HIPAA Update – Significant Omnibus Rule Changes
Rose Willis and Billee Lightvoet Ward, Dickinson Wright PLLC

HIPAA OMNIBUS RULE
Timeline:
• Published: January 25, 2013
• Effective Date: March 26, 2013
• Compliance Date: September 23, 2013
• Transition Period (for existing business associate agreements): September 23, 2014

omnibus, adjective: containing or including many items*
The Omnibus Rule amends the:
• Privacy Rule
• Security Rule
• Breach Notification Rule
• Enforcement Rule
*"omnibus." Merriam-Webster.com. 2014. http://www.merriam-webster.com/dictionary/omnibus (9 September 2014)

HIPAA OMNIBUS RULE
". . . the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented."
– Leon Rodriguez, Director, HHS Office for Civil Rights

HIPAA OMNIBUS RULE
"These changes not only greatly enhance a patient's privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates."
– Leon Rodriguez, Director, HHS Office for Civil Rights

WHAT'S NEW
Decedents
• PHI is no longer protected 50 years after the individual's date of death
Access
• Covered Entities (CEs) must provide access to e-PHI in the form and format requested if it is readily producible in that form
• Access must be provided within 30 days (one 30-day extension allowed)
Restrictions
• A CE must honor a request to restrict disclosures to a health plan concerning a health care item or service for which the individual paid in full out of pocket

WHAT'S NEW
Notice of Privacy Practices (NPP)
• Past compliance deadline for revisions
• Material revisions
• Distribution of the revised version
• HHS model Notice of Privacy Practices
Business Associates (BAs)
• Expanded definition
• New requirements for Business Associate Agreements
• Direct liability
Breach Notification Rule
• Presumption of breach
• New risk assessment standard

Notice of Privacy Practices
The deadline for making the required changes was September 23, 2013.
What if you did not meet this deadline?
• Make the revisions now; no "back dating" of the revised notice

Notice of Privacy Practices
What's new: The NPP must include a statement that any uses and disclosures of a patient's PHI for marketing purposes require the individual's written authorization.
Marketing: "marketing" means "to make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service," but the definition generally excepts communications for treatment and health care operations.
Exceptions: a face-to-face communication made by the covered entity, or a promotional gift of nominal value provided by the covered entity.
If the covered entity receives financial remuneration from a third party for the marketing communication, the authorization must state that remuneration is involved.

Notice of Privacy Practices
What's new: The NPP must include a statement that any uses and disclosures of a patient's PHI that constitute a sale of PHI require the individual's written authorization.
The authorization must state that the disclosure will result in remuneration to the CE.

Notice of Privacy Practices
What's new: If the CE records or maintains psychotherapy notes, the NPP must include a statement that uses and disclosures of psychotherapy notes require the individual's written authorization.
Psychotherapy notes: notes recorded (in any medium) by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session, and that are separated from the rest of the individual's medical record.
Psychotherapy notes exclude medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date.
Notice of Privacy Practices
What's new: Other uses and disclosures. The NPP must also state that uses and disclosures of PHI not listed in the notice will be made only with the individual's written authorization.
"Uses and disclosures of your PHI that are not listed in this notice will be made only with your written authorization."
Remember: the Notice of Privacy Practices is the roadmap!

Notice of Privacy Practices
Refresher: What is an Authorization?
Make sure that you have a HIPAA-compliant authorization! It must meet the specific requirements of the HIPAA Privacy Rule, such as:
• Specific identification of the information to be used or disclosed
• Expiration date or expiration event
• Signature of the patient and date
• Certain required statements, such as the individual's right to revoke the authorization in writing

Notice of Privacy Practices
What's new: A covered entity that intends to contact an individual for fundraising purposes must disclose in its NPP that it may contact the individual to raise funds and that the individual has the right to "opt out" of receiving such communications.
Fundraising: a communication made to an individual by a covered entity, an institutionally related foundation, or a business associate on behalf of the covered entity for the purpose of raising funds for the covered entity.
Opt out: the mechanism for opting out must appear in the fundraising solicitation itself, not in the NPP.

