
Upsurge in Privacy, HIPAA and HITECH Risks | June 30, 2014

Date post: 16-Aug-2015
Upload: john-r-wright
Transcript

Upsurge in Privacy, HIPAA and HITECH Risks

John R. Wright, Attorney at Law
Rogers Mantese & Associates, P.C.

Lisa Shumpert, Corporate Compliance Officer
Genesee Health System

OVERVIEW

Topics to be Covered:
HIPAA Enforcement
Data Breaches
Patient Identity Theft
Audits and Investigations
Bring Your Own Device (BYOD)
Electronic Health Records
Minors

HIPAA

The Health Insurance Portability and Accountability Act of 1996

Administrative Simplification:
Privacy Rule: Protected Health Information (PHI)
Security Rule: Electronic Protected Health Information (ePHI)
Enforcement Rule

HIPAA ENFORCEMENT

Enforced by U.S. Department of Health & Human Services, Office of Civil Rights (OCR)

OCR has received 94,445 complaints and resolved 89,005 since April 2003:
Closed 56,595
Investigated and found no violation in 10,057 cases
Investigated 22,353 cases resulting in a change in privacy practices or other corrective action
So, a quarter of all complaints since April 2003 resulted in some sort of corrective action.
526 referrals to the Department of Justice

HIPAA Resolutions

Data Breach Results in $4.8 Million HIPAA Settlements - May 7, 2014
Concentra Settles HIPAA Case for $1,725,220 - April 22, 2014
QCA Settles HIPAA Case for $250,000 - April 22, 2014
County Government Settles Potential HIPAA Violations (for $215,000) - March 7, 2014
Resolution Agreement with Adult & Pediatric Dermatology, P.C. of Massachusetts (for $150,000) - Dec. 20, 2013
HHS Settles with Health Plan in Photocopier Breach Case (for $1,215,780) - August 14, 2013
WellPoint Settles HIPAA Security Case for $1,700,000 - July 11, 2013
Shasta Regional Medical Center Settles HIPAA Privacy Case for $275,000 - June 13, 2013
Idaho State University Settles HIPAA Security Case for $400,000 - May 21, 2013
HHS announces first HIPAA breach settlement involving less than 500 patients (for $50,000) - December 31, 2012
Massachusetts Provider Settles HIPAA Case for $1.5 Million - September 17, 2012
Alaska DHSS Settles HIPAA Security Case for $1,700,000 - June 26, 2012
HHS Settles Case with Phoenix Cardiac Surgery for Lack of HIPAA Safeguards (for $100,000) - April 13, 2012
HHS settles HIPAA case with BCBST for $1.5 million - March 13, 2012
Resolution Agreement with the University of California at Los Angeles Health System (for $865,500) - July 6, 2011
Resolution Agreement with General Hospital Corp. & Massachusetts General Physicians Organization, Inc. (for $1,000,000) - February 14, 2011
Civil Money Penalty issued to Cignet Health of Prince George's County, MD (for $4.3 Million) - February 4, 2011
Resolution Agreement with Management Services Organization Washington, Inc. (for $35,000) - December 13, 2010
Resolution Agreement with Rite Aid Corporation (for $1 Million) - July 27, 2010
Resolution Agreement with CVS Pharmacy, Inc. (for $2.5 Million) - January 16, 2009
Resolution Agreement with Providence Health & Services (for $100,000) - July 16, 2008

Total: $25,381,500

$1.2 Million Settlement for Breach

Health Plan settles for photocopier breach
Affinity Health Plan, Inc., August 2013
CBS Evening News purchased a photocopier previously leased by Affinity that contained medical information on the hard drive
The analysis of risks and vulnerabilities required under HIPAA did not include this information
Over 300,000 patients affected
Corrective action plan in addition to settlement

HIPAA does not create a private right of action, but…

Hinchy v Walgreen Co., et al
Indiana, Marion County Superior Court, 2013
Pharmacist accessed customer’s prescription history in violation of company policy
Pharmacist divulged information to her husband (who used to date the customer)
Summary judgment in favor of plaintiff
Pharmacy violated a “duty” to patient
HIPAA has created a standard of practice for covered entities
Jury awarded $1.44 Million verdict to plaintiff

Plaintiff fired for violating HIPAA wins $183,000 wrongful termination lawsuit

Hurley Medical Center in Flint, Michigan
Fired employee for looking up information about a family member who had been admitted to the hospital
Lawsuit claimed that the hospital should have used progressive discipline instead of firing her
Jury agreed and awarded her $183,000 verdict
Plaintiff’s attorney: "The jury verdict illustrates that HIPAA, while laudable in principle, can sometimes be used by hospitals to unfairly fire employees."

