Final HIPAA Omnibus Rule Highlights
Presented to the Colorado Bar Association, Health Law Section
February 20, 2013
Emily Wey, Shareholder, Polsinelli Shughart PC
In California, Polsinelli Shughart LLP

Polsinelli Shughart provides this material for informational purposes only. The material provided herein is general and is not intended to be legal advice. Nothing herein should be relied upon or used without consulting a lawyer to consider your specific circumstances, possible changes to applicable laws, rules and regulations and other legal issues. Receipt of this material does not establish an attorney-client relationship. Polsinelli Shughart is very proud of the results we obtain for our clients, but you should know that past results do not guarantee future results; that every case is different and must be judged on its own merits; and that the choice of a lawyer is an important decision and should not be based solely upon advertisements.

© 2013 Polsinelli Shughart PC. In California, Polsinelli Shughart LLP. Polsinelli Shughart is a registered mark of Polsinelli Shughart PC.

Important Final Omnibus Rule Dates
• Publication Date: January 25, 2013
  – www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf
• Effective Date: March 26, 2013
• Compliance Date: September 23, 2013
• Business Associate Agreement Compliance Date: September 22, 2014
  – For “grandfathered” BAAs

FINAL OMNIBUS RULE TOP 6
• Many more entities are Business Associates
• Business Associates are now directly subject to HIPAA in many regards
• Breach notification standard is greatly changed
• Marketing rules are updated
• Individual rights are expanded, particularly with respect to ePHI and genetic information
• Monetary penalties are tiered

POLICY RATIONALES
• 1996 Act and its regulations have been vastly outpaced by technology (ePHI transmission, genetic information)
• One level of accountability (only Covered Entities) is not enough enforcement authority
  – Legal/regulatory liability and contractual liability have all shifted downstream one level (i.e., Business Associates are now like Covered Entities, subcontractors are like Business Associates)

BUSINESS ASSOCIATE CHANGES, Part 1
• The category of entities that will be considered Business Associates has been expanded to include:
  – Entities that transmit and need routine access to PHI (such as HIOs and E-Prescribing Gateways)
  – PHR/EHR vendors who serve Covered Entities
  – Subcontractors who create, receive, maintain, or transmit PHI for a Business Associate
• Entities that are not included in the new Business Associate definition:
  – Health care provider who receives PHI from another provider for treatment
  – Plan sponsors, with respect to disclosures by Group Health Plans
  – Government agencies (determining eligibility)
  – OHCA participants
  – “Conduits” – transmission services w/ temporary storage of PHI
• Maintaining PHI (even without viewing) = BA

BUSINESS ASSOCIATE CHANGES, Part 2
• Business Associates are now directly liable, and subject to OCR enforcement, for:
  – Impermissible uses and disclosures of PHI and ePHI
  – Failure to comply with the Security Rule
    • Business Associates must have in place the same security measures as are required of Covered Entities
  – Failure to provide notification of breach to a Covered Entity
  – Failure to provide access to PHI/ePHI to an individual
  – Failure to provide an accounting of disclosures (similar to current requirement)
  – Failure to enter into BAAs with downstream subcontractors
  – Failure to cooperate with HHS in any compliance investigation
• Consider appointing a Privacy Officer or person responsible for HIPAA compliance

ACTION ITEMS FOR POTENTIAL BUSINESS ASSOCIATES
• Decide whether you are a Business Associate. If yes, then (by 9/23/13) …
• Comply with the HIPAA Security Rule
  – Implement administrative, physical, and technical safeguards that protect the confidentiality, integrity and availability of ePHI
  – Implement policies and procedures regarding the same
• Implement HIPAA Privacy Policies

Business Associate Action Items, cont’d
• Implement Breach Notification Policies
• Develop a Business Associate Agreement for downstream subcontractors
• Be ready to provide access to PHI/ePHI
• Comply with OCR/HHS Investigations

BREACH NOTIFICATION
• Old HIPAA Breach notification standard:
  – The breach “poses a significant risk of financial, reputational, or other harm to the individual”
• New HIPAA Breach notification standard:
  – Any unauthorized use or disclosure of PHI/ePHI that does not meet 1 of 3 exceptions is presumed to be a “breach” for which notice must occur, UNLESS the Covered Entity or Business Associate can demonstrate, through a risk assessment, that there is a “low probability that the PHI has been compromised”

BREACH NOTIFICATION, cont’d
• EXCEPTIONS TO DEFINITION OF BREACH
  (1) Unintentional acquisition, access or use of PHI by a workforce member in the scope of duties – no further access or disclosure
  (2) Inadvertent disclosure from one authorized person to another within a CE/BA – no further access or disclosure
  (3) Disclosure of PHI where the CE/BA has a good faith belief that the recipient cannot retain the information

