NPRM: Modifications to the HIPAA Privacy, Security, and Enforcement Rules under HITECH

Transcription

1 NPRM: Modifications to the HIPAA Privacy, Security, and Enforcement Rules under HITECH

2 Speakers Lisa A. Gallagher, BSEE, CISM, CPHIMS Senior Director, Privacy and Security HIMSS Amy S. Leopard Walter and Haverfield, LLP

3 Topic Overview Terminology Legislative/Regulatory History of HIPAA ARRA/HITECH What changes did it make to HIPAA? NPRM Background and Public Feedback Parameters NPRM Content Changes required by HITECH Additional changes to HIPAA beyond what is required by HITECH

4 Regulation Terminology After Congressional bills become laws, federal agencies are responsible for putting those laws into action through regulations. The types of regulations include: Notices from the Federal Register; Proposed Rules; Final Rules. Documents such as public comments and supporting materials are often associated with these regulations. (Rule and) Rulemaking A type of regulation that establishes a rule, the means by which congressional laws are implemented Rulemaking Process The process federal agencies use to formulate, amend or repeal a regulation. This process often contains a proposed rule and a final rule, and may accept public comments during specified time periods. Statute - Law a. an enactment made by a legislature and expressed in a formal document b. the document in which such an enactment is expressed 1 Federal Rulemaking Glossary accessed at: 2

5 Legislative History of HIPAA HIPAA Statute Required: Establishment of national standards for the electronic transmission of certain health information, Creation of standards for certain health care transactions conducted electronically and code sets and unique health care identifiers for health care providers and employers, Establishment of national standards to protect the privacy and security of personal health information, and Establishment of civil money and criminal penalties for violations of the Administrative Simplification provisions

6 HIPAA Regulations Requirements for Covered Entities Privacy Rule Protect individuals electronic health information by regulating the circumstances under which covered Have contracts or other arrangements in place with business associates Security Rule Applies only to protected health information in electronic form Implement certain administrative, physical, and technical safeguards to protect this electronic information

7 HIPAA Regulations Requirements for HHS Enforcement Enforcement Rule Establishes rules governing the compliance responsibilities of covered entities with respect to cooperation in the enforcement process Provides rules governing the investigation by HHS Provides rules for establishing the amount of a civil money penalty Establishes rules governing the procedures for hearings and appeals

8 ARRA/HITECH What changes did it make to HIPAA? Applied HIPAA to Business Associates - Priv & Sec Rule Created New/Updated Privacy Statutes Privacy Rule Breach Notification Accounting of Disclosures Marketing/Sale of PHI Patient Access/Disclosure Restrictions Limited Data Set/Minimum Necessary Modified Enforcement/Penalties - Enforcement Rule

9 Notice of Proposed Rule Making Modifications to the HIPAA Privacy, Security, and Enforcement Rules under the Health Information Technology for Economic and Clinical Health Act RIN: 0991-AB57 eve 60 day comment period from date of publication in Federal Register Publication date: July 14, 2010 Comment due date: September 13, 2010

10 Modifications to the HIPAA Privacy Rule

11 Modifications to the HIPAA Privacy Rule in this NPRM Applies Privacy Rule to BAs, provides transition provisions Modifies definitions of Healthcare Operations, Marketing Modifies definition of Minimum Necessary and discusses applicability to BAs Strengthens patient options to opt out of fundraising communications Modifies authorizations required for Sale of PHI Research - discusses Compound Authorizations and Authorizing Future Research Use or Disclosure Discusses PHI about Deceased individuals Discusses Disclosure of Student Immunization Records

12 HITECH for Business Associates New definition of BAs May not use or disclose PHI in violation of Privacy Rule Directly comply with all HIPAA Security Rule administrative, physical, and technical safeguards and documentation requirements Now subject to HIPAA civil and criminal enforcement and penalties in addition to contractual liability New duties under NPRM

13 Business Associate Definition Patient Safety Organizations (PSOs) HIOs and E-Rx Gateways Or person providing data transmission services with respect to PHI to CE and require access on a routine basis to that PHI Not: mere conduits for transport of PHI that do not access PHI on other than a random or infrequent basis Vendors offering PHR to individuals on behalf of a CE BA Subcontractors that create, receive, maintain or transmit PHI on BA s behalf All definitions apply even if CE/BA fails to enter required BAA

14 Business Associate Definition Not a BA and no BAA required clarifications Mere conduits for transport of PHI that do not access PHI on other than a random or infrequent basis CE PHI disclosures to a healthcare provider re: treatment Vendors offering PHR to individuals on their own behalf and not on behalf of CE But will be a PHR vendor subject to FTC Temporary PHR Breach Notification ( 13407) rules Proper health plan disclosures to plan sponsors under HIPAA Eligibility, enrollment and PHI collections between Govt. health and another government agency to extent authorized by law CE participating in an organized health care arrangement performing certain function or activity on behalf of OHCA involving PHI