HITECH DATA BREACH NOTIFICATION

Breach Notification Rule: 45 CFR 164.400-414
§164.400 Applicability
§164.402 Definitions
§164.404 Notification to individuals
§164.406 Notification to the media
§164.408 Notification to the Secretary
§164.410 Notification by a business associate
§164.412 Law enforcement delay
§164.414 Administrative requirements and burden of proof

Also: Temporary breach notification requirement for vendors of personal health records and other non-HIPAA covered entities (to the Federal Trade Commission (FTC)), 42 USC § 17937.

$1.5 Million Settlement for Breach

First enforcement action resulting from HITECH Breach Notification Rule
March 2012
Blue Cross Blue Shield of Tennessee
57 unencrypted computer hard drives
Protected Health Information of 1 million people
Inadequate administrative safeguards
Did not perform required security evaluation
Inadequate facility access controls
Corrective action plan in addition to settlement

State-Level Enforcement of HIPAA

State Attorneys General are authorized to enforce HIPAA

Health Net, Inc. (Health Net of Connecticut, Inc.; Health Net of the Northeast, Inc.)
Missing hard drive not reported for six months.

Connecticut Attorney General - July 2010
$250,000 fine and corrective action plan
First State AG to enforce HIPAA

Vermont Attorney General - January 2011
$55,000 fine and corrective action plan
Raised HIPAA, VT Data Breach and Consumer Protection Laws

State Specific Data Breach Laws

A list is available from the National Conference of State Legislatures (NCSL.org)

Example: Michigan Identity Theft Protection Act, 2004 PA 452
Creates notice requirements when there is a “security breach.” Excludes circumstances when all of the following are true:
(i) the employee or other individual acted in good faith in accessing the data;
(ii) the access was related to the activities of the agency or person; and
(iii) the employee or other individual did not misuse any personal information or disclose any personal information to an unauthorized person. MCL 445.63(b)(i)-(iii).

Doesn’t apply if the disclosed data is encrypted and the person who accessed the data does not have an unauthorized copy of the encryption key. MCL 445.72(1)(a)-(b).

Does not apply if the breach has not caused, or is not likely to cause, substantial loss or injury to, or result in identity theft of, the person whose information has been disclosed. MCL 445.72(1). In making this determination, use the same level of care as that of an ordinarily prudent person in similar circumstances. MCL 445.72(3).

Doesn’t apply to entities covered by, and in compliance with, HIPAA. MCL 445.72(10).

PATIENT IDENTITY THEFT

Types:
Patient sharing information with family and friends
Theft from the outside by hackers and thieves
Theft from within by employees or contractors

The patient has a right to:
A copy of the patient’s medical record
Amend the patient’s medical or billing records
An accounting of disclosures
File a complaint

Patients should notify health plans, credit bureaus and the Federal Trade Commission (FTC)

Should patients be offered free credit monitoring?

Note: A medical provider does not violate an identity thief's privacy rights by providing complete records to an identity theft victim.

Patient Identity Theft: Example

Staten Island, NY
Press release in July 2013
Amanda Zieminski, former LPN, stole 80 patients’ data from South Shore Physicians in 2008
Her boyfriend and his brother used the data from elderly patients to file false tax returns, have the money from the returns sent to internet bank accounts, and would then link credit cards to the accounts
The couple flaunted wealth and spending on social media

Underground Marketplace

“Fullz” = Files with personal identifying information such as health insurance credentials, bank account numbers, family names, phone numbers and addresses. Can sell for about $500.

“Kitz” = Files with personal identifying information and copies of original or counterfeit documents (“dox”). Can sell upwards of $1,000.

