The Impact of Final Omnibus HIPAA/HITECH Rules
Presented by Eileen Coyne Clark and Niki McCoy
September 19, 2013

Disclaimer
The material in this presentation is not meant to be construed as legal advice or in any way a substitute for legal counsel. The session is intended as an overview of the highlights of the new HIPAA Omnibus rule.
What is HIPAA?
- HIPAA (Health Insurance Portability and Accountability Act) is a federal law enacted in 1996 (Public Law 104-191)
- Required HHS to establish standards that:
  - Protect the privacy of a patient's personal and health information
  - Provide for electronic and physical security of personal and health information
  - Simplify billing and other transactions
HIPAA Requires...
- Administrative Safeguards
- Physical Safeguards
- Technical Safeguards
- Organizational Requirements
- Documentation Process Requirements
Covered Entity
- Health Plans: individual and group plans that provide or pay the cost of medical care
- Health Care Providers: any provider who electronically transmits health information in connection with standardized transactions regulated by HIPAA
  - Covers transactions conducted either directly or indirectly by the provider
  - Includes all providers of services (e.g., institutional providers such as home health agencies), providers of medical or health services, and any other person or organization who furnishes, bills, or is paid for health care
- Health Care Clearinghouses: entities that process nonstandard information they receive from one entity into a standard format (or vice versa)
  - Billing services, repricing companies, etc.
Business Associate
- A person or organization (other than an employee of the CE) that performs certain functions or activities on behalf of the CE that involve the use or disclosure of protected information
- Redefined under the new rules as entities that create, receive, maintain, and/or transmit PHI on behalf of a covered entity
Protected Health Information
Health information means any information, including genetic information, whether oral or recorded in any form or medium, that:
(1) Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; AND
(2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual
What is HITECH?
- The Health Information Technology for Economic and Clinical Health Act
- Enacted as part of the American Recovery and Reinvestment Act in 2009
- Required expansive changes to HIPAA:
  - Applying HIPAA privacy and security requirements directly to BAs
  - Establishing mandatory security breach reporting requirements
  - Creating new privacy requirements for CEs and BAs
  - Establishing new criminal and civil penalties for noncompliance
- Since HITECH, HHS has issued proposed and interim final regulations to implement its changes
Why HITECH?
- HIPAA was a paper tiger: it looked ferocious but had no teeth
- During ARRA we were focused on the economy, unemployment, bank failures, etc.
- During Health Care Reform, we were focused on the public debate
- AND NOW... it all comes around:
  - Security in general is top of mind
  - Corporations are under intense scrutiny
  - Health Care Reform and the push for automated processes
  - The current Administration is enforcement focused

What's the Difference?
So What?
HIPAA/HITECH
- Fines up to $1.5 million annually
- Criminal penalties up to 10 years in prison
- HHS will audit
- HHS now has subpoena power (not fun!)
STATE LAW
- State Attorney General can file civil lawsuits
- Gives HHS 50 free high-profile enforcers
- Laws and penalties in addition to HIPAA/HITECH
- Lawsuits already in play
BUSINESS IMPACT
- AND... loss of reputation
- Loss of patients, clients, funding, etc.
- Being published on the HHS website (the "Hall of Shame")
- Negative publicity in local and national media
Notable Settlements

| Entity | Amount | Year |
| --- | --- | --- |
| WellPoint, Inc. | $1.7 million | July 2013 |
| Walgreens | $1.44 million | July 2013 |
| MN AG & Accretive Health (started from July 2011 lost laptop) | $2.5 million | July 2013 |
| Shasta Regional Med Center | $275,000 | June 2013 |
| Idaho State University | $400,000 | May 2013 |
| Goldthwait Associates & 4 Pathology Groups | $140,000 | January 2013 |
The Final Omnibus HIPAA Rule
On January 25, 2013, the Office for Civil Rights (OCR) published an omnibus regulation finalizing HHS's previously issued regulations:
- Proposed Rule modifying the Privacy, Security, and Enforcement Rules
- Interim Final Rule adopting changes to the Enforcement Rule
- Interim Final Rule on Breach Notification for Unsecured Protected Health Information
- Proposed Rule modifying the Privacy Rule as required by the Genetic Information Nondiscrimination Act (GINA)