Notice of Privacy Practices
What's new: The NPP must include the right to restrict disclosures of PHI to a health plan when the individual (or someone on the individual's behalf) pays out of pocket in full for the health care item or service.
This is a new obligation of each CE where the disclosure would be made to carry out payment or health care operations and the PHI pertains solely to a health care item or service for which the covered entity has been paid in full.
• Discuss with the patient any inability to unbundle a bundled service
• Downstream providers: no obligation to notify them of the restriction (so far)

Notice of Privacy Practices
What's new: The NPP must include a statement informing individuals of their right to be notified following a breach of their unsecured PHI.
"You have the right to be notified following a breach of your unsecured PHI."
A simple statement suffices; there is no need to include the regulatory requirements of breach notification (discussed later in this session).

Notice of Privacy Practices
What's new: For health plans only, the NPP must state that the health plan is prohibited from using or disclosing genetic information for underwriting purposes.

Notice of Privacy Practices
Possible additional amendments (not required):
• Statement regarding the individual's right to a copy of PHI maintained electronically by the CE
• The individual's ability to have immunization records sent directly by the CE to a school
• Applicable time frames for an individual's access to his or her PHI

Notice of Privacy Practices – Distribution of Revised Version
Incorporate the new revision date (no back dating).
The CE must distribute the revised NPP as follows:
• Make the revised NPP available upon request on or after the effective date of the revised notice
• Have the NPP available at the delivery site
• Post the revised notice in a clear and prominent location
• Provide it to all new patients along with an acknowledgment of receipt
• Post it to your website, if you have one
HHS Model Notices of Privacy Practices: http://www.hhs.gov/ocr/privacy/hipaa/modelnotices.html
Recommendation: use HHS' form, but tailor it.

BUSINESS ASSOCIATES
Who is a Business Associate?
Refresher:
• A person (or entity) who performs certain functions or activities for or on behalf of a CE, or provides certain services to a CE, for example:
  • Billing, claims processing, data analysis
  • Utilization review, QA, practice management
  • Legal, accounting, financial services
• The function or service must involve the use or disclosure of PHI
• Not a member of the CE's workforce

BUSINESS ASSOCIATES
Who is a Business Associate?
What's new:
• Any person who "creates, receives, maintains or transmits" PHI for certain functions or activities on the CE's behalf
• New category of functions: patient safety activities
• Clarification: data storage companies that maintain PHI are BAs regardless of whether they actually view the PHI

BUSINESS ASSOCIATES
Who is a Business Associate?
What's new: new categories of service providers:
• Persons providing data transmission services (health information organizations (HIOs), e-prescribing gateways, etc.) that require routine access to PHI
• Persons offering personal health records on the CE's behalf
• Subcontractors of a BA

BUSINESS ASSOCIATES
Business Associate Agreements
Refresher:
• A CE must enter into a Business Associate Agreement (BAA) with each BA
• The BAA must:
  • Establish the permitted and required uses and disclosures of PHI
  • Require the BA to implement administrative, physical and technical safeguards
  • Require the BA to comply with certain other obligations to assist the CE in meeting its HIPAA obligations
  • Require the BA to report any use or disclosure not provided for in the BAA
  • Authorize termination of the contract for the BA's material violation

BUSINESS ASSOCIATES
Business Associate Agreements
What's new: The BAA must now require the BA to:
• Comply with the HIPAA Security Rule for e-PHI
• Report breaches of unsecured PHI
• Comply with applicable Privacy Rule requirements when carrying out a CE's obligation under the Privacy Rule
• Take reasonable steps to cure or end the violation (or terminate the relationship) if it knows of a Subcontractor's pattern of activity or practice that constitutes a material breach of the Subcontractor's obligations
What's new: A BA must have a BAA with each of its Subcontractors

BUSINESS
ASSOCIATES
Liability
Refresher:
• The CE is liable for BA violations
• The BA had no direct HIPAA liability (breach of contract only)
What's new:
• BAs (including Subcontractors) are now directly liable under HIPAA
• A CE or BA can be held vicariously liable for the violations of its "agents"
  • Determined by the facts and circumstances
  • Key indicator: authority to control performance of the services
  • "Independent contractor" language in the contract is not enough by itself

BREACH NOTIFICATION
Breach Notification Rule
• CEs and BAs must notify affected patients, HHS and, in some instances, the media of certain breaches of "unsecured" PHI
  • "Unsecured" PHI is PHI that has not been rendered unusable, unreadable or indecipherable to unauthorized persons, i.e., not encrypted or destroyed in accordance with HHS guidance
• "Breach" means an "acquisition, access, use, or disclosure of PHI in a manner not permitted under [the Privacy Rule] which compromises the security or privacy of the PHI."

