Navigating HIPAA & Recent Healthcare Reform: What You Need to Know What is HIPAA? • The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), Public Law 104-191, was enacted on August 21, 1996. • HIPAA is federal legislation designed to improve the efficiency of the healthcare system and to protect the security & privacy of a patient’s health information What Does HIPAA Do? • Gives patients more control over their health information • Sets boundaries on the use and release of patient information • Establishes that covered entities and their business associates must have appropriate safeguards to protect the privacy and security of PHI • Limits release of PHI to the minimum reasonably needed for the purpose of the disclosure • Holds violators accountable with civil and criminal penalties Who Needs to Comply? • HIPAA applies to “covered entities.” • A covered entity is: – A health plan. – A health care clearinghouse. – A health care provider that transmits health information in electronic form in connection with health care transactions. • Examples: doctors, clinics, psychologists, dentists, chiropractors, nursing homes, health insurance companies, HMOs and Company health plans What does HIPAA Protect? • The Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. • Individually identifiable health information is information that – is created or received by a covered entity; – relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual – identifies the individual or there is a reasonable basis to believe the information can be used to identify the individual. • The Privacy Rule calls this information “protected health information” or PHI. Examples of PHI • • • • Medical Records Billing Information Insurance Forms Authorizations and Notices • Conversations with covered entity about PHI • • • • Prescriptions Patient Charts Patient Registry Correspondence about a patient • Medical Records Summaries • Correspondence discussing PHI General Rules for Disclosure • The privacy rule governs how a covered entity may disclose PHI to persons outside of the covered entity. • HIPAA prohibits covered entities from disclosing PHI without a patient’s authorization unless an exception exists. Permitted Uses and Disclosures • A covered entity is permitted, but not required, to use and disclose PHI, without an individual’s authorization, for the following purposes or situations: – To the Individual (unless required for access or accounting of disclosures); – Treatment, Payment, and Health Care Operations; – Opportunity to Agree or Object (i.e., Facility Directories); – Incident to an otherwise permitted use and disclosure; – Public Interest and Benefit Activities (i.e., Required by Law, Judicial and Administrative Proceedings, Law Enforcement) and – Limited Data Set for the purposes of research, public health or health care operations Authorized Uses and Disclosures • A covered entity must obtain the individual’s written authorization for any use or disclosure of PHI that is not for treatment, payment or health care operations or otherwise permitted or required by the Privacy Rule. Examples include: Psychotherapy Notes and Marketing. • A covered entity may not condition treatment, payment, enrollment, or benefits eligibility on an individual granting an authorization, except in limited circumstances. • An authorization must be written in specific terms. Privacy Practices Notice • Each covered entity, with certain exceptions, must provide a notice of its privacy practices. • The Privacy Rule requires that the notice contain certain elements. Other Individual Rights • Access. Except in certain circumstances, individuals have the right to review and obtain a copy of their PHI in a covered entity’s designated record set. • Amendment. The Rule gives individuals the right to have covered entities amend their PHI in a designated record set when that information is inaccurate or incomplete. • Disclosure Accounting. Individuals have a right to an accounting of the disclosures of their PHI by a covered entity or the covered entity’s business associates. Business Associates • In general, a business associate is a person or organization, other than a member of a covered entity’s workforce, that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of individually identifiable health information. • Business associate functions or activities on behalf of a covered entity include claims processing, data analysis, utilization review, and billing. • Business associate services to a covered entity are limited to legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services. Business Associate Agreement • There must be a contract between the covered entity and the business associates. • There are specific requirements that must be included in business associate agreements. Health Care Reform • The American Recovery and Reinvestment Act of 2009 signed into law on February 17, 2009. • Enactment of Health Information Technology for Economic and Clinical Health (“HITECH”) Act Definition of Breach • Breach means the acquisition, access, use, or disclosure of PHI in a manner not permitted under the HIPPA Privacy Rule which compromises the security or privacy of the PHI. – Compromises the security or privacy of the PHI means poses a significant risk of financial, reputational, or other harm to the individual. – A use or disclosure of PHI that does not include the 16 direct identifiers (“limited data set”), date of birth, and zip code does not compromise the security or privacy of the PHI. Significant Risk of Harm • Who Impermissibly used or to whom the information was impermissibly disclosed • Type of PHI involved • Number of Individuals Affected • Likelihood the Information is Accessible and Usable • Likelihood the Breach May Lead to Harm – Broad Reach of Potential Harm – Likelihood Harm Will Occur • Ability to Mitigate the Risk of Harm Breach excludes . . . • Any unintentional acquisition, access, or use of PHI by a workforce member or person acting under the authority of a covered entity or a business associate, if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted under the Privacy Rule. • Any inadvertent disclosure by a person who is authorized to access PHI at a covered entity or business associate to another person authorized