What's Changed?
- Deadlines
- Application of the Rules
- Business Associates
- Breach Notification
- Enforcement and Penalties
- Privacy Requirements
- Security Requirements
- Genetic Information
Deadlines
- What is the significance of September 23, 2013?
- Deferred compliance date: September 22, 2014
  - Applies only to certain existing business associate agreements
- Default compliance period is now 180 days

Application of the Rules
- Numerous provisions now directly apply to Business Associates and subcontractors
- Big change affecting Hybrid Entities
  - Example: a supermarket with a pharmacy
  - Before the changes, the employer could choose how to handle support functions
  - Now support functions must comply like a business associate
Business Associates
The final rule makes clear that BAs include:
- A Health Information Organization, E-prescribing Gateway, or other person that provides data transmission services to a CE and requires routine access to PHI
- A person that offers a PHR to one or more individuals on behalf of a CE (e.g., PHR vendors)
- A subcontractor that creates, receives, maintains, or transmits PHI on behalf of a BA
- Organizations that perform certain patient safety activities (e.g., Patient Safety Organizations)

Subcontractors as BAs
- The final rule applies the BA provisions of the HIPAA Rules to subcontractors
  - A person to whom a BA delegates a function, activity, or service, other than in the capacity of a member of the BA's workforce
- Subcontractors that are involved with the creation, receipt, maintenance or transmission of PHI must be in compliance with the applicable HIPAA Rules
- BAs must obtain satisfactory assurances, in the form of a BA agreement or otherwise, that a subcontractor will comply with HIPAA requirements
Increased BA Liability
Before the Final Omnibus Rule
- BAs were contractually liable for failing to comply under BA agreements with covered entities
After the Final Omnibus Rule
- BAs are directly liable for:
  - Uses and disclosures of PHI that are not in accord with its BA agreement or the Privacy Rule;
  - Failing to disclose PHI when required for investigative purposes or when individuals request copies of their PHI;
  - Failing to make reasonable efforts to limit information disclosed to the minimum necessary;
  - Failing to enter into BA agreements with subcontractors; and
- Contractually liable for any obligations in its BA agreements

Typical BA Functions
- Claims processing or administration
- Data analysis, processing or administration
- Utilization review
- Quality assurance
- Billing
- Benefit management
- Practice management
- Repricing
- Legal
- Actuarial
- Accounting
- Consulting
- Data aggregation
- Management
- Administrative
- Accreditation
- Financial
Breach Defined
The unauthorized acquisition, access, use or disclosure that compromises the security or privacy of the protected health information such that the use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual.

Four-Factor PHI Breach Assessment
1. Nature and extent of PHI involved
2. Unauthorized person who used PHI or to whom disclosure was made
3. Whether PHI was actually acquired or viewed
4. Extent to which risk to PHI has been mitigated
Guilty until proven innocent: a breach is now presumed
Breach Notification
Less Than 500 Patient Records
- Individual notifications must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach
- Notify HHS on an annual basis
500+ Patient Records
- Individual notifications must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach
- Notify the Secretary without unreasonable delay and in no case later than 60 days following a breach
- Provide notice to prominent media outlets serving the State or jurisdiction
Breach Notification
Interim Final Rule:
- Acquisition, access, use, or disclosure of PHI in a manner not permitted by the Privacy Rule that compromises the security or privacy of the PHI
- Poses a significant risk of financial, reputational, or other harm to the individual (i.e., the Harm Standard)
Final Rule:
- An impermissible use or disclosure of PHI is presumed to be a breach unless the CE or BA (as applicable) demonstrates that there is a low probability that the PHI has been compromised or an exception applies