Whereas simple credit card information goes for $2.

AUDITS AND INVESTIGATIONS

The Government offered the testimony of a medical provider’s office manager during the time of the investigation of the medical provider’s billings. The office manager cooperated with the Government's investigation by obtaining audio and video recordings inside the medical provider’s office and providing documents to the Government. The provider argues that the office manager violated his privacy rights.

U.S. v. DesFosses, Not Reported in F.Supp.2d, 2011 WL 4104702 (D.Idaho 2011).

AUDITS AND INVESTIGATIONS

“[T]he Fourth Amendment protects people, not places. What a person knowingly exposes to the public, even in his own home or office, is not a subject of Fourth Amendment protection . . . . But what he seeks to preserve as private, even in an area accessible to the public, may be constitutionally protected.”

DesFosses citing Katz v. United States, 389 US 347, 351; 88 S Ct 507 (1967) (emphasis added).

HIPAA AUDIT SURVEYS

U.S. DHHS OCR is sending surveys out to 800 covered entities and 400 business associates.
To assess size, complexity and fitness for an audit.
Number of patients/insured lives, use of electronic information, revenue and location of business.
Survey should take 30 minutes.
Date to be announced, but expected in FY 2014.
Receiving a survey does not guarantee an audit.
An audit does not guarantee an investigation.

OCR Random Audit Documentation Request List

Policies and procedures over Uses and Disclosures of PHI, to include:
Deceased individuals
Personal Representatives
Confidential Communications
Business Associate Contract Requirements
Health Plan Documentation Requirements
Treatment, Payment or Operations
Consent and authorization requirements
Judicial or administrative proceeding requirements
Research requirements
Approval or waiver requirements
De-identification/Re-identification of PHI procedures
Restriction of PHI
Minimum Necessary requirements
Limited information provided for fund raising purposes
Health care underwriting requirements
Identity verification procedures for individuals requesting PHI

BRING YOUR OWN DEVICE (BYOD)

Employer has the opportunity to access an employee's personal e-mail accounts through the use of the employee’s personal mobile phone used for work assignments. Keystroke logging installed on corporate computers can capture an employee's every keystroke, including the log-in credentials for the employee's personal e-mail account. Log-in credentials are also stored on the local hard drive of a company-owned computer, which permits direct access to a personal account without having to enter log-in credentials. Employer wants to access such information because Employer believes the employee may have stolen company property.

Pure Power Boot Camp v Warrior Fitness Boot Camp, 587 F.Supp.2d 548 (S.D.N.Y. 2008).

The Stored Communications Act

“The Stored Communications Act, 18 U.S.C. § 2701, et seq. (“SCA”), part of the Wiretap Act, provides in part:
(a) Offense.—Except as provided in subsection (c) of this section whoever—
(1) intentionally accesses without authorization a facility through which an electronic communication service is provided; or
(2) intentionally exceeds an authorization to access that facility; and thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage in such system shall be punished as provided in subsection (b) of this section. [18 U.S.C.A. § 2701 (emphasis added).]”

Pure Power v Warrior Fitness, 587 F. Supp. 2d at 555.

The Electronic Communications Privacy Act

“The Electronic Communications Privacy Act, 18 U.S.C. §§ 2510–2511 (“ECPA”), creates criminal sanctions and a civil cause of action against persons who “intercept” electronic communications.” Pure Power v Warrior Fitness, 587 F Supp 2d at 556.

“Whenever any wire or oral communication has been intercepted, no part of the contents of such communication and no evidence derived therefrom may be received in evidence in any trial, hearing, or other proceeding in or before any court, grand jury, department, officer, agency, regulatory body, legislative committee, or other authority of the United States, a State, or a political subdivision thereof if the disclosure of that information would be in violation of this chapter.” 18 U.S.C.A. § 2515.

ELECTRONIC HEALTH RECORDS

A medical provider intends to voluntarily use electronic health records (“EHRs”) under the HITECH Act. The HITECH Act requires the federal government to adopt standards for EHRs but expressly states that such standards are voluntary for private entities. The HITECH Act also provides financial incentives for Medicare- and Medicaid-participating providers to adopt EHR standards but does not mandate it. A patient does not use any federally provided health care, such as Medicare or Medicaid. The patient believes that the use of electronic health records will threaten his right to privacy. Can the patient prevent the use of EHR by the health care provider?

