HIPAA Compliance Under the Magnifying Glass
July 30, 2013
Stacy Harper, JD, MHSA, CPC
A Webinar Provided by

Presenter
Stacy Harper
Lathrop & Gage, LLP
sharper@lathropgage.com
913-451-5125

The information provided is for educational purposes only and is not intended to be considered legal advice or to create an attorney-client relationship.
Basic Structure of HIPAA

HIPAA Privacy
- Applies to all protected health information (PHI)
- Determines when PHI can be used or disclosed
- Minimum safeguard requirements
- Provides patients rights to their information

HIPAA Security
- Applies to electronic protected health information (ePHI)
- Adds additional layers of safeguards for ePHI

HIPAA Breach Notification
- Spans Privacy and Security
- Adds transparency to the process

If state law differs from HIPAA, the more restrictive law applies.
Who is a Covered Entity
- A health plan
- A health care clearinghouse
- A health care provider who transmits any health information in electronic form in connection with a transaction covered by HIPAA

Transaction means the transmission of information between two parties to carry out financial or administrative activities related to health care, including: claims or encounter information; health care payment or remittance advice; coordination of benefits; health care claims status; enrollment and disenrollment in a health plan; eligibility for a health plan; health plan premium payments; referral certification and authorization; first report of injury; health claim attachments; and other transactions prescribed by regulation.
Who is a Business Associate
A person or entity who, with respect to a covered entity:
- On behalf of such covered entity or an organized health care arrangement, but other than as a member of the workforce of the covered entity, creates, receives, maintains, or transmits PHI for an activity regulated by HIPAA, including claims processing or administration; data analysis, processing, or administration; utilization review; quality assurance; patient safety activities; benefit management; practice management; and repricing; or
- Provides, other than as a member of the workforce, legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for the covered entity or organized health care arrangement, where the performance of the service involves the disclosure of PHI.

A BA also includes: a health information organization, e-prescribing gateway, or other person that provides data transmission services and requires access on a routine basis to such PHI; a person that offers a personal health record on behalf of a covered entity; and a subcontractor that creates, receives, maintains, or transmits PHI on behalf of a BA.

Certain exceptions apply.
What is Protected Health Information
Individually identifiable health information that is transmitted in electronic media, maintained in electronic media, or transmitted or maintained in any other form, but not including: education records covered by FERPA; certain higher education records; employment records held by a covered entity in its role as employer; and information regarding a person who has been deceased more than 50 years.

Health information means any information, including genetic information, that is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse and relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.

Individually identifiable means information that identifies an individual, or with respect to which there is a reasonable basis to believe the information can be used to identify the individual.
What Did the Omnibus Regulations Change?
- Application of HIPAA to Business Associates
- HIPAA Privacy Standards
  - Notice of Privacy Practices
  - Use of PHI for marketing
  - Sale of PHI
  - Use of PHI for fundraising
  - Disclosure of PHI to a decedent's family members
- HIPAA/HITECH Breach Notification Standards
  - Definition of breach
- HIPAA Enforcement
Business Associates
Business Associates
Definition revised to add:
- Patient safety organizations
- Health information exchange, e-prescribing, and other data transmission companies
- Personal health records offered by covered entities
- Subcontractors of Business Associates

Other changes:
- Business Associates required to implement HIPAA Security policies
- Application of the minimum necessary standard to Business Associates
- Agreements required with subcontractors
Revisions to Business Associate Agreements
Model Business Associate Agreement available from the Office for Civil Rights.

New terms:
- Written agreement with each subcontractor
- Comply with HIPAA Security as if a Covered Entity
- Notification of breaches
- If the Business Associate carries out a Covered Entity obligation under HIPAA, it must comply with the HIPAA terms that apply to that obligation
- If the Business Associate is considered an agent, its knowledge of a breach may be imputed to the Covered Entity
Enforcement - Liability for Business Associates
A Covered Entity is liable for violations of a Business Associate IF the Business Associate is considered an agent of the Covered Entity.

Factors to determine the scope of agency:
- Time, place, and purpose of the Business Associate's conduct
- Whether the Business Associate engaged in a course of conduct subject to the Covered Entity's control
- Whether the Business Associate-agent's conduct is commonly done by a Business Associate to accomplish the service performed on behalf of the Covered Entity
- Whether or not the Covered Entity reasonably expected that a Business Associate-agent would engage in the conduct in question

A Business Associate can be an agent:
- Despite the fact that the Covered Entity does not retain the right or authority to control every aspect of the Business Associate's activities
- Even if the Covered Entity does not exercise its right of control, where evidence exists that it holds the authority to exercise that right
HIPAA Privacy Standards
Notice of Privacy Practices
- Revised Notice of Privacy Practices must be available to patients and provided to new patients
- New notice must be posted in the location where care is provided

