NEWSLETTER. Volume Nine - Number One January The Final HIPAA HITECH Regulations: Making the Business Case for ERM


NEWSLETTER Volume Nine - Number One, January 2013

The Final HIPAA HITECH Regulations: Making the Business Case for ERM
A Special Expanded Edition of TRG enews

When the proposed final rule was sent to the Office of Management and Budget for review in March 2012, no one anticipated that it would take nine months for it to receive final approval. That being said, the final rule was announced on February 17 and published in the Federal Register on January 25. The rule changes take effect on March 26, 2013, with compliance expected for covered entities and business associates by September 23. The revised regulations impact HIPAA privacy and security, data breach requirements under HITECH, PSOs, and human research. In fact, the document published in the Federal Register is an omnibus provision that encompasses four rule changes. Although not mentioned in the final rule, ACOs are also affected by the revisions to the HIPAA regulation.

This is an expanded edition of TRG enews. Although discussed briefly in this edition, a future issue will examine the effect on ACOs in more depth. Similarly, the topic of another TRG enews will be the impact of the omnibus regulation on the implementation of the Genetic Information Nondiscrimination Act of 2008 (GINA) and state genetics requirements.

In this first issue of TRG enews for 2013, three broad questions are addressed. First, what are the key changes? Second, what are the key risk management issues stemming from the new requirements? And third, what steps can be taken to address these concerns from an enterprise risk perspective?

RMS NEWSLETTER ALL RIGHTS RESERVED 2013 PAGE 1

What are the Key Changes?

The document published in the Federal Register encompasses four final rules: Modifications to the HIPAA Privacy, Security and Enforcement Rules as required by the Health Information Technology for Economic and Clinical Health (HITECH) Act; HIPAA Enforcement Rule changes; Breach Notification for Unsecured Protected Health Information under HITECH; and Modification of the HIPAA Privacy Rule as necessitated by the Genetic Information Nondiscrimination Act or GINA. 2

HHS made clear that, in addition to the mandates that required the rule changes, it was using what it termed its general authority under HIPAA to make other modifications that are intended to increase workability and flexibility, decrease burden, and better harmonize the requirements with those under other Departmental regulations. 3

In broad terms, HHS provided a Summary of Major Provisions that offers a good 30,000-foot view of the regulatory changes. It provides as follows:

1. Final modifications to the HIPAA Privacy, Security, and Enforcement Rules mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act, and certain other modifications to improve the Rules, which were issued as a proposed rule on July 14. These modifications:
   - Make business associates of covered entities directly liable for compliance with certain of the HIPAA Privacy and Security Rules' requirements.
   - Strengthen the limitations on the use and disclosure of protected health information for marketing and fundraising purposes, and prohibit the sale of protected health information without individual authorization.
   - Expand individuals' rights to receive electronic copies of their health information and to restrict disclosures to a health plan concerning treatment for which the individual has paid out of pocket in full.
   - Require modifications to, and redistribution of, a covered entity's notice of privacy practices.
   - Modify the individual authorization and other requirements to facilitate research and disclosure of child immunization proof to schools, and to enable access to decedent information by family members or others.
   - Adopt the additional HITECH Act enhancements to the Enforcement Rule not previously adopted in the October 30, 2009, interim final rule (referenced immediately below), such as the provisions addressing enforcement of noncompliance with the HIPAA Rules due to willful neglect.
2. Final rule adopting changes to the HIPAA Enforcement Rule to incorporate the increased and tiered civil money penalty structure provided by the HITECH Act, originally published as an interim final rule on October 30.
3. Final rule on Breach Notification for Unsecured Protected Health Information under the HITECH Act, which replaces the breach notification rule's harm threshold with a more objective standard and supplants an interim final rule published on August 24.
4. Final rule modifying the HIPAA Privacy Rule as required by the Genetic Information Nondiscrimination Act (GINA) to prohibit most health plans from using or disclosing genetic information for underwriting purposes, which was published as a proposed rule on October 7.

The final rule takes effect on March 26. Covered entities and business associates must achieve regulatory compliance by September 23.

Key Risk Management Issues Stemming from the New Requirements

In enterprise risk management (ERM), healthcare organizations view a risk as a two-sided coin, one side being a possible exposure and the other an opportunity. The changes found in the omnibus rule fit this characterization. Many of the changes outlined in the rules reinforce, for many risk management professionals, the concerns that started with the first set of HIPAA regulations in December. For colleagues in states with longstanding requirements to safeguard patient information, HIPAA served to tighten the reins on such data. Although the risk exposure persists, the new regulations present an opportunity for change. For example, a modification to the definition of business associate helped to reinforce the point that a PSO under the Patient Safety Rule is in fact a business associate for purposes of HIPAA. 6 In another provision dealing with human research, the final rule change helps to eliminate the need for multiple authorizations to address conditioned and unconditioned research activities. 7

A preliminary step in ERM involves assembling a risk inventory. The Preamble to the final rule changes is filled with detailed responses to public comments received in response to proposed rule-making with regard to HIPAA Privacy, Security, Enforcement, HITECH, and GINA. Although it is at times tedious reading, it provides valuable insight into the thinking and enforcement potential of the OCR. As such, the Preamble is a useful tool in developing a risk inventory of the regulatory changes. No doubt, the new requirements raise the prospect of numerous operational, hazard, and financial risk exposures as well as legal and regulatory enforcement concerns. That being said, what are some of the key concerns for healthcare risk management professionals? Consider the following:

What should be in revised Business Associate Agreements?

It would be prudent to work with attorneys with expertise in healthcare compliance and HIPAA HITECH issues to make certain that business associate agreements are modified to reflect regulatory changes. For example, the regulatory changes include a revised definition of business associate to include a person who, on behalf of a covered entity, not only creates, receives, and transmits protected health information, but also one who maintains such data. 8 Also, revised business associate agreements (BAAs) would require the business associate to have with all its subcontractors either a written contract or another type of arrangement whereby the subcontractors agree to conform to HIPAA Privacy and HIPAA Security requirements. From a risk management standpoint, additional requirements may be added: when, how and to whom subcontractors should report HITECH data breach situations. Recognizing that the regulations set a minimum threshold, much more can be added to these agreements and to those between the business associate and its subcontractors. Such measures might include specifications for training, drills testing data system integrity and secure back-up systems, and requirements with respect to the types and limits of insurance coverage. As noted in the strategies section, it is useful to include input from the content experts in areas such as compliance, IT, and HIM in developing business associate agreements that work for the covered entity.

Do medical liability insurers or risk management activities require a BAA?

In the Preamble, HHS was quite clear about when a BAA is not required in the insurance arena. If a covered entity buys insurance, such as medical liability coverage, a BAA is not required. 9 A different answer results when the insurer provides the covered entity with a function or service that is not directly related to insurance. Thus, conducting a risk management assessment or providing legal services to the covered entity that involves access to PHI does require a BAA. 10 From an insurance and risk management standpoint, the Preamble draws an important distinction about when a BAA is required, namely when the service or product is not directly related to the provision of insurance benefits. As such, covered entities should require a BAA in such instances.

What should be included in the revised HIPAA Notice of Privacy Practices (NPP)?

The HIPAA Privacy Rule currently includes requirements applicable to most covered entities requiring them to have and distribute a Notice of Privacy Practices (NPP). The notice must describe permitted uses and disclosures of protected health information made by a covered entity. Additionally, the notice must describe the

legal duties and privacy practices of the covered entity toward protected health information. The rights of individuals with regard to their PHI must also be addressed in the notice. 11 The recent rule change requires inclusion in the NPP of a statement that indicates certain uses and disclosures of information require an authorization. 12 Although there had been such a requirement in place previously, the rule modification addresses use and disclosure of psychotherapy notes, PHI for marketing purposes (discussed later), and the sale of PHI. Providing further clarity for individuals, the modified rule calls for inclusion of a statement that other uses and disclosures not described in the NPP will only be accomplished with an authorization from the individual. Moreover, the NPP should include a statement that an individual has a right to, or will receive, breach notification regarding his or her unsecured protected health information. 13

Another important component of the NPP is the individual's newly added right to restrict some disclosures of PHI in instances in which the individual pays out of pocket for healthcare services or items. Here, the newly created right applies to what would otherwise be disclosures of protected health information to a health plan. The rule change makes it clear that only health care providers are required to include a statement about the out-of-pocket provision in the NPP. 14

No doubt there is standard language that should be included in the NPP. Legal counsel and the corporate compliance officer can provide guidance on what to incorporate in the NPP. From a risk management standpoint there are important points to consider regarding health literacy and physical challenges for individuals presented with an NPP.

The Preamble refers to the regulatory basis for some covered entities taking steps to ensure effective communication under the Americans with Disabilities Act and Section 504 of the Rehabilitation Act. It also mentions those covered entities that must comply with Title VI of the 1964 Civil Rights Act and provide access to translated versions of the NPP for those with Limited English Proficiency. 16 In practical terms, this means having available, for individuals who require it, NPPs in Braille, large-print tools and audio formats for the sight-impaired. It also means having language and terminology in the NPP that can be readily understood by individuals. As with consent forms, discharge instructions, and other patient-oriented information, the NPP should be made suitable to individuals who require such assistance.

When is an authorization required?

Generally speaking, a written authorization is needed when the use or disclosure of PHI is not otherwise permitted under the Rule. Additionally, there are three situations in which an authorization is required with respect to the use and disclosure of PHI. The first involves use and disclosure of psychotherapy notes. The second involves use and disclosure for marketing purposes. 17 The third situation is found in HITECH, dealing with the need for an authorization for the sale of PHI. 18 Even within these authorization-required situations there are specific provisions to understand and implement in a covered entity. There are also exceptions under HITECH. 19 From a risk management perspective, it is important to identify all relevant exceptions and when and how these provisions apply under the Privacy Rule and HITECH. For this purpose it would be useful to develop a matrix or grid that identifies when authorizations are required, each exception, and the criteria for applying an exception.

What should be the process for compound authorizations in human research?

Under the previous formulation of the Privacy Rule, covered entities were prevented from conditioning or basing treatment, payment, enrollment in a health plan, or benefits eligibility on an authorization from the individual. The rationale for this approach was to make certain that an authorization for the use or disclosure of PHI was obtained in a voluntary manner. Even under the previous regulatory construct, exceptions existed for a covered entity basing (conditioning) research-related treatment on securing an individual's authorization for the use or disclosure of PHI in such research activity. 20 Previously, the Privacy Rule precluded the use of so-called compound authorizations, meaning an authorization for the use and disclosure of protected health information combined with any other legal permission. 21

An exception did exist which permitted combining an authorization for a research study with any other written permission for the same study, including another authorization or informed consent to participate in the research. 22 As was noted in the Preamble to the revised regulations about the prior rule formulation, it prohibited combining an authorization that conditions treatment, payment, enrollment in a health plan, or eligibility for benefits (conditioned authorization) with an authorization for another purpose for which treatment, payment, enrollment, or eligibility may not be conditioned (unconditioned authorization). 23 [Emphasis added] Concerns about the effect of these limitations extended to corollary research activities, that is, when protected health information is used or disclosed to create or to contribute to a central research database or repository. 24 As a result, covered entities had to obtain separate authorizations from research participants for a clinical trial that also collected specimens with associated protected health information for a central repository. As was noted in the Preamble, there was a concern that these multiple authorization forms had the potential to confuse research subjects and/or dissuade them altogether from participating in a clinical trial. 25

To address these concerns, HHS modified the existing Privacy Rule, permitting a covered entity to combine conditioned and unconditioned authorizations for research as long as there is a clear differentiation in the authorization between the conditioned and unconditioned components of the research. A key aspect, too, is that individuals have the option to opt into unconditioned research activities. This new approach applies to any type of research except activity that involves the use or disclosure of psychotherapy notes. 26

There are some important risk management considerations on compound authorizations. First, there is no room for an opt-out provision. Instead, participation in research using a compound authorization requires an affirmative step, an opt-in by the individual. Second, the compound authorization does not eliminate the need to comply with the informed consent requirements for clinical research found under applicable regulations. Third, with regard to future research, HHS has modified its interpretation of the Privacy Rule and will no longer insist that an authorization for uses and disclosures of PHI must be study-specific. In other words, such an authorization may cover future research. As suggested in the Preamble: an authorization for uses and disclosures of protected health information for future research purposes must adequately describe such purposes such that it would be reasonable for the individual to expect that his or her protected health information could be used or disclosed for such future research. This could include specific statements with respect to sensitive research to the extent such research is contemplated. 27

There is ample opportunity for a cooperative response to the modified rule and interpretation on compound authorizations. This change merits the attention of risk management professionals, legal counsel, members of the IRB, the research office, and principal investigators.

What process will be put in place to address the revised HIPAA Marketing Rule?

The final rule considers subsidized treatment communications as marketing communications. As such, the individual must sign an authorization for this purpose. The individual may revoke the authorization to receive marketing communications. 28 The Privacy Rule change brings the regulation into alignment with the HITECH Act on this point. 29 In practical terms, when marketing communications involve financial remuneration, the covered entity must secure a valid authorization from an individual prior to using or disclosing PHI for such purposes. Moreover, the covered entity must disclose that a third party is providing the financial remuneration. 30 Business associates that receive financial remuneration from a third party in exchange for making a communication about either a product or service also require a prior authorization from the individual. 31 Marketing is defined in the final rule as making a communication about a product or service that encourages recipients of the communication to purchase or use the product or service. 32 There are also exceptions that do not constitute marketing for purposes of the final rule. 33

What constitutes financial remuneration? As defined in the Final Rule, it means direct or indirect payment from or on behalf of a third party whose product

or service is being described. Direct or indirect payment does not include any payment for treatment of an individual. 34 In practical terms the final rule does not prevent health promotion efforts such as encouraging healthy foods or routine health screens. Moreover, since there is no commercial component to government or government-sponsored programs, communications about Medicare, Medicaid or the CHIP program do not require an authorization from an individual. 35

Risk management and marketing professionals are apt to receive many inquiries about when an authorization is necessary for marketing purposes. Anticipating these concerns, it will be important to offer practical in-service programs and to work with legal counsel in developing appropriate contract language for business associates with regard to marketing activities.

What process will be in place to address fundraising activities under HIPAA?

The existing Privacy Rule allows a covered entity to use, or to disclose to a business associate or an institutionally-related foundation, some aspects of an individual's PHI for fundraising purposes. The current rule does not require the covered entity to first obtain an authorization from the individual. Thus an authorization is not required for an individual's demographic information and the dates on which health care was provided to the individual. 36 The HITECH Act necessitated a change in the Privacy Rule provision on fundraising. According to the HITECH Act, the recipient of any fundraising communication must be provided with a clear and conspicuous opportunity to opt out of additional fundraising communications. It is the obligation of the covered entity to provide this notice. 37 If the individual does opt out of receiving additional fundraising communications, that choice has to be treated as revocation of authorization under the Privacy Act. 38

There are other key points about the Final Rule and fundraising:
- Beyond individual demographic information such as names, addresses, age, gender, and dates of birth, the PHI used may now include dates of health care provided to an individual, the department of service, treating physician, and outcome information as well as health insurance status. 39
- Covered entities are not required to send pre-solicitation opt-outs to individuals before the first fundraising communication.
- Fundraising activities covered by the Final Privacy Rule include telephone communications. [As noted in the Preamble to the omnibus regulation, HITECH applies to written communication.] Thus covered entities that use phone-based fundraising communications must clearly inform individuals of their right to opt out of further solicitations.
- The notice of privacy practices or NPP must inform individuals that a covered entity may contact them to raise funds for the covered entity and that an individual has a right to opt out of receiving fundraising communications.
- The notice and opt-out requirements are inapplicable if the covered entity does not use protected health information to send fundraising materials. For example, when a public directory is used to mail fundraising communications to all individuals residing in a geographic service area, the notice and opt-out requirements are not applicable. 40

For risk management professionals, these changes offer an opportunity to work collaboratively with colleagues in law, compliance, and fundraising to develop clear policies and protocols for fundraising activities. Knowing when the opt-out mechanism applies and when a notice is required is important as well. Clear messaging in the Notice of Privacy Protection is essential if individuals are to understand the opt-out provision.

What steps will be followed to comply with an individual's expanded right to receive electronic health information?

Under the Final Rule a covered entity must provide readily producible electronic copies of PHI to an individual. 41 This does not mean, however, that the covered entity must acquire either new software or a new computer system to furnish an electronic copy in a format requested by the individual. The key point is that the covered entity provides an electronic copy that encompasses all electronic protected health information held by the covered entity in a designated record set, or the subset of electronic protected health information specifically requested by the individual, at the time the request is fulfilled. 42

The Final Rule makes clear that a covered entity may send protected health information to an individual using unencrypted email. HHS dismissed the idea

that it would be unduly burdensome for covered entities to warn individuals about the risks of transmitting PHI using unencrypted email. On this point HHS said: We merely expect the covered entity to notify the individual that there may be some level of risk that the information in the email could be read by a third party. If individuals are notified of the risks and still prefer unencrypted email, the individual has the right to receive protected health information in that way, and covered entities are not responsible for unauthorized access of protected health information while in transmission to the individual based on the individual's request. Further, covered entities are not responsible for safeguarding information once delivered to the individual. 43

Interestingly, HHS rejected the idea that covered entities must educate individuals about encryption technology and information security, yet it created a duty to warn or notify the individual that there could be some level of risk that the email could be read by a third party. 44 From a risk management standpoint, how does one warn if the person receiving the information does not understand the context for the risk? Is it really an informed decision? Interestingly, the Preamble discussion on the subject was silent about how a covered entity should go about warning the individual about the risk. Although HHS might not expect covered entities to educate individuals or determine whether they understand the risks associated with transmission of PHI via unencrypted email, it does not prevent covered entities from taking such measures. This is an area ripe for risk mitigation. Developing and using health literacy-tested information to explain the risk, and then documenting the completion of the duty to warn, are well within the scope of risk management activities that would benefit from input from colleagues in patient relations and law. Particular attention might be paid to those with physical challenges for whom it is difficult to read or hear an explanation, as well as those who require language translation.

What measures will be used to implement the child immunization disclosure provision?

The Final Rule permits a parent or a guardian to give an oral or written agreement to a covered entity to disclose a child's proof of immunization to schools that require such information for entry. The net effect of the rule eliminates the need for a formal HIPAA authorization for this purpose. 45

An important consideration from a risk management perspective is how to document such a transaction. The regulators did not set a rigid structure for documentation. Instead, it is left up to the covered entity to decide what is appropriate. Hence, a covered entity may decide to retain a copy of the written agreement or emailed agreement in the patient's record. HHS went so far as to suggest that in the case of a telephone request, a notation could be made in the patient's medical record. 46

There are some risk management issues that should be considered when using any emailed or verbal authorization. How would one know that the request is coming from a parent or guardian? How would one know in a divorce situation whether or not the parent who makes the request is authorized to do so? This is not a matter of speculation. Recording a simple note to the effect that "Parent gave authorization to send immunization record to child's school" is not sufficient from a risk management standpoint. Rather, any notation should be timed, dated, and signed. The content of the note should include the name of the person giving the authorization and his or her relationship to the child, such as parent or guardian. As with all documentation practices, the covered entity should have a process in place to capture relevant information. Personnel handling such requests should know how to handle unusual requests, such as when a grandparent or a child's aunt calls and asks to have the immunization record sent to a patient's school. 47 Exceptional cases are apt to occur and covered entity personnel should have readily available guidance to help them in handling such matters. Finally, the interplay of the HIPAA Privacy Rule and FERPA, the Family Educational Rights and Privacy Act, should be factored into the directions given to covered entity personnel. 48

What should be understood about Federal agency law and liability exposure under the revised regulations?

The Civil Monetary Penalty (CMP) section in the omnibus regulation reinforces the point that, just as there is agency liability under state law, the same is true under Federal law. Going forward, covered entities and business associates alike are liable for the acts of their business associate agents, in accordance with the Federal common law of agency. This is true even if the covered entity has in place a regulatory-compliant business associate

14 agreement. 49 The rationale for the regulatory change was to make certain that when a covered entity or business associate has delegated out an obligation under the HIPAA Rules, that a covered entity or business associate would remain liable for penalties for the failure of its business associate agent to perform the obligation on the covered entity or business associate's behalf. 50 Similar to state agency law principles, the presence of an agency relationship comes down to the right of the covered entity to exert control over the business associate s conduct during the course of completing work for the covered entity. A similar analysis is used with regard to the existence of an agency relationship between a business associate and its subcontractor. Each situation is fact-specific, taking into consideration under Federal agency common law when determining the scope of an agency relationship: (1) The time, place, and purpose of a business associate agent's conduct; (2) whether a business associate agent engaged in a course of conduct subject to a covered entity's control; (3) whether a business associate agent's conduct is commonly done by a business associate to accomplish the service performed on behalf of a covered entity; and (4) whether or not the covered entity reasonably expected that a business associate agent would engage in the conduct in question. 51 Further, simply using a phrase or label such as independent contractor in an attempt to set apart the relationship will not work for purposes of Federal common law agency principles: Rather, the manner and method in which a covered entity actually controls the service provided decides the analysis whether a business associate is an agent and consider the totality of the circumstances involved in the ongoing relationship between the parties. 52 The Federal common law agency concept is important due to the Civil Monetary Penalty provisions in the Final Rule. 
The degree of the penalty 53 is impressive, RMS NEWSLETTER ALL RIGHTS RESERVED 2013 PAGE 14

15 especially when put into context: (1) A covered entity is liable, in accordance with the Federal common law of agency, for a civil money penalty for a violation based on the act or omission of any agent of the covered entity, including a workforce member or business associate, acting within the scope of the agency. (2) A business associate is liable, in accordance with the Federal common law of agency, for a civil money penalty for a violation based on the act or omission of any agent of the business associate, including a workforce member or subcontractor, acting within the scope of the agency. 54 What is the take-away here? For risk management professionals and legal counsel it goes beyond careful drafting of BAAs and subcontractor agreements. To avoiding agency liability it means adhering to terms and conditions and avoiding steps that could trigger such liability. Education will be essential on this point for those responsible for making business associate and subcontractor relationships. Adoption of the HITECH Civil Monetary Tiered Penalty Provisions in the HIPAA Enforcement Rule. One of the major concerns under HIPAA and HIPAA is the matter of the penalty provisions. HHS had issued an interim final rule in response to a provision found in the HITECH Act. 55 HHS moved to a tiered penalty provision to align with the HITECH Act. The tiered approach allows for an increased amount of a penalty based on the degree of culpability associated with each tier. The new approach under the interim final rule applied to violations after February 18, The Final Rule retained the tiered penalty provision as described in the Preamble. 
57

Violation category (Section 1176(a)(1))   | Each violation    | All such violations of an identical provision in a calendar year
(A) Did Not Know                          | $100-$50,000      | $1,500,000
(B) Reasonable Cause                      | $1,000-$50,000    | $1,500,000
(C)(i) Willful Neglect - Corrected        | $10,000-$50,000   | $1,500,000
(C)(ii) Willful Neglect - Not Corrected   | $50,000           | $1,500,000

It was made clear in the Preamble that HHS will refrain from imposing the maximum penalty in all cases. Instead, acting on a case-by-case basis, it will take into consideration the nature and extent of the violation and the nature and extent of the resulting harm, as required by the HITECH Act. HHS will also take into consideration the financial condition and size of the covered entity or business associate. 58 Indeed, the Rule describes in detail how HHS weighs various factors when determining a CMP. 59 The penalty aspect of the regulation also addresses the use of affirmative defenses 60 and a thirty-day cure period for willful neglect violations. 61 The Preamble discussion on both defenses and the 30-day cure period should be useful for risk management, compliance, and legal services professionals. Knowing that the imposition of penalties involves a case-by-case analysis underscores the importance of a prompt response to violations under the regulation and of substantiated efforts to address them.

HIPAA Security Rule Changes. The omnibus regulation made changes to the HIPAA Security Rule that were required as a result of the HITECH Act. There were also some technical changes made to the Security Rule. These modifications include implementing the HITECH Act requirement that extends direct liability for compliance with the Security Rule to business associates, 62 and clarifying that it is the responsibility of a business associate, not the covered entity, to secure what are described as satisfactory assurances from the subcontractor to protect the security of electronic protected health information. 63

It was recognized that smaller and less sophisticated business associates may not have addressed the formal administrative safeguard requirements found under the Security Rule, including the performance of a risk analysis, putting in place a risk management program, implementing written policies and procedures, designating a security official, or providing employee training in accordance with the legislation and the regulation. However, the Preamble pointed out that both covered entities and business associates should choose security measures appropriate for their size, resources, and the nature of the security risks they face, enabling them to reasonably implement any given Security Rule standard. In deciding which security measures to use, a covered entity or business associate should take into account its size, capabilities, the costs of the specific security measures, and the operational impact. 64

From a risk management perspective, there is a clear inference that can be drawn here: there is no excuse for not putting in place an appropriate process to achieve compliance with the Security Rule. Indeed, business associates were encouraged to access education material and regulatory compliance guidance on the topic at the OCR website. 65 Other changes to the Rule addressed definitions, agreements between business associates and subcontractors that create, receive, maintain or transmit electronic PHI, and the responsibility of the subcontractor to notify the business associate about any security incident, including breaches of unsecured PHI. The latter is particularly relevant on the issue of breach notification and merits careful operational review by those overseeing and enforcing the Security Rule provisions. 66

What needs to be known about breach notification? To implement the breach notification provisions of the HITECH Act, 67 a new subpart D was added to Part 164, title 45 of the Code of Federal Regulations. HHS worked closely with the Federal Trade Commission (FTC) on breach notification, as the latter was given the responsibility for enforcing rules on the subject for vendors of personal health records or PHRs. 68 A major change in the final rule replaces the harm threshold for breach notification in the interim final rule published in August 2009 with an objective standard. The definition of breach is also modified in the final rule, now providing that an impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised.
69 [Emphasis added]

The effect of this change is to create a breach presumption necessitating notification unless the covered entity or business associate can demonstrate that a low probability exists that protected health information has been compromised. Also, the breach presumption does not apply in the exceptions identified in the HITECH Act:

(1) Unintentional acquisition, access, or use of protected health information by an employee or other person acting under the authority of a covered entity or business associate, if such acquisition, access, or use was made in good faith and within the course and scope of the employment or other professional relationship of such person with the covered entity or business associate, and such information is not further acquired, accessed, used, or disclosed by any person (section 13400(1)(B)(i));

(2) inadvertent disclosure of protected health information from one person authorized to access protected health information at a facility operated by a covered entity or business associate to another person similarly situated at the same facility, where the information received is not further acquired, accessed, used or disclosed without authorization by any person (section 13400(1)(B)(ii) and (iii)); and

(3) unauthorized disclosures in which an unauthorized person to whom protected health information is disclosed would not reasonably have been able to retain the information (section 13400(1)(A)). 70

When invoking one of the exceptions, a covered entity or business associate has the burden of proof to demonstrate why breach notification is not required. 71 This is a major departure from the interim final rule. HHS indicated that the change was made to achieve more uniform assessments. Thus, breach notification is not required under the final rule if a covered entity or business associate, as applicable, demonstrates through a risk assessment that there is a low probability that the protected health information has been compromised, rather than demonstrating that there is no significant risk of harm to the individual, as was provided under the interim final rule. 72 To implement this new approach, the Final Rule includes several objective factors to consider when conducting a risk assessment to determine the need for breach notification.
These factors include:

(1) The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification. Consider the type of protected health information involved in the impermissible use or disclosure, such as whether the disclosure involved information that is of a more sensitive nature. Think about financial information such as credit card numbers or social security numbers that may increase the opportunity for identity theft and fraud. Consider, too, detailed clinical information such as an individual's treatment plan, diagnosis, medication, medical history information and test results. Determine whether there is a likelihood that released PHI could be linked to other available data, making the breach more harmful or making de-identified information re-identifiable. 73

(2) The unauthorized person who used the protected health information or to whom the disclosure was made. Determine whether the unauthorized recipient of the information has obligations to protect the privacy and security of the data. If released to another entity obliged to follow the HIPAA Privacy and Security Rules, the Privacy Act of 1974 and the Federal Information Security Management Act of 2002 (FISMA), a lower probability may exist for compromise of the PHI, since the recipient understands the importance of protecting similar information. Also, to the extent the impermissibly used or disclosed data is not immediately identifiable, it is important to determine whether the unauthorized recipient has the ability to re-identify the information. 74

(3) Whether the protected health information was actually acquired or viewed, or alternatively, whether only the opportunity existed for the information to be acquired or viewed. If a laptop that had been stolen is recovered and it is determined through a forensic review that the PHI on the hard drive had not been accessed, viewed, transferred or compromised in any way, the risk investigation could conclude that despite the opportunity to do so, an unauthorized individual did not acquire the PHI on the laptop.
75

(4) The extent to which the risk to the protected health information has been mitigated. Covered entities and business associates should attempt to mitigate the risks to the protected health information following any impermissible use or disclosure, such as by obtaining the recipient's satisfactory assurances that the information will not be further used or disclosed (through a confidentiality agreement or similar means) or will be destroyed, and should consider the extent and efficacy of the mitigation when determining the probability that the protected health information has been compromised. For example, a covered entity may be able to obtain and rely on the assurances of an employee, affiliated entity, business associate, or another covered entity that the entity or person destroyed information it received in error, while such assurances from certain third parties may not be sufficient. 76

It was noted in the Preamble that covered entities and business associates are obliged to evaluate all of these risk factors in combination. The assessments are expected to be thorough, done in good faith, and to reach reasonable conclusions. If it is determined that there is not a low probability that PHI has been compromised, a breach notification is required. 77 From a practical standpoint, a covered entity or business associate may proceed with a different course of action. Since the final regulation has a built-in presumption that a breach has taken place, rather than go through a detailed analysis each time, it may be easier to proceed with a breach notification. 78

There are other important aspects to the Breach Notification Rule that HIM, risk management practitioners, legal counsel and compliance should evaluate in honing policies, procedures, and processes on the topic. These topics include:

Time of discovery of the breach. 79

Timeliness of notification.
80 Content of Notification, as adopted from the Interim Final Rule, to include: (1) a brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known; (2) a description of the types of unsecured protected health information that were involved in the breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved); (3) any steps individuals should take to protect themselves from potential harm resulting from the breach; (4) a brief description of what the covered entity involved is doing to investigate the breach, mitigate the harm to individuals, and protect against any further breaches; and (5) contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address. 81

Methods of Notification for affected individuals: in written form using first-class mail to the individual's last known address or, if the individual has agreed to receive written notice in the form of electronic mail, by e-mail. 82 Provision is also made for substitute notice. This includes a process for cases with 10 or more individuals for whom the entity has out-of-date contact information. This mechanism includes using a posting on a Web site or a conspicuous notice in major print or broadcast media. 83 Provision is also made for a telephone notice where there is possible imminent misuse of unsecured protected health information. 84 Interestingly, the Preamble notes a process for handling cases in which a health care provider believes that the provision of written breach notification to an individual may cause extreme anguish or distress, based on the individual's mental state or other circumstances: the provider may telephone the individual prior to the time the breach notice is mailed or have them come into the provider's office to discuss the situation. Where a provider is aware that an individual has a personal representative due to incapacity or other health condition, the breach notification may be sent to the personal representative. 85

Notification to the Secretary of HHS. 86

Source of Notification: ultimately it is the obligation of the covered entity to provide affected individuals with notification of a breach. A covered entity can delegate this duty to the business associate that suffered the breach.
The Preamble notes that the covered entity and business associate should give thought to which one is in the best position to provide notice to the individual, which may depend on various circumstances, such as the functions the business associate performs on behalf of the covered entity and which entity has the relationship with the individual. Similarly, when multiple covered entities participate in electronic health information exchange and there is a breach of unsecured protected health information at a Health Information Organization (HIO), the obligation to notify individuals of the breach falls to the covered entities. 87

What mechanisms will be put in place to manage individual opt-out requirements for care provided on a private payer basis? In the modifications to the regulation for the Notice of Privacy Practices (NPP), one change involved the right of individuals to restrict or opt out of certain disclosures of PHI. The restriction applies to disclosures that would otherwise be made to a health plan. When an individual pays out of pocket in full for a health care item or service, a restriction can be placed on disclosing this information to the health plan. It is incumbent upon health care providers to incorporate into their NPPs a statement regarding the individual's ability to place such a restriction or opt-out on disclosures to health plans. 88

One can foresee situations in which a systems glitch occurs and an out-of-pocket item or service is disclosed to an individual's health plan. To reduce such a risk, documentation practices should include a mechanism for clearly identifying health plan disclosure opt-out restrictions made by an individual who has paid in full for an item or service. In an electronic record system, programming should set a default for managing such opt-out restrictions separately from service disclosures routinely made to the individual's health plan.

What process will be used to review and revise processes in a Shared Savings Program ACO under a Data Use Agreement (DUA) with CMS? Surprisingly, the omnibus regulation is silent on Accountable Care Organizations (ACOs) under the Medicare Shared Savings Program. 89 The ACO regulation makes it clear that CMS cannot disclose beneficiary identifiable information to an ACO absent the required BAAs between the ACO and its participants and providers/suppliers and a signed data use agreement (DUA) with CMS. These BAAs must be in accordance with HIPAA.
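The breach risk assessment described in the breach notification discussion above, as an added example that is not part of the newsletter and not HHS guidance: a fail-closed triage helper that records the rationale an investigation would need to document. The statutory exceptions and the four factors come from the text; the rule used here to combine factors 1, 2 and 4 into a "low probability of compromise" finding is an assumption for illustration, and the sample incidents are constructed.

```python
# Added example (not code from the newsletter or from HHS): triage under the
# Omnibus Rule presumption of breach. Notification is required unless the entity
# can demonstrate a low probability of compromise; anything not established by
# the investigation is treated as compromised (fail closed). The combination
# rule for factors 1, 2 and 4 below is an assumption made for illustration.
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Exception13400(Enum):
    """HITECH section 13400(1) exceptions quoted in the rule discussion."""
    NONE = "none"
    GOOD_FAITH_WORKFORCE = "13400(1)(B)(i)"           # unintentional, good faith, not further used
    INADVERTENT_SAME_FACILITY = "13400(1)(B)(ii)-(iii)"
    COULD_NOT_RETAIN = "13400(1)(A)"


@dataclass
class Incident:
    """Facts gathered by the investigation. None means 'not established'."""
    description: str
    exception: Exception13400 = Exception13400.NONE
    exception_evidence: str = ""                  # burden of proof is on the entity
    # Factor 1: nature and extent of the PHI
    sensitive_identifiers: bool = True            # SSN, financial or detailed clinical data
    reidentification_likely: Optional[bool] = None
    # Factor 2: the unauthorized recipient
    recipient_obligated: Optional[bool] = None    # bound by HIPAA, the Privacy Act or FISMA
    # Factor 3: actually acquired or viewed (None = no forensic determination)
    acquired_or_viewed: Optional[bool] = None
    # Factor 4: mitigation
    assurances_obtained: bool = False
    assurances_reliable: bool = False             # e.g. from another covered entity


@dataclass
class Decision:
    notify: bool
    rationale: list = field(default_factory=list)


def assess(incident: Incident) -> Decision:
    """Apply the presumption of breach and return the decision with its rationale."""
    rationale = [f"Incident: {incident.description}"]

    # Step 1: statutory exceptions hold only if the entity can document them.
    if incident.exception is not Exception13400.NONE:
        if incident.exception_evidence.strip():
            rationale.append(f"Exception {incident.exception.value} documented: "
                             f"{incident.exception_evidence}")
            return Decision(notify=False, rationale=rationale)
        rationale.append(f"Exception {incident.exception.value} claimed but not "
                         "documented; burden of proof not met, presumption stands")
        return Decision(notify=True, rationale=rationale)

    # Step 2: factor 3 alone can demonstrate low probability, but only with a
    # positive forensic finding (the recovered-laptop case in the text).
    if incident.acquired_or_viewed is False:
        rationale.append("Factor 3: forensic review shows PHI was not accessed, viewed "
                         "or transferred; opportunity alone is not acquisition")
        return Decision(notify=False, rationale=rationale)
    if incident.acquired_or_viewed is None:
        rationale.append("Factor 3: acquisition not ruled out; treated as acquired")

    # Step 3: factors 1, 2 and 4 in combination. Assumed rule: reliable mitigation
    # (factor 4) plus either non-sensitive data (factor 1) or an obligated
    # recipient (factor 2) demonstrates low probability; anything less does not.
    has_f1 = (not incident.sensitive_identifiers
              and incident.reidentification_likely is False)
    has_f2 = incident.recipient_obligated is True
    has_f4 = incident.assurances_obtained and incident.assurances_reliable
    if has_f1:
        rationale.append("Factor 1: no sensitive identifiers; re-identification unlikely")
    if has_f2:
        rationale.append("Factor 2: recipient is bound by HIPAA, the Privacy Act or FISMA")
    if has_f4:
        rationale.append("Factor 4: reliable assurances of non-use or destruction obtained")

    if has_f4 and (has_f1 or has_f2):
        rationale.append("Factors in combination support a low probability of compromise")
        return Decision(notify=False, rationale=rationale)
    rationale.append("Low probability of compromise not demonstrated; notification required")
    return Decision(notify=True, rationale=rationale)
```

The rationale list is meant to be kept with the incident record, since the rule places the burden of proof on the covered entity or business associate whether or not notification is made.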
90 Noncompliance with HIPAA has consequences under the terms of the Data Use Agreement regulation: If the ACO misuses or discloses data in a manner that violates any applicable statutory or regulatory requirements or that is otherwise noncompliant with the provisions of the DUA, it will no longer be eligible to receive data under subpart H of this part, may be terminated from the Shared Savings Program under , and may be subject to additional sanctions and penalties available under the law. 91 [Emphasis added]

The HIPAA modifications found in the omnibus rule should set the stage for a reexamination of the BAAs between ACOs, their participants and their providers/suppliers. Those completing the review process (legal counsel, compliance, risk management and others) should keep in mind the timeframe for making revisions as discussed in the omnibus rule. 92

What about the GINA requirements? In a future edition of TRG enews, the focal point will be genetics and the application of the HIPAA Privacy Rule with regard to the Genetic Information Nondiscrimination Act (GINA). 93 State law on genetic testing and uses of such information will also be examined at that time. For present purposes, the key point to keep in mind is that the omnibus rule prohibits a health plan from using or disclosing PHI that is genetic information for underwriting purposes. 94 Unlike the proposed rule, this provision does not apply to health plans that issue long-term care policies. Going forward, a regulation may be promulgated for this purpose when and if HHS obtains sufficient information to do so. 95 Those responsible for managing genetic testing or the use of genetic information should become familiar with the GINA requirements and applicable state law. Since a change may be forthcoming on the use of genetic information for underwriting long-term care policies, it would be prudent to ask legal counsel to provide regulatory updates on the subject.

Risk Management Strategies to Address the Omnibus Regulatory Changes. The size and complexity of the omnibus regulation could prove intimidating. Using a team effort, the regulatory changes can be divided into manageable parts. Doing a before-and-after comparison would be useful.
Electronically cutting and pasting the base regulations with the changes inserted helps to provide a clear picture of the exact modifications. Other strategies include the following:

1. Use a Team Approach to Develop a HIPAA-HITECH and GINA ERM Vulnerability Risk Map. Recognize that a team of content experts can help develop and complete an enterprise risk management map that highlights the vulnerabilities of the covered entity or business associate under the changes found in the omnibus regulation. Ask the team to divide its work along the lines of the domains of risk, including personnel, technology, legal/regulatory concerns, hazards, operations and financial risk.

2. Use the Vulnerability Risk Map to Identify and Rank Opportunities for Improvement. Take advantage of the risk vulnerability map to determine what systems, policies, procedures and educational programming remain unchanged. Set ranked priorities for making improvements, including milestone dates for completion, delineated resource requirements, and champions or leaders to manage the process.

3. Develop an Updated HIPAA Business Associate Agreement. Take advantage of the updated BAA models now found on the OCR website. Use the sample language and incorporate additional terms considered important by the content expert team. Recognize that from an ERM perspective, clauses may be added, including provisions to address reputational risk, use of subcontractors, merger and acquisition notices from business associates, a right of first refusal for successor business associates, and insurance provisions.

4. Develop a Marketing and Fundraising Review Process. Consider a team approach for reviewing proposed marketing and fundraising procedures to make certain that there is compliance with the revisions found in the omnibus rule on both subjects.

5. Education for Everyone. Make certain that HIPAA-HITECH, Breach Notification and GINA are the subject of well-developed, adult learner-oriented programs. DO NOT attempt to complete orientation or in-service programs for associates, providers, and others.
Make certain that the requirements for training are consistent for business associates and subcontractors, too. Offer training or focused sessions on a regular basis, emphasizing key points or vulnerable areas for compliance. During the training, encourage everyone to ask when in doubt, providing them with contact information for a resource for assistance.

6. Implement an Individual-Friendly Privacy Notification Process. Ask the content experts to assist in developing a user-friendly NPP process. Seek input from those on the front line of engagement with individuals, such as reception personnel. Consider the need for assistive devices and large print or Braille messaging. Remember, too, the needs of those individuals who meet the threshold of Limited English Proficiency. Examine carefully health literacy factors that could have a negative impact on a successful NPP process.

7. Implement HIPAA-HITECH Rounds. Recognize the value of having content experts conduct HIPAA-HITECH rounds to make certain that there is adherence to the revised regulatory requirements. Offer one-to-one counseling or group huddles to overcome gaps in compliance with the omnibus regulatory changes.

8. Identify a Go-To Team for Assistance. Assemble a team of experts who can address questions that come up regarding the omnibus rule changes. Make certain that there is an expert available on all shifts and in all settings, or provide a hotline to a central location where someone can provide a prompt response. Capture the question or concern and use the information in a review of HIPAA-HITECH policies, procedures, and tools. Take the same approach when reviewing the content of HIPAA-HITECH orientation and in-service training material.

9. Use Appropriate Measures to Address Breach and Non-Compliant Situations. Handle all breach situations in a manner consistent with the revised rule. Be certain that there is appropriate documentation of the investigation, risk mitigation, and resolution.

10. Involve the Board and Senior Leadership. Make it clear from the outset that the omnibus rule change impacts the entire enterprise, including those on the board, senior management and frontline personnel.
Demonstrate to senior leadership the return on investment, or ROI, of taking an enterprise approach to HIPAA-HITECH. Provide leadership with the enterprise risks and projected losses associated with non-adherence. Help them understand the value proposition for the enterprise, business associates, and individuals when there is regulatory compliance in this arena.

Conclusion. From an ERM perspective, the omnibus rule changes signal the need for healthcare organizations and providers to work diligently to identify not only risk exposures and opportunities but, more importantly, practical solutions. Content experts can help drive the solution. However, much can be done with board-level and senior management, especially if leadership can see the return on investment of developing, implementing and maintaining a consistent approach to complying with the regulatory changes encompassed in the omnibus rule.

If you would like risk management assistance with HIPAA HITECH policies and procedures, please contact us at: or (860)


More information

Management Alert Final HIPAA Regulations Issued

Management Alert Final HIPAA Regulations Issued Management Alert Final HIPAA Regulations Issued After much anticipation, the Department of Health and Human Services (HHS) has issued its omnibus set of final regulations modifying and clarifying the privacy,

More information

NOTIFICATION OF PRIVACY AND SECURITY BREACHES

NOTIFICATION OF PRIVACY AND SECURITY BREACHES NOTIFICATION OF PRIVACY AND SECURITY BREACHES Overview The UT Health Science Center at San Antonio (Health Science Center) is required to report all breaches of protected health information and personally

More information

Compliance Steps for the Final HIPAA Rule

Compliance Steps for the Final HIPAA Rule Compliance Steps for the Final HIPAA Rule On Jan. 25, 2013, the Department of Health and Human Services (HHS) issued a final rule under HIPAA s administrative simplification provisions. The final rule

More information

Fifth National HIPAA Summit West

Fifth National HIPAA Summit West Fifth National HIPAA Summit West Privacy and Security under the HITECH Act W. Reece Hirsch Paul T. Smith, Partner, Partner, Hooper, Lundy & Bookman 1 Developments The Health Information Technology for

More information

OCR Phase II Audit Protocol Breach Notification. HIPAA COW Spring Conference 2017 Page 1 Boerner Consulting, LLC

OCR Phase II Audit Protocol Breach Notification. HIPAA COW Spring Conference 2017 Page 1 Boerner Consulting, LLC Audit Type Section Key Activity Established Performance Criteria Audit Inquiry 12 Samples Requested Breach 164.414(a) Administrative 164.414(a) 164.414(a) 5 Inquiry of Mgmt Requirements Administrative

More information

Long-Awaited HITECH Final Rule: Addressing the Impact on Operations of Covered Entities and Business Associates

Long-Awaited HITECH Final Rule: Addressing the Impact on Operations of Covered Entities and Business Associates Long-Awaited HITECH Final Rule: Addressing the Impact on Operations of Covered Entities and Business Associates March 7, 2013 Brad M. Rostolsky Partner Reed Smith LLP brostolsky@reedsmith.com Nancy E.

More information

HIPAA PRIVACY REQUIREMENTS. Dana L. Thrasher Robert S. Ellerbrock, III Constangy, Brooks & Smith, LLP

HIPAA PRIVACY REQUIREMENTS. Dana L. Thrasher Robert S. Ellerbrock, III Constangy, Brooks & Smith, LLP HIPAA PRIVACY REQUIREMENTS Dana L. Thrasher Robert S. Ellerbrock, III Constangy, Brooks & Smith, LLP dthrasher@constangy.com (205) 226-5464 1 Reasons for HIPAA Privacy Rules Perceived need for protection

More information

What Brown County employees need to know about the Federal legislation entitled the Health Insurance Portability and Accountability Act of 1996.

What Brown County employees need to know about the Federal legislation entitled the Health Insurance Portability and Accountability Act of 1996. What Brown County employees need to know about the Federal legislation entitled the Health Insurance Portability and Accountability Act of 1996. HIPAA stands for Health Insurance Portability and Accountability

More information

1.) The Privacy Rule (Part 164, Subpart E)

1.) The Privacy Rule (Part 164, Subpart E) 1.) The Privacy Rule (Part 164, Subpart E) 164.500 Applicability 164.501 Definitions (health care operations, marketing, underwriting purposes, payment) 164.502 Uses and disclosures of protected health

More information

The Impact of Final Omnibus HIPAA/HITECH Rules. Presented by Eileen Coyne Clark Niki McCoy September 19, 2013

The Impact of Final Omnibus HIPAA/HITECH Rules. Presented by Eileen Coyne Clark Niki McCoy September 19, 2013 The Impact of Final Omnibus HIPAA/HITECH Rules Presented by Eileen Coyne Clark Niki McCoy September 19, 2013 0 Disclaimer The material in this presentation is not meant to be construed as legal advice

More information

HIPAA THE NEW RULES. Highlights of the major changes under the Omnibus Rule

HIPAA THE NEW RULES. Highlights of the major changes under the Omnibus Rule HIPAA THE NEW RULES Highlights of the major changes under the Omnibus Rule AUTHOR Gamelah Palagonia, Founder CIPM, CIPP/IT, CIPP/US, CIPP/G, ARM, RPLU+ PRIVACY PROFESSIONALS LLC gpalagonia@privacyprofessionals.com

More information

HHS, Office for Civil Rights. IAPP October 11, 2012

HHS, Office for Civil Rights. IAPP October 11, 2012 HHS, Office for Civil Rights IAPP October 11, 2012 Enforce federal civil rights laws and the HIPAA Privacy and Security Rules HQ and 10 Regional Offices Region IX has jurisdiction over covered entities

More information

Changes to HIPAA Under the Omnibus Final Rule

Changes to HIPAA Under the Omnibus Final Rule Changes to HIPAA Under the Omnibus Final Rule Kimberly J. Kannensohn and Nathan A. Kottkamp, McGuireWoods 1 The Long-Awaited HIPAA Final Rule On Jan. 17, 2013, the Department of Health and Human Services

More information

New. To comply with HIPAA notice requirements, all Providence covered entities shall follow, at a minimum, the specifications described below.

New. To comply with HIPAA notice requirements, all Providence covered entities shall follow, at a minimum, the specifications described below. Subject: Protected Health Information Breach Notification Policy Department: Enterprise Risk Management Services Executive Sponsor: SVP/Chief Risk Officer Approved by: Rod Hochman, MD President/CEO Policy

More information

H E A L T H C A R E L A W U P D A T E

H E A L T H C A R E L A W U P D A T E L O U I S V I L L E. K Y S E P T E M B E R 2 0 0 9 H E A L T H C A R E L A W U P D A T E L E X I N G T O N. K Y B O W L I N G G R E E N. K Y N E W A L B A N Y. I N N A S H V I L L E. T N M E M P H I S.

More information

HIPAA COMPLIANCE ROADMAP AND CHECKLIST FOR BUSINESS ASSOCIATES

HIPAA COMPLIANCE ROADMAP AND CHECKLIST FOR BUSINESS ASSOCIATES HIPAA COMPLIANCE ROADMAP AND CHECKLIST FOR BUSINESS ASSOCIATES The Health Information Technology for Economic and Clinical Health Act (HITECH Act), enacted as part of the American Recovery and Reinvestment

More information

Interim Date: July 21, 2015 Revised: July 1, 2015

Interim Date: July 21, 2015 Revised: July 1, 2015 HIPAA/HITECH Page 1 of 7 Effective Date: September 23, 2009 Interim Date: July 21, 2015 Revised: July 1, 2015 Approved by: James E. K. Hildreth, Ph.D., M.D. President and Chief Executive Officer Subject:

More information

BREACH NOTIFICATION POLICY

BREACH NOTIFICATION POLICY PRIVACY 2.0 BREACH NOTIFICATION POLICY Scope: All subsidiaries of Universal Health Services, Inc., including facilities and UHS of Delaware Inc. (collectively, UHS ), including UHS covered entities ( Facilities

More information

New HIPAA Rules and Implications for the Industry January 29, 2013

New HIPAA Rules and Implications for the Industry January 29, 2013 New HIPAA Rules and Implications for the Industry January 29, 2013 **Audio for this webinar streams through the web. Please make sure the sound on your computer is turned on. If you need technical assistance,

More information

HIPAA HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT

HIPAA HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT HIPAA HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT HIPAA OMNIBUS FINAL RULE HITECH GINA TERMINOLOGY OMNIBUS FINAL RULE Issued January 23, 2013 Effective March 26, 2013 Modified HIPAA privacy and security

More information

Georgia Health Information Network, Inc. Georgia ConnectedCare Policies

Georgia Health Information Network, Inc. Georgia ConnectedCare Policies Georgia Health Information Network, Inc. Georgia ConnectedCare Policies Version History Effective Date: August 28, 2013 Revision Date: August 2014 Originating Work Unit: Health Information Technology Health

More information

2016 Business Associate Workforce Member HIPAA Training Handbook

2016 Business Associate Workforce Member HIPAA Training Handbook 2016 Business Associate Workforce Member HIPAA Training Handbook Using the Training Handbook The material in this handbook is designed to deliver required initial, and/or annual HIPAA training for all

More information

Saturday, April 28 Medical Ethics: HIPAA Privacy and Security Rules

Saturday, April 28 Medical Ethics: HIPAA Privacy and Security Rules Saturday, April 28 Medical Ethics: HIPAA Privacy and Security Rules Gina Campanella, JD HIPAA & The Medical Practice Requirements for Privacy, Security and Breach Notification Gina L. Campanella, Esq.

More information

HIPAA PRIVACY POLICY AND PROCEDURES FOR PROTECTED HEALTH INFORMATION THE APPLICABLE WELFARE BENEFITS PLANS OF MICHIGAN CATHOLIC CONFERENCE

HIPAA PRIVACY POLICY AND PROCEDURES FOR PROTECTED HEALTH INFORMATION THE APPLICABLE WELFARE BENEFITS PLANS OF MICHIGAN CATHOLIC CONFERENCE HIPAA PRIVACY POLICY AND PROCEDURES FOR PROTECTED HEALTH INFORMATION THE APPLICABLE WELFARE BENEFITS PLANS OF MICHIGAN CATHOLIC CONFERENCE Policy Preamble This privacy policy ( Policy ) is designed to

More information

HIPAA Update. Jamie Sorley U.S. Department of Health and Human Services Office for Civil Rights

HIPAA Update. Jamie Sorley U.S. Department of Health and Human Services Office for Civil Rights HIPAA Update Jamie Sorley U.S. Department of Health and Human Services Office for Civil Rights New Mexico Health Information Management Association Conference April 11, 2014 Albuquerque, NM Recent Enforcement

More information

Changes to HIPAA Privacy and Security Rules

Changes to HIPAA Privacy and Security Rules Changes to HIPAA Privacy and Security Rules STEPHEN P. POSTALAKIS BLAUGRUND, HERBERT AND MARTIN 300 WEST WILSON BRIDGE ROAD, SUITE 100 WORTHINGTON, OHIO 43085 SPP@BHMLAW.COM PERSONNEL COUNCIL FRANKLIN

More information

HIPAA FUNDAMENTALS For Substance abuse Treatment Industry

HIPAA FUNDAMENTALS For Substance abuse Treatment Industry HIPAA FUNDAMENTALS For Substance abuse Treatment Industry (c)firststepcounselingonline2014 1 At the conclusion of the course/unit/study the student will... ANALYZE THE EFFECTS OF TRANSFERING INFORMATION

More information

Omnibus HIPAA Rule: Impact on Covered Entities

Omnibus HIPAA Rule: Impact on Covered Entities Presenting a live 90-minute webinar with interactive Q&A Omnibus HIPAA Rule: Impact on Covered Entities Complying with New Requirements, Managing Risk and Responding to a Data Breach TUESDAY, MARCH 12,

More information

ACC Compliance and Ethics Committee Presentation February 19, 2013

ACC Compliance and Ethics Committee Presentation February 19, 2013 ACC Compliance and Ethics Committee Presentation February 19, 2013 Melinda G. Murray Associate General Counsel, Holy Cross Hospital and Jill M. Girardeau Partner, Womble Carlyle Sandridge & Rice, LLP HIPAA

More information

MEMORANDUM. Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know

MEMORANDUM. Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know 1801 California Street Suite 4900 Denver, CO 80202 303-830-1776 Facsimile 303-894-9239 MEMORANDUM To: Adam Finkel, Assistant Director, Government Relations, NCRA From: Mel Gates Date: December 23, 2013

More information

Highlights of the Final Omnibus HIPAA Rule

Highlights of the Final Omnibus HIPAA Rule Highlights of the Final Omnibus HIPAA Rule Health Information & the Law Project 1 Jane Hyatt Thorpe, JD Lara Cartwright-Smith, JD, MPH Devi Mehta, JD, MPH Elizabeth Gray, JD Teresa Cascio, JD Grace Im,

More information

HIPAA & The Medical Practice

HIPAA & The Medical Practice HIPAA & The Medical Practice Requirements for Privacy, Security and Breach Notification Gina L. Campanella, JD, MHA, CHA Founder & Principal, Campanella Law Office Of Counsel, The Beinhaker Law Firm BEINHAKER,

More information

Business Associate Agreement

Business Associate Agreement Business Associate Agreement This Business Associate Agreement (this Agreement ) is entered into on the Effective Date of the Azalea Health Software as a Service Agreement and/or Billing Service Provider

More information

Interpreters Associates Inc. Division of Intérpretes Brasil

Interpreters Associates Inc. Division of Intérpretes Brasil Interpreters Associates Inc. Division of Intérpretes Brasil Adherence to HIPAA Agreement Exhibit B INDEPENDENT CONTRACTOR PRIVACY AND SECURITY PROTECTIONS RECITALS The purpose of this Agreement is to enable

More information

SUBCONTRACTOR BUSINESS ASSOCIATE AGREEMENT

SUBCONTRACTOR BUSINESS ASSOCIATE AGREEMENT SUBCONTRACTOR BUSINESS ASSOCIATE AGREEMENT (Revised on March 1, 2016) THIS HIPAA SUBCONTRACTOR BUSINESS ASSOCIATE AGREEMENT (the BAA ) is entered into on (the Effective Date ), by and between ( EMR ),

More information

Breach Policy. Applicable Standards from the HITRUST Common Security Framework. Applicable Standards from the HIPAA Security Rule

Breach Policy. Applicable Standards from the HITRUST Common Security Framework. Applicable Standards from the HIPAA Security Rule Breach Policy To provide guidance for breach notification when impressive or unauthorized access, acquisition, use and/or disclosure of the ephi occurs. Breach notification will be carried out in compliance

More information

HITECH Privacy, Security, Enforcement, Breach, and GINA The Final Rule

HITECH Privacy, Security, Enforcement, Breach, and GINA The Final Rule HITECH Privacy, Security, Enforcement, Breach, and GINA The Final Rule Audio Seminar January 28, 2013 Practical Tools for Seminar Learning Copyright 2012 American Health Information Management Association.

More information

OVERVIEW OF RECENT CHANGES IN HIPAA AND OHIO PRIVACY LAWS

OVERVIEW OF RECENT CHANGES IN HIPAA AND OHIO PRIVACY LAWS Franklin J. Hickman Janet L. Lowder David A. Myers Elena A. Lidrbauch Judith C. Saltzman Mary B. McKee Amanda M. Buzo Lisa Montoni Garvin Andrea Aycinena Penton Building 1300 East Ninth Street Suite 1020

More information

HIPAA Compliance Under the Magnifying Glass

HIPAA Compliance Under the Magnifying Glass HIPAA Compliance Under the Magnifying Glass July 30, 2013 Stacy Harper, JD, MHSA, CPC A Webinar Provided by Presenter Stacy Harper Lathrop & Gage, LLP sharper@lathropgage.com 913-451-5125 The information

More information

GUIDE TO PATIENT PRIVACY AND SECURITY RULES

GUIDE TO PATIENT PRIVACY AND SECURITY RULES AMERICAN ASSOCIATION OF ORTHODONTISTS GUIDE TO PATIENT PRIVACY AND SECURITY RULES I. INTRODUCTION The American Association of Orthodontists ( AAO ) has prepared this Guide and the attachment to assist

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATES AND SUBCONTRACTORS

HIPAA BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATES AND SUBCONTRACTORS HIPAA BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATES AND SUBCONTRACTORS This HIPAA Business Associate Agreement ( BAA ) is entered into on this day of, 20 ( Effective Date ), by and between Allscripts

More information

Practical Guidance and Proposed Solutions in Response to the HIPAA Final Omnibus Rule

Practical Guidance and Proposed Solutions in Response to the HIPAA Final Omnibus Rule Practical Guidance and Proposed Solutions in Response to the HIPAA Final Omnibus Rule February 21, 2013 Megan Hardiman Katten Muchin Rosenman LLP Chicago, Illinois 312.902.5488 megan.hardiman@kattenlaw.com

More information

HIPAA Omnibus Final Rule Has Important Changes for Business Associates and Covered Entities

HIPAA Omnibus Final Rule Has Important Changes for Business Associates and Covered Entities Health Care Focus March 2013 HIPAA Omnibus Final Rule Has Important Changes for Business Associates and Covered Entities Peggy L. Barlett 608.284.2214 pbarlett@gklaw.com M. Scott LeBlanc 414.287.9614 sleblanc@gklaw.com

More information

Business Associate Agreement

Business Associate Agreement This Business Associate Agreement Is Related To and a Part of the Following Underlying Agreement: Effective Date of Underlying Agreement: Vendor: Business Associate Agreement This Business Associate Agreement

More information

Business Associate Agreement Health Insurance Portability and Accountability Act (HIPAA)

Business Associate Agreement Health Insurance Portability and Accountability Act (HIPAA) Business Associate Agreement Health Insurance Portability and Accountability Act (HIPAA) This Business Associate Agreement (the Agreement ) is made and entered into by and between Washington Dental Service

More information

45 CFR Part 164. Interim Final Rule Breach Notification for Unsecured Protected Health Information

45 CFR Part 164. Interim Final Rule Breach Notification for Unsecured Protected Health Information 45 CFR Part 164 Interim Final Rule Breach Notification for Unsecured Protected Health Information Full Preamble and Rule at http://edocket.access.gpo.gov/2009/pdf/e9-20169.pdf The Interim Final Rule also

More information

Patient Breach Letter Content Requirements

Patient Breach Letter Content Requirements Patient Breach Letter Content Requirements The final breach regulations, effective September 23, 2009, required that the patient whose information was accessed, used or released in an inappropriate manner

More information

The HIPAA/HITECH Final Rule: Time to Get More Serious About Compliance. Patricia A. Markus, Esq.

The HIPAA/HITECH Final Rule: Time to Get More Serious About Compliance. Patricia A. Markus, Esq. The HIPAA/HITECH Final Rule: Time to Get More Serious About Compliance I. INTRODUCTION Patricia A. Markus, Esq. AHLA Hospitals and Health Systems Law Institute February 13, 2013 On January 17, 2013, the

More information

HITECH and HIPAA: Highlights for Health Departments. Aimee Wall UNC School of Government

HITECH and HIPAA: Highlights for Health Departments. Aimee Wall UNC School of Government HITECH and HIPAA: Highlights for Health Departments Aimee Wall UNC School of Government When Congress enacted sweeping legislation in February designed to stimulate the nation s economy, it incorporated

More information

ARRA s Amendments to HIPAA Privacy & Security Rules

ARRA s Amendments to HIPAA Privacy & Security Rules ARRA s Amendments to HIPAA Privacy & Security Rules Georgina L. O Hara Jessica R. Bernanke April 29, 2009 www.morganlewis.com Amended HIPAA Privacy and Security Rules HIPAA Amendments are in The Health

More information

Preparing for a HIPAA Audit & Hot Topics in Health Care Reform

Preparing for a HIPAA Audit & Hot Topics in Health Care Reform Preparing for a HIPAA Audit & Hot Topics in Health Care Reform 2013 San Francisco Mid-Sized Retirement & Healthcare Plan Management Conference March 17-20, 2013 Elizabeth Loh, Esq. Copyright Trucker Huss,

More information

HIPAA Enforcement Under the HITECH Act; The Gloves Come Off

HIPAA Enforcement Under the HITECH Act; The Gloves Come Off HIPAA Enforcement Under the HITECH Act; The Gloves Come Off Leeann Habte, Esq. Michael Scarano, Esq. December 6, 2011 Attorney Advertising Prior results do not guarantee a similar outcome Models used are

More information

HIPAA Redux 2013 Kim Cavitt, AuD Audiology Resources, Inc. Expert e-seminar 4/29/2013. HIPAA Redux Presented by: Kim Cavitt, AuD

HIPAA Redux 2013 Kim Cavitt, AuD Audiology Resources, Inc. Expert e-seminar 4/29/2013. HIPAA Redux Presented by: Kim Cavitt, AuD HIPAA Redux 2013 Presented by: Kim Cavitt, AuD Moderated by: Carolyn Smaka, Au.D., Editor-in-Chief, AudiologyOnline Expert e-seminar TECHNICAL SUPPORT Need technical support during event? Please contact

More information

The HIPAA Omnibus Rule

The HIPAA Omnibus Rule The HIPAA Omnibus Rule NOTE: Make sure your computer speakers are turned ON. Audio will be streaming through your speakers. If you do not have computer speakers, call the ACCMA at 510-654-5383 for alternatives.

More information

HIPAA: Impact on Corporate Compliance

HIPAA: Impact on Corporate Compliance HIPAA: Impact on Corporate Compliance AAPC HEALTHCON April 2014 Stacy Harper, JD, MHSA, CPC Disclaimer The information provided is for educational purposes only and is not intended to be considered legal

More information

OMNIBUS RULE ARRIVES

OMNIBUS RULE ARRIVES AFTER THE OMNIBUS RULE 1 Agenda Omnibus Rule is here Business Associates (BAs) Agreement Breach Notification Change Breach Reporting Requirements (Federal and State) Notification to Care1st Health Plan

More information

BUSINESS ASSOCIATE AGREEMENT W I T N E S S E T H:

BUSINESS ASSOCIATE AGREEMENT W I T N E S S E T H: BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT ( this Agreement ) is made and entered into as of this day of 2015, by and between TIDEWELL HOSPICE, INC., a Florida not-for-profit corporation,

More information

HIPAA, 42 CFR PART 2, AND MEDICAID COMPLIANCE STANDARDS POLICIES AND PROCEDURES

HIPAA, 42 CFR PART 2, AND MEDICAID COMPLIANCE STANDARDS POLICIES AND PROCEDURES SALISH BHO HIPAA, 42 CFR PART 2, AND MEDICAID COMPLIANCE STANDARDS POLICIES AND PROCEDURES Policy Name: BREACH NOTIFICATION REQUIREMENTS Policy Number: 5.16 Reference: 45 CFR Parts 164 Effective Date:

More information

O n Jan. 25, 2013, the U.S. Department of Health

O n Jan. 25, 2013, the U.S. Department of Health Life Sciences Law & Industry Report Reproduced with permission from Life Sciences Law & Industry Report, 07 LSLR 220, 02/22/2013. Copyright 2013 by The Bureau of National Affairs, Inc. (800-372-1033) http://www.bna.com

More information

HEALTH LAW ALERT January 21, 2013

HEALTH LAW ALERT January 21, 2013 HEALTH LAW ALERT January 21, 2013 Omnibus Privacy Rule Issued HHS Imposes More Stringent Breach Notification Standard Requires Changes to Privacy Notices, Business Associate Agreements On Thursday, the

More information

HIPAA Privacy Overview

HIPAA Privacy Overview HIPAA Privacy Overview Benefit Advisors Network Stacy H. Barrow sbarrow@marbarlaw.com February 8, 2017 2017 Marathas Barrow Weatherhead Lent LLP. All Rights Reserved. 1 Overview of Presentation HIPAA Overview

More information

Conduct of covered entity or business associate. Did not know and, by exercising reasonable diligence, would not have known of the violation

Conduct of covered entity or business associate. Did not know and, by exercising reasonable diligence, would not have known of the violation HIPAA UPDATE: WHY AND HOW YOU MUST COMPLY 1 In January 2013, the Department of Health and Human Services ( HHS ) issued its long-awaited Omnibus Rule 2 implementing regulations required by the HITECH Act

More information

O n Jan. 25, the Office for Civil Rights (OCR) of the. Privacy and Security Law Report

O n Jan. 25, the Office for Civil Rights (OCR) of the. Privacy and Security Law Report Privacy and Security Law Report Reproduced with permission from Privacy & Security Law Report, 12 PVLR 168, 02/04/2013. Copyright 2013 by The Bureau of National Affairs, Inc. (800-372-1033) http://www.bna.com

More information

The Guild for Exceptional Children HIPAA Breach Notification Policy and Procedure

The Guild for Exceptional Children HIPAA Breach Notification Policy and Procedure The Guild for Exceptional Children HIPAA Breach Notification Policy and Procedure Purpose To provide for notification in the case of breaches of Unsecured Protected Health Information ( Unsecured PHI )

More information

"HIPAA RULES AND COMPLIANCE"

HIPAA RULES AND COMPLIANCE PRESENTER'S GUIDE "HIPAA RULES AND COMPLIANCE" Training for HIPAA REGULATIONS Quality Safety and Health Products, for Today...and Tomorrow OUTLINE OF MAJOR PROGRAM POINTS OUTLINE OF MAJOR PROGRAM POINTS

More information

Central Florida Regional Transportation Authority Table of Contents A. Introduction...1 B. Plan s General Policies...4

Central Florida Regional Transportation Authority Table of Contents A. Introduction...1 B. Plan s General Policies...4 Table of Contents A. Introduction...1 1. Purpose...1 2. No Third Party Rights...1 3. Right to Amend without Notice...1 4. Definitions...1 B. Plan s General Policies...4 1. Plan s General Responsibilities...4

More information

HIPAA Compliance Guide

HIPAA Compliance Guide This document provides an overview of the Health Insurance Portability and Accountability Act (HIPAA) compliance requirements. It covers the relevant legislation, required procedures, and ways that your

More information

The Audits are coming!

The Audits are coming! HIPAA and Meaningful Use (MU) Governmental Program Audits The Audits are coming! The Audits are coming! 1 Audit Readiness Meaningful Use and HIPAA Both CMS and the Office for Civil Rights (OCR) have been

More information

IT'S COMING: THE HIPAA/HITECH RULE; WHAT TO EXPECT AND WHAT TO DO NOW [OBER KALER]

IT'S COMING: THE HIPAA/HITECH RULE; WHAT TO EXPECT AND WHAT TO DO NOW [OBER KALER] IT'S COMING: THE HIPAA/HITECH RULE; WHAT TO EXPECT AND WHAT TO DO NOW Publication IT'S COMING: THE HIPAA/HITECH RULE; WHAT TO EXPECT AND WHAT TO DO NOW [OBER KALER] Author James B. Wieland 2012: Issue

More information

CROOK COUNTY POLICY AND PROCEDURES FOR COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF

CROOK COUNTY POLICY AND PROCEDURES FOR COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF CROOK COUNTY POLICY AND PROCEDURES FOR COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 Update 2-17-2016 CROOK COUNTY RECORD OF CHANGES 2 TABLE OF CONTENTS Introduction HIPAA

More information

Rule. Research Changes to the Privacy Rule and GINA. Heather Pierce, JD, MPH Senior Director and Regulatory Counsel, Scientific Affairs

Rule. Research Changes to the Privacy Rule and GINA. Heather Pierce, JD, MPH Senior Director and Regulatory Counsel, Scientific Affairs HIPAA Omnibus Final Rule Research Changes to the Privacy Rule and GINA Heather Pierce, JD, MPH Senior Director and Regulatory Counsel, Scientific Affairs February 20, 2013 Research-Related Topics Research

More information

x Major revision of existing policy Reaffirmation of existing policy

x Major revision of existing policy Reaffirmation of existing policy Name of Policy: Reporting of Security Breach of Protected Health Information including Personal Health Information Policy Number: 3364-90-15 Approving Officer: Executive Vice President of Clinical Affairs

More information

HIPAA PRIVACY RULE POLICIES AND PROCEDURES

HIPAA PRIVACY RULE POLICIES AND PROCEDURES HIPAA PRIVACY RULE POLICIES AND PROCEDURES Purpose: The purpose of this document is to educate, and identify the need to formally create and implement policies and procedures for Hudson Community School

More information