2011 Miller Johnson. All rights reserved. 1. HIPAA Compliance: Privacy and Security Changes under HITECH HITECH. What is HITECH? Mary V.

Transcription

1 HIPAA Compliance: Privacy and Security Changes under HITECH Mary V. Bauman The materials and information have been prepared for informational purposes only. This is not legal advice, nor intended to create or constitute a lawyer-client relationship. Before acting on the basis of any information or material, readers who have specific questions or problems should consult their lawyer. 2 HITECH What is HITECH? HITECH is the Health Information Technology for Economic and Clinical Health Act HITECH was enacted in February 2009 and amends the HIPAA privacy and security rules 3 1

2 HITECH Key HITECH changes now in effect Covered entities required to notify individuals, HHS and in some cases, the media, in the event unsecured PHI is breached Increased regulation of business associates, generally applying the HIPAA privacy and security rules to business associates in a similar manner as they apply to covered entities Increased civil penalties for violations of the HIPAA privacy and security rules 4 Polling Question HIPAA applies to covered entities (employer health plans and health care providers) and business associates. How is your organization subject to HIPAA? As a health plan sponsor? As a health care provider? As a business associate? As a combination of the above? 5 6 2

3 Currently, if there is a breach of the privacy or security rules, the covered entity (employer health plan or health care provider) is required to mitigate any harm caused by the breach which may, in certain circumstances, include notification There is no other affirmative obligation to provide notice of a breach to the individual or to the federal government (i.e., the U.S. Department of Health and Human Services (HHS)) 7 HITECH expands the responsibilities of covered entities and business associates in the event of a breach Under HITECH if the security of unsecured PHI is breached, the covered entity must provide notice within 60 days after discovery of the breach to the individual, HHS and the media 8 Unsecured PHI is protected health information which is not secured through the use of HHS recognized technology or methodology Permissible technologies or methodologies are encryption (with respect to electronic PHI) and destruction (with respect to electronic or paper PHI) 9 3

4 HHS has issued guidance detailing what constitutes sufficient encryption or destruction for this purpose The guidance is expected to be updated annually to reflect developments in technology If PHI is secured through encryption or destruction, it is not considered unsecured and is not subject to the breach notification requirements even if compromised 10 Encryption and destruction are the exclusive methods of securing PHI Electronic PHI will not be considered secure through access control such as passwords or firewalls Paper PHI with identifiers redacted is not considered secure PHI to avoid the notification requirements in the event of a breach 11 However, HHS guidance indicates that even if the PHI is not secure for purposes of avoiding the notification requirements in the event of a breach, steps such as access controls, firewalls and redaction may evidence reasonable and appropriate safeguards to ensure compliance with the other HIPAA privacy and security rules 12 4

5 Breach means the unauthorized acquisition, access, use or destruction of PHI that compromises the privacy or security of the information However, notification of a breach is not required unless the use or disclosure poses a significant risk of financial, reputational or other harm to the individual 13 Covered entities should perform a risk assessment to determine if harm has occurred and review factors such as to whom the information was disclosed, the type of information disclosed and what steps were taken upon discovery of the use or disclosure For example, if the disclosed PHI merely identifies an individual and the fact that he received services from a hospital, that may not constitute significant harm 14 In contrast, if the disclosed PHI indicates the type of services the individual received (e.g., for substance abuse treatment) or if the disclosed PHI increases the risk of identity theft (such as a Social Security number) then there is a higher likelihood of harm 15 5

6 Exceptions: There are three exceptions to the breach notification requirements: First, the unintentional acquisition, access or use of PHI by a workforce member (employee, volunteer, trainee, etc.) of a covered entity or business associate if the action was in good faith and within the individual s authority and the action does not result in further use or disclosure in violation of the HIPAA privacy rules 16 Example: a co-worker mistakenly sends an with PHI to another co-worker who opens it in the normal course of business but then deletes it and notifies the first employee In contrast, a receptionist at a covered entity who is not authorized to access PHI decides to look through a co-worker s file in order to learn of her medical treatment would not fall within the exception Second, the inadvertent disclosure by an authorized person at a covered entity or business associate to another authorized person at the same covered entity or business associate and the disclosure does not result in further use or disclosure in violation of the HIPAA privacy rules Example: an employee of business associate for health plan A is working on-site at plan sponsor and plan sponsor s benefits manager inadvertently discloses PHI to the employee regarding health plan B 6

