UNDERSTANDING HIPAA & THE HITECH ACT. Heather Deixler, Esq. Associate, Morgan, Lewis & Bockius LLP

Transcription

1 UNDERSTANDING HIPAA & THE HITECH ACT Heather Deixler, Esq. Associate, Morgan, Lewis & Bockius LLP 1

2 Objectives of Presentation Learn what HIPAA is Learn the purpose of HIPAA Understand who HIPAA regulates Understand what information is protected by HIPAA Understand the penalties associated with noncompliance 2

3 What is HIPAA? The Health Insurance Portability and Accountability Act of 1996 ( HIPAA ) is the federal medical privacy law HIPAA was enacted to: Increase efficiency and effectiveness of the health care system Protect the privacy and provide for the security of PHI Establish standards for accessing, storing and transmitting medical data and ensuring the privacy and security of PHI MOST IMPORTANT TAKE HOME OF THE DAY: It s HIPAA, NOT HIPPA. 3

4 The HIPAA Legal Timeline HIPAA (Aug. 21, 1996) The Health Insurance Portability and Accountability Act of 1996 ( HIPAA ) established baseline federal medical privacy and security standards. HIPAA Privacy Rule (Final Rule in Dec. 2000, modified in Aug. 2002): established rules to regulate the use or disclosure of PHI and provide individuals with certain rights with respect to such PHI. HIPAA Security Rule (Feb. 2003): established a system of reasonable and appropriate administrative, physical and technical safeguards for protecting PHI. The HITECH Act (Feb. 17, 2009): among other things, extended the reach of the HIPAA Privacy and Security Rules to business associates ( BAs ), imposed breach notification requirements on covered entities ( CE ) and BAs and created enhanced penalties. HIPAA Omnibus Final Rule ( HIPAA Final Rule ) (Jan. 25, 2013): amended the HIPAA Privacy and Security Rules and implemented requirements of the HITECH Act, extending certain HIPAA obligations to BAs and their subcontractors. - Compliance date for the HIPAA Final Rule is September 23, 2013.

5 What is the Purpose of the HIPAA Privacy and Security Rules? Individual Rights: To provide individuals with certain rights to their health information, including access to, and amendment of, such information. Restrict Uses and Disclosures of PHI To restrict how covered entities and business associates can use or disclose such information Security Safeguards To create a system of safeguards for securing such information 5

6 The HIPAA Privacy and Security Rules Privacy: refers to WHAT is protected health information about an individual, and restrictions placed on WHO may use, disclose or access the information Security: refers to HOW information is safeguarded system of administrative, physical and technical safeguards for electronic protected health information 6

7 What Information is Protected by HIPAA? Protected health information ( PHI ) is individually identifiable health information about an individual that is transmitted or maintained in any form (electronic, oral or written) where the information: Is created or received by a health care provider, health plan, employer or health care clearinghouse; Relates to: An individual s health or condition Provision of health care to an individual Payment for health care to an individual; and Identifies an individual, or there is a reasonable basis to believe it can be used to identify an individual But not de-identified information 7

8 PHI Individual Identifiers What are the individual identifiers? Names Geographic subdivisions smaller than a state: Street address City County Precinct Zip code, except for the initial 3 digits Dates, except year Birth date Admission date Discharge date Date of death Telephone numbers 8

9 PHI Individual Identifiers (cont d) What are the individual identifiers (cont d)? Fax numbers addresses SSN Social Security Numbers Medical Record Numbers Health plan beneficiary numbers Account numbers Certificate/license numbers VIN and serial numbers, including license plate numbers Device identifiers and serial numbers Web universal resource locations Internet protocol (IP) address numbers Biometric identifiers, including finger and voice prints Full face photographic images and any comparable images Any other unique identifying number, characteristic or code 9

10 Who is Regulated by HIPAA? Covered Entities Business Associates (Including Subcontractors) 10

11 What is a Covered Entity? Health plans (HMOs, employer group health plans) Health care clearinghouses Health care providers that engage in standard electronic transactions (hospitals, medical groups) 11

