
Privacy and Security of PHI


Presentation Transcript


  1. Privacy and Security of PHI In The Era of Meaningful Use Alison Nicklas, MJ, RHIA, CCS Director HIM, Privacy Officer St. Francis Hospital and Medical Center

  2. Objectives • Understand our role in protecting the privacy of our patients’ information and ensuring the security of the systems • Identify the key standard to mitigate a breach • Understand the role of Meaningful Use in increased breach reports • Understand the legal and financial repercussions of a breach to both the patient and the covered entity

  3. Agenda • HIPAA Privacy – 2003 • HIPAA Security – 2005 • HITECH Privacy and Security – 2009 • Meaningful Use • Sample Cases - 2013 • Reported Breaches – Legal Outcomes

  4. HIPAA Privacy - 2003 • 1996 – Health Insurance Portability and Accountability Act (HIPAA) • HIPAA Privacy and Security outlined • Provided guidance to the Institute of Medicine’s goal for a paperless record by 2001 • 2003 – HIPAA Privacy in effect • Covers the information • Any format – paper, film/fiche, electronic, oral • Compliance date: 4/14/2003

  5. HIPAA Privacy - 2003 • Key Documents • The Code of Federal Regulations (C.F.R.) • 45 C.F.R. Parts 1 to 199 – revised October 1, 2007 • Key Definitions • Covered Entity: “health plan, health care clearinghouse, or a health care provider who transmits any health information in electronic form”

  6. HIPAA Privacy - 2003 • Key Definitions (Continued) • Health Care Clearinghouse: “entity that processes or facilitates the processing of health information received from another entity” or that “processes or facilitates the processing of health information for a receiving entity” • Business Associate: “performs a function or activity involving the use or disclosure of individually identifiable health information” for a covered entity.

  7. HIPAA Privacy - 2003 • 45 C.F.R. § 164.502 • Permitted uses and disclosures • With and without authorization • Minimum necessary “to accomplish the intended purpose of the use, disclosure, or request” • No need for patient authorization to release for “treatment, payment, or healthcare operations”

  8. HIPAA Privacy - 2003 • Accounting of Disclosures • Six years prior (if paper record) • Three years prior (if electronic record) • Exceptions: • Incidental to a permitted disclosure • Based on valid authorization • National security reasons • Correctional facilities or law enforcement • Limited data set requirements and • For Now…“treatment, payment, or healthcare operations”

  9. HIPAA Privacy - 2003 • Included in an Accounting: • The date of the disclosure • The name of the entity or person who received the PHI • The addresses of such entity or person (if known) • Brief description of the PHI • Brief statement of the purpose of the disclosure

  10. HIPAA Security 2005 • 1996 – Health Insurance Portability and Accountability Act (HIPAA) • HIPAA Privacy and Security outlined • Provided guidance to the Institute of Medicine’s goal for a paperless record by 2001 • 2005 – HIPAA Security in effect • Electronic information “created, received, retained, or transmitted by the covered entity” • Effective April 20, 2005

  11. HIPAA Security 2005 • Specific Security Safeguards • “Required” – the covered entity MUST implement as written • “Addressable” – the covered entity has the OPTION to implement as written or to assess whether doing so is reasonable • If not deemed “reasonable” – MUST • Implement an alternate “equivalent” specification AND • Document why the stated specification was deemed not to be reasonable

  12. HIPAA Security 2005 • Four REQUIRED implementation specifications • Security Risk Assessment: • Identify any risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI • Implement policies and procedures to mitigate identified risks and vulnerabilities • Focus on those with a “reasonable anticipation of threat”

  13. HIPAA Security 2005 • Assess current security measures • Technical: Access controls – firewalls, audit controls, and encryption • Non-Technical: Policies and procedures, standards and guidelines • Evaluate the potential impact of each threat • Risk for that threat (human/environmental threats) • Identify security measures to mitigate risk

  14. HITECH - 2009 • ARRA: American Recovery and Reinvestment Act – includes: • HITECH: Health Information Technology for Economic and Clinical Health (HITECH)

  15. HITECH - 2009 • HITECH Act includes: • Improved guidance for the Security Rule • Increased penalties for a breach • Technical Safeguards include: • Encryption (Note – this is only an addressable standard – not required) • Defined: making ePHI “unusable, unreadable, or indecipherable” • Destruction (applies to unsecured data such as paper, film, fiche…

  16. HITECH - 2009 • Encryption: Addressable • Firewall may be an alternative - “reasonable and appropriate safeguard” • RISK: Breach of the firewall considered a reportable incident to the Office of Civil Rights as the information was not made “unusable, unreadable, or indecipherable”

