HIPAA: Impact on Corporate Compliance AAPC HEALTHCON April 2014 Stacy Harper, JD, MHSA, CPC Disclaimer The information provided is for educational purposes only and is not intended to be considered legal advice or create an attorney-client relationship. Opinions expressed are those of the speaker and do not represent the opinions or position of the AAPC. 1
Overview Current State of HIPAA Recent Regulations Recent Enforcement Litigation Trends Interaction of HIPAA Safeguards with Billing/Coding Compliance Strategies for Improvement Statutory Background Health Insurance Portability and Accountability Act of 1996 (Administrative Simplification Provisions) August 21, 1996 Health Information Technology for Economic and Clinical Health Act of 2009 February 17, 2009 Regulatory Background HIPAA Electronic Transaction Standards August 17, 2000 HIPAA Privacy Standards December 28, 2000 and August 14, 2002 HIPAA Unique Employer Identifier Standard May 31, 2002 HIPAA Security Standards February 20, 2003 HIPAA/HITECH Breach Notification Standards August 24, 2009 Omnibus HIPAA Regulatory Modifications January 25, 2013 2
Basic Structure of HIPAA HIPAA Privacy Applies to all protected health information Determines when PHI can be used/disclosed Minimal Safeguard Requirements Provides Patients Rights to Information HIPAA Security Applies to electronic protected health information Additional layers of safeguards for ephi HIPAA Breach Notification Spans Privacy and Security Adds transparency to the process If state law differs from HIPAA, the more restrictive law applies Who is a Covered Entity A health plan A health care clearinghouse A health care provider who transmits any health information in electronic form in connection with a transaction covered by HIPAA. Transaction means the transmission of information between two parties to carry out financial or administrative activities related to healthcare including claims or encounter information, healthcare payment or remittance advice, coordination of benefits, health care claims status, enrollment and disenrollment in a health plan, eligibility for a health plan, health plan premium payments, referral certification and authorization, first report of injury, health claim attachments, and other transactions prescribed by regulation. 3
Who is a Business Associate A person/entity who, with respect to a covered entity: On behalf of such covered entity or an organized health care arrangement, but other than as a member of the workforce of the covered entity, creates, receives maintains or transmits PHI for an activity regulated by HIPAA, including claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; patient safety activities; benefit management; practice management and repricing; or Provides, other than as a member of the workforce, legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for the covered entity or organized health care arrangement where the performance of service involves the disclosure of PHI. BA includes a health information organization, e-prescribing gateway, or other person that provides data transmission services that requires access on a routine basis to such PHI; a person that offers a personal health record on behalf of a covered entity; and a subcontractor that receives, creates, maintains or transmits PHI on behalf of a BA. Certain exceptions What is Protected Health Information Individually identifiable health information that is transmitted in electronic media, maintained in electronic media, or transmitted or maintained in any other form, but not including education records covered by FERPA, certain higher education records, employment records held by a covered entity in its role as employer, and regarding a person who has been deceased more than 50 years. Health information means any information, including genetic information, that is created or received by a healthcare provider, health plan, public health authority, employer, life insurer, school or university, or healthcare clearinghouse and relates to past, present, or future physical or mental health or condition of an individual, provision of health care, or past, present or future payment for the provision of health care. Individually identifiable means information that identifies an individual or with respect to which there is a reasonable basis to believe the information can be used to identify the individual 4
What Did the Omnibus Regulations Change? Application of HIPAA to Business Associates HIPAA Privacy Standards Notice of Privacy Practices Use of PHI for Marketing Sale of PHI Use of PHI for Fundraising Disclosure of PHI to Decedent s Family Members HIPAA/HITECH Breach Notification Standards Definition of Breach HIPAA Enforcement Business Associates 5
Business Associates Definition revised to add Patient safety organizations Health information exchange, e-prescribing and other data transmission companies Personal health records offered by covered entities Subcontractors of Business Associates Business Associates required to implement HIPAA Security Policies Application of Minimum Necessary to Business Associates Agreements with Subcontractors Revisions to Business Associate Agreements Model Business Associate Agreement from Office of Civil Rights New terms Written agreement with subcontractor Comply with HIPAA Security as if Covered Entity Notification of breaches If carry out Covered Entity obligation under HIPAA, comply with terms of HIPAA If Business Associate is considered an agent, knowledge of breach may be imputed to the Covered Entity 6
Enforcement- Liability for Business Associates Covered Entity is liable for violations of Business Associate IF Business Associate is considered an agent of the Covered Entity. Factors to determine scope of agency Time, place, and purpose of Business Associate conduct Whether Business Associate engaged in course of conduct subject to Covered Entity s control Whether Business Associate-agent s conduct is commonly done by a Business Associate to accomplish the service performed on behalf of the Covered Entity Whether or not the Covered Entity reasonably expected that a Business Associateagent would engage in the conduct in question Business Associate can be an agent Despite the fact that Covered Entity does not retain right or authority to control every aspect of Business Associate s activities Even if Covered Entity does not exercise right of control but evidence exists it holds the authority to exercise the right HIPAA Privacy Standards 7
