Getting a Grip on HIPAA Privacy and Security of Health Information in the Post-HITECH Age

Jean C. Hemphill, hemphill@ballardspahr.com, 215.864.8539
Edward I. Leeds, leeds@ballardspahr.com, 215.864.8419
Amy Mushahwar, mushahwara@ballardspahr.com, 202.661.7644
Dee Spagnuolo, spagnuolod@ballardspahr.com, 215.864.8312

February 20, 2013
Introductions: Ballard's HIPAA Compliance Group
- Jean Hemphill, Health Care and Employee Benefits
- Edward Leeds, Employee Benefits and Executive Compensation
- Amy Mushahwar, Privacy and Data Security
- Dee Spagnuolo, White Collar/Investigations Group
HIPAA
- Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), as amended in 2009 by the Health Information Technology for Economic and Clinical Health Act ("HITECH")
  - Establishes individuals' privacy rights for protected health information
  - Requires covered entities and business associates to implement procedures regarding the use, security and disclosure of protected health information
  - U.S. Department of Health and Human Services (HHS) regulations establish the standards for the electronic exchange, privacy and security of health information
- On January 25, 2013, HHS released final rules modifying the HIPAA, HITECH and Genetic Information Nondiscrimination Act ("GINA") rules
- Compliance begins September 23, 2013
Final Rules
- Standards applicable to Business Associates
- New breach definition and related notification developments
- Stronger limitations on use and disclosure of PHI for marketing and fundraising; prohibitions on sale of PHI; clarifications regarding research use
- GINA amendments to HIPAA rules
- Expanded individual rights relating to electronic records
- Enforcement rule enhancements: increased audits, civil monetary and criminal penalties
HIPAA Origins
HIPAA Origins: Privacy Rule
- A Covered Entity may use or disclose Protected Health Information only as HIPAA expressly requires or permits that use or disclosure
HIPAA Origins: Security Rule
- Covered Entities must secure electronic Protected Health Information
- Preserve confidentiality, accessibility, and integrity
HIPAA Origins: Protected Health Information (PHI)
- Any information in any form or medium that:
  - Is created or received by a health care provider, health plan, employer, or health care clearinghouse; AND
  - Relates to the past, present or future physical or mental health or condition of an individual, or the provision of or payment for health care for an individual; AND
  - Is individually identifiable
HIPAA Origins: Covered Entity
- Health Plans
- Health Care Providers who engage in covered electronic transactions
- Health Care Clearinghouses
HIPAA Origins: Business Associate
- Vendor of covered entity
- Obtains PHI in performing services on behalf of covered entity
- Covered entity must require it to enter into a business associate agreement (BAA) imposing specified privacy and security requirements
HIPAA Origins: Required Uses and Disclosures
- Individual Rights
- HHS request in assessing HIPAA compliance
HIPAA Origins: Permitted Uses and Disclosures
- Treatment, payment, health care operations
- Specified activities, including
  - Compliance with other laws
  - Public health
  - Law enforcement
  - Judicial proceedings
  - Research
- Otherwise, obtain the individual's authorization or de-identify the information
HIPAA Origins: Measures Required
- Physical, technical, and administrative safeguards
- Allocations of responsibility
- Training
- Documentation
- Ongoing responsibilities
Business Associates
Business Associates: Modification of Business Associate Requirements
- Changes to Definition
- Changes to Business Associate Agreement
- Imposition of direct responsibility
Business Associates: Changes to Definition of Business Associate
- Clarification of who is and who is not a BA
- Application to subcontractors that create, receive, maintain, or transmit PHI on behalf of a BA
Business Associates: Subcontractors as Business Associates
- BA's responsibilities transferred downstream
- BA's contract with its subcontractors must include appropriate BA provisions
Business Associates: Business Associate Agreements must require the BA to:
- Appropriately safeguard PHI and comply with applicable security requirements
- Report security incidents and inappropriate uses or disclosures, including breaches
- Pass security obligations on to subcontractors in a written BAA
- Comply with privacy rules to the extent the BA carries out the Covered Entity's obligations under the privacy rules
Business Associates: Other Considerations for Business Associate Agreements include
- Elaboration on responsibilities, particularly allocation of breach notification obligations
- BA's responsibility to act if it becomes aware of the Covered Entity's material violations
- The obligation to report a BA's violations to HHS (if they cannot be corrected and the relationship cannot be terminated)
Business Associates: Transitional Rule
- Applies to BAAs in place before 1.25.13 where the arrangement with the BA is not modified between 3.26.13 and 9.23.13
- May delay revising the BAA for up to one year (or until the BA arrangement is modified)
Business Associates: BAs Directly Subject to HIPAA
- Almost all of the HIPAA Security Rule
- Use or disclosure that violates the BAA or the HIPAA Privacy Rule
- Non-compliance with HHS audit
- Failure to meet certain individual rights to access to own PHI
- Non-compliance with minimum necessary rule
- Failure to enter into a proper BAA with subcontractor
Business Associates: Direct Application of HIPAA Responsibility
- Previously BAs had only contractual liability
- Civil and criminal penalties may apply
- Subject to enforcement mechanisms
- Subcontractor BAs may also be sanctioned directly
Breaches
Old Rules: Defining a Breach
- Under the 2009 rules, an impermissible use or disclosure of unsecured PHI, including electronic PHI, was only a breach if it posed a significant risk of financial, reputational, or other harm to the individual.
