HIPAA Final Rules: What You Need to Know and Do February 06, 2013 ID Experts www2.idexpertscorp.com



ID Experts Webinar Series

ID Experts delivers complete data breach care. The company's solutions in data breach prevention, analysis and response are endorsed by the American Hospital Association, meet regulatory compliance and achieve the most positive outcomes for its customers. ID Experts is a leading advocate for privacy as a contributor to legislation, a corporate and active member in both the IAPP and HIMSS, a corporate member of HCCA, and chairs the ANSI Identity Management Standards Panel PHI Project. For more information visit:

• www2.idexpertscorp.com

• RADAR: Risk Assessment, Documentation And Reporting

• Complete Data Breach Care


Mahmood Sher-Jan, VP of Product Management, ID Experts

Adam H. Greene, JD, MPH, Partner, Davis Wright Tremaine LLP


Agenda

• Review the scope and history of the rules

• Key areas of change: what’s new and what’s different

• Implications of the removal of the harm threshold from breach notification

• What the changes mean for covered entities and business associates

• Guidance and recommendations for compliance


The Wait is Over


The “Omnibus Rule”

• Most of HITECH Act privacy and security provisions

• Breach Notification Rule

• Genetic Information Nondiscrimination Act (limit on underwriting)

• Enforcement Rule

• Several workability amendments

• General Compliance Date: September 23, 2013


What’s Still Missing?

• Accounting of disclosures/access reports

• Minimum necessary guidance

• Distribution of penalties/settlements to harmed individuals


NEW LIMITS ON USES AND DISCLOSURES OF PHI


The Good News: Fundraising

• Adds categories of PHI that may be used or disclosed for fundraising:

  – Department of service

  – Treating physician

  – Outcome information

  – Health insurance status


The Good News: Fundraising

• Strengthens opt-out for fundraising:

  – Clear and conspicuous

  – Must not require undue burden

  – May not condition treatment or payment

  – Covered entity may not make fundraising communications after opt-out (previous standard was “reasonable effort”)

• Covered entity may provide method of opting back in


The Good News: Research

• Covered entities may combine “conditioned” and “unconditioned” authorizations

  – For example, conditioned authorization for a clinical trial may be combined with unconditioned authorization for a tissue specimen repository


The Good News: Research

• Authorization must differentiate between conditioned and unconditioned portions

• Unconditioned authorization must be opt in, e.g.,

  – Check box

  – Second signature line


The Good News: Research

• HHS changed interpretation on authorization for future research:

  – Prior interpretation – Authorization for research must be study specific

  – New interpretation – Authorization may govern future research

  – Authorization must reasonably put individual on notice of potential future research


The Good News: Student Immunization Records

• Covered entity may release student immunization records to school without authorization

  – If state law requires school to have immunization record

  – Written or oral agreement (must be documented)


The Good News: Decedent Information

• No longer PHI 50 years after death

• Covered entity may disclose PHI to persons involved in decedent’s care or payment if not contrary to prior expressed preference


The Bad News: Marketing

• Question 1: Communication about a product or service that encourages purchase or use? If yes, marketing.

• Question 2: Describes health-related item or service offered by covered entity or treatment alternative? If yes, no longer marketing.

• (New) Question 3: Remuneration received from third party whose item or service is described? If yes, marketing again (authorization required).


The Bad News: Sale of PHI

• Covered entity may not receive remuneration in exchange for PHI

• Exceptions (no limit):

  – Treatment

  – Payment

  – Public health

  – Sale of covered entity and related due diligence

  – Required by law


The Bad News: Sale of PHI

• Exceptions (no limit)

  – Business associate activities

• Exceptions (limits)

  – Any other permissible purpose if remuneration is limited to a reasonable, cost-based fee for preparation and transmittal (not in HITECH Act)

  – Research

  – To an individual for access and accounting


The Bad News: Genetic Information

• Clarification that genetic information is health information

• Health plan (other than long-term care plan) may not use or disclose genetic information for underwriting purposes


BUSINESS ASSOCIATES AND SUBCONTRACTORS


Who Is a Business Associate?

• New definition of business associate

– Uses or discloses individually identifiable health information

– Creates, receives, maintains, or transmits protected health information

• On behalf of a covered entity


Subcontractors: Welcome to the HIPAA Party!

• Subcontractor + PHI = Business Associate

• Subcontractor = Person to whom a business associate delegates a function, activity, or service

• Subcontractor ≠ workforce member

• All the way down the chain (contractual relationships should remain the same)


Liability of Business Associates

• Impermissible uses and disclosures

• Breach notification to covered entity

• Failure to provide e-copy of ePHI as specified in the business associate contract

• Failure to disclose PHI to HHS for HIPAA investigation

• Failure to provide an accounting of disclosures

• Failure to comply with the applicable requirements of the Security Rule


Business Associate Contracts

• Must specify compliance with Breach Notification Rule

• Should specify to whom BA provides electronic access

• If CE delegates HIPAA responsibility, must specify that BA will comply with HIPAA

• 1-yr grandfathering may be available


INCREASED PATIENT RIGHTS


Electronic Copy of PHI

Old Rule:

  – Form or format requested, if readily producible

  – If not readily producible, then readable hard copy

New Rule:

  – If not readily producible and maintained electronically, then readable electronic copy


Copy of PHI to Third Party

• Individual may designate third party to receive copy

  – Must be in writing

  – Clearly identify the designated person

  – Clearly identify where to send the copy

• Access vs. Authorization further confused


Restriction for Out-of-Pocket Payments

• Covered entity must agree to individual’s request to restrict disclosure to health plan, if:

  – For payment or health care operations,

  – Disclosure is not required by law, and

  – Individual (or person on individual’s behalf) pays for item or service in full out of pocket


NOTICE OF PRIVACY PRACTICES


Changes to Notice of Privacy Practices

• Prohibition on sale of PHI

• Duty to notify affected individuals of a breach of unsecured PHI

• Right to opt out of fundraising (if applicable)

• Right to restrict disclosure of PHI when paid out of pocket

• Limit on use of genetic information (certain health plans only)


BREACH NOTIFICATION RULE


New “Compromise Standard”

• “Significant risk of financial, reputational, or other harm”

• Exception for limited data set without ZIP codes or dates of birth

• Presumption of reportable breach, unless low probability the PHI has been compromised after risk assessment


Risk Assessment

• Risk assessment must include four required elements

• What is “compromised”?

