Impact of the HITECH Act on HIPAA and the Interface with New Hampshire Privacy Law
Cinde Warmington
Shaheen & Gordon, P.A.
107 Storrs Street, P.O. Box 2703, Concord, NH 03302-2703
(603) 225-7262
cwarmington@shaheengordon.com

Understanding HITECH
This presentation is for informational purposes only. It does not constitute legal advice. You should seek the advice of counsel if you need legal assistance.

HITECH
- The Health Information Technology for Economic and Clinical Health Act (HITECH) was enacted as part of the American Recovery and Reinvestment Act of 2009 (ARRA) on February 17, 2009.
- It contains provisions affecting HIPAA, including breach notification requirements.
- The interim final rule on breach notification was issued August 24, 2009 and became effective September 23, 2009. 74 Fed. Reg. 42740.
- Sanctions will not be imposed for failure to comply with the notification requirements for breaches discovered before February 22, 2010.

Breach Notification Requirements
Prior to HITECH, there was no affirmative duty under HIPAA to notify an individual if protected health information (PHI) was breached, unless the breach involved "personal information" as defined under NH law and notification was required under RSA 359-C:20.
- HIPAA does include a duty to mitigate harm (which may require notification of the individual); and
- HIPAA does include a duty to keep an accounting of certain disclosures, which individuals can request;
- but there was no explicit duty to notify individuals of a breach.

Breach Notification Requirements
HITECH imposes an affirmative duty to notify each individual whose "unsecured PHI" is breached.
"A covered entity shall, following the discovery of a breach of unsecured protected health information, notify each individual whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, used, or disclosed as a result of a breach." 45 CFR § 164.404

What is a breach?
Breach means the acquisition, access, use, or disclosure of protected health information in a manner not permitted under HIPAA which compromises the security or privacy of the PHI. "Compromises the security or privacy of the PHI" means poses a significant risk of financial, reputational, or other harm to the individual. 45 CFR § 164.402(1)(i)

What is "unsecured" protected health information?
PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified in guidance issued by the Secretary of DHHS. 45 CFR § 164.402
Approved technologies/methodologies:
- Encryption
- Destruction

Encryption
Means "the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key." 45 CFR § 164.304.
The safe harbor requires that the confidential process or key has not been breached. In practice the key must be stored and managed separately from the encrypted data: a laptop whose decryption key or passphrase travels with the device (written on a note in the bag, saved in a file on the same disk, or left mounted in an unlocked session) is not "secured" even though the disk itself is encrypted.

Encryption
Valid encryption processes:
- "Data at rest": the processes set forth in NIST Special Publication 800-111 (Guide to Storage Encryption Technologies for End User Devices).
- "Data in motion": processes that comply with the Federal Information Processing Standards (FIPS) 140-2 requirements; the DHHS guidance cites NIST Special Publications 800-52, 800-77 and 800-113, or other FIPS 140-2 validated processes.
Available at http://www.csrc.nist.gov

Valid Destruction Processes:
- Paper, film or other hard copy media must be shredded or destroyed such that the PHI cannot be read or otherwise reconstructed.
- Electronic media must be cleared, purged or destroyed consistent with NIST Special Publication 800-88 (Guidelines for Media Sanitization) so that the PHI cannot be retrieved.
Available at http://www.csrc.nist.gov

Is there a breach?
If the PHI is encrypted or destroyed through a means specified in DHHS guidance, disclosure of the PHI does not result in a breach, and therefore no notification is required.

Is there a breach?
Does the improper acquisition, access, use or disclosure compromise the security or privacy of the PHI? In other words, does it pose a significant risk of financial, reputational or other harm to the individual?
The covered entity (or business associate) must perform a risk assessment.

Factors to be considered in performing the risk assessment
- Who used the PHI?
- Who received the PHI? Was the disclosure to another covered entity?
- Is there evidence that the information was actually accessed?
- What was the nature of the information disclosed?
- Was the covered entity able to take immediate steps to mitigate the harm?

Examples from the preamble to the Interim Final Rule:
- If the disclosure was to another covered entity, there may be less risk of harm to the individual;
- If a lost or stolen laptop is returned and forensic examination shows the PHI was not accessed, the risk of harm is lessened;
- If the PHI included only limited information not likely to cause harm (e.g. the patient's name and the name of the hospital where the patient was treated), the risk of harm is lessened;
- If the covered entity obtains immediate assurances from the recipient that the PHI will not be further disclosed and will be destroyed, the risk of harm may be lessened.

Risk Assessment
- Each risk assessment is individual and fact specific;
- The covered entity or business associate must document the risk assessment and the factors considered to support its conclusions;
- The burden of proof is on the covered entity or business associate to show that no breach occurred;
- If there is no significant risk of harm, there is no breach and no notification is required.

Breach notification requirements: Timeliness
- If the covered entity determines there is a breach, each individual must be notified without unreasonable delay, but no later than sixty (60) days after discovery.
- If a business associate determines there is a breach, it must notify the covered entity.

Breach notification requirements: When is the breach discovered?
On the first day the covered entity or business associate knows of the breach, or would have known had it exercised reasonable diligence. Knowledge of any workforce member or agent (other than the person committing the breach) is imputed to the entity, so the 60-day clock can start before the privacy officer hears of the incident.
Breach notification requirements: Content
The covered entity's written notification of the breach must include:
- A brief description of what happened;
- The date of the breach and the date of discovery, if known;
- A description of the types of information involved;
- Any steps individuals should take to protect themselves;
- A brief description of what the covered entity is doing to investigate the breach, mitigate harm and prevent future breaches; and
- A toll-free number, email address, website or postal address where individuals can obtain additional information.

Notice must be written in plain language:
- The covered entity must take reasonable steps to ensure meaningful access for individuals with limited English proficiency (it may have to translate the notice).
- It must ensure effective communication with individuals with disabilities (the notice may have to be provided in Braille, large print or audio).

Methods of Notification
Written notice must be:
- By first class mail to the individual's last known address, or by email if the individual has agreed to electronic notice*;
- To the next of kin or personal representative if the individual is deceased and the address is known.
*Covered entities may want to start obtaining this consent at the time of patient registration.

Substitute Notice
- If contact information is insufficient or out-of-date, substitute notice must be provided.
- Substitute notice is not required if the person is deceased and there is insufficient contact information for the next of kin or personal representative.

Substitute Notice (fewer than 10 individuals)
If there is insufficient or out-of-date contact information for fewer than 10 individuals, substitute notice can be provided by an alternative form of written notice, by telephone or by other means.

Substitute Notice
From a practical perspective, what does this mean?
- If the covered entity does not have a valid street address but does have an email address, the email address can be used without the individual's consent.
- If the covered entity has a phone number but neither an email nor a street address, the individual can be notified by telephone.
- It may not be immediately clear whether there are more or fewer than ten individuals with insufficient contact information (returned mail may be the first indication that the information is out of date).

Substitute Notice (10 or more individuals)
If there is insufficient or out-of-date contact information for 10 or more individuals, substitute notice shall be either:
- Conspicuous posting for 90 days on the home page of the covered entity's website; or
- Conspicuous notice in major print or broadcast media in the geographic areas where the affected individuals likely reside.
Either form must include a toll-free number, active for at least 90 days, where an individual can learn whether his or her information may have been involved in the breach.

Substitute Notice: Practical concerns regarding the cost of providing notice with a toll-free number
- Since the public notice will not identify the 10 or more affected individuals, it may prompt a deluge of calls from unaffected individuals at substantial cost to the covered entity.
- DHHS notes that the toll-free number is statutorily required.
- DHHS suggests that the notice may also include another means of determining whether a person is affected by the breach.

Notice in Urgent Situations
In addition to written notice, the covered entity may provide notice by telephone or other means where it is urgent because of possible imminent misuse of the PHI.

Breach involving more than 500 residents of a State or jurisdiction
- The covered entity must notify prominent media outlets serving the State or jurisdiction.
- Notice must be without unreasonable delay, but no later than sixty (60) days after discovery of the breach.
- The notice must include the same information that is given to the individuals (but does not identify the individuals).
- Notice would most likely take the form of a press release.
Notification to the Secretary of DHHS
- For breaches involving 500 or more individuals, the covered entity must notify DHHS contemporaneously with the notice to individuals.
- For breaches involving fewer than 500 individuals, the covered entity must maintain a log of breaches and submit it annually to the Secretary, within 60 days after the end of the calendar year in which the breaches were discovered.

Administration
- The covered entity must train its workforce;
- It must have appropriate sanctions against workforce members who fail to comply with its privacy policies;
- It must revise its policies and procedures; and
- It must revise its business associate agreements.

Notification by Business Associate
- The business associate must notify the covered entity of a breach without unreasonable delay, but not later than sixty (60) days after discovery.
- The notification shall include the identification of each individual whose PHI has been breached.
- The business associate must provide the covered entity with any other information the covered entity needs for its notice, either at the time of notification or promptly thereafter as the information becomes available.

NH State Law: RSA 359-C:20
- Requires notification of individuals in the event of a security breach of computerized personal information if it is determined that misuse of the information has occurred or is reasonably likely to occur, or if such a determination cannot be made.
- Health care providers must also notify the Attorney General's office.

NH State Law: RSA 359-C:20
"Personal information" is narrower than PHI. It means an individual's first name or initial and last name in combination with any of the following data elements, when either the name or the data element is not encrypted:
- Social Security number;
- Driver's license number or other government identification number; or
- Account number, credit card number, or debit card number, in combination with any required security code, access code, or password that would permit access to the individual's financial account.
NH State Law: RSA 359-C:20 Notification Requirements
- Written notice;
- Electronic notice (if that is the primary means of communication with the individual); or
- Telephonic notice (a log of each notice must be kept).
HIPAA requires written notification, so for PHI the written method must be used in any event.

NH State Law: RSA 359-C:20 Substitute Notice
If the cost of providing notice would exceed $5,000*, or the affected class of individuals exceeds 1,000*, or there is insufficient contact information to provide notice, then substitute notice can be given via:
- Email;
- Conspicuous posting on the website; or
- Notification to major statewide media.
*The HIPAA breach notification requirements will preempt these thresholds; HIPAA permits substitute notice only where contact information is insufficient or out of date.

NH State Law: RSA 359-C:20 Notice Content*
- General description of the incident;
- Approximate date of the breach;
- Type of information involved; and
- Telephone contact information the affected person can call.
*The notice will also need to comply with the HIPAA requirements.
If more than 1,000 persons are affected, the entity must also notify all consumer reporting agencies without unreasonable delay (the notice to the agencies need not include the names of the affected persons).

HIPAA / State Law Interface
See the decision matrix attached as a PDF document.

Accounting for Disclosures
- A new requirement to account for disclosures made for treatment, payment and health care operations applies to covered entities using an electronic health record (EHR).
- Effective dates: January 1, 2014 for EHRs acquired as of January 1, 2009; the later of January 1, 2011 or the date the EHR is acquired for EHRs acquired after January 1, 2009.
- Individuals are entitled to an accounting of such disclosures for the three years preceding the request.
- This is an accounting of "disclosures", not "uses". It is not the same as an audit trail.

"Minimum Necessary"
- Until the Secretary issues guidance on what constitutes "minimum necessary", a covered entity must limit its use, disclosure or request of PHI to a limited data set, to the extent practicable, rather than to the minimum necessary.
- The Secretary is to issue that guidance within 18 months of enactment, i.e. by August 2010.
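The notification decision the preceding slides walk through (safe harbor, risk assessment, discovery date, the 60-day clock, substitute notice, the HHS and media thresholds, and the RSA 359-C:20 overlay) is easy to get wrong under incident-response pressure, so here is that logic as a small Python planner. This is an added example, not part of the original presentation or its attached decision matrix: the `Incident` fields and the three sample incidents, with their dates and counts, are constructed for illustration, while the thresholds and windows are the ones the slides state. The risk assessment result is an input; the code does not decide whether there is a significant risk of harm, it only applies the documented conclusion.

```python
# HITECH / RSA 359-C:20 breach-notification planner. Added illustration, not from the presentation
# or its decision matrix: the Incident fields and the sample incidents are constructed; the thresholds
# and windows are the ones the slides describe.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Optional

NOTICE_WINDOW = timedelta(days=60)  # "without unreasonable delay, but no later than 60 days"
LARGE_BREACH = 500                  # >= 500: HHS notified with the individuals; > 500 in one state: media
SUBSTITUTE_BULK = 10                # >= 10 bad addresses: web posting or media plus toll-free number
NH_CREDIT_AGENCY = 1000             # RSA 359-C:20: > 1,000 affected: notify consumer reporting agencies


@dataclass
class Incident:
    known_on: date                        # day a workforce member actually learned of the incident
    should_have_known_on: Optional[date]  # day reasonable diligence would have surfaced it, if earlier
    encrypted_per_hhs_guidance: bool      # NIST SP 800-111 at rest / FIPS 140-2 in motion
    significant_risk_of_harm: bool        # conclusion of the documented risk assessment (an input here)
    affected_by_state: Dict[str, int]     # affected residents, keyed by state or jurisdiction
    individuals_without_contact: int      # insufficient or out-of-date contact information
    nh_personal_information: bool         # name + SSN / licence / account+code, and not encrypted
    nh_misuse: str                        # "occurred", "likely", "unlikely" or "unknown"
    key_compromised: bool = False         # safe harbor is lost if the key or process was breached
    destroyed_per_nist_800_88: bool = False


def discovery_date(inc: Incident) -> date:
    """Discovery is the earlier of actual knowledge and constructive (should-have-known) knowledge."""
    if inc.should_have_known_on is None:
        return inc.known_on
    return min(inc.known_on, inc.should_have_known_on)


def is_secured(inc: Incident) -> bool:
    """Safe harbor: PHI encrypted with the key intact, or destroyed per NIST SP 800-88."""
    return (inc.encrypted_per_hhs_guidance and not inc.key_compromised) or inc.destroyed_per_nist_800_88


def is_hitech_breach(inc: Incident) -> bool:
    """Secured PHI is never a breach; unsecured PHI is one only if the assessment found significant risk."""
    return not is_secured(inc) and inc.significant_risk_of_harm


def substitute_notice(count: int) -> Optional[str]:
    """Substitute-notice method for individuals whose contact details are missing or stale."""
    if count == 0:
        return None
    if count < SUBSTITUTE_BULK:
        return "alternative written notice, telephone or other means"
    return "90-day home-page posting or major print/broadcast media, with a toll-free number active 90 days"


def plan(inc: Incident) -> dict:
    """Return every notification obligation the incident triggers, with its deadline where one exists."""
    discovered = discovery_date(inc)
    total = sum(inc.affected_by_state.values())
    out = {"discovery_date": discovered, "hitech_breach": is_hitech_breach(inc),
           "individual_notice_deadline": None, "substitute_notice": None, "media_notice_states": [],
           "hhs_notice": None, "nh_notice": False, "nh_notify_attorney_general": False,
           "nh_notify_credit_agencies": False}
    if out["hitech_breach"]:
        out["individual_notice_deadline"] = discovered + NOTICE_WINDOW
        out["substitute_notice"] = substitute_notice(inc.individuals_without_contact)
        out["media_notice_states"] = sorted(s for s, n in inc.affected_by_state.items() if n > LARGE_BREACH)
        if total >= LARGE_BREACH:
            out["hhs_notice"] = "contemporaneous with individual notice"
        else:  # smaller breaches go on the annual log, due 60 days after the end of the calendar year
            out["hhs_notice"] = "annual log, due " + (date(discovered.year, 12, 31) + NOTICE_WINDOW).isoformat()
    # NH overlay: narrower data definition, but a lower trigger (misuse likely, or cannot be determined).
    if inc.nh_personal_information and inc.nh_misuse in ("occurred", "likely", "unknown"):
        out["nh_notice"] = True
        out["nh_notify_attorney_general"] = True  # health care providers, per the slides
        out["nh_notify_credit_agencies"] = total > NH_CREDIT_AGENCY
    return out


# Constructed sample 1: unencrypted laptop holding names, SSNs and diagnoses of 620 NH and 30 MA residents.
# The help desk logged the theft on March 1; the privacy officer only heard of it on March 15.
STOLEN_LAPTOP = Incident(
    known_on=date(2010, 3, 15), should_have_known_on=date(2010, 3, 1), encrypted_per_hhs_guidance=False,
    significant_risk_of_harm=True, affected_by_state={"NH": 620, "MA": 30},
    individuals_without_contact=12, nh_personal_information=True, nh_misuse="unknown")

# Constructed sample 2: the same laptop, full-disk encrypted per NIST SP 800-111, key known only to the user.
ENCRYPTED_LAPTOP = Incident(
    known_on=date(2010, 3, 15), should_have_known_on=None, encrypted_per_hhs_guidance=True,
    significant_risk_of_harm=True, affected_by_state={"NH": 620, "MA": 30},
    individuals_without_contact=12, nh_personal_information=False, nh_misuse="unknown")

# Constructed sample 3: a list of 40 patients' names and diagnoses faxed to the wrong number on June 10.
MISDIRECTED_FAX = Incident(
    known_on=date(2010, 6, 10), should_have_known_on=None, encrypted_per_hhs_guidance=False,
    significant_risk_of_harm=True, affected_by_state={"NH": 40},
    individuals_without_contact=3, nh_personal_information=False, nh_misuse="unlikely")
```

Calling `plan(STOLEN_LAPTOP)` shows the two traps the slides warn about: the deadline runs from March 1 (the help desk's knowledge is imputed to the entity), and 12 undeliverable addresses push the entity into the posting-or-media path with a toll-free number. For the encrypted laptop the safe harbor short-circuits everything, which is why `key_compromised` is a separate field: an encrypted disk whose passphrase was in the bag is not secured. The misdirected fax still requires individual notice within 60 days but goes on the annual HHS log, due March 1 of the following year.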
Requested Restrictions
- Currently an individual can request restrictions on the use and disclosure of PHI, but the covered entity does not have to agree to such requests.
- Under HITECH, a covered entity must comply with a request if:
  - the disclosure is to a health plan for payment or health care operations; and
  - the PHI pertains to an item or service for which the health care provider has been paid out of pocket in full.
- Effective February 2010.

Access to Information in an EHR
- An individual has a right to receive information stored in an EHR in an electronic format.
- If directed by the individual, the covered entity must transmit a copy to a person designated by the individual.
- The charge cannot be greater than the labor cost of responding to the request.
- Effective February 2010.

Marketing and Fundraising: HIPAA Changes (Effective February 2010)
- If remuneration is received, an authorization is required except in very limited circumstances.
- Marketing communications are not treated as health care operations, except for communications about treatment, case management, care coordination, alternative treatments, therapies, providers or settings of care, or descriptions of the covered entity's own services.
- Fundraising communications must include a clear and conspicuous opportunity to opt out.

Marketing Changes: NH State Law (Effective January 1, 2010)
Under HB 619, "marketing" means:
(1) To make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service, unless the communication is made by the individual's health care provider:
- for treatment of the individual;
- for case management or care coordination for the individual;
- to direct or recommend alternative treatments, therapies, health care providers or settings of care; or
- for treatment-related reminders or health promotion activities by health care providers.
(2) An arrangement whereby the health care provider discloses PHI in exchange for payment so that a third party can make a marketing communication about its own products or services.
- An authorization is required for any use or disclosure of PHI for marketing.
- To the extent State law is contrary to HIPAA and more protective of privacy, State law is not preempted and will control.

Fundraising: NH Law
- Fundraising communications must include a clear and conspicuous opportunity to opt out of receiving such communications.
- Notice of the opportunity to opt out must be provided:
  - 60 days prior to any fundraising communication; or
  - in the Notice of Privacy Practices, if that notice is given prior to any fundraising communication; and
  - in every subsequent fundraising communication.
- Once a person opts out, the opt-out is treated as a revocation of an authorization.

Marketing and Fundraising: NH Law Enforcement
- An aggrieved individual may bring a civil action under RSA 332-I:4 or 332-I:5 and, if successful, shall be awarded special or general damages of not less than $1,000 for each violation, plus costs and reasonable attorney's fees.
- The interface between state and federal law is still to be determined.

Prohibition on the Sale of EHR/PHI
HITECH prohibits a covered entity (or business associate) from receiving direct or indirect remuneration in exchange for PHI unless the individual provides a valid authorization.
Exceptions:
- Public health activities;
- Research (where the price reflects only the cost of preparation and transmittal of the data);
- Treatment of the individual;
- Health care operations associated with the sale, merger or consolidation of the covered entity;
- Payment by the covered entity for the services of a business associate; and
- Providing the individual with a copy of his or her record.

Prohibition on the Sale of EHR/PHI
- The Secretary is to promulgate regulations not later than 18 months after enactment.
- The prohibition applies to exchanges occurring 6 months or more after the regulations are promulgated.

Business Associates
- The breach notification requirements apply to business associates.
- The Security Rule's administrative, physical and technical safeguards and its documentation requirements (45 CFR §§ 164.308, 164.310, 164.312 and 164.316) apply directly to business associates.
- The HIPAA provisions governing use and disclosure of PHI apply to business associates.
- Civil and criminal penalties now apply to business associates.
- Business associates will need to maintain an accounting of any disclosures from an EHR.

HIPAA Enforcement and Penalties
Categories of violations and respective penalty amounts available (Section 1176(a)(1)):

Violation category                      | Each violation     | All such violations of an identical provision in a calendar year
(A) Did not know                        | $100 - $50,000     | $1,500,000
(B) Reasonable cause                    | $1,000 - $50,000   | $1,500,000
(C)(i) Willful neglect, corrected       | $10,000 - $50,000  | $1,500,000
(C)(ii) Willful neglect, not corrected  | $50,000            | $1,500,000

HIPAA Enforcement and Penalties
- Reasonable cause means circumstances that would make it unreasonable for the covered entity, despite the exercise of ordinary business care and prudence, to comply with the [HIPAA] provision violated.
- Reasonable diligence means the business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances.
- Willful neglect means conscious, intentional failure or reckless indifference to the obligation to comply with the [HIPAA] provision violated.

HIPAA Enforcement and Penalties
- HITECH imposes a minimum penalty amount in each category.
- Previously, a covered entity had an affirmative defense if it did not know, and by exercising reasonable diligence would not have known, of the violation; HITECH removes this affirmative defense.
- However, it is an affirmative defense if the violation is not due to willful neglect and is corrected within 30 days of the date the covered entity knew of it (or, by exercising reasonable diligence, should have known of it).

HIPAA Enforcement and Penalties
- The Secretary still has discretion to limit or waive penalties for violations due to reasonable cause and not willful neglect.
- No later than 3 years after enactment, the Secretary shall establish a methodology under which an individual harmed by a violation may receive a percentage of the penalties collected.

Enforcement by State Attorneys General
State Attorneys General may bring a civil action in federal district court on behalf of residents of the State who have been or are threatened or adversely affected by any person violating the statute:
- The State may seek equitable injunctive relief.
- Damages are calculated by multiplying $100 by the number of violations.
- The total amount of damages for identical violations in a calendar year may not exceed $25,000.
- The State may seek payment of attorney fees.