
Data breach still compliance concern for health care providers

HIPAA, enacted in 1996 and amended and reinterpreted ever since, remains a very real compliance concern for healthcare providers. As an example, last year HHS collected $28.7 million from healthcare providers and payors over responses to data breaches that HHS considered inadequate.

According to Modern Healthcare, this is $5.2 million over the prior high for settlements and penalties, set in 2016. The 2018 figure is skewed by the $16 million settlement paid by Anthem for a breach involving approximately 79 million people. That breach occurred in 2015, and the settlement was the largest ever obtained by the HHS Office for Civil Rights.

Changes being discussed by HHS include the possibility of sharing a percentage of civil monetary penalties or monetary settlements with affected individuals; revisions to the HIPAA rules to accommodate the additional information sharing demanded by coordinated care, outcome-focused care and value-based payments; and reconciliation of behavioral health care’s 42 CFR Part 2 rules with HIPAA.



If you are concerned about how this issue affects your business or practice, contact Mary Holloway Richard, who represents and counsels clients on issues including healthcare compliance, health services contracting, reimbursement audits and appeals, OIG investigations, and regulatory and corporate matters.

Mary can be reached at 405.552.2403 or at mhrichard@phillipsmurrah.com.


NewsOK Q&A: U.S. businesses react to newly enforced EU privacy law


Mary Richard is recognized as one of the pioneers in Oklahoma healthcare law. She has represented institutional and non-institutional providers of health services, as well as patients and their families. She also has significant experience in representing providers in regulatory matters.

In this article, Oklahoma City healthcare attorney Mary Holloway Richard discusses GDPR, a newly enforced EU privacy law.

Q: What is the General Data Protection Regulation (GDPR)?

A: It’s a law regulating data protection and privacy for all individuals within the European Union (EU). It gives control to individuals over their personally identifiable information. It both standardizes the requirements throughout the EU and bolsters protections available to individuals amid well-publicized, costly data breaches in Europe. It’s a regulation rather than a directive, which means national governments within the EU don’t have to pass enabling legislation for these requirements to be effective. Rather, the regulation is directly binding on the members of the EU. The spirit of the General Data Protection Regulation also is embodied in recent legislation in the United Kingdom, providing consistency across Europe even though the U.K. withdrew from the EU effective in March. The regulation, passed two years ago, became effective May 22. Because of the length of time between passage and enforcement, there’s no transitional or grace period before compliance is required.

Q: How is this relevant to American businesses?

A: In certain circumstances the General Data Protection Regulation also applies to organizations and other businesses based outside of the EU if they collect and/or process personally identifiable information located within the EU. For example, U.S. companies offering a website to market their products or services to individuals within the European Community or scientific concerns actively engaged in recruiting individuals within the European Community to be subjects in clinical trials are required to comply. It’s important for such commercial concerns to act quickly to determine if they are covered by the General Data Protection Regulation as processors of data or collectors of such data from individuals within the EU. Concerned about the potential burden of compliance on foreign businesses, some international websites have taken steps to block EU users on the effective date, thereby removing the need to comply and ensuring against potential liability under the regulation. USA Today’s international website redirected users to simplified sites limited in scope. Other U.S. newspapers with European editions made them temporarily unavailable to readers in the EU. In another example of responses by U.S. companies, Instapaper, a read-it-later app, temporarily shut off access to European users to allow sufficient time for compliance.

Q: What type of data is protected by the General Data Protection Regulation and how’s it protected?

A: Personally identifiable information is anything that allows a living person to be identified directly or indirectly. Such data elements include name, email and home addresses, medical information, bank or other financial information, computer IP address and photos. A data processing officer must be appointed by businesses involved in processing or collecting data who is similar to a compliance officer with special information technology proficiency in managing and securing personal and sensitive data, as well as a local representative for the company. Individuals have the right to the portability (access) of their stored data, erasure of data in certain circumstances, the right to file complaints with the data processing authority and the right to contest automated decision-making made on a solely algorithmic basis. Data breaches must be reported in a manner similar to the Health Information Portability and Accountability Act of 1996 and its amendments (HIPAA).

Q: You mentioned HIPAA. Is informed consent required for American businesses engaged in business in Europe similar to that required for HIPAA?

A: Personally identifiable information may be lawfully processed under the General Data Protection Regulation with informed consent or with a legal basis for doing so which ranges from legitimate interests of the entity collecting the data or a third party performing a task under official authority in the public’s interest, in compliance with the controller’s legal obligation, in fulfillment of a contract with a data subject, and to protect vital interests of a data subject or another person. There are some similarities to the HIPAA informed consent and the various exceptions to the consent requirement including the requirements of clarity and the opportunity to withdraw consent. As with HIPAA, individuals must be apprised of their privacy rights and their ability to withdraw consent at any time under the General Data Protection Regulation.

Q: Are there exceptions or limitations to an individual’s right of access to information?

A: Limitations to disclosure and the individual’s right of access to protected data exist for overriding interests such as national security. Further, in recognition of the importance of providing health care across country boundaries and clinical research to fight disease, the General Data Protection Regulation doesn’t apply to statistical and scientific analyses. A recognition of the need to maintain the integrity of clinical research resulted in the limitation of the erasure right of the individual. The strengthened data protections of the General Data Protection Regulation are limited in the face of requirements of good science although companies engaging in clinical research, including patient recruitment in the EU, will need to evaluate their data compliance plans considering the requirements of the newly enforced law. In addition, the General Data Protection Regulation doesn’t apply to data related to employer-employee relationships.


Published: 7/20/18; by Paula Burkes
Original article: https://newsok.com/article/5601938/qa-with-mary-holloway-richard-u.s.-businesses-react-to-newly-enforced-eu-privacy-law

NewsOK Q&A: For health care providers, safeguarding patients’ electronic health information is also an employment matter


Mary Richard is recognized as one of the pioneers in Oklahoma healthcare law. She has represented institutional and non-institutional providers of health services, as well as patients and their families. She also has significant experience in representing providers in regulatory matters.

In this article for The Oklahoman, Oklahoma City healthcare attorney Mary Holloway Richard discusses why safeguarding patients’ electronic health information is also an employment matter.

Q: In preparation for an employee or other member of a health care company’s workforce quitting, what preventive steps can be taken to ensure that patients’ health information is protected?

A: Two particular measures are critical to health care providers, in their role as employers, to protect the private patient information. Those are preparation and training. First, advance preparation is essential. Administrative, technical and physical safeguards are mandated by HIPAA (the Health Insurance Portability and Accountability Act) and its amendments, and just as we recommend with regard to all types of health care compliance and regulations, a compliance plan should be in place to provide security for protected health information electronically maintained. The person responsible for a health care practice or company’s IT should perform periodic risk assessments, and sufficient access termination procedures should also be in place. Second, an important part of prevention is proper training. Just as we recommend preparation to respond to identity theft, employers must identify the individuals responsible for safeguarding electronically maintained protected health information and responding to a breach, and provide them with appropriate training. Since health care is such a labor-intensive industry, a high rate of personnel turnover requires proportionate re-training and monitoring of employees regarding compliance with privacy and other regulatory requirements.

Q: You mentioned termination procedures — what procedures provide effective deterrents to unauthorized use or access to electronically maintained protected health information in such situations?

A: As a part of an overall separation procedure, there are some critical checkpoints along the way. Health care providers/employers are advised to standardize the process and create a checklist of steps to be taken when an individual leaves. Document that these steps have been taken, including the return of any company equipment. Next, if the company or practice is large enough to have departments, it is important to quickly alert the department or staff members responsible for changing access to electronically maintained protected health information, deactivating or deleting user accounts and monitoring access. Also, after these and other important steps are carried out, I recommend a post-termination audit to verify that all necessary steps to cut off access to electronically maintained protected health information have been taken.

Q: What steps must be taken to terminate access to electronically maintained protected health information?

A: Such steps, in addition to terminating user accounts and reclaiming computers, laptops, iPads and cellphones, should include terminating access to the physical space, which may require changing locks, access codes, and authorized individuals lists. Obviously, keys, fobs, ID badges, card keys and other items by which the former employee gained access to the physical space must be reclaimed or reprogrammed so that access by the former employee or other former member of your company’s workforce to secure areas with electronically maintained protected health information is no longer possible. For all former employees, and particularly for those with remote access, deactivation of any remote accounts and accessibility should reach all levels of access so that portals, web access and email services are no longer accessible.
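The post-termination audit recommended in the two answers above can be made mechanical. The following is an added example, not code from the article or the firm: it takes a constructed inventory of the systems through which PHI can be reached (the system names, the record layout and the sample data are assumptions for illustration), checks each system independently for a departed workforce member, and reports every place access survived. It also covers the two cases a directory-only deprovisioning misses: a local account on a separate portal, and delegated access to someone else's mailbox that outlives the user's own account.

```python
"""Post-termination access audit (added example; assumed system names and data)."""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

# Systems through which electronically maintained PHI can be reached. Each is
# checked on its own because disabling the directory account does not disable
# local accounts on the EHR portal, VPN, email or badge system (assumed list).
PHI_SYSTEMS = ("directory", "ehr_portal", "vpn", "email", "badge")


@dataclass
class Access:
    system: str
    principal: str                     # login, mailbox or badge holder
    enabled: bool
    last_used: Optional[date] = None   # last successful sign-in or badge swipe
    delegates: List[str] = field(default_factory=list)  # others granted access to this account


def audit_departed_user(user: str, inventory: List[Access], separated_on: date) -> List[str]:
    """Return findings showing where access survived termination; an empty list means clean."""
    findings: List[str] = []
    seen = set()
    for a in inventory:
        if a.principal == user:
            seen.add(a.system)
            if a.enabled:
                findings.append(f"{a.system}: {user} is still enabled")
            if a.last_used is not None and a.last_used > separated_on:
                findings.append(
                    f"{a.system}: {user} signed in on {a.last_used}, after separation on {separated_on}"
                )
        # Delegated access rides on someone else's account, so it is checked on
        # every record regardless of whose it is and whether it is enabled today.
        if user in a.delegates:
            findings.append(f"{a.system}: {user} is still a delegate on {a.principal}")
    # A system with no record for the user was never deprovisioned on paper; verify it by hand.
    for system in PHI_SYSTEMS:
        if system not in seen:
            findings.append(f"{system}: no record for {user}; verify manually")
    return findings


# Constructed sample data: jdoe separated on 2018-05-01. The directory and
# email accounts were disabled, but the portal's local account and the VPN
# were missed, jdoe remains a delegate on a shared mailbox, and the badge
# system was never checked.
SEPARATED_ON = date(2018, 5, 1)
SAMPLE_INVENTORY = [
    Access("directory", "jdoe", enabled=False, last_used=date(2018, 4, 30)),
    Access("ehr_portal", "jdoe", enabled=True, last_used=date(2018, 4, 30)),
    Access("vpn", "jdoe", enabled=True, last_used=date(2018, 5, 3)),
    Access("email", "jdoe", enabled=False, last_used=date(2018, 4, 30)),
    Access("email", "billing-shared", enabled=True, delegates=["jdoe", "asmith"]),
]

if __name__ == "__main__":
    for finding in audit_departed_user("jdoe", SAMPLE_INVENTORY, SEPARATED_ON):
        print(finding)
```

Run against a real inventory, the audit is only as good as the inventory: the "no record" finding exists precisely so that a system nobody exported data from shows up as unverified rather than silently passing.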


Published: 5/9/18; by Paula Burkes
Original article: http://newsok.com/for-health-care-providers-safeguarding-patients-electronic-health-information-is-also-an-employment-matter/article/5593919

NewsOK Q&A: Laptop losses, misdirected faxes and phishing scams can lead to health information breaches

From NewsOK / by Paula Burkes
Published: May 1, 2015


Phillips Murrah’s Mary Holloway Richard provides medical providers tips for minimizing risk and damages related to health information breaches.

Mary Richard is recognized as one of the pioneers in health care law in Oklahoma. She has represented institutional and non-institutional providers of health services, as well as patients and their families. She also has significant experience in representing providers in regulatory matters.

Q: What do you recommend to hospitals, physicians and other providers to minimize the risk of a breach of confidential patient information and to lessen the degree of harm in the event of a breach?

A: I recommend creation in advance of a response process to enable a rapid, sensible response. The goals in such a plan (“Incident Response Plan” or “IRP”) are to demonstrate compliance with HIPAA (Health Insurance Portability and Accountability Act) and HITECH (Health Information Technology for Economic and Clinical Health) regulations and to mitigate any harm that may result from the breach.

Q: What specific steps should be taken to prepare for a breach?

A: The first step is to create an IRP that includes all appropriate parties and to appoint someone in the practice or facility who is knowledgeable about HIPAA and HITECH requirements. The second step is to make certain that the process created is a quick, sensible one. In addition, information technology (IT) components, such as encryption throughout the process, are imperative. The safe harbor provision of the breach notification rule establishes a certain standard of encryption and relieves the provider from breach notification responsibilities if the protected patient information has been properly encrypted. Most breaches result from lost IT assets such as phones, laptops and iPads. Fourth, the IRP must be supported by sufficient employee and staff training. I also recommend that you adequately document that this training took place. Finally, insurance should be in place to provide for risk transfer as needed. Cyberliability is a continually developing area along with a range of products that foresee types of breaches and predict costs that may be incurred.

Q: How do such losses occur?

A: Along with loss of IT assets, losses occur through misdirected faxes, disposal of nonshredded records, inappropriate disposal or destruction of paper, such as placing material in a dumpster without shredding, and mailing patient information to an incorrect address. Intentional loss or compromise of data can occur through a combination of IT and social engineering, such as where a person is tricked into clicking on a hyperlink or revealing a password. This occurs with spear phishing or false emails inserting malware in a system and is very difficult to control. In the case of Cryptolocker, the perpetrator makes a threat and requires payment to restore prevention. This also is called ransomware and can make the system and information completely inaccessible to everyone in your organization, effectively stymieing patient care and business operations.

(UPDATE) A look at the controversial Affordable Care Act on its fifth anniversary

By Mary Holloway Richard.


Mary Richard is recognized as one of the pioneers in health care law in Oklahoma. She has represented institutional and non-institutional providers of health services, as well as patients and their families. She also has significant experience in representing providers in regulatory matters.

(Updated 4/7/15)
President Obama has taken the occasion of the fifth anniversary of the signing of the Affordable Care Act (“ACA”) to characterize continued activities on the Hill to repeal it as renegade special interest activities. The ACA continues to be a subject of debate both in terms of its accomplishments—how many are newly covered and how much will be saved—and in terms of its public support.

While the Associated Press reported on March 23, 2015, that public support was down 5% since its passage, as one who daily writes and advises health care clients on matters related to the ACA, I can say with certainty that the depth and breadth of increased regulation spawned by the ACA are changing the nature of the system.

Those changes include responsive movement toward integrated health systems, mergers and affiliations; transition from quantity- to quality-based reimbursement; the relaxation of HIPAA standards in some respects and its tightening in others in the context of EHR transformation; and increased direct and indirect costs to employers as a result of new responsibilities.

Nearly fifty changes have been made to the ACA as of March 2, 2015, and this suggests a continuing need for providers, employers and business owners to remain informed and responsive to the moving regulatory compliance target.

On Monday, March 30, the Supreme Court rejected a new challenge to the Affordable Care Act (“ACA”) that targeted the Independent Payment Advisory Board (“IPAB”), a 15-member government panel which has been characterized as a “death panel” because of its intended role in cutting Medicare costs. The IPAB was to convene when the target growth rate for Medicare (3.03%) is exceeded. However, the growth rate is 1.15% according to CMS, and so the administration has not nominated any panel members. In declining to take up the case, the Supreme Court left undisturbed the dismissal of the lawsuit by the 9th U.S. Circuit Court of Appeals in San Francisco. The proponents of the ACA are calling this a win. Coons v. Lew, No. 14-525. Certiorari was denied by the United States Supreme Court on March 30, 2015.

NewsOK Q&A: Healthcare data hacking likely to require new state laws

From NewsOK / by Paula Burkes
Published: March 9, 2015

Phillips Murrah’s Joshua Edwards discusses healthcare data hacking

Hacking may bring more state laws, encryption of health data


Josh Edwards is a Director at Phillips Murrah law firm.

Q: How serious of a problem are healthcare data hacks for insurance companies, employer health plans and others in the healthcare industry?

A: Last month Anthem Inc., the second-largest health insurer in the U.S., announced hackers had stolen personal information, including names, dates of birth, member ID/Social Security numbers, addresses, phone numbers, email addresses and employment information of up to 80 million individuals covered under its health plans. The Anthem breach alone affects one out of every four Americans. This data can be sold on the black market and then used by identity thieves to commit financial crimes, as well as fraudulently obtain medical services and prescriptions. The FBI previously warned insurers and other companies in the healthcare industry that their data security systems lagged behind those of the financial and retail sectors and that they were particularly susceptible to cyberattacks given the value of such data to cybercriminals.

Q: What federal and state laws govern the security of healthcare data and a company’s obligations after discovery of a breach?

A: The primary federal law is the Health Insurance Portability and Accountability Act (HIPAA), which was amended in 2009 by the Health Information Technology for Economic and Clinical Health Act specifically to address electronic transmission and storage of protected health information (PHI). HIPAA governs the privacy and security of an individual’s PHI and requires certain kinds of technological safeguards to protect against unauthorized use and disclosure. In addition to HIPAA, earlier this year New Jersey passed a law requiring health insurers to encrypt all electronically stored personally identifiable information of New Jersey residents, and it seems likely we will see similar laws passed by other states as well. HIPAA also requires a company to notify affected individuals after discovering a breach of PHI. Forty-seven states also have their own breach notification laws, each of which has its own unique content and timing requirements.

Q: How does an insurer’s data breach impact employers who use the insurer for their health plans?

A: Events such as the Anthem breach affect not only the insurer, but also companies that partner with the insurer to provide health coverage to their employees. For companies with a fully-insured health plan, the insurer will be a “covered entity” under HIPAA and have primary responsibility for protection of PHI and compliance with the breach notification requirements. However, for self-insured health plans, an insurer serving as a third-party administrator will be considered a “business associate” under HIPAA, meaning primary responsibility for protecting PHI and notifying affected individuals and government agencies would fall to the employer. Regardless, employers should have a plan to address such concerns and keep employees informed.

Q: What should insurers and employers do upon discovery of a breach of healthcare data?

A: After a breach, both insurers and employers should review their contracts, including any business associate agreements, to determine their relative responsibilities as well as any indemnification rights and obligations. It’s also essential for both parties to know their duties under HIPAA and state breach notification laws so that compliant and timely notifications can be crafted and delivered to affected individuals and applicable federal and state agencies. Finally, a plan should be implemented for keeping affected individuals informed of the ongoing investigation, as well as strategies for protecting against identity theft and credit monitoring options that may be available.