Preparing for a HIPAA Audit & Hot Topics in Health Care Reform
2013 San Francisco Mid-Sized Retirement & Healthcare Plan Management Conference, March 17-20, 2013
Elizabeth Loh, Esq.
Copyright Trucker Huss, APC, One Embarcadero Center, 12th Floor, San Francisco, California 94111
Telephone: 415-788-3111, Facsimile: 415-421-2017
Agenda
HIPAA Enforcement
Final Omnibus HIPAA Rules Issued
2013 Health Care Reform To-Do List
HIPAA Enforcement
HIPAA Complaints
HIPAA Compliance Reviews
HIPAA Audits
Complaint Process
HHS delegated to OCR the authority to administer and enforce compliance with the HIPAA privacy and security rules
Individuals may file a complaint with OCR for alleged violations of the privacy and/or security rule
OCR website describes the process for filing a complaint
Number of HIPAA Related Complaints to OCR
Complaints Typically Received by OCR
Top 5 Complaints
> Impermissible uses and disclosures of PHI
> Lack of safeguards of PHI
> Lack of patient access to their PHI
> Uses or disclosures of more than the minimum necessary PHI
> Lack of administrative safeguards of ePHI
Top 5 Covered Entities
> Private Practices
> General Hospitals
> Outpatient Facilities
> Health Plans (group health plans and health insurance issuers)
> Pharmacies
Enforcement Results
Compliance Review
OCR has authority to conduct agency-initiated cases
> Determine whether entities subject to privacy and security rules are complying
Initiated at discretion of OCR
> For example, OCR may initiate a compliance review based on media reports that a violation has occurred
Covered entity is required to cooperate with OCR
> Must keep records and submit compliance reports
> Must permit access to facilities and records
HIPAA Audit Program
HITECH Act requires HHS to provide for periodic audits to ensure that Covered Entities and Business Associates are complying with the HIPAA privacy and security rules and the HITECH breach notification requirements
OCR launched pilot program in 2011
> 115 random audits (20 initial, and then 95 completed in 3 waves)
> Conducted by KPMG from November 2011 through December 2012
Timing of Audit Pilot Program
Purpose of HIPAA Audit Pilot Program
Examine mechanisms for compliance
Identify best practices
Discover risks and vulnerabilities
OCR will share best practices gleaned through the audit process via its website
Understanding HIPAA Audits
Audits are random
> An audit does NOT indicate that a complaint has been filed
An audit is not an investigation
Audits are not intended to be confrontational
Who Will be Audited in the Future?
Every covered entity and business associate is eligible for audit
Selections in initial round designed to provide broad assessment
> Covered providers of health services
> Health plans of all sizes and functions
> Health care clearinghouses
Business Associates were not included in pilot program but may be subject to audits in the future
How Does the Audit Program Work?
OCR engaged KPMG to conduct audits
OCR will notify entities in writing of their selection for audit
> Notification letter will include a request for documents
Every audit in pilot program included a site visit
Following site visit, auditors will prepare a draft report and share it with the entity
Entity has an opportunity to discuss concerns and describe corrective actions it has taken to address issues identified in audit
Auditor's final report to OCR will incorporate entity's corrective steps and best practices
What is the General Timeline for an Audit?
OCR will notify the entity in writing when it is selected for audit
OCR expects to notify selected entities between 30 and 90 days prior to anticipated onsite visit
Notification letter will contain details regarding audit process
OCR expects entities to provide requested information within 10 business days of the request for information
What is the General Timeline for an Audit? (cont'd)
Onsite visits may take between 3 and 10 business days depending on organization
After fieldwork is completed, auditor will provide entity with a draft final report
Entity will have 10 business days to review and provide written comments to auditor
Auditor will complete final audit report within 30 business days after the covered entity's response and submit it to OCR
What is the General Timeline for an Audit? (cont'd)
What Happens After an Audit?
OCR will review final reports and use them to determine the types of technical assistance that should be developed
OCR will determine what type of corrective actions are most effective
At this time, audits are primarily a compliance improvement activity
> An auditor's discovery of an error will most likely lead to a simple recommendation for corrective action
Should the audit report indicate a serious compliance issue, OCR may initiate a compliance review to address the problem
Current Audit Findings
Smaller entities had more HIPAA related issues than larger entities
For all entities, Security Rule compliance problems were more of an issue than Privacy Rule compliance problems
Preparing for a HIPAA Audit
Use the Audit Protocol to review your HIPAA privacy and security program
Preparing for a HIPAA Audit
Audit Protocol
On June 25, 2012, OCR published the audit protocol that is being used in the current round of privacy and security audits
Available at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html
Protocol includes 165 key activities (77 related to the security rule, 10 related to breach notification, and 78 related to privacy rule)
Preparing for a HIPAA Audit
Audit Protocol
Provides questions auditors will be asking with respect to HIPAA compliance
Use the audit protocol for purposes of improving HIPAA compliance programs
Preparing for a HIPAA Audit
Regularly conduct self-audits (at least annually)
Review policies, procedures, etc.