Heghmann v Sebelius, Not Reported in F.Supp.2d, 2010 WL 2643301 (S.D.N.Y. 2010).

ELECTRONIC HEALTH RECORDS

“The HITECH Act requires the federal government to adopt standards for EHRs but expressly states that such standards are voluntary for private entities. 42 U.S.C. §§ 300jj–15, 300jj–16, 300jj–17(d).”

“The HITECH Act also provides financial incentives for Medicare- and Medicaid-participating providers to adopt EHR standards but does not mandate it. Id. §§ 4101–02, 4201.”

Heghmann v Sebelius.

ELECTRONIC HEALTH RECORDS

Libertyville, IL
Surgeons of Lake County
June 2012
Hackers infiltrated the practice server and encrypted all e-mails and electronic health records of 7,000 patients
Demanded $3,000 in ransom to be paid in bitcoins
Doctors shut down the server and reported the incident to law enforcement

Electronic Health Records

Health Information Exchanges
Treatment for Substance Use Disorders
Special confidentiality considerations: 42 CFR Part 2
Medical records have to be kept separate from substance abuse treatment records
When can you “break the glass”?
Qualified Service Organization Agreement
One-way or two-way sharing

MINORS

Generally, HIPAA allows parents to have access to the protected health information of their unemancipated minor children.

However, a more stringent state law permitting or prohibiting access to health records will take precedence over HIPAA.

State laws may address:
Abortion
Birth Control
Emergency Care
Immunizations
Mental health services (inpatient/outpatient)
Prenatal/Pregnancy Care (for minors and children of minors)
STD Treatment
Substance Abuse Treatment

Requirements regarding access to records may be different from requirements pertaining to parental consent for medical care.

Special considerations under other laws such as the Indian Child Welfare Act and the Michigan Indian Family Preservation Act.

MINORS

Child was murdered as a result of a trauma to the head. At the time of the child’s death, she resided with her five under-aged half-brothers and sisters. The surviving children were removed from the custody of the parents based upon allegations of child abuse, and placed in emergency foster care. The surviving children have been appointed a guardian. The media wants to attend the Family Court hearing on protective custody.

Matter of Ruben R., 219 A.D.2d 117, 641 N.Y.S.2d 621 (N.Y.A.D. 1 Dept. 1996).

MINORS

“This appeal concerns the sensitive balance which must be struck between the potential trauma to the mental and physical well-being of the children in question which would result from the public dissemination of certain personal aspects of their lives, and whether those concerns outweigh the interests of the press in having free access to judicial proceedings.”

Matter of Ruben R., 219 A.D.2d 117, 641 N.Y.S.2d 621, 622 (N.Y.A.D. 1 Dept. 1996).

MINORS

“In Globe Newspaper Co. v. Superior Court, (supra, at 607, 102 S.Ct. at 2620), the United States Supreme Court recognized two interests favoring disclosure, [1] the protection of minor victims of sex crimes from further trauma and embarrassment, and [2] the encouragement of those victims to come forward and testify truthfully and credibly. The court further agreed that the State's interest in safeguarding the well-being of a minor is a compelling one, but concluded that the determination of whether closure of any particular proceeding is necessary be made on a case-by-case basis (Id. at 608, 102 S.Ct. at 2621).”

Matter of Ruben R., 219 AD2d 117, 123, 641 NYS2d 621, 625 (1996) (emphasis added).

CONCLUSION

Covered Topics:
HIPAA Enforcement
Data Breaches
Patient Identity Theft
Audits and Investigations
Bring Your Own Device (BYOD)
Electronic Health Records
Minors

QUESTIONS?

THANK YOU!

John R. Wright
Rogers Mantese & Associates, P.C.
[email protected]
Metro Detroit: (248) 702-6350
Great Lakes Bay: (989) 272-4434

Lisa Shumpert, Corporate Compliance Officer
Genesee Health System
[email protected]
(810) 424-6061

