Date post: 02-Jan-2016
Upload: bertina-fields
Privacy and Security of PHI In The Era of Meaningful Use Alison Nicklas, MJ, RHIA, CCS Director HIM, Privacy Officer St. Francis Hospital and Medical Center
Privacy and Security of PHI In The Era of Meaningful Use

Alison Nicklas, MJ, RHIA, CCS
Director HIM, Privacy Officer
St. Francis Hospital and Medical Center

Objectives
• Understand our role in protecting the privacy of our patients’ information and ensuring the security of the systems
• Identify the key standard to mitigate a breach
• Understand the role of Meaningful Use in increased breach reports
• Understand the legal and financial repercussions of a breach to both the patient and the covered entity

Agenda
• HIPAA Privacy – 2003
• HIPAA Security – 2005
• HITECH Privacy and Security – 2009
• Meaningful Use
• Sample Cases - 2013
• Reported Breaches – Legal Outcomes

HIPAA Privacy - 2003
• 1996 – Health Insurance Portability and Accountability Act (HIPAA)
  – HIPAA Privacy and Security outlined
    • Provided guidance to the Institute of Medicine’s goal for a paperless record by 2001
  – 2003 – HIPAA Privacy in effect
    • Covers the information
    • Any format – paper, film/fiche, electronic, oral
    • Compliance date: 4/14/2003

HIPAA Privacy - 2003
• Key Documents
  – The Code of Federal Regulations (C.F.R.)
    • 45 C.F.R. Parts 1 to 199 – revised October 1, 2007
• Key Definitions
  – Covered Entity: “health plan, health care clearinghouse, or a health care provider who transmits any health information in electronic form”

HIPAA Privacy - 2003
• Key Definitions (Continued)
  – Health Care Clearinghouse: “entity that processes or facilitates the processing of health information received from another entity” or that “processes or facilitates the processing of health information for a receiving entity”
  – Business Associate: “performs a function or activity involving the use or disclosure of individually identifiable health information” for a covered entity.

HIPAA Privacy - 2003
• 45 C.F.R. § 164.502 – Permitted uses and disclosures
  – With and without authorization
  – Minimum necessary “to accomplish the intended purpose of the use, disclosure, or request”
• No need for patient authorization to release for “treatment, payment, or healthcare operations”

HIPAA Privacy - 2003
• Accounting of Disclosures
  – Six years prior (if paper record)
  – Three years prior (if electronic record)
  – Exceptions:
    • Incidental to a permitted disclosure
    • Based on valid authorization
    • National security reasons
    • Correctional facilities or law enforcement
    • Limited data set requirements and
    • For Now… “treatment, payment, or healthcare operations”

HIPAA Privacy - 2003
• Included in an Accounting:
  – The date of the disclosure
  – The name of the entity or person who received the PHI
  – The addresses of such entity or person (if known)
  – Brief description of the PHI
  – Brief statement of the purpose of the disclosure

HIPAA Security 2005
• 1996 – Health Insurance Portability and Accountability Act (HIPAA)
  – HIPAA Privacy and Security outlined
    • Provided guidance to the Institute of Medicine’s goal for a paperless record by 2001
  – 2005 – HIPAA Security in effect
    • Electronic information “created, received, retained, or transmitted by the covered entity”
    • Effective April 20, 2005

HIPAA Security 2005
• Specific Security Safeguards
  – “Required” – the covered entity MUST implement as written
  – “Addressable” – the covered entity has the OPTION to implement as written or assess whether doing so is reasonable
    • If not deemed “reasonable” – MUST
      – Implement an alternate “equivalent” specification AND
      – Document why the stated specification was deemed not to be reasonable

HIPAA Security 2005
• Four REQUIRED implementation specifications
  – Security Risk Assessment:
    • Identify any risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI
    • Implement policies and procedures to mitigate identified risks and vulnerabilities
    • Focus on those with a “reasonable anticipation of threat”

