HIPAA COMPLIANCE ROADMAP AND CHECKLIST FOR BUSINESS ASSOCIATES


The Health Information Technology for Economic and Clinical Health Act (HITECH Act), enacted as part of the American Recovery and Reinvestment Act of 2009, marks a fundamental change in the federal government's approach to ensuring compliance with the HIPAA privacy and security rules.[1] Under the HITECH Act, the federal government, in an effort to strengthen HIPAA, has enacted a rigorous enforcement strategy that includes stricter privacy and security standards, increased penalties for violations, and expanded federal and state enforcement authority, all of which are now directly applicable to Business Associates (BAs).

In the past, BAs only had contractual liability under HIPAA. The HITECH Act changes BAs' obligations and exposure under HIPAA from purely contractual to both contractual and statutory. This means that in addition to being liable under their business associate agreements (BAAs), BAs will now be subject to many of the legal requirements set forth in the HIPAA privacy and security rules, including civil and criminal penalties.

Further, the HITECH Act has expanded the definition of BAs under HIPAA. This means that certain vendors of personal health records (PHR) systems and certain data transmission organizations, such as Regional Health Information Organizations (RHIOs), are now considered BAs and subject to HIPAA. The definition of BAs was further expanded to include subcontractors of BAs, pursuant to a Proposed Rule published on July 14, 2010 to implement the privacy, security, and enforcement provisions of the HITECH Act (the Proposed HITECH Rule).

Foley's Health Care Industry Team has designed this roadmap (Roadmap) to assist BAs in their compliance efforts with the new HIPAA legal requirements by highlighting key provisions and outlining steps to aid in their quest for HIPAA compliance. To further aid BAs in their compliance activities, a high-level checklist (Checklist) is included at the end of this Roadmap. Although most of the provisions discussed below technically became effective on February 17, 2010 under the HITECH statute, the Department of Health and Human Services (HHS) has indicated in the Proposed HITECH Rule that it will not enforce compliance until 180 days after the effective date of a final rule (the Final HITECH Rule) that will incorporate changes based on public comments to the Proposed HITECH Rule.

Who Are BAs?

Prior to enactment of the HITECH Act, BAs were generally defined to include entities engaged in certain administrative activities or services for or on behalf of covered entities (CEs) which required access to protected health information (PHI), including claims processing, billing, benefit management, utilization review, management services, and consulting services. However, under HITECH, the definition of a BA has been expanded to include the following organizations:

- Organizations providing PHI data transmission to CEs, such as Health Information Exchange Organizations, RHIOs, and e-prescribing gateways
- Vendors contracting with CEs to provide PHR systems to patients[2]

The Proposed HITECH Rule further expanded the definition of a BA to include subcontractors of BAs who perform functions or provide services to a BA which involve access to PHI other than in the capacity of a workforce member ("Subcontractors"). This expanded definition of what constitutes a BA now subjects many previously non-covered organizations to the HIPAA requirements governing the privacy of medical or health information. The expansion of BA status to Subcontractors, which is found in the Proposed HITECH Rule, is especially significant because, if included in the Final Rule, it will extend the requirements of HIPAA to a vast new class of vendors.

What Can Happen to BAs That Fail to Comply With HIPAA?

BAs will be subject to periodic audits by the Office for Civil Rights (OCR), the HHS agency responsible for monitoring and enforcing the HIPAA privacy and security rules. BAs found to be non-compliant will be considered to be in violation of the law and subject to the following:

- Civil monetary penalties (CMPs) of between $100 and $10,000 per violation, with maximum penalties of $1.5 million per calendar year
- Criminal penalties for HIPAA violations
- A mandatory HHS investigation and assessment of CMPs (in cases of willful HIPAA violations)
- Civil actions brought by state attorneys general for HIPAA violations that involve residents in their individual states

Key HIPAA BA Requirements

What Must BAs Do Under the New Security Breach Notification Requirements?

Perhaps the most significant provision in HITECH is a new breach notification requirement which applies to both covered entities (CEs) and BAs. This new requirement was implemented by an interim final rule (the Breach Notification Rule) published on August 24, 2009, effective September 23, 2009. Under this new requirement, BAs must notify the CEs with whom they contract of any breaches of unsecured PHI and, to the extent possible, identify the individuals whose information was compromised if the breach poses a significant risk of financial, reputational or other harm to the individual. Upon receiving notice of a reportable security breach, the CEs have the responsibility to notify the individuals whose information has been breached. In some circumstances, the CEs also will have to provide notice to HHS and to local media. Notification must take place without unreasonable delay and no later than 60 calendar days from discovery, as required by law. BAs will bear the burden of proof for demonstrating that any delay in notifying the CEs of a security breach was reasonable. Except as required by law enforcement officials, BAs must notify the CEs no later than 60 calendar days from the date of discovery.

How do the new security breach notification requirements change a BA's obligations?

BAs are currently obligated by their BAAs to notify CEs of unauthorized uses or disclosures of PHI, as well as security incidents. The HITECH Act expands this requirement and requires BAs to notify CEs of any security breach of unsecured PHI discovered by the BAs. The HITECH Act defines security breach to include the unauthorized acquisition, access, use, or disclosure of PHI that compromises the security or privacy of such information, with certain exceptions for inadvertent acquisition, access, or use of PHI by employees and agents.

an unauthorized acquisition, access, use, or disclosure of PHI compromises the privacy or security of PHI. The privacy or security of an individual's PHI is deemed compromised only if the unauthorized acquisition, access, use or disclosure poses a significant risk of financial, reputational or other harm to the individual. It is important to note that unless an exception applies, inappropriate acquisition, access, or use of unsecured PHI by employees which meets this test is considered a reportable security breach.

What information is covered by the new security breach notification requirements?

The security breach notification requirements apply only to unsecured PHI. HHS has issued guidance (HHS Guidance) defining the technologies and methodologies that secure PHI by rendering the data unusable, unreadable, or indecipherable. Essentially, PHI must be either encrypted or destroyed as described in the HHS Guidance to be considered secured. If PHI is secured in accordance with the HHS Guidance, then unauthorized access to or use or disclosure of such information will not trigger the security breach notification requirements. However, such breaches may still be subject to state law notification requirements, as discussed below.

When must CEs and BAs provide notice?