BREACH NOTIFICATION
What's new: Presumption of Breach
• An improper use or disclosure is presumed to be a breach
• To rebut the presumption, the CE (or BA) must:
  • conduct and document a comprehensive risk assessment; and
  • determine that there is a low probability that the PHI has been compromised

BREACH NOTIFICATION
Risk Assessment (the four required factors)
• The nature and extent of the PHI involved
  • Is sensitive information included? (e.g., types of identifiers, likelihood of re-identification)
• The unauthorized person who used the PHI or to whom it was disclosed
  • Another CE bound by HIPAA?
• Whether the PHI was actually acquired or viewed
• The extent to which the risk to the PHI has been mitigated
  • Documents retrieved? Assurances obtained?
BREACH NOTIFICATION
Notification to Individuals
• Without unreasonable delay, and in no case later than 60 days after "discovery" of the breach
• A breach is "discovered":
  • When the CE knew, or by exercising reasonable diligence would have known, of the breach
  • When an agent or workforce member knew (other than the person committing the breach)
  • When the CE receives notice from a BA
  • If the BA is an agent of the CE, when the BA discovered the breach
Content of the Notice
• What happened, when it occurred, and when it was discovered
• Description of the types of PHI compromised
• Steps individuals should take to protect themselves and mitigate the effects
• Steps the CE is taking to investigate, mitigate and prevent recurrence
• CE contact information

BREACH NOTIFICATION
Notification to the Media
• Required when more than 500 residents of a State or jurisdiction are affected
• Without unreasonable delay, and no later than 60 days after discovery
• To "prominent media outlets" serving the State or jurisdiction (what qualifies depends on the market)
• A press release posted on the CE's own website does not meet this requirement

BREACH NOTIFICATION
Notification to the Secretary
• Immediately:
  • Breaches affecting 500 or more individuals (wherever they reside)
  • "Immediately" means contemporaneously with the individual notices
• Annually:
  • Breaches affecting fewer than 500 individuals
  • Maintain a log and report the breaches through the HHS website within 60 days after the end of the calendar year in which they were discovered

Breach Notification Reports to Congress
Breaches affecting fewer than 500 individuals:
• 165,135 reports made to OCR in 2012
• Most common causes (in order of frequency):
  (1) unauthorized access or disclosure (21,639 reports affecting 62,069 individuals);
  (2) unknown/other (2,033 reports affecting 13,091 individuals);
  (3) theft (1,028 reports affecting 49,132 individuals);
  (4) loss (789 reports affecting 20,176 individuals);
  (5) improper disposal (155 reports affecting 4,518 individuals); and
  (6) hacking/IT incident (61 reports affecting 2,619 individuals).
Breach Notification Reports to Congress
Secretary's Annual Report to Congress
• Submitted May 20, 2014, covering calendar years 2011 and 2012
Breaches involving more than 500 individuals:
• By reporting entity: health care providers 68%; Business Associates 25%
• By cause: theft 53%; unauthorized access/disclosure 18%
  – Largest theft breach: unencrypted laptop stolen from an employee's vehicle (more than 116,000 individuals affected)
  – Other locations of theft:
    » Medical offices and pharmacies
    » Subway and other public transit
    » Storage facilities

Breach Notification Reports to Congress
Improper Disposal
• Largest breach (189,489 individuals affected): X-rays and their accompanying paper jackets lost by a Business Associate hired to digitize and destroy them
• Others: disposal in recycling or trash bins
Hacking/IT Incidents
• Largest breach of 2012 overall (780,000 individuals affected): an unencrypted network server compromised by a cyber-attack
• Others:
  – viruses and malware
  – unidentified, unauthorized persons accessing systems
  – PHI rendered corrupt and inaccessible (the CE received a "ransom note" demanding payment to restore access to the files)

OCR Audits of the Breach Notification Rule
Pilot Audit Program
• Detailed in the Enforcement presentation
• The pilot audits looked at covered entities' compliance with specific aspects of the Breach Notification Rule:
  • Notification to individuals
  • Timeliness of notification
  • Methods of individual notification
  • Burden of proof

QUESTIONS?