HIPAA Omnibus Final Rule: Understanding the Risks and Developing Compliance Strategy June 23, 2014 Presented by Jennifer Breuer, David Mayer and Sara Shanti Sponsored by:


HIPAA Omnibus Final Rule: Understanding the Risks and Developing Compliance Strategy

June 23, 2014

Presented by Jennifer Breuer, David Mayer and Sara Shanti

Sponsored by:


Program Outline

Background – HIPAA Omnibus Final Rule

Business Associates

– New responsibilities for business associates

– Changes to Business Associate Agreements that must be in place as of September 23, 2014

– Recommended compliance strategies

Security Risk Analyses

Enforcement

OCR Audits


BACKGROUND



Background – HIPAA Omnibus Final Rule


Announced on January 17, 2013

Published in Federal Register on January 25, 2013

– http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf

Effective on March 26, 2013

Initial Compliance Date: September 23, 2013

– HHS began enforcing Final Rule on the Initial Compliance Date

Final Compliance Date: September 23, 2014

– If existing BAAs were not renewed or modified between March 26 and September 23, 2013, they will remain compliant until the earlier of:

• The date the BAA is renewed or modified after September 23, 2013; or

• September 22, 2014


BUSINESS ASSOCIATES


Business Associates (BAs)

The HIPAA Omnibus Final Rule made the following key changes to Business Associates:

– Expands definition of BAs

– Expands compliance obligations applicable to BAs

– Explains scope of direct liability for violations applicable to BAs

– Identifies required changes to BA agreements


Business Associates: Definition (cont’d)

BAs are still BAs:

– A person or entity who creates, receives, maintains, or transmits PHI on behalf of a Covered Entity

• Change reflected in the addition of “maintains”

Definition of BA now specifically includes:

– Health Information Organization, E-Prescribing Gateway, or other person who provides data transmission services with respect to PHI to a Covered Entity and who requires access to such PHI on a routine basis

– A person who offers a personal health record to one or more individuals on behalf of a Covered Entity

• This does not include PHR vendors that offer PHR directly to an individual and not on behalf of a Covered Entity


Business Associates: Definition (cont’d)

Subcontractors are now BAs:

– Definition of “business associate” now includes a “subcontractor that creates, receives, maintains, or transmits [PHI] on behalf of the business associate”

• “Subcontractor” is a person to whom a BA delegates function, activity or service, other than in the capacity of a member of the workforce of such BA

• BA does not need to provide Subcontractor with PHI directly

– A Covered Entity can provide PHI directly to a BA’s subcontractor without the subcontractor being the Covered Entity’s direct BA

Note: a BA’s disclosure of PHI for its own management, administration and legal responsibilities may not create a subcontractor relationship with the recipient


Responsibilities of Business Associates

BAs are governed by:

– HIPAA

• Most Security Rule standards and implementation specifications extend directly to BA

• All relevant Privacy Rule provisions extend directly to BA

• Legal obligations and enforcement risks

– Contracts

• Terms of the BAA continue to govern BAs

• Terms of Master Services Agreements, Confidentiality Agreements, etc.

– Vicarious liability

• Common law

• BAs may be “agents” of Covered Entity


Responsibilities of Business Associates (cont’d)

BAs are now directly liable for:

– Security Rule compliance

• Complying with administrative, physical, and technical safeguards and documentation requirements

• BAs must conduct a risk analysis of potential security risks and vulnerabilities

– Uses and disclosures of PHI only as permitted:

• Under BAA – BA must comply with terms of BAA

• Under HIPAA – BA cannot use PHI in a manner that would be impermissible by a Covered Entity


Responsibilities of Business Associates (cont’d)

BAs also directly liable for:

– Failing to notify Covered Entities of breaches of unsecured PHI

– Failing to disclose PHI when required by HHS to determine compliance

– Failing to disclose PHI to Covered Entity or individual to satisfy an individual’s request for electronic copy of PHI

– Failing to make reasonable efforts to limit use and disclosure of PHI to minimum necessary

– Failure to enter into BAAs with subcontractors


Responsibilities of Business Associates (cont’d)

A BA that becomes aware of noncompliance by a subcontractor must:

– Take reasonable steps to cure the breach or end the violation

– If steps are unsuccessful, terminate the relationship

Otherwise, the BA may face liability for its own noncompliance with BA requirements


BUSINESS ASSOCIATE AGREEMENTS



Business Associate Agreements


BAAs must require BAs to:

– Use appropriate safeguards for electronic PHI

– Report to Covered Entity use or disclosure of PHI not provided in the BAA, including:

