Exempla/PHP/PPP Concepts - Colorado Bar Association

Final HIPAA Omnibus Rule
Highlights
Presented to the Colorado Bar Association,
Health Law Section
February 20, 2013
Emily Wey, Shareholder
Polsinelli Shughart PC
In California, Polsinelli Shughart LLP
Polsinelli Shughart provides this material for informational purposes only. The
material provided herein is general and is not intended to be legal advice.
Nothing herein should be relied upon or used without consulting a lawyer to
consider your specific circumstances, possible changes to applicable laws,
rules and regulations and other legal issues. Receipt of this material does not
establish an attorney-client relationship.
Polsinelli Shughart is very proud of the results we obtain for our clients, but
you should know that past results do not guarantee future results; that every
case is different and must be judged on its own merits; and that the choice of
a lawyer is an important decision and should not be based solely upon
advertisements.
© 2013 Polsinelli Shughart PC. In California, Polsinelli Shughart LLP.
Polsinelli Shughart is a registered mark of Polsinelli Shughart PC
Important Final Omnibus Rule Dates
• Publication Date: January 25, 2013
– www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf
• Effective Date: March 26, 2013
• Compliance Date: September 23, 2013
• Business Associate Agreement Compliance
Date: September 22, 2014
– For “grandfathered” BAAs
FINAL OMNIBUS RULE TOP 6
• Many more entities are Business Associates
• Business Associates are now directly subject to HIPAA in many regards
• Breach notification standard is greatly changed
• Marketing rules are updated
• Individual rights are expanded, particularly with respect to ePHI and genetic information
• Monetary penalties are tiered
POLICY RATIONALES
• 1996 Act and its regulations have been
vastly outpaced by technology (ePHI
transmission, genetic information)
• One level of accountability (only Covered
Entities) is not enough enforcement
authority
– legal/regulatory liability and contractual liability
have all shifted downstream one level (i.e.,
Business Associates are now like Covered
Entities, subcontractors are like Business
Associates)
BUSINESS ASSOCIATE CHANGES, Part 1
• Category of entities that will be considered
Business Associates has been expanded to
include:
– Entities that transmit and need routine access
to PHI (such as HIOs and E-Prescribing
Gateways)
– PHR/EHR vendors who serve Covered Entities
– Subcontractors who create, receive, maintain,
or transmit PHI for a Business Associate
BUSINESS ASSOCIATE CHANGES, Part 1
• Categories of entities that are not included in the new
Business Associate definition:
– Health care provider who receives PHI from another
provider for treatment
– Plan sponsors, with respect to disclosures by Group
Health Plans
– Government agencies (determining eligibility)
– OHCA participants
– “Conduits” – transmission services w/ temporary
storage of PHI
• Maintaining PHI (even without viewing) = BA
BUSINESS ASSOCIATE CHANGES, Part 2
• Business Associates are now directly liable,
and subject to OCR enforcement, for:
– Impermissible uses and disclosures of PHI and
ePHI
– Failure to comply with the Security Rule
• Business Associates must have in place the same
security measures as are required of Covered
Entities
– Failure to provide notification of breach to a
Covered Entity
BUSINESS ASSOCIATE CHANGES, Part 2
• Business Associates are now directly liable, and
subject to OCR enforcement, for:
– Failure to provide access to PHI/ePHI to an individual
– Failure to provide an accounting of disclosures (similar
to current requirement)
– Failure to enter into BAAs with downstream
subcontractors
– Failure to cooperate with HHS in any compliance
investigation
• Consider appointing Privacy Officer or person
responsible for HIPAA compliance
ACTION ITEMS FOR POTENTIAL BUSINESS
ASSOCIATES
• Decide whether you are a Business
Associate. If yes, then (by 9/23/13) …
• Comply with the HIPAA Security Rule
– Implement administrative, physical, and technical
safeguards that protect the confidentiality, integrity
and availability of ePHI
– Implement policies and procedures regarding
the same
• Implement HIPAA Privacy Policies
Business Associate Action Items, cont’d
• Implement Breach Notification Policies
• Develop a Business Associate
Agreement for downstream
subcontractors
• Be ready to provide access to
PHI/ePHI
• Comply with OCR/HHS Investigations
BREACH NOTIFICATION
• Old HIPAA Breach notification standard:
– the breach “poses a significant risk of financial,
reputational, or other harm to the individual”
• New HIPAA Breach notification standard:
– Any unauthorized use or disclosure of PHI/ePHI that
does not meet 1 of 3 exceptions is presumed to be a
“breach” for which notice must occur, UNLESS the
Covered Entity or Business Associate can
demonstrate, through a risk assessment, that there is
a “low probability that the PHI has been
compromised”
BREACH NOTIFICATION, cont’d
• EXCEPTIONS TO DEFINITION OF BREACH
(1) Unintentional acquisition, access or use of PHI by a
workforce member in the scope of duties – no
further access or disclosure
(2) Inadvertent disclosure from one authorized person
to another within a CE/BA – no further access or
disclosure
