HIPAA Changes - Shaheen & Gordon, PA

Impact of HITECH Act on HIPAA and the Interface with New Hampshire Privacy Law
Cinde Warmington
Shaheen & Gordon, P.A.
107 Storrs Street
P.O. Box 2703
Concord, NH 03302-2703
(603) 225-7262
cwarmington@shaheengordon.com

Understanding HITECH
• This presentation is for informational purposes only. It does not constitute legal advice. You should seek the advice of counsel if you need legal assistance.
HITECH
• The Health Information Technology for Economic and Clinical Health Act (HITECH) was enacted as part of the American Recovery and Reinvestment Act of 2009 (ARRA) on February 17, 2009.
• Contains provisions affecting HIPAA, including breach notification requirements.
• The interim final rule on breach notification was issued August 24, 2009, effective September 23, 2009. 74 Fed. Reg. 42740.
• Sanctions will not be imposed for failure to comply with the notification requirements for breaches discovered before February 22, 2010.
Breach Notification Requirements
• Prior to HITECH, there was no affirmative duty under HIPAA to notify an individual if protected health information (PHI) was breached, unless the breach involved “personal information” as defined under NH law and notification was required under RSA 359-C:20;
• HIPAA does include a duty to mitigate harm (which may require notification of the individual); and
• HIPAA does include a duty to keep an accounting of certain disclosures, which individuals can request;
• But there was no explicit duty to notify individuals of a breach.

Breach Notification Requirements
• HITECH imposes an affirmative duty to notify each individual whose “unsecured PHI” is breached.
• “A covered entity shall, following the discovery of a breach of unsecured protected health information, notify each individual whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, used, or disclosed as a result of a breach.” 45 CFR §164.404
What is a breach?
• Breach means the acquisition, access, use, or disclosure of protected health information not permitted under HIPAA which compromises the security or privacy of the PHI.
• “Compromises the security or privacy of the PHI means poses a significant risk of financial, reputational, or other harm to the individual.” 45 CFR § 164.402(1)(i)

What is “unsecured” protected health information?
• PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified in guidance issued by the Secretary of DHHS. 45 CFR § 164.402
• Approved technologies/methodologies include:
  o Encryption
  o Destruction
Encryption
• Means “the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key.” 45 CFR §164.304.
• Requires that the confidential process or key has not been breached.

Encryption
• Valid encryption processes for “data at rest” are set forth in NIST Special Publication 800-111.
• Valid encryption processes for “data in motion” must comply with the Federal Information Processing Standards (FIPS 140-2).
Available at http://www.csrc.nist.gov

Valid Destruction Processes:
• Paper, film or other hard copy media must be shredded or destroyed in such a way that the PHI cannot be read or otherwise reconstructed.
• Electronic media must be cleared, purged or destroyed so that PHI cannot be retrieved, consistent with NIST Special Publication 800-88.
Available at http://www.csrc.nist.gov
Is there a breach?
• If the PHI is encrypted or destroyed through a means specified in DHHS guidance, disclosure of the PHI will not result in a breach.
• …and, therefore, no notification is required.

Is there a breach?
• Does the improper acquisition, access, use or disclosure compromise the security or privacy of the PHI?
• In other words, does it pose a significant risk of financial, reputational or other harm to the individual?
• The covered entity (or business associate) must perform a risk assessment.

Factors to be considered in performing risk assessment
• Who used the PHI?
• Who received the PHI?
• Was the disclosure to another covered entity?
• Was there evidence that the information was accessed?
• What was the nature of the information disclosed?
• Was the covered entity able to take immediate steps to mitigate the harm?
Examples from preamble to Interim Final Rule:
• If disclosure was to another covered entity, there may be less risk of harm to the individual;
• If a lost or stolen laptop is returned and testing shows PHI was not accessed, the risk of harm is lessened;
• If the PHI included only limited information not likely to cause harm (e.g. patient’s name and name of hospital where patient was treated);
• If the covered entity obtains immediate assurances from the recipient that PHI will not be disclosed and will be destroyed, risk of harm may be lessened.