7 Third, the recipient would not reasonably have been able to retain the information Example: An explanation of benefits ( EOB ) is sent to the wrong individual and the EOB envelope is returned unopened Example: An HR employee mistakenly gives out another employee s enrollment form to a requesting individual but immediately discovers the error and takes back the enrollment form 19 Discovery occurs: As of the first day that it is known or reasonably should have been known to the covered entity or business associate; or If earlier, the day on which any employee, officer or other agent has knowledge of the breach (except for the individual who committed the breach) 20 Individual Notice Notice should generally be provided by the covered entity to the impacted individual in writing by first-class mail to the last known address There are special delivery rules where the address is unknown or where there is a possibility of imminent use of the unsecured PHI 21 7

8 The notification to the individual must: Describe the circumstances of the breach, including the date of the breach and the date of discovery Describe the type of unsecured PHI involved Summarize the steps the individual should take to protect himself/herself against potential harm due to the breach 22 Briefly explain the steps the covered entity has taken to investigate the breach, to mitigate harm and to protect against further breaches Include covered entity contact information 23 HHS Notice If the breach involves less than 500 individuals, the covered entity must log the breach and provide the log to HHS on an annual basis The log must be filed within 60 days after the end of the calendar year 24 8

9 If the breach involves 500 or more individuals, the covered entity must notify HHS immediately and HHS will identify the covered entity on its website Immediately means contemporaneously with the individual notices 25 Media Notice Notification also must be made by the covered entity to prominent media outlets if a breach of unsecured PHI is reasonably believed to affect more than 500 individuals in a state The same content as the individual notice must be provided and within the same time frame The notice can be in the form of a press release HHS says what constitutes a prominent media outlet may differ depending on the state 26 Business Associates If a business associate discovers the breach, it must notify the covered entity and identify each individual involved 27 9

10 It appears that the business associate is not required to notify the individual. Rather, the business associate is required to notify the covered entity who notifies the individual However, the business associate agreement can be amended to require the business associate to provide the breach notification on the covered entity s behalf 28 Increased Regulation of Business Associates 29 Increased Regulation of Business Associates HIPAA regulates covered entities (employer health plans and health care providers) HIPAA requires covered entities to enter into privacy/security agreements with their business associates 30 10

11 Increased Regulation of Business Associates So while a business associate may be contractually obligated to comply with HIPAA, HIPAA did not previously directly regulate business associates Business associates are entities that perform a function on behalf of the covered entity which involves the use or disclosure of PHI 31 Increased Regulation of Business Associates 32 Examples of business associates: Third party administrators ( TPAs ) Prescription drug benefit managers ( PBMs ) Utilization review providers Subrogation providers COBRA TPAs Insurance agents and consultants Accountants Attorneys Actuaries Increased Regulation of Business Associates Examples of third parties that are not business associates: Janitorial services Shredding services unless the entity routinely shreds PHI and performs the shredding services offsite Plumbers Electricians Photocopy repair technicians 33 11

12 Increased Regulation of Business Associates U.S. Mail, UPS and other delivery services Banks and financial institutions that process batch claims and premium payment information Software vendors unless they host PHI on their servers or access PHI when troubleshooting for the group health plan Health insurers and HMOs however, they are covered entities in their own right 34 Increased Regulation of Business Associates HITECH generally applies the HIPAA privacy and security rules to business associates in a similar manner as they apply to covered entities 35 Increased Regulation of Business Associates Business associate agreements will need to be amended to comply with the new privacy and security requirements of HITECH Formerly, the burden to enter into business associate agreements was on the covered entity 36 12

13 Increased Regulation of Business Associates Business associates typically would only initiate as a service, to be proactive with the covered entity, or to ensure that its version rather than the covered entity s version of the agreement was used Now, both parties have the responsibility to make sure a business associate agreement is in place 37 Increased Enforcement 38 Increased Enforcement Old Rules HIPAA allowed HHS to impose civil penalties of up to $100 per violation of the HIPAA privacy and security rules, with a maximum of $25,000 for violations of a single standard within a single calendar year. There were exceptions where the covered entity did not know of the violation or the failure was due to reasonable cause and corrected within 30 days 39 13

