HITECH Act and HIPAA: Important Compliance Update
Susan E. Ziel
Gerald "Jud" DeLoss

Disclaimer
This content is provided for general information purposes and is not intended as legal advice. Competent legal counsel should be sought before taking any action in reliance on this content.

Legislative History
- Health Information Portability and Accountability Act of 1996
  - Privacy Regulations (2003)
  - Security Regulations (2005)
- American Recovery and Reinvestment Act of 2009 ("ARRA") (2/17/09)
  - Title XIII: Health Information Technology for Economic and Clinical Health Act ("HITECH")

HHS Regulations Under HITECH Act To Date
- 4/27/09: HHS Guidance: Techniques and Methods to Create Secure PHI
- 8/24/09: HHS IFR: Breach Notification Involving Unsecured PHI
- 8/30/09: HHS Moves HIPAA Security Responsibilities from CMS to OCR
- 10/30/09: HHS IFR: Amend HIPAA Civil Money Penalties and Enforcement

HITECH Act Amendments to HIPAA
- HIPAA and Business Associates
- Amended Civil and Criminal Penalties
- Breaches Involving Unsecured PHI
- "Minimum Necessary" Disclosures
- Patient Requests to Restrict Disclosures
- Accounting of Disclosures
- Marketing and Fundraising
- Patient Access to PHI in Electronic Format
- Prohibition on Sale of PHI
- HHS "Improved Enforcement"

HIPAA and Business Associates ("BA")
Current Law
- HIPAA requirements apply only to covered entities; a BA is not directly subject to HIPAA
- Covered Entities ("CE") are required to enter into BA agreements with each BA, an indirect way to impose requirements on the BA

New Law, Effective 2/17/10 (Section 13401)
- HIPAA Security Provisions apply to BA
- BA required to comply with the HIPAA Security Rule as if they were a CE:
  - 45 CFR § 164.308 (Administrative Safeguards)
  - 45 CFR § 164.310 (Physical Safeguards)
  - 45 CFR § 164.312 (Technical Safeguards)
  - 45 CFR § 164.316 (Policies and Procedures)

New Law (Section 13404)
- Certain HIPAA Privacy Provisions apply to BA
- BA required to use or disclose PHI only if such use or disclosure is in compliance with the privacy provisions of their BA agreements
- Other ARRA privacy/security requirements that apply to a CE "shall be incorporated" into BA agreements
- If a BA is aware of a CE's violation of HIPAA, the BA is obligated either to terminate the BA agreement with the CE or to report the CE to HHS
- BA subject to HIPAA enforcement and penalties as if a CE

Section 13408
- CE must also enter into a BAA with third parties that provide PHI transmission/exchange:
  - Health Information Exchange Organizations
  - Regional Health Information Organizations
  - E-Prescribing Gateways
  - Other

Amended Civil and Criminal Penalties
Current Law
- Only a CE is directly liable for criminal violations

New Law, Effective 2/17/10 (Section 13409)
- Clarifies that a CE, as well as employees, BA, and other actors that obtain/disclose PHI maintained by a CE without authorization, will be subject to potential criminal penalties

Civil and Criminal Penalties: "Improved Enforcement"
Current Law
- Civil Money Penalties ("CMP"s) limited to $100 per HIPAA violation, with a maximum of $25,000 for all violations of an identical nature in a single year

New Law, Effective 2/17/09 (Section 13410(d))
- CMPs are now tiered and increase for different levels of HIPAA violations
- Fines range from $100 to a maximum of $1.5 million cap for all violations per year
- OCR maintains discretion to use corrective action without penalty where the person did not know of the violation

HHS IFR: Civil Penalties
- New Definitions:
  - Reasonable Cause
  - Reasonable Diligence
  - Willful Neglect
- New CMP amounts depend on whether violations occurred pre or post 2/18/09, and on the tier:
  - No Knowledge
  - Reasonable Cause
  - Willful Neglect

Security Breach Notification
Current Law
- CE are only required under HIPAA to account for wrongful disclosure
- However, the Security Rule imposes a duty to mitigate
- Remember: IN Security Breach Laws