Risk Assessment
• Each risk assessment will be individual and fact specific;
• The covered entity or business associate must document the risk assessment and the factors considered to support its conclusions;
• The burden of proof is on the covered entity or business associate to show no breach has occurred;
• If there is no risk of harm, then no breach notification is required.
Breach notification requirements
Timeliness
• If the covered entity determines there is a breach, each individual must be notified without unreasonable delay but no later than sixty (60) days after discovery.
• If a business associate determines there is a breach, it must notify the covered entity.

Breach notification requirement
When is the breach discovered?
• On the first day the covered entity or business associate knows of the breach or would have known if it had exercised reasonable diligence.
Breach notification requirements
Covered entity’s written notification of the breach must include:
• Brief description of what happened;
• Date of the breach and date of discovery of the breach, if known;
• Description of information disclosed;
• Any steps individuals should take to protect themselves;
• Brief description of what the covered entity is doing to investigate the breach, mitigate any harm and prevent future breaches; and
• Toll-free number, email address, website or postal address where individuals can receive additional information.

Notice must be written in plain language:
• Must take reasonable steps to ensure meaningful access for individuals with Limited English Proficiency (may have to translate).
• Must ensure effective communications with individuals with disabilities (may require that notice be made in Braille, large print or audio).
Methods of Notification
Written notice must be:
• By first class mail;
• To last known address, or by email if the individual agrees to electronic notice*;
• Must notify next of kin or personal representative if the individual is deceased and the address is known.
*Covered entities may want to start obtaining this consent at time of patient registration.

Substitute Notice:
• If contact information is insufficient or out-of-date, substitute notice must be provided.
• Substitute notice is not required if the person is deceased and there is insufficient contact information for next of kin or personal representative.

Substitute Notice
• If there is insufficient or out-of-date contact information for fewer than 10 individuals, then substitute notice can be provided by an alternative form of written notice, telephone or other means.

Substitute Notice
From a practical perspective, what does this mean?
• If the covered entity does not have a valid street address but does have an email address, the email can be used, and without the individual’s consent.
• If the covered entity has a phone number and not an email or street address, the individual can be notified by telephone.
• It may not be immediately clear whether there are more or fewer than ten individuals with insufficient contact information (returned mail may be the first notice that info is out-of-date).
Substitute Notice
If there is insufficient or out-of-date contact information for 10 or more individuals, substitute notice shall be either:
• Conspicuous posting for 90 days on the home page of the covered entity’s web-site; or
• Conspicuous notice in major print or broadcast media in geographic areas where affected individuals may reside;
• Must include a toll-free number where an individual can learn whether their information may have been breached.

Substitute Notice
Practical concerns regarding the cost of providing notice with toll-free number
• Since public notice will not identify the 10 or more affected individuals, notice may prompt a deluge of calls from unaffected individuals at a substantial cost to the covered entity.
• DHHS notes that the toll-free number is statutorily required.
• DHHS suggests that notice can include another means of determining if the person is affected by the breach.

Notice in Urgent Situations
• In addition to written notice, the covered entity may provide notice by telephone if it is urgent because of possible, imminent misuse of PHI.
Breach involving more than 500 residents
• For breaches involving more than 500 residents of a State or jurisdiction:
• Covered entity must notify prominent media outlets in the State or jurisdiction.
• Notice must be without unreasonable delay but no later than sixty (60) days after discovery of the breach.
• Notification must include the same information that would be given to the individuals (except it would not identify the individuals).
• Notice would most likely be in the form of a press release.

Notification to the Secretary of DHHS
• For breaches involving 500 or more individuals, must notify DHHS at the same time as individuals are notified.
• For breaches involving fewer than 500 individuals, the covered entity must maintain a log of breaches and submit it annually to the Secretary within 60 days after the end of the calendar year.
Administration
• Covered entity must train its workforce;
• Covered entity must have appropriate sanctions against workforce members who fail to comply with its privacy policies;
• Covered entity must change its policies and procedures;
• Covered entity must revise its Business Associate Agreements.