14 Increased Enforcement Criminal penalties (fines of up to $50,000 and/or imprisonment of up to one year) were authorized with additional criminal penalties being available for egregious situations Private causes of action by individuals for wrongful disclosure were not available under HIPAA. However, individuals could report violations to HHS and HHS could investigate 40 Increased Enforcement HHS s prior emphasis was on voluntary compliance Largely a complaint-driven approach Before 2011, there were some high profile settlements for alleged HIPAA violations but no civil monetary penalties were assessed Probably the most noteworthy settlements involved CVS and Rite Aid pharmacies (paying $2.25 million and $1 million respectively) for alleged improper disposal of PHI 41 Increased Enforcement This year, HHS imposed its first civil monetary penalty under HIPAA and HITECH The $4.3 million civil penalty was imposed against Cignet Health, a group of clinics, for refusal to provide patients with access to their medical records 42 14

15 Increased Enforcement HITECH significantly increases the government s enforcement tools and the potential adverse consequences of noncompliance For this reason, more enforcement activity is expected to occur 43 Increased Enforcement HITECH significantly increases the ability to enforce HIPAA as follows: Business associates can now be held directly accountable for failure to comply with the HIPAA privacy and security rules Previously, business associates were only liable for a breach of contract claim for failure to comply with a business associate agreement 44 Increased Enforcement Civil penalty amounts now vary depending on the type of violation: Innocent Breach Where a covered entity or business associate does not know of the violation (and would not have known exercising by reasonable diligence), the minimum penalty is $100 per violation with a maximum cap of $25,000 for all violations of a single standard during a calendar year 45 15

16 Increased Enforcement Reasonable Cause Where a violation is due to reasonable cause, the minimum penalty is $1,000 per violation with a maximum cap of $100,000 for all violations of a single standard during a calendar year Penalty can be avoided if violation is corrected within 30 days of date covered entity or business associate knew of the violation or should have known by exercising reasonable diligence 46 Increased Enforcement Willful Neglect Where a violation is due to willful neglect, the minimum penalty is $10,000 per violation with a maximum cap of $250,000 for all violations of a single standard during a calendar year Where a violation is due to willful neglect and is not corrected within 30 days, the minimum penalty is $50,000 per violation, with a maximum of $1.5 million for all violations of a single standard during a calendar year 47 Increased Enforcement An HHS audit is required where a preliminary investigation indicates the violation is due to willful neglect If a violation is found to be due to willful neglect, the imposition of a civil penalty is required (not discretionary) 48 16

17 Increased Enforcement HITECH authorizes state attorneys general to bring a civil action in federal district court against covered entities and business associates who violate the HIPAA privacy and security rules. The state attorneys general may enjoin violations and seek damages of up to $100 for each violation and $25,000 for all similar violations within a calendar year 49 Increased Enforcement HITECH provides a mechanism for individuals to obtain a portion of any HHS civil monetary penalty or monetary settlement which is recovered. Regulations are required to be issued by February 2012 to provide this right There is still no private cause of action available under HIPAA 50 Increased Enforcement HITECH clarifies that criminal penalties may be enforced against individuals, including employees of a covered entity HITECH requires HHS to conduct periodic audits of covered entities and business associates to ensure compliance with the privacy and security rules 51 17

18 HITECH Action Items 52 HITECH Action Items Review current HIPAA privacy and security policies and procedures and update Review any current use of encryption and consider expansion in use and level of technology Procedure regarding destruction of electronic and paper PHI 53 HITECH Action Items 54 Develop procedures for notification of breach to: Individuals Develop sample letter Media HHS Develop log Develop procedures to better monitor for breaches to facilitate prompt correction and avoidance of penalties 18

19 HITECH Action Items Business associate agreement Amend to add new requirements for business associate Require business associate to provide prompt notification to the covered entity of a breach of unsecured PHI 55 HITECH Action Items Communicate with business associates to verify they are adopting their own privacy and security policies and procedures and taking the same steps as a covered entity to ensure compliance with HIPAA privacy and security rules under HITECH 56 HITECH Action Items Training Provide training to employees with access to PHI regarding new requirements of HITECH Determine whether any additional employees should be added to training group (e.g., who may be in a position to learn of a breach of unsecured PHI) 57 19

20 Polling Question Has your organization taken the necessary steps to comply with HITECH? We ve taken all the necessary steps We ve taken some but not all of the steps We haven t taken any steps yet 58 Ongoing Compliance for HIPAA Privacy and Security Rules 59 Ongoing Compliance for HIPAA The HIPAA privacy rules have been in effect since 2003 for large health plans and 2004 for small health plans The HIPAA security rules which are designed to safeguard PHI which is maintained or used in electronic form took effect in 2005 for large health plans and in 2006 for smaller health plans 60 20

