When it Comes to Nonprofits, What is HIPAA Compliance and How do We Get There? MCN 2013 - Comm & Tech Conference Presentation (Barker, J. & Forbes, J. A.)

It's difficult to understand what HIPAA compliance means and how to wade through the many tech options available to decide which tools will help your org be compliant. This prezi will discuss the specifics of HIPAA law as it pertains to nonprofit IT.
by Joel Barker on 3 March 2015


Transcript of When it Comes to Nonprofits, What is HIPAA Compliance and How do We Get There? MCN 2013 - Comm & Tech Conference Presentation (Barker, J. & Forbes, J. A.)

Presenters
Jennifer Forbes is a lawyer and partner with the law firm of Felhaber, Larson, Fenlon & Vogt, P.A.
Joel Barker is president of Backpack Tactics, a Minnesota-based IT support firm.
Jennifer Forbes
Joel Barker
When it Comes to Nonprofits, What is HIPAA Compliance?
How do we get there?
About Jennifer's experience
Jennifer has over 25 years of experience representing nonprofits on a local and national basis with respect to their business, intellectual property and regulatory matters. Jennifer has special expertise in health care regulatory matters including HIPAA and HITECH compliance. She is skilled in condensing complex legal and regulatory issues into straightforward, practical legal advice. Jennifer is a frequent lecturer on HIPAA, HITECH and healthcare reform. She is a graduate of the University of Minnesota Law School with honors.
About Joel's experience
He has over 10 years of experience in the nonprofit sector. He is passionate about using technology to help nonprofits achieve their mission and grow their constituency. Over the past five years his technology enhancement strategies have helped organizations to collectively reduce operation costs by over $200,000 annually. Joel stays directly connected with the nonprofit sector as the assistant director of development at the nonprofit Fraser (the largest autism provider in Minnesota) and he serves on a few local nonprofit boards.
Your challenges
What are your day-to-day challenges?
Presentation Overview
What we'll touch on today
Quick recap...what is HIPAA?
Overview of HIPAA & HITECH law
The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) is the first federal law mandating privacy and security of protected health information for covered entities and their business associates.
Regulates “Covered Entities” + “Business Associates”
Protects against unauthorized use or disclosure of protected health information (PHI) & gives rights of access to patients.
Covered Entities = (1) healthcare providers; (2) health plans; (3) healthcare clearinghouses
Business Associates = anyone who accesses PHI for the purpose of providing services to covered entities.
What is HIPAA compliance?
Complying with the privacy rule and security rule:
Written Policies and Procedures and Forms consistent with the regulations
Training of Workforce
Technical security assessment and procedures
Physical security assessment and procedures
Administrative security assessment and procedures
Business Associate Agreements
Ongoing Audits
Notice of Privacy Practices & Privacy Officer
What is HITECH?
Health Information Technology for Economic and Clinical Health Act (2009) (“HITECH”) = HIPAA on steroids. It is an amendment to HIPAA that increases the risk and remedies and extends the reach of HIPAA.
Increased Statutory Penalties.
Right for State Attorneys General to bring private cause of action – you could be sued personally in state court.
Criminal Penalties for Individuals and Entities.
Business Associates and their business associates are now directly subject to HIPAA and may be sued directly.
OCR Audit Program
Requirement to notify individuals and government of Breaches of unsecured PHI.
HIPAA and Your IT System
Server
Workstation
Laptop
Tablet
Cell phones
USB storage devices
All other devices
Common Considerations
Personal Cell phones
Laptop
What challenges does your organization face with HIPAA and technology?
Q&A
Jennifer Forbes: jforbes@felhaber.com, (651) 312-6007
Joel Barker: joel.barker@backpacktactics.com, (612) 460-0092
HIPAA & HITECH overview
Compliance requirements
Audit considerations
Technology options available
System configuration options
Q&A
Recent Office for Civil Rights settlements
$1.5 Million – Sept 15, 2012 – Massachusetts Eye and Ear Providers settles claims of violations of HIPAA.
$1.7 Million – June 26, 2012 – Alaska DHSS (loss of portable device)
$1.5 Million – March 13, 2012 – BCBST – 57 unencrypted computer hard drives containing the PHI of over 1 million individuals stolen from a leased facility in Tennessee.
Examples of findings in these cases
Alaska DHSS:
did not have adequate policies and procedures in place to safeguard ePHI,
had not completed a risk analysis,
had not implemented sufficient risk management measures,
had not completed security training for its workforce members,
had not implemented device and media controls, or addressed device and media encryption as required by the HIPAA Security Rule.
UCLA Settlement (violations prior to HITECH)
$865,000 – UCLA
Employees accessing patient records without authorization
Resulted from complaints from celebrities who received care at UCLA
From 2005-2008 unauthorized employees repeatedly looked at electronic PHI of numerous patients
No restriction on access to records
Business Associates - What you need to know
Under HITECH, Business Associates are directly subject to the HIPAA Privacy and Security Rules.
Previously were only obligated through the Business Associate Agreement.
Now Business Associates may be directly liable.
Business Associates need to have all of the same policies, procedures, audits, privacy and security procedures in place.
Business Associates of Business Associates are also covered.
Audits
OCR contracted with KPMG for $9.2 million to pilot an audit program of up to 150 entities.
OCR has stated that the Audit Program will likely continue through 2014 and be expanded to include Business Associates.
Focus is on Privacy, Security and Breach Notification Rules.
Each audit will consist of a document review and an on-site visit. If an entity is selected for an audit, it will receive a written notice.
Audit Protocols are available at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html
Tracking and Reporting "Breaches"
Before HITECH, HIPAA did not require notice to individuals of an improper use or disclosure of their private patient information.
Now Providers must notify patients of “breaches” of their “unsecured PHI.”
For breaches involving over 500 patients, the notice must be published in the newspaper.
Reports must be made to HHS of all breaches.
This makes the issues public – increases risks.
Breach only applies to unsecured PHI
Encrypted or destroyed PHI can’t be subject to breach.
No breach for encrypted patient information sent via e-mail to the wrong person.
No breach if PHI is destroyed, burned or shredded; it will be considered unusable, unreadable, or indecipherable (not subject to breach).
BYOD
File sharing
Dropbox, personal email, USB keys, etc.
Technology Policy