CEs are required to notify patients without unreasonable delay and in no case later than 60 calendar days after discovery of the breach. The date of discovery is not necessarily the date of actual discovery, but rather the date on which one should have discovered the breach using reasonable diligence. Therefore, CEs and BAs should make sure reasonable measures are in place to catch potential security breaches, and should properly train employees to be able to spot these potential breaches. BAs must report security breaches to CEs promptly enough to enable the CEs to notify the individuals within this deadline. It is likely that CEs will amend BAAs to impose tight deadlines on BAs to report security breaches to the CEs, so that the CEs will have time to meet their obligations.

What information is required in the notification?

BAs are required to include certain information about affected individuals in their reports to CEs to enable the CEs to properly notify affected individuals. The notification should include a brief description of the incident, including the date of the breach and the date it was discovered, and the type of unsecured PHI that was breached. CEs will likely require BAs to include additional information regarding the breach, as CEs may need additional information to satisfy their own requirements in providing notification to the affected individuals. In some circumstances, CEs may look to contractually obligate BAs who are the subject of a security breach to make the required notifications on behalf of the CEs. The BAs will then need to ensure their notification is compliant with HIPAA requirements.

How do the HIPAA security breach notification requirements affect BAs' obligations under state security breach notification requirements?

HIPAA does not preempt more stringent state laws. Essentially, this means that BAs subject to state security breach notification laws will continue to have to comply with those laws. BAs should consult with legal counsel for assistance with defining these obligations and conducting any necessary preemption analysis.

What should BAs do to comply with the new HIPAA security breach notification requirements?

BAs must develop policies and internal procedures to ensure a coordinated system for internal reporting of breaches of unsecured PHI, prompt internal investigation of alleged breaches, and reporting to the CEs with whom they contract. Please see the Checklist below for guidance on compliance with the security breach notification requirements.

What if BAs use subcontractors to provide services requiring access to PHI?

BAs that use Subcontractors will have to ensure that they contractually bind their Subcontractors to report security breaches in sufficient time to allow the BAs to report back to the CEs. BAs must also contractually bind their Subcontractors to all additional terms required of BAs by HIPAA, since the Subcontractors themselves are now deemed BAs. This includes, but is not limited to, requiring Subcontractors to develop similar policies, procedures, and processes for investigating and reporting breaches.

HIPAA Security Rule: What Must BAs Do to Comply With the HIPAA Security Rule?

Pursuant to the HITECH Act, BAs (including Subcontractors) must also be in full compliance with the HIPAA Security Rule standards and implementation specifications for administrative, physical, and technical safeguards.

How does application of the HIPAA Security Rule to BAs change a BA's obligations?

Compliance means that many BAs will need to do more than they have previously done in terms of securing electronic PHI. Even though BAs were contractually required under HIPAA prior to HITECH to implement appropriate administrative, physical and technical safeguards to protect electronic PHI, the measures, policies, and procedures that a BA previously had in place may be insufficient for HIPAA compliance after HITECH. The HIPAA Security Rule contains a series of very specific standards and implementation specifications. BAs must now comply with each of the specific standards and implementation specifications under HIPAA to the same extent as CEs.

What is the first step BAs should take to become compliant with the HIPAA Security Rule?

The first step in compliance is understanding the HIPAA Security Rule requirements and conducting a gap analysis to identify the areas where the BAs' information security systems and programs fall short of meeting the HIPAA Security Rule requirements. To aid in this process, see the Checklist at the end of this Roadmap. This Checklist should also help guide the BAs in compliance efforts under the HIPAA security breach notification requirements.

If BAs use subcontractors that will have access to the BAs' electronic systems, including electronic PHI, what should the BAs do to cover themselves?

As noted above, Subcontractors are now included within the definition of BAs. This means that BAs are, in effect, required to enter into a BAA with their Subcontractors incorporating all of the requirements that the BAs themselves must satisfy. Without limiting the foregoing, BAs should ensure that contracts with Subcontractors contain appropriate language to address information security and protect BAs from costs and liabilities associated with Subcontractors' security breaches or other violations of contract terms related to information security. BAs should consider developing an information security due diligence questionnaire to be provided to potential Subcontractors in order to evaluate their ability to protect PHI and other valuable data.

Statutory Liability for Business Associate Agreement Terms: What Else Must BAs Do to Comply With Other HIPAA Requirements?

Under the HITECH Act, BAs will have direct statutory as well as contractual liability for violations of HIPAA or the terms of their BAAs.

What are the initial steps BAs should take?

BAs should evaluate their current policies, procedures, and processes applicable to their ability to comply with HIPAA, as now required by statute as well as by their BAAs, to ensure they are robust and will facilitate compliance.

What other steps should BAs take in light of these new requirements?

Training of personnel will be even more critical, and existing policies and procedures should be evaluated. Policies on employee sanctions for violations of HIPAA and requirements in BAAs should be evaluated and strengthened.

Amendment to BAAs: What Should BAs Expect, and What Proactive Steps Should They Take?

In the Proposed HITECH Rule, HHS indicated that CEs and BAs will have up to a year after the effective date of the Final HITECH Rule to amend their BAAs to conform to HITECH's new requirements. Nevertheless, some CEs and BAs may choose to implement amendments sooner rather than later. In addition, CEs and BAs may want to develop new templates to use in contracting with any new BAs or Subcontractors. While additional amendments may be necessary once the Final HITECH Rule is issued, this will permit the parties to have agreements in place that are as up to date and protective as possible.

What new terms should BAs expect to find CEs inserting into BAAs?

With the increased public exposure that may result from breaches of unsecured PHI and the implications for their businesses, CEs are likely to require renegotiation of a broad range of business issues associated with the new HIPAA security breach notification requirements. BAAs can be expected to become more complex. Responsibility for costs associated with security breaches, as well as risk mitigation strategies in the event of a security breach, are likely to be key issues in BAAs. CEs will likely press for broad indemnification from BAs. Certain CEs may require BAs who are the subject of a security breach to make the required notifications on behalf of the CEs, and/or to be responsible for all costs associated with a security breach. The attached Checklist contains some additional information on preparing to renegotiate BAAs with CEs.

What can BAs do to proactively address the required amendment to BAAs?

