What You Don’t Know Can Cost You HIPAA in a HITECH World October 10, 2013 Alaina N. Crislip, Esq. 2 www.jacksonkelly.com Final HIPAA Omnibus Rule • What Happened? – Adopted modifications to the HIPAA Privacy, Security, and Enforcement Rules to implement statutory requirements from HITECH Act – Adopted changes to the Breach Notification Rules for Unsecured PHI – Modified HIPAA to conform to the Genetic Information Nondiscrimination Act (GINA) 3 www.jacksonkelly.com What’s Not in the Final Rule • Accounting of Disclosures • Methods for giving individuals harmed by HIPAA violations a percentage of any civil monetary penalties or settlements collected (HITECH Sec. 13409(c)(3)) • HITECH also mandated study of definition of “psychotherapy notes” 4 www.jacksonkelly.com Final Rule: Important Dates • Final Rule became effective on March 26, 2013 – Enforcement rules effective on that date – CEs and BAs must comply with the Final Rule by September 23, 2013 – Only exception is for a BAA that complied with the NPRM by January 25, 2013, and is not renewed or modified between March 26, 2013 and Sept. 23, 2013 • Compliance required by September 22, 2014 5 www.jacksonkelly.com Focus of Final Rule Discussion • Overview of changes to: – Breach Notification Rule – Business Associates • Subcontractor Relationships – Other key changes – Enforcement Rule 6 www.jacksonkelly.com 7 www.jacksonkelly.com Breach Notification • Refers to the concept that a patient has a right to know if his or her PHI has been “breached” in an improper manner • Federal breach notification standard established by HITECH Act • Breach notification laws exist at the state level – WVC § 46A-2A-101 8 www.jacksonkelly.com Breach Notification – NPRM • Definition of “Breach”: – Acquisition, access, use, or disclosure of unsecured PHI – In a manner not permitted by the Privacy Rule – That poses significant risk of financial, reputational, or other harm to patient 9 www.jacksonkelly.com Breach Notification – Final Rule • Final Rule changed the definition of “Breach” by deleting the “significant risk of harm” standard • Focus is now upon whether PHI has been “compromised” • New definition: – Acquisition, access, use, or disclosure of unsecure PHI – In a manner not permitted by the Privacy Rule – Compromises security or privacy of the PHI 10 www.jacksonkelly.com Breach Notification – Final Rule • Any compromise of PHI is presumed to be a “Breach” unless it is shown that there is a “low probability” that the PHI has been compromised • Based on risk assessment that considers at least the following factors: – The nature and extent of the PHI involved, including types of identifiers and likelihood of re-identification; – The unauthorized person to whom the disclosure was made; – Whether the PHI was actually acquired or viewed; and – The extent to which risk to the PHI has been mitigated 11 www.jacksonkelly.com Breach Notification-Final Rule • Probability of Compromise Risk Assessment – Covers impermissible “acquisition, access, use, or disclosure” of PHI – Limited data sets are required to have the risk assessment performed – Violations of minimum necessary must be evaluated using the risk assessment 12 www.jacksonkelly.com Breach Notification – Final Rule • The exceptions were retained in Final Rule – Unintentional access or use by workforce member of CE or BA if in good faith, within scope of authority, and not resulting in further use or disclosure – Inadvertent disclosure by a person with authorized access to PHI at a CE or BA to another workforce member with authorized access, and not resulting in further use or disclosure – Any disclosure of PHI where a CE or BA has good faith belief that unauthorized person to whom disclosure was made would not reasonably have been able to retain such information 13 www.jacksonkelly.com Breach Notification – Final Rule • Other aspects of breach notification remain unchanged – Contents of notification • • • • Description and time of incident Description of types of PHI Description of investigation and mitigation List of steps and contacts for patients to protect themselves – Notification within 60 days of discovery (without unreasonable delay) – Notification of prominent media outlets and HHS/OCR if 500 or more patients impacted – Annual notification of HHS/OCR if less than 500 patients impacted 14 www.jacksonkelly.com Breach Notification – Final Rule • Applies to both CEs and BAs • BA must notify its CE without unreasonable delay, and in no case later than 60 days after discovery • Content of notification – Identification of each patient whose unsecured PHI is reasonably believed to have been compromised – Other available information that CE may need to put in its notification to patient 15 www.jacksonkelly.com Business Associates What’s New Under the Final Rule? • Expanded