• Breaches of unsecured PHI

• Any security incident

– Ensure that “subcontractors” agree to the same restrictions and conditions as the BA with regard to PHI

– If a BA carries out a Covered Entity’s obligation under HIPAA, comply with those HIPAA requirements that would apply to Covered Entity in the performance of such obligation


Business Associate Agreements (cont’d)


Other key changes to BAAs (since last modified in June 2006):

– BA must comply with the Security Rule

• Risk Analysis

• Safeguards

• Reporting

– BA must maintain and make available information required to make an accounting of disclosures

Sample BAA

– HHS released a form of BAA on January 25, 2013

– http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html


Business Associates and Subcontractors

Must have BAAs in place, even though BAs are directly liable under many provisions of HIPAA

BAs must enter into BAAs with their subcontractors

– BA may disclose PHI to a subcontractor only with a BAA

– No BAA is required between Covered Entity and the BA’s subcontractor

Each BAA in the chain must be at least as stringent as the one above it regarding the uses and disclosures of PHI

– Extension of rules not limited to “first tier” contractors, but to all downstream contractors

BA, as opposed to Covered Entity, is responsible for responding to any noncompliant subcontractors


Other BAA Terms and Trends

Industry trends in BAAs

– BA Indemnification

• Specifically, related to breaches that require costly notification

– Permit Aggregation

– Permit De-identification

– Acknowledgements of BA obligations under HIPAA

– Liability could attach under agency theory


BUSINESS ASSOCIATES: COMPLIANCE STRATEGIES



Compliance Strategies


Do not aim to “overachieve”

– HHS looks to the BAA and internal policies for compliance

– Where internal policies are more restrictive than HIPAA standards, HHS may determine noncompliance on the basis of policies rather than legal requirements


Compliance Strategies

More covered entities are using BAAs to transfer obligations

– Some highlight BA HIPAA obligations

– Some insert additional compliance requirements

– Some use BAAs to limit the covered entity’s own liability

• Indemnification clauses

• Reference to MSA clauses

• Insurance requirements


SECURITY RISK ANALYSES


Security Risk Analyses

HIPAA requires BAs to conduct the same security risk analysis that a Covered Entity must undertake

Covered Entities must:

– Conduct an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality, integrity and availability of the electronic protected health information held by the organization


Security Risk Analyses

OCR believes Risk Analyses are best practices in the health care industry

Covered Entities have been subject to this Security Rule requirement since April 2003

– Enforced by OCR since July 2009

In the case of a breach or other investigation, OCR will request a copy of a CE Risk Analysis:

– Risk Analysis should be current

• Should be reviewed/revised every 2 or 3 years

– Risk Analysis should reflect changes in operations

• E.g., implementation of new systems

– Risk Analysis should address mobile devices


Security Risk Analyses

Risk Analysis should be scalable and flexible

– Does not have to be a single document

Risk Analysis can be a useful business tool for determining the IT strengths and weaknesses of an organization

– More and more CEs and other contractors want to review their vendors’ security risk analyses

Risk Analysis requires an organization to consider what administrative, physical and technical safeguards it has in place to protect PHI


Elements of a Risk Analysis

Identify ePHI within the organization

– All systems, programs and applications used to create, maintain, receive and transmit ePHI

Identify all external sources of ePHI

– Third-party vendors, consultants and subcontractors

Review human and environmental threats

– Current Security Measures

– Likelihood of Threat

– Impact of Threat

Document all of the above


Elements of a Risk Analysis

Vulnerability

– A system weakness that could result in a breach

Threat

– The potential for a person or thing to exercise a vulnerability

Risk

– The impact considering the probability of a given vulnerability and threat

The Risk Analysis should identify each Vulnerability, Threat and Risk as High, Medium or Low


GOVERNMENT ENFORCEMENT


Enforcement Process



Enforcement Trends


Recent Enforcement Actions

Columbia University/New York Presbyterian Hospital (2014)

– Impermissible disclosure of ePHI of 6,800 patients to Google/other search engines

• Disclosed PHI included patient status, vital signs, medications and lab results

• Computer server with access to ePHI was not properly configured

– Failure to conduct accurate and thorough risk analysis

– HHS investigation found:

• Failure to implement processes for assessing and monitoring all IT systems that accessed PHI

• Failure to implement policies and procedures for authorizing access to databases containing PHI

• Failure to follow policies on information access management

– $4.8 MM resolution payment to HHS; largest settlement to date


Recent Enforcement Actions (cont’d)

Concentra Health Services (2014)

– Unencrypted laptop stolen from PT department

– HHS investigation found:

