HIPAA Privacy of Health Information
Claudia Allen, Esq.
General Counsel, HealthBridge

Federal Privacy Legislation (1)
a. State laws requiring the privacy and confidentiality of health information have existed for many years.
b. The federal law, HIPAA, was enacted in 1996, but the regulations containing the Privacy and Security Rules were not in place until 2003.
c. HIPAA creates a minimum threshold of confidentiality; it does not pre-empt state law where the state law requires a higher standard.

Federal Privacy Legislation (2)
d. "Covered Entities" (CEs) are subject to the rules protecting the privacy and confidentiality of "Protected Health Information" (PHI).
   i. Covered Entities:
      1. Providers of health care services that transmit health information electronically in connection with standard transactions (e.g., labs, physicians, dentists, chiropractors, psychologists)
      2. Health plans
      3. Health care clearinghouses

Federal Privacy Legislation (3)
   ii. PHI is health-related information that is
      1. Identifiable to an individual (contains name, address, phone number, SSN, medical record number, date of birth, etc.)
      2. Transmitted or maintained in electronic or any other medium

I. HIPAA Privacy Rule (1)
A. HIPAA sets standards for the security, use and disclosure of PHI, and permits use or disclosure of PHI without the patient's written authorization for the following purposes:
   i. Treatment
   ii. Payment
   iii. Health care operations (together, "TPO")
   iv. Research, using a limited data set under a data use agreement, or with an IRB/privacy board waiver of authorization
   v. Public health
   vi. As otherwise required by law

I. HIPAA Privacy Rule (2)
B. HIPAA rules for Business Associates (BAs) of CEs (e.g., HealthBridge, the Collaborative, EMR vendors)
   i. A Covered Entity may disclose PHI to a BA for a specific permitted purpose.
   ii. The CE is required to enter into a Business Associate Agreement (BAA) with each BA to protect the privacy and security of the PHI.
   iii. Originally, a breach of the BAA exposed only the CE to liability; the BA itself was not directly regulated.
   iv. The CE would recover its costs from the BA in a breach-of-contract lawsuit.

II. 2009: ARRA and HITECH Extended the Privacy and Security Rules to Business Associates
a. Business Associates became directly subject to the privacy/confidentiality requirements and to the Security Rule's safeguard requirements, and can be held directly liable for violations.
b. A BA can be held liable for privacy noncompliance by a subcontractor that is acting as the BA's "agent."
c. BAAs are now also required with entities that provide data to, or exchange data for, a CE, such as Health Information Exchanges.

III. 2013: Omnibus Final Regulations (1)
A. Definition of "Business Associate" expanded
   i. Entities that create, receive, maintain or transmit PHI to perform functions or activities on behalf of a CE
   ii. Health Information Organizations, e-prescribing gateways, and entities that maintain personal health records on behalf of a CE
   iii. Subcontractors that create, receive, maintain or transmit PHI on behalf of a BA
      • Subcontractors are now subject to the same obligations as BAs; a BAA is required between the BA and each subcontractor, so the chain of agreements runs from the CE down to every tier
      • Subcontractors must have HIPAA-compliant security policies and procedures

III. Omnibus Final Regulations (2)
B. New breach standard: when an unauthorized acquisition, access, use or disclosure of Unsecured PHI (PHI that has not been encrypted or destroyed in accordance with HHS guidance) is discovered, it is presumed to be a breach requiring notice UNLESS the CE or BA demonstrates, through a documented risk assessment, that "there is a low probability that the PHI has been compromised."

III. Omnibus Final Regulations (3)
   i. The Final Rule does not define "compromised," but it specifies four factors the risk assessment must consider:
      • The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification
      • The unauthorized person who used the PHI or to whom it was disclosed
      • Whether the PHI was actually acquired or viewed
      • The extent to which the risk to the PHI has been mitigated

III. Omnibus Final Regulations (4)
C. Notification requirements upon determination of a breach:
   i. CEs must notify each individual whose Unsecured PHI (UPHI) has been breached.
   ii. A BA must notify the CE (the CE may delegate individual notification to the BA in the BAA).
   iii. Time period: without unreasonable delay and in no case later than 60 calendar days after discovery (the first day on which the breach is known, or by exercising reasonable diligence would have been known, to the CE or BA).

