Navigating HIPAA & Recent Healthcare Reform: What You Need to Know
What is HIPAA?
• The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), Public Law 104-191, was enacted on August 21, 1996.
• HIPAA is federal legislation designed to improve the efficiency of the healthcare system and to protect the security and privacy of a patient’s health information.
What Does HIPAA Do?
• Gives patients more control over their health information
• Sets boundaries on the use and release of patient information
• Establishes that covered entities and their business associates must have appropriate safeguards to protect the privacy and security of PHI
• Limits release of PHI to the minimum reasonably needed for the purpose of the disclosure
• Holds violators accountable with civil and criminal penalties
Who Needs to Comply?
• HIPAA applies to “covered entities.”
• A covered entity is:
– A health plan.
– A health care clearinghouse.
– A health care provider that transmits health information in electronic form in connection with health care transactions.
• Examples: doctors, clinics, psychologists, dentists, chiropractors, nursing homes, health insurance companies, HMOs and company health plans
What Does HIPAA Protect?
• The Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral.
• Individually identifiable health information is information that
– is created or received by a covered entity;
– relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and
– identifies the individual or there is a reasonable basis to believe the information can be used to identify the individual.
• The Privacy Rule calls this information “protected health information” or PHI.
Examples of PHI
• Medical Records
• Billing Information
• Insurance Forms
• Authorizations and Notices
• Conversations with covered entity about PHI
• Prescriptions
• Patient Charts
• Patient Registry
• Correspondence about a patient
• Medical Records Summaries
• Correspondence discussing PHI
General Rules for Disclosure
• The Privacy Rule governs how a covered entity may disclose PHI to persons outside of the covered entity.
• HIPAA prohibits covered entities from disclosing PHI without a patient’s authorization unless an exception exists.
Permitted Uses and Disclosures
• A covered entity is permitted, but not required, to use and disclose PHI, without an individual’s authorization, for the following purposes or situations:
– To the Individual (unless required for access or accounting of disclosures);
– Treatment, Payment, and Health Care Operations;
– Opportunity to Agree or Object (i.e., Facility Directories);
– Incident to an otherwise permitted use and disclosure;
– Public Interest and Benefit Activities (i.e., Required by Law, Judicial and Administrative Proceedings, Law Enforcement); and
– Limited Data Set for the purposes of research, public health or health care operations
Authorized Uses and Disclosures
• A covered entity must obtain the individual’s written authorization for any use or disclosure of PHI that is not for treatment, payment or health care operations or otherwise permitted or required by the Privacy Rule. Examples include: Psychotherapy Notes and Marketing.
• A covered entity may not condition treatment, payment, enrollment, or benefits eligibility on an individual granting an authorization, except in limited circumstances.
• An authorization must be written in specific terms.
Privacy Practices Notice
• Each covered entity, with certain exceptions, must provide a notice of its privacy practices.
• The Privacy Rule requires that the notice contain certain elements.
Other Individual Rights
• Access. Except in certain circumstances, individuals have the right to review and obtain a copy of their PHI in a covered entity’s designated record set.
• Amendment. The Rule gives individuals the right to have covered entities amend their PHI in a designated record set when that information is inaccurate or incomplete.
• Disclosure Accounting. Individuals have a right to an accounting of the disclosures of their PHI by a covered entity or the covered entity’s business associates.
Business Associates
• In general, a business associate is a person or organization, other than a member of a covered entity’s workforce, that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of individually identifiable health information.
• Business associate functions or activities on behalf of a covered entity include claims processing, data analysis, utilization review, and billing.
• Business associate services to a covered entity are limited to legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services.
Business Associate Agreement
• There must be a contract between the covered entity and the business associates.
• There are specific requirements that must be included in business associate agreements.
Health Care Reform
• The American Recovery and Reinvestment Act of 2009 was signed into law on February 17, 2009.
• It enacted the Health Information Technology for Economic and Clinical Health (“HITECH”) Act.
Definition of Breach
• Breach means the acquisition, access, use, or disclosure of PHI in a manner not permitted under the HIPAA Privacy Rule which compromises the security or privacy of the PHI.
– Compromises the security or privacy of the PHI means poses a significant risk of financial, reputational, or other harm to the individual.
– A use or disclosure of PHI that does not include the 16 direct identifiers (“limited data set”), date of birth, and zip code does not compromise the security or privacy of the PHI.
Significant Risk of Harm
• Who impermissibly used the information, or to whom the information was impermissibly disclosed
• Type of PHI involved
• Number of individuals affected
• Likelihood the information is accessible and usable
• Likelihood the breach may lead to harm
– Broad reach of potential harm
– Likelihood harm will occur
• Ability to mitigate the risk of harm
Breach excludes . . .