Ensure that the workforce is properly trained
> Not only Privacy and Security officers
> OCR will interview management to confirm that all levels of the organization are focused on compliance
Preparing for a HIPAA Audit
Document, document, document
> Retain copies of all Business Associate Agreements
> Notice of Privacy Practices
> HIPAA Policies and Procedures
> HIPAA training programs, attendance records for the programs, training materials used
> Document HIPAA security compliance (for example, document decision NOT to implement a certain addressable security measure)
Ensure documentation is organized and accessible
Preparing for a HIPAA Audit
Focus on Mobile Technology
Recent OCR enforcement trends have focused on mobile technology
Entities have faced penalties for lack of policies and procedures that directly address mobile technology
OCR has established a new initiative addressing mobile technology
OCR suggests the following measures
> Use passwords
> Install encryption
> Install remote wiping
> Use adequate controls when using wi-fi
Why Comply with HIPAA?
If a HIPAA violation is discovered
> Substantial Penalties
> Burdensome Corrective Action Plans
Why Comply with HIPAA?
HIPAA Enforcement Actions 2012
Massachusetts Eye and Ear Infirmary Settlement
Theft of an unencrypted personal laptop containing ePHI of patients and research subjects
> Investigation followed breach report submitted by MEEI
> Lack of safeguards; $1.5 million resolution amount and corrective action plan
Alaska DHSS Settlement
Portable electronic storage device (USB hard drive) possibly containing ePHI was stolen from vehicle of DHSS employee
> Investigation followed breach report submitted by Alaska DHSS
> Lack of safeguards; $1.7M resolution amount and corrective action plan
Why Comply with HIPAA?
HIPAA Enforcement Actions 2012
Blue Cross Blue Shield of Tennessee Settlement
57 unencrypted computer hard drives were stolen from a leased facility in Tennessee. Hard drives included PHI of over 1 million individuals, including names, SSNs, diagnosis codes, etc.
> Investigation followed notice sent by BCBS
> Lack of safeguards; $1.5M resolution amount and corrective action plan
Phoenix Cardiac Surgery Settlement
Physician practice was posting clinical and surgical appointments for patients on an internet-based calendar that was publicly accessible
> Investigation based on complaint
> Lack of safeguards; $100,000 resolution amount and corrective action plan
Why Comply with HIPAA?
Civil penalties for violations based on level of culpability
> From $100/violation (not to exceed $25,000/year for the same violation) to $50,000/violation (not to exceed $1.5 million/year for the same violation)
Why Comply with HIPAA?
Criminal penalties can also be imposed
> If convicted of wrongful disclosure of health information, a fine of up to $50,000 and a one-year term of imprisonment can be imposed
> If the offense is under false pretenses, a fine of up to $100,000 and a 5-year term of imprisonment can be imposed
Why Comply with HIPAA?