to access PHI at the same covered entity or business associate, or organized health care arrangement in which the covered entity participates, and the information received as a result of such disclosure is not further used or disclosed in a manner not permitted under the Privacy Rule. • A disclosure of PHI where a covered entity or business associate has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information. Notification of Breach • A covered entity shall, following the discovery of a breach of unsecured PHI, notify each individual whose unsecured PHI has been, or is reasonably believed by the covered entity to have been, accessed, acquired, used, or disclosed as a result of such breach. • Content Requirements. Definition of Unsecured PHI • Unsecured PHI means PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary. • Unsecured PHI can include information in any form or medium, including electronic, paper, or oral form. Discovery of Breach • A breach shall be treated as discovered by a covered entity as of the first day on which such breach is known to the covered entity, or, by exercising reasonable diligence would have been known to the covered entity. • A covered entity shall be deemed to have knowledge of a breach if such breach is known, or by exercising reasonable diligence would have been known, to any person, other than the person committing the breach, who is a workforce member or agent of the covered entity. Timing of Notice • All required notifications shall be made without unreasonable delay and in no case later than 60 days after the discovery of a breach by the covered entity involved. • Exception – Notification shall be delayed if a law enforcement official determines that the required notification would impede a criminal investigation or cause damage to national security. Methods of Notice • Individual notice. Written notification must be provide by first class mail to the individual, or next of kin or personal representative, if the individual is deceased, at the last known address. – Email notification possible. – Other methods of notification if emergency or covered entity does not have sufficient contact information. • Media notice. For a breach of unsecured PHI involving more than 500 individuals in a State or jurisdiction, a covered entity notify prominent media outlets in the State or jurisdiction. Duty to Notify Secretary • A covered entity shall, following the discovery of a breach of unsecured PHI. – For breaches involving 500 or more individuals, than such notice must be provided contemporaneously with notification to individuals. – For breaches involving less than 500 individuals, a covered entity shall maintain a log or other documentation of such breaches and, not later than 60 days after the end of each year, submit such log to the Secretary. • http://transparency.cit.nih.gov/breach/index.cfm Duty to Notify Secretary Posting on HHS Website • Secretary will post a list on the HHS website that identifies each covered entity involved in a breach in which the unsecured PHI of more than 500 individuals is acquired or disclosed. • http://www.hhs.gov/ocr/privacy/hipaa/admini strative/breachnotificationrule/postedbreaches. html Posting on HHS Website Notice by Business Associate • A business associate shall, following the discovery of a breach of unsecured PHI, notify the covered entity of such breach. • If BA is an agent of covered entity, then the BA’s discovery of the breach will be imputed to the covered entity. Documentation In the event of a use or disclosure in violation of the HIPAA Privacy Rule, the covered entity or business associate, as applicable, shall have the burden of demonstrating that all notifications were made as required or that the use or disclosure did not constitute a breach. Restricted Disclosures In the case that an individual requests that a covered entity restrict the disclosure of the PHI, the covered entity must comply with the requested restriction if— – the disclosure is to a health plan for purposes of carrying out payment or health care operations (and is not for purposes of carrying out treatment or required to be disclosed by law); and – the PHI pertains solely to a health care item or service for which the health care provider has been fully paid out of pocket. Minimum Necessary • When using or disclosing PHI or when requesting PHI from another covered entity, a covered entity must make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request. • A covered entity shall be in compliance with this requirement if the covered entity limits the use, disclosure or request of PHI, to the extent practicable: – To a limited data set, or – if needed by the covered entity, to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request. • By August 18, 2010, the Secretary will issue guidance on what constitutes “minimum necessary.” • The covered entity disclosing such information shall determine what constitutes the minimum necessary to accomplish the intended purpose of such disclosure. Minimum Necessary Cont. The minimum necessary requirement is not imposed in any of the following circumstances: – Disclosure to or a request by a health care provider for treatment; – Use or disclosure made to the individual, or the individual’s personal representative; – Use or disclosure made pursuant to an authorization; – Disclosure to HHS for complaint investigation, compliance review or enforcement; – Use or disclosure that is required by law; or – Use or disclosure required to comply with HIPAA. Accounting of PHI Disclosures If a covered entity uses or maintains electronic health records with respect to PHI, then an individual has a right to receive an accounting of disclosures of PHI through the EHR made by a covered entity to carry out treatment, payment and health care operations for only three years prior to the date of request. Accounting of PHI Disclosures OCR published a request for information seeking comments to help better understand the interests of individuals with respect to learning of such disclosures, the administrative burden on covered entities and business associates of accounting for such disclosures, and other information that may inform the Department’s rulemaking in this area. – What are the benefits to the