Protecting Health Information: Health Data Security Training

Protecting Health Information: Health Data Security Training
How to secure patient information and manage your obligations under HIPAA, the HITECH Act and other federal and state data privacy and security laws
October 25, 2012
Colin J. Zick, Foley Hoag LLP, (617) 832-1275, czick@foleyhoag.com, www.securityprivacyandthelaw.com
2012 Foley Hoag LLP. All Rights Reserved.

Health Information Privacy and Security: Why Should It Be a Priority?
- More federal and state laws, increasing penalties.
- Theft of consumer information is increasing, resulting in: Attorney General investigations and settlements; private consumer litigation; harm to patients; and harm to businesses and their reputations.
- Recent enforcement actions of note: South Shore Hospital by the Massachusetts Attorney General's Office; and MEEI by HHS Office of Civil Rights.

Overview: What are the issues?
- Changing regulatory and technological environment.
- Old issues: subpoenas; patient requests for information.
- New technologies and issues: EHRs; mobile devices; cloud computing.
- Government audits and enforcement actions.

Release of Information Can Be Complicated!

Basic Questions:
- What is the patient record?
- Who owns/controls the patient record? Does it matter whether it is paper or EHR?
- When do you have to consider releasing or providing access to the patient record?
- What parts of the record should you release? What requires a higher level of authorization to release?
- Who should you tell before you release the record?
- Where can the record go? How should it get there?

What is the Record?
- The medical record is poorly defined, or not defined at all, under state law (e.g., correspondence, films, etc.).
- The designated record set includes the following information regarding care decisions: medical records; billing records; claims information.
- These may be kept in different places, on different media.

Categories of Record Requests
- Civil versus criminal requests for information: subpoenas versus summonses; attorney-issued versus court-issued; constitutional rights of the accused versus privacy rights.
- Requests for production of documents.
- Requests with patient authorization.
- Civil investigative demands.
In all of these types of requests:
- HIPAA applies.
- State confidentiality and privilege rules apply.
- Read the request and provide only what is requested.

Subpoena Basics:
- Subpoenas come in many shapes and sizes. The response analysis changes based upon the type of subpoena: federal/state; civil/criminal; investigative/administrative.
- HIPAA is a set of minimum privacy standards. As such, it generally pre-empts state law and state subpoena rules. However, where state law privacy protections for health information are more stringent than a HIPAA protection, the state protection should still govern. 45 C.F.R. 160.203(b).

What Else Does HIPAA Say About Subpoenas?
HIPAA permits disclosure without patient authorization:
- pursuant to a subpoena, discovery request, or other lawful process, provided the covered entity receives certain satisfactory assurances from the requesting party (either that efforts have been made to notify the subject individual or to obtain a protective order meeting certain criteria); or
- on the order of a court or administrative tribunal, provided that the covered entity discloses only the PHI expressly authorized by such order.
45 C.F.R. 164.512(e).

The New World: EHRs
- EHRs increase the amount of access exponentially, and therefore the risk of improper access: you and your staff have more access to other records; and others have access to your records.
- Look for/impose levels of access tied to job responsibilities.
- Maintain audit trails and periodic reviews of use.
- Do not share/loan passwords.
- Change passwords frequently.
- Use strong passwords (and don't write them down where they are easily found).
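The two controls the slide pairs together, access levels tied to job responsibilities and an audit trail that gets periodically reviewed, are easier to reason about in code. The following is an added illustration written for this page; it is not code from the presentation or from any EHR product. The role matrix, the job roles, the user and patient identifiers, the sample day of access requests and the review thresholds are all constructed here for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Least-privilege matrix: which sections of the patient record each job role may open.
# Constructed for the example; a real practice derives this from its own job descriptions.
ROLE_PERMISSIONS = {
    "physician": frozenset({"clinical_notes", "lab_results", "medications", "demographics"}),
    "nurse": frozenset({"clinical_notes", "medications", "demographics"}),
    "billing": frozenset({"demographics", "billing", "claims"}),
    "scheduler": frozenset({"demographics"}),
}


@dataclass(frozen=True)
class AuditEvent:
    """One line of the audit trail: who opened what, and whether the EHR allowed it."""
    timestamp: datetime
    user: str
    role: str
    patient_id: str
    section: str
    granted: bool


class EhrAccessControl:
    """Enforces the role matrix and records every attempt, granted or not."""

    def __init__(self):
        self.audit_log = []

    def request(self, timestamp, user, role, patient_id, section):
        granted = section in ROLE_PERMISSIONS.get(role, frozenset())
        # Denied attempts are logged too: they are the most useful signal at review time.
        self.audit_log.append(AuditEvent(timestamp, user, role, patient_id, section, granted))
        return granted


def periodic_review(audit_log, daily_patient_limit):
    """Turn the audit trail into findings for the periodic review of use.

    Two checks: repeated denied requests (a user reaching beyond their role), and a
    user opening more distinct patient records in one day than the practice
    considers normal for that role (a review threshold, not a hard block).
    """
    denied = defaultdict(int)
    patients_per_user_day = defaultdict(set)
    for ev in audit_log:
        if not ev.granted:
            denied[ev.user] += 1
        patients_per_user_day[(ev.user, ev.role, ev.timestamp.date())].add(ev.patient_id)

    findings = []
    for user, count in sorted(denied.items()):
        findings.append(f"{user}: {count} denied request(s) for sections outside assigned role")
    for (user, role, day), patients in sorted(patients_per_user_day.items()):
        limit = daily_patient_limit.get(role, 0)
        if len(patients) > limit:
            findings.append(
                f"{user} ({role}): opened {len(patients)} distinct patient records on {day}, "
                f"above the review threshold of {limit}"
            )
    return findings


def run_sample():
    """Constructed sample day of EHR use; returns (access_control, findings)."""
    def at(hour, minute):
        return datetime(2012, 10, 25, hour, minute)

    requests = [
        (at(8, 5), "n.lee", "nurse", "P0001", "clinical_notes"),
        (at(8, 30), "b.ortiz", "billing", "P0002", "claims"),
        (at(9, 10), "b.ortiz", "billing", "P0003", "clinical_notes"),  # outside billing role
        (at(9, 12), "b.ortiz", "billing", "P0004", "clinical_notes"),  # outside billing role
    ]
    # The scheduler opens the demographics of seven different patients in one morning.
    requests += [(at(10, i), "s.kim", "scheduler", f"P01{i:02d}", "demographics") for i in range(7)]

    ac = EhrAccessControl()
    for ts, user, role, patient_id, section in requests:
        ac.request(ts, user, role, patient_id, section)
    # Thresholds are deliberately small so the constructed sample trips one of them.
    limits = {"physician": 10, "nurse": 10, "billing": 10, "scheduler": 5}
    return ac, periodic_review(ac.audit_log, limits)


if __name__ == "__main__":
    for line in run_sample()[1]:
        print(line)
```

The point of logging denied attempts as well as granted ones is that a role matrix alone only tells you what was blocked, while the review step needs to see who keeps trying. The distinct-patients-per-day check is the usual complement: it catches browsing that the role matrix legitimately allows but that nobody's job actually requires.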

The New World: Mobile Devices and Laptops
- They increase ease of access, but also the risk of loss. Familiarity breeds contempt.
- Need to know what's on which device, and in what form.
- Need to know who has what, and that the use is authorized.
- Protect the devices against loss or improper access: password protected; data encrypted; and Lojack or other means of retrieval/securing if lost or stolen.

The New World: The Cloud
- What do we mean by the Cloud? Elements of cloud computing: cheap storage; easy access (too easy?).
- Security: the cloud itself is relatively secure. The issue is how you use it and for what.
- Do-it-yourself cloud handling of health information is not advisable for most practices.
- Contracts are complicated and can be difficult to negotiate.

Practices in Transition
- A generation of physicians is retiring and practices are consolidating. Their records are primarily paper records.
- Professional obligations require that physicians find a home for some of their records; others can be destroyed. No one wants to pay for this. Need to plan now for this eventuality.
- Some practices are willing to take records as a means of securing new patients. This creates transition issues, as acquiring practices often have EHRs: who pays the cost of bringing paper records into the EHR?

The Number and Size of Breaches Continues to Rise
- OCR posts on its website a list of HIPAA covered entities that have reported breaches of unsecured health information affecting more than 500 individuals. OCR's posting showed 500 health data breaches that impacted millions of individuals.
- This posting by OCR was required by the August 2009 Interim Final Rule, which was issued pursuant to the HITECH Act. In particular, section 164.408 of this breach notification interim final rule implements section 13402(e)(3) of the HITECH Act. The rule became effective September 23, 2009.
- Under this rule, breaches that affected 500 or more individuals must be reported to OCR within 60 days, via an OCR online notification form.
- Training materials and related guidance on breach notification can be found on the OCR web site.

Common Data Breach Scenarios
- Unintentional breaches
- Faithless employee/ex-employee
- Hackers & thieves / organized crime
- Competitive espionage

Preparing for and Responding to a Breach
- Compliance / developing information security programs
- Incident response and investigation
- Breach notification and resolution
- Litigation
- Government investigation

Federal HIPAA Settlements and Penalties
- Resolution Agreement with Providence Health & Services -- July 16, 2008: $100,000
- Resolution Agreement with CVS Pharmacy, Inc. -- January 16, 2009: $2.25 million
- Resolution Agreement with Rite Aid Corporation -- July 27, 2010: $1 million
- Resolution Agreement with Management Services Organization Washington, Inc. -- December 13, 2010: $35,000
- Civil Money Penalty issued to Cignet Health of Prince George's County, MD -- February 4, 2011: $4.3 million
- Resolution Agreement with General Hospital Corp. & Massachusetts General Physicians Organization, Inc. -- February 14, 2011: $1 million
- Resolution Agreement with Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. -- October 2012: $1.5 million

Colin J. Zick is a partner in Foley Hoag LLP's Administrative and Litigation practice groups. His work has had a particular emphasis on compliance issues related to pharmaceutical and medical device companies. This compliance work includes helping clients establish and maintain effective compliance programs. He counsels clients on issues involving information privacy and security, including HIPAA, state and federal data security laws, and the FTC Red Flag Rules, and blogs on these issues at www.securityprivacyandthelaw.com. Colin also defends clients in disputes alleging kickbacks, overpayments, and billing and coding problems, and represents clients before various state health care licensing and regulatory entities. Colin serves as the North America Regional Vice-Chair of the Lex Mundi Health Care Industries Practice Group and Co-Chair of the Boston Bar Association's Health Law Section. He has been ranked by CHAMBERS USA as one of Massachusetts' leading health care lawyers and selected by his peers as a Massachusetts Super Lawyer from 2004 through 2012. He can be reached at (617) 832-1275, czick@foleyhoag.com.