Key Legal Issues in EMR, EMR Subsidy and HIPAA and Privacy Issues

McGuireWoods LLP (www.mcguirewoods.com), July 27, 2016

McGuireWoods | 2

CONFIDENTIAL

Introductions

Holly Carnell, McGuireWoods LLP, [email protected], 312-849-3687

Meggan Bushee, McGuireWoods LLP, [email protected], 704-343-2360

Key Legal Issues in EMR, EMR Subsidy and HIPAA and Privacy Issues: Part 1

Part 1 Agenda

• Review of HIPAA and the HITECH Act
  – What are HIPAA and the HITECH Act?
  – Who do these laws apply to?
• Business Associates
  – What are Business Associates?
  – Pitfalls of Business Associates
  – Diligence of Business Associates
  – Business Associate Agreements
• 2015/2016 HIPAA Enforcement Actions

[Cartoon by Dave Harbaugh: “No, it's not a female Hippopotamus, anyone else know?”]

Recap of HIPAA and the HITECH Act

What is HIPAA?

• HIPAA stands for the Health Insurance Portability & Accountability Act of 1996.
• Provides a framework for the establishment of standards to protect patient confidentiality, to ensure the security of electronic systems, and to facilitate the secure electronic transmission of health information.
• HIPAA creates a federal privacy floor (minimum requirement)
  – Must comply with the more restrictive of HIPAA or state law
• Covered Entities and Business Associates are required to comply with HIPAA.

Core Elements of HIPAA

HIPAA has four key parts:

• The Privacy Rule – establishes patients’ privacy rights and addresses the use and disclosure of protected health information (“PHI”) by covered entities and business associates.
• The Security Rule – requires the adoption of administrative, physical, and technical safeguards to protect electronic PHI (“ePHI”).
• The Breach Notification Rule – requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured PHI.
• The Enforcement Rule – sets out compliance investigations, hearings and civil monetary penalties for violations; the HIPAA statute separately provides federal criminal penalties, prosecuted by the Department of Justice, for knowingly obtaining or disclosing PHI in violation of HIPAA.

What is the HITECH Act?

• The HITECH Act (“Health Information Technology for Economic and Clinical Health Act of 2009”, part of the “American Recovery and Reinvestment Act of 2009”) expanded the scope of HIPAA.
• HITECH made changes to HIPAA in these areas:
  – Breach Notification Rules
  – Increased penalties
  – Mandated audits by the HHS Office for Civil Rights (OCR)
  – More rights for individual patients
  – Directly applied the Security Rule and certain aspects of the Privacy Rule to Business Associates

Who Must Comply?

• Covered Entities
  – Health Care Providers
    • Hospitals
    • Physician practices
    • Laboratories
    • Pharmacies
  – Health Plans
    • Health insurance issuers
    • HMOs
    • Group Health Plans
    • Medicare, Parts A and B
    • Medicare + Choice (now Medicare Advantage, Part C)
    • Medicaid
    • Includes employer-sponsored health plans
  – Health Care Clearinghouses
    • Billing companies
• Business Associates
  – Persons or organizations that perform certain functions or activities on behalf of, or provide certain services to, a Covered Entity that involve the use or disclosure of protected health information (PHI)
  – Includes downstream contractors

Who is a Business Associate?

• An individual or entity that provides services on behalf of the Covered Entity or another business associate that require the entity to create, receive, maintain, or transmit protected health information (PHI).
  – Includes downstream contractors
• Examples:
  – Billing companies
  – IT consultants
  – Law firms
  – PHI disposal companies
  – Transcriptionists
  – Hosting companies

Who is NOT a Business Associate?

• When the services performed are not for or on behalf of a Covered Entity
• The postal service or wireless carrier where PHI is transferred across the country or the network, as applicable
  – Deemed a “mere courier” (conduit) of PHI
• Payors, where a provider sends PHI for purposes of receiving reimbursement
• Persons receiving PHI inadvertently, e.g., a person or vendor that overhears PHI while on-site at a client’s health care facility
• A provider, where another provider sends PHI for treatment of an individual

Pitfalls with Business Associates

• When a Business Associate violates a material term of a BAA, the covered entity still must take reasonable steps to cure the breach
• If unsuccessful in curing the breach, the covered entity must terminate the BAA (where termination is feasible)
• Business associates may have less concern with the privacy and security of a covered entity’s PHI because they are further removed
• It is the covered entity’s reputation and patient relationships on the line

Importance of Protecting ePHI

• The principal goal of every health care provider and every health insurer, from a privacy and security perspective, is to avoid a data breach.
• In turn, this becomes the goal of every business associate, and every downstream contractor, that creates, receives, maintains or transmits PHI on behalf of a covered entity.
• Despite these objectives, CEs and BAs often know very little about the downstream entities to whom they are entrusting data.
  – What security safeguards have they implemented?
  – What is the company’s operating history?
  – Are they passing on data to subcontractors?
  – Are they housing data offshore?

Proper Diligence of Business Associates

• Often see Business Associates that have taken no steps towards HIPAA compliance
• Start by conducting diligence on the Business Associate’s compliance
• Seek references from other clients
• Ask questions of leadership
• Consider a third-party review of the Business Associate’s compliance with HIPAA
• Need to assess the vendor’s compliance in light of the work they will be doing and the extent of PHI involved

Conducting Effective Vendor Due Diligence

• Key Administrative Safeguards and Requirements (45 CFR 164.308; 45 CFR 164.530)
  – Does the vendor have a HIPAA Privacy Officer and a Security Official to implement and oversee HIPAA-related policies and procedures?
  – Does the vendor have policies and procedures that comply with the Privacy Rule and Security Rule?
  – The CE should ask for either a copy of the policies and procedures or a narrative description of their contents.

Conducting Effective Vendor Due Diligence

• Security Risk Assessments (45 CFR 164.308(a)(1)(ii))
  – Has the vendor conducted a risk assessment in accordance with the HIPAA Security Rule?
  – The CE or BA should request information regarding the vendor’s most recent risk assessment and ensure that the vendor has a policy requiring the periodic performance of risk assessments.

Conducting Effective Vendor Due Diligence

• Security Training (45 CFR 164.308(a)(5); 45 CFR 164.530(b)(1))
  – Does the vendor conduct HIPAA compliance training for its workforce, and in particular for workforce members who have access to ePHI?
    • The Security Rule requires CEs and BAs to implement security awareness and training programs for all members of their workforce (including management).
  – How often does the vendor conduct training and who is required to participate?

Conducting Effective Vendor Due Diligence

• Data Security Implementation Specifications (45 CFR 164.308 through 164.312)
  – What is the vendor’s password management policy?
  – What is the vendor’s data encryption policy?
  – What is the vendor’s policy regarding portable media?
  – Does the vendor have a data backup plan and a disaster recovery plan?

Conducting Effective Vendor Due Diligence

• Response and Reporting (45 CFR 164.308(a)(6))
  – Does the vendor have a protocol for investigating and responding to actual or potential breaches of ePHI?
    • The Security Rule requires the implementation of policies and procedures to “identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the [CE or BA]; and document security incidents and their outcomes.”
  – The CE or BA should review a copy of the vendor’s breach protocol or obtain a description of their breach identification and response processes.

Conducting Effective Vendor Due Diligence

• Subcontractors
  – Does the vendor use one or more subcontractors in connection with the services provided to the CE?
  – If so, the CE should determine whether these subcontractors will have access to ePHI and request information as to how the BA will evaluate the security and privacy practices of each subcontractor prior to retention.
  – In general, BAs and BA subcontractors that store or transmit ePHI outside of the CE’s own IT infrastructure present more risk than BAs or subcontractors that simply access data on the premises of the CE or within the CE’s information systems (cloud provider vs. software vendor).

Business Associate Agreements

• A covered entity and a business associate are required to enter into a written agreement referred to as a “Business Associate Agreement.”
• The Business Associate Agreement provides that the business associate will safeguard individuals’ PHI when it is in the business associate’s possession.
• The Business Associate Agreement must provide for termination by the non-breaching party in the event of a violation that is not cured.
• This is different from an NDA or other confidentiality agreement.
• Any use or disclosure of an individual’s PHI by the business associate must be within the scope of the Business Associate Agreement and the HIPAA Privacy Rule.
• Includes regulatory requirements and negotiated provisions

Negotiating with Business Associates

• Covered Entities can protect themselves against a breach by a Business Associate with certain strategies
  – Pre-contract diligence
  – Audit rights; annual review of vendors
  – Require consent for downstream subcontractors
  – Indemnification
  – Insurance
  – Covenant to encrypt PHI
  – Return or destruction of PHI; certifications
  – Restrictions on offshore use/access/disclosure of PHI

Raleigh Orthopaedic Clinic, P.A. (April 2016)

• Raleigh Orthopaedic Clinic, P.A. – April 20, 2016
  – Agreed to settle potential violations for $750,000
  – The practice had released x-ray films and related PHI of 17,300 patients to a vendor for them to transfer the images to electronic media.
  – Failed to execute a business associate agreement with the vendor!
  – “HIPAA’s obligation on covered entities to obtain business associate agreements is more than a mere check-the-box paperwork exercise. It is critical for entities to know to whom they are handing PHI and to obtain assurances that the information will be protected,” said OCR Director Jocelyn Samuels.

North Memorial Healthcare (March 2016)

• North Memorial Healthcare of Minnesota – March 2016
  – Agreed to settle potential violations of HIPAA for $1.55 million
  – Theft of an unencrypted laptop from a business associate’s locked vehicle
  – No business associate agreement with a vendor that had access to North Memorial’s patient database!

Triple-S Management Corp. (November 2015)

• Triple-S Management Corp. – November 30, 2015
  – Triple-S (formerly American Health Medicare, Inc.) agreed to settle potential violations of HIPAA for $3,500,000.
  – Multiple breach notifications made by Triple-S to OCR resulted in an investigation.
  – Failure to conduct an accurate and thorough risk analysis.
  – Failure to have appropriate BAAs in place with vendors.
  – Failure to implement appropriate security safeguards.
  – “OCR remains committed to strong enforcement of the HIPAA Rules,” said OCR Director Jocelyn Samuels. “This case sends an important message for HIPAA Covered Entities not only about compliance with the requirements of the Security Rule, including risk analysis, but compliance with the requirements of the Privacy Rule, including those addressing business associate agreements and the minimum necessary use of protected health information.”

Senior Health Partners Business Associate Breach (January 2015)

• Senior Health Partners’ business associate Premier Home Health caused the breach
• A Registered Nurse working for Premier Home Health had her laptop and smartphone stolen
• The laptop was encrypted, but the encryption key was stolen with the laptop, and the phone was not password protected or encrypted
  – Contained “potentially accessible” e-mail containing ePHI
  – Encryption at rest protects a lost device only if the key is kept apart from it; a key that travels with the device gives the thief the plaintext
• Result:
  – 2,700 members of Senior Health Partners affected
  – Senior Health Partners forced to contact all health plan members who were affected

Questions or Comments?

Key Legal Issues in EMR, HIPAA and Privacy Issues: Part 2

Part 2 Agenda

• EMR/IT System Enforcement Actions
  – EMR Data Security Risks
• Other Data Security Hot Topics
  – Text Messaging
  – Social Media

EMR Data Security Risks

• Open workstations/EMR terminals
  – Workstations left unattended while the station does not log the user out
  – Users not informed, or forget, to log out immediately after use
• Improper deletion of information on previously used equipment
• Data governance issues
• Personal devices (laptops, tablets, and smartphones)
  – Devices containing PHI are stolen
  – Failure to destroy or delete all information before disposal/re-use of the device
  – One of the most common ways an ePHI breach occurs
• Lack of encryption
  – Use encryption so that even if ePHI is lost on something like a device, it is undecipherable and unusable
• Malicious software
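The open-workstation items above are what the Security Rule’s “automatic logoff” safeguard (45 CFR 164.312(a)(2)(iii), an addressable implementation specification) is meant to address. The following is an added illustration, not code from this presentation or from any EMR product: a server-side session store that invalidates a session after an idle period and after an absolute lifetime, and sweeps idle sessions in the background, so an unattended terminal cannot keep reading ePHI even if nobody clicks “log out”. The timeout values, the user and workstation names, and the audit-record layout are assumptions made for the example.

```python
"""Server-side automatic logoff for an EMR session store.

Added example (not from the McGuireWoods deck or any EMR vendor).
Demonstrates the Security Rule's "automatic logoff" safeguard
(45 CFR 164.312(a)(2)(iii)): a session is invalidated on the server
once it has been idle longer than IDLE_TIMEOUT_S, or has lived longer
than ABSOLUTE_TIMEOUT_S, so an unattended terminal cannot be used to
read ePHI even if the user never clicks "log out".  The timeout values,
user/workstation names and audit record layout are assumptions.
"""
from dataclasses import dataclass
import secrets

IDLE_TIMEOUT_S = 15 * 60        # assumed policy: 15 minutes without activity
ABSOLUTE_TIMEOUT_S = 12 * 3600  # assumed policy: re-authenticate every shift


@dataclass
class Session:
    user: str
    workstation: str
    created_at: float   # seconds since epoch; injected so the logic is deterministic
    last_seen: float


class SessionStore:
    def __init__(self, idle_timeout=IDLE_TIMEOUT_S, absolute_timeout=ABSOLUTE_TIMEOUT_S):
        self._sessions = {}
        self.idle_timeout = idle_timeout
        self.absolute_timeout = absolute_timeout
        self.audit = []  # (time, user, workstation, event) records for the audit log

    def login(self, user, workstation, now):
        token = secrets.token_urlsafe(32)  # unguessable session identifier
        self._sessions[token] = Session(user, workstation, now, now)
        self.audit.append((now, user, workstation, "login"))
        return token

    def _logoff(self, token, now, reason):
        s = self._sessions.pop(token)
        self.audit.append((now, s.user, s.workstation, f"logoff:{reason}"))

    def logout(self, token, now):
        """Explicit user logout (the case the slide says users forget)."""
        if token in self._sessions:
            self._logoff(token, now, "user")

    def touch(self, token, now):
        """Validate one request.  Returns the Session, or None if the caller
        is no longer logged in (unknown token, idle too long, or expired)."""
        s = self._sessions.get(token)
        if s is None:
            return None
        if now - s.last_seen > self.idle_timeout:
            self._logoff(token, now, "idle")
            return None
        if now - s.created_at > self.absolute_timeout:
            self._logoff(token, now, "absolute")
            return None
        s.last_seen = now
        return s

    def sweep(self, now):
        """Background reaper: close idle/expired sessions even when no request
        arrives, so a walked-away-from terminal is logged off on schedule."""
        stale = [t for t, s in self._sessions.items()
                 if now - s.last_seen > self.idle_timeout
                 or now - s.created_at > self.absolute_timeout]
        for t in stale:
            self._logoff(t, now, "sweep")
        return len(stale)

    def active_count(self):
        return len(self._sessions)


def demo():
    """Walk through the unattended-workstation scenario from the slide.
    Returns (valid at 10 min, valid after a 20-min gap, last audit event)."""
    store = SessionStore()
    t0 = 1_700_000_000.0                                        # constructed timestamp
    tok = store.login("nurse.example", "ward3-ws01", t0)
    still_valid = store.touch(tok, t0 + 600) is not None        # 10 minutes later
    after_gap = store.touch(tok, t0 + 600 + 1200) is not None   # 20 idle minutes
    return still_valid, after_gap, store.audit[-1][3]


if __name__ == "__main__":
    print(demo())  # (True, False, 'logoff:idle')
```

The idle check is enforced on the server rather than by a screensaver on the terminal, because a client-side lock can be bypassed or disabled; the absolute cap limits how long a stolen or copied session token stays usable, and the sweep closes sessions whose terminal simply went quiet. HIPAA does not prescribe the timeout values; they come out of the organization’s own risk analysis.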


Security Rule Compliance

• University of Washington Medicine – December 14, 2015
  – UWM agreed to settle potential violations of HIPAA for $750,000.
  – Potential violations of the Security Rule were discovered after a UWM breach report that ePHI of 90,000 patients was accessed after an employee downloaded an email attachment containing malware that compromised the UWM IT system.
  – “All too often we see covered entities with a limited risk analysis that focuses on a specific system such as the electronic medical record or that fails to provide appropriate oversight and accountability for all parts of the enterprise,” said OCR Director Jocelyn Samuels. “An effective risk analysis is one that is comprehensive in scope and is conducted across the organization to sufficiently address the risks and vulnerabilities to patient data.”

Encryption

• Cancer Care Group PC – September 2, 2015
  – Cancer Care Group agreed to settle potential violations of HIPAA for $750,000.
  – An employee’s laptop and unencrypted backup media were stolen from the employee’s car; the backup media contained PHI for 55,000 patients.
  – Failure to conduct an enterprise-wide risk analysis before the breach.
  – No policies dealing with the removal of hardware and electronic media.
  – “Proper encryption of mobile devices and electronic media reduces the likelihood of a breach of protected health information,” said OCR Director Jocelyn Samuels.

UCLA Health Breach (July 17, 2015)

• Four-hospital UCLA Health was attacked by cyber criminals, potentially starting as early as September 2014
• Suspicious activity on the network was discovered in October 2014, but not until May 5, 2015 did UCLA realize the attackers had access to its system
• UCLA cannot yet tell whether information was actually exfiltrated from the system
• Result:
  – The medical records of an estimated 4.5 million people were potentially exposed
  – Hackers had access to the part of the system where records could be accessed

St. Elizabeth’s Medical Center Enforcement Action (settled July 2015)

• SEMC is a tertiary care hospital offering inpatient and outpatient services
• OCR received a complaint alleging workforce members used an internet-based document sharing application to store documents containing ePHI of 498 individuals
  – SEMC did not analyze the risks associated with such a practice
• SEMC failed to timely identify and respond to the incident, mitigate its harmful effects, and document it and its outcome
• Resolution:
  – Settlement of $218,400 with HHS
  – SEMC must also institute a corrective action plan to cure gaps in the organization’s HIPAA compliance program

Other Data Security Hot Topics

Three Principles

1. All it takes is a phone and the press of a button to cause a HIPAA breach
2. News travels in an instant
3. Retrieval of PHI is almost always impossible

Texting Issues

• Unable to verify the identity of the sender or receiver
• Unable to keep the original message to verify an order
• No assurance of delivery – dependent on phone service
• Important to complete a risk assessment to determine whether texting fits into the overall security profile
• Telling doctors not to text will probably not resolve the issue – need to evaluate alternatives

Texting Issues

• Joint Commission: “not acceptable for physicians or licensed independent practitioners to text orders for patients to the hospital or other healthcare provider setting.”
• Need to consider how this fits into the electronic medical record
• Patient may be entitled to an accounting of disclosures

Patients are making Healthcare decisions based upon Social Media Information

In a survey of more than a thousand consumers, more than two-fifths of individuals said social media affected their choice of a provider or organization. Forty-five percent said it impacted their decision to seek a second opinion; 34 percent said it influenced their decisions regarding medication selection and 32 percent said it would impact their choice of a health insurance plan.

Source: PwC HRI Social Media Consumer Survey, 2012

Benefits of Social Networking in Healthcare

• Single biggest risk is failure to participate
• Era of accountable care will require new strategies to engage patient populations and to manage population health
• Tools for collaboration and support with key internal and external customers
• Opportunities to build and support your brand

Risks of Social Media

• Safety and security of patient information
• Discoverability and liability
• Patient consent issues
• Employment issues including administrative bullying
• Physician credentialing and licensing issues
• Boundary violations
• Ethical issues regarding the use of social media

Current Privacy Issues Caused by New Technology

• Comments about patient care or clinical situations on FACEBOOK
• BLOGS about patient safety in hospitals
• TWEETS about a cutting-edge procedure in the OR
• VIDEO of the consent process, postoperative instructions or a procedure on YOUTUBE
• EMAILS between providers regarding patient care or an incident
• VIDEO of a patient taken by a family member on YOUTUBE
• PHOTOS that intentionally or inadvertently disclose patient information

Dr. Tran

• Physician posted information about a patient on Facebook – no name, but enough information to identify the patient
• OUTCOME:
  – Fired by the hospital
  – Reprimanded by the licensure board for “unprofessional conduct”

Do I “Need” a Social Media Policy?

• Purposes of a social media policy:
  – Educate on proper uses of social media
  – Establish guidelines to protect patient rights
  – Reduce liability for the provider organization and its employees
  – Reduce risk of “willful neglect”
• However, a social media policy will not absolve all liability in the event of a significant breach
• Who should be involved in creating and maintaining the policy?

Elements of a Social Media Policy

• Definition of “social media”
• Guidelines for use of social media
• Penalties for HIPAA violations
• Address “rogue employee” conduct
• Provide for appropriate training at regular intervals
• Review of existing HIPAA-compliant communications policies & procedures
• Consistency and strict enforcement
• NLRB guidance
• Review and revision of the policy periodically

Strategies to Reduce Liability

• Block access to social networking sites
• Develop policies and procedures
• Educate staff on the policy and its implications
• Routinely monitor the online presence of staff
• Define and disseminate information regarding disciplinary action for inappropriate use
  – On the hospital network; or
  – From a PDA
• Enforcement of policies