- Known as the "harm standard," this threshold focused on the individual and has been difficult to apply consistently to an array of business associates and uses and disclosures.
New Rules Signal a Shift in Notification Standard
- First, there is now a presumption that an impermissible use or disclosure of unsecured PHI is a breach subject to the HIPAA rules on breach notifications.
- Second, the harm standard is replaced with the requirement to demonstrate that there is a low probability that the protected health information has been compromised.
Demonstrating a Low Probability of PHI Compromise
- We will now need to perform risk assessments with the following factors:
  - The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
  - The unauthorized person who used the PHI or to whom the disclosure was made;
  - Whether the PHI was actually acquired or viewed; and
  - The extent to which the risk to the PHI has been mitigated.
The Risk Analysis MUSTS
- Address all four factors (can address more).
- Evaluate the overall probability that PHI has been compromised.
- Without a low probability that PHI has been compromised, breach notification is required.
More Breaches Will Be Disclosed
- HHS says plans and business associates had misinterpreted its original guidance as setting a very high threshold for breach notification.
- HHS intends to produce more objective and consistent breach determinations than the old standards did.
Keep in Mind: State Law Is Still Valid
- The Omnibus Rule (and current law) does not preempt most state breach reporting laws.
- The HIPAA Rules preempt conflicting state laws, but there is no conflict if a covered entity or BA is able to comply with both federal and state law.
- The rat race continues: expect to comply with a disparate collection of breach reporting laws in the case of data breaches impacting individuals residing in numerous states.
Consider the Encryption Safe Harbor
- In light of the breadth and burdens of the Final Rule's provisions on breach notification, consider the safe harbor under HIPAA for encryption.
- Encrypting data in accordance with the HIPAA safe harbor is arguably one of the smartest risk mitigation strategies an entity subject to HIPAA could employ.
- Encryption also helps the state data breach analysis!
Avoid the Breach to Begin With
- Companies that have effective compliance programs are less likely to experience a breach, and when they do, it's less expensive.
- For CISOs on the line, make legal your best friend.
- For legal and compliance officers, make CISOs and IT security your new ally.
Conduct Some Internal Security Socialization
Use the Omnibus Rule as a Funding Mandate
- Use this HIPAA Omnibus Ruling as a justification to review and shore up a number of areas that are routinely woefully underfunded. Consider examining your:
  - Log file management and alerting protocols
  - Data maps
  - Access controls
  - Person/entity authentication
  - Integrity controls
  - Encryption
  - Security auditing practices
- Everyone has IT funding headaches; use this opportunity to elevate the problems and resolve them.
New Limitations on Use of PHI for Fundraising, Research, Marketing, and the Sale of PHI
PHI for Fundraising Communications
- CE may use or disclose to a BA or an institutionally related foundation certain PHI for the purpose of raising money for its own benefit:
  - Demographic information (name, address, age, gender, DOB)
  - Dates health care provided
  - Department of service involved
  - Treating physician
  - Outcome information
  - Health insurance status
PHI for Fundraising Communications
- CE's Notice of Privacy Practices must disclose that the organization may use PHI to contact the individual for fundraising and advise the individual that he or she has the right to opt out of receiving such communications.
- Each communication must include a clear and conspicuous opportunity to elect not to receive any further communications.
