Changes to HIPAA Privacy and Security Requirements
Joel T. Kopperud, Scott A. Sinder, Rhonda M. Bolton
March 19, 2009

Overview
The American Recovery and Reinvestment Act ("ARRA") imposes stricter privacy and security obligations under HIPAA:
- Direct application to "business associates"
- Breach notification requirements for unsecured PHI
- Enhanced enforcement and penalties
- Other changes to facilitate wider use of electronic health records
- Additional restrictions on the sale and marketing of PHI

Overview – Refresher
- "Protected health information" (PHI): individually identifiable information, in any form, about health or condition, treatment, or payment, that is created or received by a provider, health plan (including an insurance issuer or agent), employer, or clearinghouse.
- "Covered entity": a health care provider, health insurance plan, or health care clearinghouse.
- "Business associate": an entity that receives or is exposed to PHI in the course of providing services to or on behalf of a covered entity.

Overview – Refresher
HIPAA Privacy Requirements for Covered Entities:
- Notice
- Opt-in
- Access
- Administrative
(Obligations of business associates are effectively the same)

HIPAA Security Safeguards for Electronic PHI for Covered Entities:
- Administrative (e.g., measures to prevent and detect security violations)
- Physical (e.g., limits on workstation and facility access)
- Technical (e.g., access control and audit)
(Obligations of business associates are effectively the same)

New Privacy & Security Obligations
- Obligations are now the same for "business associates" as for "covered entities" under the law
- No longer just a matter of a contractual obligation to the covered entity for whom the business associate works
- Means the enhanced enforcement and penalties under the statute will apply to business associates, in addition to any contractual penalties for failure to comply with privacy and security obligations
- BUT, the mechanics of day-to-day compliance should not change unless there is a need to adopt HHS-identified best practices

New Privacy & Security Obligations
Breach Notification Requirement – Applies only to "unsecured" PHI:
- "Unsecured" = not protected by the methods HHS will identify in guidance to be published April 18, 2009
- Goes into effect September 15, 2009
- Only exceptions: inadvertent internal access, or inadvertent disclosure by one authorized employee to a fellow employee at the same facility

New Privacy & Security Obligations
Breach Notification Requirement – Business Associates:
- Notify the covered entity of the breach
- Identify each individual whose information was, or reasonably may have been, disclosed in the breach

New Privacy & Security Obligations
Breach Notification Requirement – Covered Entities:
- Notify each individual whose information was, or reasonably may have been, disclosed in the breach
- Notify upon discovery of the breach

New Privacy & Security Obligations
Breach Notification Requirement – Covered Entities – Notice Specifics:
- Timing: as soon as possible, but no more than 60 days after the breach is discovered
- Content: a brief description of what happened, including the date of the breach, the date of discovery, the types of PHI disclosed, steps individuals should take to protect themselves, what is being done to investigate the breach, and contact information for further questions
- HHS & media notice: required if more than 500 individuals in an area are affected. If fewer than 500 are affected, the breach must be logged and the log sent to HHS annually; logs will be publicly posted by HHS
- Method: generally written notice via mail; substitute notice via publication is possible for those with outdated or no contact information

New Privacy & Security Obligations
Breach Notification Requirement – Personal Health Record ("PHR") Vendors:
- The same breach notification requirements apply; this includes entities offering products and services through a PHR vendor's website and those who access and receive information from a PHR
- PHR vendors are now subject to regulation by the Federal Trade Commission regarding HIPAA compliance

New Privacy & Security Obligations
Breach Notification Requirement – Forthcoming Rules:
- HHS will publish detailed rules on the notification process for covered entities and business associates
- FTC will publish detailed rules on the notification process for PHR vendors
- Both sets of rules are to be published by August 16, 2009

New Privacy & Security Obligations
Breach Notification Requirement – Safe Harbor:
- Adopt HHS-identified best practices

Enhanced Enforcement & Penalties
Broader Enforcement Mechanisms:
- State Attorneys General may initiate civil enforcement in federal court if HHS or DOJ do not prosecute
  -- Injunctions
  -- Fines up to $25,000 for all violations of an identical requirement or prohibition per calendar year
  -- Attorneys' fees and costs
- HHS OCR can investigate and fine for alleged criminal violations even if DOJ does not prosecute
- Individuals may now be criminally liable, not just covered entities
- HHS must conduct regular audits

Enhanced Enforcement & Penalties
Increased Penalties:
- Unknowing violation:
  -- $100-$50,000 per violation; maximum = $25,000-$1.5 million
- "Reasonable cause" but not "willful neglect":
  -- $1,000-$50,000 per violation; maximum = $100,000-$1.5 million; no fine if corrected within 30 days of discovery
- "Willful neglect":
  -- Corrected within 30 days: $10,000-$50,000 per violation; maximum = $250,000-$1.5 million
  -- Not corrected: at least $50,000 per violation; maximum at least $1.5 million

Changes Concerning Electronic PHI
- Existing right of access amended to include the right to access any electronic PHI
  -- OK to charge a reasonable, cost-based fee
- Existing right to an accounting of disclosures amended to include an accounting of electronic PHI disclosures
  -- Runs for 3 years, prospectively
  -- Obligation starts sooner (January 1, 2011) for those who have not yet adopted electronic capability
- Only disclose a "limited data set" unless an exception applies
- HHS will publish rules with more specifics

Other Noteworthy Changes
- Health care providers can be barred from disclosing PHI concerning items for which the individual paid out-of-pocket in full
- Be aware that insurers may not receive all information about health conditions/risks

Other Noteworthy Changes
- Unauthorized sale of PHI prohibited
  -- Exceptions for research and public health purposes; payments limited
- Marketing limitations (effective February 17, 2010):
  -- Marketing in the context of "health care operations" limited to communications regarding a health-care-related product or service
  -- No payments from third parties to do marketing unless merely describing a health care item or service previously prescribed or administered to the recipient
  -- All other marketing involving PHI requires the individual's authorization

Resources:
- HHS website on HIPAA: http://www.hhs.gov/ocr/privacy/index.html (general information)
- Contact CIAB: check www.ciab.com for more information, or contact Joel Kopperud (joel.kopperud@ciab.com) with questions

Please Note:
These slides are intended to provide only a general overview of selected issues related to the new HIPAA privacy and security requirements. They do not provide a complete analysis. The information provided is for general use only and is not intended to provide specific advice or recommendations, legal or otherwise, for any individual or organization. The information provided herein is not intended to be and should not be construed as a legal opinion or advice. You need to consult with your own attorney or other adviser relating to your specific circumstances or those of any organization that you advise. If you have any questions about these slides, feel free to contact Joel Kopperud with the CIAB at (202) 783-4400.