Welcome to today's Webinar: Managing Risk Exposure in Meaningful Use Stage 2
June 28, 2013
A project of L.A. Care Health Plan
Ralph Oyaga, Esq., J.D., MBA, is the associate counsel for HITEC LA and a member of the legal team with L.A. Care Health Plan. Mr. Oyaga teaches a master's-level health law course at the USC Sol Price School of Public Policy. He has over 25 years' experience in health care, in both non-profit and for-profit organizations. Ralph has held various positions, such as Compliance Officer and Director of Contracts, and has managed hospital and medical group business services operations and inpatient admissions for hospital systems.
Andrew Kan is Managing Partner of Fusion Systems North America and head of its health care division, All Medical Solutions, a HITEC LA Service Partner.
Leeann Habte, Esq., is an associate with Foley & Lardner LLP and a member of the Health Care Industry Team and the Privacy, Security & Information Management Practice. She is also a Certified Information Privacy Professional. Ms. Habte has advised a variety of health care clients, including hospitals, pharmacies, health plans, medical device companies and health information technology companies, on federal and state privacy legal issues. She has had practical experience in developing and implementing health care data privacy and security policies and procedures, managing git resources and human subjects protection compliance.
Agenda
Meaningful Use Privacy and Security Requirements (Ralph)
2012 HIPAA Audit Highlights (Andrew)
Omnibus Rule (Leeann)
Q&A (All)
MU Objective: Protect Electronic Health Information
Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1), including addressing the encryption/security of data at rest, and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.
2012 HIPAA Audit Highlights, User Activity Monitoring
By Andrew Kan
Congress Requires Audits
Section 13411 of the HITECH Act
US Government Accountability Office, GAO-12-481
HIPAA Omnibus
HHS contracts KPMG
Pilot Audits 2012
Audited Entities
Privacy vs. Security Results
*Reused with permission from Adam H. Greene, JD, MPH, from the PPN Final Omnibus Presentation.
Audit Procedures: Pilot Audit > Official HHS Audit
Privacy Audit Procedures: 68 > 81
Security Audit Procedures: 77 > 78 (SPHER fulfills #69 & 70; SPHER assists #2, 3, 4, 18, 23, 24 & 36)
Breach Notification Audit Procedures: 10
Link: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html
HIPAA Security Rule
Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. (HIPAA Security Rule 164.308(a)(1)(ii)(D))
Implement procedures for monitoring log-in attempts and reporting discrepancies. (HIPAA Security Rule 164.308(a)(5)(ii)(C))
Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information. (HIPAA Security Rule 164.312(B))
Retain required documentation of policies, procedures, actions, activities or assessments required by the HIPAA Security Rule for six years from the date of its creation or the date when it last was in effect, whichever is later. (HIPAA Security Rule 164.316(B)(1)(ii))
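As an added illustration of the three review duties quoted above (regular audit log review, reporting log-in discrepancies, and the six-year retention clock), here is a small Python reviewer run over a constructed EHR audit log. It is not code from the webinar, from SPHER or from any EHR vendor; the log format, the failed-login threshold and the business-hours window are assumptions chosen for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample EHR audit log (not real data): time|user|role|action|patient|result
SAMPLE_LOG = """\
2013-06-03T08:02:11|drsmith|clinician|LOGIN|-|FAIL
2013-06-03T08:02:40|drsmith|clinician|LOGIN|-|FAIL
2013-06-03T08:03:05|drsmith|clinician|LOGIN|-|FAIL
2013-06-03T08:03:30|drsmith|clinician|LOGIN|-|FAIL
2013-06-03T08:04:00|drsmith|clinician|LOGIN|-|OK
2013-06-03T08:10:00|drsmith|clinician|VIEW|P1001|OK
2013-06-03T08:15:00|drsmith|clinician|VIEW|P1002|OK
2013-06-03T23:40:00|acme_support|vendor|VIEW|P1003|OK
2013-06-03T23:41:00|acme_support|vendor|VIEW|P1004|OK
2013-06-04T10:00:00|frontdesk2|clerk|VIEW|P1005|OK
"""

FAILED_LOGIN_THRESHOLD = 3     # assumed local policy value
BUSINESS_HOURS = range(7, 19)  # 07:00-18:59, assumed local policy value

def parse_log(text):
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts, user, role, action, patient, result = line.split("|")
            rows.append({"time": datetime.fromisoformat(ts), "user": user, "role": role,
                         "action": action, "patient": patient, "result": result})
    return rows

def review_audit_log(rows):
    """Return (finding_type, user, detail) tuples for the reviewer to document."""
    findings = []
    # 164.308(a)(5)(ii)(C): log-in attempt monitoring, report discrepancies
    failures = Counter(r["user"] for r in rows if r["action"] == "LOGIN" and r["result"] == "FAIL")
    for user, n in failures.items():
        if n >= FAILED_LOGIN_THRESHOLD:
            findings.append(("failed-login-discrepancy", user, f"{n} failed logins"))
    # 164.308(a)(1)(ii)(D): BA/vendor accounts touching patient records after hours
    vendor_phi = defaultdict(set)
    for r in rows:
        if r["role"] == "vendor" and r["patient"] != "-" and r["time"].hour not in BUSINESS_HOURS:
            vendor_phi[r["user"]].add(r["patient"])
    for user, patients in vendor_phi.items():
        findings.append(("vendor-after-hours-phi-access", user, f"{len(patients)} patient records"))
    return findings

def retention_deadline(created_iso, last_in_effect_iso=None):
    """Six-year retention runs from the later of creation or last-in-effect date (ISO strings)."""
    base = datetime.fromisoformat(max(created_iso, last_in_effect_iso or created_iso))
    day = 28 if (base.month, base.day) == (2, 29) else base.day  # Feb 29 rolls to Feb 28
    return base.replace(year=base.year + 6, day=day).date().isoformat()
```

The findings list is the artifact to keep for the review record; the reviewer, not the script, decides whether a finding is an incident.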
Core Features
AMS SPHER is a service that allows practices to review their EHR audit logs quickly and easily to meet HIPAA Security Requirements:
Automated audit log review
User & BA / Vendor activity
Identifies and analyzes workflow
Incident detection
EHR-specific intelligence analysis
PHI Systems Centric
Practice/Clinic/Organization Benefits
Compliance: Audit Log Requirement; SPHER is impartial versus manual log review
Activity Recording: 6 yrs documentation & retention requirement
Insurance Exclusions
"For [claims] arising out of or resulting from any act, error, omission, incident, failure of Computer Security."
"Based upon, arising from, or in consequence of any claim or proceeding brought by or on behalf of any federal, state, or local government agency or authority; or licensing or regulatory organization."
(Beazley, Chubb, Doctors Company, Lloyds)
Costs for SPHER
$2,300 / provider over 3 years
Direct Funding: Meaningful Use Program (~4% of Year 1 Medicare; ~3% of Year 1 Medicaid)
HRSA
HIE Grants
ACO Funds
Other Grants
Self Funded
Omnibus Rule
By Leeann Habte
HHS Omnibus Final Rule
Implementing regulations for the Health Information Technology for Economic and Clinical Health Act (HITECH Act) & the Genetic Information Nondiscrimination Act (GINA)
Makes other changes to the HIPAA regulations
» Effective: March 26, 2013
» Compliance date: September 23, 2013
» Compliance date for existing Business Associate Agreements: September 22, 2014
Business Associate Redefined
The Privacy Rule generally defines the term Business Associate to include entities engaged in certain administrative activities or services for or on behalf of Covered Entities which require access to PHI (i.e., claims processing, billing, benefit management, utilization review, management, consulting, etc.).
Under the Final Rule, patient safety activities are also a Business Associate activity.
A Covered Entity can be a Business Associate of another Covered Entity.
Broader Definition Adds...
Health data transmission organizations, including Health Information Organizations, E-Prescribing Gateways, and others that require access on a routine basis to PHI. Except if a mere conduit (i.e., an ISP).
Personal Health Record vendors who manage the health records for Covered Entities.
Subcontractors (and their downstream subcontractors) who perform Business Associate functions or services. A Subcontractor would be defined as a Business Associate even if the Business Associate has failed to enter into a Business Associate contract with the Subcontractor.
But Explicitly Excludes
Health care providers, if disclosures are for treatment purposes.
Government agencies that determine eligibility or enrollment in a government health plan that provides public benefits and is administered by another agency.
Covered Entities participating in an Organized Health Care Arrangement that provide a Business Associate function or service for the Organized Health Care Arrangement.
Enforcement Changes
Currently, a Covered Entity is not liable for the acts of its Business Associates who meet the federal common law definition of an agent if a HIPAA-compliant Business Associate agreement is in place and the Covered Entity did not know of a pattern or practice of violations and fail to act.
The Final Rule eliminates this exception, essentially making a Covered Entity or Business Associate strictly/vicariously liable for violations by its agent.
The most important criterion is the right to exercise control over the Business Associate.
In drafting a BAA, consider the tradeoff between the need to control the Business Associate and the liability associated with such control.
Business Associate Agreements
Covered Entities must amend Business Associate Agreements to address new obligations:
Compliance with the HIPAA Security Rule.
Contracts with downstream Subcontractors must include agreement to comply with HIPAA regulations with respect to PHI.
Breach reporting to the Covered Entity.
Compliance with the Privacy Rule for certain activities.
The agreement should contemplate:
Costs and liabilities associated with Subcontractors' security breaches or other violations of contract terms related to information security.
Breach reporting procedures.
Transition Provisions for BAAs
Allow Covered Entities and Business Associates to continue to operate under certain existing contracts until September 22, 2014.
The transition period applies if, prior to January 25, 2013, the Covered Entity or Business Associate had an existing contract or other written arrangement with a Business Associate or Subcontractor that:
Complied with the prior provisions of the HIPAA Rules, and
Was not renewed or modified between March 26, 2013 and September 23, 2013.
New agreements executed on or after January 25, 2013 must be updated by September 23, 2013.
Changes to Breach Reporting Rule
Existing rule: Report required for a Breach of Unsecured PHI which creates a substantial risk of financial, reputational or other harm to an individual (the so-called "harm standard").
New rule: Report required unless the Covered Entity or Business Associate can demonstrate a low probability that the information was compromised.
The burden of proof is on the Covered Entity and Business Associate.
New Presumption of Breach
Presumption that an impermissible acquisition, access, use, or disclosure is a breach unless the entity can demonstrate there is a low probability that the privacy or security of the PHI has been compromised, based on a four-factor risk assessment.
The risk assessment must be thorough, completed in good faith, and have reasonable conclusions.
New Four-Factor Risk Analysis
Mandatory evaluation of four factors:
The nature and extent of the PHI involved.
The individual who impermissibly used the PHI or to whom the impermissible disclosure was made.
Whether the PHI was actually acquired or viewed, or if only the opportunity existed for the information to be acquired or viewed.
The extent to which the risk to the PHI has been mitigated.
Other factors may be considered in evaluation of overall probability.
Implications for Compliance
More objective standard? HHS views the risk assessment as more objective, but there remains considerable uncertainty about how to weight factors in the analysis.
Likely to lead to an increased number of breach reports.
More documentation of breach investigation and analysis necessary.
Revision of breach notification policies required.
Marketing
The Final Omnibus Rule restricts previously permissible subsidized communications about the products or services of a third party without patient authorization.
Marketing Defined
The Privacy Rule requires a Covered Entity to obtain an individual's authorization in order to use or disclose PHI for marketing purposes.
Marketing is defined as a communication about a product or service that encourages recipients of the communication to purchase or use the product or service, subject to certain exceptions:
Face-to-face communications (verbally or by handing out written materials, such as pamphlets).
Gifts of nominal value.
Exceptions to Marketing Definition
Marketing does not include the following treatment and health care operations communications:
Treatment of an individual by a health care provider.
To describe a health-related product or service provided by, or included in a plan of benefits of, the Covered Entity making the communication.
For case management or care coordination, or to direct or recommend alternative therapies, treatments, providers, settings or care.
Significant Change under Final Rule
Under the Omnibus Final Rule, treatment and health care operations communications are treated as marketing communications for which an authorization is required if a Covered Entity receives financial remuneration in exchange for making the communication from a third party whose products or services are being marketed.
Revised Framework for Marketing
Definition of "financial remuneration": direct or indirect payment from or on behalf of a third party whose product or service is being described.
Does not include payment for treatment.
Does not include in-kind benefits.
The authorization must state that financial remuneration is involved.
The scope of the authorization is not limited to a single product or service.
Revised Marketing Exceptions
Exception for communications to provide refill reminders or otherwise communicate about a drug or biologic being prescribed for an individual, provided that any financial remuneration received is reasonably related to the costs of making the communication (labor, supplies, & postage).
The exception includes:
Communications about a generic equivalent of a drug being prescribed to an individual.
Adherence communications.
Prescriptions for self-administered drugs or biologics.
Sale of PHI
The Final Omnibus Rule prohibits a Covered Entity or Business Associate from receiving direct or indirect remuneration for the disclosure of PHI without an individual's authorization.
Includes in-kind benefits.
Exceptions are listed in the Omnibus Rule.
The authorization must state that the disclosure will result in remuneration to the Covered Entity.
Compliance
Physicians should:
Review their contracts and other arrangements with third parties to ensure compliance with the new requirements.
Revise authorizations for marketing purposes.
Ralph Oyaga, HITEC LA / L.A. Care Health Plan, (888) 528-2256, Hitec la@lacare.org
Leeann Habte, Foley & Lardner LLP, Los Angeles, California, (213) 972-4679, lhabte@foley.com
Andrew Kan, Fusion Systems / All Medical Solutions, AndrewKan@AllMedicalSolutions.com, (310) 602-5140