HIPAA Omnibus Rule: Critical Changes for Providers
Presented by Susan A. Miller, JD
Hosted by
Agenda
o What the Omnibus Rule includes, plus effective and compliance dates
o Security
o Breach Notification
o Enforcement
o Access to ePHI
o Right of Restriction
o Genetic Information Nondiscrimination Act (GINA)
o Immunization Records
o Decedents
o Notice of Privacy Practices
o Business Associates
Dates + 4 Rules
The Omnibus Final Rule is effective on March 26, 2013, and the compliance date is September 23, 2013. It finalizes four earlier rulemakings:
o July 2010 Notice of Proposed Rulemaking (NPRM) on HITECH privacy and security changes to HIPAA
o October 2009 NPRM on Genetic Information Nondiscrimination Act (GINA) changes to HIPAA
o August 2009 Interim Final Rule (IFR) on HIPAA Breach Notification
o October 2009 IFR on the HIPAA Enforcement Rule
Security
The Omnibus Rule regulations all have security impacts:
o Business Associates must implement all the Security Rule standards and implementation specifications
o Subcontractors are now Business Associates and must likewise implement all the Security Rule standards and implementation specifications
o Business Associates are directly liable for compliance with all requirements of the HIPAA Security Rule
o The privacy updates for sale of PHI, right of restriction, and GINA will require segregating (or flagging) this special data from other ePHI so it can be handled differently
o A breach may result from an act or omission involving paper PHI or ePHI
Security
The HIPAA Security Rule now applies directly to Business Associates: they must comply with the applicable standards, implementation specifications, and requirements with respect to electronic protected health information (45 C.F.R. 164.302, Applicability).
Almost every provision in the Security Rule that read "covered entity" now reads "covered entity or business associate".
Business Associate + the Security Rule
Business Associates are now responsible for:
o 164.306 Security standards: General rules
o 164.308 Administrative safeguards, including 164.308(a)(1)(ii)(A) Risk analysis (Required)
o 164.310 Physical safeguards
o 164.312 Technical safeguards
o 164.314 Organizational requirements, including 164.314(a)(1) Standard: Business associate contracts or other arrangements
o 164.316 Policies and procedures and documentation requirements
Breach Notification
HITECH Act: the first federal law mandating breach notification for the health care industry. It applies to:
o Covered Entities (CEs)
o Business Associates (BAs)
o Personal Health Record (PHR) vendors and PHR service providers
The Federal Trade Commission (FTC) regulates PHR vendors; Health and Human Services (HHS) regulates CEs and BAs.
Breach Notification: Remember State Law
46 states (plus DC, Puerto Rico, and the Virgin Islands) have breach notification laws. Evaluate state law as well as the Omnibus Rule requirements for:
o Trigger
o Timing
o Content
o Recipients
Data Breach Notification Overview
Upon discovery of a breach of unsecured protected health information (PHI), Covered Entities and Business Associates must make notifications, subject to certain exceptions.
Definition of Breach
Breach: the acquisition, access, use, or disclosure of unsecured PHI
o in a manner not permitted by the HIPAA Privacy Rule
o that compromises the security or privacy of the PHI
So far so good, but...
Omnibus Final Rule Presumption
An impermissible acquisition, access, use, or disclosure of unsecured PHI is presumed to be a reportable breach UNLESS the entity demonstrates that there is a low probability that the PHI has been compromised ("lo pro co").
"Compromise" is not defined by the HIPAA Rules; from the preamble: inappropriately viewed, re-identified, re-disclosed, or otherwise misused.
Breach Risk Assessment
A documented risk assessment needs to demonstrate that there is a low probability that the PHI has been compromised. Four mandatory factors:
o What PHI: the nature and extent of the PHI involved
o Who: the unauthorized person who used the PHI or to whom the disclosure was made
o Acquired: whether the PHI actually was acquired or viewed
o Mitigation: the extent to which the risk to the PHI has been mitigated
Other factors may be considered; the evaluation is of the overall probability that the PHI has been compromised.
Breach Risk Assessment
The risk assessment must be:
o Thorough
o Completed in good faith
o Supported by reasonable conclusions
The entity has discretion to provide notification without performing a risk assessment.
Timing of Notice
o Notification must be made without unreasonable delay
o No more than 60 days after discovery
o Subject to law enforcement delay
Discovery
Discovery of a breach occurs when:
o the entity has actual knowledge of the breach, including through a workforce member or agent (but not the person committing the breach), or
o using reasonable diligence, the entity would have known of the breach
Practical Steps
o Revise breach notification policies and procedures
o Revisit (or perform) the Security Risk Analysis
o Develop or revisit the Security Incident Response Plan
o Pay special attention to portable media and personal devices
o Train the entire workforce on:
  - Avoidance
  - Alertness to potential breaches
  - Response to a breach
Practical Steps
o Prepare an incident response team
o Be ready to respond to news media attention; have a designated spokesperson
o Consider tightening Business Associate Agreements, particularly for agents
o Encryption! Make the most of the encryption safe harbor, and verify document destruction. The HHS guidance, built on National Institute of Standards and Technology (NIST) publications, specifies the technologies and methodologies that render PHI unusable, unreadable, or indecipherable to unauthorized individuals
o Audit access to PHI and enforce policies
Increased Enforcement
o The HITECH Act significantly strengthened HIPAA enforcement
o The Interim Final Rule of October 2009 created 4 categories of culpability with corresponding penalties, and took effect immediately
o Omnibus Rule = Final Enforcement Rule
o The Enforcement Rule applies to Covered Entities and Business Associates
Increased Enforcement: Focus on Willful Neglect
o Willful Neglect: conscious, intentional failure or reckless indifference to the obligation to comply with HIPAA
o OCR will investigate all cases of possible willful neglect
o OCR will impose a penalty on all violations due to willful neglect
Increased Enforcement: Penalty Tiers

Violation Category                          Each Violation       All Identical Violations, Calendar Year
Did Not Know                                $100 - $50,000       $1,500,000
Reasonable Cause                            $1,000 - $50,000     $1,500,000
Willful Neglect, corrected within 30 days   $10,000 - $50,000    $1,500,000
Willful Neglect, not corrected              $50,000              $1,500,000

Limits are per type of violation per calendar year, e.g., four types of continuous violations over three years could equal 4 x 3 x $1,500,000 = $18 million.