individual of an accounting of disclosures, particularly of disclosures made for treatment, payment, and health care operations purposes? – If you are a covered entity, how do you make clear to individuals their right to receive an accounting of disclosures? How many requests for an accounting have you received from individuals? Accounting Request • A covered entity may provide the individual either an— – Accounting for disclosures that are made by covered entity and by a business associate acting on behalf of the covered entity; or – Accounting for disclosures that are made by covered entity and provide a list of all business associates acting on behalf of the covered entity. • A business associate included on a list must provide an accounting of disclosures made by the business associate to the individual. Accounting of PHI Disclosures • Effective date of new rules – Covered entity that acquires EHR before January 1, 2009: January 1, 2014. – Covered entity that acquires EHR after January 1, 2009: The later of January 1, 2011 or the date that the covered entity acquires the EHR. • Secretary may set a later effective date. Sale of EHR or PHI • • A covered entity or business associate may not receive payment (directly or indirectly) in exchange for an individual’s PHI unless the covered entity obtains an authorization that specifies that the PHI can be further exchanged for payment by the receiving entity. Authorization is not required if the purpose of the exchange is for: – Public health activities – Research and the price charged reflects the costs of preparation and transmittal of the data for such purpose – Treatment of the individual, subject to any regulation that the Secretary may promulgate to prevent PHI from inappropriate access, use, or disclosure – Health care operations – Payment that is provided by a covered entity to a business associate for activities involving the exchange of PHI that the business associate undertakes on behalf of and at the specific request of the covered entity pursuant to a business associate agreement – Providing an individual with a copy of the individual’s PHI – Any other purpose determined by the Secretary in regulations Individual Access to PHI • If a covered entity uses or maintains an electronic health record with respect to PHI, the individual shall have a right to obtain from the covered entity a copy of the information in an electronic format and, if the individual chooses, to direct the covered entity to transmit such copy directly to an entity or person designated by the individual, provided that any such choice is clear, conspicuous, and specific. • Any fee that the covered entity may impose for providing such individual with a copy of such information in an electronic form shall not be greater than the entity’s labor costs in responding to the request for the copy. Marketing • A covered entity must obtain an authorization for marketing purposes. • Marketing is defined as a communication about a product or service that encourages recipients of the communication to purchase or use the product or service. • The following types of communications are not considered marketing (“Marketing Exceptions): – Description of a health-related product or service that is provided by, or included in a plan of benefits of the covered entity making the communication; – Communication made for treatment of the individual; or – Information for case management or care coordination for the individual, or to recommend alternative treatments, therapies, health care providers, or settings. Marketing Communications Cont. A communication by a covered entity or business associate as described in one of the Marketing Exceptions shall be considered marketing if the covered entity receives or has received direct or indirect payment in exchange for making such communication, except where such communication: – Describes only a drug or biologic that is currently being prescribed for the recipient of the communication; and any payment received by such covered entity in exchange for making a communication is reasonable in amount; – Is made by the covered entity; and the covered entity obtains a valid authorization with respect to such communication; or – Is made by a business associate on behalf of the covered entity; and the communication is consistent with the written contract between such business associate and covered entity. Fundraising • The Secretary shall issue a rule providing that any written fundraising communication must, in a clear and conspicuous manner, provide an opportunity for the recipient of the communications to elect not to receive any further such communication. • When an individual elects not to receive any further such communication, such election shall be treated as a revocation of authorization to use or disclose such individual’s PHI. Education • By August 18, 2009, the Secretary shall designate an individual in each regional office of HHS to offer guidance and education to covered entities, business associates, and individuals on their rights and responsibilities related to Federal privacy and security requirements for PHI. • By February 18, 2010, the HHS Office for Civil Rights shall develop and maintain a multi-faceted national education initiative to enhance public transparency regarding the uses of PHI, including programs to educate individuals about the potential uses of their PHI, the effects of such uses, and the rights of individuals with respect to such uses. Education Cont. • For the first year beginning after the date of the enactment of this Act and annually thereafter, the Secretary is responsible for issuing annual guidance on the provisions in the HIPAA Security Rule. • HIPAA Security Standards: Guidance on Risk Analysis – May 7, 2010 http://www.hhs.gov/ocr/privacy/hipaa/administrative /securityrule/radraftguidance.pdf Enforcement Wrongful Disclosure Criminal Penalties • A person (including an employee or other individual) shall be considered to have obtained or disclosed individually identifiable health information in violation of HIPAA if the information is maintained by a covered entity and the individual obtained or disclosed such information without authorization. • A person in violation of this section shall – be fined not