8/14/2013. HIPAA Privacy & Security 2013 Omnibus Final Rule update. Highlights from Final Rules January 25, 2013

Transcription

1 HIPAA Privacy & Security 2013 Omnibus Final Rule update Dan Taylor, Infinisource Copyright 2013 All rights reserved. Highlights from Final Rules January 25, 2013 Made business associates directly liable Increased civil monetary penalties Updated privacy rule to include GINA requirements Strengthened PHI use and disclosure limitations Prohibited sale of PHI without consent Highlights from Final Rules January 25, 2013 Expanded individual rights to electronic records Required updates and redistribution of NPP Created more objective standard for determination of harm Compliance date September 23,

2 HIPAA Overview Health Insurance Portability & Accountability Act (HIPAA) Title I Portability Title II Administrative Simplification Privacy Security Breaches of unsecured PHI (HITECH Act) Genetic Information Nondiscrimination Act (GINA) Health Information Technology for Economic and Clinical Health Act (HITECH) Who s responsible? HIPAA applies to Covered entities Health plans (including insurers) Health care clearinghouses Health care providers (that transmit information electronically) Business associates of covered entities Subcontractors of business associates Business Associates Business associates are certain people and groups that work with covered entities on health related issues and have access to PHI. Business associates must comply with the terms of a business associate s contract and according to HITECH and Final Rules are now viewed equally liable as covered entities for Privacy, Security and HITECH. 2

3 Business Associates Business associates can include: Other covered entities, including insurers Third party administrators Lawyers Consultants, actuaries and accountants Insurance agents/brokers Vendors that use/access PHI Other professional and outsourcing relationships: Pharmacy Benefit Managers (PBM) Payroll service vendors HRA and FSA administrators ASPs and other data warehouses Enforcement changes Increased civil money penalties Investigation required if willful neglect is possible Prohibits penalties if violation corrected timely and due to reasonable cause, unless violation is due to willful neglect Secretary has discretion to conduct compliance reviews if no indication of willful neglect Consequences for noncompliance Updated violations and respective penalties Violation Category Each violation Calendar year maximum Did not know $100 to $50,000 $1,500,000 Reasonable cause $1,000 to $50,000 $1,500,000 Willful neglect, $10,000 to $50,000 $1,500,000 corrected Willful neglect, not corrected $50,000 $1,500,000 3

4 OCR Enforcement July 11, 2013 WellPoint pays HHS $1.7 million for leaving information accessible over Internet Wellpoint filed breach report indicating security weaknesses in an online application database made ephi accessible for over 612,000 individuals HHS concluded Wellpoint did not implement appropriate administrative and technical safeguards OCR Enforcement January 2, 2013 Hospice of North Idaho (HONI) agrees to pay $50,000 due to stolen laptop First settlement involving breach affecting fewer than 500 HONI reported stolen laptop to HHS Laptop was unencrypted and included ephi for 441 individuals HHS concluded HONI did not conduct risk analysis to safeguard PHI and did not have policies and procedures to address mobile device security as required The Privacy Rule Establishes national standards to protect individuals medical records personal health information Requires appropriate safeguards to protect the privacy of personal health information Sets limits and conditions on the uses/disclosures that may be made without patient authorization 4

5 The Privacy Rule (continued) Gives individuals rights related to their PHI: Request restrictions to PHI Receive confidential communications Access to PHI, including electronic records Amend PHI Accounting of disclosures Paper copy of Notice of Privacy Practices Protected Health Information (PHI) What is PHI? Health information relating to past, present or future physical or mental health of any employee (active or terminated) Includes genetic information (GINA) Health information that identifies an individual (individually identifiable) Created or used by covered entity or business associate PHI and its Proper Care PHI includes Reports Claim forms Substantiation documents Some communication notes Account information Data at rest and data in transmission Paper based and electronic data 5

6 Written Authorization Uses and disclosures of PHI that require written authorization Most uses and disclosures of psychotherapy notes Uses and disclosures for marketing purposes Sale of PHI Authorization must state that disclosure will result in remuneration to the covered entity Or, for any other reason than: (TPO) Treatment, Payment or Health Care Operations Compliance investigations (federal, state, DHHS/OCR) Public health issues Notice of Privacy Practices (NPP) Notify participants of their HIPAA Privacy rights HHS Office for Civil Rights (OCR) requires All enrolled employees receive it In writing and on benefits website (if applicable) At enrollment, upon request, within 60 days of material change to notice Final Rule requirement to resend NPP Notice of Privacy Practices must be re sent with updates pertaining to: Prohibition for health plans to disclose PHI that is genetic information for underwriting purposes Prohibition of sale of PHI without written consent Duty of covered entity to notify affected individuals id of a breach of unsecured PHI If entity previously stated intent to fundraise in NPP, let individual know of right to opt out Right to restrict disclosure of PHI to health plan when health care is paid out of pocket in full 6

7 Breach of unsecured PHI Breach defined as the acquisition, access, use or disclosure of protected health information in a manner not permitted (under subpart E) which compromises the security or privacy of the protected health information. Unsecured PHI Not encrypted Not destroyed Breach exceptions Exceptions to breaches of unsecured PHI Unintentional acquisition, access or use by workforce member or authorized individual Inadvertent disclosure to authorized individual Good faith belief that unauthorized person would not reasonably retain ti PHI Risk assessment Final rules eliminate harm standard Aside from exceptions, breach is presumed unless low probability of compromise based on risk assessment of The nature and extent of the PHI involved including types of identifiers and likelihood of re identification The unauthorized person who used the PHI or to whom the disclosure was made Whether the PHI was actually acquired or viewed The extent to which the risk to the PHI has been mitigated 7

8 Breach requirements If breach occurs, you must Notify affected individuals in writing Report breach to HHS Within 60 days if more than 500 affected Within 60 days of end of calendar year if under 500 Notify media with 60 days if 500 or more residents affected Action Plan Review business associate agreements Update privacy policies and procedures Genetic information is PHI Sale of PHI prohibited without written consent Rights to electronic records Update & resend HIPAA Notice of Privacy Practices Train (or re train) workforce members Update process/criteria for determining if a breach has occurred Available Resources Federal Register Office for Civil Rights (HHS enforcement agency) Breaches affecting 500 or more achnotificationrule/breachtool.html 8

9 Additional Resources HHS Omnibus Final Rule /pdf/ pdf HHS news release Mobile Devices: Know the RISKS Final Thoughts Final Rules up the ante on HIPAA compliance Notification requirements are detailed and specific Penalty/publicity scheme make HIPAA compliance more important than ever Privacy and security are growingconcernin public, insecure world HIPAA enforcement is increasing Penalties are higher, more prevalent Stay alert and educate your workforce Thank you for viewing!