HIPAA Security 2005
  – Assess current security measures
    • Technical: Access controls – firewalls, audit controls, and encryption
    • Non-Technical: Policies and procedures, standards and guidelines
  – Evaluate the potential impact of threat
    • Risk for that threat (human/environmental threats)
  – Identify security measures to mitigate risk

HITECH - 2009
• ARRA: American Recovery and Reinvestment Act – includes:
• HITECH: Health Information Technology for Economic and Clinical Health (HITECH)

HITECH - 2009
• HITECH Act includes:
  – Improved guidance for the Security Rule
  – Increased penalties for a breach
• Technical Safeguards include:
  – Encryption (Note – this is only an addressable standard – not required)
    • Defined: making ePHI “unusable, unreadable, or indecipherable”
  – Destruction (applies to unsecured data such as paper, film, fiche…)

HITECH - 2009
• Encryption: Addressable
  – Firewall may be an alternative - “reasonable and appropriate safeguard”
    • RISK: Breach of the firewall considered a reportable incident to the Office of Civil Rights as the information was not made “unusable, unreadable, or indecipherable”

HITECH - 2009
• New Penalties
  – Prior to HITECH – no monetary penalty if the covered entity “did not know or could not have reasonably known of the breach”
  – HITECH:
    • Minimum $100 - $50,000
      – Did Not Know $100 - $50,000
      – Reasonable Cause $1,000 - $50,000
      – Willful Neglect – Corrected $10,000 - $50,000
      – Willful Neglect – Not Corrected $50,000
    • Maximum $1,500,000

Meaningful Use
• HITECH – Meaningful Use
  – “Voluntary”
  – Failure results in penalties
    • 1% Medicare payment reduction in 2015
    • 2% Medicare payment reduction in 2016
    • 3% Medicare payment reduction 2017 +

Meaningful Use
• Defined: Using certified electronic health record (EHR) technology to:
  – Improve quality, safety, efficiency, and reduce health disparities
  – Engage patients and family
  – Improve care coordination, and population and public health
  – Maintain privacy and security of patient health information

Meaningful Use
• Objectives: meaningful use compliance will result in:
  – Better clinical outcomes
  – Improved population health outcomes
  – Increased transparency and efficiency
  – Empowered individuals
  – More robust research data on health systems

Meaningful Use
• Eligible Hospitals and Critical Access Hospitals
  – Can apply for Medicare AND Medicaid financial incentives
• Eligible Professionals
  – Can apply for Medicare OR Medicaid financial incentives

Meaningful Use
• Eligible Hospital – Medicare Incentive
  – Start value: $2,000,000
  – Add
    • $200 per discharged patient (no payment for first 1,150) to a maximum of 23,000 patients
  – Multiplied by both:
    • Medicare Share – Based on number of inpatient Part A bed days + number of inpatient Part C days x (total charges – charges related to charity care)
    • Transition Factor – Based on the year the hospital first attests to Meaningful Use

Meaningful Use
• Certified technology must be used
• Meet Core and Menu Set Objectives
  – INCLUDES PRIVACY AND SECURITY OF DATA
• Electronic Data Security
  – Encryption – only an “addressable” standard
  – Firewalls – “reasonable and appropriate” but FAILS to meet “breach” standards

Outcome of “Voluntary” EHR
• HHS Secretary – Kathleen Sebelius
  – May 22, 2013:
  – “Doctors and hospitals’ use of health IT more than doubled since 2012”
• Data from the Office of Civil Rights has demonstrated that more than 29,000,000 patient records have been breached since 2009 (only includes breaches of 500 or more!)