> If convicted with the intent to sell, transfer or use health information for commercial or personal gain or malicious harm, a fine of up to $250,000 and a jail term of 10 years can be imposed
Complying with the New Omnibus HIPAA Rule
Department of Health and Human Services has released Omnibus HIPAA Rules
> Omnibus HIPAA rules effective March 26, 2013
> Covered entities and Business Associates must generally comply by September 23, 2013 (with a few exceptions)
Omnibus HIPAA Rules implement changes to HIPAA Privacy, Security, Enforcement, and Breach Notification requirements
Breach Notification
New Standard
Old Rule: If information relating to the health plan is used or disclosed in violation of HIPAA, a notification obligation may be triggered if the use or disclosure compromises the security or privacy of such information and poses a significant risk of financial, reputational or other harm to the affected individual(s)
Under Omnibus HIPAA Rules: HHS has eliminated the risk of harm standard
Breach Notification
New Standard
HHS clarifies that the presumption is that a breach requires notification to the affected individuals UNLESS
> Covered entity demonstrates that there is a low probability that the PHI has been compromised based on a risk assessment
Risk assessment consists of four factors
> The nature and extent of the PHI involved
> The unauthorized person who used the PHI or to whom the disclosure was made
> Whether the PHI was actually acquired or viewed
> The extent to which the risk to the PHI has been mitigated
Where employer determines notice to individual is not required, it must document its risk assessment
Breach Notification
New Standard
New lower standard may lead to increased Breach Notifications, which may in turn lead to increased risk of enforcement action
Note: Most of OCR's settlements with covered entities originated in a security breach
Breach Notification
New Standard
Employers should take steps to reduce risk of breach
> Encrypt email containing PHI
> Implement policies that generally prohibit storage of unencrypted PHI on portable electronic devices
> Develop plan of action that will permit employer to document that erroneous recipients of unencrypted PHI never actually viewed the PHI (e.g., have IT department recall email or delete email)
Revised HIPAA Privacy Notices Must be Issued
Background: Covered entities are required to provide Notice of Privacy Practices
Notice must describe
> The uses and disclosures of PHI that may be made by the covered entity
> The individual's rights
> The covered entity's legal duties with respect to the PHI
Revised Notice of Privacy Practices Must be Issued
Omnibus HIPAA Rules require that employers make three additions to the Privacy Notice
> Privacy Notice must state that the plan must obtain plan participant's authorization to use or disclose psychotherapy notes, to use PHI for marketing purposes, to sell PHI, or to use or disclose PHI for any purpose not described in the notice, as well as a statement explaining how plan participants may revoke an authorization
> Privacy Notice must state that the plan is prohibited from using PHI that is genetic information for underwriting purposes
> Privacy Notice must inform plan participants of their right to receive a notice when there is a breach of their unsecured PHI
Distribution of Revised Notice of Privacy Practices
Must post revised Notice of Privacy Practices on benefits website by September 23, 2013
Distribute the revised Notice of Privacy Practices at next annual mailing to plan participants
If employer does not maintain a benefits website, it must distribute the revised Notice of Privacy Practices within 60 days of revising the Notice
If employer has already issued a Notice of Privacy Practices that complies with the Omnibus HIPAA Final Rules, it is not required to re-issue Notice
Re-Negotiate Business Associate Agreements
Background: Covered Entities (e.g., health plans, healthcare providers) must enter into a BAA with Business Associates (e.g., TPAs, claims processors, billing companies, legal counsel, actuaries, accountants) in order to disclose PHI to a Business Associate or allow a Business Associate to create, receive, maintain or transmit PHI on a Covered Entity's behalf
Re-Negotiate Business Associate Agreements
New rules provide for broader definition of Business Associate
> Subcontractors of Business Associates are also considered Business Associates
Covered Entity may be held liable for improper acts of Business Associates
> Omnibus HIPAA Rules eliminate prior exemption (under which a Covered Entity that did not know of improper acts and had a BAA in place was not liable)
> Now Covered Entity can be held vicariously liable for violations of its Business Associate as long as Business Associate is agent of Covered Entity
Re-Negotiate Business Associate Agreements
Must amend BAAs to include additional provisions:
> Business Associate will comply with HIPAA Security Rule with regard to ePHI
> Business Associate will report breaches of unsecured PHI to Covered Entity
> Business Associate will ensure that any subcontractors that create or receive PHI on behalf of the Business Associate will agree to same restrictions/conditions that apply to the Business Associate
> To the extent Business Associate is to carry out a Covered Entity's obligations, the Business Associate must comply with the requirements of the Privacy Rule in the performance of such obligation
Re-Negotiate Business Associate Agreements
Timing
> If BAA was in place prior to January 25, 2013, have until September 22, 2014 to amend BAA
> Otherwise, will need BAA that complies with Omnibus HIPAA Rules by September 23, 2013
Model BAA provisions available on OCR website: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html
Complying with Omnibus HIPAA Rules
Update policies and procedures
Re-train workforce
2013 To Do List for Health Care Reform Compliance
Budget for new fees
> Patient Centered Outcomes Research fee (PCOR fee)
Fees will fund the Patient-Centered Outcomes Research Institute
Plans that are subject to the PCOR fee include