15 BAA BAA Covered Entity Bus. Associate Subcontractor Downstream entities also must comply with Privacy and Security standards to same extent as BAs Subcontractor acts on behalf of BA, other than in the capacity of BA workforce member Create receive, maintain, or transmit PHI on behalf of a BA BA must obtain satisfactory assurances from subcontractor on privacy and security protections in the form of a BAA CEs not required to obtain BAA from subcontractor If BA knows of sub-ba pattern of activity or practice constituting breach of sub-ba s obligations under BAA, may need to either terminate BAA or report problem to HHS if termination not feasible NPRM new Business Associate proposed Chain of Trust concept 15

16 HIPAA/HITECH BA and Sub-BA Administrative Requirements Compliance Policies and Procedures Training Individual Rights Infrastructure for oversight HIPAA Privacy and Security P&P Functional training of workforce members E-access, e-copy and accounting for disclosures Designate Privacy & Security Officials Security Risk Assessment and procedures Workforce sanctions and non-retaliation Authorization for sale of PHI Compliance reporting and documentation, complaints, reviews and investigations Mitigate harmful effects of HIPAA violations Breach of Unsecured PHI notice Health plan disclosure restriction Right to amend 16

17 Amending BA Agreements NPRM Compliance deadlines and transition periods for BA agreements General Rule = must comply with final Rule no later than 180 days following the effective date Transition Period = 240 days (from the publication of final Rule) PLUS 1 year Conditions Must have compliant BAA or other agreement in place prior to the publication date of final Rule No renewal or modification between the effective date and the compliance date of final Rule.

18 Amending BA Agreements Regulatory issues See NPRM (e)(2) (e)(4) Pattern or practice, e-phi safeguards, unsecured PHI breach, HIPAA compliance, sub-baas and BA duty to maintain BAA with sub-ba under NPRM (e)(5) Consider timing, data use agreement issues when using a limited data set risk assessment of BA activities is critical issue Note: NPP and Authorizations will change as well under final rule

19 BAAs and Sub BAA Analysis More Sophisticated under HITECH BA is agent Full-blown PHI Sensitive Data Data Repository Confirmatory diligence LDS only BA High Level of Sophistication All Encryption + strong privacy LDS, No zip Or DOB Use of Sub-BA? Business Associate Agreements

20 Breach Notification HITECH Statutory Requirements Establishes a federal security breach notification requirement for breach of protected health information Requires each individual be notified if their unsecured PHI is accessed, acquired or disclosed as a result of the breach Requires notification to Sec HHS and prominent media outlets if more than 500 individuals impacted Applies to PHR vendors Interim Final Rule published effective Sept. 23, 2009 NPRM Specifications NOT ADDRESSED IN THIS NPRM Reference IFR, already in effect: ationifr.html

21 Accounting of Disclosures HITECH Statutory Requirements Gives patients the right to request an accounting of disclosures of their health information made through an EHR Secretary of HHS to promulgate regulations that take into account the interests of individuals in learning when and to whom their information is disclosed, the usefulness of the information to the individual, and the cost burden for such accounting NPRM Specifications NOT ADDRESSED IN THIS NPRM Subject of future rulemaking by HHS/OCR

22 Healthcare Operations NPRM Specifications Modifies the definition of health care operations to include a reference to patient safety activities Related to Marketing of PHI a communication by a covered entity or business associate that is about a product or service and that encourages recipients of the communication to purchase or use the product or service shall not be considered a health care operation and will now be considered marketing CEs/BAs may no longer receive payment in any for any communication now considered to be marketing, which is a change from HIPAA

23 Marketing/Sale of PHI HITECH Statutory Requirements Provides new restrictions on marketing using PHI Marketing Communications are not Health Care Operations (with some exceptions) Provides new restrictions on payment for PHI prohibits a CE/BA from receiving remuneration in exchange for any PHI without a valid authorization from the individual (with some exceptions)

24 Marketing Modify definition as follows: Sale Marketing/Sale of PHI NPRM Specifications revise the exceptions to marketing to better distinguish the exceptions for treatment communications from those communications made for health care operations; add a definition of financial remuneration provide that health care operations communications for which financial remuneration is received are marketing and require individual authorization; provide that written treatment communications for which financial remuneration is received are subject to certain notice and opt out conditions provide a limited exception from the remuneration prohibition for refill reminders; and remove the paragraph regarding an arrangement between a covered entity and another entity in which the covered entity receives remuneration in exchange for protected health information. Require a covered entity to obtain an authorization for any disclosure of protected health information in exchange for direct or indirect remuneration. This authorization must state that the disclosure will result in remuneration to the covered entity Exceptions generally follow statutory requirements Prohibits downstream disclosure for remuneration unless separate authorization in place

25 Research NPRM Specifications Compound Authorizations Discusses concerns with Compound Authorizations Discusses circumstances where they are allowed Authorizing Future Research Use or Disclosure Discusses allowing authorizations that include future research Makes clear it would not alter an individual s right to revoke the authorization for the use or disclosure of protected health information for future research at any time Specifically request comment on proposed changes