Sample Cases - 2013
• Advocate Medical Group
  – Largest Chicago physician group – more than 1,000 doctors, 200 locations
  – Administrative building broken into
  – 4 unencrypted personal computers stolen July 15, 2013
  – Over 4 million patient records stored – 2nd largest ever reported to HHS

Sample Cases - 2013
  – Only password protected – a “first line of defense” – it is NOT encryption
  – Data:
    • SSN, DOB, patient names, addresses
  – NOT the FIRST breach reported by Advocate
    • 2009 – employee reported theft of a personal laptop with 812 patient records - unencrypted

Sample Cases - 2013
• AHMC Healthcare
  – Administrative Office Break-in
  – Two password protected laptops stolen October 12, 2013
    • SSN, name, MCR/Ins. ID number, dx/proc codes, Ins./Patient payments
  – 729,000 Patient Records
  – Will now expedite the encryption policy for laptops

Sample Cases - 2013
• Horizon Blue Cross and Blue Shield of NJ
  – Headquarters Break-in
  – Two password protected and cable-locked laptops stolen November 4, 2013
    • Data: SSN, Names, Addresses, DOB, Clinical Information
  – 840,000 Patient Records
  – Plan: Review staff education, policies and encryption
  – Not the first breach – 2008 lost laptop with 300,000 individuals notified

Sample Cases - 2013
• 5.5 million patient records included in just 3 breach reports for 2013
• All included SSNs and patient names
• All involved unencrypted devices – even with two organizations already having had similar breach reports in the past
• Since 2009 – 29,000,000 patient records have been compromised through breaches

Breach Outcomes
• Lawsuits
  – HIPAA “Breach” not a cause of action for individuals
  – March 8, 2013 – Polanco v. Omnicell
    • Laptop stolen from employee vehicle
    • Not encrypted
    • Vendor managed medications for several healthcare organizations
    • Mother of patient sued – “Omnicell violated her privacy” – information included her insurance

Breach Outcomes
• Polanco v. Omnicell
  – Omnicell had policies requiring encryption – but employee only had password protection security
  – Case dismissed: Polanco “failed to demonstrate an injury”
    • Loss of confidence of patients
    • Cost of defending lawsuit
    • Failure to REQUIRE encryption as a security measure

Breach Outcomes
• Historically
  – Failure to file suit under HIPAA Privacy and Security – no “private right of action”
  – HHS – can directly enforce and impose penalties (maximum of $1.5 million)
  – Penalties – paid to HHS – NOT TO PATIENT(s)

Breach Outcomes
• Recent Case – May Set Precedent
  – Curry v. AvMed
    • AvMed (Health Plan): Two unencrypted laptops stolen December 2009 from a locked conference room
    • 1.2 million patient records compromised
    • Juana Curry and William Moore – victims of identity theft

Breach Outcomes
• Curry v. AvMed
  – Lawsuit:
    • AvMed failed to “adequately secure and encrypt the laptops” and it was “negligent and failed to discharge its obligation to protect sensitive personal information of its customers”
  – Dismissed in July 2011 – “with prejudice”
  – Appealed in August 2011

Breach Outcomes
• Curry v. AvMed
  – Affirmed Dismissals of:
    • “Negligence per se” and
    • “Breach of implied covenant of good faith and fair dealing”

Breach Outcomes
  – Reversed Dismissals of remaining 5 counts:
    • Negligence, Breach of Contract, Breach of Implied Contract, Breach of Fiduciary Duty, and Restitution/Unjust Enrichment
    • Negligence: Failure to encrypt
    • Unjust enrichment: AvMed received remuneration for the purpose of securing PHI
  – Meet and Confer: Reviewed allegations and engaged in preliminary settlement discussions – resolved through private mediation

Breach Outcomes
• AvMed:
  – Denies any wrongdoing or liability
  – Each and all claims
  – Concluded further defense would be “risky, burdensome, and expensive”
  – Agreed to terms and conditions of settlement

Breach Outcomes
• Plaintiffs
  – Believe claims asserted have merit
  – Recognize and acknowledge risk of delays and that they might not prevail
  – Concluded that the terms and conditions are fair and reasonable