  17. HITECH - 2009 • New Penalties • Prior to HITECH – no monetary penalty if the covered entity “did not know or could not have reasonably known of the breach” • HITECH: • Minimum $100 - $50,000 • Did Not Know $100 - $50,000 • Reasonable Cause $1,000 - $50,000 • Willful Neglect – Corrected $10,000 - $50,000 • Willful Neglect – Not Corrected $50,000 • Maximum $1,500,000

  18. Meaningful Use • HITECH – Meaningful Use • “Voluntary” • Failure results in penalties • 1% Medicare payment reduction in 2015 • 2% Medicare payment reduction in 2016 • 3% Medicare payment reduction in 2017 and later

  19. Meaningful Use • Defined: Using certified electronic health record (EHR) technology to: • Improve quality, safety, efficiency, and reduce health disparities • Engage patients and family • Improve care coordination, and population and public health • Maintain privacy and security of patient health information

  20. Meaningful Use • Objectives: meaningful use compliance will result in: • Better clinical outcomes • Improved population health outcomes • Increased transparency and efficiency • Empowered individuals • More robust research data on health systems

  21. Meaningful Use • Eligible Hospitals and Critical Access Hospitals • Can apply for Medicare AND Medicaid financial incentives • Eligible Professionals • Can apply for Medicare OR Medicaid financial incentives

  22. Meaningful Use • Eligible Hospital – Medicare Incentive • Start value: $2,000,000 • Add • $200 per discharged patient (no payment for the first 1,150) to a maximum of 23,000 patients • Multiplied by both: • Medicare Share – Based on number of inpatient Part A bed days + number of inpatient Part C days x (total charges – charges related to charity care) • Transition Factor – Based on the year the hospital first attests to Meaningful Use

  23. Meaningful Use • Certified technology must be used • Meet Core and Menu Set Objectives • INCLUDES PRIVACY AND SECURITY OF DATA • Electronic Data Security • Encryption – only an “addressable” standard • Firewalls – “reasonable and appropriate” but FAILS to meet “breach” standards

  24. Outcome of “Voluntary” EHR • HHS Secretary – Kathleen Sebelius • May 22, 2013: • “Doctors and hospitals’ use of health IT more than doubled since 2012” • Data from the Office of Civil Rights has demonstrated that more than 29,000,000 patient records have been breached since 2009 (only includes breaches of 500 or more!)

  25. Sample Cases - 2013 • Advocate Medical Group • Largest Chicago physician group – more than 1,000 doctors, 200 locations • Administrative building broken into • 4 unencrypted personal computers stolen July 15, 2013 • Over 4 million patient records stored – 2nd largest ever reported to HHS

  26. Sample Cases - 2013 • Only password protected – a “first line of defense” – it is NOT encryption • Data: • SSN, DOB, patient names, addresses • NOT the FIRST breach reported by Advocate • 2009 – employee reported theft of a personal laptop with 812 patient records - unencrypted

  27. Sample Cases - 2013 • AHMC Healthcare • Administrative Office Break-in • Two password protected laptops stolen October 12, 2013 • SSN, name, MCR/Ins. ID number, dx/proc codes, Ins./Patient payments • 729,000 Patient Records • Will now expedite the encryption policy for laptops

  28. Sample Cases - 2013 • Horizon Blue Cross and Blue Shield of NJ • Headquarters Break-in • Two password protected and cable-locked laptops stolen November 4, 2013 • Data: SSN, Names, Addresses, DOB, Clinical Information • 840,000 Patient Records • Plan: Review staff education, policies and encryption • Not the first breach – 2008 lost laptop with 300,000 individuals notified

  29. Sample Cases - 2013 • 5.5 million patient records included in just 3 breach reports for 2013 • All included SSNs and patient names • All involved unencrypted devices – even though two of the organizations had already had similar breach reports in the past • Since 2009 – 29,000,000 patient records have been compromised through breaches

  30. Breach Outcomes • Lawsuits • HIPAA “Breach” not a cause of action for individuals • March 8, 2013 – Polanco v. Omnicell • Laptop stolen from employee vehicle • Not encrypted • Vendor managed medications for several healthcare organizations • Mother of patient sued – “Omnicell violated her privacy” – information included her insurance

  31. Breach Outcomes • Polanco v. Omnicell • Omnicell had policies requiring encryption – but the employee’s laptop only had password protection • Case dismissed: Polanco “failed to demonstrate an injury” • Loss of confidence of patients • Cost of defending lawsuit • Failure to REQUIRE encryption as a security measure

  32. Breach Outcomes • Historically • Individuals cannot file suit under HIPAA Privacy and Security – no “private right of action” • HHS – can directly enforce and impose penalties (maximum of $1.5 million) • Penalties – paid to HHS – NOT TO PATIENT(s)