  - Including oral communications (telephone solicitations)
- CE may not send fundraising communications to any individual who elects to opt out.
- CE may provide information as to how to opt back in.
PHI for Fundraising Communications
- Opt-out method must not cause the individual to bear an undue burden or incur more than a nominal cost.
  - Flexible and not prescriptive standard
  - CE can adopt a single or multiple opt-out methods as long as they are reasonably accessible to all individuals wishing to opt out
  - Use of a toll-free number, email address, or pre-printed, pre-paid return postcard is acceptable
  - Requiring a written letter is considered an undue burden
- Opt-out may be applied on a campaign-specific or all-fundraising basis
Use of PHI in Research
- New rules eliminate multiple, redundant authorization forms and allow for a combined authorization addressing both:
  - Research for which participation in the clinical protocol is conditioned upon agreement to authorize the use of PHI for research purposes ("conditioned research")
  - Research where clinical treatment is not conditioned upon the authorization ("unconditioned research") (e.g., tissue banking authorization)
- Must clearly differentiate research activities
- Provide opt-in option for unconditioned research
Authorizing Use in Future Research
- Authorization's purpose section must adequately describe uses and disclosures for future research purposes such that it would be reasonable for the individual to expect that PHI could be used for future research.
- Authorization may cover PHI collected beyond the time of the original study
- Authorization may designate a class of persons as the recipients of PHI to cover sharing of PHI in future research
Marketing
- HIPAA privacy rule requires a CE to obtain individual authorizations to use or disclose PHI for marketing purposes.
  - If marketing involves financial remuneration from a third party, the authorization must disclose that such remuneration is involved.
Sale of PHI
- HITECH added a specific prohibition on the sale of PHI without an individual's authorization.
- "Sale of PHI" means a disclosure by a CE or BA where the CE or BA directly or indirectly receives remuneration from or on behalf of the recipient of the PHI in exchange for the PHI.
- Applies to a change in title of owner as well as access, license or lease agreements.
- Numerous exceptions to the definition of sale of PHI
Sale of PHI: Exceptions
- Exceptions to the definition of sale of PHI:
  - Public health activities (in limited data set form or under 164.512(b))
  - Research purposes
  - Treatment
  - Sale, transfer, merger or consolidation of a CE and related due diligence (provided that the successor is or will be a CE)
Sale of PHI
- Grants or contracts to a CE to perform programs or research are not considered a sale
- Health information exchange fees are not a sale of PHI
- For research uses, not a sale if remuneration is limited to a reasonable cost-based charge to collect and transmit data
  - Based on direct and indirect costs. Indirect costs include labor, materials, supplies as well as related capital and overhead charges, but not a profit margin
Sale of PHI
- Authorization form must advise the individual that the disclosure will result in remuneration to the CE
- Use of the term "remuneration" means financial and nonfinancial (in-kind) benefits
  - This is a broader definition than the marketing provision, where the statute uses the term "payment" and the regulation refers only to financial benefits
GINA
Genetic Information Nondiscrimination Act
- Other laws require privacy of health information, including GINA
- New HIPAA regulations include provisions designed to coordinate with particular requirements in GINA rules
- Health plan may not use or disclose PHI that is genetic information for purposes of underwriting
  - Rule applies even if individual provides authorization
  - Exception for long-term care insurers
  - Genetic information includes family medical history
Individual Rights
Individual Rights
- Individuals have the following rights under HIPAA's privacy rules:
  - Right to Restrict Uses and Disclosures of PHI
  - Right to Access PHI in Designated Record Set
  - Right to Amend Designated Record Set
  - Right to Obtain Accounting of Disclosures
  - Right to Receive Notice of Privacy Practices
Individual Rights: Restrictions on Use and Disclosure
- Individual may restrict disclosure, for purposes of payment or health care operations, of PHI relating to items or services paid for completely out-of-pocket
- Exception to meet legal requirements
Individual Rights: Right to Access PHI in Designated Record Set
- Provide in the form requested if readily producible
- If not readily producible in the requested form:
  - For electronic PHI that is requested electronically, provide in an agreed-upon electronic form
  - Otherwise, provide in an agreed-upon form or as a readable hard copy