Breach Outcomes
• Settlement
  – Identity Theft Settlement
    • Submitted timely, actual, documented, unreimbursed losses accompanied by proof
  – Premium Overpayment Claim
    • Submitted timely, number of years for which the Defendant was paid for insurance premiums
    • Maximum of $30 per person
    • $3,000,000 minimum payment to be covered by AvMed (Additional for Identity Theft Coverage)

Breach Outcomes
• Advocate – July, 2013 Breach
  – 3 Class Action Lawsuits filed
  – Compromise of over 4,000,000 patient records
    • Compare with AvMed of 1,200,000 patient records - $3,000,000 minimum cost

Identity Theft v. Medical Identity Theft
• January 2014 Survey
  – Medical-related identity theft accounted for 43% of all identity thefts reported in 2013
    • Far greater than Banking and Finance, Government and Military, or Education
  – U.S. Dept. of Health and Human Services
    • Medical Records of between 27.8 and 67.7 million people have been breached since 2009

Identity Theft v. Medical Identity Theft
• Medical Identity Theft
  – “The fraudulent acquisition of someone’s personal information – name, SSN, Health Insurance Number – for the purpose of illegally obtaining medical services or devices, insurance reimbursements or prescription drugs.”

Identity Theft v. Medical Identity Theft
• Medical Identity Theft
  – Victims
    • Little to no recourse for recovery
    • Financial repercussions
    • Erroneous information added to personal medical files

Identity Theft v. Medical Identity Theft

• Edward Snowden, the former National Security Agency contractor who has disclosed the agency’s activities to the media, says the NSA has cracked the encryption used to protect the medical records of millions of Americans.

Use of Medical Information
• Psychiatrist in MA: False diagnoses – submit medical insurance claims for psychiatric sessions that never occurred
• Identity Thief in MO: False Driver’s License to obtain Medical Records and a prescription belonging to another woman
• Dental Office in OH: Obtain prescription drugs

Use of Medical Information
• Methods Used to Obtain Information
  – Stealing laptops / electronic device – more than 50% of medical-related breaches
  – Hacking into computer networks (St. Joseph’s Hospital in Texas – 429,000 patient records) – 14% of breaches
  – Gaining unauthorized Access – 20% of breaches
• Lucrative - $10 to $20 for each bit of information

Medical Identity Theft
• Discovery – does not correct the “mischief” done
  – Corrected information may be placed in file BUT difficult to get information removed – fear of medical liability
  – Information from the “thief” gets mixed with the information of the real patient – very difficult to segregate especially in the electronic environment

Medical Identity Theft
• Can result in patient death
  – Inaccurate medication allergies
  – Inaccurate medication lists – interactions/failure of medications being prescribed
  – Delays in treatment
    • Appendicitis following Appendectomy?

Electronic Health Records
• Compromised by Medical Identity Theft
  – Difficult to make corrections
  – Difficult to address insurance fraud
    • Deductibles
    • Maximum coverage exceeded

Prevention
• ENCRYPT
  – Laptops
  – Personal Computers
  – Portable Electronic Devices
    • iPhones / Smart Phones
    • iPads / Notepads
  – Use software tracking that allows remote erasing of portable device if stolen

Prevention
• ENCRYPT
  – Financial Impact
    • HHS Fines
    • Credit Monitor Protection
    • Loss of Patients (and their confidence)
    • Loss of Business

Prevention
• ENCRYPT
  – There is no other real option
    • Firewalls do not protect the data
    • Passwords do not protect the data
    • Secure Servers do not protect the data

Prevention
• Personal Steps to Prevent Medical Identity Theft
  – Do not carry your insurance card
  – Beware of “Free” services when required to provide insurance information
  – Request health provider ask for your ID
  – Check statement of benefits
  – Request an annual / semiannual summary of benefits – compare with actual visits
  – Check credit reports for unpaid medical bills

Open Discussion
• Who has experienced a breach?
• What steps were taken following that incident?
• Do you think that your organization has secured its PHI?
• Do you think that your patients are confident in the security of their PHI?

