HITECH/HIPAA Omnibus Final Rule: Implications for Hospices. Elizabeth S. Warren May 3, 2013

Transcription

1 HITECH/HIPAA Omnibus Final Rule: Implications for Hospices Elizabeth S. Warren May 3, 2013

2 Final Rule is Finally Here Published January 25, 2013 (78 Fed. Reg. 5566) Effective March 26, 2013 Compliance required by September 23, 2013 except for certain existing business associate agreements (which have up to an extra year) Implements most HITECH requirements

3 Breach notification: the burden is on you Significant harm standard is gone Presumption of breach/burden to demonstrate low probability of compromise Impact: more incidents will result in notifications

4 Breach notification: mandatory risk assessment factors Must document 4 step risk assessment Nature and extent of PHI involved (including identifiers and likelihood of reidentification) The unauthorized person who used or received the PHI Whether the PHI was actually acquired or viewed Extent to which the risk to the PHI has been mitigated

5 Breach notification: practical steps Revise policies for breaches after September 22, 2013 Train those who handle breach notifications (are risk assessments properly documented and retained for at least 6 years?) Consider further training for others (does your workforce understand what needs to be reported, how to report and the importance of immediately reporting?)

6 Business Associate Agreements New wording requirements Must require breaches to be reported Must require the BA to comply with the standards applicable to the CE to the extent the BA is delegated an obligation of the CE under the Privacy Rule Must require the BA to comply with the applicable provisions of the Security Rule Other tweaks to the BAA requirement

7 Business Associate Agreements: practical tips Revise your templates ASAP any BAAs signed after 1/25/13 must be amended by 9/23/13 Determine whether your old template complies with existing law. If not, all BAAs signed on old template must be amended ASAP (and by 9/23/13 for 2013 rule changes) common errors include failure to require security incidents to be reported How confident are you that BAAs are in place with all vendors? Now is a good time to confirm

8 Privacy Notices Must revise to address: Breach notification Authorization requirement Restriction requests (paid in full/health plan) Fundraising Can delete appointment reminders/treatment alternatives wording

9 Privacy Notices: Practical Tips Good time to take a 2 nd look at entire notice Often notices are overly restrictive Make sure the revised notice is distributed in compliance with the rule Web site Available at physical delivery site Posted in prominent location

10 Privacy Notice: practical tips Consider providing refresher training on the need to provide the notice to new patients Consider adding wording to address any common uses or disclosures that have resulted in patient complaints in the past (even though permissible) Wording on electronic storage/ehr/electronic disclosure Insurance eligibility checks

11 Marketing Defined: to make a communication about a product or services that encourages recipients to purchase (unless exception applies) Exceptions: Refill reminders or other communications about drugs current prescribed if $$ received are related to cost of making the communication Treatment and HCO if no $$ is exchanged for making the communication Face to face or nominal gifts

12 Marketing Treatment and HCO that are not marketing if no $$ is exchanged include: Care coordination Recommending alternative treatments, therapies or providers Describing a health-related product or services provided by the covered entity making the communication Case management

13 Marketing Whether financial remuneration is received for the communication is key (for communications that would otherwise be treatment or HCO) Defined as direct or indirect payment from a 3 rd party whose product/service is being described Does not include payments for treatment Does not include payments in kind (but use caution)

14 Marketing An authorization is required to use or disclose PHI for marketing If the marketing involves financial remuneration from a 3 rd party, the authorization must include a statement to this effect

15 Marketing: practical tips Revise policies Provide detailed training to workforce members involved in promotional efforts the fact that HIPAA regulates uses as well as disclosures is often overlooked Implement procedure for focused training for new hires in this area

16 Sale of PHI Sale is not allowed unless an authorization is in place that states the disclosure will result in remuneration to the covered entity Defined as when the CE or BA receives remuneration from or on behalf of the recipient of the PHI in exchange for the PHI, unless an exception applies Exceptions include disclosures for payment and treatment purposes disclosures to a BA for its services other disclosures permitted by HIPAA if payments are cost-based to cover preparation/transmission

17 Sale of PHI: practical tips Update policies to address restriction Consider existing relationships to confirm none appear to involve payments in exchange for PHI (or meet an exception) Train development and other personnel on restriction

18 Fundraising More types of PHI may be used or disclosed for fundraising A clear opt out must be included in each communication Opt out must not cause an undue burden Opt outs must be honored CEs may not condition treatment/payment on decision to opt out Is permissible to provide opt-in method to those who opt-out

19 Fundraising: practical tips Update policies Implement opt out and confirm it is clear and not burdensome Consider methods of publicizing ways to opt back in (website notice? Pamphlets in physical locations?)