Notice of Privacy Practices Revised Notice of Privacy Practices must be available to patients and provided to new patients New notice must be posted in location where care provided Revisions include: Specific statement of need for authorization for use/disclosure of psychotherapy notes Specific statement of need for authorization to use/disclose PHI for marketing or for sale of PHI Specific statement regarding use/disclosure of PHI for fundraising Specific statement regarding use/disclosure of PHI to Plan Sponsor Specific statement that Health Plan may not use genetic information in connection with its underwriting activities (consistent with GINA) Specific statement regarding the requirement that a Covered Entity notify an individual in the event of breach with respect to his/her PHI Other Changes Use of PHI for Marketing Sale of PHI Use of PHI for Fundraising Disclosure of PHI to Decedent s Family Members 8
HIPAA/HITECH Breach Notification Standards Definition of Breach Breach means the acquisition, access, or use of PHI in a manner not permitted by the HIPAA Privacy Standard which compromises the security or privacy of the protected health information. 9
Exclusions to Breach Workforce Use Unintentional acquisition, access or use of PHI by a workforce member if the PHI is not further used or disclosed in a manner that violates the Privacy Rule Workforce Disclosure - Unintentional disclosure of PHI by a workforce member if the PHI is not further used or disclosed in a manner that violates the Privacy Rule No Way to Retain Info Unauthorized disclosure to which the CE or BA has a good faith belief that the unauthorized person to whom the PHI is disclosed would not reasonably have been able to retain info. Substantial Harm Element Replaced Unauthorized access/disclosure is presumed to be a breach Covered Entity has option of performing breach risk assessment Risk assessment must include analysis of: Nature and extent of PHI involved, including types of identifiers and likelihood of re-identification Unauthorized person who used/received the PHI Whether PHI was actually acquired or viewed Extent to which the risk to PHI has been mitigated If risk assessment determines low probability that the PHI was compromised, then no notification required. 10
Enforcement Enforcement Tier 1 Violation not known or reasonably known Tier 2 Violation due to reasonable cause, but not willful neglect Tier 3 Violation due to willful neglect, if corrected Tier 4 Violation due to willful neglect, if not corrected Old HIPAA None $100 per violation, $25,000 max for identical violations in calendar year $100 per violation, $25,000 max for identical violations in calendar year $100 per violation, $25,000 max for identical violations in calendar year New HIPAA At least $100 per violation, $25,000 max for identical violations in calendar year At least $1,000 per violation, $100,000 max for identical violations in calendar year At least $10,000 per violation, $250,000 max for identical violations in calendar year At least $50,000 per violation, $1.5 million max for identical violations in calendar year 11
Results of OCR Audit Demonstration Program 60% of deficiencies identified were related to HIPAA Security 58 of 59 providers audited had at least one HIPAA Security deficiency 47 out of 59 providers; 20 out of 35 health plans; and 2 of 7 clearing houses had not conducted a complete and accurate risk assessment Top three deficiencies were related to contingency planning and back-ups; audit controls and monitoring; and access management Most common cause of deficiency: entity was unaware of the requirement Next round of audits are expected to affect business associates and be scheduled following the September 23, 2013 effective date Enforcement Activities Settlements may originate with complaint or breach report Primary breaches include Stolen or lost laptops or media Unsecured firewall Employee s access of information Disclosure of information Business Associates were responsible for more breaches than Covered Entitites Most frequent deficiencies mentioned include: Failure to perform risk assessment Inadequate training Insufficient policies and procedures Incomplete security measures Failure to safeguard media Most involve corrective action plan with ongoing monitoring in addition to penalties 12
Litigation Trends Litigation Trends No private cause of action under HIPAA New Development of State Law Claims HIPAA is the standard of care Results vary by state Proof of actual disclosure/damage Automatic damages Punitive damages Vicarious liability 13
Interaction with Corporate Compliance Access and Authorities - HIPAA Workforce Security Information Access Management Minimum Necessary 14
Access and Authorities - Compliance Performance of a Service Ordering/Prescribing a Service or Supply Entry of Documentation Amendment of Documentation Verification of Identity - HIPAA Access Control- Unique User Identification Log-in Monitoring Password Management 15
Verification of Identity - Compliance Signature Requirements Electronic Signature Policy Malpractice Impact Integrity of Data - HIPAA Integrity at Rest Integrity in Transmission Security Awareness and Training 16
Integrity of Data - Compliance Authenticity of Documentation Amendments, Corrections, and Delayed Entries Availability of Records - HIPAA Back-Up Plan Disaster Recovery Plan Emergency Mode Operations 17
Availability of Records - Compliance Record Retention Requirements Medicare/Medicaid/Payors Malpractice State licensure Availability Upon Request Audits Litigation Strategy for Improvement 18
Development of a Robust Compliance Program Learn the rules Identification and control of PHI within the organization Performance of a Risk Assessment Develop a schedule to implement security measures to resolve identified risks Customize Privacy and Security Policies to guide workforce compliance Implement a training program Create an ongoing monitoring program Create a process for identification, investigation, and resolution of incidents Continually re-evaluate and improve Questions? Stacy Harper Lathrop & Gage LLP sharper@lathropgage.com 913-451-5125 19