BAs should consider drafting their own form amendments and should create or revise their existing template BAAs to incorporate the changes required under the HITECH Act. This will allow the BAs to create BAAs that contain the provisions required by law, and yet are drafted to be more favorable and less burdensome to the BAs. This may help to minimize negotiation of terms that are not required by law, but that CEs will insert into form agreements to benefit the CEs and to reallocate risk to the BAs.

What should BAs do about existing subcontract agreements?

These agreements should be amended to reflect the new applicable obligations of the BAs, and to address the fact that the Subcontractors themselves are now deemed BAs. BAs should insert appropriate language to address information security and protect the BAs from costs and liabilities associated with Subcontractors' security breaches or other violations of contract terms related to information security. The agreement between the BA and the Subcontractor may look much like the BAA between the CE and the BA.

Other New HIPAA Requirements: What Other New HIPAA Requirements Will Now Be Applicable to BAs?

Pursuant to the HITECH Act, both BAs and their CEs will be required to comply with a series of additional HIPAA requirements, including changes to the rules governing accounting of disclosures made from electronic records, a prohibition on the sale of PHI or an EHR, and new conditions on marketing communications. These and other requirements are addressed in the Proposed HITECH Rule and may be subject to change when the Final HITECH Rule is issued. As noted above, HHS has indicated that it will not enforce most of these requirements until 180 days after the enforcement date of the Final Rule.

[1] Throughout this document, the term HIPAA will be defined to include the provisions of the HITECH Act, unless otherwise specifically noted.

[2] Vendors that provide PHR systems, but do not do so on behalf of CEs, will be subject to security breach notification under the HITECH Act, which will be enforced by the FTC, rather than HHS.

CHECKLIST FOR BUSINESS ASSOCIATES

To assist BAs in complying with the changes to HIPAA under the HITECH Act, we have created the Checklist below. This document is intended to provide general, high-level guidance only and is not intended to provide or be a substitute for legal advice. BAs should consult legal counsel to understand their obligations under HIPAA and the HITECH Act. The following Checklist highlights key provisions in the HITECH Act that apply to BAs and provides a high-level outline of some important steps to aid a BA in achieving HIPAA compliance.

Compliance With the HIPAA Breach Notification Requirements

On August 24, 2009, HHS issued the Breach Notification Rule, which implements the security breach notification requirements found in the HITECH Act. The security breach notification requirements became effective for security breaches occurring on or after September 23, 2009. BAs which have not already done so should take the following steps to bring their organizations into compliance.

- Review existing policies and procedures to determine if they address security breach notification and identify modifications required for compliance with the Breach Notification Rule.
- Determine whether the organization is also subject to state breach notification requirements. If so, assess state law preemption and compliance issues as they relate to the HIPAA security breach notification requirements.
- Develop or refine security breach notification procedures to ensure that a centralized, coordinated security breach reporting system is in place. Consider the following:
  - The procedures should designate the individual responsible for ensuring that breaches involving PHI are investigated fully. This individual also should have the ultimate decision-making authority for determining whether there has been a reportable breach.
  - Procedures should provide for consultation with outside legal counsel as necessary for assistance with determining whether a reportable breach has occurred and, if so, when it was discovered.
  - The procedures should ensure that breaches are reported to the CEs without unreasonable delay.
  - The procedures must ensure that individuals whose information has been compromised are appropriately identified, if possible, and reported to the CEs.
  - The procedures should require that employees be trained on the reporting procedures and the requirements for handling PHI.
  - The procedures should include appropriate sanctions for employees who mishandle PHI.
- Evaluate the PHI that the BA's organization controls and determine whether that PHI can be encrypted or destroyed so that it will be considered secured and not subject to the HIPAA security breach notification requirements.
- Modify and update any existing security breach notification policies as necessary to comply with HIPAA and state law. Obtain outside legal review of this policy to ensure that it complies with the HIPAA and state law requirements.
- Consider risk prevention and mitigation strategies for security breaches. Consider how the organization can enhance its security system to decrease the risk of a breach of unsecured PHI.
- Evaluate the organization's insurance coverage to determine if it covers costs associated with security breaches of PHI.

Compliance With the HIPAA Security Rule

BAs should take the following steps to assure compliance with the HIPAA Security Rule:

- Conduct an organizational risk analysis to identify whether the HIPAA security standards and implementation requirements are met. An audit tool should be used to assist with the initial risk assessment or gap analysis. The gap analysis should address each of the following implementation standards:
  - Administrative safeguards: HIPAA requires that BAs have certain administrative safeguards, including the following: (i) a security management process, (ii) an individual with assigned security responsibility, (iii) appropriate workforce security policies and procedures, (iv) policies and procedures for information access management, (v) a program of security awareness and training, (vi) security incident procedures, (vii) a contingency plan, and (viii) periodic evaluations of compliance with the HIPAA Security Rule.
  - Physical safeguards: HIPAA requires that BAs have certain physical safeguards, including implementation and maintenance of policies and procedures on facility access controls, policies and procedures on workstation use, workstation security, and device and media controls.
  - Technical safeguards: HIPAA requires that BAs implement certain technical safeguards, including access controls, audit controls, integrity policies, person or entity authentication procedures, and transmission security procedures for PHI.
- Develop written policies and procedures for each HIPAA standard listed above. Please note that each of the implementation standards above has numerous requirements. HIPAA requires that written policies and procedures be created that address each standard and each of the specific implementation specifications in the HIPAA Security Rule. These written policies and procedures are subject to record retention requirements of six years.
- Obtain review of policies and procedures to ensure legal compliance.
- Train staff on HIPAA privacy and security rule requirements and the consequences of violation.

Amendment of BAAs

Though not required for up to one year following the effective date of the Final HITECH Rule, consideration should be given to amending BAAs to incorporate applicable changes to HIPAA under the HITECH Act. BAs should consider the following:

- Draft template amendments and revise (or create) new template BAAs to incorporate the changes required under the HITECH Act.
- Proactively provide such templates to CEs.
- Be prepared for increasing complexity in negotiating BAAs with CEs, including the following:
  - CEs may conduct due diligence prior to contracting to determine whether BAs are HIPAA-compliant and whether a BA's security profile provides sufficient protection for PHI.
  - CEs may negotiate broad indemnification or cost-allocation provisions with their BAs to cover the CEs' exposure to costs associated with security breach notification requirements, potential reputational damage, and civil liability arising from BAs' breaches of unsecured PHI.
- Check underlying services agreements for provisions addressing data privacy, security, and confidentiality to identify terms that conflict with the BAAs or place additional obligations on the BA.
- Amend subcontract agreements to address new obligations that have been imposed on the BA and its Subcontractors under the HITECH Act. Consider inserting appropriate language to address information security and to protect the BA from costs and liabilities associated with Subcontractors' security breaches or other violations of contract terms related to information security.