Revisions include:
- Specific statement of the need for authorization for use/disclosure of psychotherapy notes
- Specific statement of the need for authorization to use/disclose PHI for marketing or for sale of PHI
- Specific statement regarding use/disclosure of PHI for fundraising
- Specific statement regarding use/disclosure of PHI to a plan sponsor
- Specific statement that a health plan may not use genetic information in connection with its underwriting activities (consistent with GINA)
- Specific statement regarding the requirement that a Covered Entity notify an individual in the event of a breach with respect to his/her PHI
Other Changes
- Use of PHI for marketing
- Sale of PHI
- Use of PHI for fundraising
- Disclosure of PHI to a decedent's family members
HIPAA/HITECH Breach Notification Standards
Definition of Breach
Breach means the acquisition, access, use, or disclosure of PHI in a manner not permitted by the HIPAA Privacy Rule which compromises the security or privacy of the protected health information.
Exclusions to Breach
- Workforce Use - Unintentional acquisition, access, or use of PHI by a workforce member, if the PHI is not further used or disclosed in a manner that violates the Privacy Rule
- Workforce Disclosure - Unintentional disclosure of PHI by a workforce member, if the PHI is not further used or disclosed in a manner that violates the Privacy Rule
- No Way to Retain Info - Unauthorized disclosure for which the CE or BA has a good-faith belief that the unauthorized person to whom the PHI was disclosed would not reasonably have been able to retain the information
Substantial Harm Element Replaced
- Unauthorized access/disclosure is now presumed to be a breach
- The Covered Entity has the option of performing a breach risk assessment to overcome that presumption

The risk assessment must include analysis of:
- The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification
- The unauthorized person who used the PHI or to whom it was disclosed
- Whether the PHI was actually acquired or viewed
- The extent to which the risk to the PHI has been mitigated

If the risk assessment demonstrates a low probability that the PHI was compromised, no notification is required.
Enforcement
Enforcement - Penalty Tiers

Tier 1 - Violation not known, and could not reasonably have been known
- Old HIPAA: no penalty
- New HIPAA: at least $100 per violation; $25,000 max for identical violations in a calendar year

Tier 2 - Violation due to reasonable cause, but not willful neglect
- Old HIPAA: $100 per violation; $25,000 max for identical violations in a calendar year
- New HIPAA: at least $1,000 per violation; $100,000 max for identical violations in a calendar year

Tier 3 - Violation due to willful neglect, if corrected
- Old HIPAA: $100 per violation; $25,000 max for identical violations in a calendar year
- New HIPAA: at least $10,000 per violation; $250,000 max for identical violations in a calendar year

Tier 4 - Violation due to willful neglect, if not corrected
- Old HIPAA: $100 per violation; $25,000 max for identical violations in a calendar year
- New HIPAA: at least $50,000 per violation; $1.5 million max for identical violations in a calendar year
Factors to Determine Penalty
- Nature and extent of the violation
- Nature and extent of the harm
- History of compliance
- Financial condition of the covered entity or business associate
- Other matters as justice may require
Results of OCR Audit Demonstration Program
- 60% of deficiencies identified were related to HIPAA Security
- 58 of 59 providers audited had at least one HIPAA Security deficiency
- 47 of 59 providers, 20 of 35 health plans, and 2 of 7 clearinghouses had not conducted a complete and accurate risk assessment
- Top three deficiencies related to contingency planning and backups; audit controls and monitoring; and access management
- Most common cause of deficiency: the entity was unaware of the requirement
- The next round of audits is expected to include business associates and to be scheduled following the September 23, 2013 compliance date
Enforcement Activities
Settlements may originate with a complaint or a breach report.

Primary breaches include:
- Stolen or lost laptops or media
- Unsecured firewall
- Employee's access to information
- Disclosure of information

Business Associates were responsible for more breaches than Covered Entities.

Most frequent deficiencies mentioned include:
- Failure to perform a risk assessment
- Inadequate training
- Insufficient policies and procedures
- Incomplete security measures
- Failure to safeguard media

Most settlements involve a corrective action plan with ongoing monitoring in addition to penalties.
Strategy for Improvement
Development of a Robust Compliance Program
1. Learn the rules
2. Identify and control PHI within the organization
3. Perform a risk assessment
4. Develop a schedule to implement security measures that resolve the identified risks
5. Customize Privacy and Security policies to guide workforce compliance
6. Implement a training program
7. Create an ongoing monitoring program
8. Create a process for identification, investigation, and resolution of incidents
9. Continually re-evaluate and improve
Questions?
Stacy Harper
Lathrop & Gage LLP
sharper@lathropgage.com
913-451-5125