Definition of Business Associate • Subcontractors of a BA are now defined as a BA; even if they do not have a business associate agreement • Direct Application – Security Rule – technical, administrative, and physical safeguard requirements – Privacy Rule – compliance with disclosure limitations in the rule and in contract • Direct liability for violations – Criminal and civil penalties for failure to comply with applicable provisions (impermissible uses and disclosures of PHI and failure to report breaches to covered entities) 16 www.jacksonkelly.com Business Associate Obligations The Final Rule specifies the Privacy Act obligations of a Business Associate, not addressed in detail in the HITECH Act. Business Associates are obligated to: • Limit uses and disclosures to what is permitted under the Privacy Rule, subject to what is allowed under the Business Associate Agreement. This specifically includes compliance with the minimum necessary standards; • Provide breach notification to the covered entity; • Provide a copy of electronic PHI to either the covered entity, the individual or to the individual’s personal representative, as specified in the business associate agreement; • Disclose PHI to the Secretary in an investigation of the Business Associate’s compliance with HIPAA; • Provide an accounting of disclosures; • Comply with the security rule. 17 www.jacksonkelly.com Business Associates-Expanded Definition • Entities that create, receive, maintain, or transmit PHI on a routine bases – Health Information Organizations – E-Prescribing Gateways – Data Transmission Services – Patient Safety Organizations • Personal Health Record vendors who serve CEs • Subcontractors who create, receive , maintain or transmit PHI for BA 18 www.jacksonkelly.com Vendors & Data Transmission Companies • Conduit Exception – Very Narrow – Fact-specific analysis will determined whether BA – Transmission Services – (digital or hard copy) including any temporary storage of transmitted data incident to such transmission • U.S. Postal Service • Internet Service Providers – Storage and Maintenance of PHI on behalf of a CE • Not a conduit, even if the entity does not actually view the PHI – Transient v. persistent nature of opportunity to view data – Random or infrequent access standard – More guidance expected on conduits 19 www.jacksonkelly.com Subcontractor Example • A shredding company is hired by a BA of a hospital for document shredding and secure disposal of PHI – Is a BA Subcontractor Agreement necessary? – Is the shredding company directly obligated to implement safeguards with respect to handling the PHI, as well as to limit its uses and disclosures of the PHI? 20 www.jacksonkelly.com Downstream Contractors • A hospital contracts with a billing company. The billing company contracts with a shredding company to dispose of its billing records. The shredding company contracts with a trucking company to bring the hospital’s paper billing records to its shredding facility. 21 www.jacksonkelly.com Downstream Contractors (cont.) • • Under the Final Rule, each of these entities would be directly responsible for compliance with the business associate requirements under the Security and Privacy Rules, even if the parties failed to enter into a written business associate agreement. The trucking company’s responsibility would likely be based on custody, even if it did not view the records, as discussed above. Under the Final Rule, the hospital would only be required to enter into a business associate agreement with the billing company. Each business associate or downstream subcontractor would be required to obtain written “satisfactory assurances” from its immediate subcontractor. In the event of a breach of the security of unsecure PHI, the chain of reporting would follow the chain of contracting in reverse: trucking company to shredding company; shredding company to billing company; billing company to hospital. 22 www.jacksonkelly.com Grandfathered Business Associates In recognition that it will take time to renegotiate existing business associate agreements, the Final Rule grandfathers certain business associate agreements for up to one year beyond the compliance date, up to September 23, 2014. • In order to qualify, the business associate agreement must have been in existence prior to the publication of the Final Rule (January 25, 2013), have complied with HIPAA prior to the publication date and not be renewed or modified during the grandfather period. • An automatic renewal, under a so-called evergreen clause, does not constitute a renewal or modification for purposes of the availability of the grandfather period. 