Notification by Business Associate
• Business associate must notify the covered entity of a breach without unreasonable delay but not later than sixty (60) days after discovery.
• Notification shall include the identification of individuals whose PHI has been breached.
• Business associate will provide the covered entity with additional information needed for notice as required above, or promptly thereafter as information becomes available.

NH State Law RSA 359-C:20
• Requires notification of individuals in the event of a security breach of computerized personal information if there is a determination that misuse of the information has occurred or is likely to occur, or if a determination cannot be made.
• Health care providers must also notify the Attorney General’s office.
NH State Law RSA 359-C:20
• Personal information is more limited than PHI.
• Personal information includes:
  o An individual’s first name or initial and last name in combination with any of the following data elements, when the name or the data element is not encrypted:
    - Social Security Number;
    - Driver’s license number or other government ID number; or
    - Account number, credit card number, or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.

NH State Law RSA 359-C:20
• Notification Requirements
  o Written notice
  o Electronic (if that is the primary means of communication with individuals)
  o Telephonic notice (must keep a log)
• HIPAA requires written notification.
NH State Law RSA 359-C:20
• Substitute Notice
  o If the cost of notice would exceed $5000*; or
  o The affected class of individuals exceeds 1000*; or
  o There is insufficient contact information to provide notice;
  then
  o Substitute notice can be given via:
    - Email;
    - Conspicuous posting on web-site; or
    - Notification of major statewide media.
• *HIPAA breach notification requirements will preempt.

NH State Law RSA 359-C:20
• Notice includes:*
  o General description of incident;
  o Approximate date of breach;
  o Type of information involved; and
  o Telephonic contact information where the affected person can call.
• * Notice will also need to comply with HIPAA requirements.
• If more than 1000 are affected, then must also notify all consumer reporting credit agencies, without unreasonable delay (but notice is not required to include names of affected persons).

HIPAA/State Law Interface
• See decision matrix attached as pdf document.
Accounting for Disclosures
• A new requirement to account for disclosures made for treatment, payment and healthcare operations for covered entities using an EHR.
• Effective Dates:
  o By 1/1/2014 for EHRs acquired as of 1/1/2009.
  o By the later of 1/1/2011 or the date the EHR is acquired, for EHRs acquired after 1/1/2009.
• Individuals are entitled to receive an accounting of such disclosures for a period of three years.
• This accounting is of “disclosures” and not “uses”. It is not the same as an audit trail.

“Minimum Necessary”
• Covered entity must limit disclosure of PHI to a limited data set rather than the minimum necessary, to the extent practicable; this will sunset when guidance concerning “minimum necessary” is issued.
• Secretary shall issue guidelines on what constitutes minimum necessary by August 10, 2010.

Requested Restrictions
• Currently an individual can request restrictions on the use and disclosure of PHI, but the covered entity does not have to agree to such requests.
• Under HITECH, covered entities must comply with a request if:
  o The disclosure is to a health plan for payment or healthcare operations; and
  o The PHI pertains to an item or service for which the healthcare provider has been paid out-of-pocket in full.
• Effective Feb. 2010.
Access to Info in EHR
• Individual has a right to receive information stored in an EHR in an electronic format.
• If directed by an individual, the covered entity must transfer a copy to someone designated by the individual.
• Charge cannot be greater than labor costs for responding to the request.
• Effective Feb. 2010.

Marketing and Fundraising - HIPAA Changes (Effective 2/2010)
• If remuneration is received, an authorization is required except in very limited circumstances.
• Marketing communications are not defined as health care operations, except for treatment, case management, care coordination, alternative therapies, providers or care settings, or descriptions of the covered entity’s own services.
• Fundraising communications will need to include a clear and conspicuous opportunity to opt out.
Marketing Changes - NH State Law (Effective 1/1/2010)
• Under HB 619, Marketing means: (1) To make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service, unless the communication is made by the individual’s health care provider:
  o For treatment of the individual;
  o For case management or care coordination for the individual;
  o To direct or recommend alternative treatments, therapies, health care providers or settings of care;
  o For treatment-related reminders or health promotion activities by health care providers.
• (2) An arrangement whereby the health care provider discloses PHI in exchange for payment so that a third party can make a marketing communication about its own products/services.
• An authorization is required for any use or disclosure of marketing information.
• To the extent State law is contrary to HIPAA and more protective of privacy, State law will preempt HIPAA.

