HIPAA 2014: Recent Changes from HITECH and the Omnibus Rule
Association of Corporate Counsel, Houston Chapter
October 14, 2014

Jeffery P. Drummond
Jackson Walker L.L.P.
901 Main Street, Suite 6000
Dallas, Texas 75202
(214) 953-5781
jdrummond@jw.com
www.hipaablog.blogspot.com

Agenda
- HIPAA Background and History
- Are you a Covered Entity
- Are you a Business Associate
- Group Health Plan issues
- Special Law Firm issues
HIPAA Background and History

Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- Based on the Kennedy-Kassebaum bill
- Created to:
  - Assure health insurance portability
  - Reduce health care fraud and abuse
  - Increase electronic data interchange in the healthcare industry through standardization
  - Guarantee security and privacy of health information
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- Collateral Issues:
  - Electronic records require greater protection
  - Employer access to ERISA health plan information
  - National floor for health data protection
  - Minimize disruption to legitimate healthcare business

The Health Insurance Portability and Accountability Act of 1996 (HIPAA): It's more than insurance portability and accountability
- TITLE I: Health Insurance Access
  - Insurance Portability
  - Insurance Renewal
- TITLE II: Fraud and Abuse Control Programs
  - Administrative Simplification
  - Medical Liability Reform
- TITLE III: Medical Savings Accounts
  - Health Insurance Tax Deductions
- TITLE IV: Enforcement of Group Health Plan Provisions
- TITLE V: Revenue Offset Provisions
Administrative Simplification
- Transaction and Code Sets
- Privacy
- Security

A brief history of HIPAA
- 1996: HIPAA statute passes
- 2000/2001: Privacy Rule published
- 2003: Privacy Rule enforceable, Security Rule published
- 2005: Security Rule enforceable
- 2009: HITECH Act passes, initial regulations passed
- 2013: HITECH omnibus rule
The Privacy Rule: Who (is covered)?
- Direct applicability to Covered Entities
  - Physicians, hospitals and other healthcare providers
  - Health insurance plans
  - Healthcare clearinghouses
- Prior to HITECH/Omnibus: Indirect applicability to Business Associates of CEs
- After HITECH/Omnibus: Direct and indirect applicability to BAs

The Privacy Rule: Business Associates
- An entity that provides a service to a CE that involves PHI.
- Exceptions: courier services, workforce members
- HITECH change: "create, receive, maintain or transmit" PHI.
- Despite HITECH making BAs directly subject to HIPAA, BAAs are still required.
The Privacy Rule: What (is PHI?)
- Any health information relating to:
  - Past, present or future physical or mental health or conditions
  - Provision of health care, or
  - Past, present or future payment for health care
- Created/received by provider, plan, employer or clearinghouse
- Individually identifiable, or presents a reasonable basis to believe the information can be used to identify the individual
- In any medium:
  - Written
  - Verbal
  - Electronic
- Termed Protected Health Information (PHI)

The Privacy Rule: What (is NOT PHI?)
- Education records (mostly covered by FERPA)
- Employment records
- Records relating to someone who has been dead for at least 50 years
- Records entirely unrelated to a Covered Entity
Privacy Regulations in General
- Cover:
  - Rules for the disclosure and use of PHI
  - Individual rights regarding protected health information
  - Administrative Safeguards (responsibilities of CEs and BAs)

The Privacy Rule: The Rule
- An absolute prohibition with exceptions: "Thou shalt not":
  - A covered entity may not use or disclose protected health information, except:
    - For treatment, payment, or healthcare operations
    - With the individual's authorization or to the individual
    - As otherwise required by law or otherwise permitted or required under the privacy regulations
The Privacy Rule: the Rights
- Right to Notice of Privacy Practices
  - Describes individual's rights to access, inspection, accounting
  - Duties of covered entity
  - Complaints and contacts
  - How covered entity will use and disclose their health information
- Information cannot be used or disclosed for any purpose not included on the Notice.
- Individual must be notified if information is used in a new fashion not covered by the old Notice.
Privacy Standards: Individual Rights
- Right to Access own Information
- Right to Request Amendment
  - Accepting amendments
  - Denying amendments
  - Grounds for denial
- Right to Request Restrictions
  - Can refuse*
  - If agree, are bound to it
- Right to Request Communications in alternative fashion
  - Correspondence sent to alternate address
  - Must accommodate reasonable requests
- Right to Receive an Accounting of Disclosures
  - Date and purpose
  - Recipient name
  - Description of information disclosed
  - Exceptions for treatment, payment and health care operations
  - Exception for disclosures pursuant to an Authorization

The Privacy Rule: the Responsibilities
- Enter Business Associate Agreements
- Appropriate documentation (NoPP, authorizations)
- Policies and Procedures
- Training
- Privacy Officer and Security Officer
- Document complaints
- Comply with the Security Rule
The Security Rule
- Covered entities must establish policies and procedures and put in place safeguards to secure the PHI they maintain and transmit.
- A risk analysis is the first step in the process to determine what risks exist and how they can be mitigated. Then, safeguards must be put in place.