  – Comment to interim final rule suggesting compromise standard indicates that it is whether PHI is “inappropriately viewed, re-identified, re-disclosed, or otherwise misused”


PRACTICAL IMPLICATIONS OF BREACH NOTIFICATION RULE


Data Breaches Keep Happening

• Nearly 60% of respondents’ organizations had suffered an incident in the last year, and 20% had suffered four or more.

• Leading source of data breaches: lost paper files (38%)

• Leading source and discovery: rank-and-file employees (47%) (non-IT)

SOURCE: HCCA/SCCE survey (published Jan. 2013)

The Human Factor!

Breach Types (chart): Theft 50%; Unauthorized Access 18%; Loss/Improper Disposal 16%; Hacking/IT Incident 6%; Other 10%


Breach Notification: Spirit of the Rule

• Put pressure on the healthcare industry to better safeguard patient privacy by protecting PHI

• Increase patient/consumer confidence in privacy protection

• Mitigate harm to the affected individuals when consequential events occur

The intent behind the obligation to notify


Factors for Incident Risk Assessment

Before:

• Type of PHI disclosed

• Recipient of PHI

• Accessed; Disclosed; Used; Acquired

• Intent of Recipient

• Steps Taken to Mitigate or Eliminate Risk of Harm

After:

• Type of PHI disclosed

• Recipient of PHI

• Accessed; Viewed; Re-Identified; Re-Disclosed

• Intent of Recipient

• Steps Taken to Mitigate Risk to PHI

Before and After Final Rule


Know The Statutory Exceptions

• Unintentional Good Faith Acquisition of PHI by Workforce Member (CE/BA/Subcontractors)

• Inadvertent Disclosure between Authorized Persons in an organized healthcare arrangement (i.e. clinically integrated care setting)

• Good Faith Belief that Unauthorized Person Could not have Reasonably Retained the Information

The Remaining Exceptions


Incident Management: Burden of Proof

Requires more than issue tracking & ad-hoc risk assessment

[Chart: RADAR™ plotted against Solution Scope & Automation and Ease of Use & Affordability]


INCREASED ENFORCEMENT


Focus on Willful Neglect

• Willful neglect: Conscious, intentional failure or reckless indifference

• OCR will investigate all cases of possible willful neglect

• OCR will impose penalty on all violations due to willful neglect

• Greater OCR discretion to proceed directly to penalty without seeking informal resolution


Other Enforcement Changes

• Revised definition of reasonable cause (fills gap between “did not know …” and willful neglect)

• Vicarious liability for business associate agents

• Modification of factors impacting CMP calculation


ACTION ITEMS


Compliance & Risk Mitigation Actions

• Conduct Compliance Assessment – Privacy, Security & Breach Notification Rules

• Amend Policies, Training & NPP

• Perform/Update Risk Analysis

• Revise Incident Management Process (Burden of Proof)

• Develop a Business Associate Strategy

  – Update Agreement Template (Agent?)

  – Monitoring for Compliance?

For Covered Entities


Compliance & Risk Mitigation Actions

• Confirm your BA classification!

  – BA Agreement (are you an “agent”)?

  – Subcontract Assurances

• Do you have a compliance program?

  – Risk analysis & risk management plan

  – Policies & Procedures

  – Workforce training & awareness

  – How do you monitor your subcontractors?

• What is your incident detection and response plan?

  – Incident documentation and risk assessment (Burden of Proof)

  – Covered Entity reporting timeline

For Business Associates


Resources

• Omnibus HIPAA Rule: http://www.hhs.gov/ocr/privacy/hipaa/administrative/omnibus/index.html

• Breach Notification Rule: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/index.html

• OCR audit website: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/index.html

• NIST IRP Planning Guide: http://csrc.nist.gov/publications/drafts/800-61-rev2/draft-sp800-61rev2.pdf


Resources

• ID Experts RADAR: http://www2.idexpertscorp.com/RADAR

• Privacy Incident Management Solution Guide: http://www2.idexpertscorp.com/breach-tools/radar/solution-guide/

• Davis Wright Tremaine Blog: http://www.dwt.com/New-Omnibus-Rule-Released-HIPAA-Puts-on-More-Weight-01-23-2013/


Questions & Answers

Mahmood Sher-Jan, CHPC, VP of Product Management, ID Experts, 971-242-4706

Adam Greene, JD, MPH, Partner, Davis Wright Tremaine LLP, 202-973-4213

If you are having a breach now, call 866-726-4271


Events of Interest

• 21st National HIPAA Summit, Washington, D.C. – February 19 - 21

  – Adam Greene, co-chairing and presenting

  – Keynote presentations from top OCR officials on the Omnibus Rule

  – Additional information is available at www.hipaasummit.com

• PHI Protection Network Forum on PHI Security, Boston, MA – March 12 - 13

  – Presentations from PHI privacy experts

  – Leave with the knowledge necessary to build, present and defend a customized business case for PHI security initiatives tailored exclusively for your enterprise

  – Additional information is available at http://phiprotection.org