> Applicable self-insured health plans
> Specified health insurance policies
> Plans that cover employees, former employees and retirees
PCOR Fees (cont'd)
Plans exempt from PCOR fees
> Health FSAs that are excepted benefits
> Stand-alone dental and vision plans
> Employee assistance programs, disease management programs, and wellness programs IF the program does not provide significant benefits in the nature of medical care or treatment
> Plans designed specifically to cover employees who are working and residing outside of the United States
> Stop-loss and indemnity policies
PCOR Fees (cont'd)
The PCOR fee is a temporary fee and will be imposed for plan/policy years ending on or after October 1, 2012 and before October 1, 2019
For plan/policy years ending on or after October 1, 2012, and before October 1, 2013, the applicable dollar amount is $1 (multiplied by average number of covered lives under plan/policy)
For plan/policy years ending on or after October 1, 2013, and before October 1, 2014, the applicable dollar amount is $2
PCOR Fees (cont'd)
For a self-insured health plan, the PCOR fee must be reported and paid by the plan sponsor
For an insured health plan, the PCOR fee must be reported and paid by the insurance company
The fee is collected like a tax and is reported using an IRS Form 720
The first potential due date for filing IRS Form 720 is July 31, 2013
Transitional Reinsurance Fees
Purpose of the Transitional Reinsurance Program is to help stabilize premiums for coverage in the individual market
For 2014, HHS estimates the national per capita uniform contribution rate to be $5.25 per covered life per month for a total of $63 per covered life per year
Reinsurance fee must be paid by health insurers and third party administrators on behalf of group health plans
> Or by the sponsor of a self-insured, self-administered group health plan
Transitional Reinsurance Fees
Plans that must pay fee include:
> Self-insured group health plans
> Insured group health plans covering employees, former employees, and retirees
Transitional Reinsurance Fees
Certain entities are excluded (for example):
> Any group health plan that does not provide major medical coverage
> Coverage consisting solely of excepted benefits
> Health reimbursement arrangements that are integrated with major medical coverage
> Health savings accounts
> Health flexible spending arrangements
> Employee assistance plans, disease management programs and wellness programs, if they do not provide major medical coverage
> Stop-loss and indemnity reinsurance policies, etc.
Transitional Reinsurance Fees
HHS proposes to collect reinsurance contributions annually from all contributing entities
No later than November 15, 2014, each contributing entity must submit to HHS its annual enrollment count of the number of covered lives for purposes of its reinsurance contributions for 2014
Within 15 days of that submission, HHS will notify the contributing entity of its required total contribution amount for 2014
The contributing entity must then submit the required payments to HHS within 30 days of the notification
Reinsurance contributions for 2014 may be due no earlier than December 30, 2014
Distribute Notice of Exchange
Prepare and distribute Notice of Exchange
> Employers must provide all new hires and current employees with Notice of Exchange
> Distribution of Notice delayed until late summer or fall of 2013
> To assist employers, DOL is considering providing model language that employers may use to satisfy this notice requirement
Preparing for Pay-or-Play
An applicable large employer is subject to an assessable payment if either:
> (1) the employer fails to offer to substantially all (at least 95%) of its full-time employees (and their dependents) the opportunity to enroll in minimum essential coverage under an eligible employer-sponsored plan and any full-time employee is certified to the employer as having received an applicable premium credit or cost sharing reduction for coverage purchased on the public exchange (section 4980H(a) liability), OR
> (2) the employer offers substantially all (at least 95%) of its full-time employees (and their dependents) the opportunity to enroll in minimum essential coverage under an eligible employer-sponsored plan and one or more full-time employees is certified to the employer as having received an applicable premium tax credit or cost sharing reduction for coverage purchased on the public exchange (section 4980H(b) liability)
Preparing for Pay-or-Play
The 4980H(a) penalty will likely be triggered because the employer does not offer enough of its full-time employees the ability to enroll in employer-sponsored health coverage
The 4980H(b) penalty will likely be triggered because the employer's coverage is unaffordable or does not provide minimum value
Preparing for Pay-or-Play
Determine if Applicable Large Employer
If Applicable Large Employer
> Review employees that make up workforce
> If have variable hour/seasonal employees, determine whether to implement tracking
> Review plan document eligibility provisions
> Perform cost analysis regarding what type of coverage to offer to employees and dependents
Contact
Elizabeth Loh, Esq.
Trucker Huss, APC
One Embarcadero Center, 12th Floor
San Francisco, CA 94111
(415) 788-3111
eloh@truckerhuss.com
www.truckerhuss.com
Disclaimer
These materials have been prepared by Trucker Huss, APC for informational purposes only and constitute neither legal nor tax advice
Transmission of the information is not intended to create, and receipt does not constitute, an attorney-client relationship
Anyone viewing this presentation should not act upon this information without seeking professional counsel
In response to new IRS rules of practice, we hereby inform you that any federal tax advice contained in this writing, unless specifically stated otherwise, is not intended or written to be used, and cannot be used, for the purpose of (1) avoiding tax-related penalties or (2) promoting, marketing or recommending to another party any tax-related transaction(s) or matter(s) addressed herein