RISK ASSESSMENT STANDARD
• Factors that must be considered:
  – Nature and extent of the PHI involved, including types of identifiers and the likelihood of re-identification
  – The unauthorized person who used the protected health information or to whom the disclosure was made
  – Whether the PHI was actually acquired or viewed
  – The extent to which the risk to the protected health information has been mitigated

BREACH NOTIFICATION PRACTICALITIES
• Encryption and destruction are the only two methods to secure PHI and make its disclosure exempt from notification requirements
• CE/BA can decide to notify WITHOUT conducting a risk assessment
• Notice to HHS (less than 500 records) has to occur within 60 days of the end of the year in which the breach was “discovered”, not “occurred”
• Compliance required by September 23, 2013 – in the interim, comply with the old standard
• ACTION ITEMS:
  – Revise policies and procedures, BAAs
  – Train workforce

BREACH NOTIFICATION, cont’d
• MOST OTHER PRACTICALITIES OF BREACH NOTIFICATION PROVISIONS UNCHANGED
  – Notice to media is not changed (large number of individuals)
  – Details of notification do not change
  – Reporting to HHS does not change, except for the year in which the reporting obligation falls

MARKETING RULES STRENGTHENED
• Sale of PHI without authorization is prohibited
  – Exceptions for sale of business, public health
• Marketing communications that are paid for by a 3rd party (other than the Covered Entity) require authorization
  – Limited exceptions for refill reminders
  – Includes health-related product or service communications
• Must provide the individual with an easy way to stop fundraising communications

MARKETING REQUIREMENT EXCEPTIONS
• No authorization needed for:
  – Treatment or health care operations activities done face-to-face, even if money is exchanged
  – Communications regarding health in general
  – Communications about government-sponsored programs
  – Refill/drug communications, including communications about generics and adherence communications
ONE TAKEAWAY REGARDING CHANGES: REMUNERATION = AUTHORIZATION REQUIRED

INDIVIDUAL RIGHTS
• Individuals have a right to receive an electronic copy of their EHR/ePHI
  – Can direct the copy to go to a third person
• Individuals can restrict disclosures to health plans if paying cash for treatment/services
  – Doesn’t apply if the check bounces
  – Discuss bundled and follow-up services
  – Patient must notify downstream providers
• Family members/persons involved in care have access to records of a deceased person
• Forwarding of immunization records to schools
• Genetic information is treated as PHI (GINA)

Individual Access to ePHI
• Clarifications for access to ePHI
  – Providers not required to give direct access to their systems
  – ePHI linked data must also be provided
  – Can provide hard copy and ePHI, if the record is mixed
  – Don’t have to use an individual’s flash drive, etc. to provide the copies
  – Unencrypted email acceptable if the individual waives the risk of interception
  – 30 days to provide records
  – Charging of costs is acceptable: see state law, though

ACTION ITEMS: INDIVIDUAL RIGHTS
• Evaluate system ability to provide ePHI
• Revise Notice of Privacy Practices
  – Right to receive electronic copy
  – Marketing/sale of PHI/psychotherapy notes: authorization required
  – Right to receive notice following a breach
  – PHI provided to family members after death
  – Restrict disclosures to health plan if cash paid for services (not applicable if check bounces)
  – Opt-out for fundraising
  – Health plans: no use of genetic information for underwriting
• Revise Policies and Procedures

Genetic Information Nondiscrimination Act (GINA)
• Provisions prohibit use of genetic information for underwriting
• Genetic information is:
  – Information about genetic tests of an individual or family member
  – Manifestation of a disease or disorder in an individual’s family members
  – Does not include age/sex
  – Genetic test includes DNA/RNA, but not analysis of proteins or metabolites related to a disease

TIERED CIVIL PENALTIES

VIOLATION CATEGORY                       EACH VIOLATION       PER YEAR
Did not know                             $100 - $50,000       $1.5M
Reasonable cause                         $1,000 - $50,000     $1.5M
Willful neglect, corrected in 30 days    $10,000 - $50,000    $1.5M
Willful neglect, not corrected           $50,000              $1.5M

PENALTY ASSESSMENT FACTORS
• HHS is not bound to impose the maximum penalty, but will consider:
  – Nature and extent of the violation
  – Resulting harm (number of people, reputational harm)
  – Entity’s history of compliance or violations
  – Financial condition of the entity
  – Any other factors justice may require
• REMEMBER: intentional acts may be subject to separate criminal prosecution

FINAL ACTION ITEM LIST
• CE: Revise Notice of Privacy Practices
• BA: Comply with Privacy & Security Rules
• CE/BA: Identify Business Associates
• CE/BA: Revise and enter into new/amended Business Associate Agreements (2 different deadlines)
• CE/BA: Review any “remuneration” relationships involving PHI/ePHI
• CE/BA: Implement/revise HIPAA Policies and Procedures
• CE/BA: Train Workforce

QUESTIONS?

Emily Wey
ewey@polsinelli.com, 303.583.8255