26 PHI about Deceased individuals NPRM Specifications Codifies Period of Protection 50 years Requests comments on this timeframe Discusses Disclosures About a Decedent to Family Members and Others Involved In Care

27 Disclosure of Student Immunizations to Schools NPRM Specifications HHS now regards disclosure of immunization records to schools to be a public health disclosure Once disclosed to school, information is protected by FERPA rather than HIPAA

28 Limited Data Set/Minimum Necessary NPRM Specifications Requires that covered entities to consider a limited data set as the minimum necessary for a particular use, disclosure, or request of protected health information, and requires the Secretary to issue guidance to address what constitutes minimum necessary under the Privacy Rule Requires that a covered entity or business associate that discloses protected health information for public health activities or research in limited data set form is also excepted from the authorization requirement Requesting comment on guidance needed

29 Fundraising NPRM Specifications Requires CEs to provide individuals with a clear and conspicuous opportunity to opt out of receiving fundraising communications and by requiring that an opt out be treated as a revocation of authorization under the Privacy Rule Requires CEs to inform individuals in its notice of privacy practices that it may contact them to raise funds for the covered entity Requires that fundraising materials sent contain a description of how the individual may opt out of receiving future fundraising communications Requires that a CE may not condition treatment or payment on an individual s choice with respect to receiving fundraising communications

30 Notice of Privacy Practices NPRM Specifications Requires statement(s) that: Describes the uses and disclosures of protected health information that require an authorization that other uses and disclosures not described in the notice will be made only with the individual s authorization Requires specific statement that most uses and disclosures of psychotherapy notes and for marketing purposes require an authorization Explains that authorizations are required for marketing and fundraising Clarifies that CEs must accept restriction requests and removes statement from NPP that CEs are not required to comply Request comment on whether NPP should contain discussion of CEs obligations with respect to Breach Notification Discusses/request input on how to reduce the burden to organizations of notifying individuals when there are material changes to NPP

31 Patient Access/Disclosure Restrictions HITECH Statutory Requirements Access - Gives individuals the right to receive an electronic copy of their PHI, if it is maintained in an electronic health record, for which the provider may charge a fee Disclosure describes the circumstances under which a CE must implement a request for restrictions of disclosures

32 Patient Access/Disclosure Restrictions NPRM Specifications Patient Access to Electronic Health Record Patient Right to Restrict Disclosures Requires a covered entity to agree to a restriction on disclosure to a health plan if: (A) the disclosure is for the purposes of carrying out payment or healthcare operations and is not otherwise required by law; and (B) the protected health information pertains solely to a health care item or service for which the individual, or person on behalf of the individual other than the health plan, has paid the covered entity in full. Clarifies that if a restriction placed on a disclosure to a health plan, the covered entity is also prohibited from making such disclosure to a business associate of the health plan.

33 Other Changes to Privacy Rule Other Technical and Conforming Changes Regulatory Analyses Includes regulatory impact statement Discusses cost and administrative burden of new provisions Discusses benefits to individuals

34 Modifications to Security Rule Applies all provisions of Security Rule to BAs Hybrid Organizations requesting comments Organizational - remove BAA contract requirements from Security Rule that are duplicative of those in Privacy Rule

35 Enforcement/Penalties HITECH Statutory Requirements Requires HHS to conduct periodic audits of covered entities and business associates Imposes direct civil money penalty liability on business associates for violations of the HITECH Act and certain Privacy and Security Rule provisions Allows criminal penalties to apply to individuals Provides new system of civil monetary penalties Modifies distribution of certain civil monetary penalties collected Requires HHS to investigate all complaints Allows State Attorneys General to bring a civil action in federal court on behalf of the residents of their state

36 Enforcement/Transition/Penalties NPRM Specifications Discusses HHS proposed approach to compliance monitoring, investigations Discusses principles of cooperation and assistance Clarifies definitions of terms such as reasonable cause, knowledge, reasonable diligence and willful neglect and provides illustrative examples Discusses basis for and determination of a civil money penalty Discusses transition period for BAs

37 Additional changes to HIPAA in NPRM to improve the workability and effectiveness of all three HIPAA Rules Changes term individually identifiable health information in the definition of business associate to protected health information Revises the definition of electronic media Discusses and clarifies preemption of state law

38 Meaningful Use Final Rules Webinar Series July 21 11:00 AM-12:00 PM Central Overview of Meaningful Use C. Martin Harris, MD, MBA, FHIMSS HIMSS Chairman of the Board July 28 12:00-1:00 PM Central Implications of Meaningful Use for Hospitals August 4 12:00-1:00 PM Central Implication of Meaningful Use for Eligible Professionals August 11 12:00-1:00 PM Central Meaningful Use and Quality Measures August 18 12:00-1:00 PM Central Regulatory Impact for Business Associates August 25 12:00-1:00 PM Central Overview of Standards, Implementation Specifications and Certification Criteria

39 Questions??