HIPAA OMNIBUS FINAL RULE
Webinar Series Part 3: Breach Notification
April 16, 2013

I. BACKGROUND
Background
> HIPAA Omnibus Final Rule:
  - Announced on January 17, 2013
  - Published in the Federal Register on January 25, 2013: http://www.gpo.gov/fdsys/pkg/fr-2013-01-25/pdf/2013-01073.pdf
  - Effective on March 26, 2013
  - Compliance date of September 23, 2013
  - U.S. Department of Health & Human Services (HHS) will begin enforcing the Final Rule's provisions on the compliance date

Background: What is Addressed?
> This Omnibus Rule includes:
  - Final rule on Breach Notification for Unsecured PHI under HITECH (Interim Final Rule issued August 2009)
  - Final rule modifying the HIPAA Privacy Rule under GINA (Proposed Rule issued October 2009)
  - Final rule modifying the HIPAA Enforcement Rule under HITECH (Interim Final Rule issued October 2009)
  - Final modifications to the HIPAA Privacy, Security, and Enforcement Rules mandated by HITECH (Proposed Rule issued July 2010)
Background: What is Not Addressed?
> The Omnibus Rule does not include:
  - Changes to accounting of disclosures requirements (Proposed Rule issued May 2011); HHS received many comments opposing this provision
  - Patient right to an access report requirements (Proposed Rule issued May 2011)
  - Minimum necessary guidance (required by the HITECH Act of 2009)

II. FINAL RULE OVERVIEW
Final Rule Overview (I)
> Part III of the Webinar Series will address:
  - Breach of protected health information (PHI)
  - Notification obligations
  - Changes to the definition of Breach
  - Changes to the Breach risk assessment: the harm standard is replaced with a low probability of PHI being compromised

Final Rule Overview (II)
> Part I of this Webinar Series covered the significant changes to:
  - Business Associates (BAs)
  - Subcontractors
  - Business Associate Agreements (BAAs)
  - Notice of Privacy Practices (NPPs)
> Part II covered changes to:
  - Marketing restrictions
  - Research
  - Sale of PHI
III. BREACH NOTIFICATION

Breach Notification Generally (I)
> Breach Notification Rule: 45 C.F.R. 164.402 et seq.
  - Effective February 22, 2010
  - Requires covered entities (CEs) and BAs, as applicable, to report certain Breaches of PHI to affected individuals, HHS, and the media, depending on the size of the Breach
Breach Notification Generally (II)
> A Breach is an unauthorized acquisition, access, use, or disclosure of PHI requiring Notification, unless:
  - PHI is encrypted
    - Unsecured PHI = PHI not rendered unusable, unreadable, or indecipherable to unauthorized persons through technology or methodology specified by HHS (i.e., encryption)
  - An exception to the definition of Breach applies; or
  - CE or BA, as applicable, demonstrates a low probability that the PHI has been compromised
    - Based on a risk assessment (objective standard)

Breach Exceptions
> General statutory exceptions to Breach (unchanged from the Interim Rule):
  - Unintentional acquisition, access, or use of PHI by a workforce member or an authorized person, if made in good faith and within the scope of authority
  - Inadvertent disclosures of PHI from a person authorized to access PHI to another person authorized to access PHI at the same CE, BA, or OHCA
  - Good faith belief that the unauthorized person to whom the disclosure was made would not reasonably have been able to retain such PHI
Breach Notification Key Changes
> Definition
> Burden of proof
> Risk Assessment
  - Entities may choose to provide Notification without conducting a risk assessment
> Clarification of Notification requirements
> Changes reflect HHS belief that Breaches are going unreported
  - Shift from a subjective to an objective standard