New Law/Regulations, Effective 9/17/09, Now Delayed Until 2/22/10 (Section 13402)
- CE required to notify individuals whose "unsecured" PHI has been, or is reasonably believed to have been, accessed, acquired, or disclosed as a result of a breach
- BA required to notify the CE of a breach

"Breach"
- Unauthorized acquisition, access, use, or disclosure of PHI which compromises the security/privacy of such information, except when an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information
- Exceptions:
  - Unintentional acquisition, access, or use of PHI by an employee or individual acting under the authority of a CE or BA in good faith and within the scope of employment or other relationship; or
  - Inadvertent disclosure involving employees or individuals acting under the authority of a CE or BA; or
  - Inadvertent disclosure to a third party not reasonably able to retain the information; or
  - Risk assessment reveals evidence of "low risk" of harm

Unsecured PHI
- HHS Guidance (4/17/09): "Unsecured" PHI is PHI not secured through the use of a technology or methodology specified by HHS that makes the PHI unusable, unreadable, or indecipherable to unauthorized individuals
- HHS Guidance re: technologies and methodologies to render PHI unusable, unreadable, or indecipherable: not required, but if used, they provide a "safe harbor" under which breach reporting is not required
- Two mechanisms:
  - Electronic PHI has been encrypted as specified in the HIPAA Security Rule and NIST Guidelines; or
  - Media on which PHI is stored or recorded has been destroyed:
    - Paper, film, or other hard copy media have been shredded or destroyed such that PHI cannot be read or otherwise reconstructed
    - Electronic media have been cleared, purged, or destroyed consistent with NIST Special Publication 800-88, Guidelines for Media Sanitization, such that PHI cannot be retrieved

Notification Requirements
- Notification required to be made "without unreasonable delay" but no later than 60 calendar days after discovery of the breach
- Notice must be:
  - In writing to the individual by mail (or e-mail)
  - Sent to the last known address of the individual
  - If information is insufficient/out-of-date, the CE must give notice in substitute form (e.g. web site/media)
- If the breach involves PHI of more than 500 individuals in a state, the CE must give notice of the breach to prominent media outlets
- CE must also notify HHS of any breach:
  - If more than 500 individuals are affected, HHS must be notified immediately
  - If fewer than 500 individuals are affected, the CE must notify HHS annually (March 1)
- All notices must include, if possible:
  - A brief description of what happened, including the dates of the breach and of discovery
  - A description of the types of unsecured PHI that were involved in the breach
  - Steps individuals should take to protect themselves from potential harm resulting from the breach
  - A brief description of what the CE involved is doing to investigate the breach, to mitigate losses, and to protect against further breaches
  - Contact procedures, including a toll-free telephone number, e-mail address, web site, or postal address

Patient Requests to Restrict Disclosures
Current Law
- An individual has the right to request that a CE restrict certain uses/disclosures of PHI pertaining to that individual
- CE not obligated to comply with the request

New Law (Section 13405(a))
- CE required to agree to the requested restriction if the disclosure is to a health plan for payment purposes AND the PHI relates to an item/service that the CE has been paid for out of pocket in full

"Minimum Necessary" Disclosures
Current Law
- CE required (except for treatment) to provide only the "minimum necessary" amount of PHI to accomplish the purpose of the use/disclosure

New Law (Section 13405(b))
- Until further guidance is issued, a CE is required, to the "extent practicable," to limit disclosures of PHI to the "limited data set," or if more information is needed, the "minimum necessary" to accomplish the intended purposes of such use, disclosure, or request
- Limited Data Set: PHI that excludes direct identifiers, such as names, addresses, and SS#s
- Does not apply to treatment disclosures
- HHS required to issue guidance on the minimum necessary standard within 18 months of ARRA (8/2010)

Accounting of Disclosures
Current Law
- An individual has the right to receive an accounting of disclosures of PHI for certain purposes made by a covered entity in the preceding 6 years
- Excludes treatment, payment, and health care operations