20 Patient Rights: Access Must provide PHI in electronic form and format requested if readily producible No extended response time if have difficulty agreeing on format Electronic requirements apply to all PHI held electronically in a designated record set (not just EHR) Extra 30 days to respond to requests if PHI is stored offsite is gone Must provide directly to designee (written, signed, request that clearly IDs designee and where)

21 Access: Practical Tips Update policies and provide training Consider ability to provide electronic copies and how to address security concerns Allow copying onto thumb drive provided by individual? Consider interaction with meaningful use requirements Consider how will handle designee requests (versus when an authorization is required)

22 Restriction Requests CEs must comply with an individuals request not to use/disclose PHI when: Disclosure is to health plan for carrying out payment or health care operations (not treatment); AND The provider is paid out of pocket in full CE may not terminate self-pay restriction unilaterally CE not required, but encouraged, to assist in passing it down (discussions with patients, notifying others)

23 Restriction Requests Permissible to request payment in full at the time of the restriction request No violation if patient submits request after stay has started and PHI has already been disclosed If services cannot be unbundled, the entire bundle must be paid for out of pocket

24 Restriction Requests: Practical Tips Update policies and forms Revise wording stating we are not obligated to agree or any statement that we deny all restriction requests Provide training and consider how to implement requests How to avoid future disclosures such as in an audit

25 Other Changes Some definition changes, such as Business associates Genetic information (part of PHI and other impacted definitions) Health care operations (includes patient safety activities) Deceased individuals Family and friends clarification 50 year limitation (following death---not last treatment!) Exceptions School immunization disclosures Minor revisions Compound authorizations (research)

26 Enforcement: it s not getting better HITECH authorized state attorneys general to enforce HIPAA violations on behalf of the state s residents Mandatory formal investigation of any complaint if the violation was due to possible willful neglect Greater responsibility for acts of BAs (if deemed to be an agent) Higher penalties

27 Civil Penalties Did not know (even with diligence)- minimum of $100 per violation Reasonable Cause- minimum of $1,000 per violation Willful Neglect; violation cured- minimum of $10,000 per violation (if corrected; if not, $50,000) For all types: Up to $1,500,000 per year for multiple violations of the same part of HIPAA

28 Criminal Enforcement Criminal penalties can be imposed not only on CEs and BAs but also on individual employees who obtain or disclose PHI without authorization Range of penalties from $50,000 plus one year imprisonment for knowingly violating HIPAA; to $250,000 plus ten years imprisonment for doing so with intent to profit by or do harm with the information

29 Example OCR Investigations Feb. 2011: Massachusetts General Hospital agreed to pay $1 million to resolve a privacy rule violation when an employee lost records containing medical information of 192 patients on a subway train Feb. 2011: HHS imposed a $4.3 million civil monetary penalty on Cignet Health for violating 41 patients individual rights by denying them access to their medical records and for failing to cooperate with OCR s investigation

30 Criminal Cases On July 20, 2009, a physician and 2 former hospital employees each plead guilty to a misdemeanor violation of HIPAA for accessing a patient s record without legitimate purpose Accessed records of newsreporter Probation/fines Civil lawsuit

31 Additional Considerations Does your facility also act as a BA at times? Do you have policies that address acting as a BA? You will need to update your downstream BAAs Is your Security Rule risk analysis up to date? How robust is your HIPAA training? Does the training include real world hypotheticals? Or is it a canned HIPAA basics presentation? Does it focus on practical issues that clinical and administrative staff encounter?

32 QUESTIONS? Elizabeth Warren