Date posted: 02-Jan-2016
Privacy and Security of PHI
In The Era of Meaningful Use
Alison Nicklas, MJ, RHIA, CCS – Director of HIM, Privacy Officer
St. Francis Hospital and Medical Center
Objectives
• Understand our role in protecting the privacy of our patients' information and ensuring the security of the systems that hold it
• Identify the key standard for mitigating a breach
• Understand the role of Meaningful Use in the increase in breach reports
• Understand the legal and financial repercussions of a breach for both the patient and the covered entity
Agenda
• HIPAA Privacy – 2003
• HIPAA Security – 2005
• HITECH Privacy and Security – 2009
• Meaningful Use
• Sample Cases – 2013
• Reported Breaches – Legal Outcomes
HIPAA Privacy – 2003
• 1996 – Health Insurance Portability and Accountability Act (HIPAA)
– HIPAA Privacy and Security outlined
– Provided guidance toward the Institute of Medicine's goal of a paperless record by 2001
• 2003 – HIPAA Privacy Rule in effect
– Covers the information itself, in any format: paper, film/fiche, electronic, oral
– Compliance date: April 14, 2003
HIPAA Privacy – 2003
• Key Documents
– The Code of Federal Regulations (C.F.R.)
• 45 C.F.R. Parts 1 to 199 – revised October 1, 2007 (the HIPAA Privacy and Security Rules themselves are codified in Parts 160 and 164)
• Key Definitions
– Covered Entity: a "health plan, health care clearinghouse, or a health care provider who transmits any health information in electronic form"
HIPAA Privacy – 2003
• Key Definitions (continued)
– Health Care Clearinghouse: an "entity that processes or facilitates the processing of health information received from another entity" or that "processes or facilitates the processing of health information for a receiving entity"
– Business Associate: a person or organization that "performs a function or activity involving the use or disclosure of individually identifiable health information" on behalf of a covered entity
HIPAA Privacy – 2003
• 45 C.F.R. § 164.502 – Permitted uses and disclosures
– With and without authorization
– Minimum necessary: limit PHI to the amount needed "to accomplish the intended purpose of the use, disclosure, or request"
• No patient authorization is needed to release PHI for "treatment, payment, or health care operations" (TPO)
HIPAA Privacy – 2003
• Accounting of Disclosures
– Six years prior to the request (Privacy Rule)
– Three years prior to the request for disclosures made through an electronic health record (HITECH)
– Exceptions:
• Incidental to a permitted disclosure
• Based on a valid authorization
• National security reasons
• Correctional facilities or law enforcement
• Limited data set disclosures, and
• For now… "treatment, payment, or health care operations" (HITECH removes this exception for disclosures made through an EHR)
HIPAA Privacy – 2003
• Included in an Accounting:
– The date of the disclosure
– The name of the entity or person who received the PHI
– The address of that entity or person (if known)
– A brief description of the PHI disclosed
– A brief statement of the purpose of the disclosure
HIPAA Security – 2005
• 1996 – Health Insurance Portability and Accountability Act (HIPAA)
– HIPAA Privacy and Security outlined
– Provided guidance toward the Institute of Medicine's goal of a paperless record by 2001
• 2005 – HIPAA Security Rule in effect
– Covers electronic PHI "created, received, retained, or transmitted by the covered entity"
– Compliance date: April 20, 2005
HIPAA Security – 2005
• Specific Security Safeguards
– "Required" – the covered entity MUST implement the specification as written
– "Addressable" – the covered entity has the OPTION to implement the specification as written or to assess whether it is reasonable and appropriate in its environment
• If the specification is not deemed "reasonable and appropriate" – the covered entity MUST
– Implement an alternative "equivalent" measure that is reasonable and appropriate, AND
– Document why the stated specification was deemed not to be reasonable and appropriate
HIPAA Security – 2005
• Four REQUIRED implementation specifications under the Security Management Process standard (risk analysis, risk management, sanction policy, and information system activity review)
– Security Risk Assessment:
• Identify any risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI
• Implement policies and procedures to mitigate the identified risks and vulnerabilities
• Focus on those with a "reasonable anticipation of threat"
HIPAA Security – 2005
– Assess current security measures
• Technical: access controls, firewalls, audit controls, and encryption
• Non-technical: policies and procedures, standards and guidelines
– Evaluate the potential impact of each threat
• The likelihood of that threat occurring (human or environmental threats)
– Identify security measures to mitigate the risk
HITECH – 2009
• ARRA: American Recovery and Reinvestment Act of 2009 – includes:
• HITECH: Health Information Technology for Economic and Clinical Health Act
HITECH – 2009
• HITECH Act includes:
– Improved guidance for the Security Rule
– Increased penalties for a breach
• Methods that make PHI "unusable, unreadable, or indecipherable" to unauthorized persons (and so keep a loss from being a reportable breach):
– Encryption of ePHI (note – encryption remains only an addressable standard under the Security Rule, not a required one)
– Destruction of the media (applies to unsecured data in other forms such as paper, film, fiche…)
HITECH – 2009
• Encryption: Addressable
– A firewall may be adopted as the alternative "reasonable and appropriate safeguard"
• RISK: a breach that gets past the firewall is a reportable incident to the Office for Civil Rights (OCR), because the information was not made "unusable, unreadable, or indecipherable" – only encryption or destruction qualifies for that safe harbor
HITECH – 2009
• New Penalties
– Prior to HITECH – no monetary penalty if the covered entity "did not know or could not have reasonably known" of the violation
– HITECH tiers (per violation):
• Did Not Know: $100 – $50,000
• Reasonable Cause: $1,000 – $50,000
• Willful Neglect – Corrected: $10,000 – $50,000
• Willful Neglect – Not Corrected: $50,000
• Maximum: $1,500,000 per calendar year for violations of an identical provision
Meaningful Use
• HITECH – Meaningful Use
– "Voluntary"
– Failure to attest results in penalties:
• 1% Medicare payment reduction in 2015
• 2% Medicare payment reduction in 2016
• 3% Medicare payment reduction in 2017 and later
Meaningful Use
• Defined: using certified electronic health record (EHR) technology to:
– Improve quality, safety, and efficiency, and reduce health disparities
– Engage patients and families
– Improve care coordination, and population and public health
– Maintain privacy and security of patient health information
Meaningful Use
• Objectives: meaningful use compliance will result in:
– Better clinical outcomes
– Improved population health outcomes
– Increased transparency and efficiency
– Empowered individuals
– More robust research data on health systems
Meaningful Use
• Eligible Hospitals and Critical Access Hospitals
– Can apply for Medicare AND Medicaid financial incentives
• Eligible Professionals
– Can apply for Medicare OR Medicaid financial incentives
Meaningful Use
• Eligible Hospital – Medicare Incentive
– Start value: $2,000,000
– Add $200 per discharge, counting only the 1,150th through the 23,000th discharge
– Multiply the total by both:
• Medicare Share – the ratio of Medicare inpatient bed-days (Part A plus Part C) to total inpatient bed-days, adjusted by the proportion of total charges that are not charity care
• Transition Factor – based on the year the hospital first attests to Meaningful Use
Meaningful Use
• Certified technology must be used
• Meet Core and Menu Set Objectives – INCLUDES PRIVACY AND SECURITY OF DATA
• Electronic Data Security
– Encryption – only an "addressable" standard
– Firewalls – "reasonable and appropriate" but FAIL to meet the "breach" safe-harbor standard
Outcome of "Voluntary" EHR
• HHS Secretary Kathleen Sebelius – May 22, 2013:
– "Doctors and hospitals' use of health IT more than doubled since 2012"
• Data from the Office for Civil Rights show that more than 29,000,000 patient records have been breached since 2009 (and that count only includes breaches affecting 500 or more individuals!)
Sample Cases – 2013
• Advocate Medical Group
– Largest Chicago physician group – more than 1,000 doctors, 200 locations
– Administrative building broken into
– 4 unencrypted personal computers stolen July 15, 2013
– Over 4 million patient records stored – 2nd largest breach ever reported to HHS
Sample Cases – 2013
– Only password protected – a "first line of defense" – it is NOT encryption
– Data: SSN, DOB, patient names, addresses
– NOT the FIRST breach reported by Advocate
• 2009 – employee reported theft of a personal laptop with 812 patient records – unencrypted
Sample Cases – 2013
• AHMC Healthcare
– Administrative office break-in
– Two password-protected laptops stolen October 12, 2013
• SSN, name, Medicare/insurance ID number, diagnosis/procedure codes, insurance/patient payments
– 729,000 patient records
– Will now expedite the encryption policy for laptops
Sample Cases – 2013
• Horizon Blue Cross Blue Shield of New Jersey
– Headquarters break-in
– Two password-protected and cable-locked laptops stolen November 4, 2013
• Data: SSN, names, addresses, DOB, clinical information
– 840,000 patient records
– Plan: review staff education, policies, and encryption
– Not the first breach – 2008 lost laptop, 300,000 individuals notified
Sample Cases – 2013
• 5.5 million patient records included in just 3 breach reports for 2013
• All included SSNs and patient names
• All involved unencrypted devices – even though two of the organizations had already had similar breach reports in the past
• Since 2009 – 29,000,000 patient records have been compromised through breaches
Breach Outcomes
• Lawsuits
– A HIPAA "breach" is not a cause of action for individuals
– March 8, 2013 – Polanco v. Omnicell
• Laptop stolen from an employee's vehicle
• Not encrypted
• Vendor managed medications for several healthcare organizations
• Mother of a patient sued – "Omnicell violated her privacy" – the information included her insurance details
Breach Outcomes
• Polanco v. Omnicell
– Omnicell had policies requiring encryption – but the employee's laptop had only password protection
– Case dismissed: Polanco "failed to demonstrate an injury"
• Loss of patient confidence
• Cost of defending the lawsuit
• Failure to REQUIRE encryption as a security measure
Breach Outcomes
• Historically
– Individuals cannot sue under HIPAA Privacy and Security – there is no "private right of action"
– HHS can directly enforce and impose penalties (maximum of $1.5 million per year)
– Penalties are paid to HHS – NOT TO THE PATIENT(s)
Breach Outcomes
• Recent Case – May Set a Precedent
– Curry v. AvMed
• AvMed (health plan): two unencrypted laptops stolen December 2009 from a locked conference room
• 1.2 million patient records compromised
• Juana Curry and William Moore – victims of identity theft
Breach Outcomes
• Curry v. AvMed
– Lawsuit: AvMed failed to "adequately secure and encrypt the laptops" and was "negligent and failed to discharge its obligation to protect sensitive personal information of its customers"
– Dismissed in July 2011 – "with prejudice"
– Appealed in August 2011
Breach Outcomes
• Curry v. AvMed
– On appeal – affirmed dismissal of:
• "Negligence per se" and
• "Breach of implied covenant of good faith and fair dealing"
Breach Outcomes
– Reversed dismissal of the remaining 5 counts:
• Negligence, breach of contract, breach of implied contract, breach of fiduciary duty, and restitution/unjust enrichment
• Negligence: failure to encrypt
• Unjust enrichment: AvMed received remuneration for the purpose of securing PHI
– Meet and confer: the parties reviewed the allegations and engaged in preliminary settlement discussions – resolved through private mediation
Breach Outcomes
• AvMed:
– Denies any wrongdoing or liability on each and all claims
– Concluded that further defense would be "risky, burdensome, and expensive"
– Agreed to the terms and conditions of settlement
Breach Outcomes
• Plaintiffs:
– Believe the claims asserted have merit
– Recognize and acknowledge the risk of delays and that they might not prevail
– Concluded that the terms and conditions are fair and reasonable
Breach Outcomes
• Settlement
– Identity Theft Settlement
• Timely submitted, actual, documented, unreimbursed losses accompanied by proof
– Premium Overpayment Claim
• Timely submitted, based on the number of years for which the Defendant was paid insurance premiums
• Maximum of $30 per person
• $3,000,000 minimum payment to be covered by AvMed (additional amounts for identity theft claims)
Breach Outcomes
• Advocate – July 2013 breach
– 3 class action lawsuits filed
– Compromise of over 4,000,000 patient records
• Compare with AvMed: 1,200,000 patient records – $3,000,000 minimum cost
Identity Theft v. Medical Identity Theft
• January 2014 Survey
– Medical-related identity theft accounted for 43% of all identity thefts reported in 2013
• Far greater than Banking and Finance, Government and Military, or Education
– U.S. Dept. of Health and Human Services
• Medical records of between 27.8 and 67.7 million people have been breached since 2009
Identity Theft v. Medical Identity Theft
• Medical Identity Theft
– "The fraudulent acquisition of someone's personal information – name, SSN, health insurance number – for the purpose of illegally obtaining medical services or devices, insurance reimbursements or prescription drugs."
Identity Theft v. Medical Identity Theft
• Medical Identity Theft – Victims
• Little to no recourse for recovery
• Financial repercussions
• Erroneous information added to personal medical files
Identity Theft v. Medical Identity Theft
• Edward Snowden, the former National Security Agency contractor who disclosed the agency's activities to the media, says the NSA has cracked the encryption used to protect the medical records of millions of Americans.
Use of Medical Information
• Psychiatrist in MA: false diagnoses – submitted medical insurance claims for psychiatric sessions that never occurred
• Identity thief in MO: used a false driver's license to obtain the medical records and a prescription belonging to another woman
• Dental office in OH: obtaining prescription drugs
Use of Medical Information
• Methods used to obtain information
– Stealing laptops / electronic devices – more than 50% of medical-related breaches
– Hacking into computer networks (St. Joseph's Hospital in Texas – 429,000 patient records) – 14% of breaches
– Gaining unauthorized access – 20% of breaches
• Lucrative – $10 to $20 for each piece of information
Medical Identity Theft
• Discovery does not correct the "mischief" already done
– Corrected information may be placed in the file, BUT it is difficult to get the wrong information removed – fear of medical liability
– Information from the "thief" gets mixed with the information of the real patient – very difficult to segregate, especially in the electronic environment
Medical Identity Theft
• Can result in patient death
– Inaccurate medication allergies
– Inaccurate medication lists – interactions / failure of medications being prescribed
– Delays in treatment
• Appendicitis following an appendectomy?
Electronic Health Records
• Compromised by Medical Identity Theft
– Difficult to make corrections
– Difficult to address insurance fraud
• Deductibles
• Maximum coverage exceeded
Prevention
• ENCRYPT
– Laptops
– Personal computers
– Portable electronic devices
• iPhones / smartphones
• iPads / tablets
– Use tracking software that allows remote wiping of a portable device if it is stolen
Prevention
• ENCRYPT – Financial impact of not doing so
• HHS fines
• Credit monitoring protection for affected patients
• Loss of patients (and their confidence)
• Loss of business
Prevention
• ENCRYPT – there is no other real option for data on a device that can be stolen
• Firewalls do not protect the data
• Passwords do not protect the data
• Secure servers do not protect the data once it has been copied to the device
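The point made here, and in the Advocate, AHMC and Horizon cases above, is that a "password protected" laptop still holds the records in clear text on its disk, while an encrypted one does not. The following is an added example, not part of the presentation and not the hospital's own tooling, written for a POSIX shell with OpenSSL 1.1.1 or later on PATH (needed for `-pbkdf2`); the function names, file names and sample records are all constructed for the illustration. It encrypts a PHI export with an AES-256 key derived from a passphrase, then checks that none of the original lines appear in the ciphertext, that the round trip is exact, and that a wrong passphrase does not recover the records.

```shell
#!/bin/sh
# Added example (not from the presentation): file-level encryption of a PHI
# export before it is copied to a laptop or removable media, with checks that
# show the difference between "password protected" and encrypted.
# Assumes OpenSSL 1.1.1 or later is on PATH (required for -pbkdf2).
set -eu

# Encrypt plaintext $1 into $2. The AES-256 key is derived from the passphrase
# in file $3 with PBKDF2 (200,000 iterations) and a fresh random salt, so the
# same passphrase never produces the same ciphertext twice.
encrypt_phi_file() {
    openssl enc -aes-256-cbc -pbkdf2 -iter 200000 -salt \
        -in "$1" -out "$2" -pass "file:$3"
}

# Decrypt ciphertext $1 into $2 with the passphrase in file $3 (the iteration
# count must match the one used for encryption).
decrypt_phi_file() {
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
        -in "$1" -out "$2" -pass "file:$3"
}

# Return 0 when no line of plaintext file $1 appears verbatim in file $2.
# On a merely password-protected disk this check fails: the records are there
# for anyone who pulls the drive.
plaintext_absent() {
    ! grep -a -F -q -f "$1" "$2"
}

# Return 0 when decrypting $1 with the passphrase in $3 does not reproduce the
# original plaintext $2. OpenSSL normally reports "bad decrypt" for a wrong
# passphrase; in the rare case the padding check happens to pass, the output
# is garbage, so we compare bytes rather than trusting the exit status alone.
wrong_key_fails() {
    tmp=$(mktemp "${TMPDIR:-/tmp}/phi.XXXXXX")
    if decrypt_phi_file "$1" "$tmp" "$3" 2>/dev/null && cmp -s "$tmp" "$2"; then
        rm -f "$tmp"
        return 1
    fi
    rm -f "$tmp"
    return 0
}

# --- demonstration on constructed data (fake identifiers, not real PHI) ---
work=$(mktemp -d "${TMPDIR:-/tmp}/phi.XXXXXX")
trap 'rm -rf "$work"' EXIT
cat > "$work/export.csv" <<'EOF'
mrn,name,dob,ssn
000123,Jane Example,1970-01-01,000-00-0000
000124,John Example,1965-05-05,000-00-0001
EOF

# In practice the passphrase comes from a key manager; generated here so the
# example runs offline. The second one stands in for an attacker's guess.
head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n' > "$work/key"
head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n' > "$work/wrong-key"
chmod 600 "$work/key" "$work/wrong-key"

encrypt_phi_file "$work/export.csv" "$work/export.csv.enc" "$work/key"
decrypt_phi_file "$work/export.csv.enc" "$work/roundtrip.csv" "$work/key"

plaintext_absent "$work/export.csv" "$work/export.csv.enc" && echo "ciphertext reveals no records"
cmp -s "$work/export.csv" "$work/roundtrip.csv" && echo "round trip with correct passphrase OK"
wrong_key_fails "$work/export.csv.enc" "$work/export.csv" "$work/wrong-key" && echo "wrong passphrase does not recover records"
```

The deck's advice for laptops and phones means full-disk encryption (BitLocker, FileVault, LUKS, or the platform's device encryption), which covers everything on the disk without per-file handling; the file-level approach above is for exports and removable media that leave the encrypted device. Two caveats: `openssl enc` has no authenticated mode, so it protects confidentiality (what the breach safe harbor cares about) but not integrity, and a passphrase stored next to the ciphertext gives no protection at all, which is why the example keeps the key in a separate, mode-600 file.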
Prevention
• Personal steps to prevent medical identity theft
– Do not carry your insurance card
– Beware of "free" services that require you to provide insurance information
– Ask that your health provider request your ID
– Check your statements of benefits
– Request an annual or semiannual summary of benefits – compare it with your actual visits
– Check credit reports for unpaid medical bills
Open Discussion
• Who has experienced a breach?
• What steps were taken following that incident?
• Do you think that your organization has secured its PHI?
• Do you think that your patients are confident in the security of their PHI?