12 Who Is a Business Associate? A person or entity, other than a member of a covered entity s workforce, that creates, receives, maintains or transmits PHI on behalf of a covered entity for a function or activity regulated by HIPAA. Under the HIPAA Final Rule, the definition of business associate includes subcontractors of business associates. May be a covered entity. Billing Firms Clearinghouses Management Firms Lawyers, Actuaries Covered Entity Consultants, Vendors Outsourcing Vendors Accountants, Auditors Financial Services Accreditation Organizations 12

13 When Organizations May Act as a Business Associate Some examples of ways in which an organization may act as a business associate: Providing data management services to HIPAA covered entity customers (e.g., hospitals or health plans) Providing cloud storage services to business associates Providing legal services to a HIPAA covered entity 13

14 Privacy/Security Officer SECURITY OFFICER: Under the HIPAA Security Rule, covered entities and business associates are required to designate a Security Officer. PRIVACY OFFICER: Under the HIPAA Privacy Rule, covered entities are required to designate a Privacy Officer. While not required, it is highly recommended that business associates designate a Privacy Officer as well. 14

15 Minimum Necessary Covered entities and business associates shall request, use and disclose the minimum amount of PHI necessary to accomplish the purpose of the request use or disclosure, in accordance with HIPAA s minimum necessary standard Internal Requirements External Requirements Identify workforce who need access to PHI For each class/category of person identified, limit access based on need-toknow Limit access to what is needed to accomplish the purpose for which the request was made Each request that is nonroutine should be reviewed by the Privacy Officer 15

16 Uses and Disclosures Use: employment, application, utilization, examination or analysis of PHI within the covered entity/business associate. Disclosure: release, transfer, provision of access to, or divulging in any other manner, information outside of the covered entity/business associate. 16

17 Uses and Disclosures The HIPAA Privacy Rule permits a covered entity to use or disclose PHI without an authorization for the following purposes: Treatment Payment Health Care Operations These are often referred to as TPO 17

18 How May a Business Associate Use PHI? A Business Associate is generally limited to using PHI to provide services for a covered entity. this means that the business associate can use PHI ONLY for the purposes for which it was engaged by the covered entity client who provided such PHI. A business associate may expressly be permitted to: Provide data aggregation services De-identify PHI 18

19 Security Rule Compliance Necessary steps for Security Rule compliance: Conducting a formal security risk assessment; Implementing written policies and procedures with respect to Security Rule standards; Providing security training to workforce members Appointing a Security Officer to oversee Security Rule compliance efforts 19

20 The Dreaded Security Breach 20

21 The HIPAA Breach Notification Rule Breach is defined as the unauthorized acquisition, access, use or disclosure of PHI which compromises the security or privacy of such information. Unlike many state laws, applies to breaches involving both electronic and paper records. Risk analysis: HIPAA Final Rule: express presumption that incident is a breach UNLESS the covered entity/business associate can demonstrate that there is a low probability that the PHI has been compromised. 21

22 Four Factors of a Risk Analysis 1. Evaluate the nature and the extent of the PHI involved. 2. Who impermissibly used the PHI? To whom was the PHI disclosed? 3. Was PHI actually acquired or viewed or, did only the opportunity exist for the information to be acquired or viewed? 4. Consider the extent to which the risk to the PHI has been mitigated. 22

23 Covered Entity Reporting Obligations Covered Entities must notify: Individuals REPORTING TIMELINE: without unreasonable delay and no more than 60 days after discovery. Media (for breaches involving > 500 residents of a State or jurisdiction) REPORTING TIMELINE: without unreasonable delay and no more than 60 days after discovery. Secretary of HHS > 500 individuals: provide at same time as notice to indivs < 500 individuals: maintain a log, and provide annual notice to HHS 23

24 Business Associate Reporting Obligations Business Associates are required to notify covered entities whose unsecured PHI has been accessed, acquired or disclosed as a result of a breach. REPORTING TIMELINE: without unreasonable delay and no more than 60 days after discovery. Sometimes less depending upon the terms of the particular BAA. 24

25 Penalties Civil $100 to $50,000 per violation per person up to a maximum of $1,500,000 per person per year per standard violation Criminal Up to $50,000, 1 year in prison, or both, for inappropriate use of PHI Up to $100,000, 5 years in prison, or both for using PHI under false pretenses Up to $250,000, 10 years in prison or both, for the intent to sell or use PHI for commercial advantage, personal gain, or malicious harm 25

26 Drafting and Negotiating Business Associate Agreements DORIANN CAIN, ESQ. ASSOCIATE, BARNES & THORNBURG LLP

27 What is a Business Associate Agreement? A contract between a covered entity and business associate to ensure that the business associate will appropriately safeguard PHI. Also serves to clarify and limit the permissible uses and disclosures of PHI by the business associate A business associate may use or disclose PHI only as permitted or required by its business associate contract or as required by law.