New Law (Section 13405(c))
- CE that use electronic health records ("EHR") must account for ALL PHI disclosures, including all TPO disclosures, that were made through the use of an EHR
- Grace period for compliance:
  - For CE having an EHR as of 1/1/09, the new rules apply to disclosures of PHI on or after 1/1/2014
  - For CE that acquire an EHR after 1/1/09, the new rules apply to disclosures made on or after the later of 1/1/2011 or the date that the CE acquired the EHR
  - HHS can postpone compliance dates
- Under the new law, the required reporting period is reduced from 6 years to 3 years
- HHS to issue regulations re: what information must be maintained about each PHI disclosure
- In response to a request from an individual, a CE shall provide an accounting of disclosures of PHI:
  - Made by the CE and all applicable BA; OR
  - Made only by the CE, and provide a list and contact information for all relevant BA

Marketing
Current Law
- CE must obtain the patient's authorization for any PHI use or disclosure for marketing purposes. Certain exceptions apply.

New Law (Section 13406(a)), with New Regulations Due 2/17/10
- Confirms that any communication that encourages the recipient to use a product or service is not considered a health care operation (and is therefore marketing) unless it is made:
  - To describe a health-related product/service provided by or included in the plan of benefits of the CE making the communication;
  - For treatment of that individual; OR
  - For case management, care coordination, or to recommend alternative treatments, therapies, providers, or settings of care
- The above 3 exceptions will not be considered health care operations unless:
  - Payment is for a communication re: a drug currently prescribed for the recipient of the communication and the payment is reasonable in amount;
  - The communication is made by the CE and the CE obtains a valid HIPAA authorization; OR
  - The communication is made by a BA of a CE, and such communication is consistent with the BA Agreement

Fundraising (Section 13406(b))
- All written fundraising communications shall provide the recipient with an opportunity to opt out of any future fundraising communications
- If a person opts out, such election is to be treated as a revocation of authorization under HIPAA
- Applies to communications occurring on or after February 17, 2010

Patient Access to PHI in Electronic Format
Current Law
- Patients have a right to obtain a copy of their PHI maintained in a designated record set

New Law (Section 13405(e))
- Patients have a right to obtain a copy of their PHI in electronic format if the CE uses an EMR, so long as the request is clear and specific
- Fee limitations apply

Prohibition on Sale of PHI
New Law (Section 13405(d))
- CE and BA are prohibited from receiving remuneration in exchange for PHI unless the patient has signed an authorization specifying approval
- Several exceptions, including public health activities, due diligence in conjunction with a sale/merger of a CE, etc.
- Subject to additional regulations

HHS "Improved Enforcement"
New Law (Section 13411)
- Secretary of HHS required to perform periodic audits to ensure that CE and BA are in compliance with HIPAA and the new ARRA requirements
- HHS required to submit the number of audits performed and a summary of findings to Congress on an annual basis by 2/17/10

New Law (Section 13410(a))
- HHS must investigate any complaint that may have resulted from "willful neglect," effective 2/17/11
- If a violation is found, HHS is required to impose CMPs

New Law (Section 13410(c))
- CMPs/monetary settlements collected shall be transferred to the OCR to be used for HIPAA enforcement purposes
- HHS shall establish regulations (by 2/17/12) that specify the methodology under which an individual who has been harmed by a HIPAA violation may receive a percentage of any monetary amount collected

New Law, Effective 2/17/09 (Section 13410(e))
- State Attorneys General may bring civil actions to enjoin privacy/security violations or obtain damages on behalf of state residents
- Damages limited to $100 per violation, with a cap of $25,000 for identical violations in a year
- Costs and attorney fees can be awarded to the State

HIPAA Action Plan
Covered Entity Compliance
- Update Policies
- Update Privacy Notice
- Communicate With BAs Regarding New Obligations
- BAA Amendments

Business Associate Compliance
- Security Risk Assessment
- Establish Policies
- Communicate with Subcontractors Regarding New Obligations
- BAA (Subcontractor) Amendments

Questions?
Susan Ziel, RN JD
(317) 238-6244
sziel@kdlegal.com

Gerald "Jud" DeLoss
(312) 423-9307
gdeloss@kdlegal.com