Inventory HIPAA-Related Policies

BAs are directly liable under HIPAA for violations of the Privacy, Security and Breach Notification Rules. BAs should consider the following:

- Evaluate current policies, procedures, and processes applicable to compliance with these rules to ensure they are robust and will facilitate compliance.
- Evaluate training procedures for personnel.
- Review and strengthen policies on employee sanctions for violations of HIPAA, the HITECH Act, or requirements in BAAs.

2010 Foley & Lardner LLP. Attorney Advertisement. Prior results do not guarantee a similar outcome. 321 North Clark Street, Chicago, IL


More information

PATTERSON MEDICAL SUPPLY, INC. HIPAA BUSINESS ASSOCIATE AGREEMENT WITH CUSTOMERS

PATTERSON MEDICAL SUPPLY, INC. HIPAA BUSINESS ASSOCIATE AGREEMENT WITH CUSTOMERS PATTERSON MEDICAL SUPPLY, INC. HIPAA BUSINESS ASSOCIATE AGREEMENT WITH CUSTOMERS This HIPAA Business Associate Agreement ( BA Agreement ), effective as of the last date written on the signature page attached

More information

HIPAA The Health Insurance Portability and Accountability Act of 1996

HIPAA The Health Insurance Portability and Accountability Act of 1996 HIPAA The Health Insurance Portability and Accountability Act of 1996 Results Physiotherapy s policy regarding privacy and security of protected health information (PHI) is a reflection of our commitment

More information

Fifth National HIPAA Summit West

Fifth National HIPAA Summit West Fifth National HIPAA Summit West Privacy and Security under the HITECH Act W. Reece Hirsch Paul T. Smith, Partner, Partner, Hooper, Lundy & Bookman 1 Developments The Health Information Technology for

More information

Business Associate Agreement

Business Associate Agreement This Business Associate Agreement Is Related To and a Part of the Following Underlying Agreement: Effective Date of Underlying Agreement: Vendor: Business Associate Agreement This Business Associate Agreement

More information

Interpreters Associates Inc. Division of Intérpretes Brasil

Interpreters Associates Inc. Division of Intérpretes Brasil Interpreters Associates Inc. Division of Intérpretes Brasil Adherence to HIPAA Agreement Exhibit B INDEPENDENT CONTRACTOR PRIVACY AND SECURITY PROTECTIONS RECITALS The purpose of this Agreement is to enable

More information

NOTIFICATION OF PRIVACY AND SECURITY BREACHES

NOTIFICATION OF PRIVACY AND SECURITY BREACHES NOTIFICATION OF PRIVACY AND SECURITY BREACHES Overview The UT Health Science Center at San Antonio (Health Science Center) is required to report all breaches of protected health information and personally

More information

Long-Awaited HITECH Final Rule: Addressing the Impact on Operations of Covered Entities and Business Associates

Long-Awaited HITECH Final Rule: Addressing the Impact on Operations of Covered Entities and Business Associates Long-Awaited HITECH Final Rule: Addressing the Impact on Operations of Covered Entities and Business Associates March 7, 2013 Brad M. Rostolsky Partner Reed Smith LLP brostolsky@reedsmith.com Nancy E.

More information

The wait is over HHS releases final omnibus HIPAA privacy and security regulations

The wait is over HHS releases final omnibus HIPAA privacy and security regulations The wait is over HHS releases final omnibus HIPAA privacy and security regulations The Department of Health and Human Services (HHS) published long-anticipated (and longoverdue) omnibus regulations under

More information

Changes to HIPAA Privacy and Security Rules

Changes to HIPAA Privacy and Security Rules Changes to HIPAA Privacy and Security Rules STEPHEN P. POSTALAKIS BLAUGRUND, HERBERT AND MARTIN 300 WEST WILSON BRIDGE ROAD, SUITE 100 WORTHINGTON, OHIO 43085 SPP@BHMLAW.COM PERSONNEL COUNCIL FRANKLIN

More information

Coping with, and Taking Advantage of, HIPAA s New Rules!! Deven McGraw Director, Health Privacy Project April 19, 2013!

Coping with, and Taking Advantage of, HIPAA s New Rules!! Deven McGraw Director, Health Privacy Project April 19, 2013! Coping with, and Taking Advantage of, HIPAA s New Rules!!! Deven McGraw Director, Health Privacy Project April 19, 2013! Status of Federal Privacy Regulations! Omnibus Rule (Data Breach, Enforcement, HITECH,

More information

MEMORANDUM. Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know

MEMORANDUM. Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know 1801 California Street Suite 4900 Denver, CO 80202 303-830-1776 Facsimile 303-894-9239 MEMORANDUM To: Adam Finkel, Assistant Director, Government Relations, NCRA From: Mel Gates Date: December 23, 2013

More information

OCR Phase II Audit Protocol Breach Notification. HIPAA COW Spring Conference 2017 Page 1 Boerner Consulting, LLC

OCR Phase II Audit Protocol Breach Notification. HIPAA COW Spring Conference 2017 Page 1 Boerner Consulting, LLC Audit Type Section Key Activity Established Performance Criteria Audit Inquiry 12 Samples Requested Breach 164.414(a) Administrative 164.414(a) 164.414(a) 5 Inquiry of Mgmt Requirements Administrative

More information

NPRM: Modifications to the HIPAA Privacy, Security, and Enforcement Rules under HITECH

NPRM: Modifications to the HIPAA Privacy, Security, and Enforcement Rules under HITECH NPRM: Modifications to the HIPAA Privacy, Security, and Enforcement Rules under HITECH Speakers Lisa A. Gallagher, BSEE, CISM, CPHIMS Senior Director, Privacy and Security HIMSS lgallagher@himss.org Amy

