The HITECH Act, the Security Rule and Meaningful Use
Rachel V. Rose, JD, MBA (Texas); Raymond F. Ribble (California); William J. McBorrough (Washington, DC)
First Healthcare Compliance Presentation, November 8, 2018
Disclosure
THE INFORMATION PRESENTED IS NOT MEANT TO CONSTITUTE LEGAL ADVICE. CONSULT YOUR ATTORNEY FOR ADVICE ON A SPECIFIC SITUATION.
Copyright - Rachel V. Rose - Attorney at Law, PLLC (2018). All Rights Reserved.
Overview
I. Laying the Legal Foundation
- Evolution from HIPAA to the Omnibus Rule, including Meaningful Use
- Specific language that is often an issue in interpreting the regulations (e.g., Standard, Required and Addressable)
- International considerations (e.g., contract language, other country laws, state laws prohibiting outsourcing)
- Recent actions regarding false attestations
- Specific legal requirements under the Security Rule (TAP)
II. Practical Side of Meaningful Use
III. The Technical Side of the HITECH Act and Security Rule
IV. Panel Discussion and Q&A
HIPAA and the HITECH Act: the laws and the persons covered.
Who Is Under the Legal Umbrella?
- HIPAA Covered Entities: Health Care Providers, Health Plans and Health Care Clearinghouses
- Business Associates: contract with Covered Entities
- Subcontractors: contract with Business Associates
- TX House Bill 300 (TX HIPAA): a different definition of “covered entity” that encompasses anyone who creates, receives, maintains and transmits PHI.
- Federal Trade Commission: fills the “gap” in the federal HIPAA definitions.
Legislative History
- 1996: HIPAA (Public Law 104-191), addressing the need for a consistent framework for transactions and other administrative items.
- 2002: The Privacy Rule (Aug. 14, 2002)
- 2003: The Security Rule (Feb. 20, 2003)
- 2009: Health Information Technology for Economic and Clinical Health (“HITECH”) Act, Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009 (Pub. L. 1115) (Feb. 17, 2009)
- 2009: The Breach Notification Rule (Aug. 24, 2009)
- 2010: Privacy and Security Proposed Regulations (Feb. 17, 2010)
- 2013: Omnibus Rule (effective March 26, 2013; compliance Sept. 23, 2013)
The HITECH Act
The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009.
What the HITECH Act does:
- Conforms HIPAA’s enforcement regulations to the statutory revisions that are currently effective under section 13410(d) of the HITECH Act
- Increased penalties
The HITECH Act (II)
- Expressly stated business associate and subcontractor liability.
- Striking the previous bar on the imposition of penalties if the covered entity did not know and, with the exercise of reasonable diligence, would not have known of the violation (such violations are now punishable under the lowest tier of penalties); and
- Providing a prohibition on the imposition of penalties for any violation that is corrected within a 30-day time period, as long as the violation was not due to willful neglect.
Areas of Update (Feb. 2009)
Section 13410(c)(3), HITECH Act, Pub. L. 111-5, requires HHS to establish a methodology to provide a percentage of the civil monetary penalties (“CMPs”) collected to individuals who are harmed by HIPAA/HITECH Act violations. Although this was supposed to be accomplished three years after the enactment of the HITECH Act, an advance notice of proposed rulemaking (“ANPRM”) was only recently published by the Office of Information and Regulatory Affairs, Office of Management and Budget, Executive Office of the President. See https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/understanding/coveredentities/hitechact.pdf.
Areas of Update, Part II
HHS Report – Health Information Privacy Beyond HIPAA: A 2018 Environmental Scan of Major Trends and Challenges.
42 CFR Part 2 is a federal law designed to protect individuals’ confidentiality when seeking treatment for substance use disorders from federally assisted programs. In 2018, the Substance Abuse and Mental Health Services Administration (“SAMHSA”), building on the March 21, 2017 final rule that modernized the Confidentiality of Alcohol and Drug Abuse Patient Records (now the Confidentiality of Substance Use Disorder Patient Records) and the supplemental notice of proposed rulemaking (“SNPRM”), issued a final rule.
Sources: SAMHSA, https://www.samhsa.gov/health-information-technology/laws-regulations-guidelines (last visited June 3, 2018); https://www.regulations.gov/document?D=HHS-OS-2016-0005-0377 (Feb. 17, 2017); RIN: 0930-AA21, https://www.regulations.gov/document?D=HHS-OS-2016-0005-0378 (last visited June 3, 2018); 83 Fed. Reg. 239 (Jan. 3, 2018), https://www.gpo.gov/fdsys/pkg/FR-2018-01-03/pdf/2017-284
Specific Language: Standard, Required and Addressable (Certain Phrases)
Three Key Words:
- Required: compulsory
- Standard: compulsory
- Addressable: does not mean optional
International Considerations: Business Associate Agreement Language, Other Country Laws, GDPR
Relevant Laws and Regulations & Common Areas of Concern
- General Data Protection Regulation, effective May 25, 2018
- Individual country laws
- Treaties between another country and the US
- Caliber of the other country’s laws and regulations
Areas of Concern When Outsourcing Overseas
- Business Associate Agreements: arbitration clauses, choice of law and choice of venue
- Due diligence
- State law requirements that do not allow the outsourcing of PHI (Arizona, for example)
Legal Consequences for HIPAA and HITECH Act Violations: Negligence, False Claims Act and Government Authority to Reclaim Meaningful Use Dollars
Negligence-based: WV Cases
R.K. v. St. Mary’s Medical Center, Inc., 2012 WL 5834577. A hospital employee illegally accessed the plaintiff’s medical records, which included psychiatric records, and sent them to the plaintiff’s estranged wife and her divorce attorney. The WV Supreme Court held that “State common law claims for the wrongful disclosure of medical or personal health information are not inconsistent with HIPAA. Rather, such state law claims complement HIPAA by enhancing the penalties for its violation and thereby encouraging HIPAA compliance.”
State ex rel. State Farm Mut. Auto. Insurance Co. v. Marx, 2012 WL 5834584. Medical records, which are the subject of discovery, can be controlled by the trial courts. Hence, State Farm did not have a “carte blanche” right to share information with national databases.
Negligence-based: CT Case
Byrne v. Avery Center for Obstetrics and Gynecology, SC 18904 (Nov. 11, 2014). A patient advised her physician not to provide information to her significant other. The significant other filed a paternity suit and issued a subpoena to the physician’s office. The health center, instead of alerting the patient or fighting the subpoena, simply handed the records over. The CT Supreme Court held that HIPAA does not preempt negligence claims for a breach of privacy. Regulations of HHS implementing HIPAA may inform the applicable standard of care in certain circumstances.
Negligence-based (cont.): NC Case
Acosta v. Byrum, 638 S.E.2d 246 (N.C. Ct. App. 2006). The patient was treated by Dr. Faber, who gave his access code to a third party, who, in turn, viewed the patient’s records. Take-aways: (1) not a malpractice claim, so no expert certification; (2) while HIPAA does not provide a private right of action, it may be used to establish an appropriate standard of care in a negligence claim.
2014 Tenet settlement: a class action filed in 1997, which settled for $32.5 million for records left in a parking lot in April 1996.
Dentistry of Brownville v. Texas Health and Human Services Commission, Case No. 03-17-00552-CV (Tex. Ct. App. Oct. 18, 2018)
Facts: Dentistry practices applied in 2011 to the Texas Health and Human Services Commission (HHSC) to receive funds from the EHR incentive program. Plaintiffs were paid more than $3 million in incentives to make their health records EHR compliant. In 2012, HHSC retained an auditor to ensure that providers properly spent the grants. In 2014 and 2015, HHSC issued letters to the providers stating that the dental practices had not qualified for the EHR incentives and would have to repay.
Ruling: All acts were either within the discretion of HHSC or were authorized by applicable statutes or rules.
Types of Violations
- Individual disclosure. Example: a University of Rochester Medical Center nurse practitioner gave a list of 3,403 patient names, addresses and diagnoses to a future employer without obtaining permission from the patients.
- Hospital employee or contractor looks at medical records when not part of the care team and not authorized to do so. Examples: VUMC, University of California Irvine Med. Ctr.
- External security breach. Ransomware examples: Medstar, Hollywood Presbyterian Medical Center.
- Failing to update patches: CHS (notable because there is a reporting requirement under HIPAA and under SEC regs).
Warner Chilcott & Physician HIPAA Violations Brought Under the False Claims Act
“Pharmaceutical company Warner Chilcott was sentenced today in U.S. District Court in Boston to pay $125 million to resolve criminal and civil liability arising from the illegal promotion of various drugs.” https://www.justice.gov/usao-ma/pr/warner-chilcott-sentenced-pay-125-million-health-care-fraud-scheme
Warner Chilcott cooperated with the government’s investigation into culpable individuals, which has led to several individual prosecutions. Among them are:
- Former district manager Jeffrey Podolsky pleaded guilty to health care fraud in connection with manipulating prior authorizations;
- Former district manager Timothy Garcia pleaded guilty to health care fraud in connection with manipulating prior authorizations; and
- Former district manager Landon Eckles pleaded guilty to wrongful disclosure of individually identifiable health information, a criminal violation of the HIPAA law.
Warner Chilcott, Part 2
Rita Luthra, a Springfield, MA-based gynecologist, was sentenced Sept. 19 to one year of probation for a criminal HIPAA violation and obstruction of a criminal healthcare investigation. In April, a jury convicted her of allowing a Warner Chilcott pharmaceutical sales representative to access patient records and of lying to federal investigators. In May, US District Judge Mark G. Mastroianni denied a motion by Luthra’s attorney to reverse the conviction. In the original complaint, the Department of Justice (DoJ) alleged that Luthra allowed a Warner Chilcott sales representative to access her patients’ PHI and then provided false information to HHS agents about her dealings with the drug company. https://healthitsecurity.com/news/ma-physician-gets-1-year-probation-for-criminal-hipaa-violation
Meaningful Use Cases & The False Claims Act
- eClinicalWorks (US District Court – Vermont) (2017): settled for $155 million. ECW falsely obtained certification for its EHR software when it concealed from its certifying entity that its software did not comply with the requirements for certification. https://www.justice.gov/opa/pr/electronic-health-records-vendor-pay-155-million-settle-false-claims-act-allegations
- 21st Century Oncology (US District Court – MDFL) (2017): settled for $26 million. Under the Medicare EHR Incentive Program, physicians who attest to their meaningful use of certified EHR technology may receive incentive payments and avoid downward adjustments to certain Medicare claims. As part of its self-disclosure, 21st Century Oncology reported that it knowingly submitted, or caused the submission of, false attestations to CMS concerning employed physicians’ use of EHR software. https://www.justice.gov/opa/pr/21st-century-oncology-pay-26-million-settle-false-claims-act-allegations
Technical, Administrative and Physical Safeguards
HHS - Office for Civil Rights (OCR)
Through the federal civil rights laws and the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, OCR protects your fundamental nondiscrimination and health information privacy rights by:
- Teaching health and social service workers about civil rights, health information privacy, and patient safety confidentiality laws
- Educating communities about civil rights and health information privacy rights
- Investigating civil rights, health information privacy, and patient safety confidentiality complaints to identify discrimination or violation of the law and take action to correct problems.
http://www.hhs.gov/ocr/about-us/index.html
According to an HHS Fact Sheet: “The Security Management Process standard of the Security Rule includes requirements for all covered entities and business associates to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all of the ePHI the entities create, receive, maintain, or transmit and to implement security measures sufficient to reduce those identified risks and vulnerabilities to a reasonable and appropriate level.”
PHI & The HITECH Act
Acts related to PHI that fall under the purview and the subsequent enforcement of the HITECH Act: “accesses, maintains, retains, modifies, records, stores, destroys or otherwise holds, uses or discloses unsecured protected health information”
Unsecured Protected Health Information: “PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in the guidance issued under section 13402(h)(2) of the HITECH Act.”
HIPAA & Cyber Training
“[T]he Security Rule simply establishes a floor, or minimum requirements, for the security of ePHI; entities are permitted (and encouraged) to implement additional and/or more stringent security measures above what they determine to be required by Security Rule standards.”
TAP and Safeguards
TAP: Technical, Administrative and Physical requirements as set forth in CFR 164.302.
- Administrative safeguards are administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity's or business associate's workforce in relation to the protection of that information.
- Technical safeguards means the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.
TAP - Physical Safeguards v. Security Measures (CFR 164.302)
- Physical safeguards are physical measures, policies, and procedures to protect a covered entity's or business associate's electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion.
- Security or Security Measures encompass all of the administrative, physical, and technical safeguards in an information system.
Wrap-Up & Panel
Remember the following: TAP, CIA, PDC.
Panel Discussion and Q&A: Practical Side of Meaningful Use; The Technical Side of the HITECH Act and Security Rule.
Thank you & Panelists
- Rachel V. Rose – Attorney at Law, PLLC (Houston, Texas), [email protected]
- Raymond F. Ribble – President, Spher, Inc., [email protected]
- William J. McBorrough – Co-Founder, MCGlobal Tech, [email protected]
The Practical Side of Meaningful Use: What We Learned from a Security Perspective
Presented to: HIPAA Privacy and Security Summit 2018
Raymond Ribble, Founder & President, SPHER Inc.
CONFIDENTIAL: This document may not be reproduced, transmitted, or distributed without the prior permission of SPHER Inc.
SoCal RECs – Certified Service Partner
- 1500 Providers
- 800 Providers: From Paper to Digital
- 2100 Attestations
- 91% Success Rate
The Early Stages: How Meaningful Was It?
- Stage 1 (2011-2012): Data Capture & Sharing; electronic capture of patient PHI in a standard format. Meaningful Use security focused on: conducting an initial Security Risk Assessment to address ePHI safety.
- Stage 2 (2014): Advanced Clinical Processes; more rigorous Health Information Exchange (HIE). Meaningful Use security focused on: regular and appropriate updates to SRAs and review processes.
- Stage 3 (2016): Improved Outcomes; technology solutions tied to improved health outcomes for patients. Meaningful Use security focused on: System Audit Controls, monitoring application audit logs (164.312(b)).
Further security focus items across the three stages:
- TeleHealth solutions start to expand
- Knowing who is logging in and looking at the data
- More patient access to self-management tools
- Electronic transmission of patient ePHI across multiple settings, with increased exposure to data breach risk
- Increased monitoring obligations
- Patient-controlled data portals
- Information System Activity Review: reviewing all records in the application (164.308(a)(1)(ii)(D))
- Access to ePHI through patient-centered HIE; monitoring access to the HIE
2300 provider engagements over 5.5 years
Major Problems & Concerns, 2011 - Now
[Chart: across care settings from regional health clinics and private practice clinics to enterprise hospitals, the level of network monitoring (none, some, strong; 0% to 75%), SRA status (No-SRA, Some-SRA, Yes-SRA) and user activity monitoring (None or Low).]
*ePHI security was not, and continues not to be, a priority
Security Rule - Risk Assessment
Measures, policies, and procedures to protect ePHI cover people, policies & procedures, and information assets, and apply to both covered entities (CE) and business associates (BA):
- Administrative Safeguards: Security Management Process; Assigned Security Personnel; Information Access Management; Workforce Training & Evaluation
- Physical Safeguards: Facility Access and Control; Workstation Security; Device and Media Control
- Technical Safeguards: Access Controls; Audit Controls; Integrity Controls; Transmission Security
*MIPS requirements and heightened awareness are driving adherence
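An added example (not from the presentation or from SPHER Inc.) of the Audit Controls and Information System Activity Review the slides describe: it reviews constructed EHR audit-log lines for two patterns this deck calls out, a workforce member viewing records of patients outside their care team and one account pulling an unusually large number of distinct patient records. The log format, field names, care-team table and threshold are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log (timestamp|user|patient_id|action|workstation).
# The twelve generated np.lee rows stand in for a bulk record pull.
SAMPLE_LOG = "\n".join([
    "2018-11-08T09:12:01|nurse.jones|P1001|VIEW_CHART|WS-ICU-3",
    "2018-11-08T09:15:44|nurse.jones|P1002|VIEW_CHART|WS-ICU-3",
    "2018-11-08T09:20:10|dr.smith|P1001|VIEW_CHART|WS-ICU-1",
    "2018-11-08T13:02:55|billing.kim|P1001|VIEW_CHART|WS-ADMIN-7",
    "2018-11-08T22:40:03|np.lee|P2001|VIEW_CHART|WS-CLINIC-2",
] + [f"2018-11-08T22:{41 + i:02d}:00|np.lee|P{3000 + i}|VIEW_CHART|WS-CLINIC-2"
     for i in range(12)])

# Constructed care-team assignments (patient -> users authorised to view).
CARE_TEAM = {
    "P1001": {"nurse.jones", "dr.smith"},
    "P1002": {"nurse.jones", "dr.smith"},
    "P2001": {"np.lee"},
}


def parse_log(text):
    """Parse pipe-delimited audit records into dicts with a parsed timestamp."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action, workstation = line.split("|")
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "patient": patient, "action": action,
                        "workstation": workstation})
    return records


def review_activity(records, care_team, bulk_threshold=10):
    """Return findings for the review period.

    ('outside_care_team', user, patient): an access by a user who is not on the
    patient's care team (a patient with no assignment record counts as not
    assigned, so the access is still surfaced for review).
    ('bulk_access', user, n): one account touched at least bulk_threshold
    distinct patients, the pattern behind list-style disclosures.
    """
    findings = []
    patients_per_user = defaultdict(set)
    for r in records:
        patients_per_user[r["user"]].add(r["patient"])
        if r["user"] not in care_team.get(r["patient"], set()):
            findings.append(("outside_care_team", r["user"], r["patient"]))
    for user, patients in sorted(patients_per_user.items()):
        if len(patients) >= bulk_threshold:
            findings.append(("bulk_access", user, len(patients)))
    return findings


def review_sample():
    """Run the review over the constructed log with the constructed care teams."""
    return review_activity(parse_log(SAMPLE_LOG), CARE_TEAM)


if __name__ == "__main__":
    for rule, user, detail in review_sample():
        print(f"{rule:18} {user:12} {detail}")
```

In a real deployment the care-team table would come from the EHR's encounter or scheduling data and the threshold from each role's normal workload, so the same review can run on a schedule rather than only after a complaint.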
The Cyber-Security Landscape
- Cybersecurity awareness and audit processes are lacking
- Continuing convergence of EMR/EHR solutions
- Unsecured health systems remain vulnerable
- Influx of personal/device IoT solutions
- Insider threats are increasing
- Phishing attacks are increasingly sophisticated
- Healthcare reform is impacting change/upgrades
- Breaches are accelerating: 171 million records in ‘17
Copyright 2018 SPHER Inc.
Find the PHI here: desktops, laptops, tablets, paperwork/files, printer, copier, physician’s BYOD, medical devices.
Or here as well
Layers of Security: Required Policies & Procedures
Physical > Perimeter > Hosting > Application > ePHI