(3) Disclosure of PHI where CE/BA has good faith belief
that the recipient cannot retain the information
RISK ASSESSMENT STANDARD
• Factors that must be considered:
– Nature and extent of the PHI involved,
including types of identifiers and the likelihood
of re-identification
– The unauthorized person who used the
protected health information or to whom the
disclosure was made
– Whether the PHI was actually acquired or
viewed
– The extent to which the risk to the protected
health information has been mitigated
BREACH NOTIFICATION PRACTICALITIES
• Encryption and destruction are the only two methods to
secure PHI and make its disclosure exempt from
notification requirements
• CE/BA can decide to notify WITHOUT conducting a
risk assessment
• Notice to HHS (fewer than 500 records) has to occur
within 60 days of the end of the year in which the breach
was “discovered”, not the year in which it “occurred”
• Compliance required by September 23, 2013 – in the
interim, comply with old standard
• ACTION ITEMS:
– Revise policies and procedures, BAAs
– Train workforce
BREACH NOTIFICATION, cont’d
• MOST OTHER PRACTICALITIES OF BREACH
NOTIFICATION PROVISIONS UNCHANGED
– Notice to media is not changed (large number of
individuals)
– Details of notification do not change
– Reporting to HHS does not change, except for
the year in which the reporting obligation falls
MARKETING RULES STRENGTHENED
• Sale of PHI without authorization is prohibited
– Exceptions for sale of business, public health
• Marketing communications that are paid for by a
3rd party (other than the Covered Entity) require
authorization
– Limited exceptions for refill reminders
– Includes health-related product or service
communications
• Must provide individual with an easy way to stop
fundraising communications
MARKETING REQUIREMENT EXCEPTIONS
• No authorization needed for:
– Treatment or health care operations activities done
face-to-face, even if money exchanged
– Communications regarding health in general
– Communications about government-sponsored
programs
– Refill/drug communications, including
communications about generics and adherence
communications
ONE TAKEAWAY REGARDING CHANGES:
REMUNERATION = AUTHORIZATION REQUIRED
INDIVIDUAL RIGHTS
• Individuals have a right to receive an electronic copy of
their EHR/ePHI
– Can direct the copy to go to third person
• Individuals can restrict disclosures to health plans if paying
cash for treatment/services
– Doesn’t apply if check bounces
– Discuss bundled and follow-up services
– Patient must notify downstream providers
• Family members/persons involved in care have access to
records of deceased person
• Forwarding of immunization records to schools
• Genetic information is treated as PHI (GINA)
Individual Access to ePHI
• Clarifications for access to ePHI
– Providers not required to give direct access to their
systems
– ePHI linked data must also be provided
– Can provide hard copy and ePHI, if record is mixed
– Don’t have to use an individual’s flash drive, etc. to
provide the copies
– Unencrypted email acceptable if individual waives risk
of interception
– 30 days to provide records
– Charging costs is acceptable, but check state law
ACTION ITEMS: INDIVIDUAL RIGHTS
• Evaluate system ability to provide ePHI
• Revise Notice of Privacy Practices
– Right to receive electronic copy
– Marketing/sale of PHI/psychotherapy notes:
authorization required
– Right to receive notice following a breach
– PHI provided to family members after death
– Restrict disclosures to health plan if cash paid for
services (not applicable if check bounces)
– Opt-out for fundraising
– Health plans: no use of genetic information for
underwriting
• Revise Policies and Procedures
Genetic Information Nondiscrimination Act (GINA)
• Provisions prohibit use of genetic
information for underwriting
• Genetic information is:
– Information about genetic tests of an individual
or family member
– Manifestation of a disease or disorder in an
individual’s family members
– Does not include age/sex
– Genetic test includes DNA/RNA, but not
analysis of proteins or metabolites related to a
disease
TIERED CIVIL PENALTIES
VIOLATION CATEGORY                   | EACH VIOLATION    | PER YEAR
Did not know                         | $100-$50,000      | $1.5M
Reasonable cause                     | $1,000-$50,000    | $1.5M
Willful neglect, corrected in 30 days | $10,000-$50,000   | $1.5M
Willful neglect, not corrected       | $50,000           | $1.5M
PENALTY ASSESSMENT FACTORS
• HHS is not bound to impose the
maximum penalty, but will consider:
– Nature and extent of the violation
– Resulting harm (number of people, reputational
harm)
– Entity’s history of compliance or violations
– Financial condition of the entity
– Any other factors justice may require
• REMEMBER: intentional acts may be
subject to separate criminal prosecution
FINAL ACTION ITEM LIST
• CE: Revise Notice of Privacy Practices
• BA: Comply with Privacy & Security Rules
• CE/BA: Identify Business Associates
• CE/BA: Revise and enter into new/amended
Business Associate Agreements (2 different
deadlines)
• CE/BA: Review any “remuneration” relationships
involving PHI/ePHI
• CE/BA: Implement/revise HIPAA Policies and
Procedures
• CE/BA: Train Workforce
QUESTIONS?
Emily Wey
ewey@polsinelli.com, 303.583.8255