More information

UNDERSTANDING HIPAA & THE HITECH ACT. Heather Deixler, Esq. Associate, Morgan, Lewis & Bockius LLP

UNDERSTANDING HIPAA & THE HITECH ACT. Heather Deixler, Esq. Associate, Morgan, Lewis & Bockius LLP UNDERSTANDING HIPAA & THE HITECH ACT Heather Deixler, Esq. Associate, Morgan, Lewis & Bockius LLP 1 Objectives of Presentation Learn what HIPAA is Learn the purpose of HIPAA Understand who HIPAA regulates

More information

HIPAA Basic Training for Health & Welfare Plan Administrators

HIPAA Basic Training for Health & Welfare Plan Administrators 2010 Human Resources Seminar HIPAA Basic Training for Health & Welfare Plan Administrators Norbert F. Kugele What We re going to Cover Important basic concepts Who needs to worry about HIPAA? Complying

More information

HIPAA Breach Notice Rules New notice requirements for HIPAA covered entities when there is a breach of Protected Health Information (PHI)

HIPAA Breach Notice Rules New notice requirements for HIPAA covered entities when there is a breach of Protected Health Information (PHI) HIPAA Breach Notice Rules New notice requirements for HIPAA covered entities when there is a breach of Protected Health Information (PHI) On August 24, 2009, the Department of Health and Human Services

More information

45 CFR Part 164. Interim Final Rule Breach Notification for Unsecured Protected Health Information

45 CFR Part 164. Interim Final Rule Breach Notification for Unsecured Protected Health Information 45 CFR Part 164 Interim Final Rule Breach Notification for Unsecured Protected Health Information Full Preamble and Rule at http://edocket.access.gpo.gov/2009/pdf/e9-20169.pdf The Interim Final Rule also

More information

Omnibus Components. Not in Omnibus. HIPAA/HITECH Omnibus Final Rule

Omnibus Components. Not in Omnibus. HIPAA/HITECH Omnibus Final Rule Office of the Secretary Office for Civil Rights () HIPAA/HITECH Omnibus Final Rule April 12, 2013 HHS Office for Civil Rights Omnibus Components Final Rule on HITECH Privacy, Security, & Enforcement Provisions

More information

HIPAA OMNIBUS RULE. The rule makes it easier for parents and others to give permission to share proof of a child s immunization with a school

HIPAA OMNIBUS RULE. The rule makes it easier for parents and others to give permission to share proof of a child s immunization with a school ASPPR The omnibus rule greatly enhances a patient s privacy protections, provides individuals new rights to their health information, and strengthens the government s ability to enforce the law. The changes

More information

Getting a Grip on HIPAA

Getting a Grip on HIPAA Getting a Grip on HIPAA Privacy and Security of Health Information in the Post-HITECH Age Jean C. Hemphill hemphill@ballardspahr.com 215.864.8539 Edward I. Leeds leeds@ballardspahr.com 215.864.8419 Amy

More information

Business Associate Agreement Health Insurance Portability and Accountability Act (HIPAA)

Business Associate Agreement Health Insurance Portability and Accountability Act (HIPAA) Business Associate Agreement Health Insurance Portability and Accountability Act (HIPAA) This Business Associate Agreement (the Agreement ) is made and entered into by and between Washington Dental Service

More information

The Guild for Exceptional Children HIPAA Breach Notification Policy and Procedure

The Guild for Exceptional Children HIPAA Breach Notification Policy and Procedure The Guild for Exceptional Children HIPAA Breach Notification Policy and Procedure Purpose To provide for notification in the case of breaches of Unsecured Protected Health Information ( Unsecured PHI )

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT BEST PRACTICES: A COMPLIANCE SOLUTION FOR THE TICKING CLOCK AND THE DRACONIAN CIVIL AND CRIMINAL PENALTIES

HIPAA BUSINESS ASSOCIATE AGREEMENT BEST PRACTICES: A COMPLIANCE SOLUTION FOR THE TICKING CLOCK AND THE DRACONIAN CIVIL AND CRIMINAL PENALTIES HIPAA BUSINESS ASSOCIATE AGREEMENT BEST PRACTICES: A COMPLIANCE SOLUTION FOR THE TICKING CLOCK AND THE DRACONIAN CIVIL AND CRIMINAL PENALTIES January 23, 2014 I. Executive Summary I: The HIPAA Final Rule

More information

Highlights of the Omnibus HIPAA/HITECH Final Rule

Highlights of the Omnibus HIPAA/HITECH Final Rule Highlights of the Omnibus HIPAA/HITECH Final Rule Health Law Whitepaper Katherine M. Layman 215.665.2746 klayman@cozen.com Gregory M. Fliszar 215.665.7276 gfliszar@cozen.com Judy Wang Mayer 215.665.4737

More information

Long-Awaited HITECH Final Rule: Addressing the Impact on Operations of Covered Entities and Business Associates

Long-Awaited HITECH Final Rule: Addressing the Impact on Operations of Covered Entities and Business Associates Long-Awaited HITECH Final Rule: Addressing the Impact on Operations of Covered Entities and Business Associates November 7, 2013 Brad M. Rostolsky Partner Reed Smith LLP brostolsky@reedsmith.com Nancy

More information

HIPAA Background and History

HIPAA Background and History Agenda Jeffery P. Drummond Lawyers as HIPAA Business Associates: Ethical Obligations and Practical Tips for Compliance Dallas Bar Association January 17, 2018 Jamie Sorley An Overview of HIPAA The Privacy

More information

SUBCONTRACTOR BUSINESS ASSOCIATE AGREEMENT

SUBCONTRACTOR BUSINESS ASSOCIATE AGREEMENT SUBCONTRACTOR BUSINESS ASSOCIATE AGREEMENT (Revised on March 1, 2016) THIS HIPAA SUBCONTRACTOR BUSINESS ASSOCIATE AGREEMENT (the BAA ) is entered into on (the Effective Date ), by and between ( EMR ),

More information

ALERT. November 20, 2009

ALERT. November 20, 2009 ALERT HIPAA PRIVACY FOR EMPLOYERS HAS CHANGED. IMMEDIATE ACTION IS REQUIRED. November 20, 2009 The American Recovery and Reinvestment Act of 2009 ( ARRA ) also known as the Economic Stimulus Bill made

More information

H E A L T H C A R E L A W U P D A T E

H E A L T H C A R E L A W U P D A T E L O U I S V I L L E. K Y S E P T E M B E R 2 0 0 9 H E A L T H C A R E L A W U P D A T E L E X I N G T O N. K Y B O W L I N G G R E E N. K Y N E W A L B A N Y. I N N A S H V I L L E. T N M E M P H I S.

