Getting a Grip on HIPAA

Getting a Grip on HIPAA: Privacy and Security of Health Information in the Post-HITECH Age
Jean C. Hemphill, hemphill@ballardspahr.com, 215.864.8539
Edward I. Leeds, leeds@ballardspahr.com, 215.864.8419
Amy Mushahwar, mushahwara@ballardspahr.com, 202.661.7644
Dee Spagnuolo, spagnuolod@ballardspahr.com, 215.864.8312
February 20, 2013

Introductions: Ballard's HIPAA Compliance Group (slide 2)
- Jean Hemphill, Health Care and Employee Benefits
- Edward Leeds, Employee Benefits and Executive Compensation
- Amy Mushahwar, Privacy and Data Security
- Dee Spagnuolo, White Collar/Investigations Group

HIPAA (slide 3)
Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), as amended in 2009 by the Health Information Technology for Economic and Clinical Health Act ("HITECH")
- Establishes individuals' privacy rights for protected health information
- Requires covered entities and business associates to implement procedures regarding the use, security and disclosure of protected health information
- U.S. Department of Health and Human Services (HHS) regulations establish the standards for the electronic exchange, privacy and security of health information
On January 25, 2013, HHS released final rules modifying the HIPAA, HITECH and Genetic Information Nondiscrimination Act ("GINA") rules
Compliance begins September 23, 2013

Final Rules (slide 4)
- Standards applicable to Business Associates
- New breach definition and related notification developments
- Stronger limitations on use and disclosure of PHI for marketing and fundraising; prohibition on sale of PHI; clarifications regarding research use
- GINA amendments to HIPAA rules
- Expanded individual rights relating to electronic records
- Enforcement rule enhancements: increased audits, civil monetary and criminal penalties

HIPAA Origins (slide 5)

HIPAA Origins: Privacy Rule (slide 6)
- A Covered Entity may use or disclose Protected Health Information only as HIPAA expressly requires or permits that use or disclosure

HIPAA Origins: Security Rule (slide 7)
- Covered Entities must secure electronic Protected Health Information
- Preserve confidentiality, accessibility, and integrity

HIPAA Origins: Protected Health Information (PHI) (slide 8)
Any information in any form or medium that:
- Is created or received by a health care provider, health plan, employer, or health care clearinghouse; AND
- Relates to the past, present or future physical or mental health or condition of an individual, or the provision of or payment for health care for an individual; AND
- Is individually identifiable

HIPAA Origins: Covered Entity (slide 9)
- Health Plans
- Health Care Providers who engage in covered electronic transactions
- Health Care Clearinghouses

HIPAA Origins: Business Associate (slide 10)
- Vendor of a covered entity
- Obtains PHI in performing services on behalf of the covered entity
- The covered entity must require it to enter into a business associate agreement (BAA) imposing specified privacy and security requirements

HIPAA Origins: Required Uses and Disclosures (slide 11)
- Individual rights
- HHS request in assessing HIPAA compliance

HIPAA Origins: Permitted Uses and Disclosures (slide 12)
- Treatment, payment, health care operations
- Specified activities, including:
  - Compliance with other laws
  - Public health
  - Law enforcement
  - Judicial proceedings
  - Research
- Otherwise, obtain the individual's authorization or de-identify the information

HIPAA Origins: Measures Required (slide 13)
- Physical, technical, and administrative safeguards
- Allocations of responsibility
- Training
- Documentation
- Ongoing responsibilities

Business Associates (slide 14)

Business Associates: Modification of Business Associate Requirements (slide 15)
- Changes to definition
- Changes to Business Associate Agreement
- Imposition of direct responsibility

Business Associates: Changes to Definition of Business Associate (slide 16)
- Clarification of who is and who is not a BA
- Application to subcontractors that create, receive, maintain, or transmit PHI on behalf of a BA

Business Associates: Subcontractors as Business Associates (slide 17)
- BA's responsibilities are transferred downstream
- BA's contract with its subcontractors must include appropriate BA provisions

Business Associates: Business Associate Agreements must require the BA to (slide 18):
- Appropriately safeguard PHI and comply with applicable security requirements
- Report security incidents and inappropriate uses or disclosures, including breaches
- Pass security obligations on to subcontractors in a written BAA
- Comply with the privacy rules to the extent the BA carries out the Covered Entity's obligations under the privacy rules

Business Associates: Other Considerations for Business Associate Agreements (slide 19)
- Elaboration on responsibilities, particularly allocation of breach notification obligations
- BA's responsibility to act if it becomes aware of the Covered Entity's material violations
- The obligation to report a BA's violations to HHS (if they cannot be corrected and the relationship cannot be terminated)

Business Associates: Transitional Rule (slide 20)
- Applies to BAAs in place before 1.25.13 where the arrangement with the BA is not modified between 3.26.13 and 9.23.13
- May delay revising the BAA for up to one year (or until the BA arrangement is modified)

Business Associates: BAs Directly Subject to HIPAA (slide 21)
- Almost all of the HIPAA Security Rule
- Use or disclosure that violates the BAA or the HIPAA Privacy Rule
- Non-compliance with an HHS audit
- Failure to meet certain individual rights of access to one's own PHI
- Non-compliance with the minimum necessary rule
- Failure to enter into a proper BAA with a subcontractor

Business Associates: Direct Application of HIPAA Responsibility (slide 22)
- Previously BAs had only contractual liability
- Civil and criminal penalties may apply
- Subject to enforcement mechanisms
- Subcontractor BAs may also be sanctioned directly

Breaches (slide 23)

Old Rules: Defining a Breach (slide 24)
Under the 2009 rules, an impermissible use or disclosure of unsecured PHI, including electronic PHI, was only a breach if it posed a significant risk of financial, reputational, or other harm to the individual. Known as the "harm standard," this threshold focused on the individual and has been difficult to apply consistently to an array of business associates and uses and disclosures.

New Rules Signal a Shift in Notification Standard (slide 25)
- First, there is now a presumption that an impermissible use or disclosure of unsecured PHI is a breach subject to the HIPAA rules on breach notification.
- Second, the harm standard is replaced with the requirement to demonstrate that there is a low probability that the protected health information has been compromised.

Demonstrating a Low Probability of PHI Compromise (slide 26)
We will now need to perform risk assessments with the following factors:
- The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
- The unauthorized person who used the PHI or to whom the disclosure was made;
- Whether the PHI was actually acquired or viewed; and
- The extent to which the risk to the PHI has been mitigated.

The Risk Analysis MUSTS (slide 27)
- Address all four factors (can address more).
- Evaluate the overall probability that PHI has been compromised.
- Without a low probability that PHI has been compromised, breach notification is required.

More Breaches Will Be Disclosed (slide 28)
- HHS says plans and business associates had misinterpreted its original guidance as setting a very high threshold for breach notification.
- HHS intends to produce more objective and consistent breach determinations than the old standards did.

Keep in Mind: State Law Is Still Valid (slide 29)
- The Omnibus Rule (and current law) does not preempt most state breach reporting laws.
- The HIPAA Rules preempt conflicting state laws; there is no conflict if a covered entity or BA is able to comply with both federal and state law.
- The rat race continues: expect to comply with a disparate collection of breach reporting laws in the case of data breaches impacting individuals residing in numerous states.

Consider the Encryption Safe Harbor (slide 30)
- In light of the breadth and burdens of the Final Rule's provisions on breach notification, consider the safe harbor under HIPAA for encryption.
- Encrypting data in accordance with the HIPAA safe harbor is arguably one of the smartest risk mitigation strategies an entity subject to HIPAA could employ.
- Encryption also helps the state data breach analysis!
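The decision flow on slides 25 through 30 (presumption of breach, all four factors addressed, overall probability evaluated, encryption safe harbor considered first) is shown below as an added worked example; it is not code from the presentation or from Ballard Spahr. The four factor names follow the slides; the Level ratings, the point scoring, the LOW_PROBABILITY_MAX_POINTS threshold and the scenarios are assumptions constructed for illustration, since HHS prescribes no numeric scale.

```python
"""Four-factor breach risk assessment under the 2013 Omnibus Rule standard.

Added example; not part of the original presentation. The factor names
follow the slides; the ratings, weights and threshold are assumptions
chosen for illustration, not anything HHS prescribes.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class Level(Enum):
    """Coarse rating for the factors the slides frame qualitatively."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass
class Incident:
    """One impermissible use or disclosure of PHI being assessed.

    A factor left as None has not been addressed; all four must be
    addressed before a 'low probability' conclusion can be reached.
    """
    description: str
    # Safe harbor inputs: PHI encrypted per HHS guidance whose key was not
    # compromised is not 'unsecured PHI', so the breach rules do not apply.
    encrypted_per_guidance: bool = False
    key_compromised: bool = False
    # Factor 1: nature and extent of PHI (identifiers, re-identification risk)
    phi_sensitivity: Optional[Level] = None
    # Factor 2: the unauthorized person who used or received the PHI
    # (another HIPAA-bound entity rates LOW, an unknown party HIGH)
    recipient_risk: Optional[Level] = None
    # Factor 3: whether the PHI was actually acquired or viewed
    # (when this cannot be determined, document it as True, conservatively)
    acquired_or_viewed: Optional[bool] = None
    # Factor 4: extent to which the risk has been mitigated (HIGH = well mitigated)
    mitigation: Optional[Level] = None


@dataclass
class Determination:
    notification_required: bool
    rationale: List[str] = field(default_factory=list)


# Assumed threshold for this illustration: total risk points at or below
# this value count as a 'low probability of compromise'.
LOW_PROBABILITY_MAX_POINTS = 5


def assess(inc: Incident) -> Determination:
    """Apply the Omnibus Rule decision flow and return a documented determination."""
    # Step 0: the encryption safe harbor takes the incident out of the breach rules.
    if inc.encrypted_per_guidance and not inc.key_compromised:
        return Determination(False, [
            f"{inc.description}: PHI encrypted per HHS guidance and key not "
            "compromised; not 'unsecured PHI', breach rules do not apply."])

    # Step 1: presumption of breach. Every factor must be addressed; an
    # unaddressed factor means the presumption stands.
    factors = {
        "1 nature/extent of PHI": inc.phi_sensitivity,
        "2 unauthorized recipient": inc.recipient_risk,
        "3 acquired or viewed": inc.acquired_or_viewed,
        "4 mitigation": inc.mitigation,
    }
    missing = [name for name, value in factors.items() if value is None]
    if missing:
        return Determination(True, [
            f"{inc.description}: factor(s) not addressed: {', '.join(missing)}; "
            "presumption of breach stands, notification required."])

    # Step 2: evaluate the overall probability of compromise.
    points = (inc.phi_sensitivity.value
              + inc.recipient_risk.value
              + (3 if inc.acquired_or_viewed else 1)
              + (4 - inc.mitigation.value))  # strong mitigation lowers the score
    rationale = [f"{inc.description}: risk points {points} "
                 f"(threshold {LOW_PROBABILITY_MAX_POINTS})"]
    if points <= LOW_PROBABILITY_MAX_POINTS:
        rationale.append("Low probability of compromise demonstrated; "
                         "retain this assessment as documentation.")
        return Determination(False, rationale)
    rationale.append("Low probability not demonstrated; breach notification required.")
    return Determination(True, rationale)


# Constructed scenarios (not from the presentation):
MISDIRECTED_FAX = Incident(
    "Lab results faxed to a neighbouring clinic (a covered entity)",
    phi_sensitivity=Level.MEDIUM, recipient_risk=Level.LOW,
    acquired_or_viewed=False, mitigation=Level.HIGH)
LOST_LAPTOP = Incident(
    "Unencrypted laptop with 2,000 patient records left in a taxi",
    phi_sensitivity=Level.HIGH, recipient_risk=Level.HIGH,
    acquired_or_viewed=True, mitigation=Level.LOW)
LOST_ENCRYPTED_LAPTOP = Incident(
    "Full-disk-encrypted laptop lost; key held in escrow, not exposed",
    encrypted_per_guidance=True, key_compromised=False)
UNFINISHED = Incident(
    "Misfiled chart; mitigation not yet evaluated",
    phi_sensitivity=Level.LOW, recipient_risk=Level.LOW, acquired_or_viewed=False)

if __name__ == "__main__":
    for inc in (MISDIRECTED_FAX, LOST_LAPTOP, LOST_ENCRYPTED_LAPTOP, UNFINISHED):
        d = assess(inc)
        print("NOTIFY" if d.notification_required else "no notice", "|", *d.rationale)
```

The rationale list is the part a practitioner should keep: the rule puts the burden on the entity to demonstrate the low probability, so the documented factors and reasoning, not the verdict, are what an OCR investigator or auditor will ask for. The encrypted-laptop case also shows why the safe harbor is worth the investment: it ends the analysis before the four factors are reached, provided the key itself was not exposed.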

Avoid the Breach to Begin With (slide 31)
- Companies that have effective compliance programs are less likely to experience a breach, and when they do, it's less expensive.
- For CISOs on the line, make Legal your best friend.
- For Legal and compliance officers, make CISOs and IT security your new ally.

Conduct Some Internal Security Socialization (slide 32)

Use the Omnibus Rule as a Funding Mandate (slide 33)
Use this HIPAA Omnibus Rule as a justification to review and shore up a number of areas that are routinely woefully underfunded. Consider examining your:
- Log file management and alerting protocols
- Data maps
- Access controls
- Person/entity authentication
- Integrity controls
- Encryption
- Security auditing practices
Everyone has IT funding headaches; use this opportunity to elevate the problems and resolve them.
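The first item on slide 33, log file management and alerting, is the area where a small amount of code goes a long way, so the following is an added example of an information-system-activity review over EHR access audit logs (detection logic, not part of the presentation). The log format, the user names, the disabled-account list and every threshold are constructed assumptions; a real deployment would read the format its EHR actually emits.

```python
"""Minimal activity review over EHR access audit logs with three alerts:
failed-login bursts (authentication), bulk record access by one user
(access control / snooping), and activity by an account that should be
disabled (workforce termination). Added example; formats and thresholds
are assumptions, not from the presentation.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, NamedTuple, Set, Tuple


class Event(NamedTuple):
    ts: datetime
    user: str
    action: str    # LOGIN, VIEW or EXPORT
    patient: str   # patient identifier, or '-' for logins
    result: str    # OK or FAIL


# Assumed thresholds; tune to the organisation's own baseline.
FAILED_LOGIN_LIMIT = 5
FAILED_LOGIN_WINDOW = timedelta(minutes=5)
BULK_ACCESS_LIMIT = 20            # distinct patients per user per window
BULK_ACCESS_WINDOW = timedelta(minutes=15)
DISABLED_ACCOUNTS: Set[str] = {"mgone"}   # constructed: separated, should be disabled


def parse_line(line: str) -> Event:
    """Assumed format: '<ISO timestamp> <user> <action> <patient|-> <OK|FAIL>'."""
    ts, user, action, patient, result = line.split()
    return Event(datetime.fromisoformat(ts), user, action, patient, result)


def review(lines: Iterable[str], disabled: Set[str] = DISABLED_ACCOUNTS) -> List[str]:
    """Return alert strings in the order the triggering lines are seen."""
    alerts: List[str] = []
    fails: Dict[str, Deque[datetime]] = defaultdict(deque)
    views: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    fail_alerted: Set[str] = set()
    bulk_alerted: Set[str] = set()
    for raw in lines:
        if not raw.strip():
            continue
        ev = parse_line(raw)
        # Any successful action by a disabled account is a control failure.
        if ev.user in disabled and ev.result == "OK":
            alerts.append(f"DISABLED-ACCOUNT {ev.user} {ev.action} at {ev.ts.isoformat()}")
        # Sliding window of failed logins per user.
        if ev.action == "LOGIN" and ev.result == "FAIL":
            q = fails[ev.user]
            q.append(ev.ts)
            while q and ev.ts - q[0] > FAILED_LOGIN_WINDOW:
                q.popleft()
            if len(q) >= FAILED_LOGIN_LIMIT and ev.user not in fail_alerted:
                fail_alerted.add(ev.user)
                alerts.append(f"FAILED-LOGIN {ev.user} {len(q)} failures by {ev.ts.isoformat()}")
        # Sliding window of distinct patient records touched per user.
        if ev.action in ("VIEW", "EXPORT") and ev.result == "OK":
            q2 = views[ev.user]
            q2.append((ev.ts, ev.patient))
            while q2 and ev.ts - q2[0][0] > BULK_ACCESS_WINDOW:
                q2.popleft()
            distinct = {p for _, p in q2}
            if len(distinct) > BULK_ACCESS_LIMIT and ev.user not in bulk_alerted:
                bulk_alerted.add(ev.user)
                alerts.append(f"BULK-ACCESS {ev.user} {len(distinct)} patients by {ev.ts.isoformat()}")
    return alerts


def sample_log() -> List[str]:
    """Constructed sample log, chronological, covering all three alert types."""
    lines = [
        "2013-03-04T08:58:01 jsmith LOGIN - OK",
        "2013-03-04T09:00:12 jsmith VIEW P1001 OK",
        "2013-03-04T09:03:45 jsmith VIEW P1002 OK",
    ]
    # rjones: five failed logins in under a minute, then success
    for i in range(5):
        lines.append(f"2013-03-04T09:04:{10 + i * 10:02d} rjones LOGIN - FAIL")
    lines.append("2013-03-04T09:05:30 rjones LOGIN - OK")
    # tlee: 25 different patients in about two minutes, then an export
    for i in range(25):
        lines.append(f"2013-03-04T13:{10 + i * 5 // 60:02d}:{i * 5 % 60:02d} tlee VIEW P{2001 + i} OK")
    lines.append("2013-03-04T13:15:00 tlee EXPORT P2025 OK")
    # mgone: account that should have been disabled, active late at night
    lines.append("2013-03-04T22:45:00 mgone VIEW P3001 OK")
    return lines


if __name__ == "__main__":
    for alert in review(sample_log()):
        print(alert)
```

Each detector fires once per user per window so the alert queue is not flooded, and every alert carries the timestamp needed to pull the surrounding lines for an investigation. The same three records (who, what record, when) are also what an accounting-of-disclosures request or an OCR audit will ask the organisation to produce, which is the practical argument for funding log retention alongside alerting.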

New Limitations on Use of PHI for Fundraising, Research, Marketing, and the Sale of PHI (slide 34)

PHI for Fundraising Communications (slide 35)
A CE may use or disclose to a BA or an institutionally related foundation certain PHI for the purpose of raising money for its own benefit:
- Demographic information (name, address, age, gender, DOB)
- Dates health care was provided
- Department of service involved
- Treating physician
- Outcome information
- Health insurance status

PHI for Fundraising Communications (slide 36)
- The CE's Notice of Privacy Practices must disclose that the organization may use PHI to contact the individual for fundraising and advise the individual that he or she has the right to opt out of receiving such communications.
- Each communication must include a clear and conspicuous opportunity to elect not to receive any further communications.
  - Including oral communications (telephone solicitations)
- The CE may not send fundraising communications to any individual who elects to opt out.
- The CE may provide information as to how to opt back in.

PHI for Fundraising Communications (slide 37)
- The opt-out method must not cause the individual to bear an undue burden or incur more than a nominal cost.
  - Flexible and not prescriptive standard
  - The CE can adopt a single or multiple opt-out methods as long as they are reasonably accessible to all individuals wishing to opt out
  - Use of a toll-free number, email address, or pre-printed, pre-paid return postcard is acceptable
  - Requiring a written letter is considered an undue burden
- Opt-out may be applied on a campaign-specific or all-fundraising basis.

Use of PHI in Research (slide 38)
- New rules eliminate multiple, redundant authorization forms and allow for a combined authorization addressing both:
  - Research for which participation in the clinical protocol is conditioned upon agreement to authorize the use of PHI for research purposes ("conditioned research")
  - Research where clinical treatment is not conditioned upon the authorization ("unconditioned research") (e.g., tissue banking authorization)
- Must clearly differentiate the research activities
- Provide an opt-in option for unconditioned research

Authorizing Use in Future Research (slide 39)
- The authorization's purpose section must adequately describe uses and disclosures for future research purposes such that it would be reasonable for the individual to expect that PHI could be used for future research.
- The authorization may cover PHI collected beyond the time of the original study.
- The authorization may designate a class of persons as the recipients of PHI to cover sharing of PHI in future research.

Marketing (slide 40)
- The HIPAA privacy rule requires a CE to obtain individual authorization to use or disclose PHI for marketing purposes.
  - If marketing involves financial remuneration from a third party, the authorization must disclose that such remuneration is involved.

Sale of PHI (slide 41)
- HITECH added a specific prohibition on the sale of PHI without an individual's authorization.
- "Sale of PHI" means a disclosure by a CE or BA where the CE or BA directly or indirectly receives remuneration from or on behalf of the recipient of the PHI in exchange for the PHI.
- Applies to a change in title of owner as well as to access, license or lease agreements.
- Numerous exceptions to the definition of sale of PHI.

Sale of PHI - Exceptions (slide 42)
Exceptions to the definition of sale of PHI:
- Public health activities (in limited data set form or under 164.512(b))
- Research purposes
- Treatment
- Sale, transfer, merger or consolidation of a CE and related due diligence (provided that the successor is or will be a CE)

Sale of PHI (slide 43)
- Grants and contracts to a CE to perform programs or research are not considered a sale.
- Health information exchange fees are not a sale of PHI.
- For research uses, not a sale if remuneration is limited to a reasonable cost-based charge to collect and transmit the data.
  - Based on direct and indirect costs. Indirect costs include labor, materials and supplies as well as related capital and overhead charges, but not a profit margin.

Sale of PHI (slide 44)
- The authorization form must advise the individual that the disclosure will result in remuneration to the CE.
- Use of the term "remuneration" means financial and nonfinancial (in-kind) benefits.
  - This is a broader definition than the marketing provision, where the statute uses the term "payment" and the regulation refers only to financial benefits.

GINA (slide 45)

Genetic Information Nondiscrimination Act (slide 46)
- Other laws require privacy of health information, including GINA.
- The new HIPAA regulations include provisions designed to coordinate with particular requirements in the GINA rules.
- A health plan may not use or disclose PHI that is genetic information for purposes of underwriting.
  - Rule applies even if the individual provides authorization
  - Exception for long term care insurers
  - Genetic information includes family medical history

Individual Rights (slide 47)

Individual Rights (slide 48)
Individuals have the following rights under HIPAA's privacy rules:
- Right to Restrict Uses and Disclosures of PHI
- Right to Access PHI in Designated Record Set
- Right to Amend Designated Record Set
- Right to Obtain Accounting of Disclosures
- Right to Receive Notice of Privacy Practices

Individual Rights: Restrictions on Use and Disclosure (slide 49)
- An individual may restrict disclosure, for purposes of payment or health care operations, of PHI relating to an item or service paid for completely out-of-pocket.
- Exception to meet legal requirements.

Individual Rights: Right to Access PHI in Designated Record Set (slide 50)
- Provide in the form requested if readily producible.
- If not readily producible in the requested form:
  - For electronic PHI that is requested electronically, provide in an agreed-upon electronic form
  - Otherwise, provide in an agreed-upon form or as a readable hard copy
- Also must provide to the individual's designee if the designation is made clearly.

Individual Rights: Right to Accounting of Disclosures (slide 51)
- Generally, a Covered Entity is required to account for a limited range of disclosures of PHI on request for up to 6 years.
- The HITECH Act required a Covered Entity to report a broader range of disclosures of EHR on request for up to 3 years.
- Proposed regulations extended the requirement to all electronic records in the Designated Record Set.
- The final regulations do not address this.

Individual Rights: Notice of Privacy Practices (slide 52)
The Notice of Privacy Practices must be amended to state that authorization is required for:
- Most uses and disclosures of psychotherapy notes (where applicable)
- Marketing and sale of PHI
- Other uses and disclosures not described in the notice

Individual Rights: Notice of Privacy Practices (slide 53)
The new regulations also require that the Notice of Privacy Practices be amended to state:
- PHI may be used to contact individuals for fundraising, but the individual may opt out
- The individual may restrict use or disclosure for expenses paid out-of-pocket
- Notice will be provided of a breach of unsecured PHI
- Genetic information may not be used or disclosed for underwriting purposes

Individual Rights: Health Plan - Distribution of Notice of Privacy Practices (slide 54)
- Post the restated notice or notice of material changes on the website by the compliance date, and distribute the restated notice or notice of material changes in the next annual mailing to enrollees.
- If there is no website, distribute the restated notice or notice of material changes within 60 days of the material change.

Individual Rights: Health Care Provider - Distribution of Notice of Privacy Practices (slide 55)
- Make the restated notice available when an individual requests it
- Make copies of the restated notice available at the site where services are delivered
- Post the restated notice in a clear and prominent location at the delivery site
- Give notice to new patients and try in good faith to obtain acknowledgment of receipt

Enforcement/Penalties (slide 56)

Enforcement, OCR Audits & Penalties (slide 57)
OCR enforces the privacy and security rules by:
- Investigating complaints
- Conducting compliance reviews
- Performing education and outreach to promote compliance

Complaints (slide 58)
http://www.hhs.gov/ocr/privacy/hipaa/enforcement/process/index.html

The Audit Process: What Is an OCR Audit? (slide 59)
- HHS's method of ensuring compliance
- Compliance improvement tool
- Comprehensive audit protocol to assess processes, controls, and policies relating to:
  - Privacy Rule requirements
  - Security Rule requirements
  - Breach Notification Rule requirements

The Audit Process (slide 60)
Protocols consider:
- Existence of formal or informal policies?
- Have policies been communicated to employees?
Pilot phase: November 2011 - December 2012, 115 audits
Audit selection:
- At random
- As the result of a breach
- In response to a complaint to OCR

The Audit Process (slide 61)
The audit process:
- Introductory letter
- Commences 30 to 90 days from the date of the letter
- Onsite visits for 3-10 business days
- After fieldwork, the auditor provides a draft final report; 10 days to respond in writing
- Auditor completes the final report within 30 days after receiving written comments
- Submission to OCR

Resolution (slide 62)
If there is a showing of noncompliance, OCR attempts to resolve through:
- Voluntary compliance
- Corrective action
- Resolution agreement
OCR may impose civil monetary penalties.

Civil Monetary Penalties (slide 63)
- Did not know, and by exercising reasonable diligence would not have known, of the violation: $100 to $50,000 per violation; $1.5 million per type per year
- Violation due to reasonable cause: $1,000 to $50,000 per violation; $1.5 million per type per year
- Willful neglect, but the problem was corrected: $10,000 to $50,000 per violation; $1.5 million per type per year
- Willful neglect, and the problem was not corrected: $50,000 per violation; $1.5 million per type per year

Statistics and Trends (slide 64)
[Chart: OCR complaints by calendar year, 2009-2012; series: Received, Resolved, Investigated, No Violation, CAO]

Risks (slide 65)
- Loss of contracts
- Criminal and civil investigation
- Federal penalties, state fines
- Public harm and reputational risk
- Legal costs
- Cost of notification

Compliance Measures (slide 66)

Compliance Measures: Considerations (slide 67)
- New requirements and a deadline
- Changes in the privacy/security environment
- Internal and external experience

Compliance Measures: To Do List (slide 68)
- Security Risk Assessment (BAs and CEs)
- Security Policies and Procedures (BAs and CEs)
- Privacy Policies and Procedures (CEs)
- Breach Response Readiness (BAs and CEs)
- Training (BAs and CEs)
- Notice of Privacy Practices (CEs)
- Business Associate Agreements (BAs and CEs)
- Effect on other HIPAA Documents and Practices (BAs and CEs)

Compliance Measures: What to Watch For (slide 69)
- Accounting of Disclosure Rules
- Electronic Distribution of Notice of Privacy Practices
- Minimum Necessary Rules
- Technical Guidance
- Further Information about Enforcement/Penalties

Thank you (slide 70)
Jean C. Hemphill, hemphill@ballardspahr.com, 215.864.8539
Edward I. Leeds, leeds@ballardspahr.com, 215.864.8419
Amy Mushahwar, mushahwara@ballardspahr.com, 202.661.7644
Dee Spagnuolo, spagnuolod@ballardspahr.com, 215.864.8312

Questions? (slide 71)