TRANSCRIPT
HIPAA Final Rules: What You Need to Know and Do
February 06, 2013 ID Experts
www2.idexpertscorp.com
ID Experts Webinar Series
ID Experts delivers complete data breach care. The company's solutions in data breach prevention, analysis and response are endorsed by the American Hospital Association, meet regulatory compliance and achieve the most positive outcomes for its customers. ID Experts is a leading advocate for privacy as a contributor to legislation, a corporate and active member in both the IAPP and HIMSS, a corporate member of HCCA and chairs the ANSI Identity Management Standards Panel PHI Project. For more information visit: • www2.idexpertscorp.com • RADAR: Risk Assessment, Documentation And Reporting • Complete Data Breach Care
Mahmood Sher-Jan, VP of Product Management, ID Experts
Adam H. Greene, JD, MPH, Partner, Davis Wright Tremaine LLP
Agenda
• Review the scope and history of the rules
• Key areas of change: what’s new and what’s different
• Implications of the removal of the harm threshold from breach notification
• What the changes mean for covered entities and business associates
• Guidance and recommendations for compliance
The Wait is Over
The “Omnibus Rule”
• Most of HITECH Act privacy and security provisions
• Breach Notification Rule
• Genetic Information Nondiscrimination Act (limit on underwriting)
• Enforcement Rule
• Several workability amendments
• General Compliance Date: September 23, 2013
What’s Still Missing?
• Accounting of disclosures/access reports
• Minimum necessary guidance
• Distribution of penalties/settlements to harmed individuals
NEW LIMITS ON USES AND DISCLOSURES OF PHI
The Good News: Fundraising
• Adds categories of PHI that may be used or disclosed for fundraising:
– Department of service
– Treating physician
– Outcome information
– Health insurance status
The Good News: Fundraising
• Strengthens opt-out for fundraising:
– Clear and conspicuous
– Must not require undue burden
– May not condition treatment or payment
– Covered entity may not make fundraising communications after opt-out (previous standard was “reasonable effort”)
• Covered entity may provide method of opting back in
The Good News: Research
• Covered entities may combine “conditioned” and “unconditioned” authorizations
– For example, conditioned authorization for clinical trial may be combined with unconditioned authorization for tissue specimen repository
The Good News: Research
• Authorization must differentiate between conditioned and unconditioned portions
• Unconditioned authorization must be opt in, e.g.:
– Check box
– Second signature line
The Good News: Research
• HHS changed interpretation on authorization for future research:
– Prior interpretation: authorization for research must be study specific
– New interpretation: authorization may govern future research
– Authorization must reasonably put individual on notice of potential future research
The Good News: Student Immunization Records
• Covered entity may release student immunization records to school without authorization:
– If state law requires school to have immunization record
– Written or oral agreement (must be documented)
The Good News: Decedent Information
• No longer PHI 50 years after death
• Covered entity may disclose PHI to persons involved in decedent’s care or payment if not contrary to prior expressed preference
The Bad News: Marketing
• Question 1: Communication about a product or service that encourages purchase or use? If yes, marketing.
• Question 2: Describes health-related item or service offered by covered entity or treatment alternative? If yes, no longer marketing.
• (New) Question 3: Remuneration received from third party whose item or service is described? If yes, marketing again (authorization required).
The Bad News: Sale of PHI
• Covered entity may not receive remuneration in exchange for PHI
• Exceptions (no limit):
– Treatment
– Payment
– Public health
– Sale of covered entity and related due diligence
– Required by law
The Bad News: Sale of PHI
• Exceptions (no limit):
– Business associate activities
• Exceptions (limits):
– Any other permissible purpose if remuneration limited to reasonable, cost-based fee for preparation and transmittal (not in HITECH Act)
– Research
– To an individual for access and accounting
The Bad News: Genetic Information
• Clarification that genetic information is health information
• Health plan (other than long-term care plan) may not use or disclose genetic information for underwriting purposes
BUSINESS ASSOCIATES AND SUBCONTRACTORS
Who Is a Business Associate?
• New definition of business associate
– Uses or discloses individually identifiable health information
– Creates, receives, maintains, or transmits protected health information
• On behalf of a covered entity
Subcontractors: Welcome to the HIPAA Party!
• Subcontractor + PHI = Business Associate
• Subcontractor = Person to whom a business associate delegates a function, activity, or service
• Subcontractor ≠ workforce member
• All the way down the chain (contractual relationships should remain the same)
Liability of Business Associates
• Impermissible uses and disclosures
• Breach notification to covered entity
• Failure to provide e-copy of ePHI as specified in the business associate contract
• Failure to disclose PHI to HHS for HIPAA investigation
• Failure to provide an accounting of disclosures
• Failure to comply with the applicable requirements of the Security Rule
Business Associate Contracts
• Must specify compliance with Breach Notification Rule
• Should specify to whom BA provides electronic access
• If CE delegates HIPAA responsibility, must specify that BA will comply with HIPAA
• 1-yr grandfathering may be available
INCREASED PATIENT RIGHTS
Electronic Copy of PHI
Old Rule:
– Form or format requested, if readily producible
– If not readily producible, then readable hard copy
New Rule:
– If not readily producible and maintained electronically, then readable electronic copy
Copy of PHI to Third Party
• Individual may designate third party to receive copy:
– Must be in writing
– Clearly identify the designated person
– Clearly identify where to send the copy
• Access vs. Authorization further confused
Restriction for Out-of-Pocket Payments
• Covered entity must agree to individual’s request to restrict disclosure to health plan, if:
– For payment or health care operations,
– Disclosure is not required by law, and
– Individual (or person on individual’s behalf) pays for item or service in full out of pocket
NOTICE OF PRIVACY PRACTICES
30
Changes to Notice of Privacy Practices
• Prohibition on sale of PHI
• Duty to notify affected individuals of a breach of unsecured PHI
• Right to opt out of fundraising (if applicable)
• Right to restrict disclosure of PHI when paid out of pocket
• Limit on use of genetic information (certain health plans only)
31
BREACH NOTIFICATION RULE
32
New “Compromise Standard”
• Replaces the interim final rule’s harm standard (“significant risk of financial, reputational, or other harm”)
• Removes the exception for a limited data set without ZIP codes or dates of birth
• Presumption of reportable breach, unless risk assessment shows a low probability that the PHI has been compromised
Risk Assessment
• Risk assessment must include four required elements
• What is “compromised”?