Definition of Breach: Interim Rule
> Breach: "Acquisition, access, use, or disclosure of [PHI] in a manner not permitted under [the Privacy Rule] which compromises the security or privacy of the [PHI]"
  - Breach may be electronic or physical
> "Compromises the security or privacy of the [PHI]": poses a significant risk of financial, reputational or other harm to the individual
  - This definition was the "risk of harm" threshold
Definition of Breach: Final Rule (I)
> Compliance date: September 23, 2013
> Breach: "[A]n acquisition, access, use, or disclosure of [PHI] in a manner not permitted under [the Privacy Rule] is presumed to be a Breach, unless:
  - The covered entity (CE) or BA, as applicable, demonstrates that there is a low probability [the PHI] has been compromised based on a risk assessment" reviewing specific factors

Definition of Breach: Final Rule (II)
> "demonstrates that there is a low probability that the [PHI] has been compromised"
  - "Low probability" remains undefined
  - "Compromised" remains undefined
  - Terms are established through the risk assessment
  - HHS sets forth specific factors which must be considered in conducting a compliant risk assessment
Breach Risk Assessment
> Breach Risk Assessment must include the following factors, at a minimum:
  (i) The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification
  (ii) The unauthorized person who used the PHI or to whom the disclosure was made
  (iii) Whether the PHI was actually acquired or viewed
  (iv) The extent to which the risk to the PHI has been mitigated
> Meeting one or all of the factors does not automatically negate Notification obligations

Safe Harbor
> CE or BA, as applicable, may decide to provide Breach Notification without conducting a risk assessment
> Safe Harbor considerations:
  - Toll on costs, compliance audits, and reputation
  - Risk of federal/state enforcement
  - Because Notification must be reported to HHS, these considerations are especially important on the heels of HHS's recent enforcement of Breaches affecting < 500 individuals
IV. BREACH AND BUSINESS ASSOCIATES

BA Breach Notification Obligations
> Upon discovery of a Breach, BAs are directly responsible for Breach Notification
  - To CEs
  - Possibly to individuals, media, and HHS
  - Look to the BAA between CE/BA and BA/Subcontractor
  - State Breach Notification laws
> Even where there is no Breach, there may be:
  - A violation of the BAA
  - A violation of HIPAA
V. OTHER NOTABLE PROVISIONS

Breach Notification Clarifications
> Final Rule removed the exception for limited data sets that did not contain any DOB or ZIP
> Notice to HHS for Breaches affecting < 500 individuals should be no later than 60 days after the end of the calendar year of discovery (rather than the year of the event)
  - When should your entity report to HHS?
> Entities must report to media serving residents of the State or jurisdiction; however, media does not have an obligation to report/publish the notice
VI. COMPLIANCE STRATEGIES

Compliance Strategies
> Take a breath
  - Enforcement will not begin until September 23, 2013
  - Interim strategy (risk of harm v. low probability)
> OCR recognizes that entities will have Breaches (rogue employee, theft), but looks to the compliance infrastructure (procedures, mitigation, response, training, sanctions)
> Do not aim to overachieve
  - Where internal policies are more restrictive than HIPAA standards, HHS may determine compliance based on those policies rather than the legal requirements
Compliance Action Steps
> Update policies and procedures:
  - Risk assessment v. automatic notification; consider the effect on costs, compliance audits, and reputation
  - Templates, training, and technology: assessment documentation, rogue employees, remote wiping of mobile devices
  - Breach insurance
> BAAs
  - BA contractually responsible for risk assessments and Notification
  - Indemnification clauses
  - Subcontractor responsibilities
> State law enforcement
  - Many state law equivalents maintain a risk of harm exception

Further Guidance
> HHS plans to issue further guidance on risk assessments for Breaches before the September 23, 2013 compliance date, including how to address frequently occurring Breach scenarios
VII. QUESTIONS

Contact Information
Jennifer Breuer, 312/569-1256, Jennifer.Breuer@dbr.com
Sara Shanti, 312/569-1258, Sara.Shanti@dbr.com
Fatema Zanzi, 312/569-1285, Fatema.Zanzi@dbr.com
April 16, 2013