More information

HIPAA 2014: Recent Changes from HITECH and the Omnibus Rule. Association of Corporate Counsel Houston Chapter October 14, 2014.

HIPAA 2014: Recent Changes from HITECH and the Omnibus Rule. Association of Corporate Counsel Houston Chapter October 14, 2014. HIPAA 2014: Recent Changes from HITECH and the Omnibus Rule Association of Corporate Counsel Houston Chapter October 14, 2014 Jeffery P. Drummond Jackson Walker L.L.P. 901 Main Street, Suite 6000 Dallas,

More information

LEGAL ISSUES IN HEALTH IT SECURITY

LEGAL ISSUES IN HEALTH IT SECURITY LEGAL ISSUES IN HEALTH IT SECURITY Webinar Hosted by Uluro, a Product of Transformations, Inc. March 28, 2013 Presented by: Kathie McDonald-McClure, Esq. Wyatt, Tarrant & Combs, LLP 500 West Jefferson

More information

HIPAA and Lawyers: Your stakes have just been raised

HIPAA and Lawyers: Your stakes have just been raised HIPAA and Lawyers: Your stakes have just been raised October 16, 2013 Presented by: Harry Nelson e: hnelson@fentonnelson.com Claire Marblestone e: cmarblestone@fentonnelson.com AGENDA Statutory & Regulatory

More information

ACC Compliance and Ethics Committee Presentation February 19, 2013

ACC Compliance and Ethics Committee Presentation February 19, 2013 ACC Compliance and Ethics Committee Presentation February 19, 2013 Melinda G. Murray Associate General Counsel, Holy Cross Hospital and Jill M. Girardeau Partner, Womble Carlyle Sandridge & Rice, LLP HIPAA

More information

HIPAA Compliance. PART I: HHS Final Omnibus HIPAA Rules

HIPAA Compliance. PART I: HHS Final Omnibus HIPAA Rules HIPAA Compliance PART I: HHS Final Omnibus HIPAA Rules Colin J. Zick Foley Hoag LLP (617) 832-1000 www.foleyhoag.com February 6, 2013 www.securityprivacyandthelaw.com HIPAA Compliance: PART I 1 Finally!

More information

AMA Practice Management Center, What you need to know about the new health privacy and security requirements

AMA Practice Management Center, What you need to know about the new health privacy and security requirements 1. HIPAA Security Rule Johns, Merida L., Information Security, in Johns, Merida L. (ed.) Health Information Management Technology, an Applied Approach, AHIMA: Chicago, IL, 2nd ed. 2007, chapter 19, pp.

More information

HIPAA Breach Notification Case Studies on What to Do and When to Report

HIPAA Breach Notification Case Studies on What to Do and When to Report HIPAA Breach Notification Case Studies on What to Do and When to Report AHLA Physicians and Physician Organizations and Hospitals and Health Systems Law Institute February 9 and10, 2012 Colleen M. McClorey,

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT This Agreement, dated as of, 2018 ("Agreement"), by and between, on its own behalf and on behalf of all entities controlling, under common control with or controlled

More information

Emma Eccles Jones College of Education & Human Services. Title: Business Associate Agreements

Emma Eccles Jones College of Education & Human Services. Title: Business Associate Agreements POLICY INFORMATION Document # 900 Revision # 1.0 Safeguard: Administrative Title: Business Associate Agreements Prepared by: J. Black Approved by: Dean Beth E. Foley Print Date: 8/29/2016 Date Prepared:

More information

HIPAA Privacy & Security. Transportation Providers 2017

HIPAA Privacy & Security. Transportation Providers 2017 HIPAA Privacy & Security Transportation Providers 2017 HIPAA Privacy & Security As a non emergency medical transportation provider, you deal directly with Medicare and Medicaid Members healthcare information

More information

2011 Miller Johnson. All rights reserved. 1. HIPAA Compliance: Privacy and Security Changes under HITECH HITECH. What is HITECH? Mary V.

2011 Miller Johnson. All rights reserved. 1. HIPAA Compliance: Privacy and Security Changes under HITECH HITECH. What is HITECH? Mary V. HIPAA Compliance: Privacy and Security Changes under HITECH Mary V. Bauman www.millerjohnson.com The materials and information have been prepared for informational purposes only. This is not legal advice,

More information

2013 HIPAA Omnibus Regulations: New Rules for Healthcare Providers and Collections Partners

2013 HIPAA Omnibus Regulations: New Rules for Healthcare Providers and Collections Partners 2013 HIPAA Omnibus Regulations: New Rules for Healthcare Providers and Collections Partners Providers, and Partners 2 Editor s Foreword What follows are excerpts from the U.S. Department of Health and

More information

[Name of Organization] HIPAA Incident/Breach Investigation Procedure 4

[Name of Organization] HIPAA Incident/Breach Investigation Procedure 4 Addendum II [Name of Organization] HIPAA Incident/Breach Investigation Procedure 4 I. Purpose To distinguish between (1) cases in which our HIPAA policy was not correctly followed but such violation did

More information

Privacy Rule Primer. 45 CFR Part 160 and Subparts A and E of Part CFR , 45 CFR CFR

Privacy Rule Primer. 45 CFR Part 160 and Subparts A and E of Part CFR , 45 CFR CFR Resource provided by Page 1 of 10 Contents I. The Privacy Rule The Fundamental HIPAA Rule... 1 II. Privacy Rule Overview... 1 III. Privacy Rule Standards and Implementation Specifications Covered in Section

More information

HIPAA Privacy Compliance Checklist

HIPAA Privacy Compliance Checklist HIPAA Privacy Compliance Checklist Task Obtain Education on HIPAA Privacy Requirements 1. HIPAA EDI requirements. 2. HIPAA privacy requirements. Organize the HIPAA Privacy Team and Create a Game Plan 1.