The Security Rule
- Administrative: Security officer, training, access controls, contingency planning, BAA management
- Physical: Facility access controls, workstation use rules and security, device/media controls
- Technical: Log-ons and passwords, audit controls, encryption
HITECH Act Provisions
- New Data Breach Rules: "unsecured PHI" is the key
- Business associates are now treated like covered entities
- "Hide rule"
- Marketing/fundraising
- Accounting for disclosures if you use an EMR
- Increased enforcement, penalties
- State AGs can prosecute

Omnibus Rule Provisions
- New Data Breach Rules: "harm" is out, "low probability of compromise" is in
- Business associates and subcontracting business associates
- Enforcement: Reasonable Cause and Willful Neglect
- Marketing/Fundraising/Sale of PHI
- Dead People
- Increased enforcement, penalties
- State AGs can prosecute
Omnibus Rule Timetable
- Regulations published January 25, 2013
- Primary effective date: September 23, 2013
- Secondary effective date: September 22, 2014
  - Mainly relates to Business Associate Agreements
  - BAAs that were fully compliant on January 25, 2013 and were not amended prior to September 23, 2013 were grandfathered until September 22, 2014 (or any sooner date that they were revised or amended).

Are You a Covered Entity?
Covered Entities
- Healthcare Plans, Providers, and Clearinghouses
- Privacy Rule compliance: Obey the rule, respect the rights, fulfill the responsibilities
- Security Rule compliance: Do the risk analysis, adopt administrative, physical and technical safeguards

Covered Entities
- Hybrid entities (e.g., in-house health clinic at a manufacturing site):
  - Can you segregate the healthcare component from the rest of the entity?
  - Treat healthcare component as its own separate entity for HIPAA purposes
  - Privacy Rule compliance
  - Security Rule compliance
Covered Entities
- OHCAs and Affiliated Covered Entities:
  - Organized Health Care Arrangements: separate entities that operate in combined format for HIPAA compliance
  - Affiliated Covered Entities: related organizations that operate in combined fashion
  - Organizations with some CE entities and some non-CE entities (and maybe some BAs thrown in as well)

Are You a Business Associate?
Are you a BA?
- Provide service to one or more covered entities?
- Create, receive, maintain or transmit PHI in connection with the service?
- No other exception (workforce member, providing services to patient/beneficiary rather than to other party, etc.)?

HITECH Act Expansion
- Under original HIPAA, only plans, providers and clearinghouses are CEs
- HITECH (legislatively) expands HIPAA to include BAs
  - BAs are now liable for some Privacy Rule provisions
  - BAs are now liable for virtually all Security Rule provisions
Privacy Rule Compliance
- Abide by the BAA
- Enter Subcontractor BAAs with any subcontractors
- Abide by HITECH privacy requirements
  - Minimum necessary
  - Data breach rules
  - Restrict uses and disclosures of PHI
  - Control access to PHI

Security Rule Compliance
- Policies and procedures (45 CFR 164.3xx)
  - Administrative (164.308)
  - Physical (164.310)
  - Technical (164.312)
- Must do a Risk Analysis to determine what policies and procedures to adopt
  - Encryption?
  - Special Record-keeping?
  - Minimum Necessary?
  - Audit/restrict access?
Administrative Safeguards
- Security Management Process
  - Risk Analysis
  - Risk Management
  - Sanction Policy
  - Information System Activity Review
- Assigned Security Responsibility
- Workforce Security
  - Authorization and Supervision
  - Workforce Clearance Procedure
  - Termination Procedure
- Information Access Management
  - Isolating Clearinghouse Function
  - Access Authorization
  - Access Establishment and Modification

Administrative Safeguards (cont.)
- Security Awareness and Training
  - Security Reminders
  - Protection from Malicious Software
  - Log-in Monitoring
  - Password Management
- Security Incident Procedures
  - Response and Reporting
- Contingency Plan
  - Data Backup Plan
  - Disaster Recovery Plan
  - Testing and Revision Procedure
  - Applications and Criticality Analysis
- Evaluation
- Business Associate Contracts
Physical Safeguards
- Facility Access Controls
  - Contingency Operations
  - Facility Security Plan
  - Access Control and Validation Procedures
  - Maintenance Records
- Workstation Use
- Workstation Security
- Device and Media Controls
  - Disposal
  - Media Re-use
  - Accountability
  - Data Backup and Storage

Technical Safeguards
- Access control
  - Unique User Identification
  - Emergency Access Procedure
  - Automatic Logoff
  - Encryption and Decryption
- Audit controls
- Integrity
  - Mechanism to Authenticate E-PHI
- Person or Entity Authentication
- Transmission Security (encryption)
Business Associate Issues
- Obligated under HIPAA for some Privacy Rule and all Security Rule obligations
- Obligated under the BAA for much of the same
- Obligated to downstream BAA obligations to subcontractors
- Indemnification obligations under the BAA? Even simple damages can be very high

Do you have a Group Health Plan?
Group Health Plan Issues
- Group health plans are covered entities, even if the employer/sponsor is not.
- Group health plan must meet all of the Privacy Rule and Security Rule obligations of any other Covered Entity
- Group health plan must also ensure separation between plan and employer

Special Issues relating to Law Firms
Lawyers as BAs
- Attorneys defined to be BAs if they:
  - Represent covered entity
  - Create, receive, maintain or transmit PHI for, from or to CE in connection with services
- Must sign BAA
- Must comply with Security Rule

Special issues with lawyers and BAAs
- Attorneys are not like other vendors who are business associates
- Must be careful when negotiating contract with client (you are adverse to them)
- Unlike other vendors, your communications with clients are privileged
- BAA must require BA to allow HHS to audit books and records
- Watch out for indemnification provisions
PS: Don't forget Texas law
- Texas HB300 Compliance (actually B&C Ch. 521, H&S Ch. 181)
- Entity is covered if it "engages for profit in assembling, using, storing or transmitting protected health information"
- Pretty much all CEs and BAs are subject to it
- Must reasonably protect data, report data breaches
- Must train staff within 90 days of employment and within 1 year of changes in law
- Required sign-in sheets
- Sales of PHI prohibited
And just for grins.... PS: Don't forget Texas law