ACC Compliance and Ethics Committee Presentation
February 19, 2013
Melinda G. Murray, Associate General Counsel, Holy Cross Hospital
and Jill M. Girardeau, Partner, Womble Carlyle Sandridge & Rice, LLP

HIPAA Background
- Originally, HIPAA applied only to Covered Entities
- Covered Entities (sometimes called "CEs"):
  - Health care providers conducting certain transactions electronically
  - Health plans
  - Health care clearinghouses
HIPAA Background
- HIPAA has various parts
- Today's topics:
  - Privacy Rule
  - Security Rule
  - Breach Notification Rule

HITECH Act
- The HITECH Act, part of the American Recovery and Reinvestment Act of 2009, expanded the scope of HIPAA and made other changes
- Since HITECH, we have been waiting on additional HIPAA regulations
Final HIPAA Regulations
- Final HIPAA regulations were published on January 25, 2013
- As expected, these regulations expanded the scope of HIPAA and made other significant changes to the rules governing uses and disclosures of PHI

Business Associates
- HIPAA's Privacy Rule did not apply to BAs
- HITECH (Section 13404) creates direct liability on BAs for noncompliance with their agreements: civil & criminal penalties
- Privacy Rule limits on CEs automatically extend to BAs
Business Associates: Definition
- Creates, receives, maintains, or transmits PHI:
  - For claims, data analysis, utilization, quality assurance, billing, benefits, practice management
  - Legal, actuarial, accounting, consulting, financial services, management, data aggregation
- Subcontractor that creates, receives, etc. PHI on behalf of a business associate
- Exception for "mere conduits": only for those that merely transmit PHI, not for storers (e.g. cloud vendors)

Business Associates
- Direct liability for:
  - Impermissible uses and disclosures
  - Failure to provide breach notification to the Covered Entity
  - Failure to provide access to a copy of electronic PHI to the Covered Entity or individual
  - Failure to disclose PHI in response to an HHS investigation
  - Failure to provide an accounting of disclosures
  - Failure to comply with the Security Rule
Business Associates: Business Associate Agreement
- Business Associate may create or receive PHI on behalf of the Covered Entity
- Assurances that it will safeguard the information
- Same responsibility to a subcontractor of a Business Associate
- Implement security measures to protect information
- All the way down the chain of subcontractors

Business Associates: Business Associate Agreement
- Establish the scope of permitted disclosures
- Subcontractor's agreement must be as stringent as, or more stringent than, the agreement above
- Establish what activities the Business Associate is required to perform: who handles what under HIPAA
- Document the satisfactory assurances required
- Other provisions re: compliance or indemnification
Business Associates: Business Associate Agreement Time Frame
- New agreements: 6 months, by September 23, 2013
- Existing agreements: one year, by September 23, 2014

Sale of PHI
- "Sale": Disclosure of PHI by a CE or BA
  - Where the CE or BA directly or indirectly receives remuneration
  - From or on behalf of the recipient of the PHI, in exchange for the PHI
- Requires an authorization that:
  - Specifically states that disclosing the PHI will result in remuneration
  - Includes language by the BA to describe the type of remuneration
Sale of PHI: Remuneration
- Not just financial
- In-kind benefits, e.g. computers
- Health information exchange (HIE) paid by fees assessed on participants for services, not for data

Sale of PHI
- De-identified health information is not subject to the prohibition because it is not PHI
- Limited data sets are subject to the prohibition
Sale of PHI: Excluded
- Public health activity
- Research or grants
  - Remuneration is the cost of preparation and transmittal
- Treatment
- Sale, transfer, merger due diligence
- BA services at the request of the CE
- Charging for providing an individual access to his/her PHI

Marketing
- Individual authorization required
- Disclosure of PHI in order to communicate about a product or service
- CE receives financial remuneration
  - Includes BA of a Covered Entity (e.g. health plan promotion)
- Face-to-face okay
Marketing: Authorization not necessary
- Refill reminders
- Communication of other information about drugs, even if paid
  - Reasonable
- Promoting health, healthy diet
- Government programs