• Any unintentional acquisition, access, or use of PHI by a workforce member or person acting under the authority of a covered entity or a business associate, if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted under the Privacy Rule.
• Any inadvertent disclosure by a person who is authorized to access PHI at a covered entity or business associate to another person authorized to access PHI at the same covered entity or business associate, or organized health care arrangement in which the covered entity participates, and the information received as a result of such disclosure is not further used or disclosed in a manner not permitted under the Privacy Rule.
• A disclosure of PHI where a covered entity or business associate has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.
Notification of Breach
• A covered entity shall, following the discovery of a breach of unsecured PHI, notify each individual whose unsecured PHI has been, or is reasonably believed by the covered entity to have been, accessed, acquired, used, or disclosed as a result of such breach.
• Content Requirements.
Definition of Unsecured PHI
• Unsecured PHI means PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary.
• Unsecured PHI can include information in any form or medium, including electronic, paper, or oral form.
Discovery of Breach
• A breach shall be treated as discovered by a covered entity as of the first day on which such breach is known to the covered entity, or, by exercising reasonable diligence, would have been known to the covered entity.
• A covered entity shall be deemed to have knowledge of a breach if such breach is known, or by exercising reasonable diligence would have been known, to any person, other than the person committing the breach, who is a workforce member or agent of the covered entity.
Timing of Notice
• All required notifications shall be made without unreasonable delay and in no case later than 60 days after the discovery of a breach by the covered entity involved.
• Exception – Notification shall be delayed if a law enforcement official determines that the required notification would impede a criminal investigation or cause damage to national security.
Methods of Notice
• Individual notice. Written notification must be provided by first class mail to the individual, or to the next of kin or personal representative if the individual is deceased, at the last known address.
– Email notification possible.
– Other methods of notification if emergency or covered entity does not have sufficient contact information.
• Media notice. For a breach of unsecured PHI involving more than 500 individuals in a State or jurisdiction, a covered entity must notify prominent media outlets in the State or jurisdiction.
Duty to Notify Secretary
• A covered entity shall, following the discovery of a breach of unsecured PHI, notify the Secretary.
– For breaches involving 500 or more individuals, such notice must be provided contemporaneously with notification to individuals.
– For breaches involving less than 500 individuals, a covered entity shall maintain a log or other documentation of such breaches and, not later than 60 days after the end of each year, submit such log to the Secretary.
• http://transparency.cit.nih.gov/breach/index.cfm
Posting on HHS Website
• Secretary will post a list on the HHS website that identifies each covered entity involved in a breach in which the unsecured PHI of more than 500 individuals is acquired or disclosed.
• http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/postedbreaches.html
Notice by Business Associate
• A business associate shall, following the discovery of a breach of unsecured PHI, notify the covered entity of such breach.
• If BA is an agent of covered entity, then the BA’s discovery of the breach will be imputed to the covered entity.
Documentation
In the event of a use or disclosure in violation of the HIPAA Privacy Rule, the covered entity or business associate, as applicable, shall have the burden of demonstrating that all notifications were made as required or that the use or disclosure did not constitute a breach.
Restricted Disclosures
In the case that an individual requests that a covered entity restrict the disclosure of the PHI, the covered entity must comply with the requested restriction if—
– the disclosure is to a health plan for purposes of carrying out payment or health care operations (and is not for purposes of carrying out treatment or required to be disclosed by law); and
– the PHI pertains solely to a health care item or service for which the health care provider has been fully paid out of pocket.
Minimum Necessary
• When using or disclosing PHI or when requesting PHI from another covered entity, a covered entity must make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.
• A covered entity shall be in compliance with this requirement if the covered entity limits the use, disclosure or request of PHI, to the extent practicable:
– To a limited data set, or
– if needed by the covered entity, to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.
• By August 18, 2010, the Secretary will issue guidance on what constitutes “minimum necessary.”
• The covered entity disclosing such information shall determine what constitutes the minimum necessary to accomplish the intended purpose of such disclosure.
Minimum Necessary Cont.
The minimum necessary requirement is not imposed in any of the following circumstances:
– Disclosure to or a request by a health care provider for treatment;
– Use or disclosure made to the individual, or the individual’s personal representative;
– Use or disclosure made pursuant to an authorization;
– Disclosure to HHS for complaint investigation, compliance review or enforcement;
– Use or disclosure that is required by law; or
– Use or disclosure required to comply with HIPAA.
Accounting of PHI Disclosures
If a covered entity uses or maintains electronic health records with respect to PHI, then an individual has a right to receive an accounting of disclosures of PHI through the EHR made by a covered entity to carry out treatment, payment and health care operations for only three years prior to the date of request.
Accounting of PHI Disclosures
OCR published a request for information seeking comments to help better understand the interests of individuals with respect to learning of such disclosures, the administrative burden on covered entities and business associates of accounting for such disclosures, and other information that may inform the Department’s rulemaking in this area.