Fundraising - NH Law
• Fundraising communications must include a clear and conspicuous opportunity to opt out of receiving such communications. Notice must be provided:
  o 60 days prior to any fundraising communication; or
  o In the Notice of Privacy Practices, if the notice is given prior to any fundraising communication;
  o In any subsequent fundraising communications.
• Once a person opts out, it is treated as a revocation of an authorization.

Marketing and Fundraising - NH Law
• Enforcement: An aggrieved individual may bring a civil action under RSA 332-I:4 or 332-I:5 and, if successful, shall be awarded special or general damages of not less than $1000 for each violation, and costs and reasonable legal fees.
• The interface between state and federal law is still to be determined.
Prohibition on the Sale of EHR/PHI
• HITECH prohibits a covered entity from receiving direct or indirect remuneration in exchange for PHI unless the person provides a valid authorization.
• Exceptions:
  o Public health activities;
  o Research (price is for preparation and transmittal of data);
  o For treatment of the individual;
  o For health care operations associated with the sale/merger/consolidation of the covered entity;
  o Payment by the covered entity for the services of a business associate;
  o To provide the individual a copy of the record.

Prohibition on the Sale of EHR/PHI
• Secretary to promulgate regulations not later than 18 months after enactment.
• Prohibition becomes effective 6 months after regulations are promulgated.

Business Associates
• Breach notification requirements apply.
• Security Rule Sections 45 CFR §§ 164.308, 310, 312, 316 apply.
• HIPAA provisions governing use and disclosure of PHI apply to business associates.
• Civil and criminal penalties now apply to business associates.
• Business Associates will need to maintain an accounting of any disclosures of EHR.
HIPAA Enforcement and Penalties
Categories of violations and respective penalty amounts available (Section 1176(a)(1)):

Violation category                         Each violation     All such violations of an identical provision in a calendar year
(A) Did Not Know                           $100-$50,000       $1,500,000
(B) Reasonable Cause                       $1,000-$50,000     $1,500,000
(C)(i) Willful Neglect - Corrected         $10,000-$50,000    $1,500,000
(C)(ii) Willful Neglect - Not Corrected    $50,000            $1,500,000
HIPAA Enforcement and Penalties
• Reasonable cause means circumstances that would make it unreasonable for the covered entity, despite the exercise of ordinary business care and prudence, to comply with the [HIPAA] provision violated.
• Reasonable diligence means the business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances.
• Willful neglect means conscious, intentional failure or reckless indifference to the obligation to comply with the [HIPAA] provision violated.

HIPAA Enforcement and Penalties
• HIPAA imposes a minimum penalty amount in each category.
• Previously, a covered entity would have an affirmative defense if it did not know, or reasonably would not have known, of the violation;
• HITECH removes this affirmative defense;
• However, if the violation is not due to willful neglect and is corrected within 30 days of discovery (or the date the covered entity should have known by exercising reasonable diligence), this will be an affirmative defense.

HIPAA Enforcement and Penalties
• Secretary still has discretion to limit or waive penalties in cases due to reasonable cause and not willful neglect.
• No later than 3 years after enactment, the Secretary shall establish a methodology under which an individual harmed may receive a percentage of the penalties collected.
Enforcement by State Attorneys General
• State Attorneys General may bring a civil action on behalf of residents of the State who have been or are threatened or adversely affected by any person violating the statute:
  o State may seek equitable injunctive relief.
  o Damages are calculated by multiplying $100 times the number of violations.
  o Total amount of damages for identical violations in a calendar year is $25,000.
  o State may seek payment of attorney fees.