Fundraising
- Communication by CE, BA, or institution-related foundation
- Permissible with opt-out provision
- CE can decide on the scope of the opt out:
  - Single campaign
  - All fundraising
Fundraising
- No authorization necessary to disclose to a related foundation or BA for fundraising:
  - Demographic information (name, address, other contact information, age, gender, d.o.b.)
  - Dates of care provided
  - Department where service was provided
  - Treating physician
  - Outcome (including death or sub-optimal treatment)
  - Health insurance status

Fundraising: Requirements
- Notice of Privacy Practices must include intent to make fundraising communications and how the individual can opt out (once received)
- All communications (even phone) must include a clear, conspicuous, easy opt out (e.g. prepaid post card, email)
Fundraising: Other conditions
- Minimum necessary
- Can't condition treatment
- Right to opt back in
- Challenge = tracking the opt-outs

Right to Request Restrictions: Prior Rule
- Covered Entity didn't have to agree to restrictions
Right to Request Restrictions
- Covered Entity must agree to a request for restrictions on disclosing PHI to a health plan if:
  - Disclosure is for purposes of payment or healthcare operations
  - It is not required by law
  - PHI relates to healthcare services for which the individual has paid in full

Right to Request Restrictions: Covered Entity issues
- Does not have to create a separate record
- Can determine on its own how to flag the restriction (but must create a good system so the PHI is not disclosed inadvertently)
- Counsels the patient if he requests restrictions on one service in a single encounter; give the patient the option to pay for all
- Does not have to inform downstream providers of restrictions
- Does not have to comply if payment is dishonored
Right to Request Restrictions: Additional Covered Entity exceptions
- Follow-up care: if not restricted and the patient doesn't pay out of pocket, the provider can disclose if necessary for billing (medically necessary)
- HMO contractual provisions: the provider still has an obligation to adhere to the request
- Government health plan = required by law
  - Patient may choose not to authorize submission of the bill to Medicare

Notice of Privacy Practices
- Material changes to Notices of Privacy Practices (NPPs)
- Business Associates are not required to have NPPs
Notice of Privacy Practices
- Must revise to include new provisions:
  - Disclosures of psychotherapy notes and disclosures for marketing and sale of PHI require authorization
  - Opt out of fundraising
  - New right to request restrictions
  - Individuals' rights to be notified of a breach of unsecured PHI

Breach Notification Rule
- Breaches of unsecured PHI require notice from the Covered Entity to affected individuals, the government, and (in some cases) the media
- Business Associates must report breaches to Covered Entities
- But not all impermissible uses and disclosures of PHI are breaches
Breach Notification Rule
- Risk assessment must be conducted to determine if a breach occurred
- Significant changes to the definition of "breach"

Breach Notification Rule
- Previously, an impermissible use or disclosure of unsecured (i.e., unencrypted) PHI that resulted in a significant risk of financial, reputational, or other harm was a breach
- Now, an impermissible use or disclosure of PHI is presumed to be a breach unless the CE or BA can demonstrate a low probability that the PHI has been compromised
Breach Notification Rule
- Risk assessment required to demonstrate a low probability that the PHI has been compromised
- Risk assessment must consider:
  - Types and extent of PHI involved
  - Who used or received the PHI
  - Whether the PHI was actually acquired or viewed
  - Extent to which risks have been mitigated

Breach Notification Rule
- Business Associates report breaches to Covered Entities
- Covered Entities notify individuals, the government, and the media (in some cases)
- When drafting BAAs, consider:
  - Timeframe for BA reports of breaches
  - Payment/reimbursement for breaches caused by a BA or subcontractor
Security Rule
- Applies to electronic PHI
- Requires administrative, physical, and technical safeguards to protect electronic PHI

Security Rule
- Now applies to Business Associates as well as Covered Entities
- Specific steps:
  - Appoint a security officer
  - Conduct a risk analysis
  - Develop policies and procedures
  - Implement safeguards
  - Train the workforce