• Failure to adequately remediate and manage its identified lack of encryption

– Risk analysis did not address why encryption was not reasonable and appropriate and what other measures would be taken to secure PHI

• Failure to implement policies and procedures to prevent, detect, contain and correct security violations

– $1.7 MM resolution payment to HHS


Recent Enforcement Activities (cont’d)

Shasta Regional Medical Center (2013)

– SRMC responded to media allegations of Medicare fraud by providing information about medical services provided to patient without authorization

• Disclosures made to California Watch, The Record Searchlight and The Los Angeles Times

– SRMC also revealed the patient’s PHI to its entire workforce and medical staff without authorization

– HHS investigation found:

• Failure to safeguard PHI

• Impermissible use of PHI

• Failure to sanction appropriate workforce members pursuant to internal sanctions policy

– $275,000 resolution payment to HHS


Recent Enforcement Activities (cont’d)

Phoenix Cardiac Surgery, P.C. (2013)

– Practice published patient scheduling information to publicly accessible, Internet-based calendar and transmitted ePHI from Practice’s e-mail account to workforce members’ personal e-mail account

– HHS investigation found:

• Failure to provide and document training of workforce members on use and disclosure of PHI

• Failure to implement administrative and technical safeguards to protect ePHI

– No Security Official identified

• Failure to obtain satisfactory assurances from business associates that they would appropriately safeguard ePHI

– No Risk Analysis performed

– No BAA in place with vendor that provided Internet-based calendar

– $100,000 resolution payment to HHS


Recent Enforcement Activities (cont’d)

Future Enforcement

– OCR anticipates more aggressive enforcement

• Attention on risk analyses

• Mobile devices

– Monetary settlements

– Corrective Action Plans

Common Law

– Post-breach private actions

• State jurisdictions

• Standards of harm vary (including lack thereof)


OCR AUDITS


2012 Implementation of Pilot Audit Program

Audit Protocol Design

• Create a comprehensive, flexible process for analyzing entity efforts to provide regulatory protections and individual rights

Resulting Audit Program

• Conducted 115 performance audits from November 2011 through December 2012 to identify findings with regard to adherence to standards. Two phases:

• Initial 20 audits tested original audit protocol

• Final 95 audits used modified audit protocol


Audit Program Likely to Begin Again in 2014

Pilot Program is currently under review for effectiveness

Lessons from Pilot Program will be implemented in future program

Future audits likely to include CEs and BAs

– 1,200 candidates identified as potential audit targets

• Two-thirds are CEs; one-third are BAs

– Number of actual audits likely to be much less than 1,200

Future audits likely to focus on Security Rule compliance

– Failure to perform a thorough risk analysis is the biggest source of Security Rule violation


Understanding HIPAA Audits

NOT an investigation

Random

– Does NOT indicate that a complaint has been filed or that OCR is suspicious about the audit target

NOT intended to be confrontational

Covered Entities (and BAs) need to be prepared for Audits

– Provide prompt and complete cooperation during Audit

– Conduct regular self-audits to prepare (at least annually)

– DOCUMENT compliance activities; make sure documentation is organized and accessible


Who Can Be Audited?

Any Covered Entity

For Pilot Program, OCR reviewed range of types/sizes

• Health plans of all types

• Health care clearinghouses

• Individual and organizational providers


What to Expect During an Audit

Notification letter

– Auditee should confirm its authenticity

Letter will request documentation (10-day turnaround)

Letter will provide notice of a site audit (30 – 90 days from date of letter)

Site Visit

– Interview of key personnel

– Observations of processes and operations

Receipt of Draft Report/Opportunity to Respond (10 days)

– OCR will not see draft report

Issuance of Final Audit Report

– OCR will receive copy of final report, which incorporates the steps the auditee has taken to resolve any compliance issues identified by the audit and describes any best practice

Audit Protocol available on OCR’s website


Questions?


Contact Information

Jennifer Breuer, Partner
Drinker Biddle & Reath LLP
(312) [email protected]

David Mayer, Senior Advisor
Drinker Biddle & Reath LLP
(312) 569-1060
[email protected]

Sara Shanti, Associate
Drinker Biddle & Reath LLP
(312) [email protected]

Or, visit our website for more information at: www.DrinkerBiddleHealthCare.com


Thank you to our sponsor

Iatric Systems Business Associate Manager™ manages the risk and workflow necessary for organizations to ensure due diligence with their business associate relationships. By monitoring and managing the risk of business associate agreements and providing alerts when agreements need updating, Business Associate Manager™ helps organizations protect patient privacy and build trust.