– What are the benefits to the individual of an accounting of disclosures, particularly of disclosures made for treatment, payment, and health care operations purposes?
– If you are a covered entity, how do you make clear to individuals their right to receive an accounting of disclosures? How many requests for an accounting have you received from individuals?
Accounting Request
• A covered entity may provide the individual either an—
– Accounting for disclosures that are made by the covered entity and by a business associate acting on behalf of the covered entity; or
– Accounting for disclosures that are made by the covered entity and provide a list of all business associates acting on behalf of the covered entity.
• A business associate included on a list must provide an accounting of disclosures made by the business associate to the individual.
Accounting of PHI Disclosures
• Effective date of new rules
– Covered entity that acquires EHR before January 1, 2009: January 1, 2014.
– Covered entity that acquires EHR after January 1, 2009: The later of January 1, 2011 or the date that the covered entity acquires the EHR.
• Secretary may set a later effective date.
Sale of EHR or PHI
• A covered entity or business associate may not receive payment (directly or indirectly) in exchange for an individual’s PHI unless the covered entity obtains an authorization that specifies that the PHI can be further exchanged for payment by the receiving entity.
• Authorization is not required if the purpose of the exchange is for:
– Public health activities
– Research, and the price charged reflects the costs of preparation and transmittal of the data for such purpose
– Treatment of the individual, subject to any regulation that the Secretary may promulgate to prevent PHI from inappropriate access, use, or disclosure
– Health care operations
– Payment that is provided by a covered entity to a business associate for activities involving the exchange of PHI that the business associate undertakes on behalf of and at the specific request of the covered entity pursuant to a business associate agreement
– Providing an individual with a copy of the individual’s PHI
– Any other purpose determined by the Secretary in regulations
Individual Access to PHI
• If a covered entity uses or maintains an electronic health record with respect to PHI, the individual shall have a right to obtain from the covered entity a copy of the information in an electronic format and, if the individual chooses, to direct the covered entity to transmit such copy directly to an entity or person designated by the individual, provided that any such choice is clear, conspicuous, and specific.
• Any fee that the covered entity may impose for providing such individual with a copy of such information in an electronic form shall not be greater than the entity’s labor costs in responding to the request for the copy.
Marketing
• A covered entity must obtain an authorization for marketing purposes.
• Marketing is defined as a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.
• The following types of communications are not considered marketing (“Marketing Exceptions”):
– Description of a health-related product or service that is provided by, or included in a plan of benefits of, the covered entity making the communication;
– Communication made for treatment of the individual; or
– Information for case management or care coordination for the individual, or to recommend alternative treatments, therapies, health care providers, or settings.
Marketing Communications Cont.
A communication by a covered entity or business associate as described in one of the Marketing Exceptions shall be considered marketing if the covered entity receives or has received direct or indirect payment in exchange for making such communication, except where such communication:
– Describes only a drug or biologic that is currently being prescribed for the recipient of the communication; and any payment received by such covered entity in exchange for making a communication is reasonable in amount;
– Is made by the covered entity; and the covered entity obtains a valid authorization with respect to such communication; or
– Is made by a business associate on behalf of the covered entity; and the communication is consistent with the written contract between such business associate and covered entity.
Fundraising
• The Secretary shall issue a rule providing that any written fundraising communication must, in a clear and conspicuous manner, provide an opportunity for the recipient of the communications to elect not to receive any further such communication.
• When an individual elects not to receive any further such communication, such election shall be treated as a revocation of authorization to use or disclose such individual’s PHI.
Education
• By August 18, 2009, the Secretary shall designate an individual in each regional office of HHS to offer guidance and education to covered entities, business associates, and individuals on their rights and responsibilities related to Federal privacy and security requirements for PHI.
• By February 18, 2010, the HHS Office for Civil Rights shall develop and maintain a multi-faceted national education initiative to enhance public transparency regarding the uses of PHI, including programs to educate individuals about the potential uses of their PHI, the effects of such uses, and the rights of individuals with respect to such uses.
Education Cont.
• For the first year beginning after the date of the enactment of this Act and annually thereafter, the Secretary is responsible for issuing annual guidance on the provisions in the HIPAA Security Rule.
• HIPAA Security Standards: Guidance on Risk Analysis – May 7, 2010
http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/radraftguidance.pdf
Enforcement - Wrongful Disclosure Criminal Penalties
• A person (including an employee or other individual) shall be considered to have obtained or disclosed individually identifiable health information in violation of HIPAA if the information is maintained by a covered entity and the individual obtained or disclosed such information without authorization.