23 www.jacksonkelly.com HIPAA Omnibus Rule— Other Key Changes • • • • • Strengthens limitations on use and disclosure of PHI for marketing and fundraising and prohibited sale without individual authorization Expands an individual’s right to receive electronic copies of health information and restricted disclosures to health plans concerning treatment for which the individual has paid the out of pocket amount in full Requires modifications to, and redistribution of, a CE’s notice of privacy practices Modifies the individual authorization and other requirements to facilitate research and disclosure of child immunization proof to schools, and to enable access to decedent information by family members or others Modifies the HIPAA Privacy Rule as required by GINA to prohibit most health plans from using or disclosing genetic information for underwriting purposes 24 www.jacksonkelly.com Access - Electronic • Must have reasonable safeguards in place to protect transmission of ePHI, but … • If an individual wants information by unencrypted e-mail, entity can send if they advise the individual that such transmission is risky. • Must have a secure mechanism – can’t force individuals to accept unsecure. • An electronic “machine readable copy” o Digital information stored in a standard format enabling the PHI to be processed and analyzed by a computer. • Covered entities must accommodate individual requests for specific formats, if possible. 25 www.jacksonkelly.com Access - Fees • Fees charged are restricted to labor costs – cannot include costs of retrieval, or portion of capital costs. • Charge can include supplies provided to individual upon request. 26 www.jacksonkelly.com Access - Third Parties • Individual may request a covered entity send PHI directly to another individual. • Request must be o be “in writing” and signed by the individual o clearly identify the designated person and where to send the copy of the PHI • Information must be protected and entity must implement reasonable policies and procedures to send it to the right place (e.g., type e-mail correctly). • “In writing” can be electronic. 27 www.jacksonkelly.com Fundraising • Previously, permitted a covered entity to use or disclose PHI to a business associate or related foundation for fundraising purposes without an individual’s authorization. • Permitted PHI included: o Demographic information related to an individual. o Dates of health care provided to an individual. • Demographic information include: name, address, other contact information, age, gender, and insurance status, not diagnostic information. • Had to include fundraising in Notice of Privacy Practices and tell individual how to opt out of future fundraising. 28 www.jacksonkelly.com Fundraising (cont.) • Now expands demographic information to include: o Treating physician o Outcome o Department (limited diagnostic information) 29 www.jacksonkelly.com Fundraising (cont.) • Flexibility to decide the method to allow for individuals to opt out and opt back into the use of PHI in fundraising activities. o For example, toll-free number, email address, other opt-out mechanism or a combination of methods • Leaves the decision as to the scope of the opt-out related to future fundraising communications to the covered entity. • Many covered entities found campaign-specific opt-outs difficult to track for compliance purposes. • HHS strengthened the standard related to further communications after individuals opt out from reasonable efforts to an outright prohibition. 30 www.jacksonkelly.com Notice of Privacy Practices (NPP) • Include statements regarding certain uses and disclosures requiring authorization. o Psychotherapy notes (where appropriate) o Marketing o Sales of PHI o Right to restrict disclosures to health plans (provider only) o Right to be notified of breach (but not an entity specific statement) • Include a general statement that all uses and disclosures not described in NPP also require authorization. • Methods for redistributing set forth in Final Rule- Sept. 23rd deadline 31 www.jacksonkelly.com Enforcement Rule Provisions • Adopted increased Civil Monetary Penalty (CMP) amounts and on tiered levels of culpability from 2009 IFR/ HITECH Act • Clarified “reasonable cause” tier • Willful Neglect Penalties do not require informal resolution by OCR • Intentional wrongful disclosures may be subject to civil, rather than criminal penalties • Removed “did not know” affirmative defense to CMP • No CMP for violations, if not due to willful neglect and corrected 32 www.jacksonkelly.com Increasing Penalty Tiers Each Violation Total CMP for Violations of an Identical Provision in a Calendar Year $100 – $50,000 $1,500,000 Reasonable Cause $1,000 – $50,000 $1,500,000 Willful Neglect – Corrected $10,000 – $50,000 $1,500,000 At least $50,000 $1,500,000 Violation Category : Unknowing Willful Neglect – Not Corrected 33 www.jacksonkelly.com 34 www.jacksonkelly.com Questions??? 35 www.jacksonkelly.com