more than $50,000, imprisoned not more than 1 year, or both; – if the offense is committed under false pretenses, be fined not more than $100,000, imprisoned not more than 5 years, or both; and – if the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, be fined not more than $250,000, imprisoned not more than 10 years, or both. Enforcement Required Penalty and Investigation • The Secretary is now required to impose a civil penalty for a HIPAA violation (up to $100 for each violation) due to willful neglect. • The Secretary shall formally investigate any complaint of a HIPAA violation if a preliminary investigation of the facts of the complaint indicate a possible violation due to willful neglect. • Any HIPAA violation by a covered entity will now be subject to criminal and civil penalties for each violation. • Penalties are effective on or after February 18, 2011. • Within 18 months after the enactment date, the Secretary shall promulgate regulations to implement these requirements. Enforcement - Civil Penalties Effective for violations on or after February 18, 2009. Enforcement - Civil Penalties Cont. The Secretary may not impose a civil money penalty on a covered entity for a violation if the covered entity establishes that an affirmative defense exists with respect to the violations, including the following: – The violation is an a Wrongful Disclosure Criminal Act; or – The covered entity establishes to the satisfaction of the Secretary that the violation is not due to willful neglect; and corrected during either: • The 30-day period beginning on the first date the covered entity liable for the penalty knew, or, by exercising reasonable diligence, would have known that the violation occurred; or • Such additional period as the Secretary determines to be appropriate based on the nature and extent of the failure to comply. Enforcement Definitions • Reasonable cause means circumstances that would make it unreasonable for the covered entity, despite the exercise of ordinary business care and prudence, to comply with the administrative simplification provision violated. • Reasonable diligence means the business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances. • Willful neglect means conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated. Enforcement State Attorneys General • If a State attorney general has reason to believe that an interest of one or more of the State’s residents has been or is threatened or adversely affected by any person who violates HIPAA, may bring a civil action on behalf of such State residents in a US district court: – to enjoin further such violation by the defendant; or – to obtain damages on behalf of such State’s residents. • The amount of damages shall be determined by multiplying the number of violations by up to $100. – In the case of a continuing violation, the number of violations shall be determined consistent with the HIPAA privacy regulations. – The total amount of damages for all violations of an identical requirement or prohibition during a year may not exceed $25,000. – In the case of any successful action, the court may award the costs of the action and reasonable attorney fees to the State. State Attorneys General Audits The Secretary shall conduct periodic audits to ensure that covered entities and business associates comply with HIPAA’s privacy and security rules. Business Associates • Under HITECH, business associates are now required by law to comply with the business associate requirements provided under HIPAA. • Business Associates are now required to comply with Administrative, Physical and Technical safeguards along with the Policies and procedures and documentation requirements, in the same manner that such sections apply to the covered entity. • Business Associates are required to comply with any additional requirements of the HITECH Act that relate to security and that are made applicable with respect to covered entities. • These additional requirements of the HITECH Act shall be incorporated into the business associate agreement between the business associate and the covered entity. • Business Associates are now subject to the same criminal and civil penalties applicable to a covered entity that violates such security provision. HHS Rulemaking • On March 15, 2010, OCR stated that it continues to work on a Notice of Proposed Rulemaking (“NPRM”) regarding the following provisions: – Business associate liability; – New limitations on the sale of PHI, marketing, and fundraising communications; and – Stronger individual rights to access electronic medical records and restrict the disclosure of certain information. • Interim final rules implementing HITECH Act provisions in two areas have already been issued and are currently in effect: enforcement and breach notification. Timeline PPACA The Patient Protection and Affordable Care Act (“PPACA”) is a federal statute that was signed into law on March 23, 2010 along with the Health Care and Education Reconciliation Act of 2010. Administrative Simplification Section 1104 of the Act amends HIPAA’s administrative simplification provisions by requiring the Secretary to adopt uniform standards for health care transactions which – Enable determination of individual’s eligibility and financial responsibility prior to or at point of care; – Minimize the need for paper attachments to claims submissions; – Provide for timely acknowledgment, response and status reporting – Describe all data elements (including reason and remark codes) in unambiguous terms, require that such data elements be required or conditioned upon set values in other fields, and prohibit additional conditions. HIPAA Compliance • States that participate under Wellness Program Demonstration Projects shall ensure that consumer data is protected in accordance with HIPAA • School-Based Health Centers must comply with regulations promulgated under HIPAA • Any federally conducted or supported health care or public health program activity or survey collected by Secretary is protected under HIPAA • Secretary shall ensure compliance with HIPAA in pursuing activities under Elder Justice • Secretary shall ensure that the Congenital Heart Disease Surveillance System complies with HIPAA • Enhances subpoena authority under HIPAA