• A person in violation of this section shall
– be fined not more than $50,000, imprisoned not more than 1 year, or both;
– if the offense is committed under false pretenses, be fined not more than $100,000, imprisoned not more than 5 years, or both; and
– if the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, be fined not more than $250,000, imprisoned not more than 10 years, or both.
Enforcement - Required Penalty and Investigation
• The Secretary is now required to impose a civil penalty for a HIPAA violation (up to $100 for each violation) due to willful neglect.
• The Secretary shall formally investigate any complaint of a HIPAA violation if a preliminary investigation of the facts of the complaint indicates a possible violation due to willful neglect.
• Any HIPAA violation by a covered entity will now be subject to criminal and civil penalties for each violation.
• Penalties are effective on or after February 18, 2011.
• Within 18 months after the enactment date, the Secretary shall promulgate regulations to implement these requirements.
Enforcement - Civil Penalties
Effective for violations on or after February 18, 2009.
Enforcement - Civil Penalties Cont.
The Secretary may not impose a civil money penalty on a covered entity for a violation if the covered entity establishes that an affirmative defense exists with respect to the violation, including the following:
– The violation is a Wrongful Disclosure Criminal Act; or
– The covered entity establishes to the satisfaction of the Secretary that the violation is not due to willful neglect, and is corrected during either:
• The 30-day period beginning on the first date the covered entity liable for the penalty knew, or, by exercising reasonable diligence, would have known that the violation occurred; or
• Such additional period as the Secretary determines to be appropriate based on the nature and extent of the failure to comply.
Enforcement Definitions
• Reasonable cause means circumstances that would make it unreasonable for the covered entity, despite the exercise of ordinary business care and prudence, to comply with the administrative simplification provision violated.
• Reasonable diligence means the business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances.
• Willful neglect means conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated.
Enforcement - State Attorneys General
• If a State attorney general has reason to believe that an interest of one or more of the State’s residents has been or is threatened or adversely affected by any person who violates HIPAA, the attorney general may bring a civil action on behalf of such State residents in a US district court:
– to enjoin further such violation by the defendant; or
– to obtain damages on behalf of such State’s residents.
• The amount of damages shall be determined by multiplying the number of violations by up to $100.
– In the case of a continuing violation, the number of violations shall be determined consistent with the HIPAA privacy regulations.
– The total amount of damages for all violations of an identical requirement or prohibition during a year may not exceed $25,000.
– In the case of any successful action, the court may award the costs of the action and reasonable attorney fees to the State.
Audits
The Secretary shall conduct periodic audits to ensure that covered entities and business associates comply with HIPAA’s privacy and security rules.
Business Associates
• Under HITECH, business associates are now required by law to comply with the business associate requirements provided under HIPAA.
• Business associates are now required to comply with Administrative, Physical and Technical safeguards along with the Policies and Procedures and Documentation requirements, in the same manner that such sections apply to the covered entity.
• Business associates are required to comply with any additional requirements of the HITECH Act that relate to security and that are made applicable with respect to covered entities.
• These additional requirements of the HITECH Act shall be incorporated into the business associate agreement between the business associate and the covered entity.
• Business associates are now subject to the same criminal and civil penalties applicable to a covered entity that violates such security provision.
HHS Rulemaking
• On March 15, 2010, OCR stated that it continues to work on a Notice of Proposed Rulemaking (“NPRM”) regarding the following provisions:
– Business associate liability;
– New limitations on the sale of PHI, marketing, and fundraising communications; and
– Stronger individual rights to access electronic medical records and restrict the disclosure of certain information.
• Interim final rules implementing HITECH Act provisions in two areas have already been issued and are currently in effect: enforcement and breach notification.
Timeline
PPACA
The Patient Protection and Affordable Care Act (“PPACA”) is a federal statute that was signed into law on March 23, 2010 along with the Health Care and Education Reconciliation Act of 2010.
Administrative Simplification
Section 1104 of the Act amends HIPAA’s administrative simplification provisions by requiring the Secretary to adopt uniform standards for health care transactions which
– Enable determination of an individual’s eligibility and financial responsibility prior to or at point of care;
– Minimize the need for paper attachments to claims submissions;
– Provide for timely acknowledgment, response and status reporting; and
– Describe all data elements (including reason and remark codes) in unambiguous terms, require that such data elements be required or conditioned upon set values in other fields, and prohibit additional conditions.
HIPAA Compliance
• States that participate under Wellness Program Demonstration Projects shall ensure that consumer data is protected in accordance with HIPAA
• School-Based Health Centers must comply with regulations promulgated under HIPAA
• Any federally conducted or supported health care or public health program activity or survey collected by the Secretary is protected under HIPAA
• Secretary shall ensure compliance with HIPAA in pursuing activities under Elder Justice
• Secretary shall ensure that the Congenital Heart Disease Surveillance System complies with HIPAA
• Enhances subpoena authority under HIPAA