictions * Settlements represent allegations not formal findings

  16. Lessons Learned • Stay off the front page! • Breach reporting makes this impossible • High risks: • Large repositories of records • Sensitive records (including VIPs) • Potential for employees to create large repositories of records • Accidents happen, but are they inevitable? • Policies are not enough, they need to work • Internally audit effectiveness • Was a problem solely due to a lower-level employee, or was it because of a systematic problem?

  17. A New Era of Enforcement: Texas HB 300

  18. Texas HB 300 • SB 622 (Senator Jane Nelson) and HB 300 (Representative Lois Kolkhorst) • Senate Approved Conference Committee Report: 31 Yeas – 0 Nays • House Approved Conference Committee Report: 145 Yeas – 0 Nays – 1 Present Not Voting • Enrolled HB 300 Effective 09/01/2012

  19. Texas HB 300: Texas Laws Impacted • Texas Health & Safety Code • Chapter 181: Texas Medical Records Privacy • Chapter 182: Texas Health Services Authority • Texas Business & Commerce Code • Chapter 521: Identity Theft Enforcement & Protection Act (Breach Notification) • Chapter 522: Identity Theft by Electronic Device • Texas Insurance Code • Chapter 602: Privacy of Health Information • Texas Government Code • Chapter 531: Health & Human Services Commission

  20. Texas Medical Records Privacy • Covered Entity (CE) Defined: • Any person who assembles, collects, analyzes, uses, evaluates, stores, or transmits PHI for commercial, financial, or professional gain, monetary fees, or dues, or on a cooperative, nonprofit, or pro bono basis • Any person who comes into possession of PHI • Any person who obtains or stores protected health information • Any person who is an employee, agent, or contractor of any of the above insofar as the employee, agent, or contractor creates, receives, obtains, maintains, uses, or transmits protected health information • HB 300 Changes Effective September 1, 2012: • New prohibition on the sale of PHI • New notice and authorization requirements • New requirements on privacy training • New 15-business day response time for patient requests for electronic health records

  21. Texas Medical Records Privacy • Enforcement Tools: • Penalties for violations changed from not exceeding $3,000 for each violation to not exceeding: • $5,000 per year for violations committed negligently • $25,000 per year for each violation committed knowingly/intentionally • $250,000 for each violation committed knowingly/intentionally with intent for financial gain • Cap on a “pattern or practice” of violations increased from $250,000 to $1,500,000 • Limited exception for disclosures to other CEs • Future enforcement activity: • Additional disciplinary action regarding exclusion and licensure for egregious violations

  22. Texas Medical Records Privacy • New mitigating factors for penalties and disciplinary action imposed under the Medical Records Privacy Law or other law: • Nature of the Violation: • Seriousness • Whether it poses significant risk of financial, reputational, or other harm • CE’s Actions: • Certification status at the time of the violation • Compliance history • Efforts to correct the violation • Amount necessary to deter a future violation

  23. Identity Theft Enforcement & Protection Act (Breach Notification) • Who?: A person who conducts business in Texas and owns or licenses computerized data that includes sensitive personal information • What?: Any “breach of system security” where sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person • A "breach of system security" is the unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of sensitive personal information, including data that is encrypted if the person accessing the data has the key required to decrypt the data. • To Whom?: All impacted individuals (expanded under HB 300 from only Texas residents)

  24. Identity Theft Enforcement & Protection Act (Breach Notification) • How?: (A) Written notice, electronic notice (compliant with 15 U.S.C. § 7001); or (B) conspicuous posting on website, published in or broadcast on major statewide media (depending on the circumstances). HB 300: If the impacted individual is from a state with breach notification requirements, the notice requirements from that state will suffice • When?: As quickly as possible after discovering or receiving notification of the breach (unless a delay is requested by law enforcement or necessary to determine the scope of the breach and restore the reasonable integrity of the system)

  25. Identity Theft Enforcement & Protection Act (Breach Notification) • Penalties: • Existing penalty of $2,000 - $50,000 per violation remains • New civil penalty added of not more than $100 per individual per consecutive day for failure to take reasonable action to notify • New $250,000 cap for all individuals per breach

  26. Texas HB 300: Future Guidance • Texas Health Services Authority • Charged with developing privacy and security standards for adoption by the Health and Human Services Commission • Charged with developing certification process for CEs to obtain certification of “past compliance” with the new standards • Texas Health & Human Services Commission • Charged with exploring and evaluating “new developments” in safeguarding PHI and reporting annually with recommendations • Charged with reviewing issues for unsustainable CEs and making recommendations regarding the state’s receiving, securing, maintaining, and providing individuals with access to their PHI

  27. On the Horizon: Privacy and Security Audits

  28. Upcoming Federal Privacy and Security Audits • KPMG will perform approximately 150 audits • Will begin with pilot audits (~ 20 audits) • First proactive compliance effort under Privacy Rule • Largest proactive compliance effort under Security Rule • Ends December 31, 2012 • Mostly CEs of varying size/scope • General compliance (rather than specific issues)

  29. Upcoming Federal Privacy and Security Audits • Audits will include site visits and audit reports • Likely to include notice beforehand (including document request) • Site visits expected to be 3-5 persons for 2-5 days • Significant noncompliance may lead to compliance review and enforcement action • OCR will evaluate success of audit program and then decide future (post-2012)

  30. Texas HB 300 Audits and Enforcement • Audits by Texas HHS • May request US HHS to perform an audit of CE • Shall periodically monitor and review the results of audits conducted in TX by US HHS • If there is evidence of a pattern of egregious violations: • Require CE to submit results of a risk analysis • Request the licensing agency to conduct an audit of standards

  31. For more information: Adam H. Greene, JD, MPH – adamgreene@dwt.com – 202.973.4213 • Jessica L. Quinn, JD – jlquinn@mdanderson.org – 713.745.6636

  32. Questions