28 Required Terms Establish the permitted and required uses and disclosures of PHI by the business associate; Provide that the business associate will not use or further disclose the information other than as permitted or required by the contract or as required by law; Implement appropriate privacy and security safeguards;

29 Required Terms Report unauthorized disclosures to the covered entity; Make available PHI under access, amendment and account of disclosures rights; Incorporate any amendments; To the extent the business associate is to carry out a covered entity s obligation under the Privacy Rule, require the business associate to comply with the requirements applicable to the obligation;

30 Required Terms Make available its practices, books and records to HHS for determining the covered entity s compliance; Return/destroy PHI upon termination of arrangement, if feasible; If not feasible, extend BAA protections Ensure subcontractors comply with the same BAA requirements as the business associate; and Authorize termination by covered entities.

31 Business Associate Agreement Form Templates HHS released a template in January of last year es/contractprov.html Beware of particular biases in the forms Language should be changed to more accurately reflect the services being provided by the business associate

32 HIPAA Omnibus Final Rule & BAAs Old Rule BA not directly liable for violations Contractually liable CE must have a written contract with BA that requires BA to safeguard PHI and not use or disclose PHI other than as provided by the contract BA must ensure that any subcontractors agree to the same restrictions New Rule BA directly liable for violations of applicable provisions of HIPAA Contract between CE and BA still necessary Now BA must comply with the Security Rule requirements Report to CE any breach of unsecured PHI If CE delegates Privacy Rule obligation to BA, BAA must require BA to perform in compliance with the Rule BAA between BA and subcontractor mandated Must be as stringent as the CE-BA contract

33 Business Associates and the Security Rule Business associates now mandated to comply with the Security Rule s requirements and implement policies and procedures in the same manner as a covered entity Requires business associates to implement safeguards in compliance with the Security Rule Business associates must conduct risk assessment and be more proactive and diligent to monitor new rules, regulations and guidance

34 Subcontractors and Business Associate Agreements Subcontractors now defined as business associates Obligation to enter into a BAA with a subcontractor will rest solely with the business associate, not the covered entity Business associate liability flows downstream Does not change parties to the BAAs Covered entity must have BAA with its business associate Business associate must have BAA with its subcontractor Downstream contract must be as stringent as the one above

35 Amending Business Associate Agreements Evaluate entities identity Business Associate? Covered Entity? Assess how PHI is being used Does the entity already have a BAA in place?

36 Compliance Dates For any BAA entered into on or after 1/25/13, compliance date was 9/23/13 If was BAA was in effect prior to 1/25/13 and HIPAA compliant at the time Compliance date is 9/23/14 if BAA was not renewed or modified between 3/26/13 and 9/23/13

37 Covered Entities & Negotiation of BAAs Manage risk and avoid liability Business associate held to a higher level of accountability Indemnification, insurance and other assurances from business associate beyond what is mandated under HIPAA for BAAs Business associate responsible for all costs associated with breach Review underlying agreement

38 Covered Entities & Negotiation of BAAs Assistance from business associate in event of breach Automatic termination of BAA for material breach Small timeframe for reporting a breach Right to review BAAs between business associates and subcontractors Right to inspect/audit/investigate

39 Business Associates & Negotiation of BAAs Provide notice to business associate of any limitation in NPP that may effect its use or disclosure of PHI Notify business associate of changes/revocation of individual permissions Notify business associate of restrictions to which covered entity has agreed No covered entity requests for business associate to act in a non-permissible manner

40 Business Associates & Negotiation of BAAs Contract limited to terms required under HIPAA Least restrictions on its use and disclosure of PHI obtained from the covered entity Minimize liability; no indemnification Chance to cure material breach Review underlying agreement

41 Questions?