More information

RISK TRACK. Privacy and Data Protection

RISK TRACK. Privacy and Data Protection RISK TRACK Privacy and Data Protection Presenters Marti Arvin Chief Compliance Officer UCLA Health Sciences Phone: 310-794-6763 MArvin@mednet.ucla.edu Marti Arvin is the Chief Compliance Officer for UCLA

More information

Hayden W. Shurgar HIPAA: Privacy, Security, Enforcement, HITECH, and HIPAA Omnibus Final Rule

Hayden W. Shurgar HIPAA: Privacy, Security, Enforcement, HITECH, and HIPAA Omnibus Final Rule Hayden W. Shurgar HIPAA: Privacy, Security, Enforcement, HITECH, and HIPAA Omnibus Final Rule 1 IMPORTANCE OF STAFF TRAINING HIPAA staff training is a key, required element in a covered entity's HIPAA

More information

An Overview of the Impact of the American Recovery and Reinvestment Act of 2009 on the HIPAA Medical Privacy and Security Rules

An Overview of the Impact of the American Recovery and Reinvestment Act of 2009 on the HIPAA Medical Privacy and Security Rules Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. An Overview of the Impact of the American Recovery and Reinvestment Act of 2009 on the HIPAA Medical Privacy and Security Rules Alden J. Bianchi Updated

More information

The Impact of the Stimulus Act on HIPAA Privacy and Security

The Impact of the Stimulus Act on HIPAA Privacy and Security The Impact of the Stimulus Act on Webinar March 12, 2009 Practical Tools for Seminar Learning Copyright 2009 American Health Information Management Association. All rights reserved. Disclaimer The American

More information

Omnibus HIPAA Rule: Impact on Covered Entities

Omnibus HIPAA Rule: Impact on Covered Entities Presenting a live 90-minute webinar with interactive Q&A Omnibus HIPAA Rule: Impact on Covered Entities Complying with New Requirements, Managing Risk and Responding to a Data Breach TUESDAY, MARCH 12,

More information

Changes to HIPAA Under the Omnibus Final Rule

Changes to HIPAA Under the Omnibus Final Rule Changes to HIPAA Under the Omnibus Final Rule Kimberly J. Kannensohn and Nathan A. Kottkamp, McGuireWoods 1 The Long-Awaited HIPAA Final Rule On Jan. 17, 2013, the Department of Health and Human Services

More information

HITECH/HIPAA Omnibus Final Rule: Implications for Hospices. Elizabeth S. Warren May 3, 2013

HITECH/HIPAA Omnibus Final Rule: Implications for Hospices. Elizabeth S. Warren May 3, 2013 HITECH/HIPAA Omnibus Final Rule: Implications for Hospices Elizabeth S. Warren May 3, 2013 Final Rule is Finally Here Published January 25, 2013 (78 Fed. Reg. 5566) Effective March 26, 2013 Compliance

More information

HIPAA Compliance Guide

HIPAA Compliance Guide This document provides an overview of the Health Insurance Portability and Accountability Act (HIPAA) compliance requirements. It covers the relevant legislation, required procedures, and ways that your

More information

New. To comply with HIPAA notice requirements, all Providence covered entities shall follow, at a minimum, the specifications described below.

New. To comply with HIPAA notice requirements, all Providence covered entities shall follow, at a minimum, the specifications described below. Subject: Protected Health Information Breach Notification Policy Department: Enterprise Risk Management Services Executive Sponsor: SVP/Chief Risk Officer Approved by: Rod Hochman, MD President/CEO Policy

More information

Safeguarding Your HIPAA and Personal Health Information Data. Robert Hess, Office of General Counsel Steve Cosentino, Stinson Morrison Hecker

Safeguarding Your HIPAA and Personal Health Information Data. Robert Hess, Office of General Counsel Steve Cosentino, Stinson Morrison Hecker Safeguarding Your HIPAA and Personal Health Information Data Robert Hess, Office of General Counsel Steve Cosentino, Stinson Morrison Hecker 1 Overview» Patient information confidentiality Grant requirements

More information

HIPAA: Impact on Corporate Compliance

HIPAA: Impact on Corporate Compliance HIPAA: Impact on Corporate Compliance AAPC HEALTHCON April 2014 Stacy Harper, JD, MHSA, CPC Disclaimer The information provided is for educational purposes only and is not intended to be considered legal

More information

The American Recovery and Reinvestment Act of 2009: Health Information Privacy and Security Provisions Here We Go Again

The American Recovery and Reinvestment Act of 2009: Health Information Privacy and Security Provisions Here We Go Again ClientAdvisory The American Recovery and Reinvestment Act of 2009: Health Information Privacy and Security Provisions Here We Go Again February 26, 2009 On February 17, 2009, President Obama signed into

More information

New HIPAA-HITECH Proposed Regulations Issued

New HIPAA-HITECH Proposed Regulations Issued July 2010 New HIPAA-HITECH Proposed Regulations Issued On Thursday July 14, 2010, the Department of Health and Human Services (HHS) published proposed regulations in the Federal Register on many provisions

More information

FACT Business Associate Agreement

FACT Business Associate Agreement Policy Document #: 2.1.003 Revision: 3 Valid Date: 27June2012 Page 1 of 2 Effective Date: 27Jun2012 FACT Business Associate Agreement 1.0 Purpose The purpose of this document is to establish terms for

More information

ARRA 2009: Privacy and Security Provisions. Deven McGraw

ARRA 2009: Privacy and Security Provisions. Deven McGraw ARRA 2009: Privacy and Security Provisions Deven McGraw 1 Health Privacy Project at CDT Health IT and electronic health information exchange have tremendous potential to improve health care quality, reduce

More information

ARE YOU HIP WITH HIPAA?

