Lorman Medical Records Seminar


Upload: nell-associates-sc

Post on 31-Aug-2014


TRANSCRIPT

Page 1: Lorman Medical Records Seminar

Welcome!

Richard E. Nell, Nell & Associates, S.C.

[email protected]

The health care facet of our group focuses on contract drafting, review and negotiation, as well as entity formation and regulatory compliance. Our practice encompasses all of the laws and regulations affecting the business of health care and HIPAA including Civil Monetary Penalties, EMTALA including defense of EMTALA proceedings, NPDB, tax exempt issues, practice management, professional licensure and medical staff issues.

Jesse A. Berg, Gray Plant Mooty

[email protected]

Jesse counsels health care providers on federal and state anti-kickback laws, the Stark physician self-referral law, Medicare and Medicaid reimbursement, enrollment and participation issues, HIPAA and state privacy and confidentiality matters, as well as federal and state antitrust issues. Jesse provides legal guidance to a variety of different types of health care providers.

Page 2: Lorman Medical Records Seminar

Background on HIPAA and HITECH: Privacy and Security Regulations and the Status of HITECH Regulations

Lorman Education Services: Medical Records Law

March 23, 2012

Richard E. Nell, Nell & Associates, S.C.

Jesse A. Berg, Gray Plant & Mooty

Page 3: Lorman Medical Records Seminar

Key Changes Under HITECH

• Breach notification
• Business associates subject to privacy, security rules
• Accounting of Disclosure requirements
• Access to PHI kept in EHR
• Minimum Necessary Rule
• Request for Restrictions on Disclosures
• Disclosures for Marketing
• Fundraising
• Sale of PHI
• HHS investigations and penalties required for cases involving willful neglect
• State attorneys general authorized to sue for HIPAA violations
• Adversely affected parties can recover a percentage of civil monetary penalties or settlements

Page 4: Lorman Medical Records Seminar

Effective Dates of Key HITECH Provisions

2009
  – Feb. 17: CMPs applicable to BAs; State AGO enforcement
  – Aug. 24: Notification of breach interim regulations
  – Sep. 23: Effective date of Breach Notification regulations

2010
  – Feb. 17: BA contracts required for certain entities; BA’s security obligations; BA’s privacy obligations; Access to information in electronic format; Request on restrictions for PHI disclosures to plans when payment is out of pocket; Conditions on certain communication as part of health care operations
  – Aug. 17: Guidance on minimum necessary rule; Proposed regulations on prohibition on sale of EHRs or PHI
  – Sep. 17: Criminal willful neglect regulations

2011
  – Jan. 1: Accounting for EHR disclosures (if EHR acquired after 1/1/09)
  – Feb. 17: Effective date for final regulations on sale of EHRs or PHI; Criminal willful neglect effective

2014
  – Jan. 1: Accounting for EHR disclosures (if EHR acquired as of 1/1/09)

Page 5: Lorman Medical Records Seminar

HITECH Developments: where are we now?

• HITECH Act (Feb. 17, 2009)
• Breach Notification Interim Final Rule (74 FR 42740, Aug. 2009)
  – Effective Sep. 23, 2009
• HITECH Enforcement Interim Final Rule (74 FR 56123, Oct. 2009)
  – Effective Nov. 30, 2009
• HITECH Proposed Rule (July 2010)
  – Addresses HIPAA Privacy, Security & Enforcement Rules

Page 6: Lorman Medical Records Seminar

Overview of Proposed Regulations

• Dates:
  – Published July 14, 2010 (75 Fed. Reg. 40,868)
  – Deadline for submitting comments was September 13, 2010
  – Unless otherwise indicated, compliance date is 180 days after publication of Final Rule
  – Later date for revising BA contracts
• Content:
  – Business associates
  – Enforcement
  – Electronic access
  – Marketing
  – Fundraising
  – Sale of PHI
  – Right to request restrictions
  – Minimum necessary
  – Notice of privacy practices
  – Research authorizations
  – Student immunization records
  – Decedent information

Page 7: Lorman Medical Records Seminar

Modifications to Privacy, Security and Enforcement Rules

• Proposed modifications included:
  – Require BAs to be subject to Security Rule and parts of Privacy Rule
    • Written agreements between BAs and subcontractors
  – Issue of whether amendments to BA contracts with Covered Entities are required
  – New limitations on use and disclosure of PHI for marketing, fundraising
  – Individual rights (access, requesting restrictions, notice of privacy practices)
  – HHS sought guidance on “minimum necessary”

Page 8: Lorman Medical Records Seminar

Modifications to Privacy, Security and Enforcement Rules

• Proposed regulations (July 14, 2010)
  – Comment period closed on Sep. 13, 2010
  – No final rule to date, which means regulations remain nonbinding
• HHS has indicated it will be issuing an “omnibus” HIPAA rule
  – Addressing penalties, breach notification and issues from the July 2010 proposal

Page 9: Lorman Medical Records Seminar

HIPAA Enforcement: A Perfect Storm

• Why?
  – Increased regulation and greater complexity
    • HITECH and HIPAA
    • State laws
  – Increasing volumes and types of information
    • EHRs
    • Mobile devices and locations
    • Social media
    • Online treatment options
  – Increasing enforcement
    • Enhanced penalties
    • Aggressive regulators

Page 10: Lorman Medical Records Seminar


HITECH Act

• Required Covered Entities to provide accounting of disclosures from an electronic health record to carry out treatment, payment and health care operations

• May 3, 2010: HHS issues request for information for HITECH AOD standard

Page 11: Lorman Medical Records Seminar

ACCOUNTING OF DISCLOSURES

Current Rule:

• Accounting of disclosures is required in only a limited number of instances
• Accounting of disclosures not required for disclosures for Treatment, Payment or Health Care Operations

Page 12: Lorman Medical Records Seminar

ACCOUNTING OF DISCLOSURES

• Under HITECH, CEs and BAs will need to account for TPO disclosures if they use an EHR:
  – CEs that have EHR before 1/1/09 not bound until 2014
  – CEs that acquire EHR after 1/1/09 bound on 1/1/11
  – Applies to 3 years prior to date on which accounting requested
  – HHS can postpone compliance dates for two years

Page 13: Lorman Medical Records Seminar

Proposed AOD Regulations

• Issued May 31, 2011; comments accepted through Aug 1, 2011
  – 76 Fed. Reg. 31426 (May 31, 2011)
• Key components:
  – Created broad new access report right
  – Limited current AOD right
• Effective Dates
  – Access reports on 1/1/13 or 1/1/14
  – AOD requirement 240 days after final regulations published

Page 14: Lorman Medical Records Seminar


Right to AOD

• Scope of information subject to accounting is information in designated record set (DRS)

• Proposal would require the CE to include the disclosures of its BAs in the accounting.

• Reduces the accounting period to disclosures occurring during the previous 3 years, rather than 6 years.

Page 15: Lorman Medical Records Seminar

Right to AOD

• Provides a list of the types of disclosures subject to the accounting:
  – Public health
  – Judicial and administrative proceedings
  – Law enforcement
  – Avert threat to health/safety
  – Military and veterans activities
  – Dept. of State
  – Government programs providing public benefits
  – Workers compensation
  – Impermissible disclosures, unless constitutes a breach

Page 16: Lorman Medical Records Seminar

Right to AOD

• Modifies elements of the existing content requirements:
  – An explanation of the type of PHI disclosed, instead of a brief description of the PHI disclosed
  – A description of the purpose, instead of a statement of the purpose, in an effort to clarify that only a “minimum description is required if it reasonably informs the individual of the purpose.”
  – Gives individuals the option to limit their accounting to either a particular time period, type of disclosure or recipient.

Page 17: Lorman Medical Records Seminar


Access Report

• Covered entities required to provide an individual with an “access report” identifying who has accessed the individual’s electronic designated record set information.

• Access right does not extend to paper records.

Page 18: Lorman Medical Records Seminar

Access Report

• Two major differences from HITECH Act statutory provisions:
  – Provides an individual with the right to be informed of all persons who have accessed their record
    • Regardless of whether the information was actually disclosed to someone outside of the entity’s workforce.
  – Creates a new right to receive an access report with respect to the designated record set maintained by all covered entities, regardless of whether those entities have implemented EHRs.
    • HITECH provided for accounting of disclosures from EHRs

Page 19: Lorman Medical Records Seminar


Access Report

• HHS: new access right would not impose an unreasonable burden on covered entities

• HHS: under HIPAA Security Rule, electronic systems with designated record set information should currently be creating access logs with sufficient information to create an access report

Page 20: Lorman Medical Records Seminar

Access Report

• Report must include the following elements:
  – date of the access
  – time of the access
  – name of the individual, if available, or otherwise the name of the entity who accessed the information
  – description of what information was accessed, if available
  – description of the action by the user, if available
• Electronic DRS information will often reside on a number of distinct systems with separate access logs. HHS expects covered entities to aggregate that data into a single access report.
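As an added example (not part of the seminar slides), the Python below normalizes two constructed access logs, an EHR CSV audit trail and a business associate's JSON-lines billing log, into the five elements listed above and merges them into one chronological report for a single patient. The system names, log layouts, MRNs and the "not available" fallback for missing names, descriptions and actions are assumptions made for the example.

```python
"""Aggregate per-system access logs into one patient access report.

Added example, not code from the seminar: the proposed access-report right
requires a covered entity to pull access data from every system holding a
patient's electronic designated record set (its own and its business
associates') and present the five listed elements in one report.
"""
from __future__ import annotations

import csv
import io
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

NOT_AVAILABLE = "not available"

# Constructed sample logs (all names, MRNs and times are invented).
# Source 1: the covered entity's own EHR audit trail, CSV with a blank
# user_name where the system only recorded an account id.
EHR_CSV = """ts,user_id,user_name,patient_mrn,section,event
2012-03-01T09:15:00Z,u101,Dr. A. Smith,MRN-001,progress_note,view
2012-03-01T09:17:30Z,u102,,MRN-001,lab_result,print
2012-03-02T14:02:10Z,u101,Dr. A. Smith,MRN-002,progress_note,view
"""
# Source 2: a business associate's billing system, JSON lines keyed by
# epoch seconds; some records carry no human name or field list.
BILLING_JSONL = """\
{"when": 1330599600, "actor": "claims-batch", "mrn": "MRN-001", "fields": ["cpt_codes", "diagnosis"]}
{"when": 1330686000, "actor": "u103", "actor_name": "J. Doe", "mrn": "MRN-001"}
"""


@dataclass(frozen=True, order=True)
class AccessEntry:
    ts: datetime      # when the access happened (UTC)
    who: str          # individual's name if available, else the entity's name
    what: str         # description of the information accessed, if available
    action: str       # description of the user's action, if available
    source: str       # which system's log the entry came from

    def report_row(self) -> dict[str, str]:
        """The five elements the proposed rule lists, plus the source system."""
        return {
            "date": self.ts.strftime("%Y-%m-%d"),
            "time": self.ts.strftime("%H:%M:%S"),
            "who": self.who,
            "what": self.what,
            "action": self.action,
            "source": self.source,
        }


def parse_ehr_csv(text: str, mrn: str, entity: str) -> list[AccessEntry]:
    """Normalize EHR audit rows for one patient; fall back to the entity
    name (with the account id) when no individual's name was logged."""
    entries = []
    for row in csv.DictReader(io.StringIO(text)):
        if row["patient_mrn"] != mrn:
            continue
        ts = datetime.strptime(row["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        who = row["user_name"] or f"{entity} (account {row['user_id']})"
        entries.append(AccessEntry(ts, who, row["section"] or NOT_AVAILABLE,
                                   row["event"] or NOT_AVAILABLE, "EHR"))
    return entries


def parse_billing_jsonl(text: str, mrn: str, entity: str) -> list[AccessEntry]:
    """Normalize the business associate's log; it records no per-access
    action, so that element is reported as not available."""
    entries = []
    for line in filter(str.strip, text.splitlines()):
        rec = json.loads(line)
        if rec.get("mrn") != mrn:
            continue
        ts = datetime.fromtimestamp(rec["when"], tz=timezone.utc)
        who = rec.get("actor_name") or entity
        what = ", ".join(rec["fields"]) if rec.get("fields") else NOT_AVAILABLE
        entries.append(AccessEntry(ts, who, what, NOT_AVAILABLE, "billing (BA)"))
    return entries


def build_access_report(mrn: str, start_date: str, end_date: str,
                        ehr_csv: str = EHR_CSV,
                        billing_jsonl: str = BILLING_JSONL) -> list[dict[str, str]]:
    """Merge every system's entries for the patient, keep those within the
    requested calendar days (inclusive, UTC), and order them chronologically."""
    start = datetime.strptime(start_date, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    end = datetime.strptime(end_date, "%Y-%m-%d").replace(tzinfo=timezone.utc) + timedelta(days=1)
    entries = (parse_ehr_csv(ehr_csv, mrn, "Example Clinic")
               + parse_billing_jsonl(billing_jsonl, mrn, "Example Billing Vendor"))
    in_period = [e for e in entries if start <= e.ts < end]
    return [e.report_row() for e in sorted(in_period)]


if __name__ == "__main__":
    for row in build_access_report("MRN-001", "2012-03-01", "2012-03-31"):
        print(row)
```

Real deployments add a source for every system that holds DRS data and a check that each business associate's log actually arrived within the response window; here the two constructed logs stand in for that set.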

Page 21: Lorman Medical Records Seminar


Access Report

• 30 day timeline for providing the access report

• Within the 30 day period, a covered entity also would need to include the access logs of its business associates that create, receive, maintain or transmit electronic designated record set information.

Page 22: Lorman Medical Records Seminar


Access Report

• Covered entity would need to provide an individual with a notice of privacy practices that contains a statement of the individual’s right to receive both an accounting of disclosures of PHI and an access report.

• Because the access report requirement is new, it would require an amendment to existing privacy notices.

• Other changes to NPP as HITECH regulations are finalized?

Page 23: Lorman Medical Records Seminar

Right to AOD

• Provision of an accounting of disclosures:
  – Timeframe for responding to an accounting request decreased to 30 days
  – Must provide individuals with the accounting in the form (e.g. paper or electronic) and format (i.e., compatible with a specific software application) requested by the individual, if readily producible
  – May require the individual to submit the accounting request in writing (which includes electronic requests)
    • Covered entity informs individuals of this requirement.

Page 24: Lorman Medical Records Seminar


Problems with Proposed Regulations

• HHS recognizes that EHRs do not have technical capacity to allow HITECH accountings

• HHS believes HIPAA Security Rule already requires all access report information already to be tracked

• Fundamental “re-thinking” of regulators’ interpretation of Security Rule?

• Is this a reasonable burden to place on covered entities?

• What is the patient interest being advanced?

Page 25: Lorman Medical Records Seminar


Minimum Necessary

• HITECH section 13405(b): Covered entity must limit PHI, to extent practicable, to limited data set, or, if necessary, to minimum necessary. HHS to issue guidance on what constitutes minimum necessary (at which time provision sunsets).

• HHS asked for comment on what guidance would be helpful to covered entities and BAs

• No change to current regulation

Page 26: Lorman Medical Records Seminar

Electronic Access to PHI

• For ePHI, covered entity must provide electronic access:
  – In form and format requested by individual, if readily producible, otherwise
  – Readable electronic form and format as agreed to by CE and individual
• Must provide copy to individual’s designee:
  – Request must be in writing
  – Must clearly identify designated person

Page 27: Lorman Medical Records Seminar

Electronic Access to PHI

• Covered entity may charge for:
  – Labor
    • Time attributable to reviewing request and producing copy
  – Cost of electronic media
    • CD, USB drive, or similar portable media/device
    • Can’t charge for access through portal, e-mail, or PHR
• BA must provide PHI to covered entity, individual, or individual’s designee as set forth in BA agreement

Page 28: Lorman Medical Records Seminar


MARKETING

• Current rule: certain marketing-type activities are exempted from definition of “marketing” and are considered as part of treatment or healthcare operations

• Under HITECH, authorization is required for such disclosures if the CE receives direct or indirect payment in connection with the communication

• Effective Feb. 17, 2010

Page 29: Lorman Medical Records Seminar

HITECH Audit Program

• HITECH required HHS to conduct periodic audits of Covered Entities & Business Associates
• 2 contracts (June, July 2011) with Booz Allen Hamilton and KPMG to engage in audits
  – Booz to identify “audit candidate information”
  – KPMG to develop audit protocol and conduct audits
• Audits to conclude by Dec. 31, 2012

Page 30: Lorman Medical Records Seminar

HITECH Audit Program

• Audits to include
  – Site visit (interview with CIO, legal counsel, HIM/medical records director, other leaders)
    • Examination of physical features, operations and adherence to policies
  – Audit report:
    • Best practices noted; instances of noncompliance
    • Raw data (completed checklists, interview notes)
    • Recommendations for actions to address compliance problems
    • Recommendations to HHS for corrective action

Page 31: Lorman Medical Records Seminar

Right to Request Restrictions

• Covered entity must agree to individual’s request to restrict disclosure of PHI to health plan if:
  – PHI pertains solely to health care for which individual (or person on behalf of individual other than health plan) has paid covered entity in full out of pocket
  – Disclosure is for payment or health care operations purposes and not required by other law

Page 32: Lorman Medical Records Seminar


Right to Request Restrictions

• Covered entity cannot require individual to pay out of pocket for all services if individual wishes to restrict disclosures regarding only certain services

• If individual’s payment not honored, and payment issue cannot otherwise be resolved with individual, covered entity may submit PHI to health plan for payment

• HHS asked for public comment on various operational issues

Page 33: Lorman Medical Records Seminar

Notice of Privacy Practices

• Changes to NPPs
  – Statement regarding sale of PHI and other purposes that require authorization
  – Statement regarding subsidized treatment communications, if applicable, and that individual can opt out
  – Statement regarding fundraising communications, including that individual can opt out
  – Statement that covered entity must agree to restrict disclosure to health plan if individual pays out of pocket in full for health care service

Page 34: Lorman Medical Records Seminar

Notice of Privacy Practices

• HHS requested comment:
  – Include specific statement on breach notification?
  – Options for health plans to distribute revised NPP
    • In next annual mailing to enrollees
    • Extension or waiver of current 60-day deadline
    • Retain 60-day deadline
    • Others?

Page 35: Lorman Medical Records Seminar

Research Authorizations

• Covered entity can use one authorization form for use and disclosure of PHI in clinical trial and for PHI to be placed into repository (biospecimen storage)
• Requested comment on amount of specificity about future research uses needed in authorization
  – Do authorizations have to be research specific?

Page 36: Lorman Medical Records Seminar

Student Immunization Records

• Covered entity may disclose proof of immunization of child to schools in States with school entry laws
  – Written authorization not required
  – Need prior oral or written agreement from parent

Page 37: Lorman Medical Records Seminar

Decedent Information

• Decedent’s information is no longer PHI after 50-year period
  – Request for comment on proposal of 50 years

• Covered entity may disclose decedent’s PHI to family members and others who were involved in care/payment for care of decedent prior to death, unless inconsistent with prior expressed preference

Page 38: Lorman Medical Records Seminar

Future HHS/OCR HITECH Activities

• Accounting of Disclosures Final Rule
• Reports to Congress on Compliance, Breach Notification
• HIPAA Audit Program
• State Attorneys General Enforcement
• Minimum Necessary Guidance
• De-identification Guidance
• Final Rules on HITECH, Breach Notification, Enforcement

Page 39: Lorman Medical Records Seminar

Overview of HIPAA Privacy Rule: Application, Patient Access Rights and Restrictions

Lorman Education Services: Medical Records Law

March 23, 2012

Richard E. Nell, Nell & Associates, S.C.

Jesse A. Berg, Gray Plant & Mooty

Page 40: Lorman Medical Records Seminar


The Privacy Rule

• The Privacy Rule Does Not Preempt State Law Where the Provision of State Law Relates to the Privacy of Health Information and Is Contrary to and More Stringent Than a Provision of the Privacy Rule

Page 41: Lorman Medical Records Seminar

The Privacy Rule

• The Privacy Rule Also Does Not Preempt:
  – State Laws That Provide for the Reporting of Disease or Injury, Child Abuse, Birth or Death, or for the Conduct of Public Health Surveillance Investigation or Intervention;
  – State Laws That Require a Health Plan to Report, or to Provide Access to Information, for the Purpose of Management or Financial Audits, Program Monitoring and Evaluation, Licensing, and Related Issues;
  – Laws That the Secretary of HHS Has Determined Should Not Be Preempted

Page 42: Lorman Medical Records Seminar

Covered Entities

• Health Plans
• Group Health Plans
• Health Care Clearinghouses
• Health Care Providers Who Engage in Electronic Transactions

Page 43: Lorman Medical Records Seminar

Health Plans

• Individual or Group Plan That Pays for the Cost of Medical Care, Includes:
  – Health Insurance Issuer
  – HMO
  – Medicare
  – Medicaid
  – Medicare Supplement Policy

Page 44: Lorman Medical Records Seminar

Health Plans

• Long Term Care Policies (Excluding Nursing Home Fixed Indemnity)
• Employee Welfare Benefit Plan
• Health Care Program for Active Military
• Veteran’s Health Program
• CHAMPUS
• Indian Health Service Program

Page 45: Lorman Medical Records Seminar

Health Plans

• Federal Employees Health Benefits Program
• SCHIP
• Medicare+Choice
• High Risk Pool
• Any Other Individual or Group Plan or Combination

Page 46: Lorman Medical Records Seminar

Health Plans

• Excluded From Health Plans:
  – Policy, Plan, or Program to Extent it Provides or Pays for Benefits Excepted Under the PHS Act
  – A Government Funded Program (Other Than Those Listed) Whose Principal Purpose is Other Than Providing or Paying for Health Care or Direct Provision or Grants
  – Workers Compensation, Automobile, Property and Casualty Insurance

Page 47: Lorman Medical Records Seminar

Group Health Plans

• How Most Employers Will Get Pulled Into HIPAA
• Employee Welfare Benefit Plan (ERISA)
  – Possibly Include Flex Plans, FSAs
• Insured and Self-Insured Plans
• To Extent Plan Provides Medical Care to Employees or Participants
  – 50 or More Participants OR
  – Administered by Third Party

Page 48: Lorman Medical Records Seminar

Health Care Clearinghouse

• Public or Private Entity Including:
  – Billing Service
  – Community Health Management Information System
  – Community Health Information System

Page 49: Lorman Medical Records Seminar

Health Care Clearinghouse

• Does Either of the Following:
  – Processes Health Information From Another Entity in Non-Standard Format or Non-Standard Data into Standard Data Elements or Standard Transaction; OR
  – Vice-Versa

Page 50: Lorman Medical Records Seminar

Health Care Provider

• Provider of Services
• Provider of Medical or Health Services
• Provider of Health Care

Page 51: Lorman Medical Records Seminar

Health Care Provider

• Provider of Services
  – Hospital
  – Critical Access Hospital
  – Skilled Nursing Facility
  – Outpatient Rehab Facility
  – Home Health Agency
  – Hospice Program

Page 52: Lorman Medical Records Seminar

Health Care Provider

• Provider of Medical Services
  – Physician Services
  – Hospital Services
  – Diagnostic Services
  – Outpatient PT Services
  – Outpatient OT Services
  – Rural Health Clinic Services
  – Home Dialysis Supplies and Equipment

Page 53: Lorman Medical Records Seminar

Health Care Provider

• Provider of Medical Services Continued:
  – Self-Care Home Dialysis Support Services
  – Physician Assistant Services
  – Nurse Practitioner Services
  – Certified Nurse Midwife Services
  – Psychological Services
  – Clinical Social Worker Services
  – X-Ray Services

Page 54: Lorman Medical Records Seminar

Health Care Provider

• Provider of Medical Services Continued:
  – DME
  – Ambulance Services
  – Prosthetic Devices
  – Certified Nurse Anesthetist Services
  – Other Services, Which if Provided by Physician, Would be Considered Physician Services

Page 55: Lorman Medical Records Seminar


Health Care Provider

• Only Health Care Providers Who Transmit Health Information in Electronic Form in Connection With a Transaction, Are Covered

• Electronic Does Not Include Facsimile

Page 56: Lorman Medical Records Seminar

Health Care Provider

• Transaction Means
  – Transmission Between Two Parties to Carry Out Financial or Administrative Activities
  – Includes
    • Health Care Claims
    • Health Care Payment and Remittance Advice
    • Coordination of Benefits
    • Enrollment and Disenrollment
    • Referral Certification

Page 57: Lorman Medical Records Seminar

</gr_replreplace>
<gr_replace lines="777-785" cat="reformat" orig="5858">
What is Covered

• Protected Health Information
  – Also Known as “PHI”
  – Individually Identifiable Health Information
  – Transmitted Electronically
  – Maintained in any Media Described Under HIPAA
  – Transmitted or Maintained in ANY OTHER FORM

HIPAA and Employers

• Only Certain Health Care Providers, Health Plans, and Health Care Clearinghouses Are Covered Entities

• Employers Not Generally Covered Unless Fall Under Above Definitions

• Caveat: Medical Information Provided to Employers and Employer Sponsored Group Health Plans

Page 58: Lorman Medical Records Seminar

5858

What is Covered

• Protected Health Information– Also Known as “PHI”– Individually Identifiable Health Information– Transmitted Electronically– Maintained in any Media Described Under

HIPAA– Transmitted or Maintained in ANY OTHER

FORM

Page 59: Lorman Medical Records Seminar

Protected Health Information

• Individually Identifiable Health Information
  – Relates to Past, Present, or Future Physical or Mental Health or Condition of an Individual
  – Provision of Health Care to Individual
  – Past, Present, or Future Payment for Health Care to an Individual
  – That Identifies the Individual, or
  – Reasonably Used to Identify

Page 60: Lorman Medical Records Seminar

Protected Health Information

• Excludes
  – Education Records Under FERPA
  – Certain Other Records Defined Under FERPA
  – Employment Records Held by a Covered Entity in Capacity as Employer

Page 61: Lorman Medical Records Seminar

Employment Records and PHI

• Definition of Protected Health Information (“PHI”) Specifically Excludes:
  – Employment Records Held by a Covered Entity in its Role as Employer
    • 45 C.F.R. § 165.501
• Example: Drug Testing or Fitness for Duty
  – Must be Provided to CE in Capacity as Employer
  – If Conducting Testing, Must Get Authorization to Transmit to HR
• Example: Professional Sports Teams’ Player Information

Page 62: Lorman Medical Records Seminar

Personal Rights

• Overview
  – Covered Entities Must Grant Certain Rights to Individuals
  – Informational Forms and Means of Access and Accounting

Page 63: Lorman Medical Records Seminar


Notice of Privacy Practices

• Covered Entity Must Provide Notice of Uses and Disclosures of PHI

• Not Directly Applicable to Group Health Plans

Page 64: Lorman Medical Records Seminar

Notice of Privacy Practices

• Not Applicable to Inmates or Correctional Facilities
• Content
  – Written
  – Plain Language
  – No Prescribed Font Size

Page 65: Lorman Medical Records Seminar

Notice of Privacy Practices

• Elements
  – Header: Prominent, All Capital Letters
  – Description of Uses and Disclosures
    • TPO
    • Other Purposes Without Authorization
    • Must Reflect More Stringent State Law
    • Those Disclosures Requiring Authorization
    • Right to Revoke Authorization

Page 66: Lorman Medical Records Seminar

Notice of Privacy Practices

• Specific Uses or Disclosures
  – Appointment Reminders
  – Treatment Alternatives
  – Fundraising
  – Group Plan Disclosure to Plan Sponsor
  – Marketing, per Restrictions
  – Health-Related Benefits/Communications

Page 67: Lorman Medical Records Seminar

Notice of Privacy Practices

• Individual Rights
  – Right to Request Restrictions
  – Right to Receive Confidential Communications
  – Right to Access
  – Right to Amend
  – Right to Accounting
  – Right to Copy of Notice

Page 68: Lorman Medical Records Seminar

Notice of Privacy Practices

• Covered Entity’s Duties
  – Required by Law to Maintain Confidential
  – Required to Abide by Notice
  – May Only Change Privacy Practices Through Revised Notice
• Complaint Process
  – Internal and DHHS
• Contact
  – Privacy Officer
• Effective Date

Page 69: Lorman Medical Records Seminar

Notice of Privacy Practices

• Optional Elements
  – Covered Entity May Further Restrict Use or Disclosure
  – No Restriction on Legally-Required Disclosures
• Revise
  – Covered Entity Must Promptly Revise and Distribute if Material Change

Page 70: Lorman Medical Records Seminar

Notice of Privacy Practices

• Providing Notice
  – Health Plans
    • No Later than Compliance Date
    • To New Enrollees at Time of Enrollment
    • Within 60 Days of Revision
    • At Least Once per Three Years
    • Provided to Named Insured Only

Page 71: Lorman Medical Records Seminar

Notice of Privacy Practices

• Health Care Providers
  – Direct Treatment Relationship
  – Date of First Service on or After April 14, 2003
  – In Emergency, May Provide When Reasonably Practicable
  – Good Faith Effort to Obtain Written Acknowledgment (Non-Emergency)
  – Document Failed Attempts

Page 72: Lorman Medical Records Seminar

Notice of Privacy Practices

• Electronic Notice
  – If Maintain Website, Must Post
  – If Requested, Provide Notice via Email
  – If Failed, or if Requests, Must Provide Paper Copy
  – Good Faith Effort Must be Documented

Page 73: Lorman Medical Records Seminar

Notice of Privacy Practices

• Joint Notice
  – OHCA
  – All Covered Entities Must Abide by
  – Joint Notice Contains Elements Listed Above
  – States Entities in OHCA May Share PHI
  – OHCA Entities Now Provide the Notice
  – Entities Must Document Compliance

Page 74: Lorman Medical Records Seminar

Notice of Privacy Practices

• Changes to Privacy Practices
  – Notice Must be Revised
  – Revised Notice Available to Individuals
  – No Changes Prior to Effective Date of Notice
  – If Not Reserved Right to Change, Covered Entity Bound for All Prior PHI Received
  – If Not Reserved, Change Only if
    • Meets Requirements Above
    • Effective Only as to PHI Created/Received After Date

Page 75: Lorman Medical Records Seminar

ACCESS TO PHI

• Effective Feb. 17, 2010, CE which maintains an EHR is required:
  – To produce a copy of such PHI in electronic format upon individual’s request
  – To transmit an electronic copy directly to an entity designated by the individual if request is clear and specific
  – Fees for this may not be greater than CE’s labor costs in responding to the request for the copy

Page 76: Lorman Medical Records Seminar


Access to PHI

• Individual Has Right of Access and Inspection

• No Right to Psychotherapy Notes, Information Compiled for Legal Proceeding, or Exempt Under CLIA

• May Deny Without Review if For Above, if For Inmate, if During Research, if Under Privacy Act, or if Obtained From Another Party

• Access to “Designated Record Set”

Page 77: Lorman Medical Records Seminar


Right of Access

• Must Provide Review if Refused Due to Endangerment, Due to Mention Another Person, or if Access by Personal Representative a Danger

• Response to Request Within 30 Days + 30 Day Extension

• If Reasonable, Must be in Requested Format or Summary if Acceptable; Cost-based Fee

Page 78: Lorman Medical Records Seminar

Denial of Access

• Provide Access to Non-Objectionable PHI
• Written Denial, in Plain Language, of Basis and Complaint Process
• Notify Individual of Location if Not With Covered Entity

Page 79: Lorman Medical Records Seminar


Right to Amendment

• Individual May Request Amendment to PHI

• Covered Entity May Deny if Not Its Record, Not Available for Access, or if Accurate

• Covered Entity May Require That in Writing and Provide Reason

• 60 Day Time Limit + 30 Day Extension

Page 80: Lorman Medical Records Seminar

Acceptance of Amendment

• Covered Entity Must Amend/Append Record
• Covered Entity Must Notify Individual
• Covered Entity Must Notify Third Parties and Business Associates of Amendment

Page 81: Lorman Medical Records Seminar

Denial of Amendment

• Must Provide Individual With Written Denial
• Provide Individual Right to Submit Statement in Disagreement
• Copies Sent Out to Third Parties
• Covered Entity May Submit Rebuttal Statement

Page 82: Lorman Medical Records Seminar

Current Accounting of Disclosures Rule

• Individual has right to receive an accounting of disclosures of PHI by Covered Entity or its Business Associate up to 6 years prior to the request
• CEs and BAs required to track PHI disclosures that fall under accounting rule:
  – Date
  – Name of recipient of PHI (Address, if available)
  – Brief description of PHI
  – Purpose of the disclosure

Page 83: Lorman Medical Records Seminar

Current Accounting of Disclosures Rule

• No tracking required:
  – For treatment
  – For payment
  – For healthcare operations
  – Incidental to permitted disclosures
  – Disclosures under an authorization

Page 84: Lorman Medical Records Seminar

Current Accounting of Disclosures Rule

• No tracking required:
  – For the facility’s directory
  – To persons involved in the individual’s care
  – For national security or intelligence purposes
  – To law enforcement officials or correctional institutions about an inmate

Page 85: Lorman Medical Records Seminar

Current Accounting of Disclosures Rule

• No tracking required:
  – As part of a limited data set, or information that has been de-identified
  – Made prior to April 14, 2003
  – Made more than 6 years prior to the date of the request

Page 86: Lorman Medical Records Seminar

Current Accounting of Disclosures Rule

• Tracking required:
  – To the Secretary of DHHS
  – Required by law (e.g., mandated reporting under state law)
  – For public health activities/reporting
  – About victims of abuse, neglect or domestic violence
  – For health oversight activities (e.g., licensure actions)

Page 87: Lorman Medical Records Seminar

Current Accounting of Disclosures Rule

• Tracking required:
  – In response to a court order
  – In response to a subpoena or discovery request
  – For law enforcement
  – To a medical examiner or funeral director, or for cadaveric organ donations
  – For research where authorization is not required

Page 88: Lorman Medical Records Seminar

Suspension of Accounting

• Temporarily Suspend Accounting if Health Oversight Agency or Law Enforcement Official Provides Statement
• If in Writing, for as Long as Specified
• If Orally, for 30 Days

Page 89: Lorman Medical Records Seminar

Providing the Accounting

• Date of Disclosure
• Name of Party Receiving
• Description of PHI
• Brief Statement of Purpose for Disclosure or Copy of the Request
• 60 Day Time Limit + 30 Day Extension
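A ledger that applies the tracking rule from the accounting slides above: exempt versus tracked purposes, the 6-year and April 14, 2003 cut-offs, oral and written suspensions, the four required fields, and the 60-day deadline with its 30-day extension. This is an added example, not seminar material; the purpose keys, recipient names, addresses and dates are constructed.

```python
"""Accounting-of-disclosures ledger. Added example, not the seminar's
material; purpose keys, names and dates are constructed."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Disclosure purposes the slides list as exempt from tracking.
EXEMPT_PURPOSES = {
    "treatment", "payment", "health_care_operations", "incidental",
    "authorization", "facility_directory", "involved_in_care",
    "national_security", "correctional_institution",
    "limited_data_set", "de_identified",
}
# Disclosure purposes the slides list as requiring tracking.
TRACKED_PURPOSES = {
    "secretary_dhhs", "required_by_law", "public_health",
    "abuse_neglect_violence", "health_oversight", "court_order",
    "subpoena_discovery", "law_enforcement", "medical_examiner",
    "research_no_authorization",
}
PRIVACY_RULE_DATE = date(2003, 4, 14)  # disclosures before this are never accounted for


def must_track(purpose: str) -> bool:
    """Fail closed: an unclassified purpose is an error, not an exemption."""
    if purpose in TRACKED_PURPOSES:
        return True
    if purpose in EXEMPT_PURPOSES:
        return False
    raise ValueError(f"unclassified disclosure purpose: {purpose!r}")


def six_years_before(d: date) -> date:
    try:
        return d.replace(year=d.year - 6)
    except ValueError:  # 29 February in the request year
        return d.replace(year=d.year - 6, day=28)


@dataclass
class Disclosure:
    made_on: date
    recipient: str                      # name of recipient
    description: str                    # brief description of the PHI
    purpose: str                        # key from the sets above
    address: Optional[str] = None       # recipient address, if available
    request_copy: Optional[str] = None  # copy of a written request, if any


@dataclass
class Ledger:
    entries: List[Disclosure] = field(default_factory=list)
    # recipient -> last day on which its disclosures stay out of accountings
    suspensions: Dict[str, date] = field(default_factory=dict)

    def record(self, d: Disclosure) -> bool:
        """Store the disclosure only when the accounting rule requires tracking."""
        if must_track(d.purpose):
            self.entries.append(d)
            return True
        return False

    def suspend(self, recipient: str, statement_on: date, written: bool,
                until: Optional[date] = None) -> date:
        """Temporary suspension at the request of a health oversight agency or
        law enforcement official: for the period a written statement specifies,
        or 30 days after an oral statement."""
        if written:
            if until is None:
                raise ValueError("a written statement must specify the period")
        else:
            until = statement_on + timedelta(days=30)
        self.suspensions[recipient] = until
        return until

    def accounting(self, request_on: date) -> Tuple[List[dict], date, date]:
        """Rows due for a request made on request_on, the 60-day response
        deadline, and the deadline after the single 30-day extension."""
        window_start = six_years_before(request_on)
        rows = []
        for e in self.entries:
            if e.made_on < PRIVACY_RULE_DATE or e.made_on < window_start:
                continue
            if request_on <= self.suspensions.get(e.recipient, date.min):
                continue
            rows.append({
                "date": e.made_on.isoformat(),
                "recipient": e.recipient if e.address is None else f"{e.recipient}, {e.address}",
                "description": e.description,
                "purpose": e.request_copy or e.purpose,
            })
        deadline = request_on + timedelta(days=60)
        return rows, deadline, deadline + timedelta(days=30)


def build_sample_ledger() -> Ledger:
    """Constructed disclosures exercising the exempt, stale and suspended cases."""
    ledger = Ledger()
    ledger.record(Disclosure(date(2012, 1, 10), "State Health Dept", "immunization record",
                             "public_health"))
    ledger.record(Disclosure(date(2012, 1, 11), "Dr. Referral", "full chart", "treatment"))  # exempt
    ledger.record(Disclosure(date(2005, 3, 1), "County Court", "admission dates", "court_order"))  # stale
    ledger.record(Disclosure(date(2012, 2, 20), "City Police", "date of treatment",
                             "law_enforcement", address="1 Main St"))
    ledger.suspend("City Police", statement_on=date(2012, 3, 1), written=False)  # until 2012-03-31
    return ledger
```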

Page 90: Lorman Medical Records Seminar

Request for Restriction on Use or Disclosure of PHI

• Request for Restrictions on Any Aspect
• Covered Entity Need Not Comply with Request
• If Agree, Then May Not Disclose Except in Emergency
  – Even Then, Must Obtain Assurance from Recipient That Will Not Further Disclose
  – Not a Bar to Disclosures for Facility Directory (Unless Otherwise Objects) or for Other Legally-Required Disclosures
• May Terminate Orally if Documented and Post-PHI Only

Page 91: Lorman Medical Records Seminar

RESTRICTIONS ON DISCLOSURES

• Effective Feb. 17, 2010, CE must agree to requested restrictions on disclosures of PHI if:
  – Disclosure is to health plan for purposes of carrying out payment or health care operations; and
  – PHI pertains solely to an item/service for which provider involved was paid out of pocket in full

Page 92: Lorman Medical Records Seminar

Uses and Disclosures of PHI Including Authorization, Business Associates, and Other Key Components

Lorman Education Services: Medical Records Law

March 23, 2012

Richard E. Nell, Nell & Associates, S.C.

Jesse A. Berg, Gray Plant & Mooty

Page 93: Lorman Medical Records Seminar

Uses or Disclosures

• Use and Disclosure for Treatment, Payment, and Health Care Operations (“TPO”)
  – Covered Entity Generally May Use and Disclose PHI for TPO
  – No Consent – Now Notice of Privacy Practices
  – Treatment
    • Use or Disclose to Any Provider
  – Payment
    • Use or Disclose Minimum Necessary to Any Other

Page 94: Lorman Medical Records Seminar

Uses or Disclosures

• Health Care Operations
  – Quality Assurance Activities
    • Quality Assessment and Guidelines, Case Mgmt.
  – Professional Competency Activities
    • Accreditation, Credentialing, Licensing
  – Insurance Activities
    • Underwriting, Premium Rating
  – Compliance Activities
    • Fraud and Abuse Compliance
  – Business Activities
    • Legal, Auditing, Business Planning, Sale of Practice

Page 95: Lorman Medical Records Seminar

Uses or Disclosures

• De-Identified Information
  – Not PHI
  – May Statistically Determine That PHI Has Been De-Identified
    • Qualified Individual Offers Professional Conclusion
    • Mathematically Not Identifiable

Page 96: Lorman Medical Records Seminar

Uses or Disclosures

• De-Identified Information Safe Harbor
  – Names
  – Geographic Subdivisions
  – Dates
  – Telephone Numbers
  – Facsimile Numbers
  – Email Address
  – Social Security Numbers
  – Medical Record Numbers
  – Health Plan Numbers

Page 97: Lorman Medical Records Seminar

Uses or Disclosures

• De-Identified Information Safe Harbor
  – Account Numbers
  – License Numbers
  – Vehicle Identifiers
  – Device Identifiers
  – URLs
  – Internet Addresses
  – Biometric Identifiers: Finger and Voice Prints
  – Facial Photographs
  – Etc.
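The safe-harbor categories from the two slides above, applied to a constructed record and clinical note. This is an added example, not seminar material: the field names, patterns and sample data are assumptions; full dates are reduced to the year (the safe-harbor rule itself keeps the year), and names inside free text are not handled here because they need a dictionary or NLP pass, not a pattern.

```python
"""Safe-harbor scrubber for a structured record and its free-text note.
Added example, not seminar material; field names, regexes and the sample
data are constructed."""
import re
from typing import Dict, Tuple

# Structured fields that hold direct identifiers and are dropped outright.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "address", "city", "zip", "phone", "fax", "email", "ssn",
    "mrn", "health_plan_number", "account_number", "license_number",
    "vehicle_id", "device_id", "url", "ip", "biometric", "photo",
}

# Pattern-shaped identifiers that hide inside narrative text. Order matters:
# SSN runs before PHONE so a 3-2-4 number is not half-consumed as a phone.
PATTERNS = [
    ("EMAIL", re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")),
    ("URL", re.compile(r"(?:https?://|www\.)\S+")),
    ("IP", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("PHONE", re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b")),
    ("MRN", re.compile(r"\bMRN[:# ]*\d+\b", re.IGNORECASE)),
]
# MM/DD/YYYY dates are reduced to the year rather than removed.
DATE = re.compile(r"\b(\d{1,2})/(\d{1,2})/(\d{4})\b")


def scrub_text(text: str) -> Tuple[str, Dict[str, int]]:
    """Replace pattern identifiers with labelled tokens; return text and counts."""
    counts: Dict[str, int] = {}
    for label, pattern in PATTERNS:
        text, n = pattern.subn(f"[{label}]", text)
        if n:
            counts[label] = n
    text, n = DATE.subn(lambda m: m.group(3), text)
    if n:
        counts["DATE"] = n
    return text, counts


def deidentify_record(record: dict) -> dict:
    """Drop direct-identifier fields and scrub every remaining string value."""
    out = {}
    for key, value in record.items():
        if key.lower() in DIRECT_IDENTIFIER_FIELDS:
            continue
        out[key] = scrub_text(value)[0] if isinstance(value, str) else value
    return out


# Constructed sample input; every identifier below is fictitious.
SAMPLE_NOTE = (
    "Pt John Doe (MRN 0045812, DOB 03/15/1961) seen 02/01/2012; "
    "call 608-555-0142 or john.doe@example.com; portal "
    "https://portal.example.org/visit/77 from 10.0.0.5; SSN 123-45-6789."
)
SAMPLE_RECORD = {
    "name": "John Doe",
    "mrn": "0045812",
    "zip": "53703",
    "dob": "03/15/1961",
    "diagnosis": "Type 2 diabetes",
    "note": SAMPLE_NOTE,
}
```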

Page 98: Lorman Medical Records Seminar

PROHIBITION ON SALE OF PHI

• Effective Feb. 2011 - HITECH prohibits CEs, BAs from receiving ANY payment for PHI, unless individual signs authorization
• Limited exceptions exist
  – Transfer in connection with sale or merger of CE
  – Transfer for treatment, public health or research activities
  – Providing individuals with copy of their PHI
• HHS to issue regulations by Aug. 2010

Page 99: Lorman Medical Records Seminar

Sale of PHI

• Covered entity prohibited from disclosing PHI (without individual authorization) in exchange for remuneration
• If authorization obtained, authorization must state that disclosure will result in remuneration
• Exceptions:
  – Public health
  – Research, if remuneration limited to cost to prepare and transmit PHI
  – Treatment & payment

Page 100: Lorman Medical Records Seminar

Sale of PHI

• Exceptions (cont.)
  – Sale of business
  – Remuneration to BA for services rendered
  – Providing access or accounting to individual
  – Disclosure required by law
  – Where only remuneration received for otherwise permitted disclosure is reasonable, cost-based fee to prepare and transmit PHI or fee otherwise expressly permitted by other law

Page 101: Lorman Medical Records Seminar

Authorization

• Elements
  – Meaningful Description of PHI
  – Identify Entities or Class Disclosing
  – Identify Entities or Class Receiving
  – Purpose
  – Expiration Date or Event
  – Individual’s Rights – Revocation
  – Marketing = Remuneration
  – Dated and Signed

Page 102: Lorman Medical Records Seminar


Authorization

• Typically Cannot Condition Treatment Upon Execution

• Allowed to Condition if for Third Party – Fitness for Duty, etc.

• Health Plan May Condition for Underwriting or Risk Rating

• Provider May Condition for Research

Page 103: Lorman Medical Records Seminar

Authorization

• Psychotherapy Notes Require
• Marketing Requires
• Research Typically Requires
• Any Use or Disclosure Not Addressed by the Rule

Page 104: Lorman Medical Records Seminar

Use and Disclosure of PHI

• Overview
  – “Use”
    • Sharing, Employment, Application, Utilization, Examination, or Analysis of PHI Within the Covered Entity
  – “Disclosure”
    • Release, Transfer, Provision of Access to, or Divulging PHI In Any Manner Outside Covered Entity

Page 105: Lorman Medical Records Seminar

Use and Disclosure of PHI

• Mandatory Disclosures
  – CE Must Disclose to Individual or Personal Representative
  – CE Must Disclose to DHHS for Investigation

Page 106: Lorman Medical Records Seminar

Other Uses or Disclosures Requiring Opportunity to Object

• Covered Entity May Use or Disclose PHI in Limited Situations Based Upon Informal Permission
• Disclose to Family Members, Relatives, Individuals Identified Who Are Involved in Care or Treatment
• Use or Disclose for Facility Directory to Anyone Asking for by Name, Clergy

Page 107: Lorman Medical Records Seminar

Opportunity to Object

• Permission in Advance
• No Documentation Required
• If Emergency, May Disclose to Those Involved in Care, if Professional Judgment Exercised
• Covered Entity May Release X-Rays, Rxs, Supplies to Person Acting on Individual’s Behalf, if Professional Judgment

Page 108: Lorman Medical Records Seminar

Other Uses or Disclosures Without Opportunity to Object

• Covered Entity Must Verify Identity of Requester and Authority
• Where Required by Law
• Public Health Activities
  – Reporting Disease
  – Reporting Vital Statistics
  – Reporting to FDA
  – Reporting to Employer
  – Reporting Communicable Diseases

Page 109: Lorman Medical Records Seminar

Disclosures Without Objection

• Victims of Abuse, Neglect, or Domestic Violence
  – Reasonably Believes and Required/Allowed by Law
  – No Consent or Notification From/to Individual if Danger
  – Notice to Personal Representative Unless Harm

Page 110: Lorman Medical Records Seminar

Disclosures Without Objection

• Health Oversight Activities
  – Audits
  – Civil or Criminal Investigations
  – Not Where Individual’s Health is at Issue

Page 111: Lorman Medical Records Seminar

Disclosures Without Objection

• Law Enforcement
  – Where Required by Law
  – Information Must be Relevant
  – Minimum Necessary Disclosed

Page 112: Lorman Medical Records Seminar

Disclosures Without Objection

• Decedents
  – Disclose to Coroners, Medical Examiners, and Funeral Directors to Carry out Duties
• Organ, Eye, or Tissue Donation
  – Use or Disclose PHI to Procurement Organizations

Page 113: Lorman Medical Records Seminar

Disclosures Without Objection

• Research Purposes
  – Must Satisfy Conditions With Respect to IRB Waiver
• To Avert Serious Threat to Public
• Certain Specialized Governmental Functions: National Security, VA, Military, Secret Service
• Workers Compensation Act

Page 114: Lorman Medical Records Seminar

Disclosures to Attorneys

• Subpoenas
  – Notice and Opportunity to Object or Move for Qualified Protective Order (“QPO”)
  – QPO Not a Good Choice
    • Would Appear to Require Return or Destruction
    • No “Not Feasible” Language in the Order

Page 115: Lorman Medical Records Seminar

Subpoenas

• Proposed Procedure
  – Notice Letter to Patient/Patient’s Attorney
    • Allow for Reasonable Time (14 Days) to File Objection
    • Dispute Over Notice to Attorney Only?
  – Upon Conclusion of Time Period Send Subpoena, Copy of Notice Letter, and Cover Letter to Covered Entity
    • One Package, Not Waiting on Objections

Page 116: Lorman Medical Records Seminar


Subpoena - Guidance

• A Copy of the Subpoena (or Other Lawful Process) is Sufficient When, On Its Face, It Meets the Requirements of 45 CFR 164.512(e)(1)(iii), Such as Demonstrating the Individual Who is the Subject of the PHI is a Party to the Litigation, Notice of the Request has Been Provided to the Individual or His or Her Attorney, and the Time for Objections has Elapsed and No Objections Were Filed or All Objections Have Been Resolved. When These Requirements are Evident on the Face of the Request, No Additional Documentation is Required.

• HHS FAQ #708

Page 117: Lorman Medical Records Seminar


Incidental Uses or Disclosures

• Where Covered Entity has Engaged in Reasonable Efforts to Safeguard PHI

• Minimum Necessary Utilized for Uses and Disclosures of PHI

• Unintentional or “Incidental” Uses or Disclosures Not Violation

• Byproduct of Otherwise Permissible Action

Page 118: Lorman Medical Records Seminar

MINIMUM NECESSARY RULE

• Current rule:
  – With certain exceptions, a CE must limit uses and disclosures of PHI to the “minimum necessary” information for the purpose of the disclosure
• By Aug. 17, 2010, new regulations defining minimum necessary PHI
• Until that time, CE should limit PHI, to the extent practicable, to the “limited data set”
  – Excludes names, addresses, phone and fax numbers, email, social security and medical record numbers and nine other identifiers

Page 119: Lorman Medical Records Seminar


Minimum Necessary

• Must Use or Disclose the Minimum Necessary PHI to Carry Out Task

• Specifically Restricted From Using Entire Medical Record

• May Reasonably Rely Upon Statement of Professional or Law Enforcement

• Internally, Restrict Access – Role-Based

Page 120: Lorman Medical Records Seminar

Minimum Necessary

• Exceptions
  – Treatment
  – Authorization
  – To the Individual
  – To DHHS
  – Where Required by Law, Including HIPAA

Page 121: Lorman Medical Records Seminar

Law Enforcement

• Disclosure for law enforcement purpose to law enforcement official
  – As required by law; reporting of wounds/injuries
  – To comply with a court order or court-ordered warrant, a subpoena or summons
  – In response to a grand jury subpoena
  – To respond to an administrative request
  – Only Minimum Necessary

Page 122: Lorman Medical Records Seminar

Law Enforcement Official

• Definition of Law Enforcement Official
  – Officer or employee of US, State, Tribe, or political subdivision
  – Empowered by law to investigate or
  – Prosecute or conduct criminal, civil, or administrative proceeding
• If requesting official unknown, Covered Entity must identify and verify authority of official
  – CE may reasonably rely upon official’s representation that minimum necessary requested

Page 123: Lorman Medical Records Seminar

Required by Law

• To report PHI to law enforcement when required by law to do so (45 CFR 164.512(f)(1)(i))
  – Example: state laws commonly require providers to report gunshot or stab wounds, or other violent injuries
  – Required by law
    • Mandate contained in law compelling disclosure which is enforceable in a court of law

Page 124: Lorman Medical Records Seminar

Process

• Court order, court-ordered warrant, or a subpoena or summons issued by a judicial officer (45 CFR 164.512(f)(1)(ii)(A))
  – The Rule recognizes the legal process in obtaining a court order protects the PHI
  – “Judicial Officer”
    • Preamble originally required “finding”
    • Term is not defined – look to state law?
    • Appears to be different than “court”

Page 125: Lorman Medical Records Seminar

Grand Jury Subpoena

• To comply with a grand jury subpoena (45 CFR 164.512(f)(1)(ii)(B))
  – State or Federal Grand Jury
  – The Rule recognizes that the secrecy of the grand jury process provides protections for the individual’s PHI

Page 126: Lorman Medical Records Seminar

Administrative Request

• To respond to an administrative request, such as an administrative subpoena or summons, civil or authorized investigative demand or similar process authorized under law (45 CFR 164.512(f)(1)(ii)(C))
  – May be without judicial involvement
  – Must provide that:
    • PHI is relevant and material,
    • PHI is specific and limited in scope, and
    • De-identified information not sufficient

Page 127: Lorman Medical Records Seminar

Identification and Location

• Disclosure of limited information in response to request of law enforcement official for purpose of identifying or locating a suspect, fugitive, material witness, or missing person (45 CFR 164.512(f)(2))
• Only if “requested”
  – Request may be oral or written
  – Includes person acting on behalf of law enforcement
    • E.g., media making announcement seeking public’s assistance in identifying suspect or “Wanted” Poster

Page 128: Lorman Medical Records Seminar

Limited Information

• Limited information to be disclosed:
  – Name and address
  – Date and place of birth
  – Social Security number
  – ABO blood type and Rh factor
  – Type of injury
  – Date and time of treatment
  – Date and time of death
  – Distinguishing physical characteristics
    • Height, weight, gender, race, hair and eye color, facial hair, scars, and tattoos

Page 129: Lorman Medical Records Seminar

Information Not to be Disclosed

• Except as otherwise permitted, following information not to be disclosed
• PHI relating to:
  – DNA or DNA analysis
  – Dental records
  – Typing, samples, or analysis of body fluids or tissue

Page 130: Lorman Medical Records Seminar

Victims of Crime

• Disclosure of PHI in response to law enforcement official’s request for information about victim or suspected victim of crime (45 CFR 164.512(f)(3))
• Only if individual agrees
  – Agreement may be oral or written
• If unable to obtain agreement, other factors must be satisfied

Page 131: Lorman Medical Records Seminar

Victims of Crime

• Disclosure if individual agrees or
• Lack of agreement due to incapacity or emergency and
  – Law enforcement official represents PHI is needed to determine if violation of law by person other than victim and not intended to be used against victim
  – Law enforcement official represents that immediate action depends upon disclosure and would be materially and adversely impacted if waited; and
  – Disclosure is in the best interests of individual in professional judgment

Page 132: Lorman Medical Records Seminar

Workforce Victims

• No violation if workforce member who is the victim of a criminal act discloses PHI to a law enforcement official (45 CFR 164.502(j)(2))
  – PHI is about the suspected perpetrator
  – Only limited information (name, address, SSN, date of treatment, etc.)
  – Crime does not need to occur on premises

Page 133: Lorman Medical Records Seminar

Other Provisions on Victims

• Child abuse victims or adult victims of abuse, neglect or domestic violence, other provisions apply:
  – Child abuse or neglect reported to law enforcement official authorized by law to receive such reports and agreement of individual is not required (45 CFR 164.512(b)(1)(ii))

Page 134: Lorman Medical Records Seminar

Business Associates

• Historically not Covered Directly by HIPAA
• Third Parties Who Use or Disclose PHI on Behalf of a Covered Entity, Other Than as Workforce Member
• Workforce Member
  – More Than Employees
  – Also Volunteers, Aides, Trainees, and Some Agents

Page 135: Lorman Medical Records Seminar

Business Associates

• Examples
  – Claims Processing
  – Utilization Review
  – Quality Assurance
  – Billing
  – Legal
  – Accounting
  – Consulting

Page 136: Lorman Medical Records Seminar

Business Associates

• Covered Entity Must Obtain Satisfactory Assurances From Business Associate
  – Business Associate Agreement
  – If Public Entities, Memorandum of Understanding
  – Covered in Greater Detail

Page 137: Lorman Medical Records Seminar

Identifying Business Associates

• Formal Definition
  – Person Who on Behalf of Covered Entity or OHCA Performs or Assists in Activity Involving Use or Disclosure of PHI
    • Including Claims Processing, Data Analysis or Processing, Billing, Etc.
• Or
  – Who Provides Legal, Actuarial, Accounting, Consulting, or Similar Services Involving Use or Disclosure of PHI
• Not a Workforce Member

Page 138: Lorman Medical Records Seminar

Entities/Persons Not Business Associates

• Workforce Members
  – Workforce Includes Employees, Volunteers, Trainees, and Other Persons Conducting Work Under Direct Control of Covered Entity
  – Look Beyond Titles
  – If Workstation on Site, Then Likely Workforce
  – If No BA Agreement, Then Presumed to be Workforce

Page 139: Lorman Medical Records Seminar

Not Considered Business Associates

• Entity Not Using or Disclosing PHI
  – Regardless of Title
  – Examples: Janitors, Maintenance Services
  – Only Incidental Uses or Disclosures

Page 140: Lorman Medical Records Seminar

Not Business Associates

• OHCA
  – Organized Health Care Arrangement
  – Technical Relationship
  – Same Said Regarding Affiliated Covered Entities (“ACE”)

Page 141: Lorman Medical Records Seminar

Not Business Associates

• Conduits
  – Entity or Person That Transports PHI, but Only Accesses it Incidentally
  – Examples: US Mail, Couriers, Electronic Transmitters

Page 142: Lorman Medical Records Seminar

Not Business Associates

• De-Identified Information
  – Where Identifying Factors Removed, No Need to Protect
  – Any Person May Use or Disclose De-Identified Information

Page 143: Lorman Medical Records Seminar

Not Business Associates

• Covered Entities
  – May Be Considered a Business Associate of Another Covered Entity
  – If Acting as Business Associate, and Makes Mistake, Then DHHS Will Treat as Covered Entity and Not Business Associate

Page 144: Lorman Medical Records Seminar

Business Associate Contract/Agreement

• Documents the Satisfactory Assurances
• Prerequisite Before Covered Entity May
  – Disclose PHI to the BA
  – Allow BA to Create PHI on Behalf of the Covered Entity
  – Allow BA to Receive PHI on Behalf of the Covered Entity

Page 145: Lorman Medical Records Seminar

No Business Associate Contract or Agreement

• Covered Entity Transmitting PHI to a Provider for Treatment
• Group Health Plan and Plan Sponsor, If Otherwise Comply With Rule
• Interagency Disclosure Among Government Health Plans

Page 146: Lorman Medical Records Seminar

Business Associate Agreement

• Non-Governmental Entities
  – Written Contract Required
  – Permitted and Required Uses and Disclosures of PHI
  – BA Not Further Use or Disclose
  – BA Use Appropriate Safeguards
  – BA Report Breach
  – BA Ensure Subcontractors Agree to Same Terms

Page 147: Lorman Medical Records Seminar

Business Associate Agreement Terms

• Make PHI Available for Access
• Make PHI Available for Amendment and Incorporate Amendments
• Make PHI Available to Prepare Accounting
• Compliance with DHHS Investigation
• Return, Destroy, or Safeguard PHI

Page 148: Lorman Medical Records Seminar


Business Associate Agreement

• Covered Entity Must Be Able to Terminate if Violation

• Covered Entity Must Attempt to Mitigate or Cure Breach, and Report to DHHS

Page 149: Lorman Medical Records Seminar

Business Associate Agreement Additions

• Permit BA to Use or Disclose PHI to Provide Data Aggregation Services
  – Combining PHI From One Covered Entity with PHI of Another to Prepare Data Analysis That Relates to Operations of the Respective Covered Entities

Page 150: Lorman Medical Records Seminar

Business Associate Agreement Additions

• BA May USE PHI
  – Proper Management and Administration
  – Carry Out Legal Responsibilities
• BA May DISCLOSE PHI
  – Proper Management and Administration
  – Carry Out Legal Responsibilities
  – Reasonable Assurances Obtained

Page 151: Lorman Medical Records Seminar

Business Associate Model Contract

• Not State Law Compliant
• Not All Essential Terms
• Not All Desirable Terms

Page 152: Lorman Medical Records Seminar

Suggested Business Associate Agreement Terms

• Negotiating Power/Leverage Deciding Factor
  – Large Provider vs. Small BA
  – JCAHO vs. Large Provider
• Damages/Liquidated Damages Clauses
• Indemnification Clauses
• Insurance Coverage Requirement
• Burden of Proof
• CE Will Oversee BA Response to Access, Amendment, Accounting, and Any Other Disclosures

Page 153: Lorman Medical Records Seminar

Other Terms in Your BAA

• Many Covered Entities Require Indemnification Clause in Business Associate Agreement
  – Contractual Indemnity May Void Legal Malpractice Insurance Coverage
  – Appears that Contractual Obligation Imposed Under BAA Would be Covered
• Best Choice for Client May be No Indemnification Clause
  – Full Disclosure – Conflict of Interest?

Page 154: Lorman Medical Records Seminar

Other Aspects of Relationship

• Privacy Rule Requires Business Associate to Return or Destroy PHI Upon Conclusion or Termination of Relationship
  – Not Required if “Not Feasible” But Then Must Extend Protections to PHI
  – Attorney Obligated to Maintain Records

Page 155: Lorman Medical Records Seminar

Accountability

• Penalties for Non-Compliance – On Covered Entity
  – If Covered Entity Knew of Pattern or Practice That Constitutes Material Breach
  – CE Must Take Steps to Cure Breach or End Violation
  – If Unsuccessful, CE May Terminate Agreement
  – If Termination Not Feasible, Then Report to DHHS
  – Not Obligated to Monitor
  – Must Investigate All Complaints
  – Must Act Upon Any Knowledge of Violation

Page 156: Lorman Medical Records Seminar

New Definition of Business Associate?

• Health Information Organizations
• E-Prescribing Gateways
• Others that provide
  – Data transmission services with respect to PHI and
  – Require access on a routine basis to such PHI
• “Conduits” that only access PHI on random or infrequent basis to support transport are not BAs

Page 157: Lorman Medical Records Seminar

Definition of Business Associate

• PHR vendors acting on behalf of covered entities are BAs
  – PHR vendor can be a BA with respect to only some individuals
• Subcontractors
  – Treated as BAs if they create, receive, maintain, or transmit PHI on behalf of a BA
  – BA must have BA agreement with subcontractor BA
  – No BA agreement required between CE and subcontractor BA

Page 158: Lorman Medical Records Seminar

Business Associates

• BAs directly liable for:
  – Security Rule violations
  – Impermissible uses and disclosures under Privacy Rule
    • Uses and disclosures must comply with Privacy Rule and business associate agreement
  – Failure to disclose to Secretary or provide e-access
  – Minimum necessary rule
• Covered entities (and BAs) liable for acts of BAs acting as agents within scope of agency
• BA must take reasonable steps in response to impermissible pattern or practice of subcontractor BA

Page 159: Lorman Medical Records Seminar

Business Associate Contracts—Amendments Required?

• HITECH statute said privacy and security requirements that apply to covered entities
  – “shall be incorporated into business associate agreement”
• Uncertainty as to whether this required an actual amendment or provisions incorporated into BA contracts as matter of law

Page 160: Lorman Medical Records Seminar

Business Associate Contracts—Amendments Required?

• Under Proposed Rule following provisions need to be added:
  – BAs to use appropriate safeguards and comply with Security Rule with respect to E-PHI
  – BAs must report to CE any breach of unsecured PHI
  – Enter into written agreements with subcontractors that create/receive PHI on behalf of BA imposing same restrictions that apply to BA
  – BAs must comply with Privacy Rule to extent BA is to carry out a CE’s obligation under the Privacy Rule

Page 161: Lorman Medical Records Seminar

Compliance Date, Generally

• Covered entities and BAs will have 240 days from publication of final rule to comply
  – Rule will become effective 60 days after publication
  – Additional 180-day compliance period
• Enforcement Rule changes effective immediately when final rule goes into effect

Page 162: Lorman Medical Records Seminar

Compliance Date for Amending Business Associate Contracts

• If (1) a BA contract (compliant with pre-HITECH BA requirements) is entered into prior to publication date of Final Rule; and
• (2) that contract is not renewed or modified during the time period that is 60 days to 240 days after the publication of the final rule, then the contract deemed to be compliant until the earlier of:
  – The date the contract is renewed or modified on or after the 240-day post-publication date; or
  – The date that is one year and 240 days after publication of the Final Rule
• Bottom Line:
  – CEs and BAs will have up to 1 year and 8 months after Final Rule published to revise BA agreements
  – BAs must comply with other applicable provisions of Privacy and Security Rules during this transition period

Page 163: Lorman Medical Records Seminar

Notification by Business Associates

• BAs required to notify CE of breach
• Notification to occur no later than 60 days after discovery of breach
• Breach treated as discovered by BA as of first day breach is known to BA, or through reasonable diligence, would have been known
• BA deemed to have knowledge of breach if breach would have been known through reasonable diligence to anyone who is agent of BA
• If BA is an agent, then BA’s discovery of breach is imputed to CE

Page 164: Lorman Medical Records Seminar

Business Associates

• Historically were not covered directly by HIPAA
  – Generally liable only for breaching their business associate agreement with a covered entity
• HITECH:
  – Clarifies that certain entities are BAs
  – Expands HIPAA requirements that apply to BAs

Page 165: Lorman Medical Records Seminar

Business Associates—who is a BA?

• In the past, entities that provided networks or other hardware for data transmission were not considered BAs
• Under HITECH, entities that provide data transmission services and require access to PHI are BAs, including:
  – Health information exchange organizations
  – RHIOs
  – E-Prescribing gateways
  – PHR vendors that provide PHRs to covered entities

Page 166: Lorman Medical Records Seminar

Business Associates—New Requirements

• HITECH: BAs are required to:
  – Notify CE if they discover a breach
  – Directly comply with HIPAA Security Rule administrative, physical and technical safeguards and documentation requirements—as if they were CEs
  – Means regulators may impose fines directly on BAs who fail to comply with Security Rule

Page 167: Lorman Medical Records Seminar

Business Associates—New Requirements

• HITECH: BAs are required to:
  – Use or disclose PHI only if such use or disclosure is in compliance with the privacy provisions of their BA contracts
  – Means BAs are subject to same penalties as CEs if they violate Privacy Rule

Page 168: Lorman Medical Records Seminar

Business Associates—New Requirements

• Other HITECH privacy and security requirements that apply to covered entities
  – “shall be incorporated into business associate agreement”

Page 169: Lorman Medical Records Seminar

Business Associates—New Requirements

WHAT DOES THIS MEAN FOR BAs?

• BAs must take action if they know of a pattern of activity or practice by CE that constitutes a breach of the CE’s obligations under the contract:
  – Reasonable steps to cure breach
  – Terminate the arrangement
  – Report the problem to HHS if termination is not feasible
• If BA does not do the above, it may be liable for HIPAA penalties

Page 170: Lorman Medical Records Seminar


HIPAA and Attorneys

• Interaction of HIPAA Requirements Imposed Upon Attorneys via Business Associate Agreements

Page 171: Lorman Medical Records Seminar

Business Associates

• Business Associate Means a Person, Other Than a Workforce Member, Who:
  – Provides Legal, Actuarial, Accounting, Consulting, …, Where the Provision of the Service Involves the Disclosure of Individually Identifiable Health Information
• Lawyers May Be Business Associates

Page 172: Lorman Medical Records Seminar

Business Associate Agreement

• Covered Entity Must Enter Into Business Associate Agreement With Lawyer if Using or Disclosing Protected Health Information (“PHI”)
• If Business Associate Fails to Comply, Covered Entity Must Do One of the Following:
  – Try to Cure Breach
  – Terminate the Agreement
  – Report Violation to DHHS

Page 173: Lorman Medical Records Seminar

Violation of Business Associate Agreement

• If Business Associate Violates Agreement, and Covered Entity Fails to Act, Then Covered Entity is Subject to Penalties
• Note that Business Associate Attorney is NOT Subject to Penalties
  – Privacy Rule Does Not Directly Govern Business Associates

Page 174: Lorman Medical Records Seminar

Business Associate Agreement Terms

• Agreement Must Contain Specified Terms:
  – Permitted and Required Uses and Disclosures of PHI
  – Required Safeguards for PHI
  – Ensure Subcontractors Comply
  – Make PHI Available for Access, Accounting, and Amendment
  – Upon Termination, Return, Destroy, or Keep in Accordance with Privacy Rule

Page 175: Lorman Medical Records Seminar

Business Associate Agreement

• Specified Terms of BA Agreement Include that Business Associate Must:
  – Make its Internal Practices, Books, and Records Relating to the Use and Disclosure of Protected Health Information (“PHI”) Available to DHHS for Inspection to Determine Compliance

Page 176: Lorman Medical Records Seminar

Waiver/Loss of Protections

• BA Agreement Requirement That BA Attorney Must Make Internal Practices, Books, and Records Available
  – Could Result in Requiring Production of Privileged and/or Work Product Materials
  – Issue Whether Must Produce to DHHS and Whether Waives Protections as to Others

Page 177: Lorman Medical Records Seminar

Overview of HIPAA Security Rule: Obligations of Covered Entities and Business Associates

Lorman Education Services: Medical Records Law

March 23, 2012

Richard E. Nell, Nell & Associates, S.C.

Jesse A. Berg, Gray Plant & Mooty

Page 178: Lorman Medical Records Seminar

HIPAA Security Rule

• Security Rule
  – Addressable Implementation Specifications (“AIS”)
  – Allows Covered Entities Additional Flexibility
  – Covered Entity Must Do One of the Following
    • Implement One or More AIS
    • Implement One or More Alternative Security Measures
    • Implement One or the Other
    • Implement Neither

Page 179: Lorman Medical Records Seminar

Security Rule

• Security Rule Administrative Safeguards
  – Security Management Process
    • Implement Policies and Procedures to Prevent, Detect, Contain, and Correct Security Violations
    • Implementation Analysis
      – Risk Analysis (Required)
        » Conduct an Accurate and Thorough Assessment of the Potential Risks and Vulnerabilities to the Confidentiality, Integrity, and Availability of Electronic Protected Health Information
      – Risk Management (Required)
        » Implement Security Measures Sufficient to Reduce Risks and Vulnerabilities to a Reasonable and Appropriate Level

Page 180: Lorman Medical Records Seminar

Security Rule

• Security Rule Administrative Safeguards
  – Implementation Analysis (Continued)
    • Sanction Policy (Required)
      – Appropriate Sanctions Against Workforce Members Who Fail to Comply With the Security Policies and Procedures
    • Information System Activity Review (Required)
      – Implement Procedures to Regularly Review Records of Information System Activity, Such As Audit Logs, Access Reports, and Security Incident Tracking Reports

Page 181: Lorman Medical Records Seminar

Security Rule

• Security Rule Administrative Safeguards
  – Assigned Security Responsibility
    • Identify the Security Official
  – Workforce Security
    • Implement Policies and Procedures to Ensure That All Members of Its Workforce Have Appropriate Access to Electronic Protected Health Information
    • Prevent Those Workforce Members Who Do Not Have Access From Obtaining Access

Page 182: Lorman Medical Records Seminar

Security Rule

• Security Rule Administrative Safeguards
  – Workforce Security (Continued)
    • Implementation Analysis
      – Authorization and/or Supervision (Addressable)
        » Procedures for the Authorization And/or Supervision of Workforce Members Who Work With Electronic Protected Health Information
      – Workforce Clearance Procedure (Addressable)
        » Procedures to Determine That the Access of a Workforce Member to Electronic Protected Health Information

Page 183: Lorman Medical Records Seminar

Security Rule

• Security Rule Administrative Safeguards
  – Workforce Security Implementation Analysis (Continued)
    • Termination Procedures (Addressable)
      – Procedures for Terminating Access to Electronic PHI When Employment Ends
  – Information Access Management
    • Implement Policies and Procedures for Authorizing Access to Electronic Protected Health Information
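The Information System Activity Review and Termination Procedures specifications above are the two controls that together catch the pattern in the Zhou case discussed later in these slides (hundreds of record reads after notice of termination). The following Python script is an added example, not part of the seminar materials or any vendor's EHR: it joins constructed audit-log lines against a constructed workforce roster and flags access after a user's termination date, unusually high daily access volume, and accounts missing from the roster. Field names, the log format and the volume threshold are assumptions.

```python
"""Information System Activity Review over EHR access logs (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime
from typing import Dict, List, Optional, Tuple

# Constructed roster: user -> (role, termination date or None if still employed).
ROSTER: Dict[str, Tuple[str, Optional[date]]] = {
    "jdoe":  ("nurse", None),
    "hzhou": ("physician", date(2010, 1, 15)),   # access should have ended here
    "mlee":  ("billing", None),
}

# Constructed audit log, one event per line: ISO timestamp,user,action,patient.
_EXPLICIT = """\
2010-01-14T09:02:11,jdoe,VIEW,pt-1001
2010-01-14T09:40:52,jdoe,VIEW,pt-1002
2010-01-14T10:05:13,jdoe,UPDATE,pt-1001
2010-01-14T11:30:00,hzhou,VIEW,pt-1003
2010-01-15T08:00:00,mlee,VIEW,pt-1004
2010-01-21T03:12:09,ghost,VIEW,pt-1005
"""
# Thirty after-hours reads of distinct records on one day, after termination.
_GENERATED = "\n".join(
    f"2010-01-20T22:{m:02d}:00,hzhou,VIEW,pt-{2000 + m}" for m in range(1, 31)
)
AUDIT_LOG = _EXPLICIT + _GENERATED + "\n"


@dataclass(frozen=True)
class AccessEvent:
    when: datetime
    user: str
    action: str
    patient: str


@dataclass(frozen=True)
class Finding:
    kind: str    # "post_termination", "high_volume" or "unknown_user"
    user: str
    detail: str


def parse_log(text: str) -> List[AccessEvent]:
    """Parse the constructed CSV format; blank lines and '#' comments are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, action, patient = line.split(",")
        events.append(AccessEvent(datetime.fromisoformat(ts), user, action, patient))
    return events


def review(events: List[AccessEvent],
           roster: Dict[str, Tuple[str, Optional[date]]],
           max_patients_per_day: int = 25) -> List[Finding]:
    """Return review findings: one per unknown-user event, one per user with
    post-termination activity, one per (user, day) over the volume threshold."""
    findings: List[Finding] = []
    after_term: Dict[str, List[datetime]] = defaultdict(list)
    per_day: Dict[Tuple[str, date], set] = defaultdict(set)

    for ev in events:
        entry = roster.get(ev.user)
        if entry is None:
            # An account with no roster entry should not exist on the system.
            findings.append(Finding("unknown_user", ev.user,
                                    f"{ev.when.isoformat()} {ev.action} {ev.patient}"))
            continue
        _, terminated = entry
        if terminated is not None and ev.when.date() > terminated:
            after_term[ev.user].append(ev.when)
        per_day[(ev.user, ev.when.date())].add(ev.patient)

    for user, times in sorted(after_term.items()):
        findings.append(Finding(
            "post_termination", user,
            f"{len(times)} events after termination on {roster[user][1]} "
            f"(first {min(times).isoformat()}, last {max(times).isoformat()})"))

    for (user, day), patients in sorted(per_day.items()):
        if len(patients) > max_patients_per_day:
            findings.append(Finding("high_volume", user,
                                    f"{day}: {len(patients)} distinct patient records"))
    return findings


if __name__ == "__main__":
    for f in review(parse_log(AUDIT_LOG), ROSTER):
        print(f"{f.kind:17} {f.user:7} {f.detail}")
```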

Page 184: Lorman Medical Records Seminar

Security Rule

• Security Rule Administrative Safeguards
  – Information Access Management Implementation Analysis
    • Isolating Clearinghouse Functions (Required)
    • Access Authorization (Addressable)
      – Implement Policies and Procedures for Granting Access to Electronic Protected Health Information
    • Access Establishment and Modification (Addressable)
      – Implement Policies and Procedures That, Based Upon the Entity's Access Authorization Policies, Establish, Document, Review, and Modify a User's Right of Access

Page 185: Lorman Medical Records Seminar

Security Rule

• Security Rule Administrative Safeguards
  – Security Awareness and Training
    • Implementation Analysis
      – Security Reminders (Addressable)
        » Periodic Security Updates
      – Protection From Malicious Software (Addressable)
        » Procedures for Guarding Against, Detecting, and Reporting Malicious Software
      – Log In Monitoring (Addressable)
        » Monitor Access and Discrepancies
      – Password Management (Addressable)
        » Procedures for Creating, Changing, and Safeguarding

Page 186: Lorman Medical Records Seminar

Security Rule

• Security Rule Administrative Safeguards
  – Security Incident Procedures
    • Implementation Analysis
      – Response and Reporting (Required)
        » Identify and Respond to Suspected or Known Security Incidents; Mitigate Harmful Effects of Security Incidents and Document Security Incidents and Their Outcomes

Page 187: Lorman Medical Records Seminar

Security Rule

• Security Rule Administrative Safeguards
  – Contingency Plan
    • Implementation Analysis
      – Data Backup Plan (Required)
        » Procedures to Create and Maintain Retrievable Exact Copies of Electronic Protected Health Information
      – Disaster Recovery Plan (Required)
      – Emergency Mode Operation Plan (Required)
        » Procedures to Enable Continuation of Critical Business Processes for Protection of the Security of Electronic Protected Health Information While Operating in Emergency Mode

Page 188: Lorman Medical Records Seminar

Security Rule

• Security Rule Administrative Safeguards
  – Contingency Plan Implementation Analysis (Continued)
    • Testing and Revision Procedures (Addressable)
    • Applications and Data Criticality Analysis (Addressable)
  – Evaluation
    • Implementation Analysis
      – Periodic Technical and Nontechnical Evaluation, Based Initially Upon the Standards Implemented Under This Rule and Subsequently, in Response to Environmental or Operational Changes Affecting the Security of Electronic Protected Health Information

Page 189: Lorman Medical Records Seminar

Security Rule

• Security Rule Physical Safeguards
  – Facility Access Controls
    • Implementation Analysis
      – Contingency Operations (Addressable)
        » Procedures That Allow Facility Access in Support of Restoration of Lost Data
      – Facility Security Plan (Addressable)
        » Procedures to Safeguard the Facility and the Equipment
      – Access Control and Validation Procedures (Addressable)
        » Procedures to Control and Validate a Person's Access to Facilities Based on Their Role or Function

Page 190: Lorman Medical Records Seminar

Security Rule

• Security Rule Physical Safeguards
  – Facility Access Controls Implementation Analysis (Continued)
    • Maintenance Records (Addressable)
      – Procedures to Document Repairs and Modifications to the Physical Components of a Facility
  – Workstation Use
    • Procedures That Specify the Proper Functions to Be Performed, the Manner in Which Those Functions Are to Be Performed, and the Physical Attributes of the Surroundings of a Specific Workstation or Class of Workstation
  – Workstation Security
    • Physical Safeguards for All Workstations

Page 191: Lorman Medical Records Seminar

Security Rule

• Security Rule Physical Safeguards
  – Device and Media Controls
    • Implementation Analysis
      – Disposal (Required)
      – Media Reuse (Required)
      – Accountability (Addressable)
      – Data Backup and Storage (Addressable)

Page 192: Lorman Medical Records Seminar

Security Rule

• Security Rule Technical Safeguards
  – Access Control
    • Implementation Analysis
      – Unique User Identification (Required)
        » Unique Name And/or Number for Identifying and Tracking User Identity
      – Emergency Access Procedure (Required)
        » Procedures for Obtaining Necessary Electronic Protected Health Information During an Emergency
      – Automatic Logoff (Addressable)
      – Encryption and Decryption (Addressable)

Page 193: Lorman Medical Records Seminar

Security Rule

• Security Rule Technical Safeguards
  – Audit Controls
    • Hardware, Software, And/or Procedural Mechanisms That Record and Examine Activity in Information Systems
  – Integrity
    • Procedures to Protect Electronic Protected Health Information From Improper Alteration or Destruction
    • Mechanism to Authenticate Electronic PHI (Addressable)

Page 194: Lorman Medical Records Seminar

Security Rule

• Security Rule Technical Safeguards
  – Person or Entity Authentication
    • Procedures to Verify That a Person or Entity Seeking Access to Electronic Protected Health Information Is the One Claimed
  – Transmission Security
    • Integrity Controls (Addressable)
      – Security Measures to Ensure That Electronically Transmitted Electronic Protected Health Information Is Not Improperly Modified Without Detection
    • Encryption (Addressable)

Page 195: Lorman Medical Records Seminar

Security Rule

• Security Rule Organizational Requirements
  – Business Associate Contracts
    • Very Similar to the Requirements Imposed for Business Associates Under the Privacy Rule
  – Group Health Plans
    • Except in Certain Situations, Group Health Plan Must Ensure That Its Plan Documents Provide That the Plan Sponsor Will Reasonably and Appropriately Safeguard Electronic Protected Health Information Created, Received, Maintained, or Transmitted to or by the Plan Sponsor on Behalf of the Group Health Plan

Page 196: Lorman Medical Records Seminar

Security Rule

• Security Rule Policies and Procedures and Documentation Requirements
  – Policies and Procedures
    • Implementation Analysis
      – Reasonable and Appropriate Policies and Procedures to Comply With the Standards, Implementation Specifications, or Other Requirements

Page 197: Lorman Medical Records Seminar

Security Rule

• Security Rule Policies and Procedures
• Documentation
  – Implementation Analysis
    • Time Limit (Required)
      – 6 Years
    • Availability (Required)
    • Updates (Required)

Page 198: Lorman Medical Records Seminar

Security Rule

Page 199: Lorman Medical Records Seminar

HIPAA Breach Notification

Lorman Education Services: Medical Records Law

March 23, 2012

Richard E. Nell, Nell & Associates, S.C.

Jesse A. Berg, Gray Plant & Mooty

Page 200: Lorman Medical Records Seminar

Breach Notification

• Previous Rule:
  – Covered Entities (“CEs”) must mitigate, to the extent practicable, any harmful effect that is known to the CE of an unauthorized use or disclosure of PHI by the CE or its Business Associate (“BA”)
• HITECH established breach notification requirement for CEs and BAs
• “Interim” Final Regulations published on Aug. 24, 2009 (74 FR 42740)
  – Regulations will be at 45 CFR Subpart D
• Effective on Sept. 23, 2009
• 6-month delay in enforcement

Page 201: Lorman Medical Records Seminar

Breach Notification

• The Basics:
  – Covered Entities must provide notification to individuals in event of breach of the security or privacy of unsecured PHI
  – Notice must also be provided to HHS
  – BAs must provide notice to CEs

Page 202: Lorman Medical Records Seminar

Breach Notification

• Interim Final Rule (Aug. 2009)
  – Effective Sept. 23, 2009
  – Final Rule submitted to OMB in May, 2010 but withdrawn “for further consideration”
• Key elements:
  – Notification if breach of unsecured PHI and significant risk of harm
  – “Unsecured” = PHI that has not been rendered unusable, unreadable or indecipherable (see the definition below)
  – Notice w/in 60 days of discovery or date “should have known.” Content requirements for notice
  – Notice to media and HHS if more than 500 people; annual reporting to HHS if less than 500 people
  – Direct application to Covered Entities and BAs

Page 203: Lorman Medical Records Seminar

Key Terms—“Unsecured PHI”

• PHI not secured through use of a technology or methodology specified in Federal Register guidance published by HHS on 4/27/09 (74 FR 19006)
  – Encryption (as specified in Security Rule)
  – Destruction of media on which PHI is stored or recorded
• Why secure your PHI?

Page 204: Lorman Medical Records Seminar

Breach Notification Analysis

• If your PHI is “unsecured,” a 3-step analysis applies:
  – Has there been an impermissible use or disclosure of PHI under the Privacy Rule?
  – Has the impermissible use or disclosure compromised the security or privacy of the PHI?
  – Does an exception apply?

Page 205: Lorman Medical Records Seminar

Step 1—“Breach”

• The “acquisition, access, use, or disclosure of PHI in a manner not permitted under subpart E (the HIPAA privacy rule) which compromises the security or privacy of the PHI”
  – Information must be PHI
  – For disclosure, acquisition, etc., to be a “breach” it must violate the Privacy Rule

Page 206: Lorman Medical Records Seminar

Step 2—“Compromises Security or Privacy of PHI”

• Harm threshold must be met for breach to “compromise the security or privacy of the PHI”
  – Must pose a significant risk of financial, reputational or other harm to the individual
• CEs and BAs must perform “risk assessment” to determine whether this threshold is met
• Documentation of risk assessment is key for CE, BA if they decide harm threshold has not been met

Page 207: Lorman Medical Records Seminar

Step 2—“Compromises Security or Privacy of PHI”

• Risk assessment factors:
  – Status of person who impermissibly used or to whom the PHI was improperly disclosed
  – Nature of mitigation efforts undertaken
  – Whether PHI was returned prior to being accessed for improper purpose
  – Type and amount of PHI involved
  – If LDS was involved, whether the date of birth and zip code are also excluded (if so, not a breach). Also, likelihood of re-association with individual is factor to be considered.

Page 208: Lorman Medical Records Seminar

Step 3—the “Exceptions”

• 3 Exceptions:
  – (1) Unintentional acquisition, access or use of PHI by work force member or person acting under authority of CE or BA, if acquisition was made in good faith, within scope of authority and does not result in further impermissible use or disclosure

Page 209: Lorman Medical Records Seminar

Step 3—the “Exceptions”

• (2) Any inadvertent disclosure by a person who is authorized to access PHI at a CE or BA to another person authorized to access PHI at the same CE, BA (or OHCA in which CE participates) and information received is not further used or disclosed in an impermissible manner

Page 210: Lorman Medical Records Seminar

Step 3—the “Exceptions”

• (3) A disclosure of PHI where a CE or BA has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information

Page 211: Lorman Medical Records Seminar

Notification

• Breach discovered on the first day it is known, or by exercising reasonable diligence, would have been known
• Notice can be imputed to CE or BA from a variety of its representatives, including employees (other than the employee causing the breach) and from agents

Page 212: Lorman Medical Records Seminar

Timing of Notification

• All notifications must be made without unreasonable delay
  – No later than 60 calendar days after discovery
  – Burden on notifying entity to demonstrate that
    • All required notifications were made
    • Explain any delays
• 60 day period not tolled by time spent in analysis or investigation
• Limited delay if requested by law enforcement

Page 213: Lorman Medical Records Seminar

Methods of Notice

• Notice must be
  – In writing
  – By first class mail
  – Sent to the last known address of individual (if individual specified preference for email notification, that should be done)
  – One or more mailings (as more information becomes available)
  – If more than 500 residents of a state or jurisdiction are affected:
    • Notices described above; and
    • Notification to prominent media outlets in state or jurisdiction

Page 214: Lorman Medical Records Seminar

Methods of Notice

• Special circumstances notices:
  – If insufficient or out-of-date information and
  – Fewer than 10 affected people:
    • By an alternative form of written notice, telephone or other means
  – More than 10 affected people:
    • Conspicuous posting for 90 days on CE's homepage; or
    • Notice to major print or broadcast media
    • Must include toll-free phone number
• Notice to HHS:
  – If more than 500 individuals affected, notice must be contemporaneous with notice to individuals
  – Can keep log of breaches affecting fewer people and provide annually to HHS
  – HHS to publicize breached entities on its web site

Page 215: Lorman Medical Records Seminar

Content of Notice

• All notices, to the extent possible, must include:
  – Description of what happened, including date of breach and date breach was discovered
  – Description of the types of unsecured PHI involved in the breach
  – Steps individuals should take to protect themselves from potential harm resulting from breach
  – Description of what CE is doing to investigate breach, mitigate harm to the individual and protect against further breaches
  – Contact procedures for individuals to ask questions or learn additional information, including toll-free number, email, web site or postal address
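The three-step analysis, the discovery date, the 60-day clock and the notice methods on the preceding slides form one decision procedure. The Python below is an added example, not part of the seminar materials, that maps constructed breach facts to the notices required under the interim rule as these slides summarize it. The field names are assumptions, and because the slides say "fewer than 10" and "more than 10" without covering exactly 10, the example treats 10 or more as the posting/media case.

```python
"""Breach-notification decision procedure under the 2009 interim rule (added example)."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass
class BreachFacts:
    phi_unsecured: bool              # not encrypted/destroyed per the HHS guidance
    privacy_rule_violation: bool     # step 1: impermissible use or disclosure
    harm_threshold_met: bool         # step 2: documented risk assessment result
    exception_applies: bool          # step 3: one of the three exceptions
    date_known: date                 # day the entity actually learned of it
    date_should_have_known: date     # day reasonable diligence would have found it
    affected_by_state: Dict[str, int]
    unreachable_individuals: int = 0  # insufficient or out-of-date contact info


@dataclass
class NotificationPlan:
    notification_required: bool
    reason: str
    discovery_date: Optional[date] = None
    deadline: Optional[date] = None
    individual_notice: List[str] = field(default_factory=list)
    substitute_notice: List[str] = field(default_factory=list)
    media_notice_states: List[str] = field(default_factory=list)
    hhs_notice: str = ""


def discovery_date(f: BreachFacts) -> date:
    """Discovery is the first day the breach is known or should have been known."""
    return min(f.date_known, f.date_should_have_known)


def plan_notification(f: BreachFacts) -> NotificationPlan:
    # Secured PHI (encrypted or destroyed per the HHS guidance) is outside the rule.
    if not f.phi_unsecured:
        return NotificationPlan(False, "PHI secured per HHS guidance; rule does not apply")
    if not f.privacy_rule_violation:
        return NotificationPlan(False, "no impermissible use or disclosure under the Privacy Rule")
    if not f.harm_threshold_met:
        return NotificationPlan(False, "harm threshold not met; retain the documented risk assessment")
    if f.exception_applies:
        return NotificationPlan(False, "one of the three exceptions applies")

    found = discovery_date(f)
    # Without unreasonable delay, and no later than 60 calendar days after discovery;
    # time spent on analysis or investigation does not stop this clock.
    plan = NotificationPlan(True, "breach of unsecured PHI", found, found + timedelta(days=60))
    plan.individual_notice = [
        "written notice by first class mail to last known address "
        "(email if the individual specified that preference)",
        "one or more mailings as more information becomes available",
    ]
    if f.unreachable_individuals > 0:
        if f.unreachable_individuals < 10:
            plan.substitute_notice = ["alternative written notice, telephone or other means"]
        else:
            plan.substitute_notice = [
                "conspicuous posting on the CE's homepage for 90 days, "
                "or notice to major print or broadcast media",
                "toll-free phone number must be included",
            ]
    # Media notice is per state or jurisdiction with more than 500 residents affected.
    plan.media_notice_states = sorted(s for s, n in f.affected_by_state.items() if n > 500)
    # HHS notice timing depends on the total count, not the per-state count.
    total = sum(f.affected_by_state.values())
    plan.hhs_notice = ("contemporaneous with notice to individuals" if total > 500
                       else "log the breach and submit the log annually to HHS")
    return plan


if __name__ == "__main__":
    # Constructed facts loosely modelled on the stolen-remittance-forms entry in
    # the Minnesota breach table later in these slides; counts are illustrative.
    facts = BreachFacts(True, True, True, False, date(2010, 3, 8), date(2010, 3, 2),
                        {"MN": 735, "FL": 40}, unreachable_individuals=12)
    print(plan_notification(facts))
```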

Page 216: Lorman Medical Records Seminar

Wisconsin Law

Lorman Education Services: Medical Records Law

March 23, 2012

Richard E. Nell, Nell & Associates, S.C.

Jesse A. Berg, Gray Plant & Mooty

Page 217: Lorman Medical Records Seminar

Applicable Medical Records Statutes & Regulations

• Wisconsin Statutes:
  – 51.30(4): Access to Registration and Treatment Records
  – 134.97: Disposal of Records Containing Personal Information
  – 146.81-146.84: Health Care Records
  – 146.83: Access to Patient Health Care Records
  – 146.83(3f): Record Copy Fees
  – 153.50-153.55: Protection of Patient Confidentiality
  – 610.70: Disclosure of Personal Medical Information
  – 146.82: Confidentiality of Patient Healthcare Records
  – 252.15: Restrictions on Use of an HIV Test
  – 118.125: Pupil Records
  – 631.89: Restrictions on Use of Genetic Test Results
  – 51.47: AODA Treatment for Minors without Parental Consent

Page 218: Lorman Medical Records Seminar

Applicable Medical Records Statutes & Regulations

• DHS:
  – 92: Confidentiality of Treatment Records
  – 94: Patient Rights and Resolution of Patient Grievances
  – 89.34: Residential Care Apartments & Complexes - Rights of Tenants
  – 145.12: Certification of Public Health Dispensaries
  – 124.14: Medical Records Services
  – 105.36: Family Planning Clinics or Agencies
  – 104.01: Recipient Rights
  – 109.51: Provider Responsibility
  – 134.47: Facilities Serving People with Developmental Disabilities - Records
  – 120.30: Patient Data Elements Considered Patient-Identifiable
  – 105.16: Home Health Agencies (Medical Record)

Page 219: Lorman Medical Records Seminar

Applicable Medical Records Statutes & Regulations

• DOC:
  – 348.09: Records & Reporting
  – 346.28: Medical Records
• DCF:
  – 53.06: Release of Adoption Information
  – 54.06: Child Placing Agencies - Records
  – 56.09: Care of Foster Children

Page 220: Lorman Medical Records Seminar

Confidentiality of Patient Healthcare Records

• WSA 146.82 - Confidentiality of Patient Healthcare Records
  – Default Rule: All patient healthcare records are confidential
  – Patient Healthcare Records may be released only to the persons designated in Section 146.82
  – Disclosure must be made by informed consent of the patient or person authorized by patient.
  – All consents must be in writing and include:
    • Patient's name
    • Purpose of disclosure
    • Type of professional making disclosure
    • Information to be disclosed
    • Entity to which disclosure is to be made
    • Time period during which consent is effective
    • Signature of patient
    • Relationship of signatory to patient (if not patient)
    • Date of execution
• Wis. Stats. 146.81(2)

Page 221: Lorman Medical Records Seminar

Informed Consent Expectations

• Wis. Stats. 146.81 - Informed Consent Expectations
  – Informed consent is not required for the following:
    • Release of information necessary to conduct management or financial audits or evaluations of programs & services
    • Research purposes under specific conditions
    • Various state agencies whose function it is to protect vulnerable populations
    • Persons rendering assistance when a person’s life or health appears to be in danger
    • A lawful court order
    • Parent, guardian, or legal custodian of a minor or incompetent patient
    • Guardian of an adjudged incompetent patient
    • A personal representative or surviving spouse of a deceased patient
• Wis. Stats. 146.82(2), 146.81(5) and 148.82(2)

Page 222: Lorman Medical Records Seminar

Who is the boss?

• HIPAA vs. Wis. Stats.
  – Covered Entity vs. Custodian of Records
  – Protected Health Information (PHI) vs. Patient Healthcare Records
• Administrative requirements imposed by HIPAA generally have no Wis. Law counterpart
• Most issues are created by the interaction of HIPAA and Wis. Law
• HIPAA and Wis. Law both impose restrictions on the disclosure of confidential medical information
• Practical approach is to look first to HIPAA for baseline guidance and then to Wis. Law for more stringent legal requirements
• Examples

Page 223: Lorman Medical Records Seminar

Deceased Patient’s Medical Records

• HIPAA extends a person's privacy rights into death
• HIPAA requires release of records to authorized individuals
• HIPAA defers to state law to determine access rights
• Who is authorized in WI?
  – Personal representatives and surviving spouses
  – If no Personal Rep. or surviving spouse, next responsible member of the deceased’s family
• Behavioral Health Records

Page 224: Lorman Medical Records Seminar

Pupil Records

• Federal Law (FERPA)
• Wis. Stats. 118.125
  – Adds to the FERPA definition
  – Defines Patient records within a school
  – Pupil physical record
  – Disclosure is subject to Wis. Stats. 118.125(2)
• Exceptions to Patient Healthcare Records

Page 225: Lorman Medical Records Seminar

Medical Record Confidentiality & Litigation

• Wis. Stats. 804.10, 146.82 and 51.30
• Discovery of healthcare records
  – What to do when you receive a Subpoena or Medical Request
  – Consent and HIPAA Authorization
• Mental Health, AODA records and Developmental Disabilities
  – Permitted discovery
  – “Lawful order”

Page 226: Lorman Medical Records Seminar

Mental Health Records & Confidentiality

• HIPAA allows broad use of PHI for treatment, payment & health care operations without patient consent

• Wis. Stats 51.30 allows the release of mental health treatment records without patient authorization only within the facility where the patient is being treated

• Wisconsin allows the release of mental health treatment records without patient authorizations for billing or collection purposes only to DHFS or a county department

• Compliance with HIPAA does not mean compliance with Wisconsin Law


Page 227: Lorman Medical Records Seminar

Summary

• Check application of HIPAA first
• Check application of various Wisconsin Statutes and Regulations
• Choose most favorable provision for the patient
• When in doubt either:
  – Seek informed consent; or
  – Call your attorney

Page 228: Lorman Medical Records Seminar

Enforcement

Lorman Education Services: Medical Records Law

March 23, 2012

Richard E. Nell, Nell & Associates, S.C.

Jesse A. Berg, Gray Plant & Mooty

Page 229: Lorman Medical Records Seminar


Page 230: Lorman Medical Records Seminar


Page 231: Lorman Medical Records Seminar

Enforcement Rule

• OCR will investigate and conduct compliance review when preliminary investigation indicates willful neglect
• OCR may proceed directly to formal enforcement without seeking informal resolution
• Definition of “reasonable cause”
  – Necessary for culpability tiers used under HITECH to impose penalties
• Preamble includes examples of conduct triggering various tiers of culpability (and associated penalties)

Page 232: Lorman Medical Records Seminar

Enforcement Rule

• Rule would eliminate exception from liability of CEs for civil monetary penalties for violations resulting from acts of agents if:
  – Agent is BA
  – Compliant BA agreement in place
  – CE did not (1) know of pattern of activity or practice of BA; and (2) did not fail to act as required by Privacy Rule/Security Rule with regard to such violations
• CEs directly liable for acts of BAs who are agents within meaning of federal common law
• BAs similarly liable for acts of their agents (including subcontractors and workforce members)

Page 233: Lorman Medical Records Seminar

HIPAA Enforcement Rule

• Investigation
• Notice of Proposed Determination
• Administrative Hearing
• Appeal
• Judicial Review
• Informal Resolution
  – Available at Any Time

Page 234: Lorman Medical Records Seminar

Enforcement Authority

• Secretary of HHS Delegated to the Administrator, CMS Authority to Investigate Noncompliance and Enforcement of Certain Regulations:
  – Transaction and Code Set Rule
  – National Employer Identifier Number (“EIN”) Rule
  – Security Rule
  – National Provider Identifier Rule
  – National Plan Identifier Rule
• Delegation Does Not Include Authority with Respect to the Privacy Rule
  – Delegated to the Office for Civil Rights

Page 235: Lorman Medical Records Seminar


Criminal Enforcement

• Previous rule: up to $250,000 in fines and 10 years in prison for disclosing or obtaining PHI with intent to sell, transfer or use it for commercial advantage, personal gain or malicious harm. Only a CE—not an employee or agent of CE—may be held criminally liable

• Under HITECH, penalties for wrongful disclosure of PHI apply to individuals who without authorization obtain or disclose such information maintained by CE, regardless of whether such person is employed by CE

Page 236: Lorman Medical Records Seminar

Civil Enforcement

• Previous Rule: HHS may impose CMPs for failure to comply with the Privacy and Security Rules, with a maximum civil fine of $100 per violation and up to $25,000 for all violations of an identical type during a calendar year
• CMPs may not be imposed if:
  – The violation is a criminal offense under HIPAA’s criminal penalty provisions
  – The person did not have actual or constructive knowledge of the violation
  – The failure to comply was due to reasonable cause and not to willful neglect, and the failure to comply was corrected within 30 days of discovery

Page 237: Lorman Medical Records Seminar

Civil Enforcement under HITECH

• New approach to civil enforcement, with civil monetary penalties of varying amounts based on level of intent (Level of Intent / Amount of CMP):
  – Person did not know, and through reasonable diligence, would not have known: $100 for each identical violation up to $25,000 for all identical violations, but no more than $1.5 million for all violations of this type within calendar year
  – Violation was due to reasonable cause and not willful neglect: $1,000 per violation up to $100,000 for all identical violations, with a cap of $1.5 million for all violations of this type within calendar year
  – Violation due to willful neglect but was corrected within 30 days: $10,000 per violation up to $250,000 for all identical violations, with a cap of $1.5 million for all violations of this type within calendar year
  – Violation due to willful neglect and was not corrected within 30 days: $50,000 per violation, with an annual cap of $1.5 million for all violations due to willful neglect that are not corrected within 30 days

Page 238: Lorman Medical Records Seminar

Federal Enforcement

• HHS required to investigate complaints if preliminary investigation indicates violation due to willful neglect
  – If HHS finds violation due to willful neglect, penalties are mandatory
• Distribution of CMPs:
  – Proceeds from CMPs to go to OCR for purposes of further Privacy and Security Rule enforcement activities
  – Portion will be paid directly to harmed individuals
    • Similar to qui tam provisions in False Claims Act
    • HHS must issue regulations within 3 years to implement this requirement
• HHS to conduct audits of CEs and BAs to ensure compliance with Privacy, Security Rules

Page 239: Lorman Medical Records Seminar

State Attorney General Enforcement

• AGOs authorized to bring civil action in federal court against persons who violate HIPAA if AGO has reason to believe that violation threatens or adversely affects any state resident
  – Unless a federal action is pending
• Can enjoin violations and obtain damages:
  – $100 per separate violation with a cap of $25,000 for all identical violations within calendar year
  – Costs and attorneys’ fees
• AGO required to give HHS notice of suit
• HHS can intervene and take over action
• HHS can also file appeals

Page 240: Lorman Medical Records Seminar

State Attorney General Enforcement

• HITECH provides state AGOs authority to bring civil actions on behalf of residents for violations of Privacy & Security Rules
  – AGO can obtain damages on behalf of residents and enjoin further violations
• OCR offered free training sessions for AGOs
  – Dallas, TX (Apr. 4-5, 2011)
  – Atlanta, GA (May 9-10, 2011)
  – Washington, DC (May 19-20, 2011)
  – San Francisco, CA (Jun. 13-14, 2011)

Page 241: Lorman Medical Records Seminar

Privacy Complaints

• Approximately 19,420 Privacy Complaints Filed With OCR; Most Common Allegations Have Been:
  – Personal Medical Details Wrongly Disclosed
  – Information Was Poorly Protected
  – More Details Were Disclosed Than Necessary
  – Proper Authorization Was Not Obtained
  – Patients Frustrated in Attempting to Get Their Own Records
• Washington Post, June 5, 2006

Page 242: Lorman Medical Records Seminar

Security Complaints

• CMS Has Received Approximately 106 Security Complaints (as of last year)
  – Also Inappropriately Received 28 Privacy-Related Complaints
  – To be Directed to OCR
• CMS Has Received Approximately 450 Transaction & Code Set Complaints
  – 129 Remain Open
  – Majority Involve Private Sector Organizations
• Health Information Privacy/Security Alert, Melamedia LLC, May 22, 2006

Page 243: Lorman Medical Records Seminar

Top 5 Issues in Enforcement

Year              | Issue 1                         | Issue 2                         | Issue 3 | Issue 4           | Issue 5
2010              | Impermissible Uses & Disclosures | Safeguards                     | Access  | Minimum Necessary | Notice
2009              | Impermissible Uses & Disclosures | Safeguards                     | Access  | Minimum Necessary | Complaints to Covered Entity
2008              | Impermissible Uses & Disclosures | Safeguards                     | Access  | Minimum Necessary | Complaints to Covered Entity
2007              | Impermissible Uses & Disclosures | Safeguards                     | Access  | Minimum Necessary | Notice
2006              | Impermissible Uses & Disclosures | Safeguards                     | Access  | Minimum Necessary | Notice
2005              | Impermissible Uses & Disclosures | Safeguards                     | Access  | Minimum Necessary | Mitigation
2004              | Impermissible Uses & Disclosures | Safeguards                     | Access  | Minimum Necessary | Authorizations
partial year 2003 | Safeguards                       | Impermissible Uses & Disclosures | Access | Notice            | Minimum Necessary

Page 244: Lorman Medical Records Seminar

Criminal HIPAA Enforcement

• Dr. Huping Zhou (April, 2010)
  – Sentenced to 4 months in prison, fined $2000
  – Pled to 4 misdemeanor counts of accessing and reading medical records
  – Accessed system 323 times during 3-week period after UCLA informed him he would be let go
  – No attempt to improperly use or sell the PHI

Page 245: Lorman Medical Records Seminar

Criminal HIPAA Enforcement

• Dr. Richard Alan Kaye
  – Indicted June 21, 2011 for “wrongful disclosure” of PHI; maximum of 5 years in prison
  – Medical director of psychiatric care center at Suffolk, VA hospital
  – Treated patient between Aug. 20, 2007-Sep. 4, 2007
  – On 3 occasions in Feb. 2008, Dr. Kaye disclosed PHI to patient’s employer
  – Did so under false pretenses that patient was a serious and imminent threat

Page 246: Lorman Medical Records Seminar

State Attorney General Enforcement

• Health Net (July, 2010)
  – Connecticut AGO settled with insurer for $250,000
    • Additional $500,000 contingent fund in event lost PHI is used illegally
    • Corrective action plan
  – Health Net lost hard drive with over 500,000 patients’ PHI
  – Health Net delayed notifying individuals for 6 months

Page 247: Lorman Medical Records Seminar

State Attorney General Enforcement

• WellPoint (July, 2011)
  – Indiana AGO settled with insurer for $100,000
    • Reimbursement of up to $50,000 per individual for any losses resulting from identity theft
  – 32,051 insurance applicants' information was accessible to the public through unsecured website
  – Information accessible between Oct. 23, 2009-Mar. 8, 2010.
    • Consumer notified WellPoint on Feb. 22, 2010
    • Individuals not notified by WellPoint until Jun. 18, 2010

Page 248: Lorman Medical Records Seminar

Enforcement

• Blue Cross Blue Shield of Tennessee (BCBST)
  – OCR expects a carefully designed, delivered and monitored HIPAA compliance program
  – Agreed to pay US Department of Health and Human Services $1.5 million to settle potential HIPAA violations
  – Agreed to a corrective action plan to address gaps in its HIPAA compliance program

Page 249: Lorman Medical Records Seminar

State Attorney General Enforcement

• Accretive Health, Inc.
  – July, 2011—laptop with 23,500 patients’ PHI stolen from car
  – Accretive is business associate of Fairview and North Memorial
    • FV and NM notified patients
  – AG suit alleges Accretive violated HIPAA, state health records law, debt collection and consumer fraud statutes
  – First action against business associate?
  – Status of HIPAA as to BAs?


Reported HIPAA Breaches in MN

| Name of Covered Entity | State | Business Associate Involved | Individuals Affected | Date of Breach | Type of Breach | Location of Breached Information | Date Posted or Updated |
|---|---|---|---|---|---|---|---|
| UnitedHealth Group--SACE | MN | | 16,291 | 1/26/2010 | Unauthorized Access/Disclosure | Paper | 6/9/2010 |
| UnitedHealth Group--SACE | MN | | 735 | 3/2/2010 | Theft, Unauthorized Access/Disclosure | Paper | 8/4/2010 |

Summary (UnitedHealth Group--SACE, 3/2/2010 breach): On March 2, 2010, the covered entity, United, discovered that remittance forms containing member information that accompany paper checks were stolen. The invoices contained the protected health information of over 735 individuals. The protected health information involved member information that allowed providers to properly record claim payments and credit accounts on behalf of each member for whom United was making a payment. Following the breach, the covered entity notified its clients of the incident, placed notice in The Miami Herald, provided each member with a credit monitoring package, reviewed its payment and remittance information controls, and notified its provider call centers to remain on a high level alert to monitor all remittance payments.


Reported HIPAA Breaches in MN

| Name of Covered Entity | State | Business Associate Involved | Individuals Affected | Date of Breach | Type of Breach | Location of Breached Information | Date Posted or Updated |
|---|---|---|---|---|---|---|---|
| Mayo Clinic | MN | | 1,740 | 7/15/2010 | Unauthorized Access/Disclosure | Electronic Medical Record | 9/20/2010 |
| UnitedHealth Group--SACE | MN | CareCore National | 1,270 | 7/8/2010 | Unauthorized Access/Disclosure | Paper | 10/7/2010 |

Summary (Mayo Clinic, 7/15/2010 breach): Following the breach, the covered entity: conducted an investigation; terminated the employee who had inappropriately accessed the PHI; re-educated its employees regarding patient privacy and access to PHI; enhanced its supervision of employees and monitoring of their access activity; notified individuals reasonably believed to have been affected and provided them with an information hotline and identity theft services at no cost, if so requested; placed a notice of the breach on its website and in the local newspaper; and submitted a breach report to OCR along with documentation of its voluntary compliance actions.


Reported HIPAA Breaches in MN

| Name of Covered Entity | State | Business Associate Involved | Individuals Affected | Date of Breach | Type of Breach | Location of Breached Information | Date Posted or Updated |
|---|---|---|---|---|---|---|---|
| Mankato Clinic | MN | | 3,159 | 11/2/2010 | Theft | Laptop | |
| North Memorial | MN | Accretive Health, Inc | 2,800 | 7/25/2011 | Theft | Laptop | |
| Fairview Health Services | MN | Accretive Health, Inc | 14,000 | 7/25/2011 | Theft | Laptop | |
| Fairview Health Services | MN | | 1,215 | 2/19/2011 | Loss | Paper | |
| United Health Group Health Plan | MN | Futurity First Insurance Group | 3,994 | 7/28/2011 | Theft | Other Portable Electronic Device | |
| InStep Foot Clinic, P.A. | MN | | 2,600 | 8/28/2011 | Theft | Laptop, Electronic Medical Record | |


UCLA-Reagan (July 2011)

• Allegations that UCLA employees repeatedly accessed ePHI of patients

– Complaint filed on behalf of 2 celebrities

– OCR investigation concluded that "numerous" other patients' ePHI improperly accessed between 2005-2008

– Alleged violations of both Privacy Rule and Security Rule

• UCLA paid $865,000 and agreed to corrective action plan and independent monitor of HIPAA compliance for 3 years

– 165 employees disciplined, 2 former employees face criminal charges


Mass. Gen. Hospital (Feb. 2011)

• Hospital employee left documents on subway train commute

– 192 patient records (some with HIV/AIDS)

• HHS alleged violations of Privacy Rule

• Mass. Gen agreed to pay $1 million and implement CAP

– P & Ps subject to HHS approval

– Independent monitoring of HIPAA compliance

– Submit compliance reports to HHS for 3 years


HIPAA and Other Issues in Electronic Medical Records

Lorman Education Services: Medical Records Law

March 23, 2012

Richard E. Nell, Nell & Associates, S.C.

Jesse A. Berg, Gray Plant & Mooty


HITECH PHYSICIAN INCENTIVES

| Payment year | First year: 2011 | 2012 | 2013 | 2014 |
|---|---|---|---|---|
| 2011 | $18K | - | - | - |
| 2012 | $12K | $18K | - | - |
| 2013 | $8K | $12K | $15K | - |
| 2014 | $4K | $8K | $12K | $12K |
| 2015 | $2K | $4K | $8K | $8K |
| 2016 | $0 | $2K | $4K | $4K |
| 2017 | $0 | $0 | $0 | $0 |
| TOTAL | $44K | $44K | $39K | $24K |


Meaningful Use Update

• Medicare program: up to $44,000 for eligible hospitals, professionals that demonstrate meaningful use of certified EHR technology

– Over 5 year period

– To achieve maximum payments, participation must begin by 2012

– Failure to demonstrate MU by 2015 will result in reimbursement reductions

• Medicaid program: up to $63,750 available over 6-year period

– Beneficiary volume requirements


Meaningful Use Update

• Registration for Medicare program began Jan. 3, 2011

– Registration for Medicaid program varies by state

– MN DHS has indicated registration will begin at end of 2011

• Attestation period for Stage 1 compliance began April 18, 2011

• Meaningful use payments began in May, 2011

– CMS: Within first month, more than 300 hospitals and physicians qualified for incentives and received payments under Medicare program

– CMS: by end of May, more than $83 million disbursed under Medicaid program (7 states)


Meaningful Use Update

• July 3, 2011: last day for eligible hospitals to begin 90-day reporting period

• Oct. 3, 2011: last day for eligible professionals to begin 90-day reporting period

• Nov. 30, 2011: last day for eligible hospitals, CAHs to register and attest to receive incentive payments for 2011

• Feb. 29, 2012: last day for eligible professionals to register and attest to receive incentive payments for 2011


Meaningful Use Update

• July 6, 2011: Dr. Farzad Mostashari (National Health IT Coordinator) said he agreed with conclusion that Stage 2 should be delayed until 2014

• Proposed Stage 2 rule issued in March 2012


Meaningful Use Update

• Stage 2 and 3:

– July 28, 2010 Final Rule on Meaningful Use (Stage 1) did not propose specific regulatory language for Stages 2 or 3. CMS indicated:

• Stage 2 requirements by end of 2011

• Stage 3 criteria by end of 2013

• In January 2011, the Health IT Policy Committee (HHS advisory committee) released for public comment preliminary recommendations for Stage 2 and 3 Meaningful Use

– In general, Stage 2 requires more thorough implementation of EHRs into daily practice and increased HIE


HITPC Preliminary Recommendations

Stage 2 Preliminary Recommendations

• 14 measures have higher standards

– CPOE increased from 30% to 60%

– Record demographics increased from 50% to 80%

– Current requirement to perform "test" of HIE changed to "connect to at least three external providers"

• 8 new measures

– List of care team members (including PCP) for 10% of patients in EHR

– Hospitals only: 30% of medication orders automatically tracked via electronic administration recording

• "Menu" measures would become "core" measures


Meaningful Use Update

• Feedback from stakeholders on HITPC recommendations:

– Providers

• Consistent message: "slow down"

• Learn from actual experience in Stage 1 before requiring Stage 2 measures

• Stage 2 should not start until at least 75% of eligible hospitals and professionals have successfully reached Stage 1 and not before 2014

– Vendors

• Need adequate lead time to be able to add new functionalities to EHR products


Still Have Questions?

Richard E. Nell, Nell & Associates, S.C., 380 Main Avenue

De Pere, WI 54115

Phone: 920.339.6377

[email protected]

www.nellandassociates.com

Feel free to contact us after the seminar!

Jesse A. Berg, Gray Plant Mooty, 500 IDS Center, 80 South 8th St

Minneapolis, MN 55402

Phone: 612.632.4444

[email protected]

www.gpm.law.com