- Also must provide to the individual's designee if the designation is made clearly
Individual Rights: Right to Accounting of Disclosures
- Generally, a Covered Entity is required to account for a limited range of disclosures of PHI on request for up to 6 years
- HITECH Act required a Covered Entity to report a broader range of disclosures of EHR on request for up to 3 years
- Proposed regulations extended the requirement to all electronic records in the Designated Record Set
- Final regulations do not address this
Individual Rights: Notice of Privacy Practices must be amended to state that authorization is required for:
- Most uses and disclosures of psychotherapy notes (where applicable)
- Marketing and sale of PHI
- Other uses and disclosures not described in the notice
Individual Rights: The new regulations also require that the Notice of Privacy Practices be amended to state:
- PHI may be used to contact individuals for fundraising, but the individual may opt out
- Individual may restrict use or disclosure for expenses paid out-of-pocket
- Notice will be provided of a breach of unsecured PHI
- Genetic information may not be used or disclosed for underwriting purposes
Individual Rights: Health Plan - Distribution of Notice of Privacy Practices
- Post restated notice or notice of material changes on website by compliance date and distribute restated notice or notice of material changes in next annual mailing to enrollees
- If no website, distribute restated notice or notice of material changes within 60 days of material change
Individual Rights: Health Care Provider - Distribution of Notice of Privacy Practices
- Make restated notice available when individual requests
- Make copies of restated notice available at site where services are delivered
- Post restated notice in clear and prominent location at delivery site
- Give notice to new patients and try in good faith to obtain acknowledgment of receipt
Enforcement/Penalties
Enforcement, OCR Audits & Penalties
- OCR enforces privacy and security rules by:
  - Investigating complaints
  - Conducting compliance reviews
  - Performing education and outreach to promote compliance
Complaints
- http://www.hhs.gov/ocr/privacy/hipaa/enforcement/process/index.html
The Audit Process: What is an OCR Audit?
- HHS's method of ensuring compliance
- Compliance improvement tool
- Comprehensive audit protocol to assess processes, controls, and policies relating to:
  - Privacy Rule requirements
  - Security Rule requirements
  - Breach Notification Rule requirements
The Audit Process
- Protocols consider:
  - Existence of formal or informal policies?
  - Have policies been communicated to employees?
- Pilot phase: November 2011 to December 2012, 115 audits
- Audit selection:
  - At random
  - As the result of a breach
  - In response to a complaint to OCR
The Audit Process
- The audit process:
  - Introductory letter
  - Commences 30 to 90 days from the date of the letter
  - Onsite visits for 3-10 business days
  - After fieldwork, the auditor provides a draft final report; 10 days to respond in writing
  - Auditor completes final report within 30 days after receiving written comments
  - Submission to OCR
Resolution
- If there is a showing of noncompliance, OCR attempts to resolve through:
  - Voluntary compliance
  - Corrective action
  - Resolution agreement
- OCR may impose civil monetary penalties
Civil Monetary Penalties
- Did not know, and by exercising reasonable diligence would not have known, of the violation: $100 to $50,000 per violation; $1.5 million per type per year
- Violation due to reasonable cause: $1,000 to $50,000 per violation; $1.5 million per type per year
- Willful neglect, but corrected the problem: $10,000 to $50,000 per violation; $1.5 million per type per year
- Willful neglect, and did not correct the problem: $50,000 per violation; $1.5 million per type per year
Statistics and Trends
- [Chart: complaints received by calendar year, 2009-2012; series: Received, Resolved, Investigated, No Violation, CAO]
Risks
- Loss of contracts
- Criminal and civil investigation
- Federal penalties, state fines
- Public harm and reputational risk
- Legal costs
- Cost of notification
Compliance Measures
Compliance Measures: Considerations
- New Requirements and a Deadline
- Changes in the Privacy/Security Environment
- Internal and External Experience
Compliance Measures: To-Do List
- Security Risk Assessment (BAs and CEs)
- Security Policies and Procedures (BAs and CEs)
- Privacy Policies and Procedures (CEs)
- Breach Response Readiness (BAs and CEs)
- Training (BAs and CEs)
- Notice of Privacy Practices (CEs)
- Business Associate Agreements (BAs and CEs)
- Effect on other HIPAA Documents and Practices (BAs and CEs)
Compliance Measures: What to Watch For
- Accounting of Disclosure Rules
- Electronic Distribution of Notice of Privacy Practices
- Minimum Necessary Rules
- Technical Guidance
- Further Information about Enforcement/Penalties
Thank you
Questions?