  33. Breach Outcomes • Recent Case – May Set Precedent • Curry v. AvMed • AvMed (Health Plan): Two unencrypted laptops stolen December 2009 from a locked conference room • 1.2 million patient records compromised • Juana Curry and William Moore – victims of identity theft

  34. Breach Outcomes • Curry v. AvMed • Lawsuit: • AvMed failed to “adequately secure and encrypt the laptops” and it was “negligent and failed to discharge its obligation to protect sensitive personal information of its customers” • Dismissed in July 2011 – “with prejudice” • Appealed in August 2011

  35. Breach Outcomes • Curry v. AvMed • Affirmed Dismissals of: • “Negligence per se” and • “Breach of implied covenant of good faith and fair dealing”

  36. Breach Outcomes • Reversed Dismissals of remaining 5 counts: • Negligence, Breach of Contract, Breach of Implied Contract, Breach of Fiduciary Duty, and Restitution/Unjust Enrichment • Negligence: Failure to encrypt • Unjust enrichment: AvMed received remuneration for the purpose of securing PHI • Meet and Confer: Reviewed allegations and engaged in preliminary settlement discussions – resolved through private mediation

  37. Breach Outcomes • AvMed: • Denies any wrongdoing or liability • Each and all claims • Concluded further defense would be “risky, burdensome, and expensive” • Agreed to terms and conditions of settlement

  38. Breach Outcomes • Plaintiffs • Believe claims asserted have merit • Recognize and acknowledge risk of delays and that they might not prevail • Concluded that the terms and conditions are fair and reasonable

  39. Breach Outcomes • Settlement • Identity Theft Settlement • Submitted timely: actual, documented, unreimbursed losses accompanied by proof • Premium Overpayment Claim • Submitted timely: number of years for which the Defendant was paid insurance premiums • Maximum of $30 per person • $3,000,000 minimum payment to be covered by AvMed (Additional for Identity Theft Coverage)

  40. Breach Outcomes • Advocate – July 2013 Breach • 3 Class Action Lawsuits filed • Compromise of over 4,000,000 patient records • Compare with AvMed: 1,200,000 patient records – $3,000,000 minimum cost

  41. Identity Theft v. Medical Identity Theft • January 2014 Survey • Medical-related identity theft accounted for 43% of all identity thefts reported in 2013 • Far greater than Banking and Finance, Government and Military, or Education • U.S. Dept. of Health and Human Services • Medical Records of between 27.8 and 67.7 million people have been breached since 2009

  42. Identity Theft v. Medical Identity Theft • Medical Identity Theft • “The fraudulent acquisition of someone’s personal information – name, SSN, Health Insurance Number – for the purpose of illegally obtaining medical services or devices, insurance reimbursements or prescription drugs.”

  43. Identity Theft v. Medical Identity Theft • Medical Identity Theft • Victims • Little to no recourse for recovery • Financial repercussions • Erroneous information added to personal medical files

  44. Identity Theft v. Medical Identity Theft • Edward Snowden, the former National Security Agency contractor who has disclosed the agency’s activities to the media, says the NSA has cracked the encryption used to protect the medical records of millions of Americans.

  45. Use of Medical Information • Psychiatrist in MA: False diagnoses – submitted medical insurance claims for psychiatric sessions that never occurred • Identity Thief in MO: False Driver’s License used to obtain Medical Records and a prescription belonging to another woman • Dental Office in OH: Obtained prescription drugs

  46. Use of Medical Information • Methods Used to Obtain Information • Stealing laptops / electronic device – more than 50% of medical-related breaches • Hacking into computer networks (St. Joseph’s Hospital in Texas – 429,000 patient records) – 14% of breaches • Gaining unauthorized Access – 20% of breaches • Lucrative - $10 to $20 for each bit of information

  47. Medical Identity Theft • Discovery – does not correct the “mischief” done • Corrected information may be placed in the file BUT it is difficult to get information removed – fear of medical liability • Information from the “thief” gets mixed with the information of the real patient – very difficult to segregate, especially in the electronic environment

  48. Medical Identity Theft • Can result in patient death • Inaccurate medication allergies • Inaccurate medication lists – interactions/failure of medications being prescribed • Delays in treatment • Appendicitis following Appendectomy?

  49. Electronic Health Records • Compromised by Medical Identity Theft • Difficult to make corrections • Difficult to address insurance fraud • Deductibles • Maximum coverage exceeded

  50. Prevention • ENCRYPT • Laptops • Personal Computers • Portable Electronic Devices • iPhones / Smart Phones • iPads / Notepads • Use software tracking that allows remote erasing of portable device if stolen