What to Do Now! Create a Culture of Compliance
OCR is aggressively enforcing the HIPAA Privacy, Breach Notification, and Security Rules. OCR suggests that Covered Entities and Business Associates should have a robust HIPAA Privacy and Security Compliance Program, including:
o Employee training
o Vigilant implementation of policies and procedures
o A prompt plan to respond to incidents and breaches
o Regular internal audits
Sample Fines
o CVS: Privacy, $2.25M, 2009: Complaint
o Cignet: Privacy, $4.3M, 2011: Civil Money Penalty (CMP), Complaint
o Phoenix Cardiac Surgery: Privacy & Security, $100K, 2012: OCR Audit
o MEEI (Massachusetts Eye and Ear Infirmary): Security, $1.5M, 2012: Self-reported breach
o BCBS Tennessee: $1.5M, 2012: Self-reported breach
o Alaska Medicaid: Security, $1.7M, 2012: Self-reported breach
o Hospice of North Idaho: Security, $50,000, 2013: Self-reported breach affecting fewer than 500 individuals
PLUS onerous Corrective Action Plans
Right of Access
Under the Omnibus Rule the Right of Access:
o Requires the Covered Entity to provide a copy of the electronic protected health information (ePHI) maintained in one or more designated record sets to the individual electronically, in the form and format requested if readily producible, or otherwise in a readable electronic form and format as agreed upon
o The individual may direct the Covered Entity to send the ePHI to a third party
o The Covered Entity needs new policies and procedures to verify such requests
Right of Restriction
Under the Omnibus Rule the Right of Restriction:
o An individual may request that their health care provider (a Covered Entity) not disclose information to their health plan if the individual, or a family member, pays in full for the service or care
o This restriction applies only to disclosures to health plans and their Business Associates
o The provider is required to grant the request
o Providers are not required to notify other providers of the restriction
GINA
o Genetic information is broadly defined to include the manifestation of a disease or disorder in a family member of an individual, in addition to genetic tests of individuals and family members and the receipt of genetic services
o A Health Plan that uses or discloses PHI for underwriting purposes must revise its NPP to state that it will not use or disclose genetic information for such purposes
o The Health Plan definition has also been revised; HHS has exercised its authority to extend the GINA prohibition to all Health Plans except Long Term Care Health Plans
Student Immunization Records
A Covered Entity may release student immunization records to a school without authorization:
o if state law requires the school to have the immunization record, and
o with written or oral agreement (an oral agreement must be documented)
Decedent Information
o Health information is no longer PHI 50 years after the individual's death (specific exclusion from the definition of PHI)
o A Covered Entity may disclose a decedent's PHI to persons involved in the decedent's care or payment for care, unless doing so is contrary to the decedent's prior expressed preference
Notice of Privacy Practices
Under the Omnibus Rule the Notice of Privacy Practices (NPP) for Protected Health Information must include:
o When an authorization is needed
  - Psychotherapy notes
  - Marketing
  - Sale of PHI
o Fundraising
o Right to request a restriction
o No guarantee of a restriction
o Breach Notification
Business Associates Under HITECH
Who is a Business Associate? Omnibus Final Rule: an entity that creates, receives, maintains, or transmits [PHI] for a function or activity regulated by [HIPAA] on behalf of a Covered Entity.
The Omnibus Final Rule expanded the definition of Business Associate to include:
o Health Information Organizations
o E-prescribing Gateways
o Personal Health Record (PHR) providers acting on behalf of a Covered Entity
o Patient Safety Organizations
o Subcontractors that create, receive, maintain, or transmit Protected Health Information (PHI) on behalf of Business Associates
Subcontractor means a person to whom a Business Associate delegates a function, activity, or service, other than in the capacity of a member of the workforce of such Business Associate.
New Business Associate Obligations
Summary of BA obligations under the Omnibus Final Rule:
o Direct compliance with all requirements of the HIPAA Security Rule
o Direct liability for impermissible uses and disclosures of PHI under HIPAA
o Provide the CE with notice of a breach in accordance with the Breach Notification Rule
o Provide access to a copy of electronic PHI to the CE (or the individual)
o Provide PHI where required by the Secretary to investigate the BA's compliance with HIPAA
o Provide an accounting of disclosures as required by HITECH (Final Rule pending)
New Business Associate Obligations: BA Privacy Rule Duties Limited to HITECH Changes
The HITECH Act does not impose ALL Privacy Rule obligations on a BA. BAs are subject to direct enforcement of HIPAA Privacy obligations and penalties in the same manner as a CE, BUT only to the extent required under HITECH, not all of the HIPAA Privacy Rule obligations.
Questions?
Susan A. Miller, JD
TMSAM@aol.com
(O) 978-369-2092
(C) 978-505-5660
Thank You!