New Risk Assessment Standard
- A CE or BA may only elect not to provide a breach notification if a full, objective analysis of certain enumerated factors results in a demonstrable low probability that the PHI has been compromised
- Risk assessments must include at least the following factors:
  - The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
  - The unauthorized person who used the PHI or to whom the disclosure was made;
  - Whether the PHI was actually acquired or viewed; and
  - The extent to which the risk to the PHI has been mitigated
Steps if a Breach is Discovered
- Notify Counsel
- Complete Notice of Breach
- Notify Individuals
- Notify the Media
- Notify HHS
If a breach is discovered by the BA, the BA must notify the CE without unreasonable delay and no later than 60 calendar days from the discovery of the breach

Fine Structure

| Violation Category | Per Violation | Per Calendar Year |
| --- | --- | --- |
| Did Not Know | $100 - $50,000 | $1,500,000 |
| Reasonable Cause | $1,000 - $50,000 | $1,500,000 |
| Willful Neglect, Corrected | $10,000 - $50,000 | $1,500,000 |
| Willful Neglect, Not Corrected | $50,000 | $1,500,000 |
Blue Cross Blue Shield TN Case
- March 2012: $1.5M settlement related to an incident involving 57 hard drives stolen from a storage facility
- The citation that drove the penalty was NOT the breach
- The penalty was applied because of the failure to implement appropriate administrative safeguards, not performing a risk assessment, and failure to implement access controls for physical safeguards
- HHS considers this case a great example of the lack of ongoing attention to compliance

Prohibition on the Sale of PHI
CEs and BAs are prohibited from receiving direct or indirect remuneration in exchange for the disclosure of PHI without authorization from the individual
Exceptions:
- Public health purposes
- Research disclosures
  - Remuneration must be a reasonable cost-based fee to cover the cost to prepare and transmit the PHI for such purposes
- Disclosures for the transfer, merger, or consolidation of all or part of a Covered Entity with another Covered Entity, or an entity that following such activity will become a Covered Entity, and related due diligence
- Activities paid by a Covered Entity to a Business Associate performed on behalf of the Covered Entity
Street Value of Medical Records
"A thief downloading and stealing data can get $50 on the street for a medical identification number compared to just $1 for a Social Security number. For those receiving the medical ID number and using it to defraud a health care organization, the average payout is more than $20,000," according to Pam Dixon, executive director of the World Privacy Forum. "Compare that to just $2,000 for the average payout for regular ID theft."
Source: Protected Health Information (PHI): High Value to Hackers: Medical Facilities at Risk, http://www.prweb.com/releases/2013/2/prweb10412883.htm
Privacy Rule Requirements
Changes affecting disclosure of PHI:
- Communications for marketing or fundraising
- Exchanging PHI for a fee
- Disclosures for patient care or payment for care
- Disclosures of student immunizations
- Rights to restrict disclosure
Do you need to update?
- Notices of privacy practices
- Research authorizations
- Internal policies and training programs

Security Rule Requirements
- Ensure: confidentiality, availability and integrity
- Protect against: threats, hazards and wrongful use/disclosure
- Require: continual risk assessment and sanctions
- Implement: administrative, technical and physical safeguards

Genetic Information
- Now specifically recognized as PHI
- Cannot be used for underwriting
4 Days: Are You Ready?
Remember the basics:
- Do not share or give anyone your passwords under any circumstances
- Log off computers when finished and secure paper records that contain PHI
- Destroy, shred or put in the designated bins all paper that could contain PHI
- Look at, use, or share PHI only if necessary to do your job
- Consider insurance policies that cover breach response and notification costs
- Review agreements for liability indemnification provisions

What to do now
- Ensure Business Associate Agreements (BAAs) are in place
- Ensure you reciprocate with the BA and they have a BAA in place for your company
- BAAs should be filed together in HR in a locked cabinet
- BAAs should be reviewed and updated each year or if there is a major change
Dangerous Strategies
- Assume this is a pure legal matter
- Assume the same lack of enforcement will continue
- Assume employees are focused on it
- Assume you have it covered

When (not if) HHS Knocks
- "Didn't know" now means willful neglect
- Make sure policies reflect reality
- Have procedures in place
- Be sure Business Associate agreements and practices are compliant
- Have VISIBLE EVIDENCE

Questions