III. Omnibus Final Regulations (5)
   1. The burden of proof is on the CE or BA that discovered the incident to show that all required notices were given, or that the incident did not constitute a breach.
   2. Written notice by first-class mail (or e-mail if the individual has agreed), with telephone or other means in addition where there is possible imminent misuse.
   3. Substitute notice (conspicuous posting on the CE's web site home page for 90 days, or notice in major print or broadcast media) where contact information is insufficient or out of date for 10 or more individuals.
   4. Notice to prominent media outlets if more than 500 residents of a state or jurisdiction are affected.
   5. Notice to the Secretary of HHS, at the same time as individual notice, if 500 or more individuals are affected.
   6. Breaches affecting fewer than 500 individuals must be logged and reported to the Secretary annually (within 60 days after the end of the calendar year).

III. Omnibus Final Regulations (6)
D. The notice must contain:
   1. A description of what happened, including the date of the breach and the date of discovery
   2. A description of the types of PHI involved
   3. Steps individuals should take to protect themselves from potential harm
   4. What the CE is doing to investigate, mitigate losses, and protect against further breaches
   5. Contact procedures for questions (e.g., toll-free number, e-mail address, web site or postal address)

IV. Patient Rights re Disclosures
a. An individual may restrict disclosure of PHI to a health plan for payment or health care operations if the individual has paid out of pocket in full for the service, and the provider must honor the restriction.
b. HITECH provides that a patient may request an accounting of 3 years' disclosures of his/her ePHI made through an electronic health record to any third party, including disclosures for TPO (i.e., to the billing company, to the insurance company, to another provider for a consult). HHS proposed implementing regulations in 2011; they were not part of the Omnibus Final Rule.

V. HHS Audit Initiative
• OCR's pilot audit of 115 CEs uncovered violations
   – All but 13 audited entities had at least one finding
   – About 60% of the findings were Security Rule related
      • Most commonly missing: risk assessments and documentation of security decisions
   – Privacy findings included having no notice of privacy practices
      • Notices must be revised to include the new breach notification and disclosure-restriction rights
      • Policies and procedures (such as patient access to disclosure information, breach risk assessment and notification, and restriction where the patient has paid in full) must be formulated and written down
      • Employee training was missing, so staff were not informed of the rules and procedures

VI. Practical Steps to Avoid Liability: Show How You Secure PHI (1)
a. Appoint a Privacy Officer (and, as the Security Rule requires, a Security Officer) to establish policies, field questions and monitor compliance.
b. Review company policies and procedures with your staff to ensure compliance with the ARRA/HITECH privacy and security requirements; update them as needed.
c. Make sure you have signed BAAs with every vendor or organization that creates, receives, maintains or transmits PHI on your behalf (e.g., billing company, EMR vendor, Health Information Exchange). Note that disclosures to another provider for treatment, or to a health plan for payment, are CE-to-CE disclosures and do not require a BAA.
d. Conduct a general risk assessment to determine whether your procedures are actually protecting PHI, and document the review and the decisions made; the audit findings show that an undocumented assessment counts as no assessment.

VI. Practical Steps (2)
e. Take steps to see that:
   i. Doors are locked except for business entrances and exits during business hours
   ii. Employee access is restricted and logged during nonbusiness hours
   iii. Visitors are not in a position to see or access data
   iv. Employees understand the importance of not disclosing patient information outside of work, and at work only as necessary for their role
   v. All remote access to data is limited and inventoried
   vi. All portable electronics (laptops, phones, removable media) are encrypted to the HHS standard, so that a lost or stolen device holds no Unsecured PHI and does not trigger breach notification

VI. Practical Steps (3)
   vii. Keys and pass codes are inventoried and changed regularly
   viii. Workstations are secured and screens are not in view of the public
   ix. Procedures are in place to end data access for terminated employees promptly, on the day of separation
   x. Procedures are in place for reporting suspicious activity
   xi. Hiring practices help minimize risk (i.e., checking references and backgrounds)
   xii. Regular training on privacy and security requirements is conducted
   xiii. Decisive action is taken if a breach is suspected: the procedures are followed, the four-factor risk assessment is performed, and every action is documented

HIPAA Privacy
QUESTIONS?