ARE YOU HIP WITH HIPAA? ARE YOU HIP WITH HIPAA? Scott C. Thompson 214.651.5075 scott.thompson@haynesboone.com February 11, 2016 HIPAA SECURITY WHY SHOULD I CARE? Health plan fined $1.2 million for HIPAA breach. Health plan fined

More information

The American Recovery Reinvestment Act. and Health Care Reform Puzzle

The American Recovery Reinvestment Act. and Health Care Reform Puzzle The American Recovery Reinvestment Act and Health Care Reform Puzzle Carolyn Heyman-Layne Alaska HCCA Conference March 1, 2012 Comparison of Breach Notification Provisions in the HITECH Act 1 and the Alaska

More information

NETWORK PARTICIPATION AGREEMENT

NETWORK PARTICIPATION AGREEMENT NETWORK PARTICIPATION AGREEMENT THIS NETWORK PARTICIPATION AGREEMENT ( Agreement ) is entered into on the date(s) indicated below, by and between the undersigned physician (hereinafter Physician ; and

More information

"HIPAA FOR LAW FIRMS" WHAT EVERY LAW FIRM NEEDS TO KNOW ABOUT HIPAA

HIPAA FOR LAW FIRMS WHAT EVERY LAW FIRM NEEDS TO KNOW ABOUT HIPAA "HIPAA FOR LAW FIRMS" WHAT EVERY LAW FIRM NEEDS TO KNOW ABOUT HIPAA Jeanne M. Born, RN, JD SOUTH CAROLINA ASSOCIATION OF LEGAL ADMINISTRATORS THURSDAY, APRIL 14, 2016 Jborn@nexsenpruet.com What Every Law

More information

ARTICLE 1. Terms { ;1}

ARTICLE 1. Terms { ;1} The parties agree that the following terms and conditions apply to the performance of their obligations under the Service Contract into which this Exhibit is being incorporated. Contractor is providing

More information

New HIPAA Breach Rules NAHU presents the WHAT and WHYs. Agenda

New HIPAA Breach Rules NAHU presents the WHAT and WHYs. Agenda New HIPAA Breach Rules NAHU presents the WHAT and WHYs Presenters: David Smith JD, Vice President, Ebenconcepts Tom Jacobs JD, co-ceo eflexgroup Moderator: Ric Joyner CEBS CFCI, co-ceo, eflexgroup 1 Agenda

More information

HIPAA Compliance Under the Magnifying Glass

HIPAA Compliance Under the Magnifying Glass HIPAA Compliance Under the Magnifying Glass July 30, 2013 Stacy Harper, JD, MHSA, CPC A Webinar Provided by Presenter Stacy Harper Lathrop & Gage, LLP sharper@lathropgage.com 913-451-5125 The information

More information

Auditing for HIPAA Compliance: Evaluating security and privacy compliance in an organization that provides health insurance benefits to employees

Auditing for HIPAA Compliance: Evaluating security and privacy compliance in an organization that provides health insurance benefits to employees Auditing for HIPAA Compliance: Evaluating security and privacy compliance in an organization that provides health insurance benefits to employees San Antonio IIA: I HEART AUDIT CONFERENCE February 24,

More information

The HHS Breach Final Rule Is Out What s Next?

The HHS Breach Final Rule Is Out What s Next? The HHS Breach Final Rule Is Out What s Next? Webinar September 16, 2009 Practical Tools for Seminar Learning Copyright 2009 American Health Information Management Association. All rights reserved. Disclaimer

More information

HIPAA Information. Who does HIPAA apply to? What are Sync.com s responsibilities? What is a Business Associate?

HIPAA Information. Who does HIPAA apply to? What are Sync.com s responsibilities? What is a Business Associate? HIPAA Information Who does HIPAA apply to? HIPAA applies to all Covered Entities (entities that collect, access, use and/or disclose Protected Health Data (PHI) and are subject to HIPAA regulations). What

More information

Be Careful What You Wish For: The Final Rule Is Out

Be Careful What You Wish For: The Final Rule Is Out Be Careful What You Wish For: The Final Rule Is Out Theodore J. Kobus III tkobus@bakerlaw.com @tedkobus 212.271.1504 Lynn Sessions lsessions@bakerlaw.com @lynnsessions 713.646.1352 Toll Free 24-Hour Data

More information

BUSINESS ASSOCIATE AGREEMENT W I T N E S S E T H:

BUSINESS ASSOCIATE AGREEMENT W I T N E S S E T H: BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT ( this Agreement ) is made and entered into as of this day of 2015, by and between TIDEWELL HOSPICE, INC., a Florida not-for-profit corporation,

More information

HIPAA PRIVACY REQUIREMENTS. Dana L. Thrasher Constangy, Brooks & Smith, LLP (205)

HIPAA PRIVACY REQUIREMENTS. Dana L. Thrasher Constangy, Brooks & Smith, LLP (205) HIPAA PRIVACY REQUIREMENTS Dana L. Thrasher Constangy, Brooks & Smith, LLP dthrasher@constangy.com (205) 226-5464 1 REASONS FOR HIPAA PRIVACY RULES Perceived need for protection of individual health information

More information

True or False? HIPAA Update: Avoiding Penalties. Preliminaries. Kim C. Stanger IHCA (7/15)

True or False? HIPAA Update: Avoiding Penalties. Preliminaries. Kim C. Stanger IHCA (7/15) Protected Health Info HIPAA Update: Avoiding Penalties IHCA (7/15) Preliminaries This presentation is similar to any other legal education materials designed to provide general information on pertinent

More information

Omnibus Rule: HIPAA 2.0 for Law Firms

Omnibus Rule: HIPAA 2.0 for Law Firms Omnibus Rule: HIPAA 2.0 for Law Firms Introduction On January 25, 2013, the U.S. Department of Health and Human Services (HHS) issued the muchanticipated Omnibus Rule 1 finalizing changes to the HIPAA

More information

AGREEMENT PURSUANT TO THE TERMS OF HIPAA ; HITECH ; and FIPA (Business Associate Agreement) (Revised August 2015)

AGREEMENT PURSUANT TO THE TERMS OF HIPAA ; HITECH ; and FIPA (Business Associate Agreement) (Revised August 2015) AGREEMENT PURSUANT TO THE TERMS OF HIPAA ; HITECH ; and FIPA (Business Associate Agreement) (Revised August 2015) THIS AGREEMENT made the day of, 20, by and between HOSPICE OF MARION COUNTY, INC., a Florida

More information

GUIDE TO PATIENT PRIVACY AND SECURITY RULES

GUIDE TO PATIENT PRIVACY AND SECURITY RULES AMERICAN ASSOCIATION OF ORTHODONTISTS GUIDE TO PATIENT PRIVACY AND SECURITY RULES I. INTRODUCTION The American Association of Orthodontists ( AAO ) has prepared this Guide and the attachment to assist

More information