21 Ongoing Compliance for HIPAA Did the employer take the initial steps to comply with both the HIPAA privacy rules and the HIPAA security rules with respect to all of the employer s health plans? While there is a fully-insured exception to the privacy rules which effectively shifts most of the responsibility for compliance to the insurer, there is no similar exception to the security rules for fully-insured plans 61 Ongoing Compliance for HIPAA Initial compliance steps for the privacy rules Identify all health plans and whether any are subject to the fully-insured exception Appoint privacy officer Establish policies and procedures 62 Ongoing Compliance for HIPAA 63 Prepare notice of privacy practices and distribute to participants (generally means enrolled employees and does not include dependents) Train workforce Amend all health plans for privacy rules and prepare written certification Identify all business associates and enter into business associate agreements with each for privacy rules 21

22 Ongoing Compliance for HIPAA Initial compliance steps for the security rules Identify all health plans subject to the security rules (remember there is no fully-insured exception) Appoint security officer (this can be the same person or a different person than the privacy officer) 64 Ongoing Compliance for HIPAA Establish security policies and procedures (this can be part of or separate from the privacy policies and procedures) Conduct a written security risk analysis Train workforce Amend all health plans for security rules Amend all business associates agreements for security rules 65 Ongoing Compliance for HIPAA Ongoing HIPAA privacy and security compliance Covered entities should review their HIPAA privacy and security compliance efforts on an annual basis to ensure compliance. Steps should include the following: Have any new health plans been established? If so, amend them for the privacy and security rules 66 22

23 Ongoing Compliance for HIPAA Is the privacy officer still employed and working in that position or does a replacement privacy officer need to be named? Similarly, is the security officer still employed and working in that position or does a replacement security officer need to be named? Does the group of employees or classes of employees who may use or disclose PHI need to be updated? If so, this may require a change to the employer s policies and procedures and potentially, an amendment to the health plans 67 Ongoing Compliance for HIPAA You should periodically review your privacy policies and procedures. Are they working and do they fit your needs? Should any provisions be changed or expanded? Have there been any changes in your technology which require a change to your HIPAA security policies and procedures or for which you should conduct an updated security risk analysis? The security risk analysis should not be a one time occurrence; it should be conducted on a periodic basis 68 Ongoing Compliance for HIPAA Notice of participant notice of privacy practices Is the notice being provided to all new participants at the time of enrollment? Are participants receiving a new copy of the notice at least once every three years or alternatively, receiving notice at least once every three years that they may receive a copy of the notice? (Note: an easy way to comply with this requirement is simply to notify participants each year at open enrollment that they have the right to a new copy of the notice.) 69 23

24 Ongoing Compliance for HIPAA Is all the identifying information in the notice still accurate or does it need to be changed? Are there any other substantive changes which should be made to the notice? The notice will need to be updated to incorporate the requirements of HITECH. A new notice must be delivered to all participants within 60 days after a material change 70 Ongoing Compliance for HIPAA Training Do you have a procedure in place to train new employees who are hired or transferred into the group of employees with rights to use or disclose PHI? For those individuals who continue to be in the group, what is your procedure regarding refresher training? Additional training will be required as a result of the HITECH changes 71 Ongoing Compliance for HIPAA Review current business associate relationships Make sure existing contracts with all current business associates are up-to-date and in order Make sure there is a business associate agreement in place with each new business associate which is identified For all business associates, make sure the business agreement incorporates the HITECH changes 72 24

25 Polling Question Has your organization taken the necessary steps to comply with the HIPAA privacy and security rules, including ongoing compliance? We complied initially and review our compliance at least annually We took steps to comply initially but haven t done much since We ve never taken significant steps to comply with the HIPAA privacy and security rules 73 Helpful Link The HHS website has a link to Health Information Privacy (HIPAA) which provides additional information on the following topics: Understanding HIPAA Privacy How to File a Health Privacy Rule Complaint HIPAA Frequently Asked Questions For Small Providers, Small Health Plans and Other Small Businesses HIPAA: Overview of General Information 74 Mary V. Bauman Phone: BaumanM@millerjohnson.com Calder Plaza Building 250 Monroe Ave. NW, Suite 800 Grand Rapids, MI Rose Street Market Building 303 North Rose Street, Suite 600 Kalamazoo, MI