– Comment to interim final rule suggesting compromise standard indicates that it is whether PHI is “inappropriately viewed, re-identified, re-disclosed, or otherwise misused”
PRACTICAL IMPLICATIONS OF BREACH NOTIFICATION RULE
35
Data Breaches Keep Happening
• Nearly 60% of respondents’ organizations had suffered an incident in the last year, and 20% had suffered four or more.
• Leading source of data breaches: lost paper files (38%)
• Leading source of breaches, and of their discovery: rank-and-file (non-IT) employees (47%)
SOURCE: HCCA/SCCE survey (published Jan, 2013)
The Human Factor! Breach types (chart):
• Theft, 50%
• Unauthorized Access, 18%
• Loss/Improper Disposal, 16%
• Hacking/IT Incident, 6%
• Other, 10%
Breach Notification: Spirit of the Rule (the intent behind the obligation to notify)
• Put pressure on the healthcare industry to better safeguard patient privacy by protecting PHI
• Increase patient/consumer confidence in privacy protection
• Mitigate harm to the affected individuals when consequential events occur
Factors for Incident Risk Assessment: Before and After Final Rule
Before:
• Type of PHI disclosed
• Recipient of PHI
• Accessed; Disclosed; Used; Acquired
• Intent of Recipient
• Steps Taken to Mitigate or Eliminate Risk of Harm
After:
• Type of PHI disclosed
• Recipient of PHI
• Accessed; Viewed; Re-Identified; Re-Disclosed
• Intent of Recipient
• Steps Taken to Mitigate Risk to PHI
Know The Statutory Exceptions (the remaining exceptions)
• Unintentional Good Faith Acquisition of PHI by Workforce Member (CE/BA/Subcontractors)
• Inadvertent Disclosure between Authorized Persons in an organized healthcare arrangement (i.e., clinically integrated care setting)
• Good Faith Belief that Unauthorized Person Could not have Reasonably Retained the Information
Incident Management: Burden of Proof Requires more than issue tracking & ad-hoc risk assessment
[Chart: solutions plotted by “Solution Scope & Automation” against “Ease of Use & Affordability”; RADAR™ shown]
INCREASED ENFORCEMENT
Focus on Willful Neglect
• Willful neglect: Conscious, intentional failure or reckless indifference
• OCR will investigate all cases of possible willful neglect
• OCR will impose penalty on all violations due to willful neglect
• Greater OCR discretion to proceed directly to penalty without seeking informal resolution
Other Enforcement Changes
• Revised definition of reasonable cause (fills gap between “did not know …” and willful neglect)
• Vicarious liability for business associate agents
• Modification of factors impacting CMP calculation
ACTION ITEMS
Compliance & Risk Mitigation Actions
For Covered Entities
• Conduct Compliance Assessment: Privacy, Security & Breach Notification Rules
• Amend Policies, Training & NPP
• Perform/Update Risk Analysis
• Revise Incident Management Process (Burden of Proof)
• Develop a Business Associate Strategy
– Update Agreement Template (Agent?)
– Monitoring for Compliance?
Compliance & Risk Mitigation Actions
For Business Associates
• Confirm your BA classification!
– BA Agreement (are you an “agent”)?
– Subcontract Assurances
• Do you have a compliance program?
– Risk analysis & risk management plan
– Policies & Procedures
– Workforce training & awareness
– How do you monitor your sub-contractors?
• What is your incident detection and response plan?
– Incident documentation and risk assessment (Burden of Proof)
– Covered Entity reporting timeline
Resources
• Omnibus HIPAA Rule:
http://www.hhs.gov/ocr/privacy/hipaa/administrative/omnibus/index.html
• Breach Notification Rule: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/index.html
• OCR audit website: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/index.html
• NIST IRP Planning Guide: http://csrc.nist.gov/publications/drafts/800-61-rev2/draft-sp800-61rev2.pdf
Resources
• ID Experts RADAR: http://www2.idexpertscorp.com/RADAR
• Privacy Incident Management Solution Guide: http://www2.idexpertscorp.com/breach-tools/radar/solution-guide/
• Davis Wright Tremaine Blog: http://www.dwt.com/New-Omnibus-Rule-Released-HIPAA-Puts-on-More-Weight-01-23-2013/
Questions & Answers
Mahmood Sher-Jan, CHPC, VP of Product Management, ID Experts: 971-242-4706
Adam Greene, JD, MPH, Partner, Davis Wright Tremaine LLP: 202-973-4213
If you are having a breach now, call 866-726-4271
Events of Interest
• 21st National HIPAA Summit, Washington, D.C., February 19 - 21
– Adam Greene, co-chairing and presenting
– Keynote presentations from top OCR officials on the Omnibus Rule
– Additional information is available at www.hipaasummit.com
• PHI Protection Network Forum on PHI Security, Boston, MA, March 12 - 13
– Presentations from PHI Privacy Experts
– Leave with the knowledge necessary to build, present and defend a customized business case for PHI security initiatives tailored